Bugs in Debian Linux's ircd package (fwd)




John Goerzen, Running FREE Debian | Developer for Debian GNU/Linux
jgoerzen@southwind.net            | Asst. sysadmin, Wichita State CS Dept.
jgoerzen@gesundheit.cs.twsu.edu   | All opinions are strictly my own
jgoerzen@complete.org [Owner, the Communications Centre (complete.org)]
---------- Forwarded message ----------
Date: Fri, 1 Aug 1997 23:10:57 -0500
From: Matt <ainvar@ENTERACT.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Bugs in Debian Linux's ircd package

There are a couple of bugs in the Undernet IRC Server package (ircd 2.9.32-3)
which is included in Debian Linux 1.3.1 (and probably earlier versions as
well)...

First, /etc/ircd/ is set world readable...  This directory contains the server
configuration files and irc operator passwords.  By default, the passwords are
encrypted, but anyone with crack can easily bypass this protection in a few
hours and /oper themselves!

The fix:
chmod 700 /etc/ircd/

Second, the package adds the following line to inetd.conf:
ircd            stream  tcp     wait    root    /usr/sbin/ircd ircd -i

ircd is supposed to be run as 'irc', not 'root'..!  I don't know if this is
exploitable in any way, but the irc server does -not- require root privileges.

The fix:
chown irc.irc /etc/ircd/

and

change the line in inetd.conf to
ircd            stream  tcp     wait    irc     /usr/sbin/ircd ircd -i

or (if you are running xinetd)

service ircd
{
        socket_type     = stream
        user            = irc
        wait            = yes
        server          = /usr/sbin/ircd
        server_args     = -i
}


That's all for now..
-ir (ainvar@enteract.com)
Greets to #hackhelp on the Undernet!
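
An added example, not part of the forwarded message or of the ircd package: a shell audit for the two conditions reported above, an inetd.conf entry that runs its server as root and a configuration directory that is accessible to "other". The function names are hypothetical and the sample inetd.conf is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# audit_inetd FILE: print the service name of every inetd.conf entry whose
# server program runs as root.
# Fields: service socket_type proto wait user[.group] server args...
audit_inetd() {
    awk '
        /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
        NF >= 6 {
            split($5, ug, /[.:]/)      # user field may carry a group suffix
            # "internal" marks inetd built-ins, not an external daemon
            if (ug[1] == "root" && $6 != "internal") print $1
        }
    ' "$1"
}

# dir_other_access DIR: print "open" if the "other" class has any permission
# bit on DIR (the state the advisory reports for /etc/ircd/), else "closed".
dir_other_access() {
    [ -d "$1" ] || return 2
    perms=$(ls -ld -- "$1" | cut -c8-10)
    case "$perms" in
        ---|--T) echo closed ;;
        *)       echo open ;;
    esac
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed inetd.conf: the line quoted in the advisory plus a built-in.
    printf '%s\n' \
        '# constructed sample' \
        'ircd stream tcp wait root /usr/sbin/ircd ircd -i' \
        'daytime stream tcp nowait root internal' > "$tmp/inetd.conf"
    mkdir "$tmp/ircd" && chmod 755 "$tmp/ircd"
    echo "runs as root: $(audit_inetd "$tmp/inetd.conf")"
    echo "before chmod 700: $(dir_other_access "$tmp/ircd")"
    chmod 700 "$tmp/ircd"
    echo "after chmod 700: $(dir_other_access "$tmp/ircd")"
    rm -rf "$tmp"
}
demo
```

On a real host the same functions can be pointed at /etc/inetd.conf and /etc/ircd/ directly.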

