openSUSE Security July 2008

security@lists.opensuse.org

22 participants
16 discussions

[opensuse-security] ACLs, HAL and serial devices (was: HAL and serial devices)
by Jan Ritzerfeld 12 Oct '08

12 Oct '08

Hello, inspired by the thread "Want to could use /dev/ttyS0 as user" on the opensuse-factory maling list, I tried to figure out whether access to /dev/ttyS0 can be granted by HAL/resmgr (since this works fine with the alsa devices). According to /etc/hal/fdi/policy/90osvendor/80-resmgr.fdi, access to serial devices should be granted to "members" of the resmgr modem class (desktop users are not "member" of this class by default). But using 10.3, I cannot even find any serial device via HAL: jan@karl:~> hal-find-by-capability --capability serial jan@karl:~> Obviously, udev recognizes my /dev/ttyS0: jan@karl:~> udevinfo --query=all --name=/dev/ttyS0 P: /devices/platform/serial8250/tty/ttyS0 N: ttyS0 I do not need access to /dev/ttyS0, but I do want to learn more about HAL. :) Gruß Jan -- A fail-safe circuit will destroy all others. --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

2 4

[opensuse-security] Where can I find kernel debuginfo packages for the updated kernels for 11.0?
by Warren Stockton 04 Aug '08

04 Aug '08

This question is not entirely security related but it is a consequence of providing an updated kernel for 11.0. I am looking for the corresponding kernel-default-debuginfo for http://download.opensuse.org/update/11.0/rpm/x86_64/kernel-default-2.6.25.9… I have been unable to locate this package and without it, I cannot use makedumpfile, crash or systemtap with the updated kernel. I would prefer to use the updated kernel rather that the original one from the 11.0 media or a self-compiled kernel just to get debuginfo symbols. --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

2 1

[opensuse-security] FreeRADIUS 2.0.3 listens on random port instead of 1812?
by Neil Anderson 31 Jul '08

31 Jul '08

Hi all, I've just upgraded to openSuSE 11.0 and my freeradius server now seems to be broken. It seems to be listening for auth requests on a random port instead of UDP 1812 I've done a bit of digging on the net and as far as I can see, the issue occurs in a number of other distributions but there doesn't seem to be a fix for it. Has anyone else seen this problem on openSuSE? Is there a fix available, or should I just go back to v1.1.7? I've appended some debug output below. Cheers, Neil # radiusd -X FreeRADIUS Version 2.0.3, for host x86_64-unknown-linux-gnu, built on Jun 7 2008 at 04:26:43 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/clients.conf including configuration file /etc/raddb/snmp.conf including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/sql/mysql/counter.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel including dictionary file /etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/var/run/radiusd/radiusd.pid" user = "nobody" group = "nobody" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no security { max_attributes = 200 reject_delay = 1 status_server = yes } } client 127.0.0.1 { require_message_authenticator = no secret = "testing123" shortname = "localhost" nastype = "other" } client 192.168.x.x/32 { require_message_authenticator = no secret = "xxxxx" shortname = "Weasel-AP" } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/xxx.pem" certificate_file = "/etc/raddb/certs/xxx.pem" CA_file = "/etc/raddb/certs/xxx.pem" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no check_cert_cn = "%{User-Name}" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP- Address,NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP- Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1812 } listen { type = "acct" ipaddr = * port = 0 } main { snmp = no smux_password = "" snmp_write_access = no } Listening on authentication address * port 5409 Listening on accounting address * port 18126 Ready to process requests.

4 4

[opensuse-security] Fou4s 0.15beta8 for openSUSE 11.0
by Markus Gaugusch 23 Jul '08

23 Jul '08

Dear users of fou4s, For those who don't know, fou4s stands for "Fast OnlineUpdate for SuSE", so it is an alternative implementation to YOU. It was built during the days, where you had to start YaST and click 5 times with some waiting in between to get your updates. The situation has become much better lately, but fou4s still has some nice features (such as nice and colored console output, automatic downloading with email-notification and powerful filters). Finally, I have a working version with support for openSUSE 11.0. Please note the following restrictions before downloading: * Signature checking may not be performed * Reboot notifications may not work as expected (former pre-install * Self-Update to newer versions is not yet tested (I need to put appropriate XML files on my server to make this work) info) * Performance is not great and should improve soon * The package which is available for download DOES NOT WORK ON OLDER SUSE RELEASES due to a changed compression algorithm * Dependency resolving is not implemented (and probably will never be, but there are only very few updates which change dependencies) But on the plus-side I have now some multi-core/SMP support :) Delta-RPMs are working fine, patch-rpms are not supported (but I don't think they are offered anymore anyway). Error handling needs some work but most things are done. RPM download: http://fou4s.gaugusch.at/beta/fou4s-0.15.0-0.8.noarch.rpm Homepage: http://fou4s.gaugusch.at/ regards, Markus Gaugusch PS: I use the smart package manager for all other package updates. Only two things keep me from using it for updates: delta RPMs and update descriptions. So as long as this is missing in smart (or I don't know that it exists ;) there will be a working fou4s version. I promise :) -- __________________ /"\ Markus Gaugusch \ / ASCII Ribbon Campaign markus(at)gaugusch.at X Against HTML Mail / \ --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

1 0

[opensuse-security] Re: Do you know if fou4s works on openSUSE-11.0 ?
by Markus Gaugusch 21 Jul '08

21 Jul '08

On Jul 12, Gar Ulbricht <garulbricht7(a)netscape.net> wrote: > Hi Markus et al, > > I have been using fou4s since I installed SuSE-8.0 many years ago. > It has been my up-dater of choice (I do use YaST2 from time to time, > and I am using "openSUSE updater" as well as the SUSE security list > to know when patches available), but fou4s is my first "go to" > for up dating as I feel I am in control of what patches I accept > and which I don't. Hi! I have done some work on 11.0 but it's not ready yet. But requests such as yours are really motivating me :) The biggest problem seems to be some link between the primary.xml and updateinfo.xml (except for the filenames). Markus -- __________________ /"\ Markus Gaugusch \ / ASCII Ribbon Campaign fou4s(at)gaugusch.at X Against HTML Mail / \ --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

6 5

[opensuse-security] Re: [security-announce] Package management security on SUSE Linux
by Carlos E. R. 21 Jul '08

21 Jul '08

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Content-ID: <alpine.LSU.1.00.0807180231020.7677(a)nimrodel.valinor> El 2008-07-15 a las 17:10 +0200, Ludwig Nussel escribió: > Several news sites recently published articles citing a report about > attacks on package managers [1]. Some unfortunately chose a wording > that could be misunderstood as if a rogue mirror server could trick > YaST into installing malicious software when applying regular > (security-)updates. > > This is not the case. All official update repositories for SUSE > Linux based products use cryptographically signed packages and meta > data. YaST verifies the cryptographic signatures and rejects any > file whose signature doesn't match. Therefore it's not possible for > a rogue mirror to introduce malicious software. Question, please: when a user adds a repository, he is asked to add its key first. Where from is this key imported, from the repository itself, from a central repo, or from the chain of HKP keyservers? Usually we simply click "accept", as there is no clear method of checking, trusting, and importing the key except by clicking "accept" when the repo is added. Perhaps Yast, or zypper, should include a key management module. Once the correct key is imported, it is obvious that a rogue repo would be detected. The problem IMO (I haven't read the report) is the key import phase. I understand you have a person studying this precise problem, so it will be nice to learn the conclusions :-) - -- Saludos Carlos E.R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFIf+TZtTMYHG2NR9URAt2OAJ96iwAYGwDmhw94FuD3qtCcq2WDWwCgmVUl KfKLJrYfJmeMm8Do12KZ0QA= =vDm5 -----END PGP SIGNATURE-----

6 7

[opensuse-security] Re: Package management security on SUSE Linux
by Gar Ulbricht 16 Jul '08

16 Jul '08

Ludwig Nussel wrote on [security-announce] "Package management security on SUSE Linux" on Tue, 15 Jul 2008 17:10:52 +0200 (Reference:) <http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00005.html> > > Dear openSUSE and SUSE Linux Enterprise users, > > Several news sites recently published articles > citing a report about attacks on package managers. > Some unfortunately chose a wording > that could be misunderstood as if a rogue mirror server > could trick YaST into installing malicious software > when applying regular (security-) updates. > > This is not the case.... (snip) > ----- <Ludwig Nussel's comments heavily trimmed >---- Dear Ludwig, Thank you for taking the time to post your comments on the (Novell) [security-announce] list regarding "Package management security...". I had seen the original University of Arizona CS article (as you referenced in your footnote) and as cited in either in slash-dot or digg (or may be both) and it was good to get your take on the "Stork project" research. Thanks again. -- --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

1 0

[opensuse-security] Re: Updater can not install freetype2
by Marcus Meissner 15 Jul '08

15 Jul '08

On Tue, Jul 15, 2008 at 06:45:10PM +0000, opensuse-security-announce(a)opensuse.org wrote: > Hello, Please mail this to opensuse-security(a)opensuse.org, not -announce. -announce is moderated. > Yast autoupdate fails installing freetype2. Message is: > Failed to mount cd:///?devices=/dev/sr0 on /var/adm/mount/AP_0x00000080: > No medium found (mount: No medium found) Problem beim Laden von Daten > von: Failed to mount cd:///?devices=/dev/sr0 on > /var/adm/mount/AP_0x00000080: No medium found (mount: No medium found) . > My system: > uname -a > Linux AMD64 2.6.22.18-0.2-default #1 SMP 2008-06-09 13:53:20 +0200 > x86_64 x86_64 x86_64 GNU/Linux Your openSUSE CD is not in the drive. If you do not use the CD, disable this repository. Ciao, Marcus --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

1 0

[opensuse-security] How can I disable SuseFirewall on opensuse 10.3 and use my custom rules?
by Vlad 13 Jul '08

13 Jul '08

Hello everyone! I use OpenSuse since v9.0 and sometimes I needed disable SuseFirewall and used script "iptables" from RedHat. It worked fine.. but I have troubles with OpenSuse 10.3. Of course I disabled Susefirewall from Yast and checked with chkconfig: # chkconfig |grep wall SuSEfirewall2_init off SuSEfirewall2_setup off Then I copied my script and enabled: #chkconfig iptables on # chkconfig -l iptables iptables 0:off 1:off 2:off 3:on 4:off 5:on 6:off But my script didn't work in boot time. And rules have discarded when I used "ifup dsl0" for VPN. Last thing is the most annoying. When I run my script manually : /etc/init.d/iptables start everything is okey. Why does SuseFirewall work? What should I do? Is it a bug? -- Faithfully yours, Vladislav. Key fingerprint = 67CC FA3F 5018 1300 010D 6C26 796D 3965 7B04 2EC6 --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

3 4

[opensuse-security] Re: Do you know if fou4s works on openSUSE-11.0 ?
by Gar Ulbricht 12 Jul '08

12 Jul '08

Hi Markus et al, I have been using fou4s since I installed SuSE-8.0 many years ago. It has been my up-dater of choice (I do use YaST2 from time to time, and I am using "openSUSE updater" as well as the SUSE security list to know when patches available), but fou4s is my first "go to" for up dating as I feel I am in control of what patches I accept and which I don't. Now, I just bought openSUSE-11.0 and I am getting ready to install it. ____ Do you know if fou4s works with openSUSE-11.0 ____ The last note on your web page says: # For 10.3 you need to set Server=http://download.opensuse.org/ # in your fou4s.conf. <http://fou4s.gaugusch.at/> And that's what I did and fou4s is working for openSUS-10.3. I would suspect I need to do something similar for openSUSE-11.0, but what is your experience ??? Best Regards, Gar -- --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org For additional commands, e-mail: opensuse-security+help(a)opensuse.org

1 0

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security July 2008