
See also: last week's Security page.


News and Editorials

Warhol worms? Nicholas C Weaver has done a worst-case analysis on just how quickly a virulent worm could infect essentially all of the vulnerable systems on the net. The answer: 15 minutes. One could quibble with the details and assumptions of the analysis, but the answer remains the same. A carefully-written worm could propagate worldwide in a very short period of time.

This, of course, is a scary result. In 15 minutes, very little can be accomplished with things like security alerts, worm analysis, and patches. By the time anybody knows there is a problem, it's over.

Some malware writer is sure to see an analysis of this type as a challenge; the probability of a high-speed worm in the near future seems high. The net, as it stands now, is a frighteningly vulnerable place.

The August CRYPTO-GRAM newsletter. Bruce Schneier's CRYPTO-GRAM newsletter for August is out. Topics discussed include Code Red and the arrest of Dmitry Sklyarov.

The truth is that we all got lucky. Code Red could have been much worse. It had full control of every machine it took over; it could have been programmed to do anything the author imagined, including dropping the entire Internet. It could have spread faster and smarter. It could have exploited several vulnerabilities, and not just one. It could have been stealthier. It could have been polymorphic.

The newsletter also points to a biography of 'Alice' and 'Bob' by John Gordon that is well worth a read.

Against all odds, over a noisy telephone line, tapped by the tax authorities and the secret police, Alice will happily attempt, with someone she doesn't trust, whom she cannot hear clearly, and who is probably someone else, to fiddle her tax returns and to organize a coup d'etat, while at the same time minimizing the cost of the phone call. A coding theorist is someone who doesn't think Alice is crazy.

Security Reports

Buffer overrun vulnerabilities in fetchmail. "antirez" (Salvatore Sanfilippo) has posted an advisory regarding two buffer overrun vulnerabilities in the much-used fetchmail program. Given a hostile server, arbitrary code can be run on the system running fetchmail. The solution is to upgrade to fetchmail 5.8.17. Distributors have been a bit slow in coming out with updates; here's what we have so far.

Debian security update to Window Maker. The Debian Project has issued a security update to Window Maker fixing a buffer overrun problem that could, conceivably, be exploited remotely.

Debian groff update. Debian has posted a security advisory for groff to address printf format string vulnerabilities. No other distributors have yet issued updates for this problem.

Local root vulnerability in TrollFTPD. The TrollFTPD FTP server contains a buffer overflow problem which could result in root access for local users. The solution is to upgrade to version 1.27 or later. Note that the Pure-FTPd server, which is derived from TrollFTPD, is not vulnerable to this problem.

Web scripts. The following web scripts were reported to contain vulnerabilities:

  • A vulnerability exists in the phpBB bulletin board system, versions 1.4.0 and earlier, which can allow an attacker to execute arbitrary code on the server. Upgrade to 1.4.1 or later to fix the problem.
  • NetCode NC Book 0.2b (a Perl-based guest book) has a vulnerability which allows command execution on the server.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

  • Xerox has a firmware upgrade available for N40 printers which, it seems, do not handle Code Red scans well. Of course, one could question the wisdom of putting a network printer in a place where it is exposed to Code Red attacks in the first place.


Vulnerabilities in Horde IMP. Horde IMP has several vulnerabilities which are fixed in version 2.2.6; see Bugtraq IDs 3066, 3079, 3082, and 3083 for more details.

Previous updates:

Denial of service vulnerability in OpenLDAP. This problem was first identified in a CERT advisory issued in July, 2001. It was covered in the July 19, 2001 LWN security page.

Previous updates:

Procmail race conditions. See the July 26 Security page for the initial report.

This week's updates:

Previous updates:

Squid httpd acceleration ACL vulnerability. This vulnerability could result in unauthorized access to the squid server. See the July 26 Security page for details.

This week's updates:

Previous updates:

Multiple vendor telnetd vulnerability. This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.

This week's updates:

Previous updates:

Buffer overflows in xloadimage. This problem was first covered in the July 12 Security page.

Previous updates:

Yellow Dog catches up. A major flurry of security updates came out for the Yellow Dog Linux distribution this week. Many of them were dated in July, but didn't hit the net for a while thereafter. Beyond the ones mentioned above, the new updates include (with links to the first coverage of the vulnerabilities in LWN):

Progeny also gets moving. Progeny Linux Systems also caught up on its security updates this week. Beyond the alerts listed above, we have:


The Log Analysis mailing list has been announced. This list exists for people interested in setting up and using a central logging infrastructure; "most of the discussion will focus on the care and feeding of syslog."

Linux Advisory Watch. The LinuxSecurity.com Linux Advisory Watch for August 10 is out, as is the Linux Security Week Newsletter for August 13.

Linux IPsec Gateways Using FreeS/WAN. SecurityFocus has put up a beginner's article on setting up FreeS/WAN. "FreeS/WAN has one interesting feature that makes it distinct from most other IPsec implementations: DES encryption is unsupported. According to the FreeS/WAN home page, 'DES is, unfortunately, a mandatory part of the IPSEC standard. Despite that, we will not implement DES. We believe it is more important to provide security than to comply with a standard which has been subverted into allowing weak algorithms.'"

A new system fingerprinting tool. Xprobe is a new operating system identification tool by Ofir Arkin and Fyodor Yarochkin. It claims more accurate results while needing to send fewer probes to the target system; there is also a white paper describing how it all works.

Snort 1.8.1 has been released. It contains a number of fixes and new features; see the announcement for details.


Upcoming Security Events.
Date | Event | Location
August 16 - 17, 2001 | 10th USENIX Security Symposium 2001 Conference | Washington, D.C.
September 11 - 13, 2001 | New Security Paradigms Workshop 2001 (NSPW) | Cloudcroft, New Mexico, USA
September 28 - 30, 2001 | Canadian Association for Security and Intelligence Studies (CASIS 2001) (Dalhousie University) | Halifax, Nova Scotia, Canada

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Jonathan Corbet

August 16, 2001


Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds