Security

News and editorials

More ssh problems! This time, ssh 1.2.27 with RSAREF2 defined was found to contain another buffer overflow which can make the machine running sshd allow an unauthorized login, according to this CORE SDI security advisory and this followup by Niels Provos. Note that the vulnerability is not specific to ssh; any code that uses RSAREF2 may be impacted. Although OpenSSH is not vulnerable to an exploit as a result, it is impacted, as explained in this OpenBSD advisory, along with several other OpenBSD packages. US citizens will need to review this issue since they mention "(This crypto problem only burns Americans!)"
Bastille Linux 0.93beta. Good news from the headwaters of efforts to create a secure Linux implementation: Bastille Linux 0.93beta has been announced. This is the beginning of a code freeze, so they are moving towards the release of their first stable version. It also seems to indicate that the homepage for the Bastille project has moved to http://bastille-linux.sourceforge.net/.
Open source SRP provides an alternative for secure authentication. SecurityFocus' Kurt Seifried takes a look at SRP, the Stanford SRP Authentication Project. "SRP provides several benefits over traditional methods, the biggest being that no actual encryption of the data takes place, meaning SRP can be exported legally from the US. SRP also makes no use of the patented RSA algorithm (typically used in key exchanges), so you can legally use it in the US (without having to pay RSA)."

Security Reports

A problem with the shadow package in Slackware 7.0 was reported on BugTraq and is claimed to allow a brute force attack on the password file. This report has not been confirmed, and no word from the Slackware team has come out as of yet.

The official PostgreSQL RPMs up through 6.5.3-1 had a permission problem, reported by the RPM maintainer, Lamar Owen. Updated RPMs are now available, and a simple fix is mentioned for people who have already installed older RPMs.

Updates

dump: fixes for a security problem when symbolic links are restored (see original announcement).

ORBit, esound, and gnome-core: An easily guessable source for random data was used in ORBit and esound, which might allow an attacker to guess the authentication keys used to control access to these services. In addition, TCP Wrappers support has been added to gnome-session.

sendmail: Any user can run sendmail with the -bi option to rebuild the aliases database, which opens a window during which the aliases database can be left in an unusable state, causing a Denial of Service. Versions of sendmail through 8.9.3 are impacted. [SecurityFocus entry] (Old)
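The ORBit/esound item above turns on one point: an authentication key is only as strong as the entropy of whatever produced it. The following is an added illustration, not code from ORBit, esound, or the LWN page, and it assumes nothing about how those packages generated their keys beyond what the item states (a guessable random source). It uses Python's standard random and secrets modules to contrast a key derived from a non-cryptographic PRNG seeded with a small value (the same seed always yields the same key, so the key's strength collapses to the size of the seed space) with a key drawn from the OS CSPRNG, and a small helper that states the resulting effective key strength.

```python
import math
import random
import secrets

KEY_BYTES = 16  # constructed example: a 128-bit service authentication key


def weak_key(seed: int, n: int = KEY_BYTES) -> bytes:
    """Key from a non-cryptographic PRNG seeded with a small, guessable value
    (a timestamp, a PID, ...). This is the pattern the item warns about:
    identical seed -> identical key, so the key has no more entropy than the seed."""
    rng = random.Random(seed)  # deterministic Mersenne Twister, not a CSPRNG
    return bytes(rng.getrandbits(8) for _ in range(n))


def secure_key(n: int = KEY_BYTES) -> bytes:
    """Key from the operating system's CSPRNG (secrets wraps os.urandom).
    No caller-visible seed exists, so there is nothing to guess."""
    return secrets.token_bytes(n)


def effective_key_bits(seed_space: int, key_bits: int) -> float:
    """Upper bound on a key's strength: the smaller of the nominal key length
    and log2(number of distinct seeds the generator could have been given).
    A 128-bit key seeded from one of ~3600 timestamps is worth ~11.8 bits."""
    return min(math.log2(seed_space), key_bits)


if __name__ == "__main__":
    # Constructed seed: a plausible "seconds since epoch" value at the time of this issue.
    seed = 944697600
    print("weak key is reproducible:", weak_key(seed) == weak_key(seed))
    print("secure keys differ:", secure_key() != secure_key())
    print("bits if seed is any second within one hour:", effective_key_bits(3600, 128))
    print("bits with a proper CSPRNG:", effective_key_bits(2 ** 128, 128))
```

The defensive check is the last function: when reviewing a service that hands out access tokens or cookies, find the seed of the generator and ask how many values it could take; if that number is small, the token length is irrelevant and the generator should be replaced with the OS CSPRNG.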
Section Editor: Liz Coolbaugh
December 9, 1999