Security

News and editorials

Improving the Linux security model. Theo de Raadt, a member of the OpenBSD team, had some comments on the effectiveness of the "open source" security model when it is not coupled with dedicated staff actually responsible for producing fixes for security problems in a timely manner.

Tom Reed:

This quote was not reproduced in order to cause bad feelings. It is unfair to the work that has been produced by some of the security projects we've followed. Yet they have failed to resolve the larger problem. For example, Theo goes on to point out that the problems fixed in Red Hat's recent update to lpd were originally reported in this advisory, dated ... October of 1997? Ouch.

This does not change the point that having source code available is a critical and necessary part of the process. However, it is not sufficient to guarantee good security, not unless people consistently track down, update and repair problems. This is a problem with security that we've seen for a long time: busy people have good intentions and can do the right thing most of the time, but with security, being lax even in one instance can leave you vulnerable, wasting the effort you did put into security.

In this particular area, relying on unpaid volunteers to handle the problem is irresponsible. Yes, many people, both paid and unpaid, will work together to find security problems, but the companies that are making money from putting their name on the operating systems we use have a responsibility to see that the work of getting those problems fixed happens, and happens in a timely manner. It also needs to happen consistently across all Linux distributions. OpenBSD is acknowledged to be doing a better job; what can we learn from that and apply to Linux?
To demonstrate how important this is, Microsoft has announced a serious commitment to clean up their act with regard to security.
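The VMware report in the Security Reports section below recommends pointing the software at an alternate temporary directory with restricted write privileges. As an added example (not code from the LWN page and not VMware's own), this C snippet shows what "restricted" has to mean for a /tmp symlink race to be defeated: the directory is verified to be a real directory, owned by the caller and writable by nobody else, and files are created with O_CREAT|O_EXCL so that a link planted at the expected name is refused rather than written through. The function names (tmpdir_is_private, create_fresh, open_private_tmp) and the POSIX-only assumption are mine.

```c
/* Added example: safe temporary-file handling against a /tmp symlink race.
 * Assumes a POSIX system; the directory path is supplied by the caller. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if dir is a real directory (lstat: not a symlink), owned by the
 * calling user and not writable by group or others, i.e. a place where no
 * other user can plant a link in advance. Returns 0 otherwise. */
int tmpdir_is_private(const char *dir) {
    struct stat st;
    if (lstat(dir, &st) != 0) return 0;
    if (!S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != getuid()) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Create a file at a fixed, predictable name without following whatever may
 * already sit there: O_CREAT|O_EXCL fails with EEXIST on any existing name,
 * symlink included, instead of opening the link's target.
 * Returns an open fd, or -1 with errno set. */
int create_fresh(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred form: an unpredictable name inside a directory checked first.
 * mkstemp() itself opens with O_CREAT|O_EXCL, so even a guessed name cannot
 * be hijacked by a pre-planted link. On success path_out holds the name
 * actually created. Returns an open fd, or -1 with errno set. */
int open_private_tmp(const char *dir, char *path_out, size_t len) {
    if (!tmpdir_is_private(dir)) { errno = EACCES; return -1; }
    if (snprintf(path_out, len, "%s/vmwXXXXXX", dir) >= (int)len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(path_out);
}
```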
Security Reports

qpopper. [BugTraq ID, January 26th, 2000]. A remotely exploitable buffer overflow in qpopper 3.X has been reported. A temporary patch has been available, but no official update has yet been posted.

BSD /proc vulnerability. [BugTraq ID, January 21st, 2000]. Local users can gain root access. Patches have been made available for FreeBSD and OpenBSD.

vpopmail (vchkpw). [BugTraq ID, January 21st, 2000]. vpopmail (vchkpw) versions prior to 3.4.11e are vulnerable to a remote buffer overflow in vpopmail's password authentication. The problem has been fixed in the latest version, available from Inter7. Note that this problem was originally, erroneously, labeled a "qmail-pop" vulnerability.

DNS hijacking. [BugTraq ID, January 23rd, 2000]. The insecurity of the current DNS system again comes under discussion, this time illustrated by this posting by Dan Bernstein. As summarized in the BugTraq vulnerability entry, "DNS is built upon levels of trust, and by exploiting single points of failure in this trust system ... By consecutively performing these cache attacks, it could be possible for an attacker to entirely take over name service for any given domain." No solution for this problem is currently available.

VMware. [BugTraq ID, January 21st, 2000]. A /tmp symlink vulnerability has been identified. No vendor-supplied fix has been reported, but the software does allow the use of an alternate directory for temporary files. Using that feature, together with a directory with restricted write privileges, is highly recommended.

Updates

Red Hat security update to majordomo. Red Hat has issued an update to majordomo (which appears in the "Powertools" product). For information on the problems that have been fixed, see BugTraq ID 902 (December 28th, 1999) and BugTraq ID 903 (December 29th, 1999). The updated RPMs provided by Red Hat upgrade the package to 1.94-5.
An upgrade is recommended. Also check out this note, which outlines steps you should take to protect the directory in which the majordomo code lives if you are using majordomo.

Resources

connlogd. Alec Kosky's TCP & UDP connection logger, connlogd, is now available via ftp.

Events

New Security Paradigms Workshop 2000. The Call-For-Papers for the New Security Paradigms Workshop, scheduled for September 19 - 21, 2000, in Ballycotton, County Cork, Ireland, has been released. Note that the workshop is limited to authors of accepted papers and the conference organizers. "The New Security Paradigms Workshop is highly interactive in nature. Authors are encouraged to present ideas that might be considered risky in some other forum. All participants are charged with providing feedback in a constructive manner. The resulting brainstorming environment has proven to be an excellent medium for furthering the development of these ideas. The proceedings, published after the workshop, have consistently benefited from the inclusion of workshop feedback."

Section Editor: Liz Coolbaugh
January 27, 2000