
Security


News and Editorials

Legacy, security-free protocols: goodbye rlogind (OpenBSD Journal). OpenBSD Journal reports that rlogind and rexecd have been removed from OpenBSD. "Hopefully other operating systems and software vendors will take note and cease having installation or runtime dependencies on r* programs." We certainly agree. Verifying that rlogin and telnet are disabled has been part of securing a Linux installation for as long as your editor can recall.

CRYPTO-GRAM newsletter. Here is Bruce Schneier's CRYPTO-GRAM newsletter for May. It looks at Kerckhoffs' Principle (no security through obscurity) and a technique for fooling fingerprint scanners with fake fingers made of gelatin. "Gummy fingers can even fool sensors being watched by guards. Simply form the clear gelatin finger over your own. This lets you hide it as you press your own finger onto the sensor. After it lets you in, eat the evidence."

International Developers Finger Biometrics as Most Effective User Authentication Method. In contrast to Bruce Schneier's comments (above), Evans Data Corporation has announced the results of the Evans Data Spring 2002 International Developers Survey. "The Evans Data Corp. survey of more than 400 programmers working outside North America found that biometric solutions generally -- and signatures and fingerprint identification specifically -- have the strongest backing among developers seeking tools to help keep computer networks free from unwanted intrusions and other security breaches."

OpenSSH 3.2.2 released. The OpenSSH developers have released OpenSSH 3.2.2. Security fixes and other changes are available in this release.

Mailman 2.0.11 released. Mailman 2.0.11 has been announced. There are fixes for a couple of cross-site scripting vulnerabilities in this release, so an upgrade is recommended.

Security Reports

Remotely-exploitable vulnerability in fetchmail. Unpatched versions of fetchmail prior to 5.9.10 have a remotely-exploitable buffer overflow problem.

Updates which fix the problem have been released by:

SuSE alert for shadow/pam-modules. A security announcement has been released by SuSE for shadow/pam-modules. "The shadow package contains several useful programs to maintain the entries in the /etc/passwd and /etc/shadow files. The SuSE Security Team discovered a vulnerability that allows local attackers to destroy the contents of these files or to extend the group privileges of certain users."

Caldera security update to imapd. Caldera International has issued a security update to imapd fixing a buffer overflow vulnerability in that package.

Red Hat updates for mpg321. Red Hat has issued an update for mpg321 that fixes a network streaming buffer overflow bug.

SuSE alert for lukemftp. SuSE has issued a security alert for the lukemftp ftp client. "A buffer overflow could be triggered by a malicious ftp server while the client parses the PASV ftp command. An attacker who controls an ftp server to which a client using lukemftp is connected can gain remote access to the client's machine with the privileges of the user running lukemftp. [...] The lukemftp RPM package is installed by default."

ViewCVS cross site scripting vulnerability. The problem exists in ViewCVS version 0.9.2 and under. The ViewCVS team is working on a fix. "ViewCVS is a WWW interface for CVS Repositories."

Web scripts. The following web scripts were reported to contain vulnerabilities:

  • Phorum 3.3.2a has a remote command execution vulnerability which is fixed in the May 16, 2002 release of Phorum 3.3.2b3. "Phorum is an OpenSource web based discussion software application written in PHP."

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

  • Steve Gustin reported path disclosure vulnerabilities in more than fourteen scripts available from CGIScript.net including csBanner.cgi and CSMailto.cgi.

Updates

DHCP remotely exploitable format string vulnerability. The May 8, 2000 release of ISC DHCP 3.0p1 fixes this serious vulnerability in ISC DHCPD 3.0 to 3.0.1rc8 inclusive.

We encourage dhcp users to upgrade, disable dhcp or, at a minimum, consider using ingress filtering as described in the CERT advisory. (First LWN report: May 16).

Note: Distributions which use version 2 of ISC DHCP, such as Red Hat Linux, are not vulnerable.

This week's updates:

Previous updates:

GNU fileutils race condition. A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2).

This week's updates:

Previous updates:

Problem loading untrusted images in imlib. Versions of imlib prior to 1.9.13 used the NetPBM package in ways which "make it possible for attackers to create image files such that when loaded via software which uses Imlib, could crash the program or potentially allow arbitrary code to be executed." (First LWN report: March 28).

This week's updates:

Previous updates:

Mozilla XMLHttpRequest file disclosure vulnerability. This XMLHttpRequest security bug impacts all Mozilla-based browsers. "The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms, and in Netscape versions 6.1 and higher." (First LWN report: May 2).

This week's updates:

Previous updates:

  • The fix is in Mozilla 1.0 branch nightly builds dated 2 May 2002 or later.

ZDNet also covered the vulnerability with a focus on its presence in Netscape.

Buffer overflow in OpenSSH's sshd. According to the advisory, it could be remotely exploitable, but only under a set of relatively rare conditions: "AFS has been configured on the system or if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled by default." (First LWN report: April 25).

The problem is fixed in the OpenSSH 3.2.2 release.

This week's updates:

Previous updates:

Both PHP3 and PHP4 have vulnerabilities in their file upload code which can lead to remote command execution. This one could be ugly; sites using PHP should apply updates at the first opportunity. If an update isn't available for your distribution, users of PHP 4.0.3 and later are encouraged to consider disabling file upload support by adding this directive to php.ini:

  
    file_uploads = Off

CERT has issued this advisory on the problem. This article in the Register also talks about the vulnerability. (First LWN report: March 7).

Developers using the 4.2.0 branch are not vulnerable, because file upload support was completely rewritten for that branch.

This week's updates:

Previous updates:

Update: Despite some concern expressed in an earlier report by LWN, these updates do, in fact, fix the problem. The original update from the php team fixes the security hole but introduces a "rare segfault condition" that is not a security problem.

Sharutils potential privilege escalation using uudecode. According to the CVE entry, "uudecode, as available in the sharutils package before 4.2.1, does not check whether the filename of the uudecoded file is a pipe or symbolic link, which could allow attackers to overwrite files or execute commands." (First LWN report: May 16).
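As an added illustration of the missing check described in the CVE entry, the following Python is not sharutils' code and not the fix the project shipped; it shows one defensive way a decoder can open its output name so that a symbolic link or a FIFO planted under that name cannot redirect the write. The fixture directory, the file names and the payload are constructed for the demo.

```python
import fcntl
import os
import shutil
import stat
import tempfile


class UnsafeOutputPath(Exception):
    """The requested output name does not resolve to a regular file."""


def open_decoded_output(path, mode=0o644):
    """Open `path` for writing a decoded payload, refusing symlinks and pipes.

    O_NOFOLLOW makes open() fail (ELOOP) when the final path component is a
    symbolic link, so a link named after the output file can never redirect
    the write.  O_NONBLOCK makes opening a FIFO with no reader fail (ENXIO)
    instead of hanging.  fstat() on the descriptor we actually hold confirms
    it is a regular file before any byte is written, which avoids a
    check-then-open race.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags, mode)
    except OSError as exc:
        raise UnsafeOutputPath(f"{path}: {exc.strerror}") from exc
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise UnsafeOutputPath(f"{path}: not a regular file")
    # Back to ordinary blocking writes now that we know what we hold.
    fcntl.fcntl(fd, fcntl.F_SETFL, fcntl.fcntl(fd, fcntl.F_GETFL) & ~os.O_NONBLOCK)
    return fd


def build_fixture():
    """Constructed layout: a real file, a symlink pointing at it, and a FIFO."""
    d = tempfile.mkdtemp(prefix="uudecode-demo-")
    target = os.path.join(d, "target")
    with open(target, "w") as f:
        f.write("original\n")
    os.symlink(target, os.path.join(d, "link-to-target"))
    os.mkfifo(os.path.join(d, "fifo"))
    return d


def classify_outputs(directory):
    """Try to write a constructed payload to each candidate name; report the verdict."""
    verdicts = {}
    for name in ("plain.txt", "link-to-target", "fifo"):
        path = os.path.join(directory, name)
        try:
            fd = open_decoded_output(path)
        except UnsafeOutputPath:
            verdicts[name] = "refused"
            continue
        os.write(fd, b"decoded payload\n")
        os.close(fd)
        verdicts[name] = "written"
    return verdicts


def run_demo():
    """Build the fixture, run the checks, and confirm the symlink target is untouched."""
    d = build_fixture()
    try:
        verdicts = classify_outputs(d)
        with open(os.path.join(d, "target")) as f:
            target_untouched = f.read() == "original\n"
    finally:
        shutil.rmtree(d)
    return verdicts, target_untouched


if __name__ == "__main__":
    print(run_demo())
```

Running the demo writes only `plain.txt`; the symlink and the FIFO are refused, and the file the symlink pointed at keeps its original contents. The same open-then-fstat pattern applies to any program that writes to a filename it did not choose itself.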

This week's updates:

Previous updates:

Multiple vulnerabilities in tcpdump. Version 3.5.2 fixed a buffer overflow vulnerability in all prior versions. However, newer versions, including 3.6.2, are vulnerable to another buffer overflow in the AFS RPC functions that was reported by Nick Cleaton. (First LWN report: May 9).

Both problems appear to have been reported and fixed in FreeBSD some months ago. The CIAC report on the vulnerability in versions prior to 3.5.2 is dated October 31, 2000. Nick Cleaton's FreeBSD security advisory on the AFS RPC bug, and the reference to a fix for FreeBSD, is dated July 17, 2001. Tcpdump 3.7 was released on January 21, 2002.

This week's updates:

Previous updates:

Webmin/Usermin vulnerabilities. Webmin is a web-based interface for system administration for Unix. Webmin has cross-site scripting and session ID spoofing vulnerabilities which are fixed in the May 6, 2002 release of version 0.970. (First LWN report: May 9).

This one is scary. The session ID spoofing vulnerability allows the "possibility that arbitrary commands may be executed with root privileges." Upgrading is strongly recommended. At a minimum, avoid the "preconditions for a successful exploit" by disabling password timeouts under Webmin->Configuration->Authentication.

This week's updates:

Resources

Linux security week. The and publications from LinuxSecurity.com are available.

Cross Site Scripting FAQ. Cgisecurity.com has published The Cross Site Scripting FAQ "which covers frequently asked questions in relation to Cross Site Scripting Attacks."

Events

Upcoming Security Events.

Canadian Security & Intelligence Conference for 2002 announced. CSICON will be held August 19-21, 2002 at the Hyatt Regency, Calgary, Alberta, Canada. "This is a technical security conference aimed at IT Professionals, and IT Security Managers. Enjoy three days filled with presentations and discussions around IT Security issues free of vendor pitches."

ICICS 2002 call for papers. The 4th International Conference on Information and Communications Security will be held December 9-12, 2002 in Singapore. "Original papers on all aspects of information and communications security are solicited for submission. The proceedings of ICICS'02 will be published in Springer-Verlag's Lecture Notes in Computer Science series."

Date | Event | Location
May 27 - 31, 2002 | 3rd International SANE Conference (SANE 2002) | Maastricht, The Netherlands
May 29 - 30, 2002 | RSA Conference 2002 Japan (Akasaka Prince Hotel) | Tokyo, Japan
May 31 - June 1, 2002 | SummerCon 2002 (Renaissance Hotel) | Washington D.C., USA
June 17 - 19, 2002 | NetSec 2002 | San Francisco, California, USA
June 24 - 28, 2002 | 14th Annual Computer Security Incident Handling Conference (Hilton Waikoloa Village) | Hawaii
June 24 - 26, 2002 | 15th IEEE Computer Security Foundations Workshop (Keltic Lodge, Cape Breton) | Nova Scotia, Canada
June 28 - 29, 2002 | Edinburgh Financial Cryptography Engineering 2002 | Edinburgh, Scotland

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney


May 23, 2002

Eklektix, Inc. Linux powered! Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds