See also: last week's Security page.

Security

News and editorials

Although OpenSSH is not vulnerable to an exploit as a result, it is impacted, as explained in this OpenBSD advisory, along with other several other OpenBSD packages. US citizens will need to review this issue since they mention "(This crypto problem only burns Americans!)"

Bastille Linux 0.93beta. Good news from the headwaters of efforts to create secure Linux implementation: Basille Linux 0.93beta has been announced. This is the beginning of a code freeze, so they are moving towards the release of their first stable version. It also seems to indicate that the homepage for the Bastille project has moved to http://bastille-linux.sourceforge.net/.

Bastille Linux is aimed primarily at non-security-experts, who are less knowledgeable about security, but want to run a more secure distribution of Linux. Our goal is to build a more secure distribution based on an well-supported existing distribution. Our solution currently takes the form of a Universal Hardening Program which must be run immediately after installation of Redhat 6.0. Our Hardening Program is most unique in that virtually every task it performs is optional, giving immense flexibility, and that it educates the installing admin before asking any question. The interactive nature allows the program to be more thorough when securing, while the educational component produces an admin who is less likely to compromise the greater security.

Open source SRP provides an alternative for secure authentication. SecurityFocus' Kurt Seifried takes a look at SRP, the Stanford SRP Authentication Project. "SRP provides several benefits over traditional methods, the biggest being that no actually encryption of the data takes place, meaning SRP can be exported legally from the US. SRP also makes no use of the patented RSA algorithm (typically used in key exchanges), so you can legally use it in the US (without having to pay RSA). "

Security Reports

A problem with the shadow in Slackware 7.0 was reported on BugTraq and reputes to allow a brute force attack on the password file. This report has not be confirmed and no word from the Slackware team has come out as of yet.

The official PostgreSQL RPMs up through 6.5.3-1 had a permission problem, reported by the RPM Maintainer, Lamar Owen. Updated RPMs are now available and a simple fix is mentioned for people who have already installed older RPMs.

Updates

• Debian

ORBit, esound, and gnome-core: A easily guessable source for random data was used in ORBit and esound which might allow an attacker to guess the authentication keys used to control access to these services. In addition, TCP Wrappers support has been added to gnome-session.

• Red Hat

• Cobalt (Old)
• Debian's sendmail (plus addendum regarding problems with initial update)
• Debian's sendmail-wide, sendmail with WIDE patch applied

Section Editor: Liz Coolbaugh

Secure Linux Projects
Bastille Linux
Immunix
Khaos Linux
Secure Linux

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
Linux Security Audit Project
OpenSSH
OpenSEC
Security Focus
SecurityPortal

Next: Kernel