![[LWN Logo]](http://old.lwn.net/images/lcorner.png)
![[LWN.net]](http://old.lwn.net/images/security.png)
|
|
|
 Sections: Main page Security Kernel Distributions Development Commerce Linux in the news Announcements Letters All in one big page See also: last week's Security page. |
SecurityNews and EditorialsStores find security in Linux (ZDNet). ZDNet has a very short article, trying to give an overview of the superiority of Linux's security over DOS (No, that's not a typo). "The inherent security of the Linux environment was a key motivation for Burlington Coat Factory in choosing the operating system for a large retail point-of-sale environment." There is a companion article that gives a little more detail. Introduction to msec (MandrakeSecure). Here's an article that provides insight into what exactly msec is, what it does, and how it can be customized to suit your tastes and environment. "The Mandrake-Security package, more commonly known as msec, has been one of the base packages in Mandrake Linux since it was first introduced in version 7.0. Since that time, msec has undergone a lot of changes, most notably the transformation from being a series of shell scripts in 8.1 to the python-based system it is currently in 8.2." Caldera International - Updated Caldera Public Keys. Caldera generated new security keys. Now that the new key is out, Caldera seems to be getting caught up with security alerts. Security ReportsDebian update for analog. Debian has issued a security for the analog web log analyzer that addresses a cross-site scripting vulnerability. Updates are highly recommended. Caldera update to XFree86. This update to XFree86, fixes a problem in which any user with local X access can exploit the MIT-SHM extension and gain read/write access to any shared memory segment on the system. Packages prior to XFree86-4.1-12 are vulnerable. Security advisory for the Name Service Cache Daemon (nscd). Caldera issued an advisory that nscd has a default behavior that does not allow applications to validate DNS "PTR" records against "A" records. "Caldera recommends that this problem be worked around by disabling the hosts cache in the nscd configuration file." Caldera OpenLinux 3.1.1, startkde script vulnerability. startkde sets the LD_LIBRARY_PATH environment variable to "/opt/kde2/lib:" which includes the current working directory in the library search path. This exposes users to shared library attacks.
Caldera fix for packages previous to cups-1.1.10-5. This
CUPS update fixes a
buffer overflow vulnerability when reading names of attributes in versions
prior to 1.1.10-5. It does not appear to fix the
more recent buffer overflow vulnerability found in versions
prior to 1.1.14 described below under "Updates".
web scripts.
Proprietary products. The following proprietary products were reported to contain vulnerabilities:
UpdatesApache mod_ssl buffer overflow vulnerability. According to this announcement "modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the underlying OpenSSL routines in a manner which could overflow a buffer within the implementation. This situation appears difficult to exploit in a production environment[...]." (First LWN report: March 7). This week's updates: Previous updates:
Buffer overflow in CUPS. Versions of the Common Unix Print System prior to 1.1.14 have a buffer overflow vulnerability. (First LWN report: February 14). This week's updates: Previous updates:
Problem loading untrusted images in imlib. Versions of imlib prior to 1.9.13 used the NetPBM package in ways which "make it possible for attackers to create image files such that when loaded via software which uses Imlib, could crash the program or potentially allow arbitrary code to be executed." (First LWN report: March 28). This week's updates:
Previous updates:
An off-by-one error in the channel code of OpenSSH versions 2.0 to 3.0.2 has been found. Users are advised to upgrade to OpenSSH 3.1, or to apply the relevant security update. "This bug can be exploited locally by an authenticated user logging into a vulnerable OpenSSH server or by a malicious SSH server attacking a vulnerable OpenSSH client." (First LWN report: March 14). Also see the the advisory from Pine for this vulnerability. This week's updates: Previous updates:
This week's updates: Previous updates: ResourcesThe Common Vulnerabilities and Exposures (CVE) dictionary achieved a major milestone with over 2,000 official entries. MITRE's CVE Lexicon of Information Security Vulnerabilities aims to standardize the names for all publicly known vulnerabilities and security exposures. Linux security week. The and publications from LinuxSecurity.com are available. Pierre-Alain Fayolle and Vincent Glaume have written a study on buffer overflows and the existing protections a Linux system may use against them; A Buffer Overflow Study Attacks & Defenses. The authors are Computer Science students at Ecole Nationale Supérieure d'Electronique, d'Informatique et de Radiocommunications de Bordeaux. A similar paper was published in 2000 by researchers at the Oregon Graduate Institute of Science & Technology. EventsUpcoming Security Events.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net. Section Editor: Dennis Tenney |
April 4, 2002
LWN Resources | |||||||||||||||||||||||||||||||||||||||||||||
Copyright © 2002
Eklektix, Inc., all rights reserved
Next: Kernel