
Security


Security Reports

FreeBSD: Exploitable hole in ssh-1.2.27. An exploitable hole in ssh-1.2.27 has been reported under FreeBSD and a patch has been released. Note that only builds of ssh compiled with "RSAREF" defined are vulnerable; builds without it are not affected. A build reports which it is: "ssh -V" prints either "Compiled with RSAREF." or "Standard version. Does not use RSAREF." Current reports indicate that, as a result, the Debian GNU/Linux packages and the international rpm packages for ssh are not vulnerable to this problem.

thttpd remotely-exploitable buffer overflow. A buffer overflow in thttpd, a small, fast web server with a limited feature set, has been reported and fixed by the author in an extremely prompt manner. Check below for distribution updates for thttpd.

Red Hat security update for user-mode nfsd. Red Hat has issued an update to nfsd for versions 4.2 and 5.2 of the distribution. The older user-mode NFS daemon had an unpleasant buffer-overflow problem. Those running older systems will want to upgrade. Red Hat 6.x, which runs the 2.2 kernel and its kernel-mode NFS server rather than the user-mode daemon, is not vulnerable.

Updates

bind: Six different vulnerabilities are described on this ISC page. Upgrades are strongly recommended.

nfsd: Buffer overflows in the nfs-server packages have been identified and fixed.

proftpd: Version 1.2.0pre9 of proftpd has produced enough confidence to result in updated packages, the first package updates for proftpd we've seen since late September.

thttpd: A remotely-exploitable buffer overflow has been discovered.

Resources

SANS: First Tuesday broadcasts. The SANS Institute November First Tuesday broadcasts will include two topics: "The Hunt for RingZero", which covers the investigation of reports of heavy scanning activity in September, and "The CVE Project", which covers efforts "to develop a common language for describing vulnerabilities and a consensus list of vulnerabilities and exposures". The broadcasts are free, but registration is required.

Events

The 12th Annual FIRST Conference. The Call-For-Papers for the Forum of Incident Response and Security Teams (FIRST) Conference has been issued. The conference will be held June 25th through the 30th, in Chicago, IL, USA.

Section Editor: Liz Coolbaugh


November 18, 1999


Secure Linux Projects
Bastille Linux
Immunix
Khaos Linux
Secure Linux

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
Linux Security Audit Project
OpenSEC
Security Focus
SecurityPortal

Copyright © 1999 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds