[LWN.net]

Security

News

Privacy issues on the Internet took the spotlight again as IBM declared its intent to pull advertising from sites without clearly stated privacy policies. This is probably one of the best ways to encourage commercial sites to take privacy issues seriously: grab their wallets and squeeze hard.

Good news for encryption politics? This news.com article talks about another U.S. politician that has changed his tune about encryption issues. Unfortunately, he's introducing alternate legislation that would ease controls, but not fully until 2002. The Security and Freedom through Encryption Act remains the better bill. However, the latest move is another indication that support for the current White House policy on encryption is dwindling.

Security problems with insmod were the topic of this long message from Brian Szymanski. Insmod is a command that can be used to install a loadable kernel module. However, Brian's note mentions that the modprobe command is actually the recommended tool to use for this task. In addition, insmod has some security weaknesses that are potentially exploitable. As a result, version 2.2.2-pre6 of modutils, the package that contains insmod, has been produced. Any version of insmod prior to 2.2.2-pre6 will be vulnerable.

Denial of service attacks and sendmail were the topic of one thread on Bugtraq this week. In particular, the thread discussed attacks launched from a local user account which filled up a file system and therefore halted the mail server. The summary from the thread indicated that this was not a sendmail or MTA problem per se, but a general problem of how to prevent resource starvation caused by the actions of someone with access to an account on your system. Generally, such attacks are dealt with by finding the culprit and dealing directly with them. It is an example, however, of why even basic user accounts need good password security and protection, since even the compromise of a non-privileged account can leave you vulnerable to this type of attack.

Security Reports

rsync 2.3.1 has been released in order to fix a security hole discovered in 2.3. Here is the announcement, along with links to the source. The bug reported is serious, so anyone using rsync should upgrade as soon as possible.

Debian has released a new procmail package with fixes for multiple buffer overflows. Upgrading to this package is highly recommended. Philip Guenther, the gentleman that fixed most of these overflows, posted this note with information on the problems found and pointers to the source code for people interested in his modifications. No word from other distributions so far. Philip later announced procmail 3.13.1, with a couple more buffer overflows repaired.

The Xylan OmniSwitch has an interesting lack of security features, as described in two email messages posted to Bugtraq: message 1 and message 2. If you have one of these, you may want to check out the postings, confirm the reported problems and talk to your vendor. However, the problem reported has only been confirmed with the 3.1.8 and 3.1.9 versions of the code, so if you are running a newer version, you may not be affected.

ICQ-Webserver users need to check out this security report from Jan Vogelgesang. If confirmed, it indicates a severe enough security problem with ICQ-Webserver that you will probably not want to continue using the software until it has been repaired.

Updates

Procmail can also be used against Melissa, et al. John D. Hardin dropped us a line to point out that the same CERT advisory that describes how sendmail can be used to filter mail containing the Melissa virus also contained a link to a web page containing information on how to use procmail to search for Melissa as well. The site actually includes a variety of email security notes and the procmail filter continues to be developed and improved.

Resources

For your amusement, if any of you have managed not to see the Tuxissa Virus Report, it is worth a chuckle or two.

Rob Slade's review of "Hacker Proof", a book by Lars Klander, is now available. [Source: ISN mailing list]

The alpha2 release of the Nessus security scanner has been released. It is claimed to be stable and usable by all, despite its "alpha" designation.

Section Editor: Liz Coolbaugh


April 8, 1999

Eklektix, Inc. Linux powered! Copyright © 1999 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds