[Devel] Skolelinux got some security problems...
(Follow-up to devel@xxxxxxxxxxxxx, to make sure our international
developers can follow the discussion.)
As you probably do not know, Skolelinux has some security problems.
Most of these problems come from the fact that for a few of the
packages we supply, the packages in woody weren't good enough. For
these, we had to use newer versions, or recompile them to change
behavior. After we did this, some security problems were found and
fixed in woody, while our packages still contain the security problem.
The security problem we are seeing is that no one fixes security
problems for these packages in a timely fashion. Fixing security
problems in this context means keeping track of security problems in the
packages, making patched packages available and making sure these fixed
packages are tested and placed into the official Skolelinux APT
source.
At the moment, I know about the following problems:

 - Remote root exploit in Webmin, bug #331 (fixed version announced
   2003-02-20 on webmin.org, while the bug was discovered by me and
   reported to our bugzilla 2003-03-21).

 - Webmin uses a well-known SSL certificate, making it trivial to sniff
   the root password, bug #332 (fixed version announced 2002-10-08.
   Not sure when I discovered it, but I reported it into our bugzilla
   2003-03-21).

 - Passwords are sent in clear text when users authenticate using
   LDAP, bug #213 (configuration problem because of the missing crypto
   system in woody. Reported to our bugzilla 2002-10-07.)
These are old problems, and none of them were discovered (or at least
reported into bugzilla) by the one responsible for the service in
Skolelinux. I believe these problems indicate a structural problem
with the way Skolelinux is organized.
I've tried to keep the number of non-woody packages to a minimum,
because I anticipated this kind of problem. At the moment, we use
the following non-woody upgraded source packages (from
<URL:http://developer.skolelinux.no/info/cdbygging/sl-packages.txt>):
Description of the extra packages from Skolelinux sources
---------------------------------------------------------

    base-config-skolelinux           pere      L
  * cfengine-skolelinux              pere      L
  * ldap-skolelinux                  andread   L
    xdebconfigurator                 ?         L
    locale-config-skolelinux         ilmari    L
    task-skolelinux                  pere      L
        The Skolelinux configuration packages. These take care of the
        install configuration.

    user-sme                         ?         L
        Sami keyboard for XFree86 4. Newer versions of XFree86 (>=4.2)
        will have the keyboard included.

  * webmin-ldap-skolelinux           andread   L
        LDAP user administration module for Webmin. This should be pushed
        into Debian, or included upstream into webmin. A student group is
        working spring 2003 to combine webmin-ldap and webmin-useradm into
        one package, and pushing it upstream.

  * webmin-cupsadmin-skolelinux      runesk    ?
        CUPS admin module for webmin.

    kwebmin                          mortehu   L
        Makes webmin available in the KDE control panel.
Description of the local modifications
--------------------------------------

    apt                              pere      F
        Patches to avoid the request to insert the CD if it already is
        inserted, make the "Insert CD" question easier to read, and
        support DEBIAN_FRONTEND=noninteractive. (Debian bug #154601,
        #154602, #177272)

    discover-data                    pere      F
        Patches to support kernel 2.4 and more HW. (Debian bug #166093,
        #166676, #164276, #163429, #164288)

    kde-i18n                         gautehk   L/F
        Updated KDE 2.2 bokmål, nynorsk and northern sami translations.
        These are sent upstream to the KDE project, and not to Debian.

  * ntp                              pere      F
        Upgraded from 4.1.0-8 to 4.1.1b-3 to get support for using
        debconf answers to configure a local clock. Patched to get it to
        work. (Debian bug #147846 and #179521).

  * openldap2                        runesk    F
        Upgraded from 2.0.23 to 2.0.27 to get TLS and SSL support.
        Local fixes for the init.d script and configuration of this in
        /etc/default/slapd
Justification for upgraded packages (from Sid or Sarge)
-------------------------------------------------------

    base-config                      pere      D
        Upgraded from base-config 1.33.18 to 1.41 to add locale support
        and handle noninteractive install. (Debian bug #135565, #141057).
        Upgraded from 1.41 to 1.52 (with a patch to avoid depending on
        the Sid version of debconf) to get rid of the interaction from
        APT, and to get better support for translations. Upgraded from
        1.52 to 1.58 to get rid of some duplicate code in
        base-config-skolelinux. No local patch needed as newer debconf
        is available.

    cfengine                         tfheen    D
        I'm not sure why we upgraded. [pere 2003-01-19]

    debconf                          pere      D
        Upgraded from 1.0.32 to 1.2.34 to get support for UTF-8
        templates. This is needed by base-config-skolelinux now that we
        make debs and udebs from the same package.

    discover                         tfheen    D
        Upgraded from the version in Woody (1.1-6) to the version in Sid
        (1.5-1.3) to get fixes for install problems when modules fail to
        load (Debian bug #153656).

    etherconf                        pere      D
        Upgraded from the version in Woody (1.10) to the version in
        Sid (1.14-0.1) to get support for setting the broadcast
        address, fixing Skolelinux bug #283. (Debian bug #153465)

    grub                             pere      D
        Upgraded from the version in Woody (0.91-2) to the version in Sid
        (0.93+cvs20030217-1) to get fixes for several SCSI-related
        bugs. (Debian bug #110431, #155289, #158485)

    initrd-tools                     pere      D
  * kernel-image-2.4.20-1-i386       pere      D
    modutils                         pere      D
        Upgrading the kernel from 2.4.19 (Woody) to 2.4.20 gives us more
        HW support. It requires newer initrd-tools and modutils.
        Upgraded to 2.4.20-1 to fix a local exploit.

    hwdata                           ?         D
        Not sure why we upgraded from Woody (0.12-1) to a version fetched
        from Sid (0.44-1). [pere 2003-01-19]

    lvm-common                       pere      D
    lvm10                            pere      D
    devfsd                           pere      D
        The packages fetched from Sid (lvm10 1.0.6-1, lvm-common 1.5.7,
        devfsd 1.3.25-12) solve problems with LVM on SCSI when the kernel
        is compiled with devfs, but without /dev/ mounted as devfs. These
        packages and installed devfs should fix the problem.

    manpages                         pere      D
        The manual pages in Woody (1.39-1.1) are old, so I decided to
        upgrade to the latest version fetched from Sid (1.48-2).

    noteedit                         pere      D
        This user application did not make it into Woody due to problems
        on ia64. Fetched from Sid (1.16.1-1.1).

    wine                             pere      D
        The version in Woody is old (0.0.20020411-1) and the version
        fetched from Sid (0.0.20021007-1) supports more Windows programs.

    libieee1284                      pere      D
  * sane-backends                    pere      D
    sane-frontends                   pere      D
    xsane                            pere      D
        The sane version in Woody (sane 1.0.7-2.1, xsane 0.84-2) is old,
        and the version fetched from Sid (sane 1.0.9-4, xsane 0.90-2)
        supports more scanners. libieee1284 is missing in Woody but is
        required by the new sane packages. The xsane upgrade is just
        cosmetics.

  * webmin                           ilmari    D
  * webmin-apache                    ilmari    D
  * webmin-bind                      ilmari    D
  * webmin-core                      ilmari    D
  * webmin-dhcpd                     ilmari    D
  * webmin-exports                   ilmari    D
  * webmin-grub                      ilmari    D
  * webmin-inetd                     ilmari    D
  * webmin-ltsp                      ilmari    D
  * webmin-lvm                       ilmari    D
  * webmin-quota                     ilmari    D
  * webmin-raid                      ilmari    D
  * webmin-samba                     ilmari    D
  * webmin-software                  ilmari    D
  * webmin-squid                     ilmari    D
  * webmin-sshd                      ilmari    D
  * webmin-status                    ilmari    D
        Upgraded to v1.000-1 to fix Skolelinux bug #110, #151 and #155.
        Upgraded to v1.070-1 to fix security problems, Skolelinux bug #331
        and #332.

    tetex-brev                       pere      D
        Norwegian letter style for LaTeX. Missing in Woody. Fetched from
        Sid (4.19-2).

    kmplot                           tfheen    D
        KDE mathematical function plotter. It is missing in Woody, but is
        present in Sarge and Sid. We fetched a copy from Sid (0.3-2).

    ng-utils                         pere      D
        Command line utilities for accessing netgroups through NSS. We
        fetched a copy from Sid (0.4-1).
Description of the extra packages from external sources
-------------------------------------------------------

  * ltsp-core-i386                   ragnar    X
    ltsp-doc                         ragnar    X
  * ltsp-kernel-2.4.9-i386           ragnar    X
    ltsp-kernel-pxe-2.4.9-i386       runesk    X
    ltsp-local-apps-i386             ragnar    X
  * ltsp-x-core-i386                 ragnar    X
    ltsp-x-fonts-i386                ragnar    X
  * ltsp-x-xserver-3dlabs-3.3.6-i386 ragnar    X
  * ltsp-x-xserver-8514-3.3.6-i386   ragnar    X
  * ltsp-x-xserver-agx-3.3.6-i386    ragnar    X
  * ltsp-x-xserver-fbdev-3.3.6-i386  ragnar    X
  * ltsp-x-xserver-i128-3.3.6-i386   ragnar    X
  * ltsp-x-xserver-mach32-3.3.6-i386 ragnar    X
  * ltsp-x-xserver-mach64-3.3.6-i386 ragnar    X
  * ltsp-x-xserver-mach8-3.3.6-i386  ragnar    X
  * ltsp-x-xserver-mono-3.3.6-i386   ragnar    X
  * ltsp-x-xserver-p9000-3.3.6-i386  ragnar    X
  * ltsp-x-xserver-s3-3.3.6-i386     ragnar    X
  * ltsp-x-xserver-s3v-3.3.6-i386    ragnar    X
  * ltsp-x-xserver-svga-3.3.6-i386   ragnar    X
  * ltsp-x-xserver-vga16-3.3.6-i386  ragnar    X
  * ltsp-x-xserver-w32-3.3.6-i386    ragnar    X
        Linux Terminal Server Project packages from LTSP/Georg Baum. This
        should be pushed into Debian. There is already a Debian RFP
        submitted, <URL:http://bugs.debian.org/163000>. License is GPL.

  * j2re1.3                          skogmus   X
        Java Runtime Environment 1.3 from ?. License is unknown.

  * openoffice.org                   gautehk   X/D
    openoffice.org-debian-files      gautehk   X/D
    openoffice.org-spellcheck-nb     gautehk   X/D
    openoffice.org-spellcheck-nn     gautehk   X/D
        OpenOffice.org with extra translations, compiled for the
        Skolelinux project. License is unknown/mixed.

  * opera                            pere      X
        Opera web browser from Opera Software. Special version for
        Skolelinux with the option to replace the advertisement image and
        URL. License is unknown.

    chkconfig                        pere      X
        Debian port of Red Hat's tool to manage /etc/init.d/ and friends.
        License is GPL. Not sure if it is needed. [pere 2003-02-28]

    hwinfo                           ?         X
        HW detection package used by xdebconfigurator. License is
        unknown.

    klogic                           ?         X
        KDE program for building and simulating digital circuits. There
        is already a Debian RFP submitted,
        <URL:http://bugs.debian.org/178907>. License is GPL.
I've marked the packages I believe can pose a security risk with '*'.
These are programs receiving data directly from the net (i.e. servers),
and programs that work on document formats that allow executable
content.
I'm not sure how we should handle this, but after a few months of
trying the current approach, where the one inserting the new package
into Skolelinux also is (or should be) responsible for keeping it
secure, I am convinced we need some change. We need this fixed before
we upgrade any more packages from woody. Any comments?
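The cleartext LDAP password problem described above (bug #213) is easy to confirm from the wire, because an LDAP simple bind carries the password as a plain BER OCTET STRING unless the session went through STARTTLS or ldaps first. The following is an added example, not code from the original message or from the Skolelinux project: a small RFC 4511 BindRequest decoder run over constructed sample messages (built inline with a tiny BER encoder, not real captures). The DN, password, port numbers and the TLS-record stand-in are all assumptions made for the example.

```python
"""Flag LDAP simple binds whose password crosses the wire in the clear.

Added example, not Skolelinux code: decodes RFC 4511 BindRequests from
constructed (not captured) client messages and reports cleartext passwords.
"""
from typing import Optional

LDAP_PORT_PLAIN = 389   # cleartext unless STARTTLS was negotiated first
LDAP_PORT_TLS = 636     # ldaps: TLS from the first byte, never plain BER


def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value element at pos -> (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER length runs past buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(payload: bytes) -> Optional[dict]:
    """Decode an LDAPMessage carrying a BindRequest; None if it is something else.

    LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ... }
    BindRequest ::= [APPLICATION 0] SEQUENCE { version INTEGER, name OCTET STRING,
        authentication CHOICE { simple [0] OCTET STRING, sasl [3] SaslCredentials } }
    """
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        return None
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        return None
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:                       # APPLICATION 0 = BindRequest
        return None
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    bind = {"message_id": int.from_bytes(mid, "big"),
            "version": int.from_bytes(ver, "big"),
            "name": name.decode("utf-8", "replace")}
    if tag == 0x80:                       # simple [0]: the password itself
        bind["auth"], bind["password"] = "simple", auth
    elif tag == 0xA3:                     # sasl [3]: mechanism name comes first
        _, mech, _ = _read_tlv(auth, 0)
        bind["auth"], bind["mechanism"] = "sasl", mech.decode("ascii", "replace")
    else:
        bind["auth"] = "unknown"
    return bind


def find_cleartext_binds(messages):
    """messages: iterable of (dst_port, client_payload), one LDAP message each.

    A simple bind with a non-empty password that decodes as plain BER on a
    non-ldaps port was sent unencrypted. Anything sent after STARTTLS arrives
    as TLS records, fails to decode as LDAP, and is skipped.
    """
    findings = []
    for port, payload in messages:
        if port == LDAP_PORT_TLS:
            continue
        try:
            bind = parse_bind_request(payload)
        except ValueError:
            continue
        if bind and bind["auth"] == "simple" and bind["password"]:
            findings.append({"port": port, "name": bind["name"],
                             "password_len": len(bind["password"])})
    return findings


# --- constructed sample traffic (assumed values, built with a minimal BER encoder) ---
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_simple_bind(msg_id: int, dn: str, password: bytes) -> bytes:
    op = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))


def make_sasl_bind(msg_id: int, dn: str, mechanism: str) -> bytes:
    sasl = _tlv(0xA3, _tlv(0x04, mechanism.encode()))
    op = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + sasl
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))


TLS_RECORD = b"\x16\x03\x01\x00\x2f" + b"\x00" * 47   # stand-in for an encrypted bind

SAMPLE_MESSAGES = [
    (LDAP_PORT_PLAIN, make_simple_bind(1, "cn=admin,dc=skole,dc=no", b"secret")),  # leak
    (LDAP_PORT_PLAIN, TLS_RECORD),                              # bind after STARTTLS
    (LDAP_PORT_PLAIN, make_sasl_bind(2, "", "DIGEST-MD5")),     # no cleartext password
    (LDAP_PORT_PLAIN, make_simple_bind(3, "", b"")),            # anonymous bind
    (LDAP_PORT_TLS, TLS_RECORD),                                # ldaps
]

if __name__ == "__main__":
    for f in find_cleartext_binds(SAMPLE_MESSAGES):
        print(f"cleartext simple bind on port {f['port']} as {f['name']!r} "
              f"({f['password_len']}-byte password)")
```

Only the first sample is reported: the SASL bind never puts the password on the wire, the anonymous bind has nothing to leak, and the two TLS-record messages are opaque to the decoder, which is exactly the property the fix for bug #213 (TLS support in the upgraded openldap2, and clients configured to use it) has to deliver.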