Security

News and Editorials

Fun with wu-ftpd. As reported last week, a new, remotely exploitable vulnerability has been found in wu-ftpd. This server seems to have had more than its share of difficulties; one can only hope that we are coming to the end of the list.

The people publicizing this hole really tried to do the right thing: they gathered together a list of vendors shipping wu-ftpd, and set up a coordinated release date for updates. The idea was that everybody would have a fix available when the word got out that there was a problem. It almost worked, except that somebody at Red Hat slipped up and sent an alert out early. Red Hat undoubtedly should have been more careful, but, given the number of vendors involved, it's not surprising that somebody made a mistake. Coordinating that many groups is never going to be easy.

Most of the top-tier distributors have been quick to get their updates out there; the full list appears in the "updates" section, below. There are a couple of glaring exceptions, however. Turbolinux, in particular, is notable in its absence. In fact, according to the Turbolinux "Security Center," that distributor has not issued a single update since last June. Either Turbolinux has found an amazing way to avoid vulnerabilities, or that company is failing its customers with regard to security.

Meanwhile, the most important thing is for the wu-ftpd patch to be applied as widely as possible. This is the worst sort of vulnerability, the kind that wide-ranging, destructive worms are made of. Exploits for this vulnerability will be widespread before long, and sites still running the vulnerable code will have reason to regret it. (See also: CERT's advisory on this vulnerability).
OpenSSH 3.0.2 released.

Security Reports

A Red Hat OpenSSH update. Red Hat has issued a new OpenSSH update with some new fixes. One is for the restricted command vulnerability first reported in the September 27 LWN security page; despite the passage of almost two months, this is the first update we have seen for this particular problem. Also fixed is a bug in the code which attempts to frustrate passive analysis attacks.

More OpenSSH updates. Both Debian and Red Hat have updated OpenSSH to fix the (obscure) UseLogin vulnerability. Both appear to have backported that particular fix from OpenSSH 3.0.2 to earlier versions. This Red Hat update supersedes the one mentioned above.

Other updates from Debian. Another set of alerts has come from Debian, including fml (cross-site scripting vulnerability in this mailing list manager), icecast-server (several remotely exploitable holes), and xtel (symlink attacks). The icecast update, in particular, looks like one that should be applied.

Problems with libgtop_daemon. The libgtop_daemon package, a GNOME program which makes system information available remotely, has a format string vulnerability which is remotely exploitable. This bug is fixed in version 1.0.13. Unfortunately, this package also has a buffer overflow problem which remains unfixed as of this writing (there is a patch in the advisory, though).
Buffer overflow in frox. The "frox" FTP proxy has a buffer overflow problem that could be exploited by a hostile server. The fix is to upgrade to version 0.6.7.
web scripts.
Updates

wu-ftpd buffer overflow. The wu-ftpd FTP server contains a remotely exploitable buffer overflow vulnerability; anybody running this package should already have upgraded. Versions up through 2.6.1 are vulnerable, as are 2.7.0 testing snapshots. (First LWN report: November 29). This week's updates: Previous updates:
OpenSSH restricted host vulnerability. Versions of OpenSSH prior to 2.9.9 have a vulnerability that can allow logins from hosts which have been explicitly denied access. The fix is to upgrade to OpenSSH 2.9.9. This problem first appeared in the October 4 LWN security page. This week's updates:
Postfix session log memory exhaustion. Postfix 20010228, and some earlier versions, have a denial of service vulnerability: the SMTP session log could grow to an unreasonable size. (First LWN report: November 29, 2001). This week's updates: Previous updates:

Cyrus SASL format string vulnerability. A format string bug in the Cyrus SASL authentication API for mail clients and servers may be remotely exploitable. (First LWN report: November 29, 2001). This week's updates: Previous updates:
Directory indexing and path discovery in Apache. Versions of Apache prior to version 1.3.19 are vulnerable to a custom crafted request that can cause modules to misbehave and return a listing of the directory contents by avoiding the error page. (First LWN report: September 20, 2001). This week's updates: Previous updates:
Resources

MandrakeSoft launches security web site. MandrakeSoft has announced the launch of a new web site, MandrakeSecure.net, dedicated to Linux security. It is mostly of interest, of course, to those working with the Mandrake Linux distribution.

Newsletters from LinuxSecurity.com. Here's the latest Linux Advisory Watch and Linux Security Week from LinuxSecurity.com.

Secure distribution list. Here's a list of secure Linux distributions put together by Deepak Kumar Gupta.

Events

Upcoming Security Events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Jonathan Corbet
December 6, 2001