Linux in the news
All in one big page
See also: last week's Security page.
News and editorials
Linux 2.2.16 security release. Alan Cox has released Linux 2.2.16, a new version of the stable Linux tree, to fix several security issues, including a potentially remotely exploitable hole in the sunrpc code. An upgrade to 2.2.16 is recommended immediately for anyone with untrusted local users and/or publicly-accessible kernel sunrpc services.
U.S. To Follow EU Crypto Lead (Wired). Wired reports that the US is watching upcoming decisions on cryptography in Europe and will respond to them. "Commerce Department Undersecretary William Reinsch said Monday that any change, designed to make sure American high-tech companies aren't disadvantaged, will have to wait until the Europeans reach a decision." A dramatic relaxation of cryptography regulations in Europe is currently expected.
After its hard-nosed policy against relaxing cryptographic regulations, the U.S. government likely needs a good excuse before it makes an about-face in policy. However, they seem to know that their current regulations are ineffective, since cryptography is already widely available, sanctioned or not. Given the pressure from U.S. businesses to not be restricted from competition in the global market for encryption products, a European decision to relax regulations will pave the way for the U.S. to respond in kind.
NetBSD developer password exposed (Fairfax I.T.). In the list of most annoying/embarrassing situations, having your password "acquired" has got to be near the top. The Fairfax I.T. in Australia reports on the exposure of Paul Vixie's password. Paul is a well-known developer, working on NetBSD, XFree86 and other projects. Warning, though, the article has no particularly useful information about how the password was acquired, how they became aware of its exposure, etc. No damage appears to have been done.
Kondara MNU/Linux Advisories. Security advisories for Kondara MNU/Linux are now available at http://www.kondara.org/errata/k11-security.html. Currently, the web-site contains updates for dump, kernel, gpm, emacs, imwheel, openldap, cdrecord and xlockmore.
Linux-Mandrake bind update. Linux-Mandrake announced a security update for bind. By default in Linux-Mandrake, bind is launched as user and group root. This setting makes it possible to easily exploit vulnerabilities in bind.
cdrecord. The Linux cdrecord binary is vulnerable to a locally exploitable buffer overflow attack. Check BugTraq ID 1265 for more details. Linux Mandrake 6.1 and 7.0 have been verified as vulnerable. cdrecord 1.9a02 has just been announced and is reported to contain a fix for this overflow.
kdelibs. Kdelibs 1.2.2 has a problem which can allow the exploitation of any setuid root KDE application.
Buffer overflow in inn. A buffer overflow in inn 2.2.2 has been reported that can be an issue if the option "verifycancels" in /etc/news/inn.conf is set to "true". Setting this option to "false" should fix the problem.
Debian: mailx buffer overflow. Debian has put out a security advisory and updates for mailx to fix an exploitable buffer overflow. This is the first report of this problem, so updates from other distributions have not yet been seen.
Debian: splitvt local root vulnerability. Debian has also put out an advisory for splitvt, which contains a buffer overflow that can be exploited to gain access to root on a local system. An upgrade is recommended for all versions of Debian. This problem has been fixed in splitvt 1.6.4.
Xterm Denial-of-Service vulnerability. An exploit has been made available that can cause an xterm window to crash and, in some instances, consume all memory on the system. For more information, check out the BugTraq discussion or BugTraq ID 1298. XFree86 4.0 xterm, rxvt and eterm have been confirmed to be vulnerable. Gnome-terminal, KDE konsole, OpenWindows xterm and Secure CRT are reported not vulnerable.
BRU. The BRU backup and restore facility has an exploitable vulnerability which can be easily fixed by modifying the permission bits to remove the setuid root.
Commercial products. The following commercial products were reported to contain vulnerabilities:
gdm. A buffer overflow vulnerability was reported in gdm, the Gnome display manager. An upgrade to gdm 2.0beta4-25 is recommended. An exploit for this has been published. (From June 1st).
mailman. An upgrade to mailman-2.0beta2 is recommended to close several security holes. (From June 1st).
Majordomo wrapper vulnerability. (From June 1st).
xlockmore. (From June 1st).
SSH Secure Shell 2.2. SSH Communications Security has announced the release of SSH Secure Shell 2.2, an update to this proprietary product.
Hardening Linux Machines For Web Services (themestream). Here is an article from themestream specifically targeted at people placing their webservers at a co-location facility. It provides a checklist of security issues to consider.
June/July security events.
June 12-14, 2000. NetSec 2000, San Francisco, California, USA.
June 19-23, 2000. 12th Annual Canadian Information Technology Security Symposium, Ottawa, Ontario, Canada.
June 25-30, 2000. 12th Annual First Conference, Chicago, Illinois, USA.
June 26-28, 2000. SSS2000 Strategic Security Summit, Helsinki, Finland.
June 27-28, 2000. CSCoRE 2000, "Computer Security in a Collaborative Research Environment", Long Island, New York, USA.
July 3-5, 2000. 13th IEEE Computer Security Foundations Workshop, Cambridge, England.
July 10-12, 2000. Fifth Australasian Conference on Information Security and Privacy (ACISP 2000), Brisbane, Australia.
July 14-16, 2000. H2K / HOPE 2000, New York, New York, USA.
July 26-27, 2000. The Black Hat Briefings, Las Vegas, Nevada, USA.
July 28-30, 2000. DEF CON VIII, Las Vegas, Nevada, USA.
Section Editor: Liz Coolbaugh
June 8, 2000