Security


News and Editorials

OpenSSH 3.0 released. OpenSSH version 3.0 has been released. It includes a great many new features, including smartcard support, improved Kerberos support, dynamic forwarding, and more.

CERT advisory on lpd vulnerabilities. CERT has issued an advisory regarding several vulnerabilities in the lpd print system. Most of the problems are old; the purpose of the advisory is to remind people to apply their upgrades.

Security Reports

Trouble with netfilter and syncookies. Just when you had installed a new kernel and thought that the security problems were behind you, a new one turns up. It's an obscure problem, but, in many cases, worth fixing anyway. Essentially, the "syncookies" mechanism, developed to defend against SYN flood attacks, can be exploited by a clever attacker to circumvent netfilter firewall rules that block incoming connections. Since many firewall setups depend on blocking these connections, this vulnerability could seriously compromise the protection of the system or network. A short-term workaround is to turn off syncookies:

  echo 0 > /proc/sys/net/ipv4/tcp_syncookies
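
A more careful form of the workaround, as an added example that is not part of the original article: it reports the current setting, turns syncookies off, and confirms that the change took effect. The function names, the `--status`/`--apply` options and the SYNCOOKIES_FILE override are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: check, apply and verify the syncookies workaround.
# SYNCOOKIES_FILE can be overridden (an assumption of this example) so the
# logic can be tried against a scratch file instead of the live /proc entry.
SYNCOOKIES_FILE="${SYNCOOKIES_FILE:-/proc/sys/net/ipv4/tcp_syncookies}"

# Print one of: absent, disabled, enabled, unknown.
syncookies_state() {
    if [ ! -r "$SYNCOOKIES_FILE" ]; then
        # No such entry: kernel built without syncookie support,
        # or /proc is not mounted.
        echo absent
        return 0
    fi
    value=""
    read -r value < "$SYNCOOKIES_FILE" || true
    case "$value" in
        0)      echo disabled ;;
        [1-9]*) echo enabled ;;
        *)      echo unknown ;;
    esac
}

# Turn syncookies off. Returns 0 only if they are confirmed off afterwards.
disable_syncookies() {
    case "$(syncookies_state)" in
        absent|disabled) return 0 ;;   # nothing to change
    esac
    if ! { echo 0 > "$SYNCOOKIES_FILE"; } 2>/dev/null; then
        echo "cannot write $SYNCOOKIES_FILE (root required)" >&2
        return 1
    fi
    [ "$(syncookies_state)" = disabled ]
}

case "${1:-}" in
    --status) syncookies_state ;;
    --apply)  disable_syncookies && echo "syncookies off until next reboot" ;;
esac
```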

Syncookies will be reset at the next reboot; the system will also be more vulnerable to SYN flood (denial of service) attacks while syncookies are disabled. The real fix, of course, is to apply another kernel update. Here are the ones we've seen so far:

Webalizer tag vulnerability. The "webalizer" logfile analysis program has a vulnerability which can allow an attacker to place arbitrary HTML tags into the reports. When the reports are viewed, these tags can be used toward unpleasant ends, including cross-site scripting attacks. A fix is available which closes the vulnerability.

Updates seen so far:

Red Hat updates ghostscript. Red Hat has issued a security update to ghostscript fixing an interesting problem. When ghostscript is used as part of the print spooling system (a common configuration), a clever attacker can use its PostScript file commands to read any file that is accessible to the print spooler. The update disables those commands in that context. There is also a more comprehensive printer update available from Red Hat which includes this fix, a number of others, and tosses in the IBM Omni printer drivers for good measure.

Denial of service vulnerability in Tux. The Tux kernel-based web server has a denial of service vulnerability which can allow a remote attacker to crash the host system. Most systems do not run Tux; those which do should apply the Red Hat kernel update for the syncookie problem; it also fixes this vulnerability.

Caldera security update for libdb. Caldera has released a security update that fixes the libdb package. The update fixes vulnerabilities stemming from unsafe versions of the snprintf and vsnprintf functions, which can be exploited by local and remote attackers.

Format string vulnerability in rwhoisd. The "rwhoisd" whois server has a format string vulnerability which can be used by a remote attacker to run arbitrary code. A patch is available which should be quickly applied by anybody running this server; no distributor updates have been seen as of this writing.

Updates

Configuration file vulnerability in ht://Dig. The ht://Dig search engine contains a vulnerability which allows a remote user to specify an alternate configuration file. If that user is able to place a suitable file in a location where ht://Dig can read it, the system may be compromised. See the original report from the ht://Dig project for details. This vulnerability first appeared in the October 11 LWN security page.

This week's updates:

Previous updates:

Procmail race conditions. See the July 26 Security page for the initial report.

This week's updates:

Previous updates:

Vulnerabilities in tetex. The tetex package has a temporary file handling vulnerability; this problem was first reported in the July 12, 2001 LWN security page.

This week's updates:

Previous updates:

Several vulnerabilities in ucd-snmp. The ucd-snmp package has a number of vulnerabilities, including buffer overflows, format string problems, and temporary file races. This problem was first reported in the August 23 LWN security page.

This week's updates:

Previous updates:

Improper credentials from login. A problem with the login program (in the util-linux package) can, in some situations, cause a user to be given the credentials of another user at login. Use of the pam_limits module, in particular, can bring about this problem. In general, distributions using the default PAM configuration are not vulnerable; an upgrade is probably a good idea anyway. This problem was first reported in the October 18 LWN security page.

This week's updates:

Previous updates:

Resources

Linux Security Week for November 5 from LinuxSecurity.com is now available.

Events

Upcoming Security Events.

Date | Event | Location
November 8, 2001 | 8th ACM Conference on Computer and Communication Security (CCS-8) | Philadelphia, PA, USA
November 13 - 15, 2001 | International Conference on Information and Communications Security (ICICS 2001) | Xian, China
November 19 - 22, 2001 | Black Hat Briefings | Amsterdam
November 21 - 23, 2001 | International Information Warfare Symposium | AAL, Lucerne, Switzerland.
November 24 - 30, 2001 | Computer Security Mexico | Mexico City
November 29 - 30, 2001 | International Cryptography Institute | Washington, DC
December 2 - 7, 2001 | Lisa 2001 15th Systems Administration Conference | San Diego, CA.
December 5 - 6, 2001 | InfoSecurity Conference & Exhibition | Jacob K. Javits Center, New York, NY.
December 10 - 14, 2001 | Annual Computer Security Applications Conference | New Orleans, LA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Jonathan Corbet


November 8, 2001

Eklektix, Inc. Linux powered! Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds