
Security


News

Remember, our security coverage last week was spotty, due to our attendance and involvement in the LinuxWorld Expo. Therefore, some of the reports below are older than this week. We've tried to group information together, old and new, to make it more understandable. As a result, some information may be repeated.

Several ISPs were recently impacted by a program called GeoList Professional, from earthonline.com. The program works through a hardcoded list of over 4000 domains, probing each one's mail server for valid user names taken from a dictionary; the volume of those probes amounts, in effect, to a Denial-of-Service attack on the affected machines. Earthonline's response has been to pull the product. To see if you are in a domain that was affected, you can check this list of domain names hardcoded into the program. In the meantime, the report generated a great deal of mail on the Bugtraq list about how to properly configure your Mail Transfer Agent (MTA) to handle attacks of this sort. No single solution was agreed to be the best, but the discussion was interesting and enlightening ...

On the Cryptography Front, this Wired News article describes the return of the cryptography bill to Congress. That sounds like good news, until you get to the comments that the bill was written to benefit industry, not the individual. You can judge for yourself by going to the Thomas site and searching for "Security and Freedom Through Encryption Act" (the SAFE Act; note that the bill number in the Wired article is wrong). From a brief scan, it appears to exclude free software from export restrictions.

Security Reports

A new buffer overflow in Super was reported one day and fixed the day before. Now, that's service! Take a closer look at the URL for the fix. It is a note from the author of Super, William Deich. Because the two problem reports for super came so close together, he did a comprehensive audit of the code this time and integrated four further changes to address weaknesses that he found. As Ryan Russell on Bugtraq commented, this was an exemplary way to handle the problem.

Mutt version 0.95.4 was released in order to fix problems with mutt's temporary file name generator and some inconsistent library call handling. These bugs open up potentially serious security problems, so it is recommended that you update your mutt packages. Unfortunately, no vendor reports have yet come out, although a conversation at LinuxWorld indicated that the Debian 2.1 release was held up, in part, in order to fix this problem. The March 8th Debian changes log for the Intel architecture indicates that an updated package for mutt was uploaded to fix security problems, package mutt-0.95.3-0.2.
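The mutt item turns on a general point that is worth seeing in code: a temporary file whose name can be guessed lets another local user plant a symlink at that path ahead of time, so that the program's own open() clobbers a file the attacker chose. The following is an added example, not mutt's code, showing the predictable-name pattern, the symlink attack against it, and the mkstemp() pattern that defeats it. It assumes a Linux/glibc system with a writable /tmp; the "mutt-" prefix is only a label.

```c
/* Added example (not mutt's code): predictable temp file names vs mkstemp().
 * Assumes Linux/glibc and a writable /tmp. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { BUF = 512 };

/* Unsafe pattern: the name depends only on the PID, so another local user
 * can guess it and plant a symlink there before we create the file. */
static int predictable_name(char *buf, size_t len, const char *dir)
{
    int n = snprintf(buf, len, "%s/mutt-%ld", dir, (long)getpid());
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Safe pattern: mkstemp() fills in XXXXXX with random characters and opens
 * with O_CREAT|O_EXCL, so a pre-placed symlink or file makes it fail with
 * EEXIST instead of being followed. The umask keeps the file 0600. */
static int safe_tmpfile(char *tmpl, size_t len, const char *dir)
{
    int n = snprintf(tmpl, len, "%s/mutt-XXXXXX", dir);
    if (n <= 0 || (size_t)n >= len)
        return -1;
    mode_t old = umask(077);
    int fd = mkstemp(tmpl);
    umask(old);
    return fd;
}

/* Scenario, played out in a private scratch directory: the attacker has
 * already linked the guessable path to "victim". Returns 0 when each step
 * behaves as described above, otherwise the number of the failing step. */
int run_scenario(void)
{
    char dir[] = "/tmp/lwn-demo-XXXXXX";
    if (!mkdtemp(dir))
        return 1;

    char victim[BUF], pred[BUF], tmpl[BUF];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (predictable_name(pred, sizeof pred, dir) != 0)
        return 2;

    /* attacker wins the race: a symlink sits at the guessed name */
    if (symlink(victim, pred) != 0)
        return 3;

    /* naive open(O_CREAT) follows the link and creates/truncates victim */
    int fd = open(pred, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return 4;
    close(fd);
    struct stat st;
    if (stat(victim, &st) != 0)      /* victim now exists: attack worked */
        return 5;

    /* O_EXCL refuses any existing path, symlink included */
    if (open(pred, O_WRONLY | O_CREAT | O_EXCL, 0600) != -1 || errno != EEXIST)
        return 6;

    /* mkstemp(): unpredictable name, exclusive create, mode 0600 */
    fd = safe_tmpfile(tmpl, sizeof tmpl, dir);
    if (fd < 0)
        return 7;
    if (fstat(fd, &st) != 0 || (st.st_mode & 0777) != 0600)
        return 8;
    if (strstr(tmpl, "XXXXXX") != NULL)   /* template really was filled in */
        return 9;
    close(fd);

    unlink(tmpl);
    unlink(pred);
    unlink(victim);
    rmdir(dir);
    return 0;
}

int main(void)
{
    int rc = run_scenario();
    if (rc == 0)
        printf("every step behaved as described\n");
    else
        printf("step %d did not behave as described\n", rc);
    return rc;
}
```

The lesson generalises beyond mutt: any program that builds a temp name from the PID, the time, or a counter and then opens it without O_EXCL has this race, and the fix is to let mkstemp() pick the name and perform the exclusive open in one step, then work only through the returned descriptor.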

Gnuplot version 3.5 reportedly has a serious hole that can lead to root compromise where the binary is installed setuid. Of course, 3.5 is an old version; the problem was fixed before the release of Gnuplot 3.7. If you are running SuSE, you may want to check whether this program is installed and remove the suid bit immediately. For even better security, SuSE users should take a look at /etc/rc.config and consider setting PERMISSION_SECURITY="secure".

Security problems with Linux kernel 2.0.35 and earlier are described in this advisory from Network Associates, Inc. The fact that earlier versions of the 2.0 kernel series are vulnerable has already been reported. However, if you've been putting off upgrading your kernel, this report should encourage you to increase the priority of that task.

Fixes for bugs in HP network-connected printers are now available. This includes a fix for the infamous nestea2 and other TCP/IP exploits. This note describes the problems and the firmware upgrades that contain the fixes in more detail. As its author mentions, these firmware upgrades should be considered mandatory for anyone running HP network-connected printers that are exposed to any untrusted traffic.

Updates

Debian's report on a fix for the lsof problem reported in the February 25th Security Section came out on February 26th. The problem can be fixed by upgrading to the debian package lsof-4.37-3 (or presumably later).

Events

ShadowCon October 1999 has issued their Call for Papers and preliminary announcement for the event, which will be held October 26th and 27th, 1999, at the Naval Surface Warfare Center in Dahlgren, Virginia. The event is free.

The Black Hat Briefings '99 is a computer security conference to be held July 7th and 8th in Las Vegas, Nevada, USA. This year, they've added a "white hats track" for CEOs and CIOs. One wonders if they object to segregation ... Here is the official announcement.

The CQRE [Secure] Congress & Exhibition has released its Call-For-Papers for its 1999 conference. CQRE will be held November 30th through December 2nd, 1999, in Duesseldorf, Germany.

Section Editor: Liz Coolbaugh


March 11, 1999

Eklektix, Inc. Linux powered! Copyright © 1999 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds