Welcome to Debian Weekly News, a newsletter for the Debian
For years we've known that Debian's means of getting packages
and releases out to users is lacking from a security standpoint.
There has been no way to know that the package you just downloaded
was really made by a Debian developer and is really a part of a
current Debian release. This is rapidly changing, and soon users
will have two complementary ways to verify that they are installing
legitimate packages. This week a patch was posted to the
debian-dpkg list that adds support to dpkg for checking signatures
of Debian packages. The signatures are held in a new section of the
package itself, and tools are entering Debian now to add and check
such signatures. This type of package signing parallels similar
techniques that have been present in the rpm world for a long time,
and they are a welcome addition to dpkg, but their usefulness
should not be over-emphasized.
Signed packages alone still leave open several avenues of
attack. Various evil things can be done to the Packages file, or
by tricking apt into downloading an old and insecure package.
Closing off these attacks requires another layer of security --
signed releases. Already Release.gpg files are appearing on the
archive, and apt will soon be able to verify these signatures when
it upgrades a Debian system. In the final analysis, neither of
these schemes guarantees absolute security, but they will make
attacks much harder for the black hats, and perhaps by the time
woody is released, both types of signatures will be widely
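To make concrete what the second layer adds, here is an added example (not code from the page, dpkg or apt) of the client-side checks a signed Release file enables: an index such as Packages is accepted only if its hash and size match the signed Release entry, never falling back to a weaker hash section, and a Release whose Date is older than the last accepted one is flagged as a replayed (downgrade) index. It assumes the detached signature in Release.gpg has already been verified with gpg over the Release text, and the sample Release and Packages data are constructed.

```python
import hashlib
from email.utils import parsedate_to_datetime

# Hash sections a Release file may carry, strongest first.  A 2001-era
# Release file listed only MD5Sum; the parser handles whichever are present.
HASH_SECTIONS = (("SHA256", hashlib.sha256), ("SHA1", hashlib.sha1), ("MD5Sum", hashlib.md5))

def parse_release(text):
    """Return ({section: {path: (hexdigest, size)}}, Date) parsed from a Release file."""
    sections, date, current = {}, None, None
    for line in text.splitlines():
        if line.startswith("Date:"):
            date = parsedate_to_datetime(line[5:].strip())
        if line.startswith(" ") and current:                  # indented entry: "hash size path"
            digest, size, path = line.split()
            sections[current][path] = (digest.lower(), int(size))
        elif line.endswith(":") and line[:-1] in dict(HASH_SECTIONS):
            current = line[:-1]
            sections[current] = {}
        else:
            current = None
    return sections, date

def verify_index(release_text, path, data):
    """Check a fetched index (e.g. main/binary-i386/Packages) against the strongest
    hash section that lists it.  Returns the section name used, or None on failure.
    Assumes the caller already verified Release.gpg over release_text with gpg."""
    sections, _ = parse_release(release_text)
    for name, algo in HASH_SECTIONS:
        entry = sections.get(name, {}).get(path)
        if entry is None:
            continue
        digest, size = entry
        ok = len(data) == size and algo(data).hexdigest() == digest
        return name if ok else None                            # never fall back to a weaker hash
    return None                                                # index not listed at all

def is_replay(release_text, last_accepted_date):
    """A signed Release older than the last accepted one is a replayed index:
    a valid signature alone would still let stale, insecure packages be served."""
    _, date = parse_release(release_text)
    return date is None or date < last_accepted_date

# Constructed sample data: a one-package index and the Release file describing it.
PACKAGES = b"Package: foo\nVersion: 1.0-1\nFilename: pool/main/f/foo_1.0-1_i386.deb\n\n"
RELEASE = (
    "Origin: Debian\nSuite: stable\nDate: Sat, 17 Mar 2001 12:00:00 UTC\n"
    "MD5Sum:\n {0} {2} main/binary-i386/Packages\n"
    "SHA256:\n {1} {2} main/binary-i386/Packages\n"
).format(hashlib.md5(PACKAGES).hexdigest(), hashlib.sha256(PACKAGES).hexdigest(), len(PACKAGES))

if __name__ == "__main__":
    print(verify_index(RELEASE, "main/binary-i386/Packages", PACKAGES))         # SHA256
    print(verify_index(RELEASE, "main/binary-i386/Packages", PACKAGES + b"x"))  # None
```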
Preparations are underway for an update to stable, Debian
version 2.2r3. As in most minor revisions, packages with security
problems, copyright issues, or very bad bugs are candidates to be
updated in this release. It may also include updates to make it
compatible with the 2.4 kernel, since all the necessary packages
are already backported. Martin Schulze is coordinating the
new release, and his list of packages that will get in is available
on the web.
DPL elections are under way, after a few false starts.
Developers can pick up a ballot and mail it in, gpg-signed.
Voting ends on the 28th.
Another bug squashing party is planned for this weekend.
Nearly 350 release critical bugs remain after the last party, and
they all need to be fixed before woody is released, so anyone with
spare time this weekend is encouraged to lend a hand and fix a bug
Some weeks, unending security fixes pour into Debian. This was such a
week. Some of these announcements are for problems that were actually
fixed earlier but not announced, but many are brand-new security
* Several minor bugs in stable's proftpd package could lead to
minor security problems.
* A remotely exploitable buffer overflow in analog could be
exploited via the CGI interface.
* Several buffer overflows in ePerl were discovered that could
lead to a remote root exploit in some setups.
* A remote denial of service attack was found in man2html -- it
could be forced to consume all memory.
* A local exploit in midnight commander.
* All of the xaw replacement libraries (nextaw, xaw3d, and xaw95)
were updated to fix some security holes that were earlier
found and fixed in xaw itself.
* A temp file security hole was fixed in sgml-tools.
* Two security holes in stable's glibc, both root exploits, were
fixed. (Note that the fix broke ldd on suid binaries, so an update
will probably be released eventually to fix that.)
* A remotely exploitable buffer overflow in stable's slrn.
* Joe unsafely read .joerc from the current directory; this was
locally exploitable if joe was run in directories such as /tmp/.
* A remotely exploitable buffer overflow in gnuserv and xemacs.
* Several remote exploits in Zope.
* A buffer overflow in mailx that could locally yield access to
the mail group.