News and Editorials
Are 1024-bit RSA keys secure?
RSA Laboratories has published an FAQ about
Dan Bernstein's recent research on factoring.
Some recent posts and articles have expressed concern that
1024-bit RSA keys are no longer secure based on Dr. Bernstein's research.
RSA Laboratories,
Dan Bernstein himself and Bruce Schneier do not predict any immediate threat to the security of 1024-bit
RSA keys based on this research. When choosing a key size, RSA
Laboratories considers the table of proposed key sizes offered for
discussion at
NIST's key management workshop in November 2001 (PDF format) to still be
"reasonable general guidelines".
CRYPTO-GRAM Newsletter.
Bruce Schneier's CRYPTO-GRAM Newsletter for
April is out. He looks at ways of thinking about security, corporate
liability for security vulnerabilities, and more. "If security has a
silly season, we're in it. After September 11, every two-bit peddler of
security technology crawled out of the woodwork with new claims about how
his product can make us all safe again. Every misguided and defeated
government security initiative was dragged out of the closet, dusted off,
and presented as the savior of our way of life."
Security Reports
mod_python 2.7.7 released. Version 2.7.7 of mod_python has been
announced. "This release (as far as I could tell adequately)
addresses the security issue whereby a module indirectly imported by a
published module could then be accessed via the publisher." Upgrades
are recommended.
Debian security update to xpilot.
The Debian Project has sent out a
security alert for xpilot regarding a buffer overflow vulnerability
which could be remotely exploitable.
Squid vulnerable to a DNS server based attack. The vulnerability exists in Squid-2.x up to and including
2.4.STABLE4. "A malicious DNS server could craft a DNS reply that causes Squid to exit
with a SIGSEGV."
MandrakeSoft has released what appears to be the first security update from a distributor
to fix the problem for ML 7.1, 7.2, 8.0, 8.1, 8.2,
Corporate Server 1.0.1, and Single Network Firewall 7.2.
Webalizer is also vulnerable to a DNS server based attack because
of a buffer overflow bug. This unofficial
patch to fix the problem was posted on Bugtraq.
This one sounds nasty. If reverse DNS lookups are enabled in webalizer,
"an attacker with command over his own DNS service, has the
ability to gain remote root access to a machine."
Multiple vulnerabilities in the Melange chat system were reported by Leon Harris. "Melange is
a chat system written in C and java which is freely available
under GPL. It is quite a nice system, and has been my pleasure to work with
it. It was also coded nearly five
years ago, at a time when people were not quite so security conscious.
Its author has indicated that he is not currently maintaining it, due to
other commitments."
Web scripts.
The following web scripts were reported to contain vulnerabilities:
- Guestbook and xNewsletter from x-dev.de were reported to have multiple vulnerabilities including cross site scripting and
"Arbitrary Command Execution under certain circumstances."
Proprietary products.
The following proprietary products were reported to contain
vulnerabilities:
- IBM Informix Web DataBlade
SQL injection and related auto-decoding HTML vulnerabilities
were reported by Simon Lodal. When contacted by LWN, IBM Informix Support
stated that a fix is being tested and is expected to be released "soon."
Updates
Cross-site scripting vulnerability in Horde/IMP.
Version 2.2.8 of IMP has been released; it
fixes some vulnerabilities. "The Horde team announces the
availability of IMP 2.2.8, which prevents some potential cross-site
scripting (CSS) attacks. Site administrators should consider upgrading
to IMP 3 (our first recommendation), but if this is not possible, IMP
2.2.8 should be used to prevent these potential attacks."
(First LWN
report: April 11, 2002).
Format string exploits in libsafe. Libsafe versions
prior to 2.0-12 are vulnerable to format
string exploits.
"Libsafe protection against format string exploits may be easily bypassed
using flag characters that are implemented in glibc but are not
implemented in libsafe."
The current version is libsafe
2.0-13.
Steve Beattie pointed out that the Immunix FormatGuard tool
is not vulnerable to these kinds of attacks.
(First LWN report: March 28, 2002).
rsync supplementary groups vulnerability.
Ethan Benson reported that
rsyncd fails to remove supplementary groups (such as root)
from the server process after changing to the specified unprivileged
uid and gid.
"This seems only serious if rsync is called using 'rsync
--daemon' from the command line where it will inherit the group of the
user starting the server (usually root)."
(First LWN report: March 14, 2002).
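As an added illustration (not rsync's own code), here is a Python privilege-drop routine that clears supplementary groups before changing gid and uid, together with a pure credential audit that would flag the leftover group described above; the uid/gid values and function names are assumptions for this example.

```python
import os

# Added example, not rsync's code. Assumed target identity: uid/gid 65534 ("nobody").

def audit_credentials(want_uid, want_gid, uid, euid, gid, egid, groups):
    """Pure check on a credential snapshot; returns a list of findings.

    Some platforms report the effective gid inside getgroups(); that entry is
    not a leak, so it is excluded before flagging leftover supplementary groups.
    """
    problems = []
    if (uid, euid) != (want_uid, want_uid):
        problems.append(f"uid not dropped: real={uid} effective={euid}")
    if (gid, egid) != (want_gid, want_gid):
        problems.append(f"gid not dropped: real={gid} effective={egid}")
    leftover = sorted(g for g in set(groups) if g != want_gid)
    if leftover:
        problems.append(f"supplementary groups retained: {leftover}")
    return problems


def audit_current_process(want_uid, want_gid):
    """Snapshot the running process's credentials and audit them."""
    return audit_credentials(want_uid, want_gid, os.getuid(), os.geteuid(),
                             os.getgid(), os.getegid(), os.getgroups())


def drop_privileges(uid=65534, gid=65534):
    """Switch a root process to uid/gid, clearing supplementary groups first.

    setgroups() requires root, so it must run before setgid()/setuid(): calling
    it afterwards fails, and omitting it (the rsyncd case above) leaves the
    starting user's supplementary groups, usually including root's, attached
    to the unprivileged process.
    """
    if os.geteuid() != 0:
        raise PermissionError("must start as root to drop privileges")
    os.setgroups([])      # the step the daemon skipped
    os.setgid(gid)
    os.setuid(uid)
    problems = audit_current_process(uid, gid)
    if problems:
        raise RuntimeError("privilege drop incomplete: " + "; ".join(problems))
    return problems
```

Run the audit as a self-check right after the switch, as drop_privileges() does, so a regression of this kind aborts the daemon at start-up instead of running silently with root's groups.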
Resources
Fragroute 1.2 has
been released by dug song.
"fragroute intercepts, modifies, and rewrites egress traffic destined
for a specified host, implementing most of the attacks described in the
Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network
Intrusion Detection" paper of January 1998."
Fragroute is intended to aid in the testing of network intrusion detection
systems and firewalls.
Keyed-Hash Message Authentication Code standard. The US NIST
has published FIPS 198, The Keyed-Hash Message Authentication Code.
FIPS 198 "became a [US] Federal standard on March 6, 2002
[...]
The standard describes a keyed-hash message authentication
code (HMAC), a mechanism for message authentication using
cryptographic hash functions."
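As an added example (not text or code from FIPS 198), here is the HMAC construction the standard describes, built from a plain hash function and cross-checked against Python's stdlib hmac module; the function names are this example's own.

```python
import hashlib
import hmac

# Added example: HMAC(K, text) = H((K0 xor opad) || H((K0 xor ipad) || text)),
# with K0 the key brought to the hash function's input block size B.
IPAD = 0x36
OPAD = 0x5C


def fips198_hmac(key: bytes, text: bytes, hash_name: str = "sha256") -> bytes:
    block = hashlib.new(hash_name).block_size   # B: 64 bytes for SHA-1 and SHA-256
    # Derive K0: a key longer than B is hashed first; the (hashed or short) key
    # is then zero-padded on the right to exactly B bytes.
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()
    k0 = key.ljust(block, b"\x00")
    # Inner hash over (K0 xor ipad) || text
    inner = hashlib.new(hash_name, bytes(b ^ IPAD for b in k0) + text).digest()
    # Outer hash over (K0 xor opad) || inner result
    return hashlib.new(hash_name, bytes(b ^ OPAD for b in k0) + inner).digest()


def verify_tag(key: bytes, text: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Constant-time comparison, so a verifier does not leak how many tag bytes matched."""
    return hmac.compare_digest(fips198_hmac(key, text, hash_name), tag)


def cross_check(key: bytes, text: bytes, hash_name: str = "sha256") -> bool:
    """True when the hand-built HMAC agrees with the standard library."""
    return fips198_hmac(key, text, hash_name) == hmac.new(key, text, hash_name).digest()
```

The long-key branch matters in practice: two different keys that hash to the same K0 produce identical MACs, which is why a key longer than B is replaced by its hash rather than truncated.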
Linux security week. The latest
Linux Security Week publication from LinuxSecurity.com is available.
Events
Upcoming Security Events.
Date | Event | Location |
April 18 - 19, 2002 | The Twelfth Conference on Computers, Freedom & Privacy | Cathedral Hill Hotel, San Francisco, California, USA |
April 18 - 19, 2002 | InfoSec 2002 | UniNet IRC network (irc.uninet.edu), channel #infosec |
April 23 - 25, 2002 | Infosecurity Europe 2002 | Olympia, London, UK |
May 1 - 3, 2002 | cansecwest/core02 | Vancouver, Canada |
May 4 - 5, 2002 | DallasCon | Dallas, TX, USA |
May 12 - 15, 2002 | 2002 IEEE Symposium on Security and Privacy | The Claremont Resort, Oakland, California, USA |
May 13 - 14, 2002 | 3rd International Common Criteria Conference (ICCC) | Ottawa, Ont., Canada |
May 13 - 17, 2002 | 14th Annual Canadian Information Technology Security Symposium (CITSS) | Ottawa Congress Centre, Ottawa, Ontario, Canada |
May 27 - 31, 2002 | 3rd International SANE Conference (SANE 2002) | Maastricht, The Netherlands |
May 29 - 30, 2002 | RSA Conference 2002 Japan | Akasaka Prince Hotel, Tokyo, Japan |
June 17 - 19, 2002 | NetSec 2002 | San Francisco, California, USA |
For additional security-related events, including training courses (which we
don't list above) and events further in the future, check out
Security Focus' calendar,
one of the primary resources we use for building the above list. To
submit an event directly to us, please send a plain-text message to
lwn@lwn.net.
Section Editor: Dennis Tenney
April 18, 2002