Debian: New refpolicy packages fix incompatible policy

    Date24 Jul 2008
    CategoryDebian
    3980
    Posted ByLinuxSecurity Advisories
    In DSA-1603-1, Debian released an update to the BIND 9 domain name server, which introduced UDP source port randomization to mitigate the threat of DNS cache poisoning attacks (identified by the Common Vulnerabilities and Exposures project as CVE-2008-1447)
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1617-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                           Devin Carraway
    July 25, 2008                         http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : refpolicy
    Vulnerability  : incompatible policy
    Problem type   : local
    Debian-specific: no
    CVE Id(s)      : CVE-2008-1447
    Debian Bug     : 490271
    
    In DSA-1603-1, Debian released an update to the BIND 9 domain name
    server, which introduced UDP source port randomization to mitigate
    the threat of DNS cache poisoning attacks (identified by the Common
    Vulnerabilities and Exposures project as CVE-2008-1447).  The fix,
    while correct, was incompatible with the version of SELinux Reference
    Policy shipped with Debian Etch, which did not permit a process
    running in the named_t domain to bind sockets to UDP ports other than
    the standard 'domain' port (53).  The incompatibility affects both
    the 'targeted' and 'strict' policy packages supplied by this version
    of refpolicy.
    
    This update to the refpolicy packages grants the ability to bind to
    arbitrary UDP ports to named_t processes.  When installed, the
    updated packages will attempt to update the bind policy module on
    systems where it had been previously loaded and where the previous
    version of refpolicy was 0.0.20061018-5 or below.
    
    Because the Debian refpolicy packages are not yet designed with
    policy module upgradeability in mind, and because SELinux-enabled
    Debian systems often have some degree of site-specific policy
    customization, it is difficult to assure that the new bind policy can
    be successfully upgraded.  To this end, the package upgrade will not
    abort if the bind policy update fails.  The new policy module can be
    found at /usr/share/selinux/refpolicy-targeted/bind.pp after
    installation.  Administrators wishing to use the bind service policy
    can reconcile any policy incompatibilities and install the upgrade
    manually thereafter.  A more detailed discussion of the corrective
    procedure may be found here:
    
      http://wiki.debian.org/SELinux/Issues/BindPortRandomization
    
    For the stable distribution (etch), this problem has been fixed in
    version 0.0.20061018-5.1+etch1.  The unstable distribution (sid) is
    not affected, as subsequent refpolicy releases have incorporated an
    analogous change.
    
    We recommend that you upgrade your refpolicy packages.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Debian (stable)
    - ---------------
    
    Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/r/refpolicy/refpolicy_0.0.20061018.orig.tar.gz
        Size/MD5 checksum:   571487 1bb326ee1b8aea1fa93c3bd86a3007ee
      http://security.debian.org/pool/updates/main/r/refpolicy/refpolicy_0.0.20061018-5.1+etch1.diff.gz
        Size/MD5 checksum:    53515 bd171f0cfa9adc59d451d176fb32c913
      http://security.debian.org/pool/updates/main/r/refpolicy/refpolicy_0.0.20061018-5.1+etch1.dsc
        Size/MD5 checksum:      859 52bc8ea0cab864e990e9dacc4db3b678
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/r/refpolicy/selinux-policy-refpolicy-strict_0.0.20061018-5.1+etch1_all.deb
        Size/MD5 checksum:  1541610 626c93fc13beaa01ff151d9103a7860b
      http://security.debian.org/pool/updates/main/r/refpolicy/selinux-policy-refpolicy-doc_0.0.20061018-5.1+etch1_all.deb
        Size/MD5 checksum:   289230 b082a861eda93f9bc06dd2e2f03ba89d
      http://security.debian.org/pool/updates/main/r/refpolicy/selinux-policy-refpolicy-targeted_0.0.20061018-5.1+etch1_all.deb
        Size/MD5 checksum:  1288314 c00ed4f0ea4ddbb8dd945c24c710c788
      http://security.debian.org/pool/updates/main/r/refpolicy/selinux-policy-refpolicy-src_0.0.20061018-5.1+etch1_all.deb
        Size/MD5 checksum:   595490 841f616c8f08b22ed7077c21c1065026
      http://security.debian.org/pool/updates/main/r/refpolicy/selinux-policy-refpolicy-dev_0.0.20061018-5.1+etch1_all.deb
        Size/MD5 checksum:   418666 bee3f41fe8771b7b88693937814494a3
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"8","type":"x","order":"1","pct":61.54,"resources":[]},{"id":"88","title":"Should be more technical","votes":"3","type":"x","order":"2","pct":23.08,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"2","type":"x","order":"3","pct":15.38,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.