
1. Apparently there are *LOTS* of vulnerabilities which are unpatched vulnerabilities in debian stable but presumably people just live with it or am I missing some part of the picture? - See below

2. Is there a version of java plugin that I can run under iceweasel/firefox that I can install in debian stable? My firefox warns me that Java Plug-in 1.6.0_26 (disabled) is known to cause security or stability issues...

If there is a better mailing list for these debian specific questions - please let me know but there may be others who might be interested in these answers as well.

Item 1: install the debsecan package and scan your box ....

On an up to date debian squeeze system I have:

    debsecan | grep iceweasel
    CVE-2011-1187 iceweasel (remotely exploitable, low urgency)
    CVE-2011-1202 iceweasel (remotely exploitable, medium urgency)
    CVE-2011-3658 iceweasel (remotely exploitable, high urgency)
    CVE-2012-0475 iceweasel (remotely exploitable, low urgency)
    CVE-2012-1939 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1941 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1945 iceweasel (remotely exploitable, low urgency)
    CVE-2012-1946 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1951 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1952 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1953 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1955 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-1957 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-1958 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1959 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-1961 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-1962 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1964 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-1965 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-3105 iceweasel (remotely exploitable, high urgency)

iceweasel is up to date:

    apt-show-versions -a iceweasel
    iceweasel 3.5.16-18 install ok installed
    iceweasel 3.5.16-17 squeeze ftp.au.debian.org
    iceweasel 3.5.16-18 squeeze security.debian.org
    iceweasel/squeeze uptodate 3.5.16-18

Looking at the first CVE via debian security tracker shows squeeze is still vulnerable... - See http://security-tracker.debian.org/tracker/CVE-2011-3658

Item 2: Under plugins on my iceweasel it has Java plugin disabled for security / stability issues.

I believe I have the latest jre/plugins installed:

    apt-show-versions -a sun-java6-jre
    sun-java6-jre 6.26-0squeeze1 install ok installed
    sun-java6-jre 6.26-0squeeze1 squeeze ftp.au.debian.org
    sun-java6-jre 6.26-0squeeze1 unknown ftp.tw.debian.org
    sun-java6-jre 6.26-0squeeze1 unknown http.debian.net
    sun-java6-jre/squeeze uptodate 6.26-0squeeze1

Do the debian people just expect me to not run java in the browser (too dangerous?) Am I supposed to switch to java7 (no package for debian squeeze) and manually install it? If so is there any guidance on manual installation?

I notice in wheezy we have java-package (see http://wiki.debian.org/JavaPackage) which lets you install the Oracle binary distributions by putting it into a .deb for you (e.g. http://forums.debian.net/viewtopic.php?f=6&t=84672)

Searching around on the debian web site didn't find any obvious guidance on these issues and numerous old looking Wiki pages.

Thanks in advance for any help.

Andrew

Hi, On 9/10/2012 10:51 AM, Andrew Worsley wrote:
1. Apparently there are *LOTS* of vulnerabilities which are unpatched vulnerabilities in debian stable but presumably people just live with it or am I missing some part of the picture? - See below
In the past I have found that a vulnerability has been patched when it didn't seem apparent. However, your use of debsecan makes me wonder... so I'm installing it and running against all the systems I look after.
2. Is there a version of java plugin that I can run under iceweasel/firefox that I can install in debian stable? My firefox warns me that Java Plug-in 1.6.0_26 (disabled) is known to cause security or stability issues...
That one is probably better for debian-user list, see below.
If there is a better mailing list for these debian specific questions - please let me know but there may be others who might be interested in these answers as well.
http://www.debian.org/MailingLists/
Item 1: install the debsecan package and scan your box ....
On an up to date debian squeeze system I have:
    debsecan | grep iceweasel
    CVE-2011-1187 iceweasel (remotely exploitable, low urgency)
    CVE-2011-1202 iceweasel (remotely exploitable, medium urgency)
    CVE-2011-3658 iceweasel (remotely exploitable, high urgency)
    CVE-2012-0475 iceweasel (remotely exploitable, low urgency)
    CVE-2012-1939 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1941 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1945 iceweasel (remotely exploitable, low urgency)
    CVE-2012-1946 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1951 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1952 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1953 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1955 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-1957 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-1958 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1959 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-1961 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-1962 iceweasel (remotely exploitable, high urgency)
    CVE-2012-1964 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-1965 iceweasel (remotely exploitable, medium urgency)
    CVE-2012-3105 iceweasel (remotely exploitable, high urgency)
iceweasel is up to date
    apt-show-versions -a iceweasel
    iceweasel 3.5.16-18 install ok installed
    iceweasel 3.5.16-17 squeeze ftp.au.debian.org
    iceweasel 3.5.16-18 squeeze security.debian.org
    iceweasel/squeeze uptodate 3.5.16-18
Looking at the first CVE via debian security tracker shows squeeze is still vulnerable... - See http://security-tracker.debian.org/tracker/CVE-2011-3658
Item 2: Under plugins on my iceweasel it has Java plugin disabled for security / stability issues.
I believe I have the latest jre/plugins installed:

    apt-show-versions -a sun-java6-jre
    sun-java6-jre 6.26-0squeeze1 install ok installed
    sun-java6-jre 6.26-0squeeze1 squeeze ftp.au.debian.org
    sun-java6-jre 6.26-0squeeze1 unknown ftp.tw.debian.org
    sun-java6-jre 6.26-0squeeze1 unknown http.debian.net
    sun-java6-jre/squeeze uptodate 6.26-0squeeze1
Do the debian people just expect me to not run java in the browser (too dangerous?) Am I supposed to switch to java7 (no package for debian squeeze) and manually install it? If so is there any guidance on manual installation?
I notice in wheezy we have java-package (see http://wiki.debian.org/JavaPackage) which lets you install the Oracle binary distributions by putting it into a .deb for you (e.g. http://forums.debian.net/viewtopic.php?f=6&t=84672)
Searching around on the debian web site didn't find any obvious guidance on these issues and numerous old looking Wiki pages.
Thanks in advance for any help.
Andrew
_______________________________________________
luv-main mailing list
luv-main@luv.asn.au
http://lists.luv.asn.au/listinfo/luv-main

--
Kind Regards
AndrewM
Andrew McGlashan
Broadband Solutions now including VoIP
Current Land Line No: 03 9012 2102
Mobile: 04 2574 1827
Fax: 03 9012 2178
National No: 1300 85 3804
Affinity Vision Australia Pty Ltd
http://affinityvision.com.au
http://securemywireless.com.au
http://adsl2choice.net.au
In Case of Emergency -- http://affinityvision.com.au/ice.html

On 09/10/12 10:51, Andrew Worsley wrote:
1. Apparently there are *LOTS* of vulnerabilities which are unpatched vulnerabilities in debian stable but presumably people just live with it or am I missing some part of the picture? - See below
How reliable is debsecan? I just ran it on one of my systems, and among many of the problems it found, was this one, which I picked at random:

    CVE-2011-1148 php5-mysql (remotely exploitable, high urgency)

The description of this vulnerability is:

"Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments."

(from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1148)

But the php5-mysql package I have installed is 5.4.4-4, which is definitely later than 5.3.6:

    Package: php5-mysql
    Version: 5.4.4-4

What exactly is debsecan using to determine these vulnerabilities? I realise that the man page for it says that it bases vulnerabilities upon source packages, and that this results in errors being shown for all associated binaries, but I don't have an old version of any php package on my system that could be triggering it...

Paul.

--
Paul Dwerryhouse <paul@dwerryhouse.com.au>

On 9 October 2012 11:45, Paul Dwerryhouse <paul@dwerryhouse.com.au> wrote:
On 09/10/12 10:51, Andrew Worsley wrote:
1. Apparently there are *LOTS* of vulnerabilities which are unpatched vulnerabilities in debian stable but presumably people just live with it or am I missing some part of the picture? - See below
How reliable is debsecan? I just ran it on one of my systems, and among many of the problems it found, was this one, which I picked at random:
CVE-2011-1148 php5-mysql (remotely exploitable, high urgency)
The description of this vulnerability is:
"Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments."
(from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1148)
But the php5-mysql package I have installed is 5.4.4-4, which is definitely later than 5.3.6:
    Package: php5-mysql
    Version: 5.4.4-4
Debian security tracker reports this is fixed in squeeze (5.3.3-7) but *NOT* in wheezy (5.4.4-7) - see http://security-tracker.debian.org/tracker/CVE-2011-1148

You can enter CVEs into the box at the bottom to search by CVEs (and apparently packages - but I think the name has to be just right).

Andrew

On 09/10/12 12:01, Andrew Worsley wrote:
Debian security tracker reports this is fixed in squeeze (5.3.3-7) but *NOT* in wheezy (5.4.4-7) - see
My next question is where that page is getting its information from, too, because it doesn't look correct to me.

I can't find any information anywhere that says CVE-2011-1148 applies to php 5.4. It was fixed in 5.3.7 in August 2011, and version 5.4.4 (the version in wheezy) came out in June 2012.

Unless Debian has backported a patch that reintroduced the vulnerability, I am sceptical about it being vulnerable.

Cheers,

Paul

--
Paul Dwerryhouse | PGP Key ID: 0x6B91B584
http://weblog.leapster.org/

On 9 October 2012 12:49, Paul Dwerryhouse <paul@dwerryhouse.com.au> wrote:
On 09/10/12 12:01, Andrew Worsley wrote:
Debian security tracker reports this is fixed in squeeze (5.3.3-7) but *NOT* in wheezy (5.4.4-7) - see
My next question is where that page is getting its information from, too, because it doesn't look correct to me.
I can't find any information anywhere that says CVE-2011-1148 applies to php 5.4. It was fixed in 5.3.7 in August 2011, and version 5.4.4 (the version in wheezy) came out in June 2012.
Unless Debian has backported a patch that reintroduced the vulnerability, I am sceptical about it being vulnerable.
I guess you could always test via this test data: https://bugs.php.net/bug.php?id=54238

Test script:
---------------
    <?php
    // Reproducer from the bug report: the same array is passed as the
    // string, replacement and start arguments of substr_replace()
    $f = array(array('A', 'A'));
    $z = substr_replace($f, $f, $f, 1);
    var_dump($z, $f);

Actual result:
--------------
    array(1) {
      [0]=>
      string(5) "0Dd y"
    }
    array(1) {
      [0]=>
      string(1) "0"
    }

On 09/10/12 13:47, Andrew Worsley wrote:
I guess you could always test via this test data:
Yeah, it's getting the same result on both Debian squeeze and wheezy, and it's not the response given on that page; I really don't think there's a vulnerability there for wheezy.

Paul Dwerryhouse <paul@dwerryhouse.com.au> wrote:
What exactly is debsecan using to determine these vulnerabilities?
I realise that the man page for it says that it bases vulnerabilities upon source packages, and that this results in errors being shown for all associated binaries, but I don't have an old version of any php package on my system that could be triggering it...
In addition, Debian back-port security-related patches, so it would have to look at more than the version number of the source package. The question is how reliable its data sources are.
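Paul asks what debsecan bases its verdicts on, and Jason's point is that Debian backports fixes, so a bare upstream version number is not enough. The following is an added example, not code from the thread, from debsecan or from the security tracker: it orders versions the way dpkg does and evaluates an installed version against a tracker-style "fixed in" entry. The TRACKER entry is constructed from what the thread reports for CVE-2011-1148 (squeeze fixed in 5.3.3-7, no fixed version listed for wheezy), and the naive check shows how an upstream-only comparison would misjudge squeeze's backported 5.3.3-7.

```python
"""Added example: dpkg-style version ordering plus a tracker-style check, to show
why a scanner must compare against the suite's fixed Debian version, not upstream's."""
import itertools
import re

# Constructed from what the thread reports for CVE-2011-1148: squeeze fixed in
# 5.3.3-7, wheezy with no fixed version listed (None). Not live tracker data.
TRACKER = {"CVE-2011-1148": {"squeeze": "5.3.3-7", "wheezy": None}}

def _order(c):
    # dpkg character order: '~' < end-of-string < letters < everything else
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare an upstream or revision string like dpkg's verrevcmp()."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for x, y in itertools.zip_longest(na, nb, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    """Return -1, 0 or 1 following 'dpkg --compare-versions' ordering."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def vulnerable(installed, suite, entry):
    """True when the tracker lists no fix for the suite, or installed < fixed."""
    fixed = entry.get(suite)
    return fixed is None or compare_versions(installed, fixed) < 0

def naive_upstream_check(installed, upstream_fix):
    """What a version-only scanner would do: ignore the Debian revision entirely."""
    return _cmp_part(_split(installed)[1], upstream_fix) < 0
```

With the wheezy entry carrying no fixed version, any installed version is reported vulnerable, which is the kind of verdict debsecan relays regardless of how new the package looks.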
participants (4)
- Andrew McGlashan
- Andrew Worsley
- Jason White
- Paul Dwerryhouse