LWN.net
Security


Last June, it was first announced that Tripwire, a program that helps monitor an installed software base and report possible compromises, had been turned over to a commercial entity. At the time, we asked if anyone was maintaining the original, free version. The answer appeared to be "No".

Recently on Bugtraq, a thread titled "Tripwire Mess" discussed a bug in Tripwire 1.2 and earlier versions. It turns out that this bug is fixed in version 1.3 of Tripwire. Tripwire 1.3 was released by Tripwire Security Systems, Inc. in July this year. However, it is not a commercial product. It was released under the same Academic Source Release license as the original Tripwire. So for any of you using Tripwire, upgrading to Tripwire 1.3 is highly recommended (but requires an email address for confirmation).

In the aforementioned Bugtraq thread, Gene Spafford posted a note explaining why Purdue chose to turn Tripwire over to Gene Kim (the original author) and his company. Purdue was uninterested in doing support for Tripwire and very much wanted to see the code ported to the Windows environment and enhanced. Jon Speer, Product Manager for Tripwire Security Systems, Inc., also posted a note, stating that they intend to provide occasional updates to the original ASR releases, as they did when they released Tripwire 1.3. In a followup phone call, Jon went further to state that they are committed to providing "whatever tools or resources the community requires" in order to support the original ASR version of Tripwire. "While we are building a company around the commercial release, we do not want the spirit or functionality of the academic version of Tripwire to die."

In the meantime, if you are interested in more news about Tripwire, keep your ears open for reports from the upcoming RSA '99 conference.

An updated version of the OpenSSL Project Announcement has been posted. The new announcement indicates that efforts to maintain and improve SSLeay have been merged into the OpenSSL project, to benefit the community. The result of the project should be "a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide." It will definitely be released under an open source license.

The discussion on Bugtraq as to the most secure way to implement an MTA (Mail Transfer Agent) continues without reaching any final conclusion. A couple of notes from this week's discussion that are interesting include one from Illuminatus Primus, describing his ideas on inter-process communication, and one from D.J. Bernstein on the "costs and benefits of splitting a setuid program into an unprivileged user process and a non-setuid daemon". The latter advocates the use of getpeeruid(). His comment, though, that implementing getpeeruid() under Linux would be a five minute job for a kernel implementor also provoked response, not because the implementation was difficult, but because he didn't allow time for careful design and validation.
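The daemon side of the split Bernstein describes needs to learn the uid of the local process that connected to it. Linux never gained a call named getpeeruid(), but the SO_PEERCRED socket option on AF_UNIX sockets returns the same information. The following is an added example (not code from the thread or from any MTA) showing a non-setuid daemon using it to check a client's claimed uid against what the kernel reports; the check runs over a socketpair() so it is self-contained.

```c
#define _GNU_SOURCE          /* struct ucred and SO_PEERCRED (glibc) */
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Return the uid of the process on the other end of a connected AF_UNIX
 * stream socket. This is the Linux way to get what the thread called
 * getpeeruid(). Returns 0 on success, -1 (errno set) on failure. */
int peer_uid(int fd, uid_t *uid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0)
        return -1;
    *uid = cred.uid;
    return 0;
}

/* Daemon-side policy: trust a client's claimed uid only if it matches
 * the uid the kernel reports for the peer. Anything the client sends
 * about itself is untrusted input; the kernel's answer is not.
 * Returns 1 if accepted, 0 if rejected, -1 on error. */
int accept_local_client(int fd, uid_t claimed)
{
    uid_t actual;
    if (peer_uid(fd, &actual) < 0)
        return -1;
    return actual == claimed ? 1 : 0;
}

/* Self-contained demonstration: both ends of a socketpair() belong to
 * this process, so the kernel must report getuid() for the peer, and a
 * claim of any other uid must be rejected. Returns 1 when both checks
 * behave as expected, 0 otherwise, -1 if the socketpair cannot be made. */
int demo(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int ok  = accept_local_client(sv[1], getuid());      /* honest claim */
    int bad = accept_local_client(sv[1], getuid() + 1);  /* forged claim */
    close(sv[0]);
    close(sv[1]);
    return (ok == 1 && bad == 0) ? 1 : 0;
}
```

The hypothetical accept_local_client() stands in for the first thing a real daemon would do after accept(); the point is that the uid comes from getsockopt(), not from the client's message.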

Note that Aleph One has closed Bugtraq discussion of qmail or postfix, so future discussions will presumably take place on the qmail and postfix mailing lists instead.

Donald McLachlan asked Bugtraq for information on past or current probes/attacks using multicast and followed up with this summary of the responses he received. Actual multicast-based attacks seem rare, but ideas on how they could be done are not.

Bruce Redmon confirmed last week's report of a denial of service problem with Oracle8 in this message, forwarded to us by Jason Ackley.

Ben Woodard reported another bug that can crash HP printers. He mentions that HP has been informed and is working on a JetDirect flash upgrade to resolve the problem.

Cisco finally released their security notice regarding versions of Cisco IOS software that crash or hang in response to invalid UDP packets. As usual, the notice contains information to help determine whether or not the version of software you are using is vulnerable and how to get a fix for the problem if it is.

Jon Ribbens filed a note about a buffer overflow in the cgic library.

Continuing reports of vulnerabilities to nmap scans have been seen this week. Here is the report on Neoware X-Terminals.

Sekure SDI filed a report on problems in mSQL with the use of buffers with unchecked bounds. As a consequence, all versions of mSQL are vulnerable to a Denial-of-Service attack. The report contains a pointer to the patch they have provided.

Security-Related Events

The 6th ACM Conference on Computer and Communications Security will be held November 1-4, 1999. For more details, see the conference web page.

The National Information Systems Security Conference (NISSC) has issued its call for papers. The conference will be held the week of October 18, 1999.


January 14, 1999

Eklektix, Inc. Linux powered! Copyright © 1999 Eklektix, Inc., all rights reserved