public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] security
From: Daniel Iliev @ 2009-05-23 13:20 UTC
  To: gentoo-user



  Hi,
 
  Since I'm not familiar with Gentoo's practice in dealing with
  security problems I got curious about the following case.
  Yesterday a Secunia advisory [1] about pidgin was brought to my
  attention. The solution offered by the up-streams is upgrading to
  version 2.5.6, while the latest version in portage is "~2.5.5-r1".

  As I see it, there are three possibilities:
  1) even older, the version in Gentoo is not affected, because the
  maintainers had taken care of it (too optimistic?)
  2) Gentoo installations are still vulnerable to the bugs described in
  the advisory and nobody knows about it (quite disturbing)
  3) Gentoo maintainers are working on it, but still not ready

  Which one is it?


  [1] [SA35194] http://secunia.com/advisories/35194/


-- 
Best regards,
Daniel



* Re: [gentoo-user] security
From: Saphirus Sage @ 2009-05-23 13:23 UTC
  To: gentoo-user

Daniel Iliev wrote:
>   Hi,
>  
>   Since I'm not familiar with Gentoo's practice in dealing with
>   security problems I got curious about the following case.
>   Yesterday a Secunia advisory [1] about pidgin was brought to my
>   attention. The solution offered by the up-streams is upgrading to
>   version 2.5.6, while the latest version in portage is "~2.5.5-r1".
>
>   As I see it, there are three possibilities:
>   1) even older, the version in Gentoo is not affected, because the
>   maintainers had taken care of it (too optimistic?)
>   2) Gentoo installations are still vulnerable to the bugs described in
>   the advisory and nobody knows about it (quite disturbing)
>   3) Gentoo maintainers are working on it, but still not ready
>
>   Which one is it?
>
>
>   [1] [SA35194] http://secunia.com/advisories/35194/
>
>
>   
It's in portage, sync your tree and check again. I just installed Pidgin
2.5.6 last night.



* Re: [gentoo-user] security
From: Justin @ 2009-05-23 13:30 UTC
  To: gentoo-user

Daniel Iliev wrote:
> 
>   Hi,
>  
>   Since I'm not familiar with Gentoo's practice in dealing with
>   security problems I got curious about the following case.
>   Yesterday a Secunia advisory [1] about pidgin was brought to my
>   attention. The solution offered by the up-streams is upgrading to
>   version 2.5.6, while the latest version in portage is "~2.5.5-r1".
> 
>   As I see it, there are three possibilities:
>   1) even older, the version in Gentoo is not affected, because the
>   maintainers had taken care of it (too optimistic?)
>   2) Gentoo installations are still vulnerable to the bugs described in
>   the advisory and nobody knows about it (quite disturbing)
>   3) Gentoo maintainers are working on it, but still not ready
> 
>   Which one is it?
> 
> 
>   [1] [SA35194] http://secunia.com/advisories/35194/
> 
> 
file a bug at b.g.o.


* Re: [gentoo-user] security
From: Justin @ 2009-05-23 13:31 UTC
  To: gentoo-user

Daniel Iliev wrote:
> 
>   Hi,
>  
>   Since I'm not familiar with Gentoo's practice in dealing with
>   security problems I got curious about the following case.
>   Yesterday a Secunia advisory [1] about pidgin was brought to my
>   attention. The solution offered by the up-streams is upgrading to
>   version 2.5.6, while the latest version in portage is "~2.5.5-r1".
> 
>   As I see it, there are three possibilities:
>   1) even older, the version in Gentoo is not affected, because the
>   maintainers had taken care of it (too optimistic?)
>   2) Gentoo installations are still vulnerable to the bugs described in
>   the advisory and nobody knows about it (quite disturbing)
>   3) Gentoo maintainers are working on it, but still not ready
> 
>   Which one is it?
> 
> 
>   [1] [SA35194] http://secunia.com/advisories/35194/
> 
> 

https://bugs.gentoo.org/show_bug.cgi?id=270811


* Re: [gentoo-user] security
From: Daniel Iliev @ 2009-05-23 13:32 UTC
  To: gentoo-user

On Sat, 23 May 2009 09:23:27 -0400
Saphirus Sage <saphirus497@gmail.com> wrote:

> Daniel Iliev wrote:
> >   Hi,
> >  
> >   Since I'm not familiar with Gentoo's practice in dealing with
> >   security problems I got curious about the following case.
> >   Yesterday a Secunia advisory [1] about pidgin was brought to my
> >   attention. The solution offered by the up-streams is upgrading to
> >   version 2.5.6, while the latest version in portage is "~2.5.5-r1".
> >
> >   As I see it, there are three possibilities:
> >   1) even older, the version in Gentoo is not affected, because the
> >   maintainers had taken care of it (too optimistic?)
> >   2) Gentoo installations are still vulnerable to the bugs
> > described in the advisory and nobody knows about it (quite
> > disturbing) 3) Gentoo maintainers are working on it, but still not
> > ready
> >
> >   Which one is it?
> >
> >
> >   [1] [SA35194] http://secunia.com/advisories/35194/
> >
> >
> >   
> It's in portage, sync your tree and check again. I just installed
> Pidgin 2.5.6 last night.
> 

I guess the mirror I'm using is not up-to-date and they will get a
report about it,

Thanks!

-- 
Best regards,
Daniel



* Re: [gentoo-user] security
From: Saphirus Sage @ 2009-05-23 13:37 UTC
  To: gentoo-user

Daniel Iliev wrote:
> On Sat, 23 May 2009 09:23:27 -0400
> Saphirus Sage <saphirus497@gmail.com> wrote:
>
>   
>> Daniel Iliev wrote:
>>     
>>>   Hi,
>>>  
>>>   Since I'm not familiar with Gentoo's practice in dealing with
>>>   security problems I got curious about the following case.
>>>   Yesterday a Secunia advisory [1] about pidgin was brought to my
>>>   attention. The solution offered by the up-streams is upgrading to
>>>   version 2.5.6, while the latest version in portage is "~2.5.5-r1".
>>>
>>>   As I see it, there are three possibilities:
>>>   1) even older, the version in Gentoo is not affected, because the
>>>   maintainers had taken care of it (too optimistic?)
>>>   2) Gentoo installations are still vulnerable to the bugs
>>> described in the advisory and nobody knows about it (quite
>>> disturbing) 3) Gentoo maintainers are working on it, but still not
>>> ready
>>>
>>>   Which one is it?
>>>
>>>
>>>   [1] [SA35194] http://secunia.com/advisories/35194/
>>>
>>>
>>>   
>>>       
>> It's in portage, sync your tree and check again. I just installed
>> Pidgin 2.5.6 last night.
>>
>>     
>
> I guess the mirror I'm using is not up-to-date and they will get a
> report about it,
>
> Thanks!
>
>   
I sync from rsync://rsync21.us.gentoo.org/gentoo-portage primarily due
to the fact that it's an unlimited-sync server.



* Re: [gentoo-user] security
From: Daniel Iliev @ 2009-05-23 14:19 UTC
  To: gentoo-user

On Sat, 23 May 2009 09:37:05 -0400
Saphirus Sage <saphirus497@gmail.com> wrote:

> >>     
> >
> > I guess the mirror I'm using is not up-to-date and they will get a
> > report about it,
> >
> > Thanks!
> >
> >   
> I sync from rsync://rsync21.us.gentoo.org/gentoo-portage primarily due
> to the fact that it's an unlimited-sync server.
> 
> 

Re-syncing fixed it. I guess I've managed to hit the time just before
the mirror was updated.

-- 
Best regards,
Daniel



* Re: [gentoo-user] [solved] security
From: Daniel Iliev @ 2009-05-23 14:29 UTC
  To: gentoo-user

On Sat, 23 May 2009 15:31:27 +0200
Justin <justin@j-schmitz.net> wrote:

> Daniel Iliev wrote:
> > 
> > 
> >   [1] [SA35194] http://secunia.com/advisories/35194/
> > 
> > 
> 
> https://bugs.gentoo.org/show_bug.cgi?id=270811
> 

Thanks.

-- 
Best regards,
Daniel



* Re: [gentoo-user] security
From: Volker Armin Hemmann @ 2009-05-23 15:15 UTC
  To: gentoo-user

On Saturday 23 May 2009, Daniel Iliev wrote:
>   Hi,
>
>   Since I'm not familiar with Gentoo's practice in dealing with
>   security problems I got curious about the following case.
>   Yesterday a Secunia advisory [1] about pidgin was brought to my
>   attention. The solution offered by the up-streams is upgrading to
>   version 2.5.6, while the latest version in portage is "~2.5.5-r1".
>
>   As I see it, there are three possibilities:
>   1) even older, the version in Gentoo is not affected, because the
>   maintainers had taken care of it (too optimistic?)
>   2) Gentoo installations are still vulnerable to the bugs described in
>   the advisory and nobody knows about it (quite disturbing)
>   3) Gentoo maintainers are working on it, but still not ready
>
>   Which one is it?
>
>
>   [1] [SA35194] http://secunia.com/advisories/35194/

subscribe to gentoo-announce
read changelogs
don't forget that it takes a while until all mirrors have that change.




* [gentoo-user] Security
From: john @ 2014-03-20 22:06 UTC
  To: gentoo-user

After recently reading about Windigo I am questioning how good my
security is on my Gentoo box. I am only a desktop user with iptables
and clamav installed and occasionally running chkrootkit.

Would you recommend any other forms of security (snort, selinux,
hardened etc) that I should be using?

I may be a touch neurotic but would hate to think I have been infected!



-- 
John D Maunder


* Re: [gentoo-user] Security
From: Ján Zahornadský @ 2014-03-21  6:44 UTC
  To: gentoo-user

I'm not a professional, but I'd say that running as few services as
possible contributes to the overall security by reducing the attack
vectors (and Gentoo helps with that by not having that much by default).

I usually opt only for ssh and use certificates rather than passwords...

On Thu, 2014-03-20 at 22:06 +0000, john wrote:
> After recently reading about Windigo I am questioning how good my
> security is on my Gentoo box. I am only a desktop user with iptables
> and clamav installed and occasionally running chkrootkit.
> 
> Would you recommend any other forms of security (snort, selinux,
> hardened etc) that I should be using?
> 
> I may be a touch neurotic but would hate to think I have been infected!
> 
> 
> 




* Re: [gentoo-user] Security
From: wraeth @ 2014-03-21  9:59 UTC
  To: gentoo-user

On 21/03/14 17:44, Ján Zahornadský wrote:


Indeed, the smaller the surface area, the smaller the target (the
fewer things running, the fewer things can be exploited).

For an average desktop environment, doing what you're already doing, I
think, would be reasonably sufficient - provided it's mixed with a
little common sense (don't grant root privileges to things that don't
need them; don't use passwords like 'MyPassword'; that sort of thing).
Having a personal firewall is already probably more than many (albeit
non-linux) users do (at least of their own accord).

If you wanted to go a little further, you could have a look at
`qcheck` (app-portage/portage-utils) or even app-admin/tripwire; maybe
set up a few cron jobs that mail root with warnings or something.
Otherwise, making sure you don't enable unnecessary services and
keeping on top of your firewall, log checks and chkrootkit'ing should
be sufficient.

If you *do* want to go the whole hog, while I'm no expert on it, using
a desktop environment under the hardened profile can provide some
challenges, but is indeed doable. Personally I'm currently running
thunderbird-bin in a kde environment on a custom hardened/kde profile
that I kludged together (this is Gentoo, after all)!

Ultimately, it's up to you what you feel is appropriate for what your
expected usage and risk level is.

For reference:
https://wiki.gentoo.org/wiki/Project:Hardened

Cheers;
-- 
wraeth
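
The installed-file check suggested in the message above (`qcheck`) compares files on disk with what the package manager recorded at install time. The following is an added example, not part of the original thread and not portage-utils code: a Python version of that comparison, assuming Portage's `CONTENTS` line format `obj <path> <md5> <mtime>`. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile


def parse_contents(text):
    """Yield (path, md5, mtime) for each 'obj' line of a Portage CONTENTS file."""
    for line in text.splitlines():
        if not line.startswith("obj "):
            continue  # 'dir' and 'sym' entries carry no checksum
        # The path may contain spaces; md5 and mtime are always the last two fields.
        path, md5, mtime = line[4:].rsplit(" ", 2)
        yield path, md5, int(mtime)


def md5_of(path):
    with open(path, "rb") as f:  # MD5 because that is what CONTENTS records
        return hashlib.md5(f.read()).hexdigest()


def verify(contents_text, root="/"):
    """Return a sorted list of (path, problem) for files that differ from the record."""
    problems = []
    for path, md5, mtime in parse_contents(contents_text):
        real = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(real):
            problems.append((path, "missing"))
        elif md5_of(real) != md5:
            problems.append((path, "md5 mismatch"))
        elif int(os.stat(real).st_mtime) != mtime:
            problems.append((path, "mtime mismatch"))
    return sorted(problems)


def demo():
    """Build a constructed package image, verify it, change it, verify again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        lines = ["dir /usr/bin"]
        for name, data in (("tool", b"v1\n"), ("my tool", b"v1\n"), ("gone", b"x")):
            p = os.path.join(root, "usr/bin", name)
            with open(p, "wb") as f:
                f.write(data)
            os.utime(p, (1400000000, 1400000000))
            lines.append("obj /usr/bin/%s %s 1400000000" % (name, md5_of(p)))
        contents = "\n".join(lines) + "\n"
        clean = verify(contents, root)
        with open(os.path.join(root, "usr/bin/tool"), "wb") as f:
            f.write(b"changed\n")  # content modified after install
        os.utime(os.path.join(root, "usr/bin/my tool"), (1400000001, 1400000001))
        os.remove(os.path.join(root, "usr/bin/gone"))
        return clean, verify(contents, root)
```

On a real system the records live under `/var/db/pkg/<category>/<package>/CONTENTS`. Because that database sits on the same disk as the files it describes, a mismatch is a prompt to investigate, while a clean result does not rule out changes by someone who could also rewrite the database.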


* Re: [gentoo-user] Security
From: Philip Webb @ 2014-03-21 10:08 UTC
  To: gentoo-user

140320 john wrote:
> After recently reading about Windigo,
> I am questioning how good my security is on my Gentoo box.
> I am only a desktop user with iptables and clamav installed
> and occasionally running chkrootkit.
> Would you recommend any other forms of security
> -- snort, selinux, hardened etc -- that I should be using?
> I may be a touch neurotic but would hate to think I have been infected!

Others mb able to offer more professional advice,
but as a desktop user of Gentoo for  > 10 yr , I'ld say don't worry.
I read the Windigo PDF (via LWN)
& saw no explanation of any weakness in the Linux software :
it's very long on all the bad things which can happen,
esp to M$ Windows systems, if a server or network gets infected,
but it looked as if the only way that could happen on a Linux box
wb if someone finds out its root password, ie sysadmin carelessness.

HTH

-- 
========================,,============================================
SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatchassdotutorontodotca


