Search the Community

A bug in Linux kernel that was discovered two years ago, but was not considered a security threat at that time, has now been recognised as a potential local privilege escalation flaw. Identified as CVE-2017-1000253, the bug was initially discovered by Google researcher Michael Davidson in April 2015. Since it was not recognised as a serious bug at that time, the patch for this kernel flaw was not backported to long-term Linux distributions in kernel 3.10.77. However, researchers at Qualys Research Labs has now found that this vulnerability could be exploited to escalate privileges and it affects all major Linux distributions, including Red Hat, Debian, and CentOS. The vulnerability left "all versions of CentOS 7 before 1708 (released on September 13, 2017), all versions of Red Hat Enterprise Linux 7 before 7.4 (released on August 1, 2017), and all versions of CentOS 6 and Red Hat Enterprise Linux 6 are exploitable," Qualys said in an advisory published yesterday. The vulnerability, which has been given a CVSS3 Base Score of 7.8 out of 10, resides in the way Linux kernel loads ELF executables, which potentially results in memory corruption. Researchers find that an unprivileged local user with access to SUID (or otherwise privileged) Position Independent Executable (PIE) binary could use this vulnerability to escalate their privileges on the affected system. In order to mitigate this issue, users can switch to the legacy mmap layout by setting vm.legacy_va_layout to 1, which will effectively disable the exploitation of this security flaw. Since the mmap allocations start much lower in the process address space and follow the bottom-up allocation model, "the initial PIE executable mapping is far from the reserved stack area and cannot interfere with the stack." Qualys says this flaw is not limited to the PIEs whose read-write segment is larger than 128MB, which is the minimum distance between the mmap_base and the highest address of the stack, not the lowest address of the stack. So, when passing 1.5GB of argument strings to execve(), any PIE can be mapped directly below the stack and trigger the vulnerability. Linux distributions, including Red Hat, Debian, and CentOS, have released security updates to address the vulnerability. The Qualys team has promised to publish a proof-of-concept soon exploit that works on CentOS-7 kernel versions "3.10.0-514.21.2.el7.x86_64" and "3.10.0-514.26.1.el7.x86_64," once a maximum number of users have had time to patch their systems against the flaw. Via https://thehackernews.com/2017/09/linux-kernel-hacking.html

GitHub has revoked an unknown number of cryptographic keys used to access accounts after a developer found they contained a catastrophic weakness that came to light some seven years ago. The keys, which allow authorized users to log into public repository accounts belonging to the likes of Spotify, Yandex, and UK government developers, were generated using a buggy pseudo random number generator originally contained in the Debian distribution of Linux. During a 20-month span from 2006 to 2008, the pool of numbers available was so small that it made cracking the secret keys trivial. Almost seven years after Debian maintainers patched the bug and implored users to revoke old keys and regenerate new ones, London-based developer Ben Cartwright-Cox said he discovered the weakness still resided in a statistically significant number of keys used to gain secure shell (SSH) access to GitHub accounts. "If you have just/as of late gotten an email about your keys being revoked, this is because of me, and if you have, you should really go through and make sure that no one has done anything terrible to you, since you have opened yourself to people doing very mean things to you for what is most likely a very long time," Cartwright-Cox wrote in a blog post published Monday. "It would be safe to assume that due to the low barrier of entry for this, that the users that have bad keys in their accounts should be assumed to be compromised and anything that allowed that key entry may have been hit by an attacker." Cartwright-Cox told Ars that he found about 94 keys on GitHub that contained the Debian-derived weakness. He said that after he reported his finding to GitHub officials in March he learned the actual number of site users was much higher. GitHub revoked the keys early last month, he said. GitHub officials didn't respond to a request to comment. Separately, the UK developer said he found nine GitHub SSH keys that contained woefully insufficient numbers of bits. Two of them had only 256 bits, making it possible for him to factor them and clone the private key in less than an hour. The remaining seven had only have 512 bits. During the time the Debian bug was active, the pool of bits available when generating OpenSSH keys was so limited that there were only 32,767 possible outcomes for a given architecture, key size, and key type. Cartwright-Cox said attackers could have used the same methods he employed to find weak keys and then used several techniques to gain unauthorized access to the accounts the keys protected. The task would have been aided by obtaining the list of insecure Debian SSH keys off one or more public sites, such as this one. In an e-mail, he elaborated: If I wanted to be more noisy I could have just done what I said [in the blog post] and looped though the keys, that may or may not have set off alarms at Github itself (I'd give it a 25% chance that it would). So the breakdown of how this could have been done is the following: Grab the bad key list. It contains the public and private parts of all the SSH keys that would have been made if the user had a version of OpenSSH that had Debian RNG bug, then get each private key on the list, and try to log into GitHub's ssh with them. Depending on what key you succeed with it will tell you what user name it matches up with, in the example I provided since my key is loaded it tells me "Hi benjojo! You've successfully authenticated, but GitHub does not provide shell access." but if I was to try with a weak key that matched up with another user it would say "Hi {user}! You've successfully authenticated, but GitHub does not provide shell access." and then I know what user I can compromise with that. Technically, attackers don't even need the private key to see if a site accepts authentication from a user, HD Moore, chief research officer at Rapid7 and co-founder of the Metasploit hacking framework, told Ars. Just the public key and this Metasploit module will do. "This trick can also be used to see what internet-facing servers allow logins from what public keys, even if the private key is not available, which is a neat reconnaissance/opsec technique," Moore said. The randomness bug was introduced in late 2006, when Debian maintainers removed two lines of code in the OpenSSL code base in an attempt to fix warnings received by some users. In the process, the maintainers wiped out almost all of the entropy that OpenSSL relied on for its randomness engine. The epic mistake, which eventually migrated to the Ubuntu distribution of Linux as well, wasn't diagnosed for 20 months, and by that time an untold number of cryptographic keys had been generated. The bug was unusual in that installing a patch was only the beginning of the healing process. To fully recover, users had to revoke any keys made during that 20-month period and generate new ones using the updated OS. The discovery that GitHub users continued to rely on these hopelessly weak keys eight years after they came to light is testament to just how monumental the Debian debacle was and how hard it is for users to mop up after the mess it created. Source

Several security holes that affect Tails 1.3 are now fixed in Tails 1.3.1. We strongly encourage you to upgrade to Tails 1.3.1 as soon as possible. Details Tor Browser: Mozilla Foundation Security Advisory 2015-28, Mozilla Foundation Security Advisory 2015-29 Linux: CVE-2015-1465, CVE-2015-1420 and CVE-2015-1593 OpenSSL: Debian Security Advisory 3197 file and libmagic: Debian Security Advisory 3196 libxfont: Debian Security Advisory 3194 tcpdump: Debian Security Advisory 3193 libgnutls26: Debian Security Advisory 3191 libav: Debian Security Advisory 3189 FreeType 2: Debian Security Advisory 3188 ICU: Debian Security Advisory 3187 NSS: Debian Security Advisory 3186 libgcrypt11: Debian Security Advisory 3185 GnuPG: Debian Security Advisory 3184 libssh2: Debian Security Advisory 3182 libarchive and bsdtar: Debian Security Advisory 3180 libgtk2-perl: Debian Security Advisory 3173 CUPS: Debian Security Advisory 3172 https://tails.boum.org/security/Numerous_security_holes_in_1.3/index.en.html

De la ultimul update pe debian, flashplayer nu mai functioneaza pe Chromium. Puteti face oricate update-uri doriti, rezultatul este 0. Cauza este pepperflashplugin-nonfree ; El cere GLIBC_2.14 in timp ce Debian wheezy are GLIBC_2.13. Cam cum se intampla cu orice librarie sau binar nenorocit care nu este compilat la noi in sistem si este oferit ca 'binary'. Erori: root@hp:~# ldd /usr/lib/pepperflashplugin-nonfree/libpepflashplayer.so /usr/lib/pepperflashplugin-nonfree/libpepflashplayer.so: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.14' not found (required by /usr/lib/pepperflashplugin-nonfree/libpepflashplayer.so) linux-vdso.so.1 => (0x00007ffff53da000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff7d203b000) librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007ff7d1e33000) libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007ff7d1b2b000) libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007ff7d18a9000) libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007ff7d1693000) libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007ff7d1476000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff7d10eb000) Quickfix: O versiune de chrome din luna august din care luam libpepflashplayer.so: root@hp:~# wget http://mirror.pcbeta.com/google/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_37.0.2062.94-1_amd64.deb --2014-09-17 21:43:03-- http://mirror.pcbeta.com/google/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_37.0.2062.94-1_amd64.deb Resolving mirror.pcbeta.com (mirror.pcbeta.com)... 113.107.42.25 Connecting to mirror.pcbeta.com (mirror.pcbeta.com)|113.107.42.25|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 49195682 (47M) [application/octet-stream] Saving to: `google-chrome-stable_37.0.2062.94-1_amd64.deb' 100%[===============================================>] 49,195,682 4.31M/s in 16s 2014-09-17 21:43:21 (2.91 MB/s) - `google-chrome-stable_37.0.2062.94-1_amd64.deb' saved [49195682/49195682] root@hp:~# dpkg -x google-chrome-stable_37.0.2062.94-1_amd64.deb ./tmp root@hp:~# cd tmp/ root@hp:~/tmp# find ./ -name *.so ./opt/google/chrome/libwidevinecdm.so ./opt/google/chrome/libpdf.so ./opt/google/chrome/libffmpegsumo.so ./opt/google/chrome/libppGoogleNaClPluginChrome.so ./opt/google/chrome/lib/libpeerconnection.so ./opt/google/chrome/PepperFlash/libpepflashplayer.so ./opt/google/chrome/libwidevinecdmadapter.so root@hp:~/tmp# cp ./opt/google/chrome/PepperFlash/libpepflashplayer.so /usr/lib/pepperflashplugin-nonfree/ root@hp:~/tmp# ldd ./opt/google/chrome/PepperFlash/libpepflashplayer.so linux-vdso.so.1 => (0x00007fffcf10f000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1c8e89c000) librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f1c8e694000) libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f1c8e38c000) libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f1c8e10a000) libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f1c8def4000) libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f1c8dcd7000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c8d94c000) /lib64/ld-linux-x86-64.so.2 (0x00007f1c8fc26000) Functioneaza perfect dupa asta. ** Nu uitati sa inchideti si sa deschideti chromium **

This tutorial is to show you how to install a proxy on Debian 7 using SQUID3 In order for this to work correctly you will need to follow these instructions. First you need to download the script, this can be done by running: wget http://rmlh.me/dw/squid.sh Login as root to the server that you will install SQUID on and with our favourite text editor and some copy/paste technique we will create the executable script. nano squid.sh Paste the text in the code section above and save the file. Make it executable with this command chmod +x ./squid-install.sh Execute the script and follow the instructions. You will actually only need to enter a username and password that will protect the proxy from anonymous use. The username and password is shown in clear-text when entering them, this is the only time they will be shown in clear-text so make sure no one is watching over your shoulder. ./squid.sh When everything is installed you will see the IP and username needed to connect to your proxy. To add another user you can run this command on the server running your Squid proxy server. htpasswd -b /etc/squid3/squid_passwd username password Change username to the username you would like to add and password to the password you would like to use. Source

Un simplu tutorial despre mailgraph. Mailgraph este un frontend (web/cgi) cu ajutorul caruia puteti face grafice pentru serverul de email pentru a tine o evidenta clara a mesajelor primite/trimise cat si a mesajelor rejectate, blocate sau care contin virusi. Pe debian, instalarea este foarte simpla si consta in doi pasi. 1. Instalare pachet mailgraph. 2. Configurare director web cu ExecCGI (adaugare permisiune) ------- Instalare mailgraph root@ns:~# apt-get install mailgraph Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: fontconfig libcairo2 libdatrie1 libdbi1 libfile-tail-perl libpango1.0-0 libpixman-1-0 librrd4 librrds-perl libthai-data libthai0 libxcb-render0 libxcb-shm0 libxft2 libxrender1 ttf-dejavu ttf-dejavu-extra Suggested packages: ttf-baekmuk ttf-arphic-gbsn00lp ttf-arphic-bsmi00lp ttf-arphic-gkai00mp ttf-arphic-bkai00mp The following NEW packages will be installed: fontconfig libcairo2 libdatrie1 libdbi1 libfile-tail-perl libpango1.0-0 libpixman-1-0 librrd4 librrds-perl libthai-data libthai0 libxcb-render0 libxcb-shm0 libxft2 libxrender1 mailgraph ttf-dejavu ttf-dejavu-extra 0 upgraded, 18 newly installed, 0 to remove and 0 not upgraded. Need to get 4,812 kB of archives. After this operation, 12.8 MB of additional disk space will be used. Do you want to continue [Y/n]? y ...... Pentru a accesa pe web mailgraph-ul, eu am facut un virtualhost. DocumentRoot-ul acestuia este in "/var/www/tools". Am facut un director denumit mailgraph pentru a putea accesa cu virtualhost/mailgraph si apoi am editat fisierul de configuratie al virtualhost-ului in care am adaugat permisiunea de a se executa scriptul cgi necesar randarii graficelor. Directorul mailgraph in virtualhost. Aici am copiat scriptul mailgraph.cgi root@ns:~# cd /var/www/tools/mailgraph root@ns:/var/www/tools/mailgraph# cp /usr/lib/cgi-bin/mailgraph.cgi . Sectiune in fisierul de configurare al virtualhost-ului. <Directory "/var/www/tools/mailgraph"> Options +ExecCGI AddHandler cgi-script .cgi </Directory> Sunteti curiosi cum arata ?

Daca doriti sa fiti notificati atunci cand sunt disponibile update-uri la pachetele de pe Debian, puteti utiliza apticron. Apticron este un script bash ce este rulat din crontab si verifica daca exista upgrade-uri la pachetele instalate. In cazul in care exista, va trimite o notificare detaliata prin email. Este foarte customizabil si util. Instalarea acestuia se face foarte simplu: root@pluto:~# apt-get install apticron Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: apticron 0 upgraded, 1 newly installed, 0 to remove and 70 not upgraded. Need to get 20.1 kB of archives. After this operation, 88.1 kB of additional disk space will be used. Get:1 http://ftp.de.debian.org/debian/ wheezy/main apticron all 1.1.55 [20.1 kB] Fetched 20.1 kB in 0s (120 kB/s) Preconfiguring packages ... Selecting previously unselected package apticron. (Reading database ... 53927 files and directories currently installed.) Unpacking apticron (from .../apticron_1.1.55_all.deb) ... Processing triggers for man-db ... Setting up apticron (1.1.55) ... Creating config file /etc/apticron/apticron.conf with new version Creating config file /etc/cron.d/apticron with new version root@pluto:~# Am editat fisierul '/etc/apticron/apticron.conf' si l-am configurat dupa cum urmeaza: EMAIL="tex@myfuckingdomain.org" SYSTEM="pluto.myfuckingdomain.org" IPADDRESSNUM="1" CUSTOM_SUBJECT="Pluto Server - available update packages" CUSTOM_FROM="system@myfuckingdomain.org" Am sters fisierul '/etc/cron.d/apticron' si am adaugat in loc de el un crontab in '/etc/crontab' care sa ruleze la ora 10.30: root@pluto:~# rm -f /etc/cron.d/apticron root@pluto:~# echo "30 10 * * * root if test -x /usr/sbin/apticron; then /usr/sbin/apticron --cron; else true; fi" >> /etc/crontab Cam asa arata reportul trimis pe email: apticron report [Thu, 03 Apr 2014 23:24:38 +0100] ======================================================================== apticron has detected that some packages need upgrading on: pluto.myfuckingdomain.org [ 188.240.xx 94.177.xx 94.177.xx 188.240.xx ] The following packages are currently pending an upgrade: apache2.2-bin 2.2.22-13+deb7u1 apache2.2-common 2.2.22-13+deb7u1 apache2-mpm-prefork 2.2.22-13+deb7u1 apache2-prefork-dev 2.2.22-13+deb7u1 apache2-utils 2.2.22-13+deb7u1 apt 0.9.7.9+deb7u1 apt-utils 0.9.7.9+deb7u1 base-files 7.1wheezy4 curl 7.26.0-1+wheezy8 dropbox 1.6.1 gnupg 1.4.12-7+deb7u3 gpgv 1.4.12-7+deb7u3 libapache2-mod-php5 5.4.4-14+deb7u8 libapache2-mod-rpaf 0.6-7+wheezy1 libapt-inst1.5 0.9.7.9+deb7u1 libapt-pkg4.12 0.9.7.9+deb7u1 libavcodec53 6:0.8.10-1 libavformat53 6:0.8.10-1 libavutil51 6:0.8.10-1 libc6 2.13-38+deb7u1 libc6-dev 2.13-38+deb7u1 libc-bin 2.13-38+deb7u1 libc-dev-bin 2.13-38+deb7u1 libcurl3 7.26.0-1+wheezy8 libcurl3-gnutls 7.26.0-1+wheezy8 libexpat1 2.1.0-1+deb7u1 libexpat1-dev 2.1.0-1+deb7u1 libgnutls26 2.12.20-8+deb7u1 libmysqlclient18 5.5.35-rel33.0-611.wheezy libmysqlclient18.1 5.6.15-25.5-759.wheezy libmysqlclient-dev 5.6.15-25.5-759.wheezy libnet-server-perl 2.006-1+deb7u1 libperconaserverclient18 5.5.36-rel34.2-648.wheezy libpq5 9.1.12-0wheezy1 libpq-dev 9.1.12-0wheezy1 libpython2.7 2.7.3-6+deb7u2 librsvg2-2 2.36.1-2 librsvg2-common 2.36.1-2 libssl-doc 1.0.1e-2+deb7u4 libswscale2 6:0.8.10-1 linux-image-3.2.0-4-amd64 3.2.54-2 linux-libc-dev 3.2.54-2 locales 2.13-38+deb7u1 memcached 1.4.13-0.2+deb7u1 multiarch-support 2.13-38+deb7u1 mutt 1.5.21-6.2+deb7u2 openssl 1.0.1e-2+deb7u4 percona-server-client-5.5 5.5.36-rel34.2-648.wheezy percona-server-common-5.5 5.5.36-rel34.2-648.wheezy percona-server-server-5.5 5.5.36-rel34.2-648.wheezy php5 5.4.4-14+deb7u8 php5-cli 5.4.4-14+deb7u8 php5-common 5.4.4-14+deb7u8 php5-curl 5.4.4-14+deb7u8 php5-dev 5.4.4-14+deb7u8 php5-fpm 5.4.4-14+deb7u8 php5-gd 5.4.4-14+deb7u8 php5-intl 5.4.4-14+deb7u8 php5-mcrypt 5.4.4-14+deb7u8 php5-mysql 5.4.4-14+deb7u8 php5-sqlite 5.4.4-14+deb7u8 php5-sybase 5.4.4-14+deb7u8 php5-tidy 5.4.4-14+deb7u8 php5-xmlrpc 5.4.4-14+deb7u8 php5-xsl 5.4.4-14+deb7u8 php-pear 5.4.4-14+deb7u8 python2.7 2.7.3-6+deb7u2 python2.7-minimal 2.7.3-6+deb7u2 tzdata 2013i-0wheezy1 wget 1.13.4-3+deb7u1 whois 5.1.1~deb7u1 ======================================================================== Package Details: Reading changelogs... --- Changes for curl (curl libcurl3 libcurl3-gnutls) --- curl (7.26.0-1+wheezy8) wheezy-security; urgency=high * Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015 http://curl.haxx.se/docs/adv_20140129.html * Set urgency=high accordingly -- Alessandro Ghedini <ghedo@debian.org> Wed, 29 Jan 2014 19:01:03 +0100 curl (7.26.0-1+wheezy7) stable-security; urgency=high * Fix GnuTLS checking of a certificate CN or SAN name field when the digital signature verification is turned off as per CVE-2013-6422 http://curl.haxx.se/docs/adv_20131217.html * Set urgency=high accordingly -- Alessandro Ghedini <ghedo@debian.org> Wed, 11 Dec 2013 18:00:59 +0100 --- Changes for gnupg (gnupg gpgv) --- gnupg (1.4.12-7+deb7u3) wheezy-security; urgency=high * Fixed the RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack as described by Genkin, Shamir, and Tromer. See <http://www.cs.tau.ac.il/~tromer/acoustic/>. [CVE-2013-4576] -- Thijs Kinkhorst <thijs@debian.org> Sat, 14 Dec 2013 09:18:28 +0100 --- Changes for gnutls26 (libgnutls26) --- gnutls26 (2.12.20-8+deb7u1) wheezy-security; urgency=high * 38_CVE-2014-0092.diff by Nikos Mavrogiannopoulos: Fix certificate validation issue. CVE-2014-0092 -- Andreas Metzler <ametzler@debian.org> Sat, 01 Mar 2014 07:44:51 +0100 gnutls26 (2.12.20-8) wheezy-security; urgency=high * 26_fix_rejection-of-v1-intermedi.diff pulled and unfuzzed from GIT 3.x: A version 1 intermediate certificate will be considered as a CA certificate by default (something that deviates from the documented behavior). CVE-2014-1959 / GNUTLS-SA-2014-1 -- Andreas Metzler <ametzler@debian.org> Sat, 15 Feb 2014 18:27:37 +0100 --- Changes for linux (linux-image-3.2.0-4-amd64 linux-libc-dev) --- linux (3.2.54-2) wheezy; urgency=high * [arm] Ignore ABI change in omap_dsp_get_mempool_base (fixes FTBFS) -- dann frazier <dannf@debian.org> Sat, 01 Feb 2014 13:08:46 +0000 linux (3.2.54-1) wheezy; urgency=high * New upstream stable update: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.54 - NFSv4: Fix a use-after-free situation in _nfs4_proc_getlk() - USB: mos7840: fix tiocmget error handling - ALSA: 6fire: Fix probe of multiple cards - can: c_can: Fix RX message handling, handle lost message before EOB - dm mpath: fix race condition between multipath_dtr and pg_init_done - ext4: avoid bh leak in retry path of ext4_expand_extra_isize_ea() - KVM: IOMMU: hva align mapping page size - crypto: s390 - Fix aes-cbc IV corruption - audit: printk USER_AVC messages when audit isn't enabled - audit: fix info leak in AUDIT_GET requests - audit: use nlmsg_len() to get message payload length - PM / hibernate: Avoid overflow in hibernate_preallocate_memory() - blk-core: Fix memory corruption if blkcg_init_queue fails - block: fix a probe argument to blk_register_region - SUNRPC: Fix a data corruption issue when retransmitting RPC calls - mwifiex: correct packet length for packets from SDIO interface - vsprintf: check real user/group id for %pK - ipc, msg: fix message length check for negative values - hwmon: (lm90) Fix max6696 alarm handling - rtlwifi: rtl8192cu: Fix more pointer arithmetic errors - setfacl removes part of ACL when setting POSIX ACLs to Samba - nfsd: make sure to balance get/put_write_access - nfsd4: fix xdr decoding of large non-write compounds (regression in 3.2.49) - NFSv4 wait on recovery for async session errors - powerpc/signals: Mark VSX not saved with small contexts - iscsi-target: fix extract_param to handle buffer length corner case - iscsi-target: chap auth shouldn't match username with trailing garbage - configfs: fix race between dentry put and lookup - [powerpc] signals: Improved mark VSX not saved with small contexts fix - mac80211: don't attempt to reorder multicast frames - Staging: zram: Fix access of NULL pointer - Staging: zram: Fix memory leak by refcount mismatch - irq: Enable all irqs unconditionally in irq_resume - tracing: Allow events to have NULL strings - [armhf/omap] Staging: tidspbridge: disable driver - cpuset: Fix memory allocator deadlock - crypto: authenc - Find proper IV address in ablkcipher callback - crypto: scatterwalk - Set the chain pointer indication bit - [s390] crypto: s390 - Fix aes-xts parameter corruption - crypto: ccm - Fix handling of zero plaintext when computing mac - net: update consumers of MSG_MORE to recognize MSG_SENDPAGE_NOTLAST (fixes regression in 3.2.17) - hpsa: do not discard scsi status on aborted commands - hpsa: return 0 from driver probe function on success, not 1 - [arm] 7912/1: check stack pointer in get_wchan - [arm] 7913/1: fix framepointer check in unwind_frame - ALSA: memalloc.h - fix wrong truncation of dma_addr_t - dm snapshot: avoid snapshot space leak on crash - dm table: fail dm_table_create on dm_round_up overflow - hwmon: (w83l786ng) Fix fan speed control mode setting and reporting - hwmon: (w83l768ng) Fix fan speed control range - futex: fix handling of read-only-mapped hugepages - KVM: Improve create VCPU parameter (CVE-2013-4587) - [x86] KVM: Fix potential divide by 0 in lapic (CVE-2013-6367) - net: Fix "ip rule delete table 256" (Closes: #724783) - 6lowpan: Uncompression of traffic class field was incorrect - ipv4: fix possible seqlock deadlock - inet: prevent leakage of uninitialized memory to user in recv syscalls - net: rework recvmsg handler msg_name and msg_namelen logic - net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct sockaddr_storage) - inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu functions - ipv6: fix leaking uninitialized port number of offender sockaddr - net: core: Always propagate flag changes to interfaces - packet: fix use after free race in send path when dev is released - inet: fix possible seqlock deadlocks - ipv6: fix possible seqlock deadlock in ip6_finish_output2 - ftrace: Check module functions being traced on reload - ftrace: Fix function graph with loading of modules - mmc: block: fix a bug of error handling in MMC driver [ Ben Hutchings ] * SCSI: virtio_scsi: fix memory leak on full queue condition (Closes: #730138) * drm, agp: Update to 3.4.76: - drm/radeon: fix asic gfx values for scrapper asics - drm/edid: add quirk for BPC in Samsung NP700G7A-S01PL notebook - drm/radeon: fixup bad vram size on SI [ dann frazier ] * ath9k_htc: properly set MAC address and BSSID mask (CVE-2013-4579) * KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) * x86, fpu, amd: Clear exceptions in AMD FXSAVE workaround (CVE-2014-1438) * hamradio/yam: fix info leak in ioctl (CVE-2014-1446) -- dann frazier <dannf@debian.org> Wed, 29 Jan 2014 13:42:01 -0700 linux (3.2.53-2) wheezy; urgency=high * [sparc] Ignore insignificant ABI changes (fixes FTBFS) * [powerpc] Update CPU device backport to work after 'powerpc/sysfs: Disable writing to PURR in guest mode' in 3.2.52 (fixes FTBFS) * exec/ptrace: Fix typo in backport of 'fix get_dumpable() incorrect tests' (CVE-2013-2929) (Closes: #732208) * net: Fix infinite loop in in skb_flow_dissect() (CVE-2013-4348) -- Ben Hutchings <ben@decadent.org.uk> Tue, 17 Dec 2013 03:24:07 +0000 linux (3.2.53-1) wheezy; urgency=medium * New upstream stable update: http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.52 - 8139cp: Add dma_mapping_error checking - ipv6: drop packets with multiple fragmentation headers - ipv6: Don't depend on per socket memory for neighbour discovery messages - HID: hidraw: correctly deallocate memory on device disconnect - xen-gnt: prevent adding duplicate gnt callbacks - usb: config->desc.bLength may not exceed amount of data returned by the device - USB: cdc-wdm: fix race between interrupt handler and tasklet - [powerpc] Handle unaligned ldbrx/stdbrx - intel-iommu: Fix leaks in pagetable freeing - ath9k: fix rx descriptor related race condition - ath9k: avoid accessing MRC registers on single-chain devices - rculist: list_first_or_null_rcu() should use list_entry_rcu() - USB: mos7720: fix big-endian control requests - of: Fix missing memory initialization on FDT unflattening - fuse: postpone end_page_writeback() in fuse_writepage_locked() - fuse: invalidate inode attributes on xattr modification - fuse: hotfix truncate_pagecache() issue - hdpvr: register the video node at the end of probe - hdpvr: fix iteration over uninitialized lists in hdpvr_probe() - fuse: readdir: check for slash in names - crypto: api - Fix race condition in larval lookup - sd: Fix potential out-of-bounds access - ocfs2: fix the end cluster offset of FIEMAP - mm/huge_memory.c: fix potential NULL pointer dereference - sched/fair: Fix small race where child->se.parent,cfs_rq might point to invalid ones - HID: zeroplus: validate output report details (CVE-2013-2889) - HID: LG: validate HID output report details (CVE-2013-2893) - HID: validate feature and input report details (CVE-2013-2897) - HID: logitech-dj: validate output report details (CVE-2013-2895) - nilfs2: fix issue with race condition of competition between segments for dirty blocks - powerpc: Fix parameter clobber in csum_partial_copy_generic() - powerpc: Restore registers on error exit from csum_partial_copy_generic() - net: sctp: fix smatch warning in sctp_send_asconf_del_ip - net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit (CVE-2013-4350) - ip: generate unique IP identificator if local fragmentation is allowed - ipv6: udp packets following an UFO enqueued packet need also be handled by UFO (CVE-2013-4387) - esp_scsi: Fix tag state corruption when autosensing. - [sparc] Fix not SRA'ed %o5 in 32-bit traced syscall - perf: Use css_tryget() to avoid propping up css refcount - Revert "zram: use zram->lock to protect zram_free_page() in swap free notify path" (regression in 3.2.49) - macvtap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS - sfc: Fix efx_rx_buf_offset() for recycled pages - cgroup: fail if monitored file and event_control are in different cgroup - perf: Fix perf_cgroup_switch for sw-events - Revert "sctp: fix call to SCTP_CMD_PROCESS_SACK in sctp_cmd_interpreter()" (regression in 3.2.34) - iscsi: don't hang in endless loop if no targets present - cpqarray: fix info leak in ida_locked_ioctl() (CVE-2013-2147) - cciss: fix info leak in cciss_ioctl32_passthru() (CVE-2013-2147) - staging: comedi: ni_65xx: (bug fix) confine insn_bits to one subdevice http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.53 - tcp: must unclone packets before mangling them - tcp: do not forget FIN in tcp_shifted_skb() (fixes regression in 2.6.39) - net: do not call sock_put() on TIMEWAIT sockets - net: heap overflow in __audit_sockaddr() - proc connector: fix info leaks - ipv6: restrict neighbor entry creation to output flow (fixes regression in 3.2.39) - farsync: fix info leak in ioctl - connector: use nlmsg_len() to check message length - wanxl: fix info leak in ioctl - net: unix: inherit SOCK_PASS{CRED, SEC} flags from socket to fix race (fixes regression in 3.2) - net: fix cipso packet validation when !NETLABEL - zram: allow request end to coincide with disksize - perf: Fix perf ring buffer memory ordering - inet: fix possible memory corruption with UDP_CORK and UFO (CVE-2013-4470) - tracing: Fix potential out-of-bounds in trace_get_user() - include/linux/fs.h: disable preempt when acquire i_size_seqcount write lock - jfs: fix error path in ialloc - random: run random_int_secret_init() run after all late_initcalls - mac80211: drop spoofed packets in ad-hoc mode - libata: make ata_eh_qc_retry() bump scmd->allowed on bogus failures - [powerpc] KVM: PPC: Book3S HV: Fix typo in saving DSCR - compiler/gcc4: Add quirk for 'asm goto' miscompilation bug - ext4: fix memory leak in xattr - [hppa] fix interruption handler to respect pagefault_disable() - dm snapshot: fix data corruption (CVE-2013-4299) - ecryptfs: Fix memory leakage in keystore.c - target/pscsi: fix return value check - Fix a few incorrectly checked [io_]remap_pfn_range() calls (CVE-2013-4511) - uml: check length in exitcode_proc_write() (CVE-2013-4512) - aacraid: missing capable() check in compat ioctl - staging: wlags49_h2: buffer overflow setting station name - Staging: bcm: info leak in ioctl - lib/scatterlist.c: don't flush_kernel_dcache_page on slab page * [armel/orion5x] i2c: mv64xxx: work around signals causing I2C transactions to be aborted * [armel/orion5x] I2C: mv64xxx: fix race between FSM/interrupt and process context (Closes: #622325) * aufs: Set version to 3.2.x-debian * drm: fix DRM_IOCTL_MODE_GETFB handle-leak * drm, agp: Update to 3.4.72: - drm/edid: add quirk for Medion MD30217PG - drm/ttm: fix the tt_populated check in ttm_tt_destroy() - drm/radeon: fix LCD record parsing - drm/radeon: fix endian bugs in hw i2c atom routines - drm/radeon: update line buffer allocation for dce4.1/5 - drm/radeon: update line buffer allocation for dce6 - drm/radeon: fix resume on some rs4xx boards (v2) - drm/radeon: fix handling of variable sized arrays for router objects - drm/radeon/atom: workaround vbios bug in transmitter table on rs880 (v2) - drm/i915/dp: increase i2c-over-aux retry interval on AUX DEFER - drm/radeon: disable tests/benchmarks if accel is disabled - drm/radeon: fix hw contexts for SUMO2 asics - drm: Prevent overwriting from userspace underallocating core ioctl structs - drm/radeon/atom: workaround vbios bug in transmitter table on rs780 - drm/ttm: Handle in-memory region copies - drm/i915: flush cursors harder - drm/nouveau: when bailing out of a pushbuf ioctl, do not remove previous fence - drm/radeon/si: fix define for MC_SEQ_TRAIN_WAKEUP_CNTL - radeon: workaround pinning failure on low ram gpu * [rt] Update to 3.2.53-rt75: - genirq: Set the irq thread policy without checking CAP_SYS_NICE - hwlat-detector: Don't ignore threshold module - mm/memcontrol: Don't call schedule_work_on in preemption disabled context - drm: remove preempt_disable() from drm_calc_vbltimestamp_from_scanoutpos() * net: clamp ->msg_namelen instead of returning an error (fixes regression in 3.2.53) * rds: prevent BUG_ON triggered on congestion update to loopback (CVE-2012-2372) * HID: multitouch: validate indexes details (CVE-2013-2897) * exec/ptrace: fix get_dumpable() incorrect tests (CVE-2013-2929) * crypto: ansi_cprng - Fix off by one error in non-block size request (CVE-2013-4345) * KVM: perform an invalid memslot step for gpa base change * KVM: Fix iommu map/unmap to handle memory slot moves (CVE-2013-4592) * [armhf] 7527/1: uaccess: explicitly check __user pointer when !CPU_USE_DOMAINS (CVE-2013-6282) * libertas: potential oops in debugfs (CVE-2013-6378) * aacraid: prevent invalid pointer dereference (CVE-2013-6380) * [s390,s390x] qeth: avoid buffer overflow in snmp ioctl (CVE-2013-6381) * xfs: underflow bug in xfs_attrlist_by_handle() (CVE-2013-6382) -- Ben Hutchings <ben@decadent.org.uk> Fri, 06 Dec 2013 07:23:56 +0000 --- Changes for memcached --- memcached (1.4.13-0.2+deb7u1) wheezy-security; urgency=high * Non-maintainer upload by the Security Team. * Add 06_CVE-2011-4971.patch patch. CVE-2011-4971: Fix remote denial of service. Sending a specially crafted packet cause memcached to segfault. (Closes: #706426) * Add 07_CVE-2013-7239.patch patch. CVE-2013-7239: SASL authentication allows wrong credentials to access memcache. (Closes: #733643) -- Salvatore Bonaccorso <carnil@debian.org> Mon, 30 Dec 2013 17:47:44 +0100 --- Changes for mutt --- mutt (1.5.21-6.2+deb7u2) wheezy-security; urgency=high * Non-maintainer upload. * Fix buffer overrun caused by not updating a string length after address expansion. Fixes: CVE-2014-0467 Closes: #708731 -- Evgeni Golov <evgeni@debian.org> Tue, 11 Mar 2014 18:31:30 +0100 --- Changes for postgresql-9.1 (libpq5 libpq-dev) --- postgresql-9.1 (9.1.12-0wheezy1) wheezy-security; urgency=high * New upstream security/bugfix release. + Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch) Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. (CVE-2014-0060) + Prevent privilege escalation via manual calls to PL validator functions (Andres Freund) The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. (CVE-2014-0061) + Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund) If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. (CVE-2014-0062) + Prevent buffer overrun with long datetime strings (Noah Misch) The MAXDATELEN constant was too small for the longest possible value of type interval, allowing a buffer overrun in interval_out(). Although the datetime input functions were more careful about avoiding buffer overrun, the limit was short enough to cause them to reject some valid inputs, such as input containing a very long timezone name. The ecpg library contained these vulnerabilities along with some of its own. (CVE-2014-0063) + Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas) Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. (CVE-2014-0064) + Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich) Use strlcpy() and related functions to provide a clear guarantee that fixed-size buffers are not overrun. Unlike the preceding items, it is unclear whether these cases really represent live issues, since in most cases there appear to be previous constraints on the size of the input string. Nonetheless it seems prudent to silence all Coverity warnings of this type. (CVE-2014-0065) + Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian) There are relatively few scenarios in which crypt() could return NULL, but contrib/chkpass would crash if it did. One practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms (e.g., "FIPS mode"). (CVE-2014-0066) + Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane) Since the temporary server started by make check uses "trust" authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. (CVE-2014-0067) * The upstream tarballs no longer contain a plain HISTORY file, but point to the html documentation. Note the location of these files in our changelog.gz file. -- Christoph Berg <christoph.berg@credativ.de> Thu, 20 Feb 2014 13:34:54 +0100 postgresql-9.1 (9.1.11-0wheezy1) stable; urgency=low * New upstream bug fix release: - Fix "VACUUM"'s tests to see whether it can update relfrozenxid In some cases "VACUUM" (either manual or autovacuum) could incorrectly advance a table's relfrozenxid value, allowing tuples to escape freezing, causing those rows to become invisible once 2^31 transactions have elapsed. The probability of data loss is fairly low since multiple incorrect advancements would need to happen before actual loss occurs, but it's not zero. Users upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected, but all later versions contain the bug. The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix any latent corruption but will not be able to fix all pre-existing data errors. However, an installation can be presumed safe after performing this vacuuming if it has executed fewer than 2^31 update transactions in its lifetime (check this with SELECT txid_current() < 2^31). - Fix initialization of "pg_clog" and "pg_subtrans" during hot standby startup This bug can cause data loss on standby servers at the moment they start to accept hot-standby queries, by marking committed transactions as uncommitted. The likelihood of such corruption is small unless, at the time of standby startup, the primary server has executed many updating transactions since its last checkpoint. Symptoms include missing rows, rows that should have been deleted being still visible, and obsolete versions of updated rows being still visible alongside their newer versions. This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and 9.0.14. Standby servers that have only been running earlier releases are not at risk. It's recommended that standby servers that have ever run any of the buggy releases be re-cloned from the primary (e.g., with a new base backup) after upgrading. - See HISTORY/changelog.gz for details about other bug fixes. -- Martin Pitt <mpitt@debian.org> Thu, 05 Dec 2013 06:28:57 +0100 postgresql-9.1 (9.1.10-0wheezy1) stable; urgency=low * New upstream bug fix release. See HISTORY/changelog.gz for details. (No security or critical issues this time.) -- Martin Pitt <mpitt@debian.org> Tue, 15 Oct 2013 11:49:53 +0200 --- Changes for apache2 (apache2.2-bin apache2.2-common apache2-mpm-prefork apache2-prefork-dev apache2-utils) --- apache2 (2.2.22-13+deb7u1) wheezy; urgency=medium Low impact security fixes: * CVE-2013-1862: mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file. Closes: #722333 * CVE-2013-1896: mod_dav: denial of service via MERGE request. Closes: #717272 * mod_dav: Fix segfaults in certain error conditions. https://issues.apache.org/bugzilla/show_bug.cgi?id=52559 * Make apache2ctl create the necessary directories even if started with special options for apache2. Closes: #731531 * Adjust paragraph in README.Debian about MaxMemFree not working properly. The issue has been fixed with apr 1.4.5-1. -- Stefan Fritsch <sf@debian.org> Fri, 31 Jan 2014 19:43:07 +0100 --- Changes for openssl (libssl-doc openssl) --- openssl (1.0.1e-2+deb7u4) stable; urgency=medium * enable ec_nistp_64_gcc_128 on *-amd64 (Closes: #698447) * Enable assembler for the arm targets, and remove armeb. Patch by Riku Voipio <riku.voipio@iki.fi> (Closes: #676533) -- Kurt Roeckx <kurt@roeckx.be> Sat, 01 Feb 2014 21:25:20 +0100 openssl (1.0.1e-2+deb7u3) stable-security; urgency=medium * Don't change version number if session established -- Kurt Roeckx <kurt@roeckx.be> Mon, 06 Jan 2014 20:28:20 +0100 openssl (1.0.1e-2+deb7u2) stable-security; urgency=medium * The patch we applied for CVE-2013-6450 was causing segfaults, also apply the previous commit checking for NULL in EVP_MD_CTX_destroy() * Fix for TLS record tampering bug CVE-2013-4353 -- Kurt Roeckx <kurt@roeckx.be> Mon, 06 Jan 2014 18:17:13 +0100 openssl (1.0.1e-2+deb7u1) stable-security; urgency=medium * Fix CVE-2013-6449 (Closes: #732754) * Fix CVE-2013-6450 * disable rdrand by default. It was used as only source of entropy when available. (Closes: #732710) * Disable Dual EC DRBG. -- Kurt Roeckx <kurt@roeckx.be> Mon, 23 Dec 2013 17:47:19 +0100 --- Changes for whois --- whois (5.1.1~deb7u1) proposed-updates; urgency=low * Rebuilt for wheezy. -- Marco d'Itri <md@linux.it> Sat, 11 Jan 2014 03:16:43 +0100 whois (5.1.1) unstable; urgency=medium * Added the servers for 29 "new" gTLDs. -- Marco d'Itri <md@linux.it> Sat, 11 Jan 2014 00:51:05 +0100 whois (5.1.0) unstable; urgency=low * Added the .ga, .ml, .pf, .xn--l1acc (.???, Mongolia) and .xn--mgba3a4f16a (.?????, Iran) TLD servers. * Added the servers for 54 "new" gTLDs. * Updated the .bw, .gd, .hn, .sb, .xn--j1amh and .xn--mgberp4a5d4ar TLD servers. * Added new RIPE and APNIC ASN allocations. * Removed the .ck TLD server. * Updated one or more translations. * Applied multiple small fixes contributed by Petr Písa? of Red Hat. * Correctly hide the disclaimers for .be and .sx. (Closes: #729366) * Direct queries for private ASN blocks to RIPE. (Closes: #724661) -- Marco d'Itri <md@linux.it> Thu, 26 Dec 2013 10:05:43 +0100 whois (5.0.26) unstable; urgency=low * Added the .cf TLD server. * Updated the .bi TLD server. * Added a new ASN allocation. -- Marco d'Itri <md@linux.it> Wed, 17 Jul 2013 00:48:12 +0200 whois (5.0.25) unstable; urgency=low * Added the .ax, .bn, .iq, .pw and .rw TLD servers. * Updated one or more translations. -- Marco d'Itri <md@linux.it> Fri, 10 May 2013 05:13:47 +0200 whois (5.0.24) unstable; urgency=low * Merged documentation fixes and the whois.conf(5) man page, courtesy of Petr Písa? of Red Hat. * Added a new ASN allocation. * Updated one or more translations. (Closes: #705163) -- Marco d'Itri <md@linux.it> Thu, 18 Apr 2013 03:36:17 +0200 --- Changes for apt (apt apt-utils libapt-inst1.5 libapt-pkg4.12) --- apt (0.9.7.9+deb7u1) wheezy; urgency=low * Non-maintainer upload. * Apply patch for large .debs (Closes: #725483) Thanks Mark Hymers for the patch, Vincent Sanders for the review * Apply patch for strict multi-arch checking in single-architecture environments (Closes: #723586) -- Jonathan Wiltshire <jmw@debian.org> Sat, 16 Nov 2013 11:14:39 +0000 --- Changes for base-files --- base-files (7.1wheezy4) stable; urgency=low * Changed /etc/debian_version to 7.4, for Debian 7.4 point release. -- Santiago Vila <sanvila@debian.org> Tue, 28 Jan 2014 11:49:40 +0100 base-files (7.1wheezy3) stable; urgency=low * Changed /etc/debian_version to 7.3, for Debian 7.3 point release. -- Santiago Vila <sanvila@debian.org> Wed, 04 Dec 2013 12:30:04 +0100 --- Changes for dropbox --- dropbox (1.6.1) stable; urgency=low * Initial Release, This package doesn't use a changelog -- Rian Hunter <rian@dropbox.com> Wed, 18 Dec 2013 09:08:46 -0800 --- Changes for eglibc (libc6 libc6-dev libc-bin libc-dev-bin locales multiarch-support) --- eglibc (2.13-38+deb7u1) wheezy; urgency=low [ Aurelien Jarno ] * debian/testsuite-checking/compare.sh: disable failing the build on test regressions to ease the pain of ongoing stable/security maintenance. * patches/any/cvs-CVE-2012-44xx.diff: backport overflow fixes in strcoll, addressing CVE-2012-4412 and CVE-2012-4424 (Closes: #687530, #689423). * patches/any/CVE-2013-0242.diff: backport buffer overrun fix in regexp matcher, addressing CVE-2013-0242 (Closes: #699399). * patches/cvs-CVE-2013-1914.diff: backport stack overflow fixes in getaddrinfo(), addressing CVE-2013-1914 (Closes: #704623). * patches/any/cvs-CVE-2013-4237.diff: backport buffer overwrite fix in readdir_r for file systems returning file names longer than NAME_MAX characters, addressing CVE-2013-4237 (Closes: #719558). patches/kfreebsd/local-readdir_r.diff: remove superseded by the CVE patch. * patches/any/cvs-CVE-2013-4332.diff: backport integer overflow fixes in pvalloc, valloc, posix_memalign, memalign and aligned_alloc functions, addressing CVE-2013-4332 (Closes: #722536). * patches/any/cvs-CVE-2013-4458.diff: backport stack (frame) overflow fixes in getaddrinfo() when called with AF_INET6, addressing CVE-2013-4458 (Closes: #727181). * patches/any/cvs-CVE-2013-4788.diff: backport patch to fix PTR_MANGLE ineffectivity for statically linked binaries, addressing CVE-2013-4788 (Closes: #717178). *** Note that static binaries need to be recompiled to take advantage of the fix ***. * patches/any/cvs-findlocale-div-by-zero.diff: patch from upstream to fix a SIGFPE when locale-archive has been corrupted to all zeros (Closes: #718890, #730336). * patches/mips/cvs-prlimit64.diff: patch from upstream to fix getrlimit64 and setrlimit64 with recent 64-bit kernels (Closes: #665897). [ Petr Salinger ] * patches/kfreebsd/local-initgroups-order.diff: always put supplied extra gid as the first entry of group list in setgroups(). Closes: #699593. * inline is not keyword in c89 mode, use __inline. Closes: #704598. * sys_ktimer_settime have 4 parameters. Closes: #712196. -- Aurelien Jarno <aurel32@debian.org> Thu, 05 Dec 2013 23:19:48 +0100 --- Changes for expat (libexpat1 libexpat1-dev) --- expat (2.1.0-1+deb7u1) wheezy; urgency=low [ Matthias Klose ] * Don't ship the pkgconfig file in lib64expat1-dev. Closes: #706932. [ Laszlo Boszormenyi (GCS) ] * New maintainer (closes: #660681). -- Andreas Beckmann <anbe@debian.org> Thu, 05 Dec 2013 12:39:53 +0100 --- Changes for libapache2-mod-rpaf --- libapache2-mod-rpaf (0.6-7+wheezy1) stable; urgency=low * Restore 030_ipv6.patch, removed by QA upload in 0.6-1 (Closes: #726529) -- Sergey B Kirpichev <skirpichev@gmail.com> Mon, 20 Jan 2014 17:56:07 +0400 --- Changes for libav (libavcodec53 libavformat53 libavutil51 libswscale2) --- libav (6:0.8.10-1) stable-security; urgency=low * Imported Upstream version 0.8.9, new releases fixes: - CVE-2013-0855, CVE-2013-0856, CVE-2013-0865, CVE-2013-4358, CVE-2013-7010, CVE-2013-7014 * Too many security related upstream changes to list here, please cf. to upstream changelog: http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.9 -- Reinhard Tartler <siretart@tauware.de> Tue, 04 Feb 2014 20:09:57 -0500 --- Changes for libnet-server-perl --- libnet-server-perl (2.006-1+deb7u1) wheezy; urgency=low * Team upload. * Add fix-use-of-uninitialized-value-in-pattern-match.patch. Fixes use of uninitialized value in pattern match. This in particular affects munin-nodes under wheezy. Logs are spammed with entries: "Use of uninitialized value in pattern match (m//) at /usr/share/perl5/Net/Server.pm line 600.". (Closes: #693320) -- Salvatore Bonaccorso <carnil@debian.org> Thu, 28 Nov 2013 12:31:37 +0100 --- Changes for librsvg (librsvg2-2 librsvg2-common) --- librsvg (2.36.1-2) stable; urgency=low [ Raphaël Geissert ] * Fix CVE-2013-1881: disable loading of external entities. Closes: #724741. [ Josselin Mouette ] * Break libgtk-3-0 (<< 3.4.2-7) which uses the anti-feature that is disabled by the security fix. -- Josselin Mouette <joss@debian.org> Wed, 04 Dec 2013 21:08:25 +0100 --- Changes for percona-server-5.5 (libmysqlclient18 percona-server-client-5.5 percona-server-common-5.5 percona-server-server-5.5) --- percona-server-5.5 (5.5.36-rel34.2-648.wheezy) wheezy; urgency=low * Update distribution -- Jenkins User <jenkins@debian> Mon, 24 Mar 2014 12:09:43 -0400 percona-server-5.5 (5.5.36-34.2-1) unstable; urgency=low * Update to new upstream release Percona Server 5.5.36-34.2 -- Jenkins User <jenkins@debian> Mon, 24 Mar 2014 12:03:33 -0400 --- Changes for percona-xtradb-cluster-5.6 (libmysqlclient18.1 libmysqlclient-dev) --- percona-xtradb-cluster-5.6 (5.6.15-25.5-759.wheezy) wheezy; urgency=low * Update distribution -- Raghavendra Prabhu <raghavendra.prabhu@percona.com> Thu, 20 Mar 2014 06:39:36 -0400 percona-xtradb-cluster-5.6 (5.6.15-rel62.0) unstable; urgency=low * Release bump. -- Raghavendra Prabhu <raghavendra.prabhu@percona.com> Thu, 30 Jan 2014 17:00:00 -0300 percona-xtradb-cluster-5.6 (5.6.15-rel62.0) unstable; urgency=low * Updated to 5.6.15. -- Raghavendra Prabhu <raghavendra.prabhu@percona.com> Wed, 14 Dec 2013 17:00:00 -0300 --- Changes for php5 (libapache2-mod-php5 php5 php5-cli php5-common php5-curl php5-dev php5-fpm php5-gd php5-intl php5-mcrypt php5-mysql php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl php-pear) --- php5 (5.4.4-14+deb7u8) wheezy-security; urgency=low * [CVE-2014-1943]: Fix segmentation fault in libmagic (Closes: #739012) -- Ond?ej Surý <ondrej@debian.org> Mon, 17 Feb 2014 10:07:18 +0100 php5 (5.4.4-14+deb7u7) wheezy-security; urgency=low * [CVE-2013-6420]: Fix memory corruption in openssl_x509_parse (Closes: #731895) * [CVE-2013-6712]: Fix heap buffer over-read in DateInterval (Closes: #731112) -- Ond?ej Surý <ondrej@debian.org> Thu, 12 Dec 2013 09:28:14 +0100 php5 (5.4.4-14+deb7u6) stable; urgency=low [ William Dauchy ] * upstream fix: curl memory leak (Closes: #725868) * upstream fix: allow root to run php-fpm (Closes: #725890) * upstream fix: remove annoying warnings with php-fpm and user usage (Closes: #725972) * upstream fix: memoryleak in function declaration (Closes: #726033) * upstream fix: munmap() is called with the incorrect length (Closes: #726037) * upstream fix: segfault on zend_deactivate (Closes: #726295) * upstream fix: Possible null dereference (Closes: #726320) * upstream fix: Phar::buildFromDirectory creates corrupt archives (Closes: #726379) * upstream fix: segfault while loading extensions (Closes: #726627) * upstream fix: (un)serialize() leaves dangling pointers, causes crashes (Closes: #726633) -- Ond?ej Surý <ondrej@debian.org> Tue, 22 Oct 2013 08:33:07 +0200 --- Changes for python2.7 (libpython2.7 python2.7 python2.7-minimal) --- python2.7 (2.7.3-6+deb7u2) stable-security; urgency=low * Fix installation of modules in python2.7-minimal, thanks to Jakub Wilk for the analysis -- Moritz Mühlenhoff <jmm@debian.org> Wed, 12 Mar 2014 23:45:44 +0100 python2.7 (2.7.3-6+deb7u1) stable-security; urgency=low * CVE-2014-1912, CVE-2013-4238 -- Moritz Mühlenhoff <jmm@debian.org> Wed, 05 Mar 2014 00:18:28 +0100 --- Changes for tzdata --- tzdata (2013i-0wheezy1) stable; urgency=low * New upstream version. * Remove solar87, solar88 and solar89 from the list of timezones, as they have been removed upstream. -- Aurelien Jarno <aurel32@debian.org> Sun, 26 Jan 2014 19:33:55 +0000 tzdata (2013h-0wheezy1) stable; urgency=low * New upstream version. -- Aurelien Jarno <aurel32@debian.org> Sat, 07 Dec 2013 15:06:58 +0100 --- Changes for wget --- wget (1.13.4-3+deb7u1) stable-proposed-updates; urgency=low * backported TLS Server Name Indication (SNI) to stable (patches/wget-tls-sni) from wget 1.14 http://git.savannah.gnu.org/cgit/wget.git/commit/?id=fd582e454378db9a1e218acf79f24fbe042bed98 closes: #653267 -- Noël Köthe <noel@debian.org> Sat, 1 Feb 2014 20:29:14 +0100 ======================================================================== You can perform the upgrade by issuing the command: apt-get dist-upgrade as root on pluto.myfuckingdomain.org -- apticron

Linux Graphic PPPoE/PPTP/3G/Mobile Client https://code.google.com/p/graphic-pppoe-client/ Depends: $ sudo apt-get install ppp pptp-linux hal python python-gtk2 python-gconf python-notify Download Ubuntu / Debian / Linux Mint: $ wget http://graphic-pppoe-client.googlecode.com/files/graphic-pppoe-pptp-client_0.6~all.deb Install: $ sudo dpkg -i graphic-pppoe-pptp-client_0.6~all.deb Se poate face PPPoE/PPTP si prin placa wireless.

Daca utilizati SSD-uri, este o idee buna sa inlocuiti MySQL cu Percona. Veti fi uimit de castigul de performanta. Chiar si cu HDD-uri obisnuite, o sa aveti un castig de 10-30 % in performanta. Adaugam repo-urile in '/etc/apt/sources.list' echo "deb http://repo.percona.com/apt wheezy main" >> /etc/apt/sources.list echo "deb-src http://repo.percona.com/apt wheezy main" >> /etc/apt/sources.list Adaugam key-ul pentru apt apt-key adv --keyserver keys.gnupg.net --recv-keys 1C4CBDCDCD2EFD2A Facem un apt-get update pentru o lista cu pachetele actualizate apt-get update Instalam percona server, percona client si common files (fisiere de configuratie, etc) apt-get install percona-server-common-5.5 percona-server-client-5.5 percona-server-server-5.5 Un config se poate vedea aici # File '/etc/mysql/my.cnf' [client] port = 3306 socket = /var/run/mysqld/mysqld.sock [mysqld_safe] socket = /var/run/mysqld/mysqld.sock nice = 0 [mysqld] user = mysql pid-file = /var/run/mysqld/mysqld.pid socket = /var/run/mysqld/mysqld.sock port = 3306 basedir = /usr datadir = /var/lib/mysql tmpdir = /run/shm lc-messages-dir = /usr/share/mysql skip-external-locking bind-address = 127.0.0.1 key_buffer = 600M max_allowed_packet = 1200M open_files_limit = 4096 thread_stack = 192K thread_cache_size = 8 myisam-recover = BACKUP max_connections = 1000 max_user_connections = 100 table_cache = 512 thread_concurrency = 2 query_cache_limit = 128M query_cache_size = 16M log_slow_queries = /var/log/mysql/mysql-slow.log long_query_time = 2 expire_logs_days = 10 max_binlog_size = 100M [mysqldump] quick quote-names max_allowed_packet = 1200M [mysql] [isamchk] key_buffer = 16M # # * IMPORTANT: Additional settings that can override those from this file! # The files must end with '.cnf', otherwise they'll be ignored. # !includedir /etc/mysql/conf.d/ Nota: configul este doar ca exemplu, nu-i dati copy/paste in sistemele voastre fara sa stiti cu exactitate ce fac acele variabile. Ele sunt calculate in in functie de resurse si aplicatii. Pagina oficiala percona: http://www.percona.com/ Documentatie: http://www.percona.com/docs/wiki/

Just old plain text tutorial idsplus ~ # cd /usr/src/ idsplus /usr/src # wget http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.5.5.tar.bz2 --2012-10-05 23:53:55-- http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.5.5.tar.bz2 Resolving www.kernel.org... 149.20.20.133, 149.20.4.69 Connecting to www.kernel.org|149.20.20.133|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 80984418 (77M) [application/x-bzip2] Saving to: “linux-3.5.5.tar.bz2” 100%[========================================================>] 80,984,418 14.3M/s in 9.8s 2012-10-05 23:54:05 (7.91 MB/s) - “linux-3.5.5.tar.bz2” saved [80984418/80984418] idsplus /usr/src # tar jxf linux-3.5.5.tar.bz2 idsplus /usr/src # rm linux rm: remove symbolic link `linux'? yes idsplus /usr/src # ln -s linux-3.5.5 linux idsplus /usr/src # cd linux idsplus /usr/src/linux # cp /boot/config-`uname -r` .config idsplus /usr/src/linux # make menuconfig // Selectati EXIT si YES idsplus /usr/src/linux # make bzImage modules modules_install install idsplus /usr/src/linux # mkinitramfs -o /boot/initrd-3.5.5 3.5.5 idsplus /usr/src/linux # update-grub2 Generating grub.cfg ... Found linux image: /boot/vmlinuz-3.5.5 Found initrd image: /boot/initrd-3.5.5 ....... done idsplus /usr/src/linux # init 6 // Dupa doua minute ... idsplus ~ # uname -a Linux idsplus 3.5.5 #1 SMP PREEMPT Sat Oct 6 00:40:49 CEST 2012 x86_64 GNU/Linux [*] Nota: Bootloader-ul folosit este grub.

Acest tutorial este adresat celor care doresc sa isi configureze un server cu Debian. O sa acopar in in el urmatoarele aspecte: 1. Instalare kernel cu grsec. 2. Instalare si configurare apache. 3. Instalare si configurare php. 4. Instalare si module php (extensii). 5. Configurare suhosin. 6. Instalare MySQL Server. 7. Modificari diverse permisiuni pentru un nivel mai bun de securitate 8. Instalare nginx si folosirea lui ca frontend pentru apache (dual strat web server) ---------------- 1. Instalare kernel cu grsec. Daca nu stiti inca ce este grsec/grsecurity, un bun punct de plecare este Grsecurity. Pentru linux, grsecurity este un fel de "sfantul graal" in materie de securitate. In plus, va scapa de o problema ce o are linux si care pe mine ma irita: ps aux dupa user, arata toate procesele. root@tex:~# echo "deb http://debian.cr0.org/repo/ kernel-security/" >> /etc/apt/sources.list root@tex:~# wget http://kernelsec.cr0.org/kernel-security.asc root@tex:~# apt-key add kernel-security.asc OK root@tex:~# apt-get update root@tex:~# apt-cache search grsec linux-source-2.6.32.15-1-grsec - Linux kernel source for version 2.6.32.15-1-grsec linux-source-2.6.25.10-1-grsec - Linux kernel source for version 2.6.25.10-1-grsec linux-image-2.6.32.15-1-grsec - Linux kernel binary image for version 2.6.32.15-1-grsec linux-headers-2.6.32.15-1-grsec - Header files related to Linux kernel, specifically, linux-source-2.6.27.29-4-grsec - Linux kernel source for version 2.6.27.29-4-grsec root@tex:~# apt-get install linux-image-2.6.32.15-1-grsec linux-headers-2.6.32.15-1-grsec root@tex:~# init 6 # aici dam reboot pentru a boota noul kernel. // Dupa reboot root@tex:~# uname -a Linux tex 2.6.32.15-1-grsec #2 SMP Mon Jun 28 09:05:30 CEST 2010 x86_64 GNU/Linux root@tex:~# su - tex tex@tex:~$ ps aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND tex 2103 0.6 0.1 36908 1276 pts/0 S 00:58 0:00 su - tex tex 2104 13.0 0.6 23380 6200 pts/0 S 00:58 0:00 -su tex 2129 0.0 0.1 16332 1176 pts/0 R+ 00:58 0:00 ps aux Din cate observati, vad doar procesele mele dupa user. 2. Instalare si configurare apache. root@tex:~# apt-get install apache2-mpm-prefork apache2.2-common apache2.2-bin root@tex:~# rm /etc/apache2/sites-available/default root@tex:~# cat >> /etc/apache2/sites-available/default << EOF > NameVirtualHost * > > <Directory "/var/www"> > AllowOverride AuthConfig FileInfo Options Indexes Limit > Options FollowSymLinks > Options -Indexes > </Directory> > > <VirtualHost *> > DocumentRoot /var/www > ServerName 10.0.0.220 > CustomLog /var/log/apache2/access_log combined > ErrorLog /var/log/apache2/error_log > </VirtualHost> > EOF root@tex:~# Apache o sa-l listam pe 127.0.0.1 port 81 si o sa fie backend. root@tex:~# echo "Listen 127.0.0.1:81" > /etc/apache2/ports.conf root@tex:~# /etc/init.d/apache2 start 3. Instalare si configurare php (plus libapache2-mod-php5, necesar la apache (mod php)) PHP-ul o sa-l instalez de la dotdeb. root@tex:~# echo "deb http://packages.dotdeb.org stable all" >> /etc/apt/sources.list root@tex:~# echo "deb-src http://packages.dotdeb.org stable all" >> /etc/apt/sources.list root@tex:~# wget http://www.dotdeb.org/dotdeb.gpg root@tex:~# cat dotdeb.gpg |apt-key add - && rm dotdeb.gpg OK root@tex:~# apt-get update root@tex:~# apt-get install php5 php5-cli libapache2-mod-php5 php5-common php5-suhosin Inlocuiesc "expose_php = On" cu "expose_php = Off" / "short_open_tag = Off" cu "short_open_tag = On" si "session.name = PHPSESSID" cu "session.name = SERVLET" in php.ini pentru apache2. root@tex:~# perl -pi -e 's/expose_php = On/expose_php = Off/' /etc/php5/apache2/php.ini root@tex:~# perl -pi -e 's/short_open_tag = Off/short_open_tag = On/' /etc/php5/apache2/php.ini root@tex:~# perl -pi -e 's/PHPSESSID/SERVLET/' /etc/php5/apache2/php.ini 4. Instalare si configurare module php (extensii). O sa instalez urmatoarele extensii php: curl, gd, mcrypt, mysql. root@tex:~# apt-get install php5-curl php5-gd php5-mcrypt php5-mysql 5. Configurare suhosin. Din motive de securitate, o sa adaug in blacklisted utilizand suhosin urmatoarele functii: exec,shell_exec,passthru,show_source,dl,leak,ini_alter,ini_restore,proc_open,proc_nice,proc_terminate,proc_close,proc_get_status,symlink,system,popen,pcntl_getpriority,pcntl_wait,diskfreespace,disk_free_space,disk_total_space,get_current_user,stream_socket_accept,stream_socket_client,stream_socket_get_name,stream_socket_recvfrom,stream_socket_sendto,stream_socket_server,stream_socket_shutdown root@tex:~# cat >> /etc/php5/conf.d/suhosin.ini << EOF > > suhosin.executor.func.blacklist = "exec,shell_exec,passthru,show_source,dl,leak,ini_alter,ini_restore,proc_open,proc_nice,proc_terminate,proc_close,proc_get_status,symlink,system,popen,pcntl_getpriority,pcntl_wait,diskfreespace,disk_free_space,disk_total_space,get_current_user,stream_socket_accept,stream_socket_client,stream_socket_get_name,stream_socket_recvfrom,stream_socket_sendto,stream_socket_server,stream_socket_shutdown" > suhosin.cookie.max_array_depth = 256 > suhosin.cookie.max_array_index_length = 256 > suhosin.cookie.max_name_length = 256 > suhosin.cookie.max_totalname_length = 512 > suhosin.cookie.max_value_length = 20000 > suhosin.cookie.max_vars = 200 > suhosin.get.max_array_depth = 200 > suhosin.get.max_totalname_length = 1024 > suhosin.get.max_value_length = 1024 > suhosin.get.max_vars = 1024 > > > suhosin.post.max_array_depth = 1024 > suhosin.post.max_array_index_length = 1024 > suhosin.post.max_name_length = 1024 > suhosin.post.max_totalname_length = 1024 > suhosin.post.max_value_length = 95000 > suhosin.post.max_vars = 1024 > > suhosin.request.max_vars = 512 > suhosin.request.max_value_length = 90000 > suhosin.request.max_totalname_length = 1024 > suhosin.upload.max_uploads = 400 > > suhosin.executor.include.max_traversal = 2 > > EOF root@tex:~# Cam asa arata php in cli: root@tex:~# php -v PHP 5.3.8-1~dotdeb.2 with Suhosin-Patch (cli) (built: Aug 25 2011 13:30:46) Copyright (c) 1997-2011 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH root@tex:~# 6. Instalare MySQL Server si MySQL Client root@tex:~# apt-get install mysql-client-5.5 mysql-server-5.5 7. Modificari diverse permisiuni pentru un nivel mai bun de securitate Mountam tmpfs in /tmp cu flag-urile "noexec,nosuid,nodev" din motive de securitate. root@tex:~# echo "tmpfs /tmp tmpfs noexec,nosuid,nodev 2 2" >> /etc/fstab root@tex:~# mount /tmp root@tex:~# mount |grep "/tmp" tmpfs on /tmp type tmpfs (rw,noexec,nosuid,nodev) Stergem "/var/tmp" si il facem simlink catre tmp. root@tex:~# rm -rf /var/tmp/ && ln -s /tmp /var/tmp Dam chmod 640 la "/dev/shm" din motive de securitate. root@tex:~# chmod 640 /dev/shm 8. Instalare nginx si folosirea lui ca frontend pentru apache (dual strat web server) O sa listam port 80 cu nginx si o sa-l folosim ca frontend pentru apache, care se listeaza pe 127.0.0.1 port 81. (reverse proxy) root@tex:~# apt-get install nginx root@tex:~# rm /etc/nginx/sites-enabled/default root@tex:~# pico /etc/nginx/sites-enabled/default # fisier configuratie server { listen 0.0.0.0:80 default; server_name _; access_log off; error_log /dev/null; location / { proxy_pass http://127.0.0.1:81; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } Pornim nginx-ul. root@tex:~# /etc/init.d/nginx start Starting nginx: nginx. root@tex:~# [URL="http://i42.tinypic.com/121zmtx.png"]O sa pun un phpinfo in "/var/www/"[/URL] pentru a vedea daca este totul in ordine si o sa sterg index.html (default) root@tex:~# echo "<?php phpinfo(); ?>" >> /var/www/index.php root@tex:~# rm /var/www/index.html // restart la apache. root@tex:~# /etc/init.d/apache2 restart --------- Note: - Daca aveti intrebari legate de acest tutorial, va raspund cu cea mai mare placere. - Imi cer scuze pentru eventualele greseli legate de exprimare (am cam tras chiulul de la somn) - Nu am specificat sursa acestui tutorial pentru ca este facut de mine.