Present: P. Hazel, D.P. Carter, R.J. Dowling, F.A.N. Finch, C.J. Jardine, K.M. Jeary, B.K. Omotani, P. Stewart, C.E. Thompson, J.M. Wilkins
Date of next meeting: 7th June 2006 at 11:15 in C304.
There are currently 188 lists. A new version of Mailman has been released and we will need to integrate our local patches. We are still waiting for staff time to become available for documentation before Mailman can be released as a full service.
On the evening of 3rd April, an attacker managed to gain shell access to the active Webmail/SSH server system (hermes-2.csi at the time) through a bug in the Prayer frontend Web server process. They do not appear to have been able to escalate from the (relatively unprivileged) prayer account to root. A single log file owned by the prayer user was tampered with.
The code in question has been audited (and is now being audited again by another developer). While a certain amount of debugging code has been stripped out, no obvious vulnerabilities have been discovered to date. The Prayer frontend has been wrapped in a chroot environment to reduce the exposure, but we really need a core dump generated from an attack to pin down the problem.
47% of the people with insecure settings have fixed their configuration. 5362 people still have problems. FANF has started to add institutions with relatively small numbers of insecure users (25 to 30) to the notification schedule. There have been further exchanges of messages with some of the departments which still have large numbers of insecure users (notably Physics and Chemistry).
Users identified as undergraduates through their Jackdaw registration are not currently being pestered to fix insecure settings, as most with insecure settings are final year undergraduates. A small fraction of these users will be returning for new or extended courses next academic year: a proper list should be available in the last week of May. We will start to contact undergraduates after the exam session has finished.
Mulberry 4.0 cannot be properly secured when running on Windows 98. However, Mulberry 4.0 and Windows 98 are both effectively end of life, so people should be encouraged to replace one or both.
Logins from external login pages have now been blocked.
DPC 2006-04-26