openSUSE Security March 2005

security@lists.opensuse.org

101 participants
67 discussions

installing newer software than that in the CDs
by John 01 Apr '05

01 Apr '05

Hello I tried to install the apache 2.0.53 from SUSE's rpm. I found them in SUSE's site. i installed these rpms (apache and other related with the 2.0.53 version packages like prefork, etc) I ran YOU and i surprising found that a patch was available for apache 2.0.53. Can this be true or not? Is there any patch for apache 2.0.53 ? One more issue. I tried to install php using Yast and the rpm from the CD. After having done the proper configuration for the php support, i tried to startapache 2.0.53 but it failed and gave me an error (in the error_log) Segmation Fault (pointed the line that php get loaded) What was wrong with that? Thanks in advance John

3 5

still have problems with "kernel: ip_conntrack: table full, dropping packet."
by Ralf Ronneburger 31 Mar '05

31 Mar '05

Hi everyone, I still get the error message "kernel: ip_conntrack: table full, dropping packet." on SuSE 9.0 with SuSEfirewall2 (all updates installed) about every 2-4 weeks (there was a discussion about this some month ago, but no solution...). The only thing that seems to help when this occurs is rebooting the machine (as far as I could figure). The machine does have some servers behind it and filters about 500MB of traffic average per day. Below are some informations about the error-messages and the configuration and the state of the server when the problem occurs: linux:~ # cat /var/log/messages | grep ip_ Feb 24 12:13:05 linux kernel: ip_conntrack: table full, dropping packet. Feb 24 12:13:09 linux kernel: ip_conntrack: table full, dropping packet. Feb 24 12:13:15 linux kernel: ip_conntrack: table full, dropping packet. Feb 24 12:13:20 linux kernel: ip_conntrack: table full, dropping packet. Feb 24 12:13:24 linux kernel: ip_conntrack: table full, dropping packet. Feb 24 12:13:38 linux kernel: ip_conntrack: table full, dropping packet. Feb 24 12:13:39 linux kernel: ip_conntrack: table full, dropping packet. Feb 24 12:13:56 linux kernel: ip_conntrack: table full, dropping packet. linux:~ # cat /proc/net/ip_conntrack | wc -l 1913 linux:~ # cat /proc/sys/net/ipv4/ip_conntrack_max 32760 linux:~ # iptables-save | wc -l 922 Does anybody have the same problem and hopefully a solution? Any ideas how I can at least find out, which packets are dropped? Greetings, Ralf

9 16

Firefox invocation allows unintended root access
by Phil Betts 31 Mar '05

31 Mar '05

This is possibly not a SuSE specific problem, but since the two systems involved are both running 9.2 Pro, and it's their integrity that's at stake, and since I've no idea what the underlying mechanism is, I thought I'd start here ;) The situation: PC1 - SuSE 9.2 Pro AMD32 PC2 - SuSE 9.2 Pro AMD64 Run Firefox as root@PC2 for browsing local files (the files are only readable by root). Still on PC2, run ssh -X to get a shell as normal-user@PC1. Start Evolution on PC1, opening on PC2's display. Click on an http link in an email. A Firefox window opens with the link displayed. By chance, I noticed that the Adblock extension was missing and I happened to click on the About menu. I was surprised to see that it claimed to be the x86_64 version. Further investigation revealed that Evolution had connected to the root-invoked Firefox on PC2, rather than starting a fresh instance by normal-user@PC1 displaying on PC2. Had I not noticed this, it would have been easy for me to enable java/javascript and installed plugins etc., in the belief that the browser was running as normal-user@PC1. Note that Evolution is an innocent party here, just starting Firefox directly from the ssh session produces the same effect. The reason for mentioning it is that a link in an email can be a seductive way to trap the unwitting user. Also note that the situation does not appear to occur if the remote connection is not involved. I.e. when root@PC2 runs Firefox, then user@PC2 starts Firefox, this results in 2 instances of Firefox. IMHO, Firefox should only connect with an already running instance if that instance was started by the same user on the same host. It is questionable whether normal-user@PC1 should even be aware of the existence of the root@PC2 instance. Phil

3 3

RE: [suse-security] Firefox invocation allows unintended rootaccess
by Jose_Thomas＠Dell.com 31 Mar '05

31 Mar '05

Looks this problem is directly inherited from the way how X works. SELinux will be the right way to solve this problem. Thanks Jose -----Original Message----- From: Phil Betts [mailto:phil_betts@ntlworld.com] Sent: Thursday, March 31, 2005 1:52 AM To: suse-security(a)suse.com Subject: Re: [suse-security] Firefox invocation allows unintended rootaccess On Wed, 2005-03-30 at 11:27 +0200, Marcus Meissner wrote: > Your remote side can do even more things, like snooping or inserting > keyboard input into the main X session. > > If you are on the same X Server you have basically full user access. > Of course, but that's not what one expects of a browser whose reputation is built, at least partly, on security. If you invite your trustworthy neighbour in for a drink, you'd be pretty upset if he took control of the TV remote, emptied your fridge and rearranged the furniture! > > I do not see this is as a problem, but workin as intended. > Hmm, "as intended" != "correctly" (except perhaps in Redmond). If by "intended", you mean that there should only ever be one instance of firefox per X display, then firefox is broken, because two different users on the _same_ box start independent firefox instances, each with their own set of bookmarks, cookies, extensions etc. Why should this policy be different when running a firefox from a session on a second box? The fact remains that I clicked on a link in an email message as an unprivileged user on my web-facing machine, but found that I had connected to the web as root on a machine that normally only connects to the web for system updates. I would NEVER have connected to the web for any other purpose using my root account (on either box) by choice. If the link I had clicked was actually to a page containing some malicious exploit, I would have been completely stuffed. I can't believe that this is "as intended". Also, regardless of the security implications, if I start a session on a remote box and start firefox, I do this because I want THAT user's set of bookmarks etc., not those of some arbitrary user on a different machine. As it stands, the only way to achieve this is to shut down all prior instances of firefox first, which is neither intuitive, nor desirable. As I mentioned in my original post, I don't know the details of the underlying mechanism, as it involves the interaction of X, ssh and firefox. If you have more knowledge on this, I'll be happy to raise it with the most appropriate party. My guess would be the firefox developers, but for all I know, they may just be using some connect_to_existing_instance() routine in an independently written shared library, which could mean that many apps may be subject to the same problem. Phil -- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help(a)suse.com Security-related bug reports go to security(a)suse.de, not here

1 0

Kernel updates+ATI drivers
by Maxim A Belushkin 30 Mar '05

30 Mar '05

Are there any plans to include the ATI drivers for X.org into the YaST graphics card selection? Alternatively, is there any way to force YaST to run a specific command after each kernel update? Every kernel update breaks the ATI drivers (expected), loosing 3D support and requiring a manual re-installation of the ATI rpm which builds the driver for the current kernel... Thanks in advance!

3 2

Securing data on disk - when disk taken out of computer ?
by Robert Rozman 30 Mar '05

30 Mar '05

Hi, I'm seeking for solution, that would let me ecrypt partition of file on disk, but be somehow automatically mounted on reboot (without prompting for password) , but still secured if someone takes disk out and tries to mount on another system... I'm newbie, so please be gentle - it could be impossible to achieve... How to do this? Can I somehow sign disk to be used/mounted only in certain HW and not on another HW ? If proof solution is not possible, could I at least automate mounting of encrypted file and give at least some problems to enyone that stoles disk and tries to mount it outside PC ? Thanks in advance, regards, Rob.

2 1

CAN-2004-1073 fixed by suse ?
by BoneMachine 30 Mar '05

30 Mar '05

Hi, I've noticed a message on the Full-Disclosure mailinglist. The message states that there is no fix supplied in the vanilla kernel and that there is probably no fix in vendor supplied kernels for the CAN-2004-1074 vulnerability. The message to FD can be found at the following link: http://archives.neohapsis.com/archives/fulldisclosure/2005-03/0820.html Can any of you guys confirm that SuSE is still vulnerable? TIA Bone Machine --- "I can hardly wait Betty" - The Pixies

3 2

Susefirewall2 detailed howto
by Valentin Holban 28 Mar '05

28 Mar '05

Hello. I have: Suse 9.1 kernel 2.6.5 Susefirewall2 I would like to know how to use FW_CUSTOMRULES in order to perform more detailed filtering. If there are any docs available, or online references, please point them to me. Thx, Vali.

1 0

Re: [suse-security-announce] SUSE Security Announcement: several kernel security problems (SUSE-SA:2005:018)
by Carlos E. R. 28 Mar '05

28 Mar '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Thursday 2005-03-24 at 17:29 +0100, Marcus Meissner wrote: > SUSE Security Announcement > > Package: kernel > Announcement-ID: SUSE-SA:2005:018 > Date: Thu, 24 Mar 2005 15:00:00 +0000 > Affected products: 8.2, 9.0, 9.1, 9.2 > SUSE Linux Desktop 1.0 > SUSE Linux Enterprise Server 8, 9 > Novell Linux Desktop 9 Just for the record, YOU update for SuSE 9.1 of this patch forgets to run mkinitrd. The most visible problem is the missing splash in tty1. It is not the fisrt time this happens. - -- Cheers, Carlos Robinson -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFCR+IstTMYHG2NR9URAsMBAJsHj4SKDNeuaTUzsr2KB9koElYMowCgiLPl 5quBxpMZpmYVHuQZucMyZzs= =EY0s -----END PGP SIGNATURE-----

4 4

mysql and kernelupdates
by Philippe Vogel 25 Mar '05

25 Mar '05

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi! There are several exploits in the described packages, but why aren't there any packages for YOU or am I too fast with my conclusion? The normal way was to write an announcement and then provide the patch-rpm's via YOU or is there a slightly change after novell is in the business? Reguards Philippe - -- Diese Nachricht ist digital signiert und enthält weder Siegel noch Unterschrift! Die unaufgeforderte Zusendung einer Werbemail an Privatleute verstößt gegen §1 UWG und 823 I BGB (Beschluß des LG Berlin vom 2.8.1998 Az: 16 O 201/98). Jede kommerzielle Nutzung der übermittelten persönlichen Daten sowie deren Weitergabe an Dritte ist ausdrücklich untersagt! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iQD1AwUBQkMbk0Ng1DRVIGjBAQLn5gb9HQfh2+GLGUZk2UIzvsgwIAtSJL76hyVe Sf4PgbkDh3xnT3jfahoQnM4jtna5xemfFil1hl3VUu16MF8+Dd0Z7LFJ/LMREmJq S2QQjnT02XsiGcA2+QrZQfKkE5DlDG6jk+FH9jsZ3lPk6dnt+WGfs+PzNUMDhISz qiYJRmD3KaE35nAsDIoxe2XddsmGP6eXN/WM9ylHYQtaZj9Xw1xoYFq1ZrEA/Jqh hcXCh7Rvxxa2MPK9UGNgJcyeVNBxjxm6dmjB4gUsNC46wNypDjayNIPP4JkcllmX Ele8wfMRqxQ= =94g2 -----END PGP SIGNATURE-----

3 3

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security March 2005