- Date: Mon, 13 Mar 2006 08:50:42 -0800 (PST)
- From: Goh Lu Feng <elfgoh@example.com>
- Subject: [tlug] Fwd: Re: [linuxNUS] Possible HUGE Security Flaw in UbuntuBreezy (and maybe other versions)
I apologise if this is old news... but I guess no harm hearing it again if you've already done so. Cheers.

--- Goh Lu Feng <elfgoh@example.com> wrote:

> Date: Mon, 13 Mar 2006 08:27:47 -0800 (PST)
> From: Goh Lu Feng <elfgoh@example.com>
> Subject: Re: [linuxNUS] Possible HUGE Security Flaw in Ubuntu Breezy (and maybe other versions)
> To: linuxNUS@example.com
>
> Hi,
>
> In case you haven't caught wind of the patch yet. Just reload the repos and download 2 packages. And change your password.
>
> ===========================================================
> Ubuntu Security Notice USN-262-1              March 12, 2006
> Ubuntu 5.10 installer vulnerability
> CVE-2006-1183
> ===========================================================
>
> A security issue affects the following Ubuntu releases:
>
> Ubuntu 5.10 (Breezy Badger)
>
> The following packages are affected:
>
> base-config
> passwd
>
> The problem can be corrected by upgrading the affected package to version 2.67ubuntu20 (base-config) and 1:4.0.3-37ubuntu8 (passwd). In general, a standard system upgrade is sufficient to effect the necessary changes.
>
> Details follow:
>
> Karl Øie discovered that the Ubuntu 5.10 installer failed to clean passwords in the installer log files. Since these files were world-readable, any local user could see the password of the first user account, which has full sudo privileges by default.
>
> The updated packages remove the passwords and additionally make the log files readable only by root.
>
> This does not affect the Ubuntu 4.10, 5.04, or the upcoming 6.04 installer. However, if you upgraded from Ubuntu 5.10 to the current development version of Ubuntu 6.04 ('Dapper Drake'), please ensure that you upgrade the passwd package to version 1:4.0.13-7ubuntu2 to fix the installer log files.
>
> --- Junhao <junhao82@example.com> wrote:
>
> > Junhao wrote:
> > > Yoz! This is just on Digg. Can anyone please verify this?
> > >
> > > http://www.ubuntuforums.org/showthread.php?t=143334
> > >
> > > Passwords and other information are stored in CLEAR TEXT in the file /var/log/installer/cdebconf/questions.dat. This file stores the answers to the questions asked during installation. The password is supposed to be removed or not stored, but apparently it is not done.
> > >
> > > Other possible files are
> > > /var/log/installer/cdebconf/questions.dat
> > > /var/log/debian-installer/cdebconf/questions.dat
> >
> > I shouldn't have posted the workaround in my befuddled state of mind. Forgot that the file can still be found by reading the raw data on the harddisk.
> >
> > Workaround
> > Step 1: Install wipe from universe
> > sudo aptitude install wipe
> > Step 2: Wipe and remove the files from your harddisk.
> > wipe /var/log/installer/cdebconf/questions.dat
> > wipe rm /var/log/debian-installer/cdebconf/questions.dat
> > Step 3: Change your password
> > passwd
> >
> > Bugfix:
> > An update has been posted, so please update your systems. Additionally, change your password(s).
> > http://www.ubuntuforums.org/showthread.php?t=143334&page=7
> >
> > More info:
> > 1) This bug is not a linux bug, but a bug unique to Ubuntu.
> > 2) http://www.ubuntuforums.org/showthread.php?t=143334&page=7
> > This bug is found in Ubuntu Breezy only. Has been fixed in Dapper.
> > 3) If you are the only user of the system, and did not install stuff like ssh server, telnet server, etc. to allow remote login into your machine, your risk is not as great. Still, please update your system as having your password in clear text is not a trivial matter. Think backdoors, trojans...
> > 4) Please do remember to change your password.
> >
> > --
> > Junhao
> > junhao82@example.com
> > website: http://junhao82.tripod.com/
> >
> > Life's not fair, shit happens. -- Murphy's Law
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
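An audit script for the two conditions USN-262-1 describes (the installer answer file is world-readable, and it still carries a passwd/* answer), added here as an example; it is not part of the thread and not Ubuntu's or the posters' code. It assumes a simplified "Name: ... / Value: ..." record layout for questions.dat, which is a constructed approximation, and it creates its own sample file under a temporary directory so it never touches the real path unless you pass one in.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an installer answer
# file for the two problems USN-262-1 describes.
# ASSUMPTION: questions.dat is modelled as "Name: <q>" / "Value: <v>"
# records separated by blank lines; the real cdebconf layout may differ.

# Path named in the advisory; an argument overrides it (used for testing).
INSTALLER_LOG="${1:-/var/log/installer/cdebconf/questions.dat}"

# Return 0 if the file grants read access to "other" (world-readable).
# The 8th character of the ls -l mode string is the other-read bit.
is_world_readable() {
    f="$1"
    [ -e "$f" ] || return 1
    [ "$(ls -ld "$f" | cut -c8)" = "r" ]
}

# Return 0 if any passwd/* question still has a non-empty Value.
has_stored_password() {
    f="$1"
    [ -e "$f" ] || return 1
    awk '
        /^Name: /  { name = $2 }
        /^Value: / { if (name ~ /^passwd\// && $2 != "") found = 1 }
        END        { exit found ? 0 : 1 }
    ' "$f"
}

# Report both findings. Returns 0 when the file is absent or clean
# (no stored password and not world-readable), 1 otherwise.
audit_installer_log() {
    f="$1"
    status=0
    if [ ! -e "$f" ]; then
        echo "OK: $f not present"
        return 0
    fi
    if is_world_readable "$f"; then
        echo "WARN: $f is world-readable (the fixed packages make it root-only)"
        status=1
    fi
    if has_stored_password "$f"; then
        echo "WARN: $f still stores a passwd/* answer; apply the update and change the password"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $f has no stored password and is not world-readable"
    return "$status"
}

# Constructed sample of a vulnerable answer file (demonstration data only).
make_sample() {
    out="$1"
    printf 'Name: passwd/username\nValue: alice\n\nName: passwd/user-password\nValue: hunter2\n\n' > "$out"
    chmod 644 "$out"
}

# Stand-alone demo: audit a constructed sample rather than the live system.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/questions.dat"
audit_installer_log "$demo_dir/questions.dat" || true
rm -rf "$demo_dir"
```

To check a real Breezy install, run it with the path as the first argument (for example the /var/log/debian-installer variant the thread also mentions); a non-zero exit means the update and a password change are still outstanding.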