
Security


News and editorials

NSA Linux? Here's a press release from Secure Computing Corporation stating that it has been awarded a contract from the National Security Agency to develop "a robust and secure Linux platform." Many people speculated that the results would not be openly released, given the nature of the NSA. However, this post from Mike Beede at Secure Computing indicates that the results will be released under the GPL.

More details are promised in the near future. Mike closed with the comment, "Having a secure operating system available to the community will also benefit us, by giving us a non-proprietary platform for our security products."

Linux vs Microsoft: Who solves security problems faster? Security Portal has taken a look at response times to bug fixes, in an effort to determine whether the response time for open source software is truly shorter. The results: "Red Hat had the best score, with 348 recess days on 31 advisories, for an average of 11.23 days from bug to patch. Microsoft had 982 recess days on 61 advisories, averaging 16.10 days from bug to patch. Sun proved itself to be very slow, although having only 8 advisories it accumulated 716 recess days, a whopping three months to fix each bug on average."

The results turned out well enough, this time, but given that patches for most open source security problems come out almost simultaneously with the initial announcements, or within only a few days, it is unfortunate that Red Hat updates took an average of 11 days to follow. If the same tests were done on all Linux distributors, some might fare slightly better, but most would fare worse. The time is coming when more attention needs to be paid to getting security updates out in a timely manner for all Linux distributions.

Responses flow in to new cryptographic rules. For good news, check out the Cracking DES book from the EFF, which has been put back online. A lot of press articles took a look at the issue as well:

  • Wired News looks at the posting of the PGP source by John Young. "Young's seemingly innocuous act might violate new US government regulations that restrict placing privacy-protecting crypto programs on the Web. Therein lies the uncertainty. The rules are much less onerous than the previous version, but they still apply. And they're so labyrinthine and convoluted that even lawyers who specialize in the area declined to guess whether or not Young has run afoul of President Clinton's executive order and Commerce Department regulations."

  • Canoe News looks at opposition to the new rules within the administration. "The new rules, disclosed Wednesday, had encountered strong opposition inside the administration. Top law enforcement and defence officials argued that relaxing the export requirements would allow criminals and terrorists to more easily transmit scrambled electronic messages the government could not decipher."

  • Countering the concerns mentioned above, the American Civil Liberties Union (ACLU), Electronic Frontier Foundation (EFF) and Electronic Privacy Information Center (EPIC) still say the new regulations don't go far enough. "The new regulations, like the old ones, impose special requirements on Internet speech, contrary to the Supreme Court's 1997 ruling in Reno v. ACLU. The regulations require that the government be notified of any electronic "export" of publicly available encryption source code, and prohibit electronic "export" to certain countries. Yet people may freely send the same information anywhere on paper."

  • Reuters. "The new rules, which take effect after being published in the Federal Register on Friday, fulfill a White House promise from September to dramatically relax the previously restrictive encryption export rules."

No privacy protection for e-mail or chat sessions. This New York Times article describes the decision in a recent case in Washington state, where the judge chose to allow as evidence e-mail and recordings of chat sessions. "After all, the judge said, Townsend chose to 'communicate via e-mail and/or ICQ . . . with the knowledge that the computer itself is a transmission and recording device.'" Others believe the judge has taken a first step down a slippery slope.

Security Reports

MySQL. In last week's Security Page, we mentioned a security problem in MySQL. MySQL version 3.22.30 has been released and contains a fix for this problem. An upgrade is highly recommended.

Yams 0.5.7 - Security Fix Release. Yams 0.5.7 has been released. It fixes a problem where the customer id was being stored as a hidden field in some of the order pages. It would have been possible for users to modify this id.
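The Yams bug above is the classic pattern of a web application echoing an identity value into a hidden form field and then trusting whatever comes back. The following is an added illustration, not Yams code: a constructed order-listing handler that trusts the hidden `customer_id` from the POST body, next to a hardened version that derives the customer from the server-side session and rejects a mismatching field. Customer records, session tokens and the handler names are all invented for the example.

```python
# Added example (not from Yams): hidden-field identity vs. session-bound identity.

# Constructed sample data: two customers and a server-side session store.
CUSTOMERS = {
    "c100": {"name": "alice", "orders": ["order-1", "order-2"]},
    "c200": {"name": "bob", "orders": ["order-9"]},
}
SESSIONS = {"sess-alice": "c100", "sess-bob": "c200"}  # session token -> customer id


def render_order_page_vulnerable(session_token):
    """Emit the hidden field the way the vulnerable page did: identity lives in the form."""
    cid = SESSIONS[session_token]
    return f'<input type="hidden" name="customer_id" value="{cid}">'


def list_orders_vulnerable(form):
    """Trust the customer_id that came back in the POST body (the bug)."""
    return CUSTOMERS[form["customer_id"]]["orders"]


def list_orders_fixed(session_token, form):
    """Derive identity from the server-side session; never from client-supplied data.

    If the page still carries a customer_id field for compatibility, it must agree
    with the session or the request is refused.
    """
    cid = SESSIONS.get(session_token)
    if cid is None:
        raise PermissionError("no valid session")
    if "customer_id" in form and form["customer_id"] != cid:
        raise PermissionError("customer_id does not match the session")
    return CUSTOMERS[cid]["orders"]


def demo():
    """Alice's session submits a form whose hidden field has been changed to bob's id."""
    tampered = {"customer_id": "c200"}
    leaked = list_orders_vulnerable(tampered)  # vulnerable handler returns bob's orders
    try:
        list_orders_fixed("sess-alice", tampered)
        blocked = False
    except PermissionError:
        blocked = True  # hardened handler refuses the request
    return leaked, blocked


if __name__ == "__main__":
    print(render_order_page_vulnerable("sess-alice"))
    print(demo())
```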

sendmail concerns. Back in December, Michal Zalewski posted a list of procmail/sendmail bugs, at least one of which included a concern about a security issue with sendmail. Gregory Neil Shapiro posted an official reply this week. "We have run through the possible scenarios we could find and do not believe this to be a threat."

Updates

lpr/lprold: problems with potential IP spoofing and the ability to specify an alternate configuration file.

Resources

Bruce Schneier's CRYPTO-GRAM. The January 15th edition of CRYPTO-GRAM describes "publicity attacks". "I call this kind of thing a publicity attack. It's a blatant attempt by nCipher to get some free publicity for the hardware encryption accelerators, and to scare e-commerce vendors into purchasing them. And people fall for this, again and again." It also contains Bruce's comments on the new cryptography regulations and a great many fun links.

ssh-proxy. Magosanyi Arpad has released the code to a partially-developed ssh-proxy. "A serious programmer does not give out such a code. I wouldn't either, but I have to abort this project of mine here and I hope someone will find it interesting enough to keep on."

Section Editor: Liz Coolbaugh


January 20, 2000

Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds