On Mon, 10 Mar 2003, Robert Davies wrote:
On Friday 07 March 2003 13:47, HoneyNet Germany wrote:
Together with the Sendmail Remote Buffer Overflow there has been announced a Snort vulnerability. But until now no one mentioned this on the list, nor is an update available.
When can we expect an updated Snort 1.9.1 RPM?
Usually SuSE publish minimum patches to address vulnerabilities, rather than new versions of a package. Maybe that was the wrong question to ask?
Having watched the thread slightly bemused, I am wondering:
1) Will there be an advisory on snort, in response to the vulnerability?
2) If so will there be update patch rpms in future
3) Will the work round be published officially, to tide 'snorters' over in meantime
Yes.
As it is, I have the impression snort, though present on my CD disks and the SuSE ftp site, is creeping under the radar. If I had not been paying attention here, then I might open up one of my systems unknowingly by installing this package with a remote root exploit.
Thomas, thank you for the info, and I agree with you that it is simple to update the snort package by downloading source and rebuilding the rpm.
I know it isn't the most convenient way, but we are working under high pressure currently. I used snort for myself a very long time and as a snort-user I recognized that it's very important to keep track of the releases made by the snort-team. Their release frequency is much higher than every vendor is able to publish new and tested packages. And their installation routines are clean enough to make compiling, installing and running a new snort release very easy.
There is however a problem if a known remote-root vulnerable package can remain on the install list for long, simply because that package is 'low priority', maybe because it's infrequently installed, or it's software the Security Team do not trust and like.
We think snort is useful that's the reason we ship it. SuSE always tries to ship the most recent versions with their upcoming SuSE Linux release. Bugs like this will be communicated in section two of our security announcements. I know snort wasn't part of the last announcement but it'll be part of the next one.
One of the reasons I buy and use SuSE, is because of the Security Team, and I really like the fact that you are accessible on this list. But you and your
Thank you.
managers, need to appreciate, that I am then relying on you then to make sure the SuSE packages are sound against known vulnerabilities, or at least produce an advisory, with a workround or 'pull the package entirely'.
We will...
If there's not time to deal with snort patches and update rpm's, and you don't seem to have confidence in the implementation, then maybe the axe should fall?
For those who do want to risk snort, a simple spec file and a support note on how to build the snort update package for those who *must* have it, with appropriate disclaimers?
It should be easy. Just install the source rpm from your CD, generate the
patch for your version by using their CVSWeb
(http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/snort/snort/src/preprocessors...)
and add it to the spec file. I didn't try it on my own, but it may work.
Copy the tar balls containing the sources to /usr/src/packages/SOURCES and
the spec file to /usr/src/packages/SPECS .
Run rpm -bb /usr/src/packages/SPECS/snort.spec to build the rpm file.
Make sure all dependencies are solved. A list of dependencies is (should
be) included in the header of the spec file.
Now install/update the new snort rpm by running the following command as
root: rpm -Uvh /usr/src/packages/RPMS/<your arch>/snort-<your version>.<your arch>.rpm
But compiling and installing the new snort version may be a lot easier.
Bye,
Thomas
--
Thomas Biege