[ILUG] Going to try debian
Rick Moen
rick at linuxmafia.com
Wed Sep 8 09:05:28 IST 2004
Quoting Paul Jakma (paul at clubi.ie):
> Hmmm.. I read LWN, and I have the vague notion Debian is, more often
> than not, not the speediest to release security updates. If someone
> knew of a URL to a more rigorous analysis, that would be interesting,
> or they could trawl through:
>
> http://lwn.net/Vulnerabilities/
>
> Some of the more interesting IDs, eg commonly used software, are:
>
> http://lwn.net/Vulnerabilities/100607/
CVE _candidate_ CAN-2004-0748, dated 2004-09-02: This alleged
vulnerability in mod_ssl in conjunction with Apache2 through 2.0.50 has
(per www.cve.mitre.org) not been confirmed, and is under review by the
CVE Editorial Board.
However, Debian 3.0 "woody" packages are not vulnerable to the claimed
bug (because Apache2 isn't packaged for it):
http://www.debian.org/security/nonvulns-woody
The Debian 3.1 "sarge" package might have been, briefly, if the bug is
ever confirmed to exist and be significant.
> http://lwn.net/Vulnerabilities/94732/
This is two bugs: CAN-2004-0600 (2004-07-22) concerns the SWAT utility
for Samba 3.0.2 through 3.0.4 being vulnerable in theory to a particular
invalid base64-encoded input character, during HTTP basic
authentication.
The Samba packages in Debian 3.0 "woody" aren't vulnerable because
they're still maintained at Samba v. 2.2.3a with backported fixes of
significant bugs and security holes.
The Samba packages in Debian 3.1 "sarge" weren't vulnerable because they
were upgraded (2004-07-22) to Samba v. 3.0.5 (and later to 3.0.6).
The other bug, CAN-2004-0686, a claimed buffer overflow bug in the
"mangling method = hash" functionality of Samba 3.0.2 through 3.0.4,
is again a _candidate_ vulnerability. It has never been confirmed,
is (theoretically) "under review", and basically nobody cared about it
because it went away with Samba 3.0.5.
Debian aspects: See remarks about the other half of this item, which
likewise apply here.
> http://lwn.net/Vulnerabilities/100358/
Theoretical DoS attack (integer overflow leading to kernel oops) against
kernel 2.6.5's knfsd and XDR decode functions. Oddly, nobody but SUSE
reported this, or claimed to have fixed it.
Debian 3.0 "woody" packages weren't vulnerable because I'm pretty sure
there weren't any 2.6 prepared kernel official packages for "woody".
Were Debian 3.1 "sarge" kernel 2.6.5 packages vulnerable, and if so for
how long? Damned if I know. If anyone seriously cares, I can go hunt
down changelogs.
> http://lwn.net/Vulnerabilities/97725/
Remote possible code execution vulnerability claimed to exist in the MSN
Messenger plug-in for Gaim IRC client versions 0.81 and prior (strncpy
call), reported 2004-08-12 as CAN-2004-0500. Again, this is a
_candidate_ vulnerability, has never been confirmed, and is
(theoretically) "under review".
Debian 3.0 "woody": Packages aren't vulnerable because they're still
maintained at Gaim v. 0.58 with backported fixes of significant bugs and
security holes.
Debian 3.1 "sarge": Package for Gaim 0.82.1 was released 2004-08-29.
There was probably a 0.82 package earlier, but I can't find its release
date. For that matter, the fix might have been released in a 0.81
backport; I'd have to go find the changelog, to be sure.
> http://lwn.net/Vulnerabilities/96389/
Possible local privilege escalation (possible race conditions for memory
access) in 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7,
reported 2004-08-03 as CAN-2004-0415. Again, this is a _candidate_
vulnerability, has never been confirmed, and is (theoretically) "under
review".
Debian 3.0 "woody": Fix backported to the 2.4.26 kernel image's package
version 1woody.1 (i.e., 2.4.26-1woody.1) on 2004-08-19.
Debian 3.1 "sarge": Fix backported to the 2.4.26 kernel image's package
version #6 (i.e., 2.4.26-6), on 2004-08-19.
These were fixed with the urgency field set to "low" in the changelog,
because nobody made a plausible case for exploitability.
> http://lwn.net/Vulnerabilities/93071/
Ethereal various vulnerabilities amounting to a possible DoS (crashing
ethereal; no other ramifications): CAN-2004-0633 (candidate only,
reported 2004-07-07), CAN-2004-0634 (candidate only, reported
2004-07-07), CAN-2004-0635 (candidate only, reported 2004-07-07). Of
those, only the last affected Debian 3.0 "woody" versions. Here's a
copy of the Debian Security Advisory, dated 2004-07-17:
http://lwn.net/Alerts/94075/
> etc.
Yep, one could spend all evening tracking those down.
> For those where no debian advisory is listed: it could partly be due
> to debian not shipping affected versions of the software, but some of
> the vulnerabilities above affect wide-ranging swathes of versions of
> the software concerned.
But the closer one looks in the particular cases you cited, the less is
there to look at. The Debian Security Team try to concentrate on
_significant_ bugs first. Ditto the 1000+ Debian developers for whom the
Security Team are intended to be just a fallback measure.
--
Cheers,
Rick Moen
rick at linuxmafia.com
Facta tua Restitueri ad Status Pristinus Eius.
(May your data be restored to its original pristine condition.)