News and editorials
Process hiding in the 2.3.X kernel series? Pavel Machek posted a note to BugTraq about possible process hiding in the 2.3.X development kernel series. Pavel Kankovsky forwarded this concern to the security audit mailing list, pointing out that the vulnerability had come about as a result of work done to close the kernel against pid recycling attacks.
This concern was originally posted to linux-kernel, but garnered no response as of yet. A bit of careful thinking will be needed to fix this problem properly without reintroducing the older vulnerability or creating yet another new one.
Obstacles to Cryptographic Code Exportation Lifting. This LinuxMall article responds to the governmental relaxation regarding cryptographic export regulations. "While encryption restriction and patent law issues are not completely resolved yet, the playing field with the rest of the world is levelling. Better still, the Open Source and Cryptographic software communities are finally seeing real progress in these areas."
Developers Blasted on Security. Rich Pethia, director of the Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh, blasted software developers for marketing flawed software in an address to a Congressional panel covered in this Wired news article. "Pethia did not criticize any companies by name in his prepared statement to the panel." Very tactful of him ...
Building a Robust Linux Security Solution (Network Magazine). Here's a Network Magazine article on building secure Linux systems. "If you want to grant your remote users VPN access to your Linux gateway, but you don't want to install (or maintain) IPSec software on their laptops, you are in luck: PopTop is a freely available Point-to-Point Tunneling Protocol (PPTP) server that can act as an end-point for VPN sessions from standard Windows desktops." (Thanks to Flemming S. Johansen).
Security Reports
abuse.man web manager kit. abuse.man is a perl-CGI script for managing virtual hosts. A vulnerability in abuse.man has been reported which can allow both remote and local users to execute arbitrary commands on the webserver. The manufacturer has been notified. Disabling abuse.man or patching it to use relative links instead of absolute paths is recommended, but no patch has been provided.
FreeBSD posted advisories this week for the orville-write port (local root compromise) and lynx (remote execution of arbitrary code). They provide a simple workaround for the orville-write port, but recommend removing lynx from the system altogether. "The lynx software is written in a very insecure style and contains numerous potential and several proven security vulnerabilities (publicized on the BugTraq mailing list) exploitable by a malicious server."
Lynx problems were most recently discussed in the September 23rd, 1999 LWN Security Summary, at which point SuSE and Yellow Dog Linux provided updates for this program.
Exploits for the pam-0.68-7 package are being passed around for both Red Hat 6.X and Mandrake 6.X. RPMs for pam-0.68-10 have been around for two months, guys. If you have not already updated, you need to do so now. A note to people using automated tools such as autorpm for installing Red Hat updates: Red Hat has not been linking new updates into the older directories, just providing links to the latest directory in their advisory. As a result, your tools may not be picking up all the updates that they need. The updates for pam-0.68-10 and usermode-1.18 are examples of this.
The Apache project: Jakarta Tomcat. A serious bug has been reported when Tomcat and the Apache web server are used together in order to serve Java Server Pages and Java servlets. Tomcat 3.1 beta 1 has all required fixes applied.
Commercial updates. Cisco has issued an advisory concerning their Secure PIX Firewall's handling of FTP server and client commands, which can lead to inappropriate connections being made across the firewall. A fix has been made for its handling of FTP server commands, while the FTP client issue is still being worked on. For additional information, check out the BugTraq thread on Extending the FTP "ALG" vulnerability to any FTP client. Note that other firewall products are also likely vulnerable.
Updates
The following issues have been previously discussed, but new updates have been made available for them in the past week.
mh/nmh. See discussion in the March 9th, 2000 LWN Security Summary.
mtr (multi-traceroute). See discussions in the March 16th, 2000 LWN Security Summary.
dump/restore. See discussion in the March 9th, 2000, LWN Security Summary. This is the first distribution update seen for this problem.
Overall, updates for specific Linux distributions appear to be coming more slowly, not more quickly. Of equal concern, the updates that are coming out are not getting installed (witness the pam discussion above). As a result, we are all losing ground as far as security is concerned.
Resources
Shaft DDOS tool analysis. An analysis of shaft, yet another distributed denial-of-service tool like Trinoo, TFN, Stacheldraht, and TFN2K, has been made available by Sven Dietrich at the NASA Goddard Space Flight Center and others.
Security Audit FAQ update. An updated version of the Security Audit FAQ has been released. Jeff Graham asked people to note in particular that the address for FAQ submissions has changed to email@example.com.
Events
Call-for-Papers RAID 2000. A last Call-for-Papers for the RAID 2000 conference has been issued. Deadlines start on March 31st, 2000.
Call-for-Papers ACSAC. The call-for-papers for the 16th Annual Computer Security Applications Conference (ACSAC) has been released. ACSAC will be held December 11 - 15, 2000, at the Sheraton Hotel, New Orleans, Louisiana. Deadlines for papers, panels, tutorials and case studies come up in May.
Section Editor: Liz Coolbaugh
March 23, 2000