

Topic: Important News
The new items published under this topic are as follows.
Today, while refactoring the sidux installer, a potential local privilege escalation issue was discovered: the installer leaves a copy of its configuration file on the target system. This configuration file also contains the salted MD5 password hashes for root and the first user account (UID 1000) and remains readable by local users. While this does not reveal the passwords directly, the hashes can be used for a brute-force attack against them.
Affected releases:
- 2007-01 Χάος
- 2007-02 Τάρταρος
- 2007-03 / 2007-03.1 Γάια
- 2007-04 / 2007-04.5 Έρως
- 2008-01 Νυξ
- 2008-02 Έρεβος
- 2008-03 Ουρέα
To remove the leftover configuration files, run the following command as root:
# find /root /home -maxdepth 2 -type f -name '.sidconf*' -delete
Especially on multi-user systems, it is recommended to change the passwords for root and the first user (UID 1000) as well. This can be done by running "passwd" as root or as the user.
The cause for this issue has been found and upcoming releases will not be affected.
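
An added example, not part of the sidux announcement: a read-only audit that can be run before the delete command above, listing each leftover file, whether other local users can read it, and whether it holds a hash (the hash itself is never printed). It assumes the hashes are stored in crypt(3) md5-crypt form ($1$salt$hash); the demo tree, its file names and its contents are constructed.

```shell
#!/bin/sh
# Added example: audit leftover installer config files before deleting them.
# Assumption: hashes are stored in crypt(3) md5-crypt form ($1$salt$hash).
# Usage on a real system (as root): audit_sidconf /root /home

# audit_sidconf DIR...
# Prints one line per match: "<path> world_readable=<yes|no> md5crypt=<yes|no>"
audit_sidconf() {
    # Same search scope as the cleanup command: depth 2 below each directory
    find "$@" -maxdepth 2 -type f -name '.sidconf*' 2>/dev/null | sort |
    while IFS= read -r f; do
        readable=no
        hashes=no
        # -perm -004: the "other" read bit is set, so any local user can read it
        [ -n "$(find "$f" -maxdepth 0 -perm -004)" ] && readable=yes
        # Report only the presence of a hash, never the hash itself
        grep -Eq '\$1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}' "$f" 2>/dev/null \
            && hashes=yes
        printf '%s world_readable=%s md5crypt=%s\n' "$f" "$readable" "$hashes"
    done
}

# make_demo_tree: builds a constructed directory tree for trying the audit
# offline and prints its path. All names and contents are made up.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/root" "$d/home/alice" "$d/home/bob/deep/er"
    # World-readable file holding a constructed md5-crypt string
    printf "ROOT_PW='%s'\n" '$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV' > "$d/root/.sidconf"
    chmod 644 "$d/root/.sidconf"
    # Owner-only file without any hash
    printf 'HOSTNAME=demo\n' > "$d/home/alice/.sidconf.bak"
    chmod 600 "$d/home/alice/.sidconf.bak"
    # Deeper than -maxdepth 2, so neither the audit nor the cleanup sees it
    printf 'x\n' > "$d/home/bob/deep/er/.sidconf"
    printf '%s\n' "$d"
}
```

Any file reported with world_readable=yes and md5crypt=yes means the corresponding passwords should be changed after the file is deleted.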
Please hold back from dist-upgrades until further notice!
There seems to be a serious issue affecting lsb and possibly other packages, which renders your system unusable.
If you got caught by this bug in dmsetup (Debian bugs #491107 and #491114, see http://bugs.debian.org/491107), please follow the steps below (fixed packages are in sidux' repositories):
- try to find an older, still installed kernel with an unaffected initrd, select it, and skip ahead to the steps starting with apt-get update below
- if you are not lucky enough to find a kernel that still boots, restart your system and wait a few minutes. While it seems to freeze at "Begin: Waiting for root file system...", the initramfs will time out after a little while (less than 5 minutes) and drop you to a very limited busybox shell. Once there, please follow the next steps
- rm /etc/udev/rules.d/65_dmsetup.rules # you can use [tab] expansions here
- udevadm trigger # you most likely won't see a prompt after udev has enumerated your devices; just type ahead when it stops scrolling down (if you don't see any output here, just wait ~2 minutes)
- exit
- get to tty1 --> press [alt]+[ctrl]+[f1]
- log in as root
- apt-get update
- apt-get install dmsetup lsb-base # make sure to get dmsetup >= 2:1.02.27-2+c0.sidux.1 and lsb-base >= 3.2-15
- update-initramfs -u
- reboot
Now everything should be in order.
If you already dist-upgraded within the last 24h, don't reboot, and make sure to update to dmsetup >= 2:1.02.27-2+c0.sidux.1 and lsb-base >= 3.2-15 before powering down!
Edit: the problem is now resolved in the Debian repos.