[LWN Logo]

 Main page
 Linux in the news
 Back page
All in one big page

See also: last week's Security page.


News and editorials

A Secure and Open Society (ComputerWorld Canada). An interview with OpenBSD developer and recognized security guru Theo de Raadt, entitled A Secure and Open Society, takes a look at what OpenBSD has done differently to make itself possibly the most secure operating system available today. " The secret is straightforward. de Raadt and his peers assume that every single bug found in the code occurs elsewhere. de Raadt admits it sounds simple, but just rooting security bugs out of the entire source tree took 10 full-time developers one and a half years to complete."

A simple concept, but one that requires a tremendous amount of effort to implement. Another view of the effort required was produced by this interaction on BugTraq. First, H D Moore complained about buffer overflows in applications shipped with SuSE Linux that had been previously reported, but continued to persist. Note that these applications were not installed with enhanced privileges, but could potentially be run by a more privileged process. Marc Heuse responded, bringing to light the problem caused when such bugs are fixed, but the fixes are not incorporated into the developer tree, due to lack of time or interest on the part of the developer/maintainer. The bugfixes produced by OpenBSD, for example, are all made available, but do not generally get incorporated into the developer's tree, leaving versions of the software for other free operating systems vulnerable.

So blame the developers? Bad policy. Encourage the developers. Pay the developers. After all, without them the software wouldn't exist at all. Best of all, educate the developers, just as much as the end user, the system administrator and the distributor, to care about security, even when the immediate risk level seems small. We are all only as safe as the weakest link in this chain.

Security Reports

Linux kernel-related vulnerabilities. The latest stable kernel prepatch, 2.2.15pre16, contains two security fixes that will make the update to 2.2.15, once released, more imperative. In addition, if a fix comes out quickly enough for the reported UDP masquerading vulnerability, that will be included in 2.2.15 before it is released as well.

gpm-root improper permissions handling. Egmont Koblinger posted a report of improper permissions handling in gpm-root, a tool included in the gpm package. He followed up with a patch when it was pointed out that gpm is now a package looking for a new maintainer. Alessandro Rubini, author of gpm-root, also followed up, promising that a fix for the problem will be included with gpm 1.19.1, which should be released in a few days. That will presumably be the last version of gpm released, unless a new maintainer steps to the plate.

SuSE: IMAP vulnerability. SuSE has published an advisory for a vulnerability in the IMAP server that could allow an attacker to create or delete mail folders. Few details are included, but a fix has been made available.

Subtle data corruption of TCP streams. Wietse Venema posted an analysis of a problem with data corruption of TCP streams when TCP-level options are turned on. Eventually, the problem was traced down to an unnamed bandwidth management system.


mh/nmh. See discussion in the March 9th, 2000 LWN Security Summary.

usermode. See discussion in the January 6th, 2000 LWN Security Summary.

Section Editor: Liz Coolbaugh

March 30, 2000

Secure Linux Projects
Bastille Linux
Khaos Linux
Secure Linux

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Security Software Archives
ZedZ.net (formerly replay.com)

Miscellaneous Resources
Comp Sec News Daily
Linux Security Audit Project
Security Focus

Next: Kernel

Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds