DEBIAN USERS READ THIS

Thread: DEBIAN USERS READ THIS

  1. #1
    Senior Member
    Join Date
    Sep 2002
    Posts
    421

    DEBIAN USERS READ THIS

    It seems the debian server infrastructure has been compromised. Do not apt-get anything from the official security servers right now. And take a very close look at anything that you installed from there during the last 2 days. Here's the official announcement:

    http://cert.uni-stuttgart.de/files/f...y-20031121.txt

    Relevant mailing list threads:
    http://news.gmane.org/onethread.php?...0wanadoo.fr%3E
    http://news.gmane.org/onethread.php?...ecurity.net%3E

  2. #2

    Re:DEBIAN USERS READ THIS

    Aren't archives GPG signed? It would be a terrible security flaw if they weren't, and I can't see a system as robust as Debian overlooking something like this.

  3. #3
    Senior Member
    Join Date
    Sep 2002
    Posts
    421

    Re:DEBIAN USERS READ THIS

    There are md5sums for all security packages. But afaik there's no automated md5sum check during updates. I run an apt-get server at work that I download all relevant security updates to, make an md5sum check and only then have the other servers grab the updates from this host.

  4. #4
    Junior Member
    Join Date
    Aug 2003
    Posts
    76

    Re:DEBIAN USERS READ THIS

    hmm even my lowly distro has md5sum checking during upgrade (it was just introduced recently after being in development for some time).

    pacman>apt

  5. #5
    Moderator
    Good Guru
    Compunuts's Avatar
    Join Date
    May 2001
    Location
    California
    Posts
    3,935

    Re:DEBIAN USERS READ THIS

    Even with MD5SUM, it can be compromised. What MD5 does is just count the number of bits and match it with original numbers. A cracker can modify the source, put in useless fill-ins to match the number of bits that MD5 will check and make it look official.

  6. #6
    Senior Member
    Join Date
    Sep 2002
    Posts
    421

    Re:DEBIAN USERS READ THIS

    [quote author=Compunuts link=board=5;threadid=8171;start=0#msg74613 date=1070263087]
    Even with MD5SUM, it can be compromised. What MD5 does is just count the number of bits and match it with original numbers. A cracker can modify the source, put in useless fill-ins to match the number of bits that MD5 will check and make it look official.
    [/quote]

    I doubt it's as simple as that. Correct me if I'm wrong but afaik nobody found a way to do a "(md5sum)^(-1)" (I mean when you have the hash and want to draw conclusions on the file (the bit pattern) that led to this hash). This leaves a trial and error approach which seems a ridiculous attempt given that only two bit patterns in 2^(128)+1 lead to the same hash.

    Anyways, there is apt-secure and debsig-verify. Both verify the package integrity by means of md5sum checks or gpg key signature checks prior to installation. I'm not sure how far advanced the development of these packages is but I doubt there are official versions for woody.

    The Security Team set up a page with information on the compromise and the clean-up status. The thing that really worries me is this passage: "a sniffed password was used to access an (unprivileged) account on klecker.debian.org. Somehow they got root on klecker and installed suckit."

    Somehow?? -- maybe there's a local root exploit in the wild...

    So everybody, watch out.
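    The staging workflow described in #3 (download the updates to one host, check the md5sums, and only then let the other machines fetch from it) and the pre-installation integrity check #6 mentions, written out as an added shell example. This is not code from the thread, from apt-secure or from debsig-verify; the directory layout, package file names and checksum list are constructed for the demonstration, and the checksum list is assumed to have been obtained and verified over a trusted channel, since checking files against a list that arrived alongside them from a compromised server proves nothing.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical layout:
#   INCOMING_DIR  freshly downloaded .deb files, not yet trusted
#   MIRROR_DIR    the directory the other servers apt-get from
#   CHECKSUM_FILE trusted list in md5sum(1) output format: "<md5hex>  <name>"
# Only files whose checksum matches the trusted list are moved into the
# mirror; anything missing or mismatching stays quarantined in INCOMING_DIR.
# The same script works unchanged with sha256sum if the list uses it.

# verify_and_stage INCOMING_DIR MIRROR_DIR CHECKSUM_FILE
# Returns 0 if every listed file verified and was staged, 1 otherwise.
verify_and_stage() {
    incoming=$1; mirror=$2; sums=$3
    status=0
    mkdir -p "$mirror"
    while read -r expected name; do
        [ -z "$name" ] && continue
        file="$incoming/$name"
        if [ ! -f "$file" ]; then
            echo "MISSING $name" >&2
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            mv "$file" "$mirror/$name"
            echo "OK      $name"
        else
            # Mismatch: leave the file where it is for inspection, never serve it.
            echo "BAD     $name (expected $expected, got $actual)" >&2
            status=1
        fi
    done < "$sums"
    return $status
}

# Constructed demonstration data: one intact package and one that was altered
# after the checksum list was written. Sets DEMO_DIR for the caller and
# returns the status of verify_and_stage.
demo() {
    DEMO_DIR=$(mktemp -d)
    mkdir -p "$DEMO_DIR/incoming"
    printf 'good package contents\n' > "$DEMO_DIR/incoming/good_1.0_i386.deb"
    printf 'original contents\n'     > "$DEMO_DIR/incoming/evil_1.0_i386.deb"
    # Record the checksums as the trusted list would have them ...
    (cd "$DEMO_DIR/incoming" && md5sum good_1.0_i386.deb evil_1.0_i386.deb) \
        > "$DEMO_DIR/md5sums"
    # ... then tamper with one file after the fact.
    printf 'trojaned contents\n' > "$DEMO_DIR/incoming/evil_1.0_i386.deb"
    verify_and_stage "$DEMO_DIR/incoming" "$DEMO_DIR/mirror" "$DEMO_DIR/md5sums"
}

# Run as `sh stage.sh demo` to see the constructed case: good_1.0_i386.deb is
# staged, evil_1.0_i386.deb is reported BAD and left in incoming/.
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

    The important design point is the separation of trust: the checksum list is the reference, the downloaded files are the thing being judged, and a failed check leaves the file in quarantine rather than deleting it, so the evidence is still there when you want to look at what actually arrived.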

  7. #7

    Re:DEBIAN USERS READ THIS

    So it turns out it was a kernel exploit...and one that Andrew Morton found and fixed in 2.4.23! Upgrade those boxes all...local root exploit on anything but the latest and greatest.

    Now Debian is finally free again. I tell you it's been a pretty crappy week to be using Debian with the entire project frozen like a deer in the headlights. No debian websites being updated, people.debian.org down, apt-repositories not being updated. Hopefully things will get back to 100% soon.

  8. #8

  9. #9
    Moderator
    Good Guru
    Compunuts's Avatar
    Join Date
    May 2001
    Location
    California
    Posts
    3,935

    Re:DEBIAN USERS READ THIS

    [quote author=Tyr_7BE link=board=5;threadid=8171;start=0#msg74644 date=1070344014]
    So it turns out it was a kernel exploit...and one that Andrew Morton found and fixed in 2.4.23![/quote]
    Yeah, it was first classified as low level risk. Now it's become high alert.
    The exploit only works on 2.4 kernels lower than 23. My gateway box is 2.2.20 so I'm good ...... ( now you know why Debian stable is STABLE ). ;D

    [quote]Now Debian is finally free again. I tell you it's been a pretty crappy week to be using Debian with the entire project frozen like a deer in the headlights.[/quote]
    I know what you mean ....

    Now I feel better but not knowing what was wrong was the worst of all.

  10. #10

    Re:DEBIAN USERS READ THIS

    They're still not updating the debs for unstable >
