
Security


News and Editorials

ptrace/execve/procfs race condition in the Linux kernel 2.2.18. Exploits were released this week for a ptrace/execve/procfs race condition in the Linux kernel 2.2.18. Linux 2.2.19 was released at the same time. Given that the exploit is already available, expect to see 2.2.19 updates from the various Linux distributions in short order. Of course, downloading and compiling Linux 2.2.19 directly will also close the hole. Depending on your distribution, though, you may end up without some of the patches that were included in your original kernel.

Solar Designer also released updated versions of his OpenWall kernel patch for 2.2.19 and for 2.0.39 as well. You will find them at the OpenWall project. The OpenWall kernel patch contains a collection of security-related features and makes them configurable for the kernel. Check the OpenWall README and FAQ for more details.

Distribution updates available so far:

OpenSSH 2.5.2p2 released. OpenSSH 2.5.2p2 has been released. It includes a number of fixes (including improvements in the defenses against the passive analysis attacks discussed in last week's LWN security page) and quite a few new features as well.

Packages of the new OpenSSH are already popping up:

SSH inventor denied trademark request (NW Fusion). Network World Fusion reports on the IETF meeting where Tatu Ylönen's request for a name change for the ssh protocol was turned down. "But IETF participants argued that both Secure Shell and its acronym SSH were generic terms that can't be protected by trademarks. Ultimately, the working group voted 3 to 1 to reject Ylönen's request. 'I'm very disappointed,' Ylönen said after the meeting. 'What will I do next? Consult my lawyers.'"

The Wireless Underground: San Francisco's Free Computer Networks. In this case, it isn't about free software; it is about illegal access to poorly secured (if secured at all) wireless networks in downtown San Francisco. Check out this SFGate article on the subject, which reports on tests done by folks from the Bay Area Wireless User Group (BAWUG).

"We walked around the Financial District with a laptop and an antenna, and we could pick up about six networks per block," says Matt Peterson, a network engineer and founder of the Bay Area Wireless User Group (BAWUG).

Aside from networks that were not intended to be open, though, others are being intentionally left open by individuals, freely allowing anyone who happens to be in the area to use their wireless networks to get connected. That provides an interesting model for offering Internet access to a community as a whole.

Unless you are intending to contribute to such a free community, though, configuring your wireless system to only allow specific MAC addresses to connect is recommended.

A Windows/Linux virus? A company called Central Command ("Without us, there's no defense") has put out a press release claiming the discovery of a virus that can infect both Windows and Linux systems. It works by infecting executable files in the local directory, so it's not going to get all that far in the Linux world... the "media virus," on the other hand, seems to be propagating well, with articles in Reuters, ZDNet, and Newsbytes.

Security Reports

New Linux worm sighted. Here's an alert from SANS on the so-called "Lion worm" which has been recently sighted on the net. This worm takes advantage of the well-known holes in BIND (fixed by most distributors back in January) to break into new systems. At that point it does a number of unpleasant things. Those who have applied their BIND updates need not worry; the rest of you should probably do so fairly soon. SANS has also posted a detection and removal script. (Thanks to Greg Bailey).

Kerberos libkrb4 race condition. A race condition in libkrb4 can be exploited to overwrite the contents of any file on the system.

VIM statusline Text-Embedded Command Execution Vulnerability. A security problem has been reported in VIM where VIM commands could be maliciously embedded in files and then executed when the file is opened in vim-enhanced or vim-X11.

Buffer overflows in imapd, pop2d and pop3d. SuSE issued an advisory this week concerning buffer overflows in imapd, ipop2d and ipop3d. The advisory implies that these overflows became remotely exploitable due to a configuration error: "Due to a misconfiguration these vulnerabilities could be triggered remotely after a user had been authenticated".

This implies that the vulnerability may be specific to SuSE, though the advisory does not explicitly confirm this.

FCheck local command execution vulnerability. FCheck, a perl-based file integrity checker, contains an insecurely-programmed call to open() which does not properly filter user input. As a result, a file can be created with metacharacters in the filename that, when scanned by FCheck, will cause it to execute the commands under the FCheck uid. FCheck 2.6.57 through 2.78.58 are vulnerable; FCheck 2.78.59 is not. Check BugTraq ID 2497 for more details.
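The hazard described above is Perl's two-argument open(), which interprets pipe and redirection characters in the filename it is handed. The following is an added example, not FCheck's own code, of how an integrity scanner can open every file it finds without letting the filename be interpreted; the scan root and the report format are assumptions.

```perl
#!/usr/bin/perl
# Added example, not FCheck's own code: a minimal integrity scan that
# opens files found on disk without letting their names be interpreted.
# With two-argument open(FH, $name), Perl treats leading or trailing
# '|', '<' and '>' in $name as pipe/redirection syntax, so a filename a
# local user created becomes a command the scanner runs as its own uid.
# Three-argument open fixes the mode, so $name is only ever a path.
use strict;
use warnings;
use Digest::MD5;
use File::Find;

# Hypothetical scan root; defaults to the current directory.
my $root = defined $ARGV[0] ? $ARGV[0] : '.';

# Hash one file. Returns "ok <hexdigest>", "skip: ...", or "error: ...".
sub digest_file {
    my ($path) = @_;
    # lstat, not stat: do not follow a symlink planted by another user.
    lstat($path) or return "error: $!";
    return "skip: not a regular file" unless -f _;
    # Three-argument open: the mode is fixed to '<', so any '|' in $path
    # is just a byte in a filename, never a shell pipe.
    open(my $fh, '<', $path) or return "error: $!";
    binmode $fh;
    my $ctx = Digest::MD5->new;
    $ctx->addfile($fh);
    close $fh;
    return "ok " . $ctx->hexdigest;
}

# Names with shell metacharacters or control bytes are worth logging:
# an integrity checker should report them, never hand them to a shell.
sub suspicious_name {
    my ($path) = @_;
    return $path =~ /[|<>;&`\$\x00-\x1f]/ ? 1 : 0;
}

# One report line per entry; control bytes are escaped so a crafted
# name cannot forge extra lines in the report.
find({
    no_chdir => 1,
    wanted   => sub {
        my $path   = $_;
        my $result = digest_file($path);
        my $flag   = suspicious_name($path) ? " [suspicious name]" : "";
        (my $shown = $path) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
        print "$result  $shown$flag\n";
    },
}, $root);
```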

UFS/ext2fs data consistency race condition. FreeBSD has reported a data consistency race condition that affects the Unix File System (UFS), commonly used on BSD and other Unix systems, and ext2fs, commonly used on Linux systems. This race condition may be used by one user to gain access to data from files deleted by other users. A patch for FreeBSD has been provided.

MySQL 3.23.36 released, fixing security hole. An apparently ancient security hole in MySQL, in which database names starting with ".." were accepted, has been closed in the latest release, MySQL 3.23.36.

Web scripts. The following web scripts were reported to contain vulnerabilities:

  • Akopia Interchange, a GPL'd ecommerce system, contains sample scripts which can allow unauthenticated users to access the web administration database with privilege. A simple change to the sample code will fix the problem.

  • SWSoft ASPSeek s.cgi versions 1.0.0 through 1.0.3 contain a buffer overflow vulnerability which can be used to execute arbitrary commands under the uid of the webserver. No fix or workaround has been provided so far.

    Update: we've been informed that we're somewhat behind the times on ASPSeek development. The vulnerability described here was fixed in 1.0.4, and remains fixed in several subsequent releases. We regret the error.

  • The cgi-script 'pwc' is reported to contain a format string vulnerability.

Commercial products. The following commercial products were reported to contain vulnerabilities:

  • Cisco has released an advisory for the Cisco Catalyst SSH Protocol Mismatch Vulnerability. It affects Cisco VPN 3000 series concentrators with software prior to version 3.0.00 and allows a flood of data to cause a reboot. An upgrade to 3.0.00 should fix the problem.

Updates

licq URL checking problem. Check the March 22nd LWN Security Summary for the original report.

This week's updates:

Previous updates:

timed denial-of-service vulnerability. Check the March 15th security report for this denial-of-service vulnerability in timed.

This week's updates:

Previous updates:

sgml-tools temporary file vulnerability. See the March 15th LWN security page for the initial report.

This week's updates:

Previous updates:

ePerl buffer overflows. Check the March 8th LWN Security Summary for the initial report.

This week's updates:

Previous updates:

sudo buffer overflow. Check the March 1st LWN Security Summary for the original report.

This week's updates:

Previous updates:

joe file handling vulnerability. Check the March 1st LWN Security Summary for the initial report.

This week's updates:

Previous updates:

BSD ftpd single byte buffer overflow. Check the December 21st, 2000 LWN Security Summary for the initial report. NetBSD and OpenBSD systems are affected; FreeBSD is not. BugTraq ID 2124 also covers this issue.

This week's updates:

Previous updates:
  • Trustix, not vulnerable, but new BSD ftpd packages provided anyway (December 21st, 2001)
  • OpenBSD (December 21st, 2000)
  • Trustix, BSD ftpd packages updated due to a typo in the original patch (December 21st, 2000)

Resources

Bastille Linux 1.2.0.pre22 (Testing Releases). A new development version of Bastille Linux was announced Tuesday. This snapshot primarily contains bugfixes and apparently heralds the nearness of the new stable release, Bastille Linux 1.2.0.

Linux Intrusion Detection System 0.9.15 for 2.2.19. With the release of Linux kernel 2.2.19, a new version of the Linux Intrusion Detection System (LIDS) has been announced, LIDS 0.9.15.

Avaya Releases Linux Security Software. Avaya Labs announced it is releasing Libsafe 2.0, a version of its free security software for Linux. Libsafe version 2.0 adds the ability to protect against security attacks that exploit "format string" vulnerabilities in software.

Czech PGP Flaw Tech Details. Details from the PGP Flaw reported last week have been released in a technical paper, along with Hal Finney's analysis of the flaw, which was posted to the OpenPGP list.

New Turbolinux key. The Turbolinux staff has updated their public key.

Events

Upcoming security events.

Date                     Event                                               Location
March 29, 2001           Security of e-Finance and e-Commerce Forum Series   Manhattan, New York, USA
March 30-April 1, 2001   @LANta.CON                                          Doraville, GA, USA
April 6-8, 2001          Rubi Con 2001                                       Detroit, MI, USA
April 8-12, 2001         RSA Conference 2001                                 San Francisco, CA, USA
April 20-22, 2001        First annual iC0N security conference               Cleveland, Ohio, USA
April 22-25, 2001        Techno-Security 2001                                Myrtle Beach, SC, USA
April 24-26, 2001        Infosecurity Europe 2001                            London, Britain, UK
May 13-16, 2001          2001 IEEE Symposium on Security                     Oakland, CA, USA
May 13-16, 2001          CHES 2001                                           Paris, France
May 29, 2001             Security of Mobile Multiagent Systems (SEMAS-2001)  Montreal, Canada
May 31-June 1, 2001      The first European Electronic Signatures Summit     London, England, UK

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


March 29, 2001

Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds