Security


News and Editorials

Are 1024-bit RSA keys secure? RSA Laboratories has published an FAQ about Dan Bernstein's recent research on factoring. Some recent posts and articles have expressed concern that 1024-bit RSA keys are no longer secure in light of Dr. Bernstein's research.

RSA Laboratories, Dan Bernstein himself and Bruce Schneier do not predict any immediate threat to the security of 1024-bit RSA keys from this research. When choosing a key size, RSA Laboratories considers the table of proposed key sizes offered for discussion at NIST's key management workshop in November 2001 (PDF format) to still be "reasonable general guidelines".

CRYPTO-GRAM Newsletter. Bruce Schneier's CRYPTO-GRAM Newsletter for April is out. He looks at ways of thinking about security, corporate liability for security vulnerabilities, and more. "If security has a silly season, we're in it. After September 11, every two-bit peddler of security technology crawled out of the woodwork with new claims about how his product can make us all safe again. Every misguided and defeated government security initiative was dragged out of the closet, dusted off, and presented as the savior of our way of life."

Security Reports

mod_python 2.7.7 released. Version 2.7.7 of mod_python has been announced. "This release (as far as I could tell adequately) addresses the security issue whereby a module indirectly imported by a published module could then be accessed via the publisher." Upgrades are recommended.
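What the publisher issue looks like in practice, as an added illustration that is not mod_python's own code: a minimal publisher-style dispatcher that turns a path such as script/func into attribute lookups on a published module. The vulnerable resolver walks every segment with a bare getattr(), so a module the script merely imported (os here) is reachable; the hardened one refuses module objects and anything not defined by the published module. All names in the block (PUBLISHED_SOURCE, resolve_naive, resolve_hardened, call_published, demo) are assumptions made for this example.

```python
"""Added illustration of the mod_python "publisher" class of bug, not
mod_python's own code. A publisher turns a URL path such as /script/func
into an attribute lookup on a published Python module. If every path
segment is resolved with a bare getattr(), modules the script merely
imported (os, for instance) become reachable through it as well.
All names here are assumptions made for this example."""
import types

# Constructed stand-in for a published script. It imports os for its own
# use; nothing in os is meant to be callable from a URL.
PUBLISHED_SOURCE = '''
import os

def hello(name="world"):
    return "hello " + name
'''


def load_published_module(source, name="published"):
    """Build a module object from source text, the way a publisher would
    import a script file."""
    mod = types.ModuleType(name)
    exec(source, mod.__dict__)
    return mod


def resolve_naive(module, path):
    """Vulnerable lookup: walks each segment with getattr(), so the path
    'os/getpid' lands on os.getpid via the script's own import."""
    obj = module
    for segment in path.split("/"):
        obj = getattr(obj, segment)
    return obj


def resolve_hardened(module, path):
    """Hardened lookup: no private names, no traversal into module objects,
    and the final object must have been defined by the published module."""
    obj = module
    for segment in path.split("/"):
        if not segment or segment.startswith("_"):
            raise PermissionError("refusing private or empty name %r" % segment)
        nxt = getattr(obj, segment, None)
        if nxt is None:
            raise LookupError(segment)
        if isinstance(nxt, types.ModuleType):
            raise PermissionError("refusing to publish imported module %r" % segment)
        obj = nxt
    if getattr(obj, "__module__", None) != module.__name__:
        raise PermissionError("%r was not defined by the published module" % path)
    return obj


def call_published(resolver, path, *args):
    """Resolve `path` against a fresh copy of the published script and call it."""
    mod = load_published_module(PUBLISHED_SOURCE)
    return resolver(mod, path)(*args)


def demo():
    """Exercise both resolvers; returns a dict so the outcome can be checked."""
    out = {
        "naive_hello": call_published(resolve_naive, "hello", "lwn"),
        "naive_reaches_os": isinstance(call_published(resolve_naive, "os/getpid"), int),
        "hardened_hello": call_published(resolve_hardened, "hello", "lwn"),
    }
    try:
        call_published(resolve_hardened, "os/getpid")
        out["hardened_reaches_os"] = True
    except PermissionError:
        out["hardened_reaches_os"] = False
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The __module__ check is the part that matters: refusing module objects alone still lets a path reach functions the script bound under another name, whereas requiring the target to have been defined in the published module closes that off as well.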

Debian security update to xpilot. The Debian Project has sent out a security alert for xpilot regarding a buffer overflow vulnerability which could be remotely exploitable.

Squid vulnerable to a DNS server based attack. The vulnerability exists in Squid-2.x up to and including 2.4.STABLE4. "A malicious DNS server could craft a DNS reply that causes Squid to exit with a SIGSEGV." MandrakeSoft has released what appears to be the first security update from a distributor to fix the problem, for ML 7.1, 7.2, 8.0, 8.1, 8.2, Corporate Server 1.0.1, and Single Network Firewall 7.2.

Webalizer is also vulnerable to a DNS server based attack because of a buffer overflow bug. This unofficial patch to fix the problem was posted on Bugtraq. This one sounds nasty. If reverse DNS lookups are enabled in webalizer, "an attacker with command over his own DNS service, has the ability to gain remote root access to a machine."

Multiple vulnerabilities in the Melange chat system were reported by Leon Harris. "Melange is a chat system written in C and java which is freely available under GPL. It is quite a nice system, and has been my pleasure to work with it. It was also coded nearly five years ago, at a time when people were not quite so security conscious. Its author has indicated that he is not currently maintaining it, due to other commitments."

Web scripts. The following web scripts were reported to contain vulnerabilities:

  • Guestbook and xNewsletter from x-dev.de were reported to have multiple vulnerabilities including cross site scripting and "Arbitrary Command Execution under certain circumstances."

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

  • IBM Informix Web DataBlade SQL injection and related auto-decoding HTML vulnerabilities were reported by Simon Lodal. When contacted by LWN, IBM Informix Support stated that a fix is being tested and is expected to be released "soon."

Updates

Cross-site scripting vulnerability in Horde/IMP. Version 2.2.8 of IMP has been released; it fixes some cross-site scripting vulnerabilities. "The Horde team announces the availability of IMP 2.2.8, which prevents some potential cross-site scripting (CSS) attacks. Site administrators should consider upgrading to IMP 3 (our first recommendation), but if this is not possible, IMP 2.2.8 should be used to prevent these potential attacks." (First LWN report: April 11, 2002).


Format string exploits in libsafe. Libsafe versions prior to 2.0-12 are vulnerable to format string exploits. "Libsafe protection against format string exploits may be easily bypassed using flag characters that are implemented in glibc but are not implemented in libsafe." The current version is libsafe 2.0-13. Steve Beattie pointed out that the Immunix FormatGuard tool is not vulnerable to these kinds of attacks. (First LWN report: March 28, 2002).
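The mismatch the advisory describes, as an added illustration that is not libsafe's code: a format-string checker that only knows the C-standard flag characters stops parsing at a glibc-only flag and never sees the %n that glibc's printf will still execute. The glibc flag set used below (the standard "-+ #0" plus "'" for thousands grouping and "I" for locale digits) is taken from glibc's printf documentation; the function names are assumptions made for this example.

```python
"""Added illustration (not libsafe's code) of a format-string checker whose
flag table is smaller than glibc's. The glibc flag set below is from
glibc's printf documentation; function names are assumptions."""

STD_FLAGS = frozenset("-+ #0")            # C89/C99 flag characters
GLIBC_FLAGS = STD_FLAGS | frozenset("'I")  # glibc extras: grouping, locale digits
LENGTH_MODS = frozenset("hlLqjzt")
CONVERSIONS = frozenset("diouxXeEfFgGaAcspn%")


def scan_conversions(fmt, flags):
    """Return the conversion characters found in fmt.

    A '%' followed by something the scanner does not recognise is skipped
    silently, which is how a checker that tolerates odd specs misses them."""
    found, i, n = [], 0, len(fmt)
    while i < n:
        if fmt[i] != "%":
            i += 1
            continue
        j = i + 1
        while j < n and fmt[j] in flags:                            # flags
            j += 1
        while j < n and (fmt[j].isdigit() or fmt[j] in "*$"):       # width / positional
            j += 1
        if j < n and fmt[j] == ".":                                 # precision
            j += 1
            while j < n and (fmt[j].isdigit() or fmt[j] == "*"):
                j += 1
        while j < n and fmt[j] in LENGTH_MODS:                      # length modifier
            j += 1
        if j < n and fmt[j] in CONVERSIONS:
            found.append(fmt[j])
            i = j + 1
        else:
            i += 1          # unrecognised spec: step past the '%' only
    return found


def count_n(fmt, flags):
    """Number of %n conversions the scanner believes fmt contains."""
    return scan_conversions(fmt, flags).count("n")


def checker_disagrees(fmt):
    """True when a standard-flags-only checker and a glibc-aware one count
    %n differently, i.e. when the format could slip past the checker."""
    return count_n(fmt, STD_FLAGS) != count_n(fmt, GLIBC_FLAGS)


if __name__ == "__main__":
    for fmt in ("%x%x%n", "%x%'n", "%In"):
        print(repr(fmt), "std:", count_n(fmt, STD_FLAGS),
              "glibc:", count_n(fmt, GLIBC_FLAGS), "bypass:", checker_disagrees(fmt))
```

The general lesson is the one FormatGuard sidesteps by counting arguments at compile time: any run-time checker that re-parses format strings has to accept exactly the grammar the C library does, flags included, or the gap between the two grammars is the bypass.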


rsync supplementary groups vulnerability. Ethan Benson reported that rsyncd fails to remove supplementary groups (such as root) from the server process after changing to the specified unprivileged uid and gid. "This seems only serious if rsync is called using "rsync --daemon" from the command line where it will inherit the group of the user starting the server (usually root)." (First LWN report: March 14th, 2002).
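The privilege drop done the way the report says rsyncd failed to do it, as an added example that is not rsync's code: setgroups() must run while the process is still root, before setgid() and setuid(), because once uid 0 is gone the inherited supplementary groups can no longer be cleared. The pure check function takes the getgroups() list as input so it can be exercised without root; the function names and the 65534 uid/gid used under __main__ are assumptions.

```python
"""Added illustration, not rsync's code: the order of calls that actually
sheds inherited supplementary groups, beside the shape that does not.
Function names and the uid/gid values in __main__ are assumptions."""
import os


def leaked_groups(groups, gid, allowed=()):
    """Pure check: supplementary groups that should not be present after a
    drop to `gid`. Takes a getgroups() list so it can be tested without root."""
    return set(groups) - {gid} - set(allowed)


def drop_privileges(uid, gid, extra_groups=()):
    """Switch to uid/gid in the only order that works: groups, gid, uid.
    Verifies afterwards that nothing inherited survived."""
    os.setgroups(list(extra_groups))   # needs root: clear inherited groups first
    os.setgid(gid)                     # primary group next
    os.setuid(uid)                     # uid last; irreversible for a non-root target
    leaked = leaked_groups(os.getgroups(), gid, extra_groups)
    if leaked:
        raise RuntimeError("supplementary groups survived the drop: %s" % sorted(leaked))
    return sorted(os.getgroups())


def drop_privileges_wrong_order(uid, gid):
    """The buggy shape: no setgroups() at all. After this, getgroups() still
    reports whatever the invoking user (often root) had, and setgroups() can
    no longer be called to fix it."""
    os.setgid(gid)
    os.setuid(uid)
    return sorted(os.getgroups())


if __name__ == "__main__":
    if os.geteuid() != 0:
        print("run as root to exercise drop_privileges(); leaked_groups() is testable as-is")
    else:
        # 65534 is nobody/nogroup on many Linux systems (assumption).
        print("groups after drop:", drop_privileges(65534, 65534))
```

A quick check on a running daemon is to read /proc/PID/status and compare its Groups: line with the gid the daemon was configured to run as; anything else on that line is a group the process should not have.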


Resources

Fragroute 1.2 has been released by Dug Song. "fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998." Fragroute is intended to aid in the testing of network intrusion detection systems and firewalls.

Keyed-Hash Message Authentication Code standard. The US NIST has published FIPS 198, The Keyed-Hash Message Authentication Code. FIPS 198 "became a [US] Federal standard on March 6, 2002 [...] The standard describes a keyed-hash message authentication code (HMAC), a mechanism for message authentication using cryptographic hash functions."
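The construction FIPS 198 standardises, as an added worked example written from the standard's definition rather than taken from NIST or any library: HMAC(K, text) = H((K0 xor opad) || H((K0 xor ipad) || text)), with K0 the key zero-padded to the hash's block size B and a key longer than B hashed first. The block also shows the optional truncation FIPS 198 permits and cross-checks the result against Python's hmac module and the published "Hi There"/"Jefe" vectors from RFC 2202 and RFC 4231; function names are assumptions made for this example.

```python
"""Added worked example of HMAC as defined in FIPS 198 / RFC 2104, written
from the definition, not NIST's or any library's code. Function names are
assumptions; the known answers are the RFC 2202 / RFC 4231 first cases."""
import hashlib
import hmac


def hmac_fips198(key, message, hash_name="sha1", truncate_to=None):
    """Compute HMAC(K, text). truncate_to implements the optional t-byte
    truncation FIPS 198 allows (leftmost t bytes of the MAC)."""
    block_size = hashlib.new(hash_name).block_size      # B: 64 for SHA-1/SHA-256
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()      # long key: hash it first
    k0 = key.ljust(block_size, b"\x00")                 # zero-pad to B bytes
    ipad_key = bytes(b ^ 0x36 for b in k0)              # K0 xor ipad
    opad_key = bytes(b ^ 0x5C for b in k0)              # K0 xor opad
    inner = hashlib.new(hash_name, ipad_key + message).digest()
    mac = hashlib.new(hash_name, opad_key + inner).digest()
    return mac[:truncate_to] if truncate_to else mac


def verify(key, message, tag, hash_name="sha1"):
    """Verify a received (possibly truncated) tag. compare_digest avoids the
    timing leak a plain == comparison has."""
    expected = hmac_fips198(key, message, hash_name, truncate_to=len(tag))
    return hmac.compare_digest(expected, tag)


def matches_stdlib(key, message, hash_name):
    """Cross-check the hand-written construction against Python's hmac module."""
    return hmac_fips198(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


def known_answer_tests():
    """True when the construction reproduces the published vectors."""
    cases = [
        (b"\x0b" * 20, b"Hi There", "sha1",
         "b617318655057264e28bc0b6fb378c8ef146be00"),
        (b"Jefe", b"what do ya want for nothing?", "sha1",
         "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"),
        (b"\x0b" * 20, b"Hi There", "sha256",
         "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
    ]
    return all(hmac_fips198(k, m, h).hex() == want for k, m, h, want in cases)


if __name__ == "__main__":
    print("known answers ok:", known_answer_tests())
    print("80-byte key matches stdlib:", matches_stdlib(b"\xaa" * 80, b"long key", "sha1"))
```

The long-key branch is the one worth testing explicitly when reviewing an HMAC implementation: hashing the key only when it exceeds B, never padding a hashed key back out incorrectly, is where hand-rolled versions most often diverge from the standard.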

Linux security week. This week's publications from LinuxSecurity.com are available.

Events

Upcoming Security Events.

Date                  Event                                                                    Location
April 18 - 19, 2002   The Twelfth Conference on Computers, Freedom & Privacy                   Cathedral Hill Hotel, San Francisco, California, USA
April 18 - 19, 2002   InfoSec 2002                                                             UniNet IRC network (irc.uninet.edu), channel #infosec
April 23 - 25, 2002   Infosecurity Europe 2002                                                 Olympia, London, UK
May 1 - 3, 2002       cansecwest/core02                                                        Vancouver, Canada
May 4 - 5, 2002       DallasCon                                                                Dallas, TX, USA
May 12 - 15, 2002     2002 IEEE Symposium on Security and Privacy                              The Claremont Resort, Oakland, California, USA
May 13 - 14, 2002     3rd International Common Criteria Conference (ICCC)                      Ottawa, Ontario, Canada
May 13 - 17, 2002     14th Annual Canadian Information Technology Security Symposium (CITSS)   Ottawa Congress Centre, Ottawa, Ontario, Canada
May 27 - 31, 2002     3rd International SANE Conference (SANE 2002)                            Maastricht, The Netherlands
May 29 - 30, 2002     RSA Conference 2002 Japan                                                Akasaka Prince Hotel, Tokyo, Japan
June 17 - 19, 2002    NetSec 2002                                                              San Francisco, California, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney


April 18, 2002
Eklektix, Inc. Linux powered! Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds