Search Results: "Debian Security Team"

27 March 2008

Jan Wagner: security: policyd-weight 0.1.14-beta-6etch1/0.1.14.15-1

This Tuesday Robert Felber released a new upstream version. It is a (local) security bugfix (and some minor fixes) which was reported on Sunday by Chris Howells to the Debian Security Team (as well as to other vendors). Today DSA-1531 was released. Right from the DSA:
“… created its socket in an insecure way, which may be exploited to overwrite or remove arbitrary files from the local system.” So please update your systems if you use this package asap. While we are at policyd-weight… there is one bug open (#471645) where I’m unsure if I want to fix it, because only stable is affected and the problem can be solved by providing an adjusted array of RBLs in the config file. Should I ask for inclusion directly into stable? But it’s a really minor issue. Or try to get 0.1.14.15 uploaded to volatile? I’m really unsure and suggestions are welcome.

10 February 2008

William Pitcock: A busy night turns into another busy day

Serious business involving the vmsplice() exploit: The kernel is fixed, hopefully Debian security team will have a fix for production use soon. In the meantime, waldi has provided unofficial fixed images. Thanks! They are confirmed to be working. These images are for etch. Lenny and sid are still vulnerable, but I suspect this will be fixed soon. If you are using these images in virtual machines, be aware that you will need to install the modules into each one or they may have problems later. GNOME is broken on Debian/kFreeBSD: All of this exploit nonsense made me consider installing Debian/kFreeBSD on one of my machines to see if it was worth using as a desktop system. Sadly, it doesn’t work for me right now. I guess I’ll try back in a couple of months. Also, it’d be nice if a new install CD was released with the proper /etc/apt/sources.list (ftp.gnuab.org -> ftp-debian-ports.org).

14 May 2007

Christian Perrier: Samba week-end

Today is the end of a pretty long week-end of dealing with samba. About 10 days ago, we (the samba packaging team in Debian) were privately notified of security issues found by the Samba Team developers in this quite popular package. This was very close to one of their bi-annual releases, namely 3.0.25. No less than three security issues were unveiled. Two of them (CVE-2007-2446 and CVE-2007-2447) affect all currently supported Debian releases, namely sarge, etch and sid. One (CVE-2007-2444) affects both etch and unstable. This was the beginning of long days of rehearsal, helped out by Noah Meyerhans from the security team. Finally, updated versions for sarge and etch were uploaded to oldstable-security and stable-security for the autobuilders to catch up (they still are catching up because I uploaded the updates without the .orig.tar.gz file, which unveiled a bug in the security autobuilders apparently). These updates for sarge and etch should be available as soon as the security team completes the final checks and approval, I guess. And, today, the Samba Team gave us early access to the newly released 3.0.25 version of samba so that we could build and upload that package 2 hours before it was officially announced :-) Thanks a lot again to the Samba Team for their care and more particularly to Gerald "Jerry" Carter (someone I have deep respect for, along with Jeremy Allison and Andrew Tridgell). Thanks to Steve Langasek for his hard work preparing the 3.0.25 release (tracking down an upstream bug in the Python bindings build). And, finally, thanks to the Debian security team and more particularly to Noah Meyerhans for his work on backporting some of the patches. This was a tiring but really motivating week-end. I hope that all Debianers who use Samba will enjoy the result.

13 December 2006

Lars Wirzenius: Enemies of Carlotta: EoC security problem fixed

My face is covered in egg. Antti-Juhani Kaijanaho found a security problem in EoC, both the 1.0.3 and the 1.2.3 versions. The problem is that EoC did not quote shell arguments properly. I have fixed the problem in 1.2.4, which contains no other changes relative to 1.2.3. This problem has the code CVE-2006-5875. You can find the 1.2.4 version at the EoC website: http://liw.iki.fi/liw/eoc/ and I have also uploaded it to Debian's unstable. Debian's stable contains 1.0.3, and I have prepared a patch for that. It is actually essentially the same patch as was used to create 1.2.4. The Debian security team has uploaded a fixed version of the 1.0.3 package to security.debian.org. I've attached it to this message in case anyone not running Debian wants to stay with 1.0.3, but I won't be releasing a 1.0.4 unless someone really needs it (if you do, please tell me immediately). For risk assessment: I was unable to come up with an exploit. Doing so would require getting a certain kind of construct through the SMTP level to EoC, and I wasn't able to make that happen, but I would not rely on it being impossible. Therefore, please upgrade immediately. I apologize for this problem. It was amateurish to let the problematic code into a released version of the program; I knew better than to do that.

3 October 2006

Otavio Salvador: My point of view about Dunk Tank

I personally continue to work on Debian how I can, but the Dunk Tank thing made me think about the priorities that some people are putting in a few (better, one) positions only of the project. I disagree completely with how this is working, and I see not too few people reducing their work on Debian. Some cases are clearly not caused by this annoyance, but others are. Why are our FTP Masters and NEW queue processing people not included in that list of people that are receiving money to work? Debian Security team? Debian Installer team? Those teams have the same importance as the RM team. Can we release without a proper security team or lacking a Debian Installer? Or even, can we release without a good libc or a stable and well maintained GCC compiler? That “Dunk Tank” or, in my understanding, “How we work around a project consensus” thing, is wrong. Obs.: you don’t need to agree with me; that is my point of view.

3 September 2006

Marc 'Zugschlus' Haber: Why translate Debian stuff to German?

Disclaimer: I am not comfortable with technical documents in my native language, German. I generally find German translations of technical stuff clumsy, overly complicated and badly worded. I might have a “special” feeling for the language, but some output of translators is just too bad to tolerate. For example, I constantly keep stumbling over the German translation of the Debian security team FAQ, which I consider horrendously badly done. Especially the use of the German word “Gutachten”, which basically means “opinion” in the legal sense (as the document produced by an expert called by a court of law) to translate “advisory” is a very very bad choice. My toes curl when I read the German version. In April 2005, I suggested to the German translation team to review the translation of the security team FAQ. I might not have chosen the right wording for that request, but besides a lot of flamage and “the translation is just fine”, I received the usual “send a patch”. Which I did in April 2005. No answer. In October 2005, I asked again, and received an answer from the translator that my patch was just too intrusive. Well, a bad translation was rewritten, and the bad translation is still being used. Consequences for me? I’m not going to bother any more about German translations. English is just fine, and when somebody needs a German translation, I’m going to translate the stuff myself. Pointing people to the official German translations is just too embarrassing. A pity.

3 July 2006

Steve Kemp: At the end of the day

Before:
skx@desktop:~$ ssh security-master.debian.org groups
Password:
Debian webwml sec_data
skx@desktop:~$
After:
skx@desktop:~$ ssh security-master.debian.org -l skx groups
Password:
Debian security webwml sec_data
… or in other words I’m no longer a secretary of the Debian Security Team, instead I’m a full member!