News and Editorials
OpenSSH 3.1 released.
OpenSSH version 3.1 has been released.
The main changes include defining /etc/ssh as the default configuration
directory, ssh-keygen now requires a key type to be specified, and X11
forwarding now listens on localhost by default. A number of additional
changes have been made.
Users are advised to upgrade to OpenSSH 3.1 (see the security report below), or to apply the
included patch.
Latest Security Vulnerability: Java VMs (TechWeb).
Security problems in Java virtual machines can impact many platforms, as this TechWeb article describes. "Versions of Netscape's browser, version 6.1 and lower, are also impacted, as are some Solaris and Linux releases that ship with the problematic virtual machine."
Exactly which Linux distributions are impacted is unclear. According to the Sun Microsystems Security Bulletin: "This issue may or may not affect other vendors' Java technology implementations which are derived from Sun's SDK and JDK(TM) source bases." The Java SDK and JRE versions 1.3.0_02 and 1.2.2_010 are vulnerable; the latest versions (1.4, 1.3.1_02 and 1.2.2_011) are not (despite an earlier version of this LWN story which said, erroneously, that they were).
Jac virus targets Linux (vnunet). Here's another one of those new Linux virus stories;
this one is on vnunet. "Linux users typically crow about how much
more secure it is than the Windows platform, but this time they may be
justified as Jac has only been branded as a low threat. It is not
expected to spread in the wild and causes little damage."
Security Reports
An off-by-one error in the channel code of OpenSSH versions 2.0 to 3.0.2 has been found. Users are advised to upgrade to OpenSSH 3.1, or to apply the relevant security update. "This bug can be exploited locally by an authenticated user logging into a vulnerable OpenSSH server or by a malicious SSH server attacking a vulnerable OpenSSH client."
Also see the advisory from Pine for this vulnerability.
Distributor updates seen so far:
- Conectiva (March 7, 2002)
- Debian (March 7, 2002)
- EnGarde (March 7, 2002)
- Eridani (March 7, 2002)
- Mandrake (March 7, 2002)
- OpenPKG (March 8, 2002)
- Trustix (March 7, 2002)
- Red Hat (March 8, 2002)
- Slackware (March 8, 2002)
- SuSE (March 7, 2002)
- Yellow Dog (March 9, 2002)
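The bug class behind this report, as an added illustration that is not OpenSSH's own code: a lookup that validates a peer-supplied channel id with '>' instead of '>=' and therefore accepts one index past the end of its table. The table name, its size and the Channel fields are assumptions made for the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Illustrative channel table (not OpenSSH's code): a fixed array of
 * CHANNELS_ALLOC slots addressed by a channel id supplied by the peer. */
#define CHANNELS_ALLOC 4

typedef struct {
    int remote_id;
    int open;
} Channel;

static Channel channels[CHANNELS_ALLOC];

/* Flawed lookup: the bounds check uses '>' so id == CHANNELS_ALLOC is
 * accepted and the returned pointer lies one slot past the table. */
Channel *channel_lookup_flawed(int id)
{
    if (id < 0 || id > CHANNELS_ALLOC)
        return NULL;
    return &channels[id];
}

/* Fixed lookup: '>=' rejects the one-past-the-end id as well. */
Channel *channel_lookup_fixed(int id)
{
    if (id < 0 || id >= CHANNELS_ALLOC)
        return NULL;
    return &channels[id];
}

/* Returns 1 if the lookup hands back a pointer outside the table for any
 * id in [-1, CHANNELS_ALLOC]; the pointer is only compared, never used. */
int lookup_escapes_table(Channel *(*lookup)(int))
{
    for (int id = -1; id <= CHANNELS_ALLOC; id++) {
        Channel *c = lookup(id);
        if (c != NULL && (c < channels || c >= channels + CHANNELS_ALLOC))
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("flawed lookup escapes table: %d\n",
           lookup_escapes_table(channel_lookup_flawed)); /* 1 */
    printf("fixed lookup escapes table:  %d\n",
           lookup_escapes_table(channel_lookup_fixed));  /* 0 */
    return 0;
}
```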
zlib corrupts malloc data structures via double
free. This vulnerability impacts all major Linux vendors. It may
impact every Linux installation on Earth.
Updates are required to zlib and any
packages that were statically built with the zlib code.
LinuxSecurity
describes the vulnerability and coordinated distributor efforts
in detail.
"Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc,
vnc, and many other programs that have the ability to use network
compression are potentially vulnerable."
Updating is recommended. Now is the time to prepare, before there are any known exploits. As always, please proceed with caution when applying updates to the kernel.
Distributor updates seen so far:
- Debian (March 11, 2002)
(nine packages)
- EnGarde (March 11, 2002)
(zlib kernel popt rsync)
- Eridani (March 13, 2002)
(libz)
- Eridani (March 13, 2002)
(vnc dump cvs
rsync kernel)
- Mandrake (March 12, 2002)
(zlib)
- Mandrake (March 12, 2002)
(twelve
packages including kernel)
- OpenPKG (March 12, 2002)
(zlib
cvs gnupg rrdtool rsync)
- Red Hat (March 11, 2002)
(Red
Hat Linux)
- Red Hat (March 11, 2002)
(Red Hat Powertools)
- SuSE (March 11, 2002)
(libz/zlib)
- SuSE (March 11, 2002)
(eight packages including kernel)
- Slackware (March 12, 2002)
(zlib)
- Slackware (March 12, 2002)
(rsync)
- Slackware (March 12, 2002)
(cvs)
Note that we have received a last-minute report saying that the Red Hat
kernel update does not actually include the zlib fix.
See also: articles in ZDNet and The Register
about the zlib vulnerability.
Slackware rsync update. This Slackware
upgrade to the rsync packages makes "sure that supplementary groups are
removed from a server process after changing uid and gid". It also
addresses the zlib double-free bug described above.
Mandrake Linux update for mod_frontpage.
Mandrake Linux has released a security update for mod_frontpage.
Debian update for xtell.
Updated Debian packages are available for the simple messaging client and
server xtell. "In detail,
these problems contain several buffer overflows, a problem in connection
with symbolic links, unauthorized directory traversal when the path
contains '..'. These problems could lead into an attacker being able to
execute arbitrary code on the server machine. The server runs with
nobody privileges by default, so this would be the account to be
exploited."
XTux Arena server DoS vulnerability.
XTux Arena is a client server network game for X11 featuring opensource mascots. The XTux server may be subject to DoS attacks as described in this post to Bugtraq.
Multiple Ecartis/Listar vulnerabilities are described
by Janusz Niewiadomski and Wojciech Purczynski
in this post to Bugtraq.
"Listar is a open-source software package that
administers mailing lists
(similar to Majordomo and Listserv)."
Web scripts.
The following web scripts were reported to contain vulnerabilities:
- Directory traversal vulnerability in phpimglist. There is a vulnerability in phpimglist which "allows a user to traverse through directories outside the web root." phpimglist 1.2.2 fixes the problem and is available from here.
Proprietary products.
The following proprietary products were reported to contain
vulnerabilities:
- CaupoShop 1.30a, and maybe all versions before,
may be subject to a nasty cross-site-scripting
bug.
Caupo has released a new version which fixes the problem.
Updates
Apache mod_ssl buffer overflow vulnerability. According to this announcement, "modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the underlying OpenSSL routines in a manner which could overflow a buffer within the implementation. This situation appears difficult to exploit in a production environment[...]." (First LWN report: March 7).
This week's updates:
Previous updates:
Both PHP3 and PHP4 have vulnerabilities in
their file upload code which can lead to remote command execution.
This one could be ugly; sites using PHP should apply updates at the first
opportunity. If an update isn't available for your distribution, users
of PHP 4.0.3 and later are encouraged to consider disabling file upload
support by adding this directive to php.ini:
file_uploads = Off
CERT has issued this advisory on the problem.
This article in
the Register also talks about the vulnerability.
(First LWN report: March 7).
Developers using the 4.2.0 branch are not vulnerable, because file upload support was completely rewritten for that branch.
This week's updates:
Previous updates:
- Conectiva (March 8, 2002)
- Debian (March 2, 2002)
- EnGarde (March 1, 2002)
- Eridani (March 5, 2002)
- Mandrake (February 28, 2002)
- Mitel Networks (March 7, 2002) (SME Server)
- OpenPKG (February 28, 2002)
- Red Hat (March 21, 2002)
- Slackware (March 5, 2002)
- SuSE (February 28, 2002)
- Trustix (April 29, 2002) (The February 28th update "did not quite do the trick")
- Trustix (February 28, 2002)
- Yellow Dog (March 5, 2002)
Update: Despite some
concern expressed in an earlier report by LWN, these updates do,
in fact, fix the problem. The original update from the php team
fixes the security hole but introduces a "rare segfault condition"
that is not a security problem.
Resources
Linux security week. The
and
publications from LinuxSecurity.com are available.
Events
Upcoming Security Events.
Date | Event | Location |
March 14, 2002 | Financial Cryptography 2002 | Southampton, Bermuda |
March 18 - 21, 2002 | Sixth Annual Distributed Objects and Components Security Workshop | Pier 5 Hotel at the Inner Harbor, Baltimore, Maryland, USA |
March 18 - 20, 2002 | InfoSec World Conference and Expo/2002 | Orlando, FL, USA |
April 1 - 7, 2002 | SANS 2002 | Orlando, FL, USA |
April 5 - 7, 2002 | Rubicon | Detroit, Michigan, USA |
April 7 - 10, 2002 | Techno-Security 2002 Conference | Myrtle Beach, SC, USA |
April 14 - 15, 2002 | Workshop on Privacy Enhancing Technologies 2002 | Cathedral Hill Hotel, San Francisco, California, USA |
April 16 - 19, 2002 | The Twelfth Conference on Computers, Freedom & Privacy | Cathedral Hill Hotel, San Francisco, California, USA |
April 23 - 25, 2002 | Infosecurity Europe 2002 | Olympia, London, UK |
May 1 - 3, 2002 | cansecwest/core02 | Vancouver, Canada |
May 4 - 5, 2002 | DallasCon | Dallas, TX, USA |
May 12 - 15, 2002 | 2002 IEEE Symposium on Security and Privacy | The Claremont Resort, Oakland, California, USA |
May 13 - 14, 2002 | 3rd International Common Criteria Conference (ICCC) | Ottawa, Ontario, Canada |
May 13 - 17, 2002 | 14th Annual Canadian Information Technology Security Symposium (CITSS) | Ottawa Congress Centre, Ottawa, Ontario, Canada |
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.
Section Editor: Dennis Tenney
March 14, 2002