Sections: Main page Security Kernel Distributions On the Desktop Development Commerce Linux in the news Announcements Linux History Letters All in one big page See also: last week's Security page. |
SecurityNews and EditorialsNew NSA SELinux release. A new release of the NSA's Security Enhanced Linux has been announced. This version is based on the 2.4.9 kernel; the most interesting new feature, though, is likely to be that this release is built on the new Linux security module architecture. It's the first release of this work as part of an integrated product, and thus it gives an indication of how future secure Linux releases will look. The security module project, remember, started after the Kernel Summit last March. Linus Torvalds had stated that he wanted the various security projects to agree on a framework for hooking security extensions into the kernel, so that users could easily experiment with (and switch between) them. Work on the security module project has been proceeding quickly, to the point that the developers are beginning to consider proposing it for inclusion in the 2.5 kernel. Assuming there ever is a 2.5 kernel, of course. The SELinux release is a good step in that direction, since it provides a demonstration of a security-enhanced kernel using the new architecture. It will also allow for wider testing of the security module code and help to shake out the remaining problems. See the NSA Security-Enhanced Linux pages for more information. The generic security module code can be found on the Linux Security Module page. CERT's quarterly summary is available; as usual, it points out the security vulnerabilities that (in CERT's opinion) people should be most worried about. It is dominated this time around by Windows-specific problems - Code Red, Sircam, etc. There is one issue in the list that is relevant for Linux users, though: the telnetd vulnerability. The current list of telnetd updates appears in the "Updates" section below; anybody who is still running telnet should be sure to apply the relevant update to their systems. Security ReportsBuffer overflow in AOLserver. The AOLserver web server has been reported to crash when fed a long authorization string as input. Such problems are usually exploitable, though no exploit has yet been reported in this case. Older versions of AOLserver (3.0, 3.2) are vulnerable; the current version (3.4) is not.
String handling problems in xinetd. A new set of problems has
been found in xinetd, having to do with how it handles strings. Versions
prior to 2.3.1 are vulnerable, and should be upgraded. As of this writing,
the only distributor update available is from Conectiva.
web scripts.
Proprietary products. The following proprietary products were reported to contain vulnerabilities:
UpdatesLinux Kernel 2.4 Netfilter/IPTables vulnerability. Check the April 19 LWN Security Summary for the original report. The NetFilter team has provided a patch for Linux 2.4.3.Previous updates:
Previous updates:
This week's updates:
Previous updates:
Multiple vendor telnetd vulnerability. This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
This week's updates: Previous updates:
Previous updates:
ResourcesLinuxSecurity.com's weekly newsletters (Linux Security Week and Linux Advisory Watch are available.EventsRAID 2001, the Fourth International Symposium on Recent Advances in Intrusion Detection, will happen in Davis, California, on October 10 to 12. A call for participation has been posted.
The 14th Annual Computer Security Incident Handling Conference will
be held on June 24 to 28 at the Hilton Waikoloa Village in
Hawaii. The call for papers has been issued; the
submission deadline is November 16.
Upcoming Security Events.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net. Section Editor: Jonathan Corbet |
August 30, 2001
LWN Resources | ||||||||||||