June 2015 - openSUSE Security - openSUSE Mailing Lists

[opensuse-security] Re: [security-announce] openSUSE-SU-2015:1148-1: important: Security update for Adobe Flash Player
by Carlos E. R. 26 Jun '15

26 Jun '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2015-06-26 10:05, opensuse-security(a)opensuse.org wrote: > openSUSE Security Update: Security update for Adobe Flash Player > Patch Instructions: > - openSUSE 13.1:NonFree: > > zypper in -t patch openSUSE-2015-450=1 > > To bring your system up-to-date, use "zypper patch". I don't see the patch: minas-tirith:~ # zypper info -t patch "openSUSE-2015-450=1" ... patch 'openSUSE-2015-450=1' not found. minas-tirith:~ # minas-tirith:~ # zypper patch ... Resolving package dependencies... Nothing to do. minas-tirith:~ # Has it being removed, or not published? > Package List: > - openSUSE 13.1:NonFree (i586 x86_64): > > flash-player-11.2.202.468-123.1 > flash-player-gnome-11.2.202.468-123.1 > flash-player-kde4-11.2.202.468-123.1 cer@minas-tirith:~> rpm -q flash-player flash-player-11.2.202.466-120.1.x86_64 cer@minas-tirith:~> - -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlWNO0MACgkQja8UbcUWM1z2jAEAlwO5b4V7EfXl69eZAUT7bGCq YfCUrzsZXrV47cL6V7EBAIxdkkQ01pAaY50Ppt9BO8PMRhyvGh/B9xX5gxutw+jd =M7S8 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

2 2

[opensuse-security] Errors after last seccheck update
by Markus Gaugusch 17 Jun '15

17 Jun '15

Hi, I'm receiving errors after the last seccheck update: /usr/lib/secchk/helper.inc: line 46: guessable_password_email: command not found sed: can't read blurbs/guessable_passwd.txt: No such file or directory /usr/lib/secchk/helper.inc: line 49: syntax error near unexpected token `}' /usr/lib/secchk/helper.inc: line 49: `}' /usr/lib/secchk/helper.inc: line 46: guessable_password_email: command not found sed: can't read blurbs/guessable_passwd.txt: No such file or directory /usr/lib/secchk/helper.inc: line 49: syntax error near unexpected token `}' /usr/lib/secchk/helper.inc: line 49: `}' /usr/lib/secchk/security-daily.sh: line 64: check_for_globally_exported_fs: command not found /usr/lib/secchk/security-daily.sh: line 70: list_loaded_kernel_modules: command not found /usr/lib/secchk/security-daily.sh: line 73: nfs_mounted_with_missing_nosuid: command not found /usr/lib/secchk/security-daily.sh: line 76: display_programs_with_bound_sockets: command not found /usr/lib/secchk/security-control.sh: line 52: send_daily_changes: command not found Is anybody aware of this? Thanks! Markus -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

3 3

[opensuse-security] Request 311390 - a new password recovery tool
by Greg Freemyer 12 Jun '15

12 Jun '15

All, The below SR is for a new to OBS password recovery tool (LaZagne). >From what I've seen all it does is look for plain text passwords that the user has visibility to if they knew where to look and present them. I have not done a code review, but I did run it to see what it found. In the case of running it as root, it is not looking in /home/* for passwords, just /etc and /root I know hacking tools are not allowed on OBS, but I argue this is more of an auditing tool in that it lets users know what plain text passwords they have on there system. I can accept it into security:forensics (which is where it was submitted), but I'd appreciate your feedback as to the appropriateness of this package in security:forensics and/or factory before I do that. Per the website (http://www.kitploit.com/2015/02/the-lazagne-project-recover-most-common.html) LaZagne can recover passwords from: ==== browsers - firefox, opera chats - pidgin, jitsi mails - thunderbird adminsys - filezilla, environment variables database - sqldeveloper, squirrel, dbvisualizer wifi - network manager wallet - gnome keyring ==== Summary, With openSUSE 13.2 LaZagne was able to retrieve some passwords for filezilla and wireless lans, but the passwords were being stored in plain text. Thanks Greg ---------- Forwarded message ---------- From: Luigi Baldoni <aloisio(a)gmx.com> Date: Wed, Jun 10, 2015 at 3:06 AM Subject: Request 311390 created by alois (submit security:forensics/LaZagne) To: Greg Freemyer <Greg.Freemyer(a)gmail.com>, Marcus Meissner <meissner(a)suse.com> Visit https://build.opensuse.org/request/show/311390 Description: Retrieves credentials stored locally. Actions: - submit home:alois:branches:security:forensics/LaZagne => security:forensics/LaZagne changes files: -------------- ++++++ new changes file: --- LaZagne.changes +++ LaZagne.changes @@ -0,0 +1,17 @@ +------------------------------------------------------------------- +Fri Jun 5 07:37:17 UTC 2015 - aloisio(a)gmx.com + +- Update to version 0.71: + * Wifi password module from WPA Supplicant implemented (by rpesche) + +------------------------------------------------------------------- +Sat May 30 12:01:35 UTC 2015 - aloisio(a)gmx.com + +- Update to version 0.7: + * Fix mozilla bug (special characters were not printed) + +------------------------------------------------------------------- +Wed May 27 11:50:21 UTC 2015 - aloisio(a)gmx.com + +- Initial version 0.6 + new: ---- LaZagne-0.71.tar.bz2 LaZagne.changes LaZagne.spec spec files: ----------- ++++++ new spec file: --- LaZagne.spec +++ LaZagne.spec @@ -0,0 +1,74 @@ +# +# spec file for package LaZagne +# +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# + +Name: LaZagne +Version: 0.71 +Release: 0 +Summary: Python tool to decode locally stored passwords +License: GPL-3.0 +Group: Development/Languages/Python +Url: https://github.com/AlessandroZ/LaZagne +Source0: %{name}-%{version}.tar.bz2 +BuildRequires: fdupes +BuildRequires: python-devel +Requires: dbus-1-python +Requires: python-argparse +Requires: python-kde4 +Requires: python-pyasn1 +Requires: python-pycrypto +BuildArch: noarch + +%description +LaZagne is an open source tool to retrieve and decode +credentials stored on your computer. + +%prep +%setup -q + +%build + +%install +pushd Linux/src +mkdir -p %{buildroot}%{python_sitelib}/%{name} +sed -e 's|^# !/|#!/|' -i LaZagne.py +cp LaZagne.py* %{buildroot}%{python_sitelib}/%{name} +cp -a config %{buildroot}%{python_sitelib}/%{name} +cp -a softwares %{buildroot}%{python_sitelib}/%{name} +popd + +pushd %{buildroot}%{python_sitelib}/%{name}/ +%py_compile . +popd + +mkdir -p %{buildroot}%{_bindir} +pushd %{buildroot}%{_bindir} +ln -s %{python_sitelib}/%{name}/%{name}.py . +chmod +x %{buildroot}%{python_sitelib}/%{name}/%{name}.py +popd + +%fdupes -s %{buildroot} + +%files +%defattr(-,root,root) +%doc CHANGELOG LICENSE README.md +%dir %{python_sitelib}/%{name} +%{_bindir}/%{name}.py +%{python_sitelib}/%{name}/%{name}.py* +%{python_sitelib}/%{name}/config +%{python_sitelib}/%{name}/softwares + +%changelog other changes: -------------- ++++++ LaZagne-0.71.tar.bz2 (new) To REVIEW against the previous version: osc request show --diff 311390 To ACCEPT the request: osc request accept 311390 --message="reviewed ok." To DECLINE the request: osc request decline 311390 --message="declined for reason xyz (see ... for background / policy / ...)." To REVOKE the request: osc request revoke 311390 --message="retracted because ..., sorry / thx / see better version ..." -- Configure notifications at https://build.opensuse.org/user/notifications openSUSE Build Service (https://build.opensuse.org/) -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

3 3

[opensuse-security] Review needed, putting yast2-security in shape
by Ancor Gonzalez Sosa 12 Jun '15

12 Jun '15

YaST2-Security, the YaST module to configure local security settings, is aging. There is a quite deep analysis about the problems here https://docs.google.com/document/d/1BFVou4YrRoc4vPCkofs-Qo2C9b-lWIbuMBiGk3O… The plan described in the document is a mid-term goal. In the short term (next week), the goal is to do less disruptive changes. To be concrete, just: - Remove any reference to runlevels - Update the list of security settings (currently "home workstation", "networked worstation" and "network server") - Update the list of mandatory services (it will still be independent of the security setting for the time being) - Update the list of extra allowed services (same as above) We are already working with the following lists, feedback is highly appreciated. New list of security settings: - Workstation - Server New list of mandatory services: - systemd - systemd-journald - systemd-dmevented - systemd-udevd - systemd-logind - dbus-daemon - rsyslogd - polkitd - cron - SuSEfirewall - auditd New list of extra (harmless) services: - wickedd - nscd - postfix - ntpd - sshd - haveged Anything you miss? Anything you thing should not be there? Thanks. -- Ancor González Sosa YaST Team at SUSE Linux GmbH -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

3 2

[opensuse-security] Re: [opensuse-factory] Re: Review needed, putting yast2-security in shape
by Ancor Gonzalez Sosa 11 Jun '15

11 Jun '15

On 06/11/2015 11:26 AM, Yamaban wrote: > Comments inserted, personal IMHO. > > On Thu, 11 Jun 2015 10:47, Ancor Gonzalez Sosa wrote: >> >> YaST2-Security, the YaST module to configure local security settings, is >> aging. There is a quite deep analysis about the problems here >> https://docs.google.com/document/d/1BFVou4YrRoc4vPCkofs-Qo2C9b-lWIbuMBiGk3O… >> >> >> The plan described in the document is a mid-term goal. In the short term >> (next week), the goal is to do less disruptive changes. To be concrete, >> just: >> >> - Remove any reference to runlevels > First step: replace runlevels with the corresponding systemd *.target, > afterwards think about removal, where it makes sense. To be honest, I find much cheaper, coherent and a lot less confusing to only analyze the current target. >> - Update the list of security settings (currently "home >> workstation", "networked worstation" and "network server") > Giving examples like "private network with internet (home)", > "public network (guest / public wifi, cell-mobile)", "providing > services to others (server)" would be much more clear and helpfull. The full descriptions of the old settings (clearly outdated nowadays) are in the help of the module and in one screenshot in the document referenced at the beginning of my mail. >> - Update the list of mandatory services (it will still be independent >> of the security setting for the time being) >> - Update the list of extra allowed services (same as above) >> >> We are already working with the following lists, feedback is highly >> appreciated. >> >> New list of security settings: >> - Workstation >> - Server > Missing : roaming mobile (laptop, tablet) Good point. >> New list of mandatory services: >> - systemd >> - systemd-journald >> - systemd-dmevented > Really, for every one? Many of the systems under my care are better of > without any dm* stuff, better move that to extra. > >> - systemd-udevd >> - systemd-logind >> - dbus-daemon >> - rsyslogd > Urgs, either generic syslog(rsyslogd,syslogd-ng,journald-only), > or all of them selecive (radio-button) We actually have the ability to specify a list of equivalent services, but this only makes obvious the inability of Yast2-Journal to manage systemd aliases. I will try to implement proper management of aliases, so specifying "syslog" is enough for the module to figure out that rsyslogd is also ok. >> - polkitd >> - cron > Eh?, and what about handling systemd-timer stuff, that more and more > replaces cron, as well as which implemention of cron > (anacron,crony,dcron,fcron,vixie-cron,etc)? To some extend, more work for the to-be-implemented aliases handling. :-) >> - SuSEfirewall > give hints to other firewalls (firewalld, shorewall, etc) and ipv6 > handling (its ugly in SuSEfirewall) > >> - auditd > Well, dunno. Apparmour seems more relevant to security than auditd, IMHO >> >> New list of extra (harmless) services: >> - wickedd >> - nscd >> - postfix >> - ntpd >> - sshd >> - haveged > place auditd here, and if not above, apparmour also here, > also needed here: modem-manager, network-manager > >> Anything you miss? Anything you thing should not be there? >> >> Thanks. > Thanks for starting this thread, it is needed work. Thanks for the feedback. -- Ancor González Sosa YaST Team at SUSE Linux GmbH -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

1 0

[opensuse-security] [CFP] Reminder: Linux Security Summit 2015 CFP closes this Friday 5th June
by James Morris 03 Jun '15

03 Jun '15

Just a reminder to folk who've done interesting things in Linux security this year, the CFP for LSS 2015 is open until this Friday, 5th June. See the following link for details: http://kernsec.org/wiki/index.php/Linux_Security_Summit_2015 This is not just for kernel developers, or even developers -- any interesting/novel application of Linux security or research is welcome. We're also looking for round-table discussion topics, and people to lead those discussions. Get your proposals in soon! - James -- James Morris <jmorris(a)namei.org> -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

1 0