Security

News and editorials

A first crack in the US Administration's stand on export controls for source code was publicized in several articles last week, including this article from Reuters:

"The Clinton administration is considering relaxing export limits on computer source code for data scrambling programs, in a possible move acknowledging the growing importance of Linux, a top export official said Tuesday."

It seems that the impact of relaxing the restrictions on commercial binaries while maintaining them on source code is being felt in many areas. There are hints that the administration's change in attitude is prompted by the commercial companies themselves, who are finding the current situation unworkable.

Bear Giles dropped us this note, in which he points out the impact on Kerberos, which is used in commercial products like Windows 2000 and many ISDN modems, yet is also a free/open source product in the form of the original MIT Kerberos implementation. Bear also mentioned that he is working on a Kerberos-ized version of Debian, due out by the end of the year. He would be pretty happy to see the export restrictions lifted, since it would allow him to contribute his work back to the main Debian tree and obviate the need for a separate distribution.

Quite a bit of "fragmentation" in Linux distributions is due to export restrictions: multiple versions of SuSE and Red Hat, and additional distributions like Definite Linux and KRUD, to name a few.

If the articles are not off in left field, we'll hear something back on the issue by mid-December. Meanwhile, time to keep the pressure up.

Security Reports

Linux kernel 2.2.13 has been released. This version of the kernel, delayed for a few weeks so that testing and bug-fixes could hammer it into a truly stable kernel, contains several security fixes. At this point in time, any system running the 2.2.X kernel series should be upgraded to 2.2.13.

Problems in lpd and lpr were announced by Red Hat this week.
Links to updates from the various distributions are below.

Another wu-ftpd problem. After a week or two of no new comments on ftpd servers, AusCERT released a new advisory for a remotely-exploitable root access vulnerability. CERT followed up with their own advisory as well. Expect to see another round of updates to wu-ftpd in the coming weeks.

Commercial products: A security problem with Eicon ISDN modems was reported and new firmware for it is now available. A vulnerability in CheckPoint Firewall-1's LDAP authentication can lead to unauthorized authentication.

Updates

amd updates: (New problems since the 9/30 update)

lpd updates:
mirror updates:

PAM:

Resources

A 'next generation' CGI Scanner, called whisker, has been released. "Whisker can easily scan your corporation's network for the latest in CGI holes, slices through the false positives, and lets you tweak/customize the script to your heart's content."

Events

The Twelfth Annual Forum of Incident Response and Security Teams (FIRST) will be held June 25th through the 30th in Chicago, Illinois, USA. Here is their Call For Papers.

Section Editor: Liz Coolbaugh
October 21, 1999