
Security


News and editorials

U.S. Cryptography Regulation: the kernel hackers' response. In December, we talked in detail about the second draft of the next round of updates to the US cryptography regulations. This week, it appears that at least some of the Linux kernel hackers have read, absorbed and reacted to them as well. "The US government is about to relax the crypto export regulations, in ways we could not have anticipated 6 months ago, vis-a-vis open source and publicly available cryptography. The first draft of the regulations were, unexpectedly, promising but held some ambiguities for the open-source community. The second draft can only be considered a Christmas present with the open source regs being reduced to little more than 'tell us where it is and then do it'", commented Michael Warfield in a note to the linux-kernel mailing list.

Since the new regulations are due to become official on January 14th, Michael went on to propose that security-related patches, heretofore carefully excluded from the primary kernel tree, should be expedited into the kernel before the Linux 2.4 feature-freeze firms up (it has been announced, but appears to still be "squishy"). IPSEC support, ppdd, and KLIPS were examples of new features this would bring us. The final goal would be to enable distribution suppliers to start bundling hardened cryptography with all Linux systems as quickly as possible.

We can only say, yes, please! This will allow us to take a massive step toward eliminating one key weakness of Linux: its security right out of the box, without requiring knowledgeable tuning.

Business to Business Commerce: B2B fever. SecurityFocus takes a look at the security issues of business to business commerce (B2B), another catch-phrase that has caught the eye of Wall Street. "B2B will both push for better technology to secure transactions & infrastructure and at the same time race ahead of security best practices as companies seek to carve out market share in a B2B e-commerce industry predicted to reach $2.8 trillion by 2003."

Security Reports

Corel Linux Security Vulnerability. The Corel Update program contains coding flaws that make it trivially easy to break root. Corel Linux has not yet responded with a fix. Until they do, you may want to disable Corel Update on your system.

Serious MySQL security bug. This posting to BugTraq describes a serious bug in how MySQL handles the GRANT privilege and provides both a temporary solution and a patch from TCX. "Anyone with access to a running MySQL and GRANT privilege for any database or table in it, can change any MySQL-password he wishes, including the MySQL superuser's".

BIND vulnerabilities. This message, posted by D. J. Bernstein, describes additional vulnerabilities in BIND that can allow temporary denial-of-service attacks when a domain name changes but its records in the cache have not yet timed out. Of course, most Unix systems administrators learned of this long ago, not as a security issue but as an implementation issue. Various arcane rules are used, such as changing the time-outs on your DNS records in advance of a name change, to prevent accidental denial-of-service.

Updates

Debian security update for nvi. The Debian Project has released a security update to nvi which fixes a local attack problem. A quick upgrade is recommended.

Debian security update for lpr. The Debian Project has released a security update to lpr, fixing problems with potential IP spoofing and the ability to specify an alternate configuration file (which could allow a remote root exploit). Upgrading to lpr_0.48-0 is highly recommended.

Red Hat security update for lpr. Here's Red Hat's update to the lpr package, which fixes the two security problems found there.

Resources

SRS (Secure Remote Streaming), a "secure Unix syslog", has been released with source code. We'll let the announcement describe the history of this product itself, since the issues are complex.

Port Lookup Resource. For people investigating their firewall logs for security purposes, a resource for identifying port numbers was posted to the Incidents list recently by Keith Owens.

PalmCrack. Now you can test the security of your passwords by running a cracker right on your PalmPilot ... check the announcement for more details.

Stack Shield 0.7 beta has been released. It contains bug fixes, optimization support and a new protection method. "The new Stack Shield also defends from frame pointer overwrite attacks described in Phrack Magazine 55-08 by klog. To Enable the protection the Ret Range Check method must be used (-r or -g flags)".

When strace may lie ... check with ltt, comments Karim Yaghmour, describing his tool, the Linux Trace Toolkit.

Events

Section Editor: Liz Coolbaugh


January 13, 2000


Secure Linux Projects
Bastille Linux
Immunix
Khaos Linux
Secure Linux

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
Linux Security Audit Project
OpenSSH
OpenSEC
Security Focus
SecurityPortal

 


 
Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds