
Security


News and editorials

A truly free ssh? This week's Debian Weekly News contained a link to this posting by James Troup. It seems that ssh 1.2.12 was published under a license that was still compatible with the Debian Free Software Guidelines (DFSG). OpenBSD has picked up that version of ssh and is working on "ripping out the patented algorithms (IDEA, etc.)" and, of course, they will have to fix the security problems in this older version. It is far enough along that OpenBSD has added it to their base system. This is excellent news! If anyone has more direct experience with, or knowledge of, what OpenBSD is doing here, we'd love to hear about it.

What does "Secure" mean? A couple of new products showed up this month, both making claims to that word. The first, titled Secure DSL, made this editor wonder if perhaps an encrypted DSL line service was being offered. Closer perusal of the product description shows that it is simply the addition of firewalling capabilities: "The system works by securing each DSL line with network-based, packet firewalls, so precluding outside attacks." Now, firewalls are a good and necessary thing, but all the evidence of the past year clearly proves that they do not guarantee a "secure" line. With a starting price of $30,000 (aimed at ISPs), it is not a low-end solution, either.

The second product that caught our eye was the BRICKhouse from SAGE, a Linux-based web server appliance that they claim provides a "bullet-proof" web-site solution. This one was more interesting to examine. "BRICKHouse is a highly scalable Linux-based Web server that raises the standard on Internet security by incorporating an innovative approach to security called Process-Based Security (PBS)." By limiting access to files on a per-process, rather than per-user, basis, they believe they can prevent both malicious damage to the site and potential down-time. It is an interesting approach and deserves closer investigation.

Do watch out for the marketing, though! One person's "secure" is another person's "insecure". Stick with the rule that "security is a process, not a state". That said, if either product enhances your current security or addresses your needs, it will be worth a look (with a particular bias towards the Linux-based BRICKhouse :-).

In the on-going cryptography battles, the US Federal government has achieved one of their short-term goals, winning a new hearing on the issue of whether or not they have the right to regulate encryption, this time in front of an eleven-member panel of judges. "The existing regulations 'allow the government to restrain speech indefinitely, with no clear criteria for review,' said Judge Betty Fletcher in the 2-1 ruling. That, she wrote, prevents professors such as Bernstein from engaging in valuable scientific expression." Here's hoping that their new hearing only re-affirms the status of cryptography as a form of free speech.

ZDNet Labs admitted it was their choice not to apply security patches to the Red Hat system used in the recent PC Week challenge. LinuxToday waxed eloquent on that choice, which has called the integrity of ZDNet Labs into question, since they did choose to apply the latest service packs to the NT box.

Security Reports

kvt: A buffer overflow in kvt was reported to BugTraq this week. However, it seems the KDE Team was already aware of the problem, since the most recent version of KDE now ships without kvt. No patched version of kvt seems to currently exist and most people seem to be using other alternatives, such as xterm. Note, though, that if you want to keep kvt around for some reason, you'll need to save it off before applying the latest KDE updates. Otherwise, it will disappear during the upgrade process.

mirror: The mirror package contains a perl script which is used to duplicate directory hierarchies across machines and is popular for maintaining "mirror" sites. A vulnerability in this package can allow a remote site operator to create or overwrite files on the local machine. Vendor fixes for this problem are starting to come in. Check below in the updates section for details.
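The report above does not say how a remote operator gets to pick the local file, but a mirroring tool writes whatever names the remote listing hands it, so the check a defender wants is that every destination path stays inside the mirror root. The following is an added example written for this page, not code from the mirror package; the remote listing is constructed, and the /srv/mirror root is an assumed location that need not exist.

```python
from pathlib import Path
from typing import List, Optional, Tuple


def safe_destination(mirror_root: str, remote_name: str) -> Optional[str]:
    """Map a file name taken from a remote listing onto a local path.

    Returns the local path as a string, or None when the name is absolute,
    empty, contains a '..' component, or resolves (through symlinks already
    present in the local tree) to somewhere outside the mirror root.
    """
    root = Path(mirror_root).resolve()
    name = Path(remote_name)
    # Reject names that can never be a legitimate entry in a relative listing.
    if name.is_absolute() or not name.parts or ".." in name.parts:
        return None
    candidate = root / name
    # Resolve the parent directory so a symlink planted earlier inside the tree
    # cannot redirect the write elsewhere; the file itself may not exist yet.
    resolved = candidate.parent.resolve() / candidate.name
    try:
        resolved.relative_to(root)
    except ValueError:
        return None
    return str(resolved)


def filter_listing(mirror_root: str, names: List[str]) -> Tuple[List[str], List[str]]:
    """Split a remote listing into names safe to write and names to refuse."""
    accepted, rejected = [], []
    for name in names:
        (accepted if safe_destination(mirror_root, name) else rejected).append(name)
    return accepted, rejected


# Constructed sample listing, as a hostile remote site might present it.
SAMPLE_LISTING = [
    "pub/README",
    "pub/../../etc/passwd",
    "/etc/passwd",
    "pub/sub/file.txt",
    "../outside.txt",
]


def check_sample_listing() -> Tuple[List[str], List[str]]:
    """Run the filter over the constructed listing against the assumed root."""
    return filter_listing("/srv/mirror", SAMPLE_LISTING)


if __name__ == "__main__":
    ok, bad = check_sample_listing()
    print("would write:", ok)
    print("refused:", bad)
```

Checking the resolved parent rather than only the textual name matters because a first pass that creates a symlink inside the tree would otherwise let a later pass follow it outside the root.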

mutt: A buffer overflow has been found in mutt which allows a crafted email message to carry commands that are then executed as the user reading the message. An immediate upgrade to mutt 1.0pre3 is recommended. Several vendor updates have already come out; check below.

Updates

All the following are security-related updates.

mirror updates:

mutt updates:

netscape updates:

sccw:

SuSE has released yet another new update to sccw, which fixes a vulnerability in this (setuid root) utility. Upgrades are recommended. Note that this is a different sccw update than the one that came out last week - more problems have come up since then.

Resources

Ethereal 0.7.5 was released on September 24th. Although clearly still pre-release, ethereal has started garnering mentions on newsgroups, where people apparently have found its protocol analysis capabilities very useful.

Section Editor: Liz Coolbaugh


October 7, 1999


Secure Linux Projects
Bastille Linux
Khaos Linux
Secure Linux

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
Linux Security Audit Project
OpenSEC
Security Focus
SecurityPortal

Eklektix, Inc. Linux powered! Copyright © 1999 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds