Sections: Main page Security Kernel Distributions Development Commerce Linux in the news Announcements Back page All in one big page See also: last week's Security page. |
SecurityNews and editorialsA Secure and Open Society (ComputerWorld Canada). An interview with OpenBSD developer and recognized security guru Theo de Raadt, entitled A Secure and Open Society, takes a look at what OpenBSD has done differently to make itself possibly the most secure operating system available today. " The secret is straightforward. de Raadt and his peers assume that every single bug found in the code occurs elsewhere. de Raadt admits it sounds simple, but just rooting security bugs out of the entire source tree took 10 full-time developers one and a half years to complete."A simple concept, but one that requires a tremendous amount of effort to implement. Another view of the effort required was produced by this interaction on BugTraq. First, H D Moore complained about buffer overflows in applications shipped with SuSE Linux that had been previously reported, but continued to persist. Note that these applications were not installed with enhanced privileges, but could potentially be run by a more privileged process. Marc Heuse responded, bringing to light the problem caused when such bugs are fixed, but the fixes are not incorporated into the developer tree, due to lack of time or interest on the part of the developer/maintainer. The bugfixes produced by OpenBSD, for example, are all made available, but do not generally get incorporated into the developer's tree, leaving versions of the software for other free operating systems vulnerable. So blame the developers? Bad policy. Encourage the developers. Pay the developers. After all, without them the software wouldn't exist at all. Best of all, educate the developers, just as much as the end user, the system administrator and the distributor, to care about security, even when the immediate risk level seems small. We are all only as safe as the weakest link in this chain. Security ReportsLinux kernel-related vulnerabilities. The latest stable kernel prepatch, 2.2.15pre16, contains two security fixes that will make the update to 2.2.15, once released, more imperative. In addition, if a fix comes out quickly enough for the reported UDP masquerading vulnerability, that will be included in 2.2.15 before it is released as well.
gpm-root improper permissions handling. SuSE: IMAP vulnerability. SuSE has published an advisory for a vulnerability in the IMAP server that could allow an attacker to create or delete mail folders. Few details are included, but a fix has been made available. Subtle data corruption of TCP streams. Wietse Venema posted an analysis of a problem with data corruption of TCP streams when TCP-level options are turned on. Eventually, the problem was traced down to an unnamed bandwidth management system. Updatesmh/nmh. See discussion in the March 9th, 2000 LWN Security Summary.
usermode. See discussion in the January 6th, 2000 LWN Security Summary.
Section Editor: Liz Coolbaugh |
March 30, 2000
|