Koozali.org: home of the SME Server

Poll

Does anyone else here have concerns about lack of security focus in SME?

Concerned
17 (89.5%)
No - we feel entirely safe installing the stock distro
2 (10.5%)
What's the Internet?
0 (0%)

Total Members Voted: 12

Voting closed: May 26, 2004, 09:05:49 PM

Direction, Security, Mailmods and the future

dickmorrell
Direction, Security, Mailmods and the future
« on: May 19, 2004, 09:05:49 PM »
I am posting this because of concern that as an SME user and an SME fan of many years standing (and also because I have a clue and I've run my own larger Linux distro/project so I know the pains of projects).

Is anyone else getting fed up with loading a "current" 6.0.1.x iso image that's 1) out of date dramatically in that so many packages just are insecure, long since deprecated by their maintainers 2) that the whole point of SME is to have a distro that's easy for users to get to grips with out of the box (SME APPEARS simple but how many newbies don't realise just how little it's come since Mitel gave it to the community).

On average for a user to get a box up and secure and updated, with his chosen base contribs you're looking at four hours. Four hours because he/she will have to source

Apache
glibc
pine
Updated Perl / PHP
Iptables
iproute
OpenSSL
OpenSSH

+ then again all the RPMs and dependencies unless you follow the brilliance of Messrs May, Knudsen et al and can source RPMs or scripts which represent so much hard work on their part.

In a nutshell, is there likely to be an updated iso at a cut off date, say, of June which includes all the relevant to date RPMs plus base contribs and a little more emphasis on security and usability?

Stuff like POP over SMTP and the SMTP frontend should be in the base, as should be Jesper Knudsen's modified Pagefault scripts for SpamAssassin and ClamAV etc etc. With SPF on so many of our horizons in the fight against spam, no one seems to worry that SME has no SASL support compiled, so that all SME users serving mail do risk being blacklisted within 12 months for not having such records by the likes of me.

What do I know I only deliver 40m emails a day.

I know Jeff Coleman doesn't want to do this as it then competes with the product he sells and supports and that "it would give away too much".

If this is the case, where is SME going? I see virtually no progress from the team we've supported and would continue to support (financially and morally).

Where is the direction guys?? I know the pains, I've run a project a lot larger than this before going back to a proper job, but there needs to be focus on security, on a roadmap, and on asking for willing volunteers who don't need to understand the secret handshake and rolled up trouser leg.

/me dons the flame retardant pants and steps back to light the oven.

Anonymous

It's time to change
« Reply #1 on: May 20, 2004, 03:51:31 AM »
I think that it's time to change from Red Hat 7.3 as distro base to another one like WhiteBox, Tao, CentOS, based on RHEL, that have professional support on errata for five years.

It is the easiest and necessary first step, in order to maintain the security on thousands of servers around the internet, and the most important: don't lose the administrator's confidence in SME security.

raem
Direction, Security, Mailmods and the future
« Reply #2 on: May 20, 2004, 09:27:04 AM »
Dear Dick

As far as I understand there is an email address for sending information re suspected or provable security issues with SME Server, security@lists.contribs.org

There is also the Bugs forum and Bugs mail list and the Bug Tracker Mantis, which could be used to report bugs and/or security issues.

As has been the case with Mitel, users are asked to send security related information to the security email address, particularly where an apparent security breach has occurred, so that follow up can be carried out without further unnecessary exposure of the problem.

I do not personally have the skills to build rpms etc, so cannot contribute greatly to the task of following up and fixing security problems.
My understanding is that this is a self help community, so if you have specific issues then report them (as above) and/or roll some new rpms to fix the problems and post them to your contribs site, or send them to the contribs.org admins for inclusion in the updates folder.

I believe you can request to be put on the security mail list if you wish to be more closely involved.

I have read many posts by yourself and others re this matter, and I would agree that there could probably be more openness or clarity regarding security issues; a lot of people just seem to be unsure of what is going on.

It does seem that you have significant knowledge about these matters, and that the security issues you raise indeed are valid.
I have read many times before that not all published security problems actually apply to the SME server, as some specific functionality or particular rpm version being used results in the problem not being applicable to the SME server.

My lack of "in depth knowledge" of the above does not allow me to ascertain whether your viewpoint is more correct than that of the maintainers of the SME server iso at contribs.org. There has only been one official update rpm released for SME 6.0.1, so I have to accept that for now that is all the security updates that are required to keep my SME server secure.

Again I would say, if you have specific knowledge of security issues, please either pass it on or do something about it by creating update rpms; everyone will be very thankful to you for doing so.

All the best

briank
Direction, Security, Mailmods and the future
« Reply #3 on: May 21, 2004, 01:38:43 AM »
Well this is a bit scary. I fondly imagined that the basic server was kept up to date with security by "those gurus that know about these things" quietly behind the scenes, and that there would be a posting on the forums if something required attention. Obviously we add contribs at our own risk and that is just the way it should be. We can of course argue about what packages should be included.
If security is not being addressed adequately, let's get it sorted out promptly. Like Ray, I have assumed that not all RH security issues apply to the SME server.
Regards
brian Kirk

dickmorrell
Missing the point
« Reply #4 on: May 21, 2004, 09:04:12 AM »
Ray, thanks for the comment, you hit the tree but missed the apple. The point I am making is this. SME is this wonderful community of happy helpful people. However you see nothing (less than nothing) in the way of posts from "Team Members" over things like "Advisory update Apache", or "updated Pine available from".

There is no direction, no focus and no clear understanding, period. Not trying to start a flame war, just stating a basic fact. No doubt others will shout me down, but they can't back it up with, say, 20 or 30 examples of the above, or clear examples of assistance for newbies to update boxes that are running the latest iso....

The whole ethos behind SME has been for new users (not the likes of maybe you and I, who would automatically source rpms and source to update our own networks) to have a system they install and go. The issue is the current iso has so many missing bits and flaws and could contain many of the contribs (while I appreciate this results in package maintenance probs, but that's why we have bugzilla, cvs and other tools).

SME just needs to say: this is where we're going. And Jeff needs to point out why he sells a fully patched version including all the contribs and bits and pieces (which he is fully entitled to under the GPL ver 2 and no-one's saying otherwise), but why he then as project lead allows all his users to happily go about unaware there are patches required.

I know Jeff doesn't want to increase the usability of SME too much or it would be "too good", hence why contribs and patches haven't made it into the core ISO, but I don't see it as his decision as this isn't 1930's Russia; it's a community.

So I ask the question again: updates for newbies, is SME going anywhere fast? Doesn't look like it.

Anonymous

A little example
« Reply #5 on: May 21, 2004, 11:19:19 PM »
There are a lot of packages with known bugs that have been fixed in Red Hat but not in e-smith.

A little example:

CVS
e-smith: 1.11.1p1-7es02
Red Hat: 1.11.1p1-9.7
Vulnerability: CAN 2003-0977

KERNEL

e-smith: 2.4.20-18.7
Red Hat: 2.4.20-30.7
Vulnerability: CAN-2003-0984 Local user can be root
CAN-2004-0010 Idem, local user can escalate to root

OPENSSL

e-smith: 0.9.6b-35.7
Red Hat: 0.9.6b-36.7
Vulnerability: CAN-2004-0081 - Denial of Service

MC

e-smith: 4.5.55-5
Red Hat: 4.5.55-6
Vulnerability: CAN-2003-1023 - Execution of remote code

APACHE

e-smith: 1.3.27-2
Red Hat: 1.3.27-4
Vulnerability: CAN-2003-0542 - Exploitable buffer overflow

RSYNC

e-smith: 2.5.4
Red Hat: 2.5.7-0.7
Vulnerability: CAN-2003-0962 - Heap overflow

MYSQL

e-smith: 3.23.56
Red Hat: 3.23.58-1.73
Vulnerability: CAN-2003-10-09 - Buffer overflow


There are more....
If these packages haven't been fixed, what about other errata exclusive to e-smith? And what happens with new vulnerabilities, now that the Red Hat support has finished?

It's time to move to another base distro, where security would be managed by a security team.

RonM

Direction, Security, Mailmods and the future
« Reply #6 on: May 23, 2004, 09:56:15 PM »
At last - meat! Thank you, Guest, for raising the level of the discussion. Reading vague worries about security (especially the assumption that security level=x number of patches per month) is getting pretty old.

Folks, the babysitters have gone on to the rest of their lives - it's all up to us. Of course every update should be applied, and the latest most secure version used, but who is going to do it? If no one posts it for everyone to use, then we are each going to need to apply the ones we think necessary to our own boxes.

Should contribs ignore these? IMO, no: patches or updated packages (as deemed appropriate) should be part of the next release. In particular, a kernel update will become necessary sooner or later - IMS, the idea was (as Jeff stated in the beginning) to let the Red Hat distro drop "settle out", so the community could choose its course wisely. In the meantime, folks would try to patch or fix critical issues.

My take is: none of the issues listed (that I can find) are a critical threat to users of 'stock' SME installed and configured as suggested in the manual (the rsync server issue might be of some concern to contribs.org admins). Mostly this is because SME doesn't use the specific functionality mentioned, or because it is so restrictive about what it lets ordinary users do.

But don't take _my_ word for it! (What do I know I only deliver 4 emails a day ;-)) I've made a list of links to info about each of the suggested issues; each contains links to more spots. Research them for yourself. Check to make sure SME actually uses the item in question. If you feel any are necessary to fix for the core distro, send an email to security@lists.contribs.org. Bring known issues up in the forum (please be specific). Volunteer to help out. And, Thanks! to all who have.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

CVS
e-smith: 1.11.1p1-7es02
Red Hat: 1.11.1p1-9.7
Vulnerability: CAN 2003-0977

Google search on CAN#
http://www.google.com/search?q=CAN+2003-0977&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8
CAN page
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
BugTraq Vulnerability page
http://www.securityfocus.com/bid/9178/info/
RedHat Advisory Link
http://www.securityfocus.com/advisories/6282


KERNEL

e-smith: 2.4.20-18.7
Red Hat: 2.4.20-30.7
Vulnerability: CAN-2003-0984 Local user can be root
CAN-2004-0010 Idem, local user can escalate to root

Google search on CAN#
http://www.google.com/search?q=+CAN-2003-0984&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8
CAN page
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0984
BugTraq Vulnerability page
http://www.securityfocus.com/bid/9154/info/
RedHat Advisory Link
http://www.securityfocus.com/advisories/6195

OPENSSL

e-smith: 0.9.6b-35.7
Red Hat: 0.9.6b-36.7
Vulnerability: CAN-2004-0081 - Denial of Service

Google search on CAN#
http://www.google.com/search?q=CAN-2004-0081&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8
CAN page
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081
BugTraq Vulnerability page
http://www.securityfocus.com/bid/9899/info/
RedHat Advisory Link
http://www.securityfocus.com/advisories/6459


MC

e-smith: 4.5.55-5
Red Hat: 4.5.55-6
Vulnerability: CAN-2003-1023 - Execution of remote code

Google search on CAN#
http://www.google.com/search?q=CAN-2003-1023&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8
CAN page
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1023
BugTraq Vulnerability page
http://www.securityfocus.com/bid/8658/info/
RedHat Advisory Link
http://www.securityfocus.com/advisories/6259


APACHE

e-smith: 1.3.27-2
Red Hat: 1.3.27-4
Vulnerability: CAN-2003-0542 - Exploitable buffer overflow

Google search on CAN#
http://www.google.com/search?q=CAN-2003-0542&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8
CAN page
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542
BugTraq Vulnerability page
http://www.securityfocus.com/bid/8911/info/
RedHat Advisory Link
http://www.securityfocus.com/advisories/6174


RSYNC

e-smith: 2.5.4
Red Hat: 2.5.7-0.7
Vulnerability: CAN-2003-0962 - Heap overflow

Google search on CAN#
http://www.google.com/search?q=CAN-2003-0962&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8
CAN page
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962
BugTraq Vulnerability page
http://www.securityfocus.com/bid/9153/info/
RedHat Advisory Link
http://www.securityfocus.com/advisories/6145


MYSQL

e-smith: 3.23.56
Red Hat: 3.23.58-1.73
Vulnerability: CAN-2003-10-09 - Buffer overflow

I can't seem to find this one. Here's a list of all CVE entries on MySQL
http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql

wellsi
Direction, Security, Mailmods and the future
« Reply #7 on: May 23, 2004, 10:12:56 PM »
What is the process for getting updated packages into SME Server, or more immediately made available as updates?

For instance Fedora Legacy is just pushing out a CVS package, and as CVS is in the base release (should it be?) it would be good to see the update.

SME Server   cvs-1.11.1p1-7es02.i386.rpm
FedoraLegacy cvs-1.11.1p1-14.legacy.2.i386.rpm

The 'Redhat' version
https://rhn.redhat.com/errata/RHSA-2004-190.html

The Fedora Legacy Bugzilla entry
http://bugzilla.fedora.us/show_bug.cgi?id=1620

Is there a process to be followed, i.e. what can we do to help?

(I am not suggesting this is a security issue for a stock SME Server install but it is an example of a worthwhile update)
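As an added example (not code from any poster in this thread), a small Python check that applies rpm's version-comparison rules to the SME-versus-vendor versions listed in Reply #5 and the CVS pair in Reply #7, and that flags the MySQL advisory id Reply #6 could not look up because it does not match the CAN/CVE number format. The inventory table is constructed from the versions quoted in the thread; the function names are mine and epochs are assumed equal.

```python
import re

# Constructed from the versions quoted in Reply #5 of this thread:
# (package, SME/e-smith version-release, vendor errata version-release, advisory id as quoted)
INVENTORY = [
    ("cvs",     "1.11.1p1-7es02", "1.11.1p1-9.7",  "CAN-2003-0977"),
    ("kernel",  "2.4.20-18.7",    "2.4.20-30.7",   "CAN-2003-0984"),
    ("openssl", "0.9.6b-35.7",    "0.9.6b-36.7",   "CAN-2004-0081"),
    ("mc",      "4.5.55-5",       "4.5.55-6",      "CAN-2003-1023"),
    ("apache",  "1.3.27-2",       "1.3.27-4",      "CAN-2003-0542"),
    ("rsync",   "2.5.4",          "2.5.7-0.7",     "CAN-2003-0962"),
    ("mysql",   "3.23.56",        "3.23.58-1.73",  "CAN-2003-10-09"),
]

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")
_ADVISORY = re.compile(r"^(CVE|CAN)-\d{4}-\d{4,}$")

def rpmvercmp(a: str, b: str) -> int:
    """Compare version/release strings the way rpm does: numeric segments compare
    numerically, alphabetic ones lexically, a number outranks letters, and when
    all shared segments tie the string with segments left over is newer. -1/0/1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_behind(sme_vr: str, vendor_vr: str) -> bool:
    """True when the SME package is older: version first, release only on a tie."""
    sv, _, sr = sme_vr.partition("-")
    vv, _, vr = vendor_vr.partition("-")
    return (rpmvercmp(sv, vv) or rpmvercmp(sr, vr)) < 0

def valid_advisory_id(ident: str) -> bool:
    """CAN/CVE ids are YEAR-SEQUENCE; 'CAN-2003-10-09' as quoted cannot be looked up."""
    return _ADVISORY.match(ident) is not None

def audit(inventory=INVENTORY):
    """Rows (package, sme, vendor, advisory) for packages behind the errata, malformed ids flagged."""
    report = []
    for pkg, sme, vendor, adv in inventory:
        if is_behind(sme, vendor):
            note = adv if valid_advisory_id(adv) else adv + " (malformed id, verify)"
            report.append((pkg, sme, vendor, note))
    return report
```

Running `audit()` reports all seven packages as behind, with the MySQL row flagged so the real advisory can be confirmed before anyone relies on it.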

Jon_Reynolds

Direction, Security, Mailmods and the future
« Reply #8 on: June 28, 2004, 09:08:11 PM »
Do not make SPF a default, make it an option. This has been addressed on the qmail list and I would not use it on my mail server. Keep the base as it is but offer the option to install any add-ons at install time.

Jon