
Security


News and editorials

Buffer overflow protection from kernel patches. Patches for the Linux kernel exist, like Solar Designer's non-executable stack patch, which disallow the execution of code on the stack, making a number of buffer overflow attacks harder - and defeating completely a number of the current exploits used by "script kiddies" worldwide. However, such patches have not been pulled into the main Linux kernel. Why not?

Linus has resisted these patches for a couple of reasons. One is that there are occasional legitimate uses for executable code on the stack (GCC's nested-function trampolines are the usual example); life gets a bit harder if you turn that off. But Linus's main point has always been that a non-executable stack is a band-aid which does not fix the real problem: poorly written applications. The real solution is to eliminate buffer overflows from user-space code. After all, an overflow can still be exploited without an executable stack, by overwriting the saved return address with the address of code that is already present, such as a libc function; it is just harder. See, for example, this note from Linus from back in August, 1998.

The point Linus makes is valid. Meanwhile, however, the script kiddies are giving grief to a number of sites, grief that this one change would prevent. In the end, security is not absolute, and every obstacle placed in an attacker's way can only help. But don't expect a non-executable stack from the mainstream kernel anytime soon; those interested in high security will need to look at the Solar Designer patches or a distribution like Immunix instead.
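To make the argument above concrete, here is the classic stack-buffer overflow beside a bounds-checked version of the same function. This is an added example written for this page; it is not code from LWN, from Solar Designer's patch or from the kernel. The function names, the 16-byte buffer size and the sample inputs are assumptions chosen for illustration.

```c
/* Added example: a stack-smashable function and its hardened form.
 * Names, buffer size and inputs are assumptions made for illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed buffer size */

/* Vulnerable form.  strcpy() copies until it finds a NUL byte, so an
 * argument of NAME_LEN or more bytes runs past buf[] into whatever sits
 * above it on the stack: the saved frame pointer and the return address.
 * A non-executable stack stops the attacker from *running* shellcode
 * placed in buf[], but it does not stop the overwrite of the return
 * address, which can instead be pointed at code that already exists
 * (a libc function, for instance).  Only a length check removes the bug. */
int greet_unsafe(const char *name)
{
    char buf[NAME_LEN];
    strcpy(buf, name);                /* no length check at all */
    return (int)strlen(buf);
}

/* Hardened form.  The length is checked against the real size of buf[]
 * before anything is written, so there is no overflow to exploit, with or
 * without an executable stack.  Oversized input is rejected (-1) rather
 * than silently truncated, so the caller cannot mistake a mangled name
 * for a valid one. */
int greet_safe(const char *name)
{
    char buf[NAME_LEN];
    size_t n = strlen(name);

    if (n >= sizeof buf)              /* leave room for the NUL terminator */
        return -1;
    memcpy(buf, name, n + 1);
    return (int)n;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would overflow. */
    const char *ok = "alice";
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes */

    printf("greet_safe(\"%s\") = %d\n", ok, greet_safe(ok));
    printf("greet_safe(32 bytes) = %d\n", greet_safe(oversized));
    /* greet_unsafe(oversized) is deliberately not called: it would smash
     * the stack, which is exactly the behaviour the patch is meant to
     * make harder to abuse. */
    return 0;
}
```

Build it with `cc -o greet greet.c`; the unsafe function compiles without complaint on most compilers, which is why audits of user-space code, not just kernel patches, are needed to find this class of bug. The same pattern applies to CGI programs run under the httpd uid, where the attacker's input arrives over the network.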

Lessons from the quake cheat. Eric Raymond sent us an article about the "Quake cheat" - people modifying the (now open-source) Quake client to gain an advantage in the game. Eric's point is that, had Quake been developed as an open-source application since the beginning, these problems would not have arisen, since different design decisions would have been made. Worth a read.

As another case to look at, consider Netrek, which has dealt with this problem for a long time. Netrek, in the end, has gone with a "blessed binaries" scheme; the code is in the open, but only specially built binaries (containing a proper cryptographic key) can be used with most servers.

How SSH was freed. Daemonnews has put out a nice article describing the development of OpenSSH, titled "How SSH was freed". It gives some nice background on the developers that did the work and even includes some pictures. Of course, some people might disagree that the following constitutes "freeing" the code: "As detailed in the OpenSSH history page, much of the early work involved removing GPL'd or non-portable code."

Security Reports

Quake Smurf. An exploit has been posted that allows a hacker to kick a player off a Quake server.

glFtpdD vulnerabilities. Multiple vulnerabilities have been reported in the glFtpdD FTP Daemon. A fix for the problem has been made available and will be included in the next release.

Traffic shaper. Yuri Kuzmenko pointed out that the Linux traffic shaper allows non-root accounts to reset the speed of the shaper. Alan Cox acknowledged the problem and indicated that it has been fixed in the pre-patch series for the Linux 2.2.14 kernel (which should hopefully be released in the near future).

msql cgi script. The w3-msql cgi script distributed with msql contains exploitable buffer overflows that can allow arbitrary code to be executed under the httpd uid, according to this advisory. An exploit for Solaris has been released. If you are not using the script, removal of it from your system is probably a good idea. No vendor comment or fix has been reported.

Resources

Denial of Service Tools. The latest CERT Advisory addresses new techniques for implementing Denial-of-Service attacks that are coming into more frequent use. This is not the type of problem that an easy patch or update will fix, so the advisory can only offer suggestions, such as:
  • develop relationships and capabilities with other sites
  • implement ingress filtering on your routers
  • prevent your site from being used by intruders
All of these suggestions are "Good Neighbor" tactics. In this case, your security is impacted by the insecurity of your neighbors, so you need to set a good example in order to receive similar treatment.
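Ingress filtering, the second suggestion, is the one most sites can act on directly. The fragment below is an added example, not text from the CERT advisory: a Cisco IOS access list on an ISP's customer-facing interface that forwards only packets whose source address lies in the block assigned to that customer, so a host on that link cannot take part in a flood with forged source addresses. The prefix 192.0.2.0/24, the interface name and the list number are assumptions.

```cisco
! Added example.  Assumed: the customer is assigned 192.0.2.0/24 and
! connects on Serial0.  Only packets claiming a source inside that block
! are forwarded; anything else has a spoofed source and is dropped and logged.
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip any any log
!
interface Serial0
 ip access-group 101 in
```

The same list applied outbound on the customer's own border router is the "set a good example" half of the bargain: it keeps spoofed packets from ever leaving the site, whether or not the upstream provider filters. Neither filter protects you from a flood aimed at you; they only stop your network from being the source of one.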

Events

RAID 2000. The Call-For-Papers for the Third International Workshop on the Recent Advances in Intrusion Detection (RAID) has been released. Papers are due by March 30th, 2000 and the conference itself will be held October 2nd through the 4th in Toulouse, France.

Section Editor: Liz Coolbaugh


December 30, 1999


Secure Linux Projects
Bastille Linux
Immunix
Khaos Linux
Secure Linux

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
Linux Security Audit Project
OpenSSH
OpenSEC
Security Focus
SecurityPortal

Eklektix, Inc. Linux powered! Copyright © 1999 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds