
Security


News

Does building a serial number into each computer processor improve security? Intel argues that it does in this article on the upcoming Pentium III chip. Bruce Schneier, author of Applied Cryptography, argues differently in his article. In fact, he predicts that "patches that randomize the ID number will be available on hacker Web sites within days of the new chips hitting the streets." The underlying point is that an identifier which software can read is an identifier which software can forge, so it cannot serve as a credential. He makes a persuasive case that the only real use for the CPU serial number will be to discourage theft and depress the market for stolen processors. [Found in ISN]

Security Reports

The incidents this week in which the source for TCP Wrappers and other software packages was modified on ftp.win.tue.nl are covered on our Front Page. One detail not mentioned there: the original CERT advisory contained an error, and a revised edition was posted as a result. Also note that no advisory was posted for the modifications to the util-linux package. Again, please use these incidents, which will not be the last, to justify the time and effort required to check the signatures on packages before you install them. Bear in mind that a checksum fetched from the same server as the tarball proves nothing when that server is the one that was compromised; the signature, or the checksum list, has to be checked against something obtained through a separate channel.

As a follow-up, Trevor Johnson has released util-linux-2.9h. His posting indicates that the new version is available on both sunsite and tsx-11. And, of course, check the checksum if you choose to download it!
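The check that both of the preceding items ask for, as an added example written for this page (it is not code from LWN, CERT, or the util-linux project): verify a downloaded tarball against a checksum list that was obtained out of band, and refuse to proceed on a mismatch or when the list has no entry for the file. SHA-256 is assumed here in place of the MD5 sums of the period; the tarball, the "mirror" copy with a trojan appended, and the checksum list are all constructed stand-ins, not real releases.

```shell
# Added example: verify a package against a checksum list obtained through a
# separate channel (the author's announcement mail, a signed CHECKSUMS file),
# never from the same mirror that served the tarball.
# All files created below are constructed stand-ins, not real util-linux releases.

digest_of() {
    # SHA-256 is assumed; the 1999 practice was MD5, which is no longer adequate.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_against_list FILE LIST
#   returns 0  digest matches the LIST entry for FILE's basename
#   returns 1  an entry exists but the digest differs (tampered or corrupt download)
#   returns 2  LIST has no entry for this file (nothing has been verified at all)
verify_against_list() {
    name=$(basename "$1")
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$2")
    [ -n "$expected" ] || return 2
    [ "$(digest_of "$1")" = "$expected" ]
}

# report FILE LIST: human-readable verdict; only OK may lead to an install.
report() {
    if verify_against_list "$1" "$2"; then
        echo "OK        $1"
    elif [ $? -eq 2 ]; then
        echo "UNLISTED  $1  (refuse to install: unverified)"
    else
        echo "MISMATCH  $1  (refuse to install: digest differs)"
    fi
}

# --- constructed sample data -------------------------------------------------
WORKDIR=$(mktemp -d)
PKG=sample-2.9h.tar.gz
mkdir -p "$WORKDIR/pristine" "$WORKDIR/mirror"

# The author's pristine tarball and the checksum list published alongside it
# (in practice: taken from the announcement, not from the mirror).
printf 'constructed sample tarball contents\n' > "$WORKDIR/pristine/$PKG"
printf '%s  %s\n' "$(digest_of "$WORKDIR/pristine/$PKG")" "$PKG" > "$WORKDIR/CHECKSUMS"

# The mirror's copy: same name, but with a trojan appended, so the digest differs.
cp "$WORKDIR/pristine/$PKG" "$WORKDIR/mirror/$PKG"
printf 'backdoor()\n' >> "$WORKDIR/mirror/$PKG"

report "$WORKDIR/pristine/$PKG" "$WORKDIR/CHECKSUMS"
report "$WORKDIR/mirror/$PKG" "$WORKDIR/CHECKSUMS"
report "$WORKDIR/mirror/other-1.0.tar.gz" "$WORKDIR/CHECKSUMS"
```

The third case matters as much as the second: a file that the list does not cover has not been verified at all, and treating "no entry" as "no problem" is how a trojaned tarball slips through alongside genuine ones.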

A long thread on Bugtraq discussed problems with ssh, specifically situations where people with expired accounts were still allowed to access a system through ssh. To fix this, both ssh 1.2.26 and 2.0.11 can be recompiled with -DHAVE_STRUCT_SPWD_EXPIRE defined, as explained in this note from Raymond T Sundland. The thread also contained a good deal more discussion of the authorization process. Aleph One summed up the situation best in one of his administrative notes:

It simply comes down to the fact that SSH, like all other services, must check all available authorization policies before providing its service. But the large set of possible restrictions implemented by different unix flavors (account expiration, password expiration, time of day, source location, load, etc) almost assures that it will miss some of them.
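To make the ssh item and Aleph One's point concrete, here is an added example (not ssh's code, and not from the Bugtraq thread) of the shadow-file policies a login service has to evaluate on every authentication path, key-based as well as password-based, before granting access. It assumes the standard shadow(5) field layout; the entries are constructed with placeholder hashes, and nothing reads the real /etc/shadow. The function names account_status and allow_login are this example's own.

```shell
# Added example: the shadow-file account checks a login service must apply
# on every authentication path.  Entries are constructed; hashes are placeholders.
#
# Shadow entry fields (colon separated):
#   name:passwd:lastchg:min:max:warn:inact:expire:flag
# lastchg and expire are days since 1970-01-01; TODAY is in the same unit.

# account_status ENTRY TODAY -> prints one of:
#   locked | expired | inactive | password-expired | ok
account_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        passwd = $2; lastchg = $3; max = $5; inact = $7; expire = $8
        # A locked ("!") or starred hash means no password login at all.  A
        # public-key path that never looks at the password field misses this.
        if (passwd == "*" || substr(passwd, 1, 1) == "!") { print "locked"; exit }
        # Account expiry: the account is disabled on and after the expire day.
        if (expire != "" && expire + 0 > 0 && today + 0 >= expire + 0) {
            print "expired"; exit
        }
        if (max != "" && lastchg != "") {
            # Password aged out and the inactivity grace period has passed too.
            if (inact != "" && today + 0 > lastchg + max + inact) { print "inactive"; exit }
            # Password aged out: it must be changed before service is granted.
            if (today + 0 > lastchg + max) { print "password-expired"; exit }
        }
        print "ok"
    }'
}

# allow_login ENTRY TODAY: succeeds only when every policy above passes.
allow_login() {
    [ "$(account_status "$1" "$2")" = "ok" ]
}

# Constructed entries.  Day 10600 falls in early 1999.
TODAY=10600
ALICE='alice:$1$salt$placeholderhash:10500:0:99999:7:::'    # current password
BOB='bob:$1$salt$placeholderhash:10500:0:99999:7::10590:'    # account expired on day 10590
CAROL='carol:$1$salt$placeholderhash:10400:0:90:7:::'        # password older than 90 days
DAVE='dave:$1$salt$placeholderhash:10400:0:90:7:30::'        # 90 days + 30 inactive, disabled
EVE='eve:!$1$salt$placeholderhash:10500:0:99999:7:::'        # locked by the administrator

for entry in "$ALICE" "$BOB" "$CAROL" "$DAVE" "$EVE"; do
    printf '%-8s %s\n' "${entry%%:*}" "$(account_status "$entry" "$TODAY")"
done
```

Only alice gets "ok". Each of the other four is a distinct policy that a service can miss independently, which is why a single compile-time fix for account expiry addresses one symptom of the problem Aleph One describes rather than the problem itself.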

Leif Sawyer reported a Quake 2 server crash, apparently caused by a buffer overflow. The matter has been reported. Signal 11 confirmed a similar problem in Quakeworld, which was resolved some time ago. Additional information, and confirmation that at least one of these overflows is now being actively exploited, was found in this note, forwarded to Bugtraq by Patrick Oonk. Fixes for the problems are in the works, but not yet available.

John Stanley reported a security problem with the WebRamp M3, a small SOHO router, where turning off "visible computer" is much less effective than one would hope. Technical support at WebRamp is apparently not much interested in the report, and possibly not in James Engelhof's note either, which lists well-known default passwords for the WebRamp. None of this speaks well for security at this company. Hopefully they will wake up and address the problems soon; in the meantime, anyone running one of these units should at least make sure the default passwords have been changed.

Spikeman reported a bug in mIRC 5.5's newly introduced DCC server. Sandro Jurado followed up with a few more details.

Updates

Last week, we mentioned reports from Michal Zalewski regarding bugs in the latest version of sendmail, 8.9.2. This week, this post from Gregory Shapiro states that, working with Michal, they have concluded that the first reported "bug" is in fact a configuration error. He recommends that people upgrading to 8.9.2 be sure to upgrade their sendmail.cf as well.

As for the "Headers Prescan" denial-of-service vulnerability that Michal mentioned, the same posting indicates that they verified Michal's patch, improved it, and will incorporate the fix into the next sendmail release. The latest patch and instructions are in the posting for those who want to fix their sendmail immediately. Note that there is a minor error in the posting, pointed out by Phil Stracchino.

Resources

HERT (Hacker Emergency Response Team) has released auditd 1.10 for Linux. auditd is part of the Linux kernel auditing toolkit.

Bryan Andregg posted a note to remind or inform people that the domains example.com and example.net have been reserved for use in documentation, examples and talks, so that real domains are not passed around and, as a result, abused.

Events

The call for papers for the New Security Paradigms Workshop 1999, to be held September 22nd through 24th in Caledon Hills, Ontario, Canada, has been released.


January 28, 1999
Eklektix, Inc. Linux powered! Copyright © 1999 Eklektix, Inc., all rights reserved