LWN.net


Security


News and editorials

Open source encryption software in Denmark. This article on the Skåne Sjælland Linux User Group's site covers a hearing held by the Danish Ministry of Research concerning the use of encryption software to enable Danish citizens to protect themselves from Echelon and other surveillance activities. Thanks in part to SSLUG's efforts, open source software was well represented at this hearing. "Even more interesting was the 'how do you prevent back-doors in your product?'. Most companies stated that third-party reviewers could be allowed to check the source code given that they conform to a NDA (non-disclosure agreement). The representatives for GnuPG and PGP had an easy task here. Roger Needham from Microsoft managed to make the whole audience laugh by stating that 'If our product contains a back-door, we simply don't know anything about it....'" (Thanks to Hans Schou).

More details on "NSA Linux". More information came out this week on exactly what work Secure Computing will be doing on Linux for the NSA, and how that work will be handled, in this note posted to the securedistros mailing list by Tom Haigh, CTO of Secure Computing. "We will open source all the modifications to the kernel as well as deliver a general-purpose security policy engine...Separately, we will use Linux and develop Linux policy engines for our own products, such as Sidewinder. These policy engines will remain proprietary to Secure Computing."

If you are interested in some of the code origins of the planned "Type Enforced Linux" from Secure Computing, check out Jay Lepreau's comments and Tom Haigh's response from recent conversations on the securedistros list.

Security Reports

New FreeBSD update for procfs. Previous fixes to problems with procfs under FreeBSD have been found to be incomplete. Upgrading to the latest patch is strongly recommended, to prevent potential local root compromises.

Cobalt RAQ server vulnerabilities. The RAQ1, RAQ2 and RAQ3 servers from Cobalt contain vulnerabilities that may allow the site administrator password to be trivially acquired. Cobalt has issued an advisory covering the issues, with information on where to acquire patches to resolve the problems. Applying the patches as soon as possible is highly recommended.

Updates

Debian advisory: symlink problem in apcd package. Debian has issued an advisory regarding a /tmp symlink vulnerability in the apcd package. If you have this package installed, an upgrade is strongly recommended.

Resources

SARA Security Auditor. SARA, which stands for the "Security Auditor's Research Assistant", is based on the original SATAN scanner, but offers quick response to today's problems and a real-time report writer. It has been field-tested and is now being made available as free software, with a commercial product, SARA Pro, apparently on the way.

Instructor 1.0 is a "32 bit instruction set auditor" announced by author David Goldsmith.

Section Editor: Liz Coolbaugh


February 3, 2000


Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds