Recent updates


Recent updates

Jim Popovitch
I haven't seen any other news about this, I show 7 pending updates for
which no DSA or notices have gone out.  Given that d.o servers have
been hacked in the past, are these updates valid and where can I find
official info about them?

apache2-mpm-worker:
  Installed: 2.2.3-4+etch3
  Candidate: 2.2.3-4+etch4
  Version table:
     2.2.3-4+etch4 0
        500 http://ftp.us.debian.org stable/main Packages
 *** 2.2.3-4+etch3 0
        100 /var/lib/dpkg/status
apache2-utils:
  Installed: 2.2.3-4+etch3
  Candidate: 2.2.3-4+etch4
  Version table:
     2.2.3-4+etch4 0
        500 http://ftp.us.debian.org stable/main Packages
 *** 2.2.3-4+etch3 0
        100 /var/lib/dpkg/status
apache2.2-common:
  Installed: 2.2.3-4+etch3
  Candidate: 2.2.3-4+etch4
  Version table:
     2.2.3-4+etch4 0
        500 http://ftp.us.debian.org stable/main Packages
 *** 2.2.3-4+etch3 0
        100 /var/lib/dpkg/status
cpio:
  Installed: 2.6-17
  Candidate: 2.6-18
  Version table:
     2.6-18 0
        500 http://ftp.us.debian.org stable/main Packages
 *** 2.6-17 0
        100 /var/lib/dpkg/status
libc6:
  Installed: 2.3.6.ds1-13etch4
  Candidate: 2.3.6.ds1-13etch5
  Version table:
     2.3.6.ds1-13etch5 0
        500 http://ftp.us.debian.org stable/main Packages
 *** 2.3.6.ds1-13etch4 0
        100 /var/lib/dpkg/status
libc6-dev:
  Installed: 2.3.6.ds1-13etch4
  Candidate: 2.3.6.ds1-13etch5
  Version table:
     2.3.6.ds1-13etch5 0
        500 http://ftp.us.debian.org stable/main Packages
 *** 2.3.6.ds1-13etch4 0
        100 /var/lib/dpkg/status
locales:
  Installed: 2.3.6.ds1-13etch4
  Candidate: 2.3.6.ds1-13etch5
  Version table:
     2.3.6.ds1-13etch5 0
        500 http://ftp.us.debian.org stable/main Packages
 *** 2.3.6.ds1-13etch4 0
        100 /var/lib/dpkg/status


Thx,

-Jim P.


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: Recent updates

Gian Piero Carrubba
On Sun, 17 Feb 2008 00:46:19 -0500
"Jim Popovitch" <[hidden email]> wrote:

> I haven't seen any other news about this, I show 7 pending updates for
> which no DSA or notices have gone out.

As shown by the candidate URI, they are from the main repository,
not the security one. Related signed messages have been posted on
[hidden email], so it seems a regular proposed-updates -> point
release transition. Anyway, I've missed the announcement about the stable
update release... coming soon, I guess.

Ciao,
Gian Piero.




Re: Recent updates

Alexander Reichle-Schmehl
In reply to this post by Jim Popovitch
* Jim Popovitch <[hidden email]> [080217 06:46]:
> I haven't seen any other news about this, I show 7 pending updates for
> which no DSA or notices have gone out.  Given that d.o servers have
> been hacked in the past, are these updates valid and where can I find
> official info about them?

Subscribe to debian-announce:
http://lists.debian.org/debian-announce/debian-announce-2008/msg00000.html


Yours sincerely,
  Alexander

--
http://learn.to/quote/
http://www.catb.org/~esr/faqs/smart-questions.html


Re: Recent updates

Jim Popovitch
On Feb 17, 2008 8:18 AM, Alexander Schmehl <[hidden email]> wrote:
> * Jim Popovitch <[hidden email]> [080217 06:46]:
> > I haven't seen any other news about this, I show 7 pending updates for
> > which no DSA or notices have gone out.  Given that d.o servers have
> > been hacked in the past, are these updates valid and where can I find
> > official info about them?
>
> Subscribe to debian-announce:
> http://lists.debian.org/debian-announce/debian-announce-2008/msg00000.html

I hope you are teasing, or perhaps you didn't see my first sentence
where I stated that I had not seen any other news about this.  I have
been subscribed to d-a, as well as d-s, and d-i, and d-v..... the
problem was the updates hit the mirrors before the announcement hit
the wire.  Normally this wouldn't be much of an issue, but the formal
signed announcement is the only way for most of us to know that the
updates are legit and not a nefarious action by some rogue hacker.

-Jim P.




Re: Recent updates

Jim Popovitch
In reply to this post by Alexander Reichle-Schmehl
On Feb 17, 2008 8:18 AM, Alexander Schmehl <[hidden email]> wrote:
> http://lists.debian.org/debian-announce/debian-announce-2008/msg00000.html

One additional thing that is not clear to me is that I see pending
updates for libc6 and libc6-dev that are NOT mentioned in that
announcement.

-Jim P.




Re: Recent updates

Noah Meyerhans-3
On Sun, Feb 17, 2008 at 03:12:26PM -0500, Jim Popovitch wrote:
> > http://lists.debian.org/debian-announce/debian-announce-2008/msg00000.html
>
> One additional thing that is not clear to me is that I see pending
> updates for libc6 and libc6-dev that are NOT mentioned in that
> announcement.

No?

From the advisory:

Miscellaneous Bugfixes
----------------------
<snip>
   Package                 Reason
<snip>
   glibc                   Fix sunrpc memory leak

noah



Re: Recent updates

Alexander Reichle-Schmehl
In reply to this post by Jim Popovitch
Hi!

* Jim Popovitch <[hidden email]> [080217 21:12]:

> > http://lists.debian.org/debian-announce/debian-announce-2008/msg00000.html
> One additional thing that is not clear to me is that I see pending
> updates for libc6 and libc6-dev that are NOT mentioned in that
> announcement.

They are mentioned indirectly by their source package:
[..]
   glibc                   Fix sunrpc memory leak
[..]

The respective bug would be #460226.


Yours sincerely,
  Alexander

--
http://learn.to/quote/
http://www.catb.org/~esr/faqs/smart-questions.html


Re: Recent updates

Jim Popovitch
In reply to this post by Noah Meyerhans-3
On Feb 17, 2008 3:17 PM, Noah Meyerhans <[hidden email]> wrote:
>    glibc                   Fix sunrpc memory leak

Ahhh, glibc and libc6 are the same thing.  I forgot about that.  (why is that?)

Thx,

-Jim P.




Re: Recent updates

Alexander Reichle-Schmehl
In reply to this post by Jim Popovitch
Hi!

* Jim Popovitch <[hidden email]> [080217 20:43]:

> > Subscribe to debian-announce:
> > http://lists.debian.org/debian-announce/debian-announce-2008/msg00000.html
> I hope you are teasing, or perhaps you didn't see my first sentence
> where I stated that I had not seen any other news about this.  I have
> been subscribed to d-a, as well as d-s, and d-i, and d-v..... the
> problem was the updates hit the mirrors before the announcement hit
> the wire.

Yes, as the last couple of announcements did.  The problem is that if we
announce a new release before it is sent to the mirrors, mirrors are hit
very hard, hindering the sync of our mirror network.

So in general we first push upgrades to the mirrors, and then send out
announcements.


> Normally this wouldn't be much of an issue, but the formal signed
> announcement is the only way for most of us to know that the updates
> are legit and not a nefarious action by some rogue hacker.

Well, a rogue hacker would need to be quite skilled to add some kind of
"bad" package.

Let's assume he has created a bad package and got control over a mirror
(since he can't upload the package himself that's the only way to
include it).  Of course he could add his package to the Debian archive
he has on that mirror, but since packages and releases are signed with
gpg he couldn't benefit from that, since as soon as someone tries to
install his bad package, package management would detect the wrong
signature.


Yours sincerely,
  Alexander

--
http://learn.to/quote/
http://www.catb.org/~esr/faqs/smart-questions.html

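The check Alexander describes above (signed Release file, hashes of the Packages index, hashes of each .deb) replayed on constructed data, as an added example that is not part of this thread. It assumes the OpenPGP verification of Release.gpg has already passed and shows only the hash chain apt walks afterwards, with the tamper cases a practitioner would expect it to reject.

```python
import hashlib
import re

# Constructed sample .deb bytes (not a real archive) and the Packages stanza an
# archive would publish for it; the version follows the cpio update in the thread.
DEB_BYTES = b"constructed-deb-contents-for-cpio_2.6-18"
PACKAGES = (
    "Package: cpio\n"
    "Version: 2.6-18\n"
    "Filename: pool/main/c/cpio/cpio_2.6-18_i386.deb\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
)
# Constructed Release file. apt first checks the OpenPGP signature (Release.gpg)
# over exactly this text; that step is assumed to have passed here.
RELEASE = (
    "Suite: stable\nCodename: etch\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES.encode()).hexdigest()}"
    f" {len(PACKAGES.encode())} main/binary-i386/Packages\n"
)


def release_hashes(release_text):
    """Map index path -> (sha256, size) from the SHA256 section of a Release file."""
    hashes, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
        else:
            in_section = False  # any other header ends the hash section
    return hashes


def stanza_fields(packages_text):
    """Parse one Packages stanza into a dict of field name -> value."""
    return dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", packages_text, re.M))


def verify_chain(release_text, packages_text, deb_bytes, index_path):
    """True only if Packages matches the Release hashes and the .deb matches Packages."""
    raw = packages_text.encode()
    if release_hashes(release_text).get(index_path) != (hashlib.sha256(raw).hexdigest(), len(raw)):
        return False  # index tampered with, or not covered by the signed Release
    fields = stanza_fields(packages_text)
    return (fields.get("SHA256") == hashlib.sha256(deb_bytes).hexdigest()
            and fields.get("Size") == str(len(deb_bytes)))
```

A mirror operator who swaps a .deb, edits the Packages index, or serves an index the signed Release does not list fails one of these comparisons, which is why the signature on Release alone anchors the whole archive.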

Re: Recent updates

Jim Popovitch
On Feb 17, 2008 3:48 PM, Alexander Schmehl <[hidden email]> wrote:
> Yes, as the last couple of announcement did.  The problem is, that if we
> announce a new release before it is send to the mirrors, mirrors are hit
> very hard hindering the sync of our mirror network.
>
> So in general we first push upgrade to the mirrors, and then sent out
> announcements.

That does make good sense, for the masses (of which I am one) I suppose.

> Well, a rogue hacker would need to be quite skilled to add some kind of
> "bad" package.
>
> Let's assume he has created a bad package and got control over a mirror
> (since he can't upload the package himself that's the only way to
> include it).  Of course he could add his package to the Debian archive
> he has on that mirror, but since packages and releases are signed with
> gpg he couldn't benefit from that, since as soon as someone tries to
> install his bad package, package management would detect the wrong
> signature.

Thanks for the explanation Alexander,

-Jim P.




Re: Recent updates

Alexander Reichle-Schmehl
In reply to this post by Jim Popovitch
Hi!

* Jim Popovitch <[hidden email]> [080217 21:46]:

> >    glibc                   Fix sunrpc memory leak
> Ahhh, glibc and libc6 are the same thing.  I forgot about that.
> (why is that?)

Short explanation:
The Debian archive has source packages (which you as an end user don't
see) which get compiled and become binary packages (the .deb files).  A
source package can compile into several binary packages, e.g. the apache2
source package creates different flavours of the apache web server, the vim
source package creates different flavours of the vim editor, etc.

The source package glibc creates, among others, the binary package libc6.
The announcement lists source packages.


Yours sincerely,
  Alexander


Re: Recent updates

Alexander Reichle-Schmehl
In reply to this post by Jim Popovitch
Hi!

* Jim Popovitch <[hidden email]> [080217 23:42]:
[..]
> > So in general we first push upgrade to the mirrors, and then sent out
> > announcements.
> That does make good sense, for the masses (of which I am one) I suppose.

In general it does; and under normal circumstances we try to send out
the announcement as soon as possible.  Sadly we were quite busy this
weekend, so we didn't succeed this time.  I'm sorry.


[ Explanation about our digital package signatures ]
> Thanks for the explanation Alexander,

You are welcome!


Yours sincerely,
  Alexander


Re: Recent updates

philsf79 (Bugzilla)
In reply to this post by Alexander Reichle-Schmehl
On Sun 17 Feb 2008 17:48:16 Alexander Schmehl wrote:


> Well, a rogue hacker would need to be quite skilled to add some kind of
> "bad" package.
>
> Let's assume he has created a bad package and got control over a mirror

How about a simpler attack vector: compromise a devel account, and sneak in a
patch to be automatically incorporated to a package. Is this feasible?

I understand that this case would not reflect what the OP asked about, but
still.

regards
FF




Re: Recent updates

Rolf Kutz-2
On 18/02/08 06:01 -0300, Felipe Figueiredo wrote:

>On Sun 17 Feb 2008 17:48:16 Alexander Schmehl wrote:
>
>
>> Well, a rogue hacker would need to be quite skilled to add some kind of
>> "bad" package.
>>
>> Let's assume he has created a bad package and got control over a mirror
>
>How about a simpler attack vector: compromise a devel account, and sneak in a
>patch to be automatically incorporated to a package. Is this feasible?
I think packages are signed when uploaded, so it's
not easy. You also could compromise upstream, a
buildd machine or gcc.

>I understand that this case would not reflect what the OP asked about, but
>still.

Why trust software you didn't write yourself at
all[0]?

regards, Rolf

[0] http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

--
Process too difficult to explain.


Re: Recent updates

Alexander Reichle-Schmehl
In reply to this post by philsf79 (Bugzilla)
Hi!

* Felipe Figueiredo <[hidden email]> [080218 10:01]:

> > Well, a rogue hacker would need to be quite skilled to add some kind of
> > "bad" package.
> >
> > Let's assume he has created a bad package and got control over a mirror
> How about a simpler attack vector: compromise a devel account, and sneak in a
> patch to be automatically incorporated to a package. Is this feasible?
>
> I understand that this case would not reflect what the OP asked about, but
> still.

Yes, that would be a possible attack vector.  But you would need to do
more than just break into a devel account.  Since package uploads of
developers need to be signed with a pre-approved gpg key, you would
need to break into that, too (which I must confess is still possible).

However, while it would then be possible to upload packages to Debian's
unstable branch directly (and therefore could possibly [but IMHO
unlikely] even get a package into the testing branch), you still don't
get a package into a stable (point) release, since your manipulated
package needs to pass the review of our stable release managers.

Now keep in mind that you in general can't get new upstream releases
into a stable point release, and since the manipulated package has been
uploaded before the manipulation, changing the source code of the
package won't work.  So the only way you can get your manipulations in
is via the diff.gz of the source package.  So it is more or less easy to
review what has been changed.  Tools like "debdiff" to compare changes
between packages make it even easier.  So it is not impossible, but
quite unlikely, that a manipulated package gets into a stable point
release. (And you would still need to do some more to get your package
in, e.g. a bug report of serious severity (or higher) which your
package claims to fix, which of course will be tested; and all that
while the Debian Developer whose account and gpg key you hacked isn't
noticing anything.)


The next attack vector would be to get a manipulated package into
Debian's unstable branch, and hope it will make it into a stable
release.  That would be complicated and unlikely, too, but I'm too lazy
now to write it all down ;)



Yours sincerely,
  Alexander
