Linux Today: Linux News On Internet Time.

Debian Weekly News - March 14th, 2001

Mar 15, 2001, 02:08 (0 Talkback[s])
(Other stories by Joey Hess)

Date: Wed, 14 Mar 2001 17:01:07 -0800
From: Joey Hess joeyh@debian.org
To: debian-news@lists.debian.org
Subject: Debian Weekly News - March 14th, 2001

Debian Weekly News
Debian Weekly News - March 14th, 2001

Welcome to Debian Weekly News, a newsletter for the Debian community.

For years we've known that Debian's means of getting packages and releases out to users is lacking from a security standpoint. There has been no way to know that the package you just downloaded was really made by a Debian developer and is really a part of a current Debian release. This is rapidly changing, and soon users will have two complimentary ways to verify that they are installing legitimate packages. This week a [1]patch was posted to the debian-dpkg list that adds support to dpkg for checking signatures of Debian packages. The signatures are held in a new section of the package itself, and tools are entering Debian now to add and check such signatures. This type of package signing parallels similar techniques that have been present in the rpm world for a long time, and they are a welcome addition to dpkg, but their usefulness should not be over-emphasized.

Signed packages alone still leave open several avenues of attack. Various evil things can be done to the [2]Packages file, or by tricking apt into downloading an [3]old and insecure package. Closing off these attacks requires another layer of security -- signed releases. Already Release.gpg files are appearing on the archive, and apt will soon be able to verify these signatures when it upgrades a Debian system. In the final analysis, neither of these schemes guarantees absolute security, but they will make attacks much harder for the black hats, and perhaps by the time woody is released, both types of signatures will be widely available.

Preparations are underway for an update to stable, Debian version 2.2r3. As in most minor revisions, packages with security problems, copyright issues, or very bad bugs are candidates to be updated in this release. It may also include updates to make it compatible with the 2.4 kernel, since all the necessary packages are [4]already backported. Martin Schulze is [5]coordinating the new release, and his list of packages that will get in is available [6]on the web.

DPL elections are under way, after a few false starts. Developers can pick up a [7]ballot and mail it in, gpg-signed. Voting ends on the 28th.

Another bug squashing party is planned for [8]this weekend. Nearly 350 release critical bugs remain after the last party, and they all need to be fixed before woody is released, so anyone with spare time this weekend is encouraged to lend a hand and fix a bug or two.

Some weeks, unending security fixes pour into Debian. This was such a
week. Some of these announcements are for problems that were actually
fixed earlier but not announced, but many are brand-new security
  * [9]Several minor bugs in stable's proftpd package could lead to
    minor security problems.
  * A remotely exploitable [10]buffer overflow in analog could be
    exploited via the CGI interface.
  * Several [11]buffer overflows in ePerl were discovered that could
    lead to a remote root exploit in some setups.
  * A [12]remote denial of service attack was found in man2html -- it
    could be forced to consume all memory.
  * A [13]local exploit in midnight commander.
  * All of the xaw replacement libraries (nextaw, xaw3d, and xaw95)
    were updated to fix some [14]security holes that were earlier
    found and fixed in xaw itself.
  * A [15]temp file security hole was fixed in sgml-tools.
  * [16]Two security holes in stable's glibc, both root exploits, were
    fixed. (Note that the fix broke ldd on suid binaries, so an update
    will probably be released eventually to fix that.)
  * A [17]remotely exploitable buffer overflow in stable's slrn.
  * Joe [18]unsafely read .joerc from the current directory, this was
    locally exploitable joe was ran in directories such as /tmp/.
  * A [19]remotely exploitable buffer overflow in gnuserv and xemacs.
  * Several [20]remote exploits in Zope.
  * A [21]buffer overflow in mailx that could locally yield access to
    the mail group.
The security team deserves many thanks for all their hard work this week.
1. http://lists.debian.org/debian-dpkg-0103/msg00024.html
2. http://lists.debian.org/debian-dpkg-0103/msg00046.html
3. http://lists.debian.org/debian-dpkg-0103/msg00035.html
4. http://www.fs.tum.de/~bunk/kernel-24.html
5. http://lists.debian.org/debian-devel-announce-0103/msg00008.html
6. http://master.debian.org/~joey/2.2r3/
7. http://lists.debian.org/debian-devel-announce-0103/msg00005.html
8. http://lists.debian.org/debian-devel-announce-0103/msg00009.html
9. http://www.debian.org/security/2001/dsa-032
10. http://www.debian.org/security/2001/dsa-033
11. http://www.debian.org/security/2001/dsa-034
12. http://www.debian.org/security/2001/dsa-035
13. http://www.debian.org/security/2001/dsa-036
14. http://www.debian.org/security/2001/dsa-037
15. http://www.debian.org/security/2001/dsa-038
16. http://www.debian.org/security/2001/dsa-039
17. http://www.debian.org/security/2001/dsa-040
18. http://www.debian.org/security/2001/dsa-041
19. http://www.debian.org/security/2001/dsa-042
20. http://www.debian.org/security/2001/dsa-043
21. http://lists.debian.org/debian-security-announce-01/msg00042.html

see shy jo