Sections:
Main page
Linux in the news
Security
Kernel
Distributions
Development
Commerce
Announcements
Back page
All in one big page

Security

News

Lots of security problems turned up this week, just in case anybody had thought that all the worst buffer overflows had been found. Details can be found below. But there is one aspect of this week's problems that is deserving of a closer look.

When the cron problem was announced, notes were posted from both Caldera and Debianclaiming that they had found and fixed the problem "years ago." Why did other distributions, like Red Hat, remain vulnerable for so long? How could it be that they were surprised by such an old bug?

It turns out that there is no maintainer for the vixie-cron package used by most distributions. Cron is an old, boring package which has not really needed to change for years. So nobody looks after it. The distributions are usually more than diligent about reporting fixes - especially security fixes - to the ultimate maintainer of a program. But if said maintainer does not exist, there is nobody to send patches to.

There are certainly other parts of the Linux core which are similarly unmaintained. Some of them must contain security problems. Perhaps known problems that some distributions have fixed, and others have never heard of. There is a bit of a time bomb here. How long until some clever cracker attempts a form of patch arbitrage by comparing source from different distributions looking for this sort of problem?

It is probably in the interest of the Linux distributors to work toward common maintenance of the core utilities that currently lack maintainers. Perhaps they could fund this maintenance via the SourceXchange or Cosource? Funding this maintenance certainly would have to be cheaper than dealing with the packages in-house and duplicating effort, which is what is happening now.

Security Reports

The cron vulnerability is worse than had been originally thought; it seems that a clever user can also convince sendmail to run commands (as root). Note that all distributions - even those which claimed invulnerability to the original cron problem - are vulnerable to this one. (One exception is Slackware, which uses a different cron daemon). Details and the patch can be found in this postingfrom Martin Schulze.

Linux kernel 2.0.38 was released, much to the surprise of many, who had not been expecting another 2.0 release soon, if ever. It turns out that there is a complicated, difficult to exploit bug in the TCP stack that needed fixing. There are currently no known exploits out there, and the bug may be impossible to exploit without local (or near-local) network access. 2.2 and later kernels are not vulnerable. See the announcement for more.

Commercial software vulnerabilities: ISS has issued advisories detailing vulnerabilities in Oracle8 (see also this additional Oracle advisory), Netscape's Enterprise and FastTrack Web servers, and Lotus Notes Domino Server 4.6.

INN 2.2 and earlier have a buffer overflow problem as well. INN 2.2.1 has been released as a result; upgrades are advised. Details in the announcement.

Updates

Updates for the cron vulnerability are available from:

Various FTP daemon updates are available:

Linux-Mandrake (wu-ftpd and BeroFTPd - also a Lynx update).
LinuxPPC (ProFTPd)
Red Hat (ProFTPd - shipped on PowerTools CD)
Slackware (wu-ftpd).
Yellow Dog Linux (wu-ftpd, BeroFTPd and ProFTPd).

The AMD automounter has a problem which is being "actively exploited" on the net. Available updates include:

An update for epic4 has been released by Debian; details in the announcement.

A buffer overflow in man was fixed by this update from Caldera.

SuSE's security updates page lags. In last week's Security Summary, we mentioned that no security updates had come out from SuSE since June 30th. This was based on the information on their Security Announcements page. Unfortunately, apparently this page is again not being updated regularly. Martin Treusch von Buttlar pointed out that the SuSE Linux 6.2: Patches, Updates, Bugfixes page lists six security-related updates to 6.2 that are already available, released since August 10th. Updates for nkitb, termcap, xmonisdn, and trn are included.

Solar Designer has put out a 2.2.12 security patch which fixes some worrisome things and includes his other goodies. There is a test version available now, with a final release sometime next week. See the announcement for details.

Second try for Slackware elflibs update. For those of you who applied the original Slackware "elflibs" update to fix the termcap vulnerability: that update did not work, and your systems are still vulnerable. A new version of the elflibs package has been announced which truly fixes the problem.

Events

The Internet Security Conference will be held in Boston, MA on October 11-15. More information can be found on the web site, or in their announcement.

Section Editor: Liz Coolbaugh

September 2, 1999

Secure Linux Projects
Bastille Linux
Khaos Linux
Secure Linux

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Debian Alerts
Red Hat Errata
SuSE Announcements

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
Linux Security Audit Project
OpenSEC
Security Focus
SecurityPortal

Next: Kernel