See also: last week's Security page.

Security

News and Editorials

OpenSSH 3.1 released. OpenSSH version 3.1 has been released. The main changes include defining /etc/ssh as the default configuration directory, ssh-keygen now requires a key type to be specified, and X11 forwarding now listens on localhost by default. A number of additional changes have been made.

Users are advised to upgrade to OpenSSH 3.1 (see the security report below), or to apply the included patch.

Latest Security Vulnerability: Java VMs (TechWeb). Security problems in Java virtual machines can impact many platforms, as this TechWeb article describes. "Versions of Netscape's browser, version 6.1 and lower, are also impacted, as are some Solaris and Linux releases that ship with the problematic virtual machine."

Exactly which Linux distributions are impacted is unclear. According to the Sun Microsystems Security Bulletin; "This issue may or may not affect other vendors' Java technology implementations which are derived from Sun's SDK and JDK(TM) source bases." The Java SDK and JRE versions 1.3.0_02 and 1.2.2_010 are vulnerable; the latest versions (1.4, 1.3.1_02 and 1.2.2_011) are not (despite an earlier version of this LWN story which said, erroneously, that they were).

Jac virus targets Linux (vnunet). Here's another one of those new Linux virus stories; this one is on vnunet. "Linux users typically crow about how much more secure it is than the Windows platform, but this time they may be justified as Jac has only been branded as a low threat. It is not expected to spread in the wild and causes little damage."

Security Reports

An off-by-one error in the channel code of OpenSSH versions 2.0 to 3.0.2 has been found. Users are advised to upgrade to OpenSSH 3.1, or to apply the relevant security update. "This bug can be exploited locally by an authenticated user logging into a vulnerable OpenSSH server or by a malicious SSH server attacking a vulnerable OpenSSH client."

Also see the the advisory from Pine for this vulnerability.

Distributor updates seen so far:

• Conectiva (March 7, 2002)
• Debian (March 7, 2002)
• EnGarde (March 7, 2002)
• Eridani (March 7, 2002)
• Mandrake (March 7, 2002)
• OpenPKG (March 8, 2002)
• Trustix (March 7, 2002)
• Red Hat (March 8, 2002)
• Slackware (March 8, 2002)
• SuSE (March 7, 2002)
• Yellow Dog (March 9, 2002)

zlib corrupts malloc data structures via double free. This vulnerability impacts all major Linux vendors. It may impact every Linux installation on Earth. Updates are required to zlib and any packages that were statically built with the zlib code.

LinuxSecurity describes the vulnerability and coordinated distributor efforts in detail. "Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc, vnc, and many other programs that have the ability to use network compression are potentially vulnerable."

Updating is recommended. Now it the time to prepare; before there are any known exploits. As always, please proceed with caution when applying updates to the kernel.

Distributor updates seen so far:

• Debian (March 11, 2002) (nine packages)
• EnGarde (March 11, 2002) (zlib kernel popt rsync)
• Eridani (March 13, 2002) (libz)
• Eridani (March 13, 2002) (vnc dump cvs rsync kernel)
• Mandrake (March 12, 2002) (zlib)
• Mandrake (March 12, 2002) (twelve packages including kernel)
• OpenPKG (March 12, 2002) (zlib cvs gnupg rrdtool rsync)
• Red Hat (March 11, 2002) (Red Hat Linux)
• Red Hat (March 11, 2002) (Red Hat Powertools)
• SuSE (March 11, 2002) (libz/zlib)
• SuSE (March 11, 2002) (eight packages including kernel)
• Slackware (March 12, 2002) (zlib)
• Slackware (March 12, 2002) (rsync)
• Slackware (March 12, 2002) (cvs)

Note that we have received a last-minute report saying that the Red Hat kernel update does not actually include the zlib fix.

See also: articles in ZDNet and The Register about the zlib vulnerability.

Slackware rsync update. This Slackware upgrade to the rsync packages makes "sure that supplementary groups are removed from a server process after changing uid and gid". It also addresses the zlib double-free bug described above.

Mandrake Linux update for mod_frontpage. Mandrake Linux has released a security update for mod_frontpage.

Debian update for xtell. Updated Debian packages are available for the simple messaging client and server xtell. "In detail, these problems contain several buffer overflows, a problem in connection with symbolic links, unauthorized directory traversal when the path contains '..'. These problems could lead into an attacker being able to execute arbitrary code on the server machine. The server runs with nobody privileges by default, so this would be the account to be exploited."

XTux Arena server DoS vulnerability. XTux Arena is a client server network game for X11 featuring opensource mascots. The XTux server may be subject to DoS attacks as described in this post to Bugtraq.

Multiple Ecartis/Listar vulnerabilities are described by Janusz Niewiadomski and Wojciech Purczynski in this post to Bugtraq. "Listar is a open-source software package that administers mailing lists (similar to Majordomo and Listserv)."

web scripts. The following web scripts were reported to contain vulnerabilities:

• Directory traversal vulnerability in phpimglist. There is a vulnerabilty in phpimglist which "allows a user to traverse through directories outside the web root." phpimglist 1.2.2 fixes the problem and is available from here.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

• CaupoShop 1.30a, and maybe all versions before, may be subject to a nasty cross-site-scripting bug. Caupo has released a new version which fixes the problem.

Updates

Apache mod_ssl buffer overflow vulnerability. According to this announcement "modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the underlying OpenSSL routines in a manner which could overflow a buffer within the implementation. This situation appears difficult to exploit in a production environment[...]." (First LWN report: March 7).

This week's updates:

• Caldera (March 18, 2002)

Previous updates:

• Conectiva (March 4, 2002)
• Debian (March 10, 2002)
• EnGarde (March 1, 2002)
• Eridani (March 7, 2002)
• Mandrake (March 7, 2002)
• Red Hat (March 13, 2002) (Red Hat Secure Web Server)
• Red Hat (March 6, 2002) (Red Hat 7, 7.1 & 7.2)
• Trustix (February 28, 2002)

Both PHP3 and PHP4 have vulnerabilities in their file upload code which can lead to remote command execution. This one could be ugly; sites using PHP should apply updates at the first opportunity. If an update isn't available for your distribution, users of PHP 4.0.3 and later are encouraged to consider disabling file upload support by adding this directive to php.ini:

  
	file_uploads = Off

CERT has issued this advisory on the problem. This article in the Register also talks about the vulnerability. (First LWN report: March 7).

Developers using the 4.2.0 branch, are not vulnerable because because file upload support was completely rewritten for that branch.

This week's updates:

• Caldera (May 16, 2002)

Previous updates:

• Conectiva (March 8, 2002)
• Debian (March 2, 2002)
• EnGarde (March 1, 2002)
• Eridani (March 5, 2002)
• Mandrake (February 28, 2002)
• Mitel Networks (March 7, 2002) (SME Server)
• OpenPKG (February 28, 2002)
• Red Hat (March 21, 2002)
• Slackware (March 5, 2002)
• SuSE (February 28, 2002)
• Trustix (April 29, 2002) (The February 28th update "did not quite do the trick")
• Trustix (February 28, 2002)
• Yellow Dog (March 5, 2002)

Update: Despite some concern expressed in an earlier report by LWN, these updates do, in fact, fix the problem. The original update from the php team fixes the security hole but introduces a "rare segfault condition" that is not a security problem.

Resources

Linux security week. The and publications from LinuxSecurity.com are available.

Events

Upcoming Security Events.

Date	Event	Location
March 14, 2002	Financial Cryptography 2002	Sothhampton, Bermuda
March 18 - 21, 2002	Sixth Annual Distributed Objects and Components Security Workshop	(Pier 5 Hotel at the Inner Harbor)Baltimore, Maryland, USA
March 18 - 20, 2002	InfoSec World Conference and Expo/2002	Orlando, FL, USA
April 1 - 7, 2002	SANS 2002	Orlando, FL., USA
April 5 - 7, 2002	Rubicon	Detroit, Michigan, USA
April 7 - 10, 2002	Techno-Security 2002 Conference	Myrtle Beach, SC
April 14 - 15, 2002	Workshop on Privacy Enhancing Technologies 2002	(Cathedral Hill Hotel)San Francisco, California, USA
April 16 - 19, 2002	The Twelfth Conference on Computers, Freedom & Privacy	(Cathedral Hill Hotel)San Francisco, California, USA
April 23 - 25, 2002	Infosecurity Europe 2002	Olympia, London, UK
May 1 - 3, 2002	cansecwest/core02	Vancouver, Canada
May 4 - 5, 2002	DallasCon	Dallas, TX., USA
May 12 - 15, 2002	2002 IEEE Symposium on Security and Privacy	(The Claremont Resort)Oakland, California, USA
May 13 - 14, 2002	3rd International Common Criteria Conference(ICCC)	Ottawa, Ont., Canada
May 13 - 17, 2002	14th Annual Canadian Information Technology Security Symposium(CITSS)	(Ottawa Congress Centre)Ottawa, Ontario, Canada

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney

LWN Resources


Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal

Next: Kernel