Sections: Main page Linux in the news Security Kernel Distributions Development Commerce Announcements Back page All in one big page See also: last week's Security page. |
SecurityNewsNasty holes of the week: a couple of unpleasant ones came around this time.
CERT has put out an advisory about trojan horse problems. The advisory (available here) contains little new information for readers of these pages. (Although, perhaps, many Linux users were unaware of the fake Internet Explorer upgrade...) It does contain a good summary of the situation and tells how to recognize trojaned versions of some systems. The "Hurwitz Group" has uncovered that buffer overflows are a security problem and issued this press release to alert the world. "Buffer overflow will continue to be a security problem until all system vulnerabilities are revealed and solutions are put in place..." The product being advertised with this alert evidently works by randomizing the stack address; this approach works against a number of simple attacks, but is far from being a comprehensive solution. Security ReportsThere is a buffer overflow problem in the version of 'lpc' that is shipped with the PLP printer system. Most Linux systems do not use PLP; however, SuSE distributions at 5.2 or earlier did. Thus, folks with an older SuSE installation may wish to consider an upgrade.ResourcesAlpha 7.1 of the NRL IPv6+IPSec package has been made publicly available. This is a full implementation of these protocols, and it supports Linux. (They claim it works with the 2.1 kernel; one assumes that 2.2 will work as well). See NRL's web page for more information. The license is of the BSD variety; however, encryption support is only available within the U.S.Network Associates announced a version of their "CyberCop" scanner for Linux; see their press release for more. For an alternative point of view on the value of their announcement, see this note from the ISN moderator... |
February 11, 1999 |