Security

News and Editorials

Hal Burgiss Introduces Linux Security Quick-Start Guides. LinuxSecurity.com has published an interview with Hal Burgiss, who has just produced a couple of quick-start Linux security guides (linked from the interview). "While there is a wealth of security related information around, there is not so much addressed to the new user who might be coming from another platform. It's one thing to say 'turn off all unneeded services', but quite another if you don't know what's 'needed' and what's not. Or how to know what services are actually running, and where they are getting started."

OpenSSH 3.0.1 released. OpenSSH 3.0.1 has been released. It includes fixes for a couple of security problems; both appear to be minor and difficult (or impossible) to exploit, but an upgrade is probably a good idea anyway.

Security Reports

Memory exhaustion vulnerability in Postfix. The Postfix mailer has a vulnerability wherein an attacker could run the Postfix daemon out of memory, causing it to crash. A fix is included with the report; no distributor updates have been seen as of this writing.

Trouble with wu-ftpd? A vague message has gone out seeking vendors who ship the wu-ftpd FTP server daemon. It seems there is a remotely exploitable problem in that package, though no details are yet available.

SuSE to discontinue 6.3 support. SuSE has announced that support for its 6.3 distribution will end on December 10. Thereafter, security updates will no longer be available. SuSE Linux 6.4 is still supported for now, until it, too, reaches its two-year anniversary.

A Mandrake Linux update to gnupg. MandrakeSoft has issued an update to gnupg which removes the setgid root bit from the executable. The bit was unnecessary and, it seems, could be abused to overwrite files owned by that group. This one appears to be a Mandrake-specific problem.
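The gnupg item above is a reminder that an unneeded setuid or setgid bit is a privilege the program (and anyone who can make it misbehave) gets for free. The following shell snippet is an added example, not code from LWN, MandrakeSoft or the gnupg project: it audits a directory tree for set-id executables, tests a single path, and clears the bits the way the Mandrake update did. The function and variable names are this example's own choices.

```shell
#!/bin/sh
# Added example: audit and clear setuid/setgid bits on executables.
# Not part of LWN, Mandrake or gnupg; function names are this example's own.

# is_setid PATH: succeed (exit 0) if PATH carries the setuid or setgid bit.
is_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# list_setid DIR: print every regular file under DIR (same filesystem only)
# that is setuid (4000) or setgid (2000). Permission errors are silenced so
# the list is usable when run as an ordinary user.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# drop_setid PATH: clear both bits, as the Mandrake gnupg update did.
# The program keeps running as the invoking user, with only that user's rights.
drop_setid() {
    chmod u-s,g-s "$1"
}
```

A typical use is `list_setid /usr | sort` to get the baseline for a freshly installed host and `diff` it against later runs; any new entry is something to explain or drop.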
web scripts.
Proprietary products. The following proprietary products were reported to contain vulnerabilities:
Updates

Session hijacking vulnerability in IMP. Versions of the Horde IMP mail system prior to 2.2.7 have a session hijacking vulnerability that is well worth fixing. (First LWN report: November 15, 2001).

This week's updates:

Previous updates:

Procmail race conditions. See the July 26 Security page for the initial report.

This week's updates:

Previous updates:

Vulnerabilities in tetex. The tetex package has a temporary file handling vulnerability; this problem was first reported in the July 12, 2001 LWN security page.

This week's updates:
Previous updates:
Resources

CRYPTO-GRAM Newsletter. Bruce Schneier's CRYPTO-GRAM Newsletter for November 15 is available. The bulk of this issue is an extended version of Bruce's response to Microsoft on full disclosure. "Disclosure does not create security vulnerabilities; programmers create them, and they remain until other programmers find and remove them. Everyone makes mistakes; they are natural events in the sense that they inevitably happen. But that's no excuse for pretending that they are caused by forces out of our control, and mitigated when we get around to it."

Events

The 18th annual Chaos Communication Congress will be held in Berlin, Germany, on December 27 to 29. A call for papers is out for those who would like to participate.

Upcoming Security Events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Jonathan Corbet
November 22, 2001