
Security


News and editorials

Improving the Linux security model. Theo de Raadt, a member of the OpenBSD team, had some comments on the effectiveness of the "open source" security model when it is not coupled with dedicated staff who are actually responsible for producing fixes for security problems in a timely manner.
Tom Reed:

Now don't get me wrong, I believe that OpenBSD is about as secure as they get, and I realize that open software can (theoretically) be made more secure because of the distributed effort which goes into it.

Theo de Raadt:

I don't believe that -- it's not the distributed effort that matters. Rather, _applied_ effort makes the difference.

In our case, it was the applied effort of about 10-15 developers. The various failed Linux and FreeBSD "security-auditing" mailing lists are living, er, I mean dead, proof that the distributed nature of `open source' isn't enough of an assist.

This quote was not reproduced in order to cause bad feelings. It is unfair to the work that has been produced by some of the security projects we've followed. Yet they have failed to resolve the larger problem. For example, Theo goes on to point out that the problems fixed in Red Hat's recent update to lpd were originally reported in this advisory, dated ... October of 1997? Ouch.

This does not change the point that having source code available is a critical and necessary part of the process. However, it is not sufficient to guarantee good security, not unless people consistently track down, update and repair problems. This is a problem with security that we've seen for a long time. Busy people have good intentions and can do the right thing most of the time, but with security, being lax even in one instance can leave you vulnerable, and the effort you did put into security goes to waste.

In this particular area, relying on unpaid volunteers to handle the problem is irresponsible. Yes, many people, both paid and unpaid, will work together to find security problems, but the companies that are making money from putting their name on the operating systems we use have a responsibility to see that the work of getting those problems fixed happens, and happens in a timely manner. It also needs to happen consistently across all Linux distributions. OpenBSD is acknowledged to be doing a better job; what can we learn from that and apply to Linux?

To demonstrate how important this is, Microsoft has announced a serious commitment to clean up their act in regards to security.

"Microsoft recognizes that security is a matter of great concern to users of its products and services and to the public at large. Therefore Microsoft is committed to pursuing an aggressive program of research and development aimed at continuous improvement in the security of its products and services. Microsoft will also establish an outside advisory board to guide the evolution of its policies, processes, and technology in matters of security and privacy. From time to time, Microsoft will provide the public with reports of its results and progress in improving the security of its products and services."

The response from the Linux community must be no less. LWN promises our commitment to look for, help develop and promote solutions to this problem. (Thanks to Ben De Rydt.)

Security Reports

qpopper. [BugTraq ID, January 26th, 2000]. A remotely exploitable buffer overflow in qpopper 3.X has been reported. A temporary patch has been available, but no official update has yet been posted.

BSD /proc vulnerability. [BugTraq ID, January 21st, 2000]. Local users can get access to root. Patches have been made available for FreeBSD and OpenBSD.

vpopmail (vchkpw). [BugTraq ID, January 21st, 2000]. vpopmail (vchkpw) versions prior to 3.4.11e are vulnerable to a remote buffer overflow attack in the password authentication of vpopmail. The problem has been fixed in the latest version, available from Inter7. Note that this problem was originally, erroneously, labeled a "qmail-pop" vulnerability.

DNS hijacking. [BugTraq ID, January 23rd, 2000]. The insecurity of the current DNS system again comes under discussion, this time illustrated by this posting by Dan Bernstein. As summarized in the BugTraq vulnerability entry, "DNS is built upon levels of trust, and by exploiting single points of failure in this trust system ... By consecutively performing these cache attacks, it could be possible for an attacker to entirely take over name service for any given domain." No solution for this problem is currently available.

VMware. [BugTraq ID, January 21st, 2000]. A /tmp symlink vulnerability has been identified. No vendor-supplied fix has been reported, but the software does allow the use of an alternate directory for temporary files. Using that feature, together with a directory with restricted write privileges, is highly recommended.

Updates

Red Hat security update to majordomo. Red Hat has issued an update to majordomo (which appears in the "Powertools" product). For information on the problems that have been fixed, see BugTraq ID 902 (December 28th, 1999) and BugTraq ID 903 (December 29th, 1999). The updated RPMs provided by Red Hat upgrade the package to 1.94-5. An upgrade is recommended.

Also check out this note, which outlines steps you should take to protect the directory in which the majordomo code lives if you are using majordomo.

Resources

connlogd. Alec Kosky's TCP & UDP connection logger, connlogd, is now available via ftp.

Events

New Security Paradigms Workshop 2000. The Call-For-Papers for the New Security Paradigms Workshop, scheduled for September 19 - 21, 2000, Ballycotton, County Cork, Ireland, has been released. Note that the workshop is limited to authors of accepted papers and the conference organizers. "The New Security Paradigms Workshop is highly interactive in nature. Authors are encouraged to present ideas that might be considered risky in some other forum. All participants are charged with providing feedback in a constructive manner. The resulting brainstorming environment has proven to be an excellent medium for furthering the development of these ideas. The proceedings, published after the workshop, have consistently benefited from the inclusion of workshop feedback."

Section Editor: Liz Coolbaugh


January 27, 2000


Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds