Re: proposed-updates (was: Security hole in the form of apt-setup?)
To: czdebian-l at debian dot cz
From: Vaclav Ovsik <Vaclav dot Ovsik at i dot cz>
Date: Wed, 16 Oct 2002 12:36:13 +0200
Mail-followup-to: Vaclav Ovsik <Vaclav dot Ovsik at i dot cz>, czdebian-l at debian dot cz
User-agent: Mutt/1.3.28i
On Wed, Oct 09, 2002 at 07:49:02AM +0200, Vaclav Ovsik wrote:
> Since nobody has spoken up yet, I'd like to ask (a small poll): who
> has/doesn't have, or rather didn't have (because I hope everyone will
> add it now), the proposed-updates archive in /etc/apt/sources.list?
> If possible, write why you have it there or not, so that it is clear.
So once again I have made a fool of myself.
----- Forwarded message from Matt Zimmerman <mdz at debian dot org> -----
From: Matt Zimmerman <mdz at debian dot org>
To: Vaclav Ovsik <Vaclav dot Ovsik at i dot cz>
Cc: security at debian dot org
Subject: Re: openssl vulnerability & proposed-updates?
Mail-Followup-To: Vaclav Ovsik <Vaclav dot Ovsik at i dot cz>,
security at debian dot org
On Wed, Oct 09, 2002 at 09:57:53AM +0200, Vaclav Ovsik wrote:
> somebody told me that Debian stable has vulnerable packages of OpenSSL.
> (OpenSSL packages downloaded from security.debian.org.)
> He tested apache/mod_ssl with some exploit test ...
> Version 0.9.6c-2.woody is still vulnerable.
There was most likely a problem with his test. Please provide _exact_
details about the test, and the results, and the packages involved.
> He doesn't know about packages in proposed-updates!
> (I am editing sources.list by hand every time.
> He is using apt-setup for each entry during installation.)
> I know many people don't have proposed-updates in sources.list.
>
> Where is the problem?
> a) The security.debian.org contains vulnerable package
> b) Or apt-setup should direct user to include proposed-updates in
> sources-list?
Probably neither. In general, adding proposed-updates to sources.list is
not a good idea, as packages in proposed-updates have not been checked or
approved by anyone except the maintainer.
--
- mdz
----- End forwarded message -----
So the situation with proposed-updates is a bit clearer now.
As for the vulnerable openssl - unfortunately, nowadays you cannot rely
on anybody. I passed it back to the person who claimed it was vulnerable,
but it has been quiet for a while, so I decided to try it myself. I
downgraded openssl and checked apache to see whether it matches what is on
security.debian.org.
zito@fog:~$ dpkg -s apache libapache-mod-ssl openssl libssl0.9.6 | dpkg-awk -f - -- Package Version
Package: apache
Version: 1.3.26-0woody1
Package: libapache-mod-ssl
Version: 2.8.9-2
Package: openssl
Version: 0.9.6c-2.woody.1
Package: libssl0.9.6
Version: 0.9.6c-2.woody.1
I downloaded the exploit kit he sent me
http://packetstormsecurity.nl/0209-exploits/openssl-too-open.tar.gz
and
zito@fog:~/openssl-too-open$ ./openssl-too-open localhost
: openssl-too-open : OpenSSL remote exploit
by Solar Eclipse <solareclipse at phreedom dot org>
: Opening 30 connections
Establishing SSL connections
: Using the OpenSSL info leak to retrieve the addresses
Connection closed after KEY_ARG data was sent. Server is most likely not vulnerable.
zito@fog:~/openssl-too-open$
zito@fog:~/openssl-too-open$ ./openssl-scanner localhost
: openssl-scanner : OpenSSL vulnerability scanner
by Solar Eclipse <solareclipse at phreedom dot org>
Opening 1 connections . . done
Waiting for all connections to finish . . done
127.0.0.1: Connection closed after KEY_ARG data was sent. Server is most likely not vulnerable.
zito@fog:~/openssl-too-open$
So the conclusion is that the packages from security.debian.org (at least
for now :-) are safe. What appears in proposed-updates is not fully tested;
after testing, a new release is issued.
Once again I apologize for this unnecessary thread.
--
Vaclav Ovsik
ICZ a.s.
Plzen branch
Namesti Miru 10, 301 00 Plzen, CZ
Tel. +420 37 74 88 511
Tel. +420 37 74 88 505
Fax. +420 37 74 88 506
mailto:vaclav dot ovsik at i dot cz
http://www.i.cz