Security

Last June, it was first announced that Tripwire, a program that helps monitor an installed software base and report possible compromises, had been turned over to a commercial entity. At the time, we asked if anyone was maintaining the original, free version. The answer appeared to be "No". Recently on Bugtraq, a thread titled "Tripwire Mess" discussed a bug in Tripwire 1.2 and earlier versions. It turns out that this bug is fixed in version 1.3 of Tripwire. Tripwire 1.3 was released by Tripwire Security Systems, Inc. in July this year. However, it is not a commercial product. It was released under the same Academic Source Release (ASR) license as the original Tripwire. So for any of you using Tripwire, upgrading to Tripwire 1.3 is highly recommended (but requires an email address for confirmation).

In the aforementioned Bugtraq thread, Gene Spafford posted a note explaining why Purdue chose to turn Tripwire over to Gene Kim (the original author) and his company. Purdue was uninterested in doing support for Tripwire and very much wanted to see the code ported to the Windows environment and enhanced. Jon Speer, Product Manager for Tripwire Security Systems, Inc., also posted a note, stating that they intend to provide occasional updates to the original ASR releases, as they did when they released Tripwire 1.3. In a followup phone call, Jon went further, stating that they are committed to providing "whatever tools or resources the community requires" in order to support the original ASR version of Tripwire. "While we are building a company around the commercial release, we do not want the spirit or functionality of the academic version of Tripwire to die". In the meantime, if you are interested in more news about Tripwire, keep your ears open for reports from the upcoming RSA '99 conference.

An updated version of the OpenSSL Project Announcement has been posted. The new announcement indicates that efforts to maintain and improve SSLeay have been merged into the OpenSSL project, to benefit the community. The result of the project should be "a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide." It will definitely be released under an open source license.
The discussion on Bugtraq as to the most secure way to implement
an MTA (Mail Transfer Agent) continues without reaching any
final conclusion. A couple of notes from this week's discussion
that are interesting include one from Illuminatus Primus, describing his ideas on inter-process
communication, and one from D.J. Bernstein on the "costs and benefits of splitting
a setuid program into an unprivileged user process and a non-setuid daemon".
The latter advocates the use of getpeeruid(), a call that would let the
daemon ask the kernel for the uid of the process on the other end of a
local connection instead of trusting what the client says about itself. His
comment, though, that implementing getpeeruid() under Linux would
be a five-minute job for a kernel implementor also provoked
response, not because the implementation was difficult, but
because he didn't allow time for careful design and validation.
Note that Aleph One has closed Bugtraq discussion of qmail and
postfix, so future discussions will presumably take place on
the qmail and postfix mailing lists instead.
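As an added illustration of the split design Bernstein describes (example code written for this page, not taken from the thread, from qmail or postfix, or from any kernel): a non-setuid daemon that learns the identity of its local client from the kernel rather than from the request it received. getpeeruid() was a proposal; the code below uses what the platforms actually provide for the same purpose, the SO_PEERCRED socket option on Linux and getpeereid() on the BSDs and macOS. The function names peer_uid(), may_act_as_uid(), authorize_connection() and demo_peer_credentials() are this example's own.

```c
#define _GNU_SOURCE            /* struct ucred and SO_PEERCRED on glibc */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

/* Fill in the credentials of the process on the other end of a connected
 * AF_UNIX socket (one end of a socketpair(), or a peer that connect()ed to
 * a listening socket). Linux reports uid, gid and pid through SO_PEERCRED;
 * the BSDs and macOS report uid and gid through getpeereid(), so pid is
 * set to -1 there. Returns 0 on success, -1 with errno set on failure.
 * peer_uid() is this example's name, chosen to mirror the getpeeruid()
 * Bernstein asked for; it is not an existing system call. */
int peer_uid(int fd, uid_t *uid, gid_t *gid, pid_t *pid)
{
#if defined(__linux__)
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) < 0)
        return -1;
    *uid = cr.uid;
    *gid = cr.gid;
    *pid = cr.pid;
#else
    if (getpeereid(fd, uid, gid) < 0)
        return -1;
    *pid = -1;
#endif
    return 0;
}

/* The policy half of the design: a request to act as `requested` is
 * honoured only when the kernel-reported peer uid is that user (or root).
 * Whatever the client wrote into the request about who it is is never
 * consulted. Returns 1 to allow, 0 to deny. */
int may_act_as_uid(uid_t peer, uid_t requested)
{
    return peer == 0 || peer == requested;
}

/* Apply the policy to one connection: ask the kernel who the peer is,
 * then decide. Returns 1 allow, 0 deny, -1 if the lookup failed (a caller
 * should treat -1 as deny; it is kept distinct here so failures are
 * visible). */
int authorize_connection(int fd, uid_t requested)
{
    uid_t uid;
    gid_t gid;
    pid_t pid;
    if (peer_uid(fd, &uid, &gid, &pid) < 0)
        return -1;
    return may_act_as_uid(uid, requested);
}

/* Self-check on a socketpair(): both ends belong to this process, so the
 * kernel must report our own effective uid and gid (and, on Linux, our
 * pid), and a request to act as ourselves must be allowed.
 * Returns 0 on agreement, 1 on a mismatch, -1 on a syscall failure. */
int demo_peer_credentials(void)
{
    int sv[2];
    uid_t uid;
    gid_t gid;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int rc = peer_uid(sv[0], &uid, &gid, &pid);
    int allow_self = authorize_connection(sv[1], geteuid());
    close(sv[0]);
    close(sv[1]);
    if (rc < 0 || allow_self < 0)
        return -1;
    if (uid != geteuid() || gid != getegid() || allow_self != 1)
        return 1;
    if (pid != -1 && pid != getpid())
        return 1;
    return 0;
}

int main(void)
{
    int r = demo_peer_credentials();
    printf("peer credentials: %s\n",
           r == 0 ? "match our own" : r == 1 ? "MISMATCH" : "lookup failed");
    return r != 0;
}
```

The point of the split is that the daemon never runs setuid and never parses a claimed identity: the uid comes from the kernel, which set it when the connection was made, so a client cannot forge it the way it could forge a "from" field in the request. The same check is what a real daemon would run on each accept()ed connection before acting on the user's behalf.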
Donald McLachlan asked Bugtraq for information on past or current
probes/attacks using multicast and followed up with this summary of the responses he received. Actual multicast-based
attacks seem rare, but ideas on how they could be done are not.
Bruce Redmon confirmed last week's report
of a denial of service problem with Oracle8 in this message, forwarded to us by Jason Ackley.
Ben Woodard reported another bug that can crash HP printers. He mentions
that HP has been informed and is working on a
JetDirect flash upgrade to resolve the problem.
Cisco finally released their security notice regarding versions of Cisco IOS software
that crash or hang in response to invalid UDP packets. As
usual, the notice contains information to help determine whether or
not the version of software you are using is vulnerable and how to
get a fix for the problem if it is.
Jon Ribbens filed a note about a buffer overflow in the cgic library.
Continuing reports of vulnerabilities to nmap scans have been
seen this week. Here is the report on Neoware X-Terminals.
Sekure SDI filed a report on problems in mSQL with the use of buffers with
unchecked bounds. As a consequence, all versions of mSQL are
vulnerable to a Denial-of-Service attack. The report contains
a pointer to the patch they have provided.
The National Information Systems Security Conference (NISSC)
has issued its Call for Papers. The conference will be held the week of
October 18, 1999.
January 14, 1999