

Re: Grrr... more stuff



Alexander O. Yuriev wrote:
>
>------- Forwarded Message
>There are known security problems with the sendmail, libc, and doom packages 
>distributed with Red Hat 4.0. The libc problems might allow users root
>access to a Red Hat system (though no exploits have been produced), 
>the most recent sendmail problems allow users access to the sendmail group,
>and the doom problem allows all users root access to a system.

Debian doesn't have a doom package.

libc is already at version 5.4.13-1 which is even newer than Red Hat's
fixed release.  This version is part of the recently released Debian-1.2
(ftp://ftp.debian.org/debian/Debian-1.2/binary/base/libc5_5.4.13-1.deb).
Obviously anyone with an older version should upgrade.  One can check
the version of their installed libc with the command "dpkg -l libc5".
The package libc5_5.4.17-1.deb was just released to our Incoming directory.
(ftp://ftp.debian.org/debian/unstable/binary/base/libc5_5.4.17-1.deb).
At this time there are no plans to move it into our Debian-1.2 patches
area.  So unless version 5.4.13 is insecure, we should not recommend
people get this experimental package.

sendmail in Debian-1.2 is version 8.7.6
(ftp://ftp.debian.org/debian/Debian-1.2/binary/mail/sendmail_8.7.6-2.deb).
It is probably vulnerable, but I don't know.  We also have (as part of
our "unstable" development tree) version 8.8.3
(ftp://ftp.debian.org/debian/Debian-1.2/binary/mail/sendmail_8.8.3-1.deb).
This is known to be vulnerable.  Robert Leslie <rob@mars.org> is our
sendmail maintainer.  I have added him to the CC: list.

Besides getting our sendmail update, is there anything I omitted or
made confusing here?

BTW, I have discovered a security hole in dpkg, rpm, and install with
regard to installing software over setuid binaries.  The scenario is
that if a setuid binary is replaced by a newer binary (the significant
case is when the newer binary includes security fixes) and the binary
being replaced had hard links to it, then (in spite of the intention of
the sysadmin to upgrade his software) there will still be an older
version lying around somewhere (i.e., the link to the original will not
have been upgraded).  I posted to linux-kernel and filed a Debian bug
report against dpkg and install.  But all the vendors need to reexamine
their installation software for upgrading setuid binaries.  If that
wasn't clear, you can get a copy of my bug report by sending mail to
request@bugs.debian.org (the subject is ignored except for generating
the Subject of the reply) with the body "send 6006".

-- 
Christopher J. Fearnley            |    Linux/Internet Consulting
cjf@netaxs.com, cjf@onit.net       |    UNIX SIG Leader at PACS
http://www.netaxs.com/~cjf         |    (Philadelphia Area Computer Society)
ftp://ftp.netaxs.com/people/cjf    |    Design Science Revolutionary
"Dare to be Naive" -- Bucky Fuller |    Explorer in Universe
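The hard-link scenario described in the mail above, reproduced in a scratch directory as an added example (not part of the original message or of dpkg): a package-manager style upgrade renames a new file over the setuid binary, which leaves every other hard link pointing at the old inode. All paths and file contents are constructed; the check at the top is the one an install tool or sysadmin would want to run *before* replacing the file, because afterwards the stale copy looks like an ordinary single-link file.

```shell
#!/bin/sh
# Added demonstration, not from the original mail. Paths and contents are constructed.
set -eu

# Defender's check: regular files that are setuid or setgid AND have more than one
# hard link. Run before an upgrade, each hit is a path that will NOT be upgraded
# when the package manager renames a new file over one of its siblings.
find_multilinked_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -links +1
}

# Reproduce the scenario; prints "old=<content> new=<content> before=<n> after=<n>".
demo_setuid_upgrade() {
    work=$(mktemp -d)
    mkdir -p "$work/usr/bin" "$work/opt/stale"
    printf 'tool v1 (vulnerable)\n' > "$work/usr/bin/tool"
    chmod 4755 "$work/usr/bin/tool"                 # setuid bit on our own file
    ln "$work/usr/bin/tool" "$work/opt/stale/tool"  # the forgotten hard link, same inode

    # Before the upgrade the check flags both names (same inode, link count 2).
    before=$(find_multilinked_setuid "$work" | wc -l | tr -d ' ')

    # dpkg-style replacement: unpack under a temporary name, then rename over the target.
    # rename(2) swaps the directory entry only; the old inode keeps its other link.
    printf 'tool v2 (fixed)\n' > "$work/usr/bin/tool.dpkg-new"
    chmod 4755 "$work/usr/bin/tool.dpkg-new"
    mv "$work/usr/bin/tool.dpkg-new" "$work/usr/bin/tool"

    old=$(cat "$work/opt/stale/tool")   # still the v1 inode, still setuid
    new=$(cat "$work/usr/bin/tool")     # the v2 inode
    # After the upgrade both inodes have link count 1, so the check finds nothing:
    # the stale copy can no longer be told apart from a legitimate setuid binary.
    after=$(find_multilinked_setuid "$work" | wc -l | tr -d ' ')

    rm -rf "$work"
    printf 'old=%s new=%s before=%s after=%s\n' "$old" "$new" "$before" "$after"
}
```

Running `demo_setuid_upgrade` on a real system would be pointless; point `find_multilinked_setuid /` at a live root instead to inventory hard-linked setuid files before applying a security update.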


--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com