Debian Weekly News - March 14th, 2001
Welcome to Debian Weekly News, a newsletter for the Debian community.
For years we've known that Debian's means of getting packages and releases out to users is lacking from a security standpoint. There has been no way to know that the package you just downloaded was really made by a Debian developer and is really a part of a current Debian release. This is rapidly changing, and soon users will have two complementary ways to verify that they are installing legitimate packages. This week a patch was posted to the debian-dpkg list that adds support to dpkg for checking signatures of Debian packages. The signatures are held in a new section of the package itself, and tools are entering Debian now to add and check such signatures. This type of package signing parallels similar techniques that have been present in the rpm world for a long time, and they are a welcome addition to dpkg, but their usefulness should not be over-emphasized.
Signed packages alone still leave open several avenues of attack. Various evil things can be done to the Packages file, or by tricking apt into downloading an old and insecure package. Closing off these attacks requires another layer of security -- signed releases. Already Release.gpg files are appearing on the archive, and apt will soon be able to verify these signatures when it upgrades a Debian system. In the final analysis, neither of these schemes guarantees absolute security, but they will make attacks much harder for the black hats, and perhaps by the time woody is released, both types of signatures will be widely available.
Preparations are underway for an update to stable, Debian version 2.2r3. As in most minor revisions, packages with security problems, copyright issues, or very bad bugs are candidates to be updated in this release. It may also include updates to make it compatible with the 2.4 kernel, since all the necessary packages are already backported. Martin Schulze is coordinating the new release, and his list of packages that will get in is available on the web.
DPL elections are under way, after a few false starts. Developers can pick up a ballot and mail it in, gpg-signed. Voting ends on the 28th.
Another bug squashing party is planned for this weekend. Nearly 350 release critical bugs remain after the last party, and they all need to be fixed before woody is released, so anyone with spare time this weekend is encouraged to lend a hand and fix a bug or two.
Some weeks, unending security fixes pour into Debian. This was such a week. Some of these announcements are for problems that were actually fixed earlier but not announced, but many are brand-new security fixes.
- Several minor bugs in stable's proftpd package could lead to minor security problems.
- A remotely exploitable buffer overflow in analog could be exploited via the CGI interface.
- Several buffer overflows in ePerl were discovered that could lead to a remote root exploit in some setups.
- A remote denial of service attack was found in man2html -- it could be forced to consume all memory.
- A local exploit in midnight commander.
- All of the xaw replacement libraries (nextaw, xaw3d, and xaw95) were updated to fix some security holes that were earlier found and fixed in xaw itself.
- A temp file security hole was fixed in sgml-tools.
- Two security holes in stable's glibc, both root exploits, were fixed. (Note that the fix broke ldd on suid binaries, so an update will probably be released eventually to fix that.)
- A remotely exploitable buffer overflow in stable's slrn.
- Joe unsafely read .joerc from the current directory; this was locally exploitable if joe was run in directories such as /tmp/.
- A remotely exploitable buffer overflow in gnuserv and xemacs.
- Several remote exploits in Zope.
- A buffer overflow in mailx that could locally yield access to the mail group.
The security team deserves many thanks for all their hard work this week.
To receive this newsletter weekly in your mailbox, subscribe to the debian-news mailing list.
Back issues of this newsletter are available.
This issue of Debian Weekly News was edited by Joey Hess.