
Security


News and editorials

Duplicate key IDs for PGP-signed mail. Povl H. Pedersen posted a note to BugTraq describing the discovery of a duplicate key ID, found when a friend of his was verifying a PGP-signed email. "The problem is that the PGP servers expect all key IDs to be unique numbers, and do not expect 2 users to have the same key ID. And with the current amount of users, we are starting to get multiple users with the same key ID."

This issue will need to be dealt with, and quickly. The existence of duplicate key IDs could allow falsified mail: if a duplicate key ID can be generated by accident, presumably it can also be generated on purpose. Network Associates was not directly informed of the problem, which was posted today, so no response from them is yet available.
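As an added example (not part of the LWN item or of Pedersen's post), the following Python code shows where a key ID comes from and how a keyring should behave when two keys share one. It assumes the OpenPGP v4 public-key packet layout (fingerprint = SHA-1 over 0x99, a two-byte length and the packet body; the key ID is the trailing 64 bits of the fingerprint and the "short" key ID shown by most tools the trailing 32 bits) and uses constructed toy RSA parameters rather than real keys. It also goes a little beyond the item: the birthday bound puts a number on how many keys it takes before an accidental 32-bit collision is expected, and the search function finds such a pair among constructed keys.

```python
import hashlib
import math
import struct
from typing import Optional, Tuple


def v4_fingerprint(packet_body: bytes) -> bytes:
    """OpenPGP v4 fingerprint: SHA-1 over 0x99, the 2-byte body length, and the body."""
    header = b"\x99" + struct.pack(">H", len(packet_body))
    return hashlib.sha1(header + packet_body).digest()


def long_key_id(fingerprint: bytes) -> str:
    """64-bit key ID: the low-order 8 bytes of the fingerprint."""
    return fingerprint[-8:].hex().upper()


def short_key_id(fingerprint: bytes) -> str:
    """32-bit 'short' key ID: the low-order 4 bytes of the fingerprint."""
    return fingerprint[-4:].hex().upper()


def rsa_key_body(created: int, n: int, e: int = 65537) -> bytes:
    """Constructed v4 RSA public-key packet body: version 4, creation time,
    algorithm 1 (RSA), then the MPIs n and e (2-byte bit count + magnitude).
    The modulus is a toy value, not a real key."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def expected_keys_before_collision(id_bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^bits) random keys before two share an ID."""
    return math.sqrt(math.pi / 2 * 2 ** id_bits)


def collision_probability(num_keys: int, id_bits: int) -> float:
    """Probability that at least two of num_keys random IDs of id_bits bits coincide."""
    return 1.0 - math.exp(-(num_keys ** 2) / (2.0 * 2 ** id_bits))


def find_short_id_collision(limit: int = 2_000_000) -> Optional[Tuple[bytes, bytes]]:
    """Generate constructed keys (only the creation time varies; SHA-1 still spreads
    the fingerprints uniformly) until two of them share a 32-bit short key ID.
    Returns the two packet bodies, or None if the limit is reached."""
    seen = {}
    toy_modulus = (1 << 127) + 12345  # constructed, not a real RSA modulus
    for created in range(limit):
        body = rsa_key_body(created, toy_modulus)
        sid = short_key_id(v4_fingerprint(body))
        if sid in seen:
            return seen[sid], body
        seen[sid] = body
    return None


class Keyring:
    """Stores keys by full fingerprint and refuses to resolve an ambiguous key ID."""

    def __init__(self) -> None:
        self._owners = {}  # fingerprint (hex) -> owner name

    def add(self, owner: str, packet_body: bytes) -> str:
        fp = v4_fingerprint(packet_body).hex().upper()
        self._owners[fp] = owner
        return fp

    def resolve(self, identifier: str) -> str:
        """Accept an 8-, 16- or 40-hex-digit identifier; succeed only on a unique match."""
        ident = identifier.upper()
        if ident.startswith("0X"):
            ident = ident[2:]
        if len(ident) not in (8, 16, 40):
            raise ValueError("expected an 8-, 16- or 40-hex-digit key identifier")
        matches = [fp for fp in self._owners if fp.endswith(ident)]
        if not matches:
            raise LookupError(f"no key matches {ident}")
        if len(matches) > 1:
            raise LookupError(f"key ID {ident} is ambiguous: {len(matches)} keys share it")
        return self._owners[matches[0]]


if __name__ == "__main__":
    print("expected keys before a 32-bit collision:", round(expected_keys_before_collision(32)))
    print("expected keys before a 64-bit collision:", f"{expected_keys_before_collision(64):.3e}")
    pair = find_short_id_collision()
    a, b = (v4_fingerprint(body) for body in pair)
    print("colliding short ID:", short_key_id(a), "fingerprints:", a.hex(), b.hex())
```

With roughly 82,000 keys a 32-bit collision is expected, which is why a server or mail client that stores or looks up keys by the short ID alone cannot tell two such keys apart; resolution and any trust decision have to be made on the full fingerprint, and an ambiguous short ID should be reported rather than silently matched to the first key found.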

ARIP: Association of Responsible Internet Providers. One result of the long weeks of discussion of distributed denial-of-service attacks on BugTraq has been the creation of a mailing list to discuss forming an organization to promote and recognize responsible behavior on the part of Internet Service Providers (ISPs). David Nesting posted a note summarizing the responses to his suggestion that such an organization be created. It contains a pointer to the mailing list, as well as to other organizations that are dealing with this issue, including NANOG (the North American Network Operators' Group) and ISPF (the Internet Service Providers' Forum).

Security and Apache: An Essential Primer (LinuxPlanet). LinuxPlanet has a tutorial on securing a Linux/Apache system. "Chances are that your Web site has at least a few pages that you really don't want published to the Internet at large. How do you keep the Black Hats from seeing them, whilst not impeding the access of the White Hats who need the pages?"

New site on Linux security (Upside). Upside ran this article on the launch of LinuxSecurity.com. "Last month's denial of service uproar has intensified attention to Internet security. Coincidentally -- or perhaps not, depending on your viewpoint -- last month also saw the debut of LinuxSecurity.com, a new website completely dedicated to Linux operating system security issues."

Security Reports

dump/restore. A new version of the Linux dump/restore package, with a fix for the potentially exploitable buffer overflows in dump and restore, has been made available. Comments on BugTraq indicate that the NetBSD and OpenBSD versions of dump/restore are not affected by this problem; however, there was one report that the FreeBSD version of dump is vulnerable.

Remote vulnerability in nmh. Versions of nmh prior to 1.0.3 can be made to execute arbitrary commands via the mhshow command. Check this note for more details. (First reported March 2nd, 2000.)

dosemu problem in Corel Linux. Corel Linux contains an improperly configured dosemu package, which can allow local users to execute commands as root. Check BugTraq ID 1030 for more details. No other Linux distributions have been reported to be vulnerable.

Fixes for this can be found on the DOSemu site.

mtr-0.42. A new version of mtr, a program that combines ping and traceroute in a full-screen display and runs faster than traceroute, has been announced in reaction to problems with its management of root privileges. An upgrade is recommended if you are using this tool.

Oracle installer for Linux. The Oracle installer for Linux improperly uses a file in /tmp, leaving it vulnerable to symlink issues, reported Keyser Soze. For more information, check BugTraq ID 1035.
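The following Python code is an added example, not part of the LWN item and not Oracle's installer code; the file names it uses are constructed. It places the pattern the report describes (a fixed, predictable name under a shared temporary directory opened with a plain open call) beside two hardened forms: a randomly named file created with mkstemp, and, for the case where the name must be fixed, an open with O_CREAT|O_EXCL|O_NOFOLLOW that refuses to reuse whatever already exists at that path. The demo function plants a symlink at the predictable name inside a private scratch directory and records how each version behaves.

```python
import os
import stat
import tempfile
from typing import Optional


def unsafe_tempfile(directory: str, data: bytes) -> str:
    """The reported pattern: a predictable name and a plain open(), which follows
    whatever already sits at that path (a file or a symlink) and writes through it."""
    path = os.path.join(directory, "install.log")  # constructed name
    with open(path, "wb") as f:
        f.write(data)
    return path


def safe_tempfile(directory: str, data: bytes) -> str:
    """Hardened form 1: mkstemp picks an unpredictable name and creates it with
    O_CREAT|O_EXCL and mode 0600, so no pre-existing entry is ever reused."""
    fd, path = tempfile.mkstemp(prefix="install-", suffix=".log", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def safe_create_fixed_name(path: str, data: bytes) -> str:
    """Hardened form 2, for a name that must stay fixed: O_EXCL makes open() fail
    if anything exists at path (a symlink included) and O_NOFOLLOW refuses to
    follow a symlink; the caller gets FileExistsError instead of a clobbered file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo(directory: Optional[str] = None) -> dict:
    """Run all three against a pre-planted symlink in a private scratch directory."""
    directory = directory or tempfile.mkdtemp(prefix="lwn-tmp-demo-")
    victim = os.path.join(directory, "victim.conf")  # stands in for any file the symlink points at
    with open(victim, "wb") as f:
        f.write(b"original contents\n")
    fixed = os.path.join(directory, "install.log")
    os.symlink(victim, fixed)  # the pre-existing entry at the predictable name

    try:
        safe_create_fixed_name(fixed, b"installer output\n")
        safe_refused = False
    except FileExistsError:
        safe_refused = True
    with open(victim, "rb") as f:
        victim_after_safe = f.read()

    random_path = safe_tempfile(directory, b"installer output\n")
    random_mode = stat.S_IMODE(os.stat(random_path).st_mode)

    unsafe_tempfile(directory, b"installer output\n")  # follows the symlink
    with open(victim, "rb") as f:
        victim_after_unsafe = f.read()

    return {
        "safe_refused": safe_refused,
        "victim_after_safe": victim_after_safe,
        "mkstemp_mode": random_mode,
        "mkstemp_name_is_fixed": os.path.basename(random_path) == "install.log",
        "clobbered_by_unsafe": victim_after_unsafe == b"installer output\n",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

O_EXCL alone is enough to stop the file from being reused; O_NOFOLLOW is added so the intent is explicit on platforms that support it. Where the program can choose the name, mkstemp (or the equivalent in the installer's own language) is the simpler fix, since an unpredictable name removes the precondition entirely.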

Resources

OpenSSH 1.1.2p1 for Linux. A new version of the Linux port of OpenBSD's OpenSSH program has been announced. An upgrade is recommended due to the inclusion of an important RSA key generation fix.

GNU userv 1.0.0. userv is a program for invoking an executable in situations of limited trust.

How to Write Secure Code. The Shmoo Group has made available a set of links to information on how to write secure code, an updated version of a list posted to BugTraq a while back.

Section Editor: Liz Coolbaugh


March 9, 2000


Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds