See also: last week's Security page.
News

Debian has released a new stable version of Debian GNU/Linux, version 2.1r3, primarily to bundle together all the security-related updates that have come through since the release of Debian 2.1. This release does not contain new functionality, just bug fixes, and is highly recommended for any site currently running 2.1 that does not already have all related patches installed. If you want to install Debian from scratch, this update should save a lot of post-installation work to get in all the needed security updates.
Postfix, and why it is a preferred alternative to sendmail, is the focus of this article by Kurt Seifried. He focuses on the improvements Postfix brings in security and configurability and the ease with which Postfix can be dropped in as a replacement for sendmail. "I find a typical Postfix conversion takes around 10 minutes for most sites (assuming you use an RPM and don't have to compile it), and have yet to encounter any major disasters (although I have found several small to medium sized glitches)."
He also reports back on the current state of the Postfix license, which caused some initial concern. "Previous versions had a rather ugly termination clause, which prevented widespread acceptance of Postfix, however this has been removed and Postfix is now "safe" to use. You can distribute the software, develop it, make changes and so forth, the only catch being that you must contribute any changes back to IBM (rather reasonable since they paid Wietse to develop it)."
A shared-memory-based denial-of-service attack has been posted to BugTraq and demonstrated on Linux systems. Currently, no effective limit on shared memory exists, since shared memory segments can be created without being bound to a process and so survive the exit of the process that created them. Henrik Nordstrom posted a patch for Linux 2.2.12 which adds a procfs entry for "tuning the limit of shared memory allocable", freeing unreferenced shared memory pages and getting information on when they were created and by whom.
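The condition described above, segments that remain allocated with no process attached, can be watched for from userspace by reading /proc/sysvipc/shm. This added example is not from the BugTraq post or from Nordstrom's patch; it parses that file's column layout (matching fields by header name so older kernels without the rss/swap columns also work) and totals unreferenced segments per creating user and PID. The sample rows are constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample in the layout of /proc/sysvipc/shm; values are made up.
SAMPLE_PROC_SHM = """\
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap
         0          1   600    4194304  1234  1234      2  1000  1000  1000  1000  937000100  937000200  937000000               4194304                     0
         0          2   600   67108864  4321  4321      0  1000  1000  1000  1000  937000300          0  937000300              67108864                     0
         0          3   600   67108864  4321  4321      0  1000  1000  1000  1000  937000310          0  937000310              67108864                     0
"""


def parse_proc_shm(text: str) -> List[Dict[str, int]]:
    """Parse /proc/sysvipc/shm text into one dict per segment, keyed by column name."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    segments = []
    for line in lines[1:]:
        fields = line.split()
        # zip stops at the shorter side, so a kernel with fewer columns still parses.
        segments.append({name: int(value) for name, value in zip(header, fields)})
    return segments


def unreferenced_segments(segments: List[Dict[str, int]]) -> List[Dict[str, int]]:
    """Segments with nattch == 0: allocated, but no process currently attached."""
    return [seg for seg in segments if seg["nattch"] == 0]


def bytes_per_creator(segments: List[Dict[str, int]]) -> Dict[Tuple[int, int], int]:
    """Sum unreferenced segment sizes per (uid, creator pid) to see who is holding memory."""
    totals: Dict[Tuple[int, int], int] = {}
    for seg in unreferenced_segments(segments):
        key = (seg["uid"], seg["cpid"])
        totals[key] = totals.get(key, 0) + seg["size"]
    return totals


def report(text: str) -> List[str]:
    """One line per unreferenced segment: id, size, creator pid, uid and creation time."""
    return [
        "shmid=%d size=%d cpid=%d uid=%d ctime=%d"
        % (s["shmid"], s["size"], s["cpid"], s["uid"], s["ctime"])
        for s in unreferenced_segments(parse_proc_shm(text))
    ]


if __name__ == "__main__":
    # On a live system replace SAMPLE_PROC_SHM with open("/proc/sysvipc/shm").read().
    for line in report(SAMPLE_PROC_SHM):
        print(line)
```

Running it against the real file lets a site compare the orphaned total against its shmmax setting before deciding whether the limit or the cleanup behaviour needs tightening.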
A minor bug in gftp can result in your password being displayed in plain text or saved in plain text to your log file. The author of gftp has released an update to fix this. For more information, check out Oscar Haeger's BugTraq posting.
Last week's release of ProFTPD 1.2.0pre5 has quickly been followed by the release of ProFTPD 1.2.0pre6. Details on the changes in the latest version have not yet been posted, but they are again security related. Given the length of the list of changes made in pre5, this may just be catching some minor oversights.
Commercial software reports have come in on Netscape Enterprise Server 3.6, and CDE. The CDE problems resulted in the release of this CERT advisory, since the vulnerabilities can result in unauthorized access to root privileges.
Updates

LinuxPPC has issued new updates for problems with INN and ProFTPD. The ProFTPD updates contain the latest version, 1.2.0pre5.
Yet more updates to XFree86 have come out from Red Hat. These include the XFree86 3.3.5 packages, and are marked as security-related, so an update is recommended.
SuSE released a new PINE update to fix the PINE vulnerabilities reported in June. The new package fixes a problem with the original update which broke support for IMAP.
Resources

The Linux Administrator's Security Guide has been moved over to Security Portal and is now available in HTML form (previous versions were distributed in PDF form). Major updates to the Guide are also promised in the near future.
Stack Shield 0.5 has been announced. Stack Shield is an alternative to Stack Guard; both help make a system less vulnerable to buffer overflow and related problems.
Linux Audit Beta 0.1 is an early release of a package to support auditing under Linux. It requires Linux kernel 2.3.5, plus a patch, to run.
The unix-virus mailing list has been started. The charter indicates that it will discuss the "virus in the unix environment". This may, of course, be aimed towards anti-virus developers who are now supporting code to run on Unix and Linux systems and find Windows or Macintosh viruses. Although not theoretically impossible, it seems unlikely that a mailing list could stay active talking about Unix-based viruses ... Also note that the URL provided for the list was incorrect. An update, posted later, indicated that the website for the mailing list is http://virus.beergrave.net/.
Section Editor: Liz Coolbaugh
September 16, 1999