[LWN Logo]

 Main page
 Linux in the news
 Back page
All in one big page

See also: last week's Security page.


News and editorials

StackGuarded Red Hat Linux 5.2. Immunix, a distribution built with the StackGuard compiler, has been in the works for some time now. For sites that wish to protect themselves not only against buffer overflows that have been found so far, but also ones that have not yet been found or reported, Immunix may be one of the options you'll want to consider. It also makes a proving ground for the concept for secured Linux distributions, though comments from those projects have not yet been seen.

The existence of OpenSSH-1.0 has been confirmed. We mentioned last week that we had heard OpenBSD had picked up the source for ssh 1.1.12, which was released under a DFSG-approved license. (Debian Free Software Guidelines).Louis Bertrand dropped us this note to confirm this information. "Yes, the rumour is true. OpenBSD will ship with a free implementation of SSH based on 1.2.12. We'll bring it up to present standards, of course (security fixes and functionality)". Many thanks go to them for this effort, which will benefit the entire free and open source community. This is a great case study of how a free license continues to benefit people. Once a product is free, even if the original author adds to and tries to restrict future versions, the choice can be made to support the free option instead, as OpenBSD has now done. This version will interact with existing ssh 1.X servers, without any potential licensing problems. Of course, work will have to continue on free software to support the ssh 2.0 protocols.

PC Week summarizes 'HackPCWeek' episode. PC Week has posted a summary of what happened when they put up their hacking challenge. It includes at least one ridiculous claim: "While any operating system needs patches and updates, there is no central repository for testing or approving patches to the Linux system. Kernel patches can be obtained from a verified source such as kernel.org, but most other components have no central infrastructure." Red Hat (the distribution they were running) has a very nice central infrastructure for all of the security fixes that need to be applied. They simply blew it by not applying the available fixes.

As before, the announcement of lifted restrictions on cryptography by the U.S administration addressed only commercial issues, leaving out the issue of the export of the actual source code. Here is a repost of a New York Time article on the issue. "The exclusion of source code from the relaxed rules, recently announced by the Clinton administration, threatens to constrain software developed under the so-called open-source model, most notably the Linux operating system." This continuing "oversight" leaves legislation or court action as the only way to address the current cryptographic problems. On a side note, the change in cryptography rules has been linked to Al Gore's presidential campaign. Maybe some letters to the gentleman could suggest that including open source in such restrictions would be an excellent way to raise the estimation of his technical understanding among a large and extremely vocal community ...

Security Reports

A problem has been reported with PAM (Pluggable Authentication Modules) which could, in some situations, allows users into a locked account. Apparently it only happens when NIS is being used. Thus far we have seen updates come in from Red Hat, Yellow Dog Linux, and LinuxPPC.

A correction to our comments on KDE and kvt last week. Duncan Haldane, who manages the packaging of KDE at ftp.kde.org for the "rh5x" series of KDE rpm packages (for Red Hat 5.x systems) sent us a note which kindly corrected our comment that kvt had been removed from KDE 1.1.2. "kvt is in fact included in the KDE-1.1.2 release, but the reported buffer overflow was fixed in the kvt v. included in that release. If you are using kvt-0.18.7, or earlier, from a previous release, you should either:

  • (a) remove that kvt,
  • (b) apply a security update appropriate for your distribution, or
  • (c) upgrade to KDE-1.1.2. "

Red Hat 6.1 contains two security issues, with the way it handles the startup of Xsessions and with properly implementing the PAM policy for /etc/nologin. The latter can be fixed quite easily by an administrator. The former could allow local implementations of account security to be bypassed. No package updates have been seen as of yet.

Auto_FTP security considerations. An advisory was posted to Bugtraq this week for the Auto_FTP.pl v0.2 perl script. Auto_FTP is used in a push system to automatically ftp files from a local directory to a remote site. Unfortunately, security issues did not seem to be highly prioritized in the design. If you are using Auto_RPM, you will want to read this advisory and think about the ramifications for your site.

Rpmmail 1.4 has been released, with bugfixes to resolve recently reported vulnerabilities that could lead to root exploits. If you are using rpmmail, you will want to upgrade.

On the commercial side: Hybrid Network's Cable Modems apparently contain long-standing security problems. Check out this thread on Bugtraq for more details. Meanwhile, you may want to leave Hybrid off your shopping list until they become more responsive to security issues.

And the Webtrends Server, for both Solaris and Linux, has some serious security issues, including one that could allow root access. A response from WebTrends has not yet been seen.


Another new Netscape package from Red Hat. Red Hat has announced another updated Netscape package. The previous one had a bit of a problem.


Doobee. R. Tzeck has written a document describing several ways to encrypt disks under Linux.


The 6th ACM Conference on Computer and Communications Security will be held November 1st through the 4th in Singapore. For more information, check out the Conference Home Page. In addition, a recent update mentions that a "Rump" session has been added, with informal presentations with "recent results, work in progress, and other topics of interest to the research community".

Section Editor: Liz Coolbaugh

October 14, 1999

Secure Linux Projects
Bastille Linux
Khaos Linux
Secure Linux

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Miscellaneous Resources
Comp Sec News Daily
Linux Security Audit Project
Security Focus

Next: Kernel

Eklektix, Inc. Linux powered! Copyright © 1999 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds