Security

News and Editorials

Debian took a month to distribute a fix for a glibc buffer overflow vulnerability. This week's glibc updates from Debian and Slackware fix the problem about a month after the first update from Red Hat on December 14th. You may wonder why Debian, with over eight hundred developers and a dedicated security team, took so long to distribute a fix for such a basic vulnerability. The short answer is that with a half dozen architectures the only way to change glibc is very carefully. This note from Martin Schulze illustrates the care with which Debian manages a distribution for six different architectures. Striking the necessary balance between release management and getting out security fixes for core components is a serious challenge. As Mr. Schulze notes, "we have to be extraordinarily careful. This takes time."

January CRYPTO-GRAM Newsletter. Here's Bruce Schneier's CRYPTO-GRAM Newsletter for January. The main topic this time around is the Windows UPnP vulnerability. "To think, some time ago I criticized eEye for not waiting long enough before releasing a vulnerability. Shows how hard it is to get the balance right."

Security Reports

Nasty security hole in sudo. The sudo package, used to grant limited administrative privileges on a system, has an unpleasant vulnerability which makes it relatively easy for a local attacker to obtain root access. If you have sudo on a system with untrusted users, you probably want to disable it until you can get a fix installed. So far, updates are available from MandrakeSoft, Conectiva, EnGarde, SuSE, Debian, Red Hat and Red Hat Powertools.

Remotely exploitable vulnerability in pine. Pine has an unpleasant URL handling vulnerability which can lead to command execution by remote attackers. Updates fixing the problem were released this week by Slackware, EnGarde and Red Hat. This vulnerability is remotely exploitable; updating is a good idea.

Heap corruption vulnerability in at. Security updates for this potentially exploitable heap corruption bug are available from SuSE and Debian.

XChat session hijacking vulnerability. Updates fixing this problem in XChat were released by Debian and Red Hat.

EnGarde Secure Linux security update to LIDS. EnGarde Secure Linux released a security update to LIDS (Linux Intrusion Detection System) fixing a number of locally exploitable vulnerabilities.

Debian security update to gzip. The Debian Project has issued a security update to gzip fixing a buffer overflow problem in that package.

Debian security update to cipe. The Debian Project has issued a security update to the cipe VPN package fixing a denial of service vulnerability.

Yellow Dog Linux released a whole list of updates that they evidently forgot to send out until now.

Geeklog 1.3 vulnerability. According to this post to BugTraq, the version of Geeklog released last December 30th has a vulnerability which "allows any user to assume the identity of any other registered user, including the administrative user." Instructions on where to obtain a fix are on the Geeklog website.

Pi3Web Webserver v2.0 is subject to a denial of service attack which crashes the daemon, according to this brief description posted to BugTraq.

Updates

Bugzilla upgrade to version 2.14.1. This is a security update with patches for a number of security-related bugs described in this announcement. "All users of Bugzilla, the bug-tracking system from mozilla.org [...] are strongly recommended to update to version 2.14.1". The problem was first reported by LWN in the January 10th Security page.
Buffer overflow problem in glibc. The glibc filename globbing code has a buffer overflow problem. For those who are interested, Global InterSec LLC has provided a detailed description of this vulnerability. This problem was first reported by LWN on December 20th.
Format string vulnerability in groff. A format string problem exists in groff; apparently it could be remotely exploited when groff is configured to be used as a filter for the lpd printing system, since the text of a print job can then reach the vulnerable code. (First LWN report: August 16, 2001.) The stable release of Debian is not vulnerable.
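The groff item names the bug class but not the coding pattern behind it. The C program below is an added example, not groff's code and not from this page, showing the pattern in a print-filter style log routine: untrusted text (a constructed sample print job) passed as the format string itself, beside the hardened form that passes it as an argument to a literal "%s". The function names and sample strings are assumptions for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (added example, not groff's code): the untrusted text is
 * used as the format string, so any '%' directives it contains are interpreted
 * by snprintf. In a print filter, a remote job containing "%x" or "%n" could
 * read or write memory this way. */
static void log_line_unsafe(char *out, size_t outlen, const char *untrusted)
{
    snprintf(out, outlen, untrusted);
}

/* Hardened pattern: the format is a literal and the untrusted text is only an
 * argument, so its '%' characters are copied, never interpreted. */
static void log_line_safe(char *out, size_t outlen, const char *untrusted)
{
    snprintf(out, outlen, "%s", untrusted);
}

/* Count conversion directives in a string: a cheap check for data that must
 * never be handed to a format parameter. "%%" is a literal percent sign. */
static int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 if the hardened variant reproduces the input byte for byte. */
static int safe_preserves(const char *untrusted)
{
    char buf[256];
    log_line_safe(buf, sizeof buf, untrusted);
    return strcmp(buf, untrusted) == 0;
}

/* Returns 1 if the two variants produce different output for the same input.
 * Only inputs whose directives need no arguments ("%%") are well defined for
 * the unsafe variant; callers must not pass "%x" or "%n" style input here. */
static int unsafe_output_differs(const char *untrusted)
{
    char a[256], b[256];
    log_line_unsafe(a, sizeof a, untrusted);
    log_line_safe(b, sizeof b, untrusted);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed sample inputs: a hostile job and a benign one with "%%". */
    const char *hostile = "%08x.%08x.%n";
    const char *benign = "100%% done";
    char buf[256];

    log_line_safe(buf, sizeof buf, hostile);
    printf("hostile job: %d directives, safe output \"%s\"\n",
           count_directives(hostile), buf);
    printf("benign job: unsafe and safe outputs differ? %d\n",
           unsafe_output_differs(benign));
    return 0;
}
```

The demonstration deliberately feeds the unsafe routine only "%%", the one directive that consumes no argument, because calling it with "%x" or "%n" is undefined behaviour: that is exactly the property an attacker exploits, and the reason the hardened form must be used wherever the format can originate from a print job.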
Resources

Securing Linux Servers for Service Providers, by Bill Half, Sr. Consulting I/T Architect, is now available in PDF format from this link inside the IBM Linux Technology Center website. (Thanks to Steve Fox.)

Events

Upcoming Security Events. The Sixth Annual Distributed Objects and Components Security Workshop has extended its call for papers to January 26. "The workshop, hosted by the Object Management Group and co-sponsored by Promia, Inc. and the National Security Agency (NSA), will provide a forum for discussing the issues associated with securing integrated application systems." The workshop will be held March 18 through 21, 2002 in Baltimore, Maryland, USA.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney
January 17, 2002