Security


News and Editorials

Checking for root kits. After his security tutorial at Linux World, LWN asked Michael H. Warfield, of Internet Security Systems, if there was one current security issue our readers should watch. It is "root kits installed by intruders after they cracked your site to hide their activities and protect their backdoors." Michael also mentioned, in his talks, that "common worms have new exploits plus root kits wrapped up with some crude scripting glue to propagate from system to system and install backdoors with the rootkits hiding them."

Michael recommends regularly checking exposed systems by running chkrootkit. This nifty tool locally checks for signs of a rootkit. Running it regularly and using diff to compare the results to past runs is one way to look for compromised systems.

The Sardonix security auditing portal. Crispin Cowan has announced a new security portal designed to encourage auditing of code. "The whole project is intended to leverage community skepticism of claims of security, and the community's joyful habit of criticizing the work of others, and so we call it Sardonix." There will be features to track the auditing of various packages; it will also be able to audit the auditors by tracking how many bugs are found in a package after somebody has declared it clean. The project is in an early stage, and contributors are being sought. This work is supported by a DARPA grant.

Out of the box, Linux is 'dreadfully insecure' (Register). The Register reminds us that default installations for most Linux distributions are insecure. "Jay Beale, the lead developer of Bastille Linux and an independent security consultant, says it's not the Unix-based systems with interesting stuff on them that get hacked, it's the vulnerable ones. And if you're not prepared to tighten up what you get from the vendor, it's just a matter of time."

Security Reports

Mandrake Linux Security Update - gzip. Mandrake has issued a security advisory for gzip. This fixes two problems with the gzip archiving program; the first is a crash when an input file name is over 1020 characters, and the second is a buffer overflow that could be exploited if gzip is run on a server such as an FTP server.

Net::FTPServer security fix. The Net::FTPServer project released this security fix to close a potential vulnerability "allowing users to list directories to which they should not have access. If your configuration file uses 'list rule', then you need to upgrade to version 1.034."

PHP Safe Mode Filesystem Circumvention Problem. According to this post to Bugtraq: "If an attacker has access to a MySQL server [...], he can use it as a proxy by which to download files residing on the [PHP] safe_mode-enabled web server".

Web scripts. The following web scripts were reported to contain vulnerabilities:

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

Updates

Remotely exploitable vulnerability in pine. Pine has an unpleasant URL handling vulnerability which can lead to command execution by remote attackers. (First LWN report: January 17th).

This vulnerability is remotely exploitable; updating is a good idea.

Note: If an update isn't yet available for your distribution, setting enable-msg-view-urls to "off" in pine's setup will avoid the vulnerability. (Thanks to Greg Herlein).

This week's updates:

Previous updates:

A remotely exploitable hole in rsync. A vulnerability has been found in the rsync server: it seems that the server did not pay enough attention to the sign of numbers it read from the client connection. This oversight allows an attacker to write bytes containing zero almost anywhere in the stack, with results similar to those caused by buffer overflows. Sites running rsync in its daemon mode are thus vulnerable to remote root compromises. Versions of rsync prior to 2.5.2 are vulnerable. (First LWN report: January 31st).
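As an added illustration of the bug class described above (example code, not rsync's own), the reader below takes a length-prefixed string from a constructed client byte stream in which the length travels as a signed 32-bit integer, and the comments mark the sign check that stops a negative value from steering the terminating zero byte outside the buffer. The connection structure, function names and wire bytes are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the client connection: a length-prefixed string,
 * the length sent as a little-endian 32-bit integer. */
struct conn { const unsigned char *data; size_t len; size_t pos; };
/* Read a 32-bit integer from the connection. The protocol treats it as
 * SIGNED, so a peer can put a negative value in a field meant as a length. */
static int read_int(struct conn *c, int32_t *out) {
    if (c->len - c->pos < 4) return -1;
    const unsigned char *p = c->data + c->pos;
    uint32_t v = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    c->pos += 4;
    *out = (int32_t)v;                                /* 0xFFFFFFF0 becomes -16 */
    return 0;
}

/* Hardened string reader: returns the length, or -1 if the peer's length field
 * is rejected. Without the sign check, a negative len makes buf[len] = '\0'
 * land below the buffer, at a peer-chosen offset on the stack: the
 * "write zero bytes almost anywhere" failure mode described above. */
static int read_sbuf_checked(struct conn *c, char *buf, size_t bufsize) {
    int32_t len;
    if (read_int(c, &len) != 0) return -1;
    if (len < 0 || (size_t)len >= bufsize) return -1; /* negative, or no room for NUL */
    if (c->len - c->pos < (size_t)len) return -1;     /* peer sent fewer bytes than claimed */
    memcpy(buf, c->data + c->pos, (size_t)len);
    buf[len] = '\0';                                  /* now provably in bounds */
    c->pos += (size_t)len;
    return (int)len;
}

/* Wire bytes constructed for this example. */
static const unsigned char WIRE_OK[]  = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' }; /* len 5 */
static const unsigned char WIRE_NEG[] = { 0xF0, 0xFF, 0xFF, 0xFF, 'x' };        /* len -16 */
static const unsigned char WIRE_BIG[] = { 100, 0, 0, 0, 'x' };                   /* len 100 */
/* Run the checked reader over one constructed wire buffer. */
static int read_from_wire(const unsigned char *w, size_t n, char *out, size_t outsz) {
    struct conn c = { w, n, 0 };
    return read_sbuf_checked(&c, out, outsz);
}
int main(void) {
    char buf[16];
    printf("len 5   -> %d\n", read_from_wire(WIRE_OK,  sizeof WIRE_OK,  buf, sizeof buf));
    printf("len -16 -> %d\n", read_from_wire(WIRE_NEG, sizeof WIRE_NEG, buf, sizeof buf));
    printf("len 100 -> %d\n", read_from_wire(WIRE_BIG, sizeof WIRE_BIG, buf, sizeof buf));
    return 0;
}
```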

This week's updates:

Previous updates:

Events

Upcoming Security Events.

The schedule for CodeCon 2002 has been announced. "CodeCon is the premier event in 2002 for the P2P, cypherpunk, and network/security application developer community." CodeCon 2002 will be held at DNA lounge in San Francisco, February 15th to 17th.

Date | Event | Location
February 15 - 17, 2002 | CODECON 2002 | San Francisco, California, USA
February 18 - 22, 2002 | RSA Conference 2002 | San Jose, CA, USA
March 11 - 14, 2002 | Financial Cryptography 2002 | Southampton, Bermuda
March 18 - 21, 2002 | Sixth Annual Distributed Objects and Components Security Workshop | Pier 5 Hotel at the Inner Harbor, Baltimore, Maryland, USA
April 7 - 10, 2002 | Techno-Security 2002 Conference | Myrtle Beach, SC

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney


February 7, 2002

Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds