Security

News and Editorials

Vulnerability Reporting: Bugs in the bug reporting process (CORE-SDI).
Volume 3, Issue 3 of Insight, a newsletter from The Internet Security Conference, contains a column by Ivan Arce, Founder and Chairman of the Board of CORE-SDI, which discusses the problems in the current ad-hoc process for reporting security vulnerabilities. The column lays out a detailed list of the steps that may be involved in a given security report, then outlines many of the ways in which that process can break down. Near the end, he recommends a simplified set of guidelines:

The guidelines: A feeble attempt at improving the process

From here, though, he goes on to end with a recommendation to "formalize and implement a vulnerability reporting process". That opens many cans of worms: who is involved in "formalizing" such a process, and, once it is formalized, what are the penalties for non-conformance? The "who" is mentioned at the beginning of the article, which was inspired by discussions at SafeNet2000, an invitation-only gathering sponsored by Microsoft that was held last December. Apparently as a result of that gathering, work to formalize the process is already underway. Neither the sponsor nor the invitation-only nature of that gathering recommends it to us.

The article does a good job of showing why the ideal process of reporting vulnerabilities will always be impacted by reality (insufficient resources, poor vendor response, multiple discoverers, active exploits, etc.); in short, why a formalized process will always tend to break down. Add to that the danger of allowing a closed (invitation-only) group to define, implement and potentially enforce a formal process, and it seems we might end up exchanging one set of problems for a less appealing set. Starting and ending with the simple guidelines suggested seems like a better idea.

WEP: No weapon against hackers (ZDNet).
You might assume that this latest ZDNet article on WEP was also about the cryptographic weaknesses in WEP that have been covered over the last couple of weeks. You'd be wrong. Instead, it looks at the issue of keeping trespassers off of your wireless LAN. "Controlling access to wireless networks is an increasingly difficult challenge for network administrators. Unlimited access means that anyone with a wireless network card could gain access to the network. On the other hand, highly restricted access negates the benefits of going wireless and annoys the users."

More SSH articles.
For those still with the stamina to handle more editorial coverage of the SSH trademark issue, C|Net's Robert Lemos has written an article entitled "Ssh! Don't use that trademark". "'Regardless of its origins, the word has become the generic description for this type of software,' said Michael Bednarek, an intellectual property attorney at Washington, D.C.-based law firm Shaw Pittman. 'As far as I can tell, there is no other name for it.'"

Security Reports

Security hole in Java may expose servers (News.com).
Sun has issued a warning that a bug in Java Runtime Environments for multiple platforms, including Linux, may allow an attacker to run harmful programs on a server, though client systems running browsers should be unaffected.

Linux-Mandrake security advisory for CUPS.
Linux-Mandrake has issued a security advisory for the CUPS printing packages. An internal audit found buffer overflow and temporary file creation problems. It is highly recommended that all Linux-Mandrake users upgrade to this new version of CUPS.

sudo buffer overflow.
A buffer overflow in Sudo, apparently discovered by Chris Wilson, has been fixed in the just-released sudo 1.6.3p6.
Zope security update.
Digital Creations has released a security update to Zope (all versions up to 2.3b1) fixing a security vulnerability in how ZClasses are handled. An upgrade is recommended.
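The PHP-Nuke magic quotes report later in this section makes a general point: a PHP script that depends on magic_quotes_gpc being enabled behaves differently, and unsafely, when the setting is off. The following is an added example, not PHP-Nuke's code and not the tip that report links to. It normalizes request input whether or not magic quotes is on, so escaping happens exactly once and explicitly in the script rather than implicitly in php.ini. The function names and the sample inputs are assumptions for illustration. It targets the PHP 4 era this report belongs to: get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8.0.

```php
<?php
// Added example, not PHP-Nuke's code. Function names and sample inputs are
// assumptions for illustration. PHP 4-era API: get_magic_quotes_gpc() was
// deprecated in PHP 7.4 and removed in PHP 8.0.

// Return request input in its raw form regardless of the magic_quotes_gpc
// ini setting, so later code applies exactly one, explicit escaping step.
function raw_param($value)
{
    if (is_array($value)) {
        return array_map('raw_param', $value);
    }
    // If PHP already added backslashes on the way in, remove them;
    // otherwise the value is already raw.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Quote a value for interpolation into an SQL statement. addslashes()
// escapes ' " \ and NUL, so a raw NUL byte never reaches the query string
// and the PHP-side view of the data no longer diverges from what a
// NUL-terminated C consumer would see.
function sql_quote($value)
{
    return "'" . addslashes(raw_param($value)) . "'";
}

// Constructed sample inputs (not taken from the advisory).
$samples = array(
    "O'Reilly",        // quote that would otherwise break the statement
    "admin\0ignored",  // NUL byte: PHP keeps "ignored", C would stop at "admin"
    "plain",
);

foreach ($samples as $s) {
    echo sql_quote($s), "\n";
}
```

Where the database extension provides its own escaping function, or prepared statements in later PHP releases, prefer those to addslashes(); the point here is only that the script's correctness must not depend on the ini setting. The same normalization applies to $HTTP_GET_VARS, $HTTP_POST_VARS and cookie values, since magic_quotes_gpc affects all three.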
elm alternate folder buffer overflow.
A buffer overflow in elm 2.5 PL3 was demonstrated this week. It can be exploited by passing a long string in via the "-f" option. No patch or updated version has yet been reported. Check BugTraq ID 2403 for more details.

PHP-Nuke magic quotes vulnerability.
A new vulnerability in PHP-Nuke was reported this week which can allow any user to execute commands with the privileges of the PHP-Nuke administrator. The code expects magic_quotes_gpc to be enabled; if it is disabled, the escaping of quotes and NUL bytes that the setting would otherwise have applied to request input never happens, and information continues to be read even after a NULL character is seen. An upgrade to PHP-Nuke 4.4.1 will fix the problem. Note, however, that any PHP script that expects Magic Quotes to be enabled could have this same problem. Here is a recommended tip to prevent such problems.

joe file handling vulnerability.
The configuration file for the joe editor, .joerc, is read first from the current directory, if one is present, making it possible to trick users into executing commands if they edit or open a file in a directory where a malicious .joerc has been installed. No workaround or vendor solution has been posted yet, though in theory a patch should be fairly easy to implement: remove the check for the configuration file in the current directory and restrict the file to the user's home directory or the appropriate system directory. An informal report indicates that FreeBSD and NetBSD are vulnerable to this, but that OpenBSD is not. No Linux-specific reports have been posted.

Slackware IMAP exploit.
A short note in the slackware-current changelog commented that all previous versions of imapd (which is installed by default on Slackware) had a remote exploit problem. This was slightly puzzling to us, since we hadn't heard of a new imapd vulnerability, and Slackware issued an update for imapd in November that fixed the most recent vulnerability we knew of.
Wednesday, though, an update to the Slackware Changelog cleared up the confusion:

Tue Feb 27 15:31:05 PST 2001

web scripts.
The following cgi-bin scripts were reported to contain vulnerabilities:
Commercial products.
The following commercial products were reported to contain vulnerabilities:
Updates

Analog buffer overflow.
An exploitable buffer overflow in analog was reported in the February 22nd LWN Security Summary. Version 4.16 contains a fix for the problem, which affects all earlier versions.

This week's updates:

Multiple vulnerabilities in bind 8.2.2 and bind 4.
Check the February 1st LWN Security Summary for the initial reports. Bind 8.2.3 contains fixes for the problems with 8.2.2. Bind 4 fixes are also available, but an upgrade to bind 8 or even bind 9 is generally considered the preferable approach.

This week's updates:

Previous updates:
Sendmail 8.11.2 security fixes.
Check the January 4th LWN Security Summary for the announcement of the release of sendmail 8.11.2. It includes fixes for a number of security issues found after 8.11.1 was released, including the "sendmail -bt negative index bug" reported by Michal Zalewski in October 2000. Note that the exploitability of this bug was questioned, but in any case it has been fixed as of sendmail 8.11.2.

This week's updates:

dump-0.4b15 local root access.
Check the November 2nd LWN Security Summary for the original report. This exploit only affects dump/restore if they are installed setuid root. As of dump-0.4b18, dump and restore no longer require setuid root. dump 0.4b20 was released in mid-November 2000 with a fix for this problem.

This week's updates:

Previous updates:
Format string vulnerabilities in PHP.
Check the October 19th LWN Security Summary for the original report. PHP 3.0.17 and 4.0.3 contain the fixes for these problems.

This week's updates:

Previous updates:
LPRng format string vulnerability.
Check the September 28, 2000 LWN Security section for the first report of format string vulnerabilities in LPRng and lpr.

This week's updates:

Previous updates:
Resources

OpenSSH 2.5.1p2.
A new, minor update to the portable version of OpenSSH, 2.5.1p2, has been announced. The new version primarily contains bug fixes, none of them for a specific security problem, but the upgrade is still recommended, in particular for its fixes for the PAM failures seen on Linux (and Solaris) systems.

Events

Upcoming security events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh
March 1, 2001