Security


News

The theme of the week seems to be small problems, involving information leakage or general sloppiness. Nothing too big or earthshaking - at least for those of us not running Windows systems.

Bencsath Boldizsar reported a problem with sudo wherein it will inform a clever user about the existence and permissions of files in a protected directory. Files in the directory remain inaccessible, but it really would be better to not leak the information about them.

Similarly, a problem exists with ssh 2 - its behavior differs depending on whether the account that an intruder attempts to log in to exists. Thus it is possible to find out whether a given account exists on a system. See the report from Alfonso Lazaro Tellez for details.

Then, there is a logging problem with su on Red Hat systems, and probably any other system which uses PAM. If an su fails due to a bad password, the sequence of operations seems to be:

  1. Tell the user "sorry."
  2. Wait for one second
  3. Log the failure

Thus, there is a one-second window where the failure is known to the user, but not logged. Killing su inside that window will prevent logging from happening. It's not too hard to write a program to brute-force passwords using this problem.
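The ordering problem can be checked with a small harness that runs a toy failure handler in a child process and terminates it as soon as the failure is reported. This is an added example, not code from su or PAM: fail_page_order follows the three steps as listed above, fail_log_first is an assumed corrected ordering, and the function names, log text and temporary log path are constructed for illustration.

```python
import os, signal, tempfile, time

def append_log(path):
    """Append a failure record and force it to disk before returning."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    try:
        os.write(fd, b"su: authentication failure (constructed entry)\n")
        os.fsync(fd)
    finally:
        os.close(fd)

def fail_page_order(out_fd, log_path, delay):
    """Ordering reported above: tell the user, wait, then log."""
    os.write(out_fd, b"sorry\n")
    time.sleep(delay)
    append_log(log_path)

def fail_log_first(out_fd, log_path, delay):
    """Assumed corrected ordering: log, wait, then tell the user."""
    append_log(log_path)
    time.sleep(delay)
    os.write(out_fd, b"sorry\n")

def logged_when_interrupted(handler, delay=1.0):
    """Run handler in a child process, kill the child the moment it reports
    the failure, and return True if the failure was still logged."""
    with tempfile.TemporaryDirectory() as tmp:
        log_path = os.path.join(tmp, "auth.log")
        r, w = os.pipe()
        pid = os.fork()
        if pid == 0:                      # child: toy stand-in for su
            try:
                os.close(r)
                handler(w, log_path, delay)
            finally:
                os._exit(0)               # never return into the caller
        os.close(w)
        os.read(r, 6)                     # blocks until "sorry" (or EOF)
        os.kill(pid, signal.SIGKILL)
        os.waitpid(pid, 0)
        os.close(r)
        return os.path.exists(log_path) and os.path.getsize(log_path) > 0

if __name__ == "__main__":
    print("page order logged:", logged_when_interrupted(fail_page_order))
    print("log first logged: ", logged_when_interrupted(fail_log_first))
```

With the log written and flushed before the user learns the outcome, there is no point at which the result is known but unrecorded.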

Security Reports

CERT recently issued a security advisory for rpc.statd. Please note that Linux systems generally do not run rpc.statd (and those that do run a newer version), so they should not be impacted by this advisory.

A KMail security problem is addressed by this Caldera advisory, which contains pointers to updated rpms. [Recommended upgrade if you use KMail]

The Debian man-db package is vulnerable to a symlink attack and therefore an updated package has been made available. [Recommended upgrade]

Updates

Red Hat has put out updated versions of wu-ftpd and imap. Upgrades are recommended, though the imap patch only fixes a POP-2 problem on Red Hat 4.x and 5.x systems, and thus will not apply unless you are running the older POP-2 server.

Red Hat has also issued updates for the dev, rxvt, and screen packages, fixing a vulnerability there.

Resources

Matthew Franz asked us to remind people about his OpenSEC web page. OpenSEC contains a well-organized set of links to open-source-based security tools and a moderated announcement list. A moderated discussion list is also in the works.

Events

SANS Linux security workshop. SANS has issued a call for papers for their "Workshop On Securing Linux," which will be held in San Francisco on December 15 and 16, 1999.

Section Editor: Liz Coolbaugh


June 17, 1999


Secure Linux Projects
Bastille Linux
Khaos Linux
Secure Linux

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Red Hat Errata
Debian Alerts

Miscellaneous Resources
CERT
CIAC
OpenSEC
SecurityPortal

Eklektix, Inc. Linux powered! Copyright © 1999 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds