[LWN Logo]
[LWN.net]

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Back page
All in one big page

See also: last week's Security page.

Security


News and Editorials

Netscape SSL authentication vulnerability (again). The possibility that an attacker could use a previously authenticated SSL certificate to fool your Netscape session into accepting transactions from a redirected site was first reported in the May 18th LWN Security Summary. Last week, we heard that the problem was fixed in Netscape 4.73. This week, the report is that Netscape 4.73 is still vulnerableto a similar problem, if a user ignores a received warning message, unless the iPlanet Personal Security Manager (PSM) has also been installed. CERT has also issued an updated advisory for the problem.

From the paragraph above, the options for person using Netscape seem simple: install the Personal Security Manager. Well, the issue is not quite so simple. If you go to the download site listed above and check their installation instructions for "Unix", it states, "Before you install Personal Security Manager on Unix, you must be logged in as the same Unix user you will be logged in as when you run Communicator. For the Unix installation to succeed, you must have write privileges for both the directory where the Netscape executable resides and the directory where the installation script creates the directory containing the Personal Security Manager files."

For an average system, the only user that owns the directory in which the Netscape executable resides is "root". We stepped through the installation and verified that only Netscape running as "root" has access to the Personal Security Manager after its installation. In fact, any attempt to click on the "dead-bolt" security icon by a user other than root will lock Netscape 4.73.

This means that you will have to install a private copy of Netscape for each non-root user on your system, and then install a matching copy of the Personal Security Manager. That would be a pretty tall order for a University system with, say, several thousand accounts. Even for a non-technical user with their own PC, this is an unexpected burden. PSM is essentially a broken product within a multi-user Unix environment and needs to be fixed.

Security Reports

Majordomo wrapper vulnerability. A problem has been reported with majordomo, in which the majordomo wrapper script can be used to gain access to and run commands under the uid and gid of the login id that owns the majordomo binary. A patch for majordomo is included.

xlockmore overflow. COVERT Labs has reported an overflow in xlockmore which can allow an attacker access to password hashes for other users. An upgrade to xlockmore-4.16.1 will fix the problem. Information on updates from Debian, FreeBSD, NetBSD, OpenBSD, SCO and TurboLinux is included in the advisory.

IP Filter 3.3.15 vulnerability. IP Filter, a TCP/IP packet filter shipped with FreeBSD, NetBSD and OpenBSD, has been reported to contain a weakness which, via a flawed configuration, can allow a firewall penetration. Patch/workaround and vendor information for the three BSD platforms are included in the advisory.

FreeBSD and OpenBSD: incorrectly exported system call. FreeBSD has issued an advisory reporting an undocumented system call that is incorrectly exported. As a result, an unprivileged user can block all processes from exiting properly. New stable versions of FreeBSD dated after May 1st are no longer vulnerable. NetBSD and OpenBSD are impacted, but only in rare cases and with less severe symptoms. Recent OpenBSD 2.7-beta snapshots and the upcoming OpenBSD 2.7 release have been fixed. NetBSD has put out an update as well.

NetBSD security updates. NetBSD issued two additional security advisories this week for problems specific to NetBSD:

Cobalt FrontPage. As we mentioned in last week's Security Summary, the installation of FrontPage on the Cobalt RaQ2/RaQ3 contains a permissions problem that could allow files on the system to be improperly changed, overwritten or deleted. Cobalt has issued an advisory confirming the problem and making available updated packages to resolve the problem.

Commercial products. The following commercial products were reported to contain vulnerabilities:

Updates

dump. Security-related buffer overflows in dump were reported originally in the March 2nd, 2000 LWN Security Summary. For more details, check BugTraq ID 1020.

fdmount. An exploitable buffer overflow was reported in fdmount. For more information, check last week's Security Summary.

gdm. A buffer overflow vulnerability was reported in gdm, the Gnome display manager. An upgrade to gdm 2.0beta4-25 is recommended.

kdm. In a related item, kdm, the KDE display manager, also contains a buffer overflow (though not the same one). It has not been demonstrated that this overflow is actually exploitable, but an upgrade is still recommended.

gnapster/knapster. For more information, check out the security report in the May 18th LWN Security Summary.

gpm improper permissions handling. Improper permissions handling in gpm, the virtual console cut and paste utility and mouse server, was discussed in the March 30th LWN Security Summary.

This week's updates:

Previous updates:

kscd. kscd, the CD player provided with the KDE multimedia package, can be easily exploited to gain root privileges, if it is installed setgid to "disk". Removal of the setgid bit should fix the problem. This was first mentioned in the May 18th Security Summary.

kdesud. A DISPLAY environment variable overflow can give an attacker access to gid 0. Check BugTraq ID 1274 for more details.

Kerberos. Check last week's Security Summary for details.

lynx. After a series of reported security problems with the lynx text-based web browser dating back to September of 1999, the code has at last undergone a thorough audit. The latest version, lynx-2.8.3pre.5, is believed to close all major holes. (From last week's Security Summary).

mailman. Additional details about the mailman mailing list manager security problems we reported in last week's Security Summary can be found in this Debian bug report log. An upgrade to mailman-2.0beta2 is recommended to close these holes.

openldap tmplink vulnerability. A tmplink vulnerability was reported in openldap. Check the April 27th LWN Security Summary or Red Hat Bugzilla ID 10714 for more details.

This week's reports:

Previous reports:

Qpopper. Check last week's Security Summary for more details. Qpopper 3.0.2 or later should fix this problem.

xemacs. Check last week's Security Summary for details.

Events

June/July security events.

June 12-14, 2000. NetSec 2000, San Francisco, California, USA.

June 19-23, 2000. 12th Annual Canadian Information Technology Security Symposium, Ottawa, Ontario, Canada.

June 25-30, 2000. 12th Annual First Conference, Chicago, Illinois, USA.

June 26-28, 2000. SSS2000 Strategic Security Summit, Helsinki, Finland.

June 27-28, 2000. CSCoRE 2000, "Computer Security in a Collaborative Research Environment", Long Island, New York, USA.

July 3-5, 2000. 13th IEEE Computer Security Foundations Workshop, Cambridge, England.

July 10-12, 2000. Fifth Australasian Conference on Information Security and Privacy (ACISP 2000), Brisbane, Australia.

July 14-16, 2000. H2K / HOPE 2000, New York, New York, USA.

July 26-27, 2000. The Black Hat Briefings, Las Vegas, Nevada, USA.

July 28-30, 2000. DEF CON VIII, Las Vegas, Nevada, USA.

Section Editor: Liz Coolbaugh

June 1, 2000


Secure Linux Projects
Bastille Linux
Immunix
Khaos Linux
Nexus
Secure Linux
Secure Linux (Flask)
Trustix

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
Linux Security Audit Project
LinuxSecurity.com
OpenSSH
OpenSEC
Security Focus
SecurityPortal

 

Next: Kernel

 
Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds