Security

News

A long thread on Bugtraq this week concentrated on the potential Denial-of-Service vulnerabilities associated with shared memory. Under Linux and a variety of BSD-based systems, the operating system does not check that you are not trying to share more memory than actually exists. In some circumstances, it also does not clean up allocated shared memory after a process is killed.

The consequences of this behavior vary widely depending on the operating system and even on the distribution of Linux. All Linux distributions that support PAM can use resource limitations to control the potential impact of this problem, as Mike Perry, the gentleman who started the discussion, pointed out. Additional discussion focused on recent versions of the Linux shadow suite, which also provide support for resource limitations.

It was interesting that the focus moved to resource limits without examining the issue of whether or not this behavior, under Linux, is acceptable. SGI Irix, for example, also uses shared memory but is not vulnerable in this way. The fact that allocated shared memory is not physically in memory until a page fault is triggered is intended to be a feature, not a bug. The question is: can this be controlled in such a way as to protect the system, not only from malicious actions but also from programmers who fail to build safe practices into their code, without disabling this feature? This question was neither asked nor answered in this thread.

An in-depth review of the nmap port scanner is available from SecurityPortal.com. "Nmap is the premier open source port scanning tool, and provides several powerful methods to analyze weaknesses in a TCP/IP network. As its history shows, it might be too powerful for some people to use, and should be used only after educating yourself with its usage and the many subtleties of IP scanning."

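A defender's check for the two conditions raised in the shared-memory discussion above (segments left behind after their creator is killed, and more shared memory promised than exists), as an added example that is not part of the original article. It assumes the column layout of /proc/sysvipc/shm on current Linux kernels, which may differ from the 1999 kernels discussed here; the sample rows are constructed.

```python
"""Audit System V shared memory for orphaned and oversized segments."""
import os

# Constructed sample in the column layout of /proc/sysvipc/shm on current
# Linux kernels (assumption: the kernels of 1999 exposed this differently).
SAMPLE = """\
key shmid perms size cpid lpid nattch uid gid cuid cgid atime dtime ctime rss swap
0 32768 600 536870912 4121 4121 0 1001 1001 1001 1001 0 0 932601600 4096 0
0 32769 600 805306368 4121 4121 0 1001 1001 1001 1001 0 0 932601601 0 0
1392508930 32770 666 1048576 812 901 2 0 0 0 0 932601000 932600000 932600900 1048576 0
"""


def parse_shm(text):
    """Return one dict per segment, keyed by the header's column names."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    return [dict(zip(header, map(int, r))) for r in rows if len(r) == len(header)]


def audit(text, live_pids, mem_total):
    """Flag segments nobody is attached to whose creator no longer exists,
    and compare the size promised to all segments with physical memory."""
    segs = parse_shm(text)
    orphans = [s for s in segs
               if s["nattch"] == 0 and s["cpid"] not in live_pids]
    promised = sum(s["size"] for s in segs)
    return {
        "orphan_ids": [s["shmid"] for s in orphans],
        "orphan_bytes": sum(s["size"] for s in orphans),
        "promised": promised,
        # rss counts only pages already faulted in, so it can be far
        # smaller than the size that was granted at allocation time.
        "resident": sum(s["rss"] for s in segs),
        "exceeds_memory": promised > mem_total,
    }


if __name__ == "__main__":
    try:
        with open("/proc/sysvipc/shm") as fh:
            text = fh.read()
        live = {int(p) for p in os.listdir("/proc") if p.isdigit()}
        total = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")
    except (OSError, ValueError):
        # No procfs here: fall back to the constructed sample and 1 GiB.
        text, live, total = SAMPLE, {1, 812, 901}, 1 << 30
    print(audit(text, live, total))
```

Segments reported in `orphan_ids` can be inspected with `ipcs -m` and removed with `ipcrm` once they are confirmed to be unused.
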
Denial of Service attacks can show up anywhere, as demonstrated by this report of a Denial-of-Service vulnerability with AT&T PCS phones. Yet another industry to educate about the need for swift response to security issues ...

For those following the politics of encryption in the United States, news.com provided an update. It appears the House Armed Services Committee has gutted the export relief in the bill, in response to Janet Reno's appeal, but that does not mean their version of the bill is the one that the House will vote on.

Security Reports

From Security Focus's new incidents mailing list comes a report of security problems with the default mail setup provided with Red Hat 5.0, 5.1 and 5.2. People using Red Hat 6.0, or sendmail 8.9.x on any distribution, should not experience any problem. The default configuration may allow a spammer to use your system as a relay. An unofficial patch to fix the problem is available. Bryan Andregg at Red Hat confirmed the problem and is working on an official solution.

We have received confirmed reports of this vulnerability being exploited. Neither qmail nor postfix is impacted.

A security problem with the AMaViS incoming-mail virus scanning utility for Linux can be exploited to allow a non-privileged user to execute an arbitrary command with root privileges, according to this report on Bugtraq. Christian Bricart responded by releasing AMaViS 0.2.0-pre5, with a fix for the problem. If you are using AMaViS, you should upgrade immediately.

Another IRC bug has been reported, this time in ircu-based servers, such as lulea-r, ann-arbor, plano, Gothenburg, and toronto, which can allow a user to trigger a segmentation violation on the server. A fix is already available.

Updates

No security-related updates for Caldera, Debian, Red Hat or SuSE in the past week.

Section Editor: Liz Coolbaugh
July 22, 1999