Security News

The theme of the week seems to be small problems involving information leakage or general sloppiness. Nothing too big or earthshaking, at least for those of us not running Windows systems.

Bencsath Boldizsar reported a problem with sudo: it will inform a clever user of the existence and permissions of files in a protected directory. The files themselves remain inaccessible, but it really would be better not to leak information about them at all.

Similarly, a problem exists with ssh 2: its behavior differs depending on whether the account an intruder attempts to log in to exists or not, so it is possible to determine whether a given account exists on a system. See the report from Alfonso Lazaro Tellez for details.

Then there is a logging problem with su on Red Hat systems, and probably on any other system which uses PAM. If an su fails due to a bad password, the sequence of operations seems to be:
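The ssh 2 and sudo reports above describe the same class of weakness: a privileged program that answers differently depending on whether a protected object (an account, a file) exists hands an unprivileged user an existence oracle. The following Python example is added here; it is not code from either report, nor from ssh or sudo. It uses a constructed, hypothetical login service with a hard-coded user table to show how an attacker turns distinguishable failure responses into account enumeration, and how a single uniform response, with the same hashing work on every path so that timing does not reopen the leak, closes it.

```python
import hashlib
import hmac
from typing import Callable, Dict, Iterable, Set

# Constructed user database for the example (hypothetical; not from any report).
# A fixed salt keeps the results deterministic; real code uses a random salt per user.
_SALT = b"constructed-example-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000)


USERS: Dict[str, bytes] = {
    "alice": _hash("correct horse", _SALT),
    "root": _hash("hunter2", _SALT),
}

# Hashed once so that a probe against a nonexistent account costs the same
# work as a probe against a real one (timing is a second existence oracle).
_DUMMY = _hash("dummy-password", _SALT)


def leaky_login(user: str, password: str) -> str:
    """Two distinct failure messages: the caller learns whether `user` exists."""
    stored = USERS.get(user)
    if stored is None:
        return "no such user"
    if hmac.compare_digest(stored, _hash(password, _SALT)):
        return "ok"
    return "bad password"


def hardened_login(user: str, password: str) -> str:
    """One failure message, and identical work whether or not `user` exists."""
    exists = user in USERS
    stored = USERS[user] if exists else _DUMMY
    match = hmac.compare_digest(stored, _hash(password, _SALT))
    if exists and match:
        return "ok"
    return "login failed"


def enumerate_accounts(login: Callable[[str, str], str],
                       candidates: Iterable[str],
                       probe_password: str = "x") -> Set[str]:
    """Attacker side: a name exists if its failure differs from a known-bogus name's.

    Works against any oracle whose response depends on existence; the
    probe password is deliberately wrong so only the failure path is exercised.
    """
    baseline = login("zz-no-such-account-zz", probe_password)
    return {name for name in candidates
            if login(name, probe_password) != baseline}


if __name__ == "__main__":
    wordlist = ["alice", "bob", "root", "guest"]
    print("leaky   :", sorted(enumerate_accounts(leaky_login, wordlist)))
    print("hardened:", sorted(enumerate_accounts(hardened_login, wordlist)))
```

The same fix applies to the sudo case: a privileged program resolving a path under a directory the invoking user cannot traverse should collapse "no such file" and "permission denied" into one answer, since the distinction is precisely the information being leaked.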
Security Reports

CERT recently issued a security advisory for rpc.statd. Please note that Linux systems generally do not run rpc.statd (and those that do run a newer version), so they should not be impacted by this advisory.

A KMail security problem is addressed by this Caldera advisory, which contains pointers to updated rpms. [Recommended upgrade if you use KMail]

The Debian man-db package is vulnerable to a symlink attack; an updated package has been made available. [Recommended upgrade]

Updates

Red Hat has put out updated versions of wu-ftpd and imap. Upgrades are recommended, though the imap patch only fixes a POP-2 problem on Red Hat 4.x and 5.x systems, and thus will not apply unless you are running the older POP-2 server.

Red Hat has also issued updates for the dev, rxvt, and screen packages, fixing a vulnerability in those packages.

Resources

Matthew Franz asked us to remind people about his OpenSEC web page. OpenSEC contains a well-organized set of links to open-source-based security tools and a moderated announcement list. A moderated discussion list is also in the works.

Events

SANS Linux security workshop. SANS has issued a call for papers for their "Workshop On Securing Linux," which will be held in San Francisco on December 15 and 16, 1999.

Section Editor: Liz Coolbaugh
June 17, 1999