See also: last week's Security page.

News and Editorials

The Myth of Open Source Security (EarthWeb). EarthWeb has run this article by John Viega, author of mailman, the GNU mailing list manager. He takes a look at why the open source process, great for feature development and quick fixes for bugs once found, does not necessarily provide the best environment for developing secure software. "People using open source programs are most likely to look at the source code when they notice something they'd like to change. Unfortunately, that doesn't mean the program gets free security audits by people good at such things. It gets eyeballs looking at the parts of the code they want to change. Often, that's only a small part of the code."

This article is not a flame-bait, open source-bashing piece. It is a rational attempt to look at the development methods of the open source community and determine why there are so many simple, avoidable security problems out there, still waiting to be detected. It can easily be argued that commercially-developed software has as many problems or more.

The real point of the article is that we shouldn't assume that software is secure just because it is open source. Praise open source software for quick response to problems once found, but don't assume that all, or even most, of the problems have been dealt with already. Last, support the work of people who are providing security audits for open source code. Encourage new developers to learn about security issues. Require your own software to be designed with security in mind from the beginning, not as an afterthought.

Linux Kernel Auditing Project. The Linux Kernel Auditing Project has been announced. They are taking on a big bite: auditing of the 2.0.X, 2.2.X and 2.3.X/2.4.X kernel series for potential security problems, as well as developing resolutions for the problem without impairing the performance of the kernel or introducing new bugs. Their goals are laudable and we wish them the best of luck.

OpenSSH 2.1.1 released. A new release of OpenSSH has been announced. This new version, 2.1.1, contains a security fix for a vulnerability in OpenSSH that may exist if the UseLogin feature is enabled (not enabled by default). An upgrade to the latest version is recommended.

In addition to announcing the new version, Theo de Raadt also passed on good news on the adoption of OpenSSH: "We've been completely blown away by the number of people who are switching from commercial ssh to openssh, with over 250,000 people visiting the our web page in the last 3 months. It's really been a silent revolution, because thousands of people welcomed the switch from commercial use of non-licensed software to a free choice, but have not spoken about how they were running non-free software before."

Errata for 2.2.16 and 2.2.17pre1. A few people have hit problems with 2.2.16. Because it is important that people be able to run 2.2.16, due to the security fixes included therein, Alan has released the 2.2.16 errata patch set.

Also aimed at fixing the problems with 2.2.16 is the 2.2.17pre1 release which only addresses bug fixes.

Security Reports

restore. A locally exploitable buffer overflow in restore has been reported and an exploit published. Upgrading to dump-0.4b18 should fix the problem. No vendor packages have been released yet.

wu-ftpd. Michal Zalewski posted the results from a 20 minute "mini-audit" of the source code for wu-ftpd 2.6.0, turning up yet more problems in this server. No information on patches or fixes have yet been seen.

New Kerberos buffer overflow vulnerability. A new exploitable buffer overflow in Kerberos 4 KDC has been reported. This time, in addition to impacting MIT and Cygnus-based Kerberos distributions, the buffer overflow is also present in KTH-krb4 before version 0.10. Patches for the problem are included in the initial report.

• CERT

NFS rpc.lockd Denial-of-Service. A denial-of-service vulnerability has been reported, but not confirmed, in the Linux rpc.lockd code for Linux 2.2.14 and 2.2.16.

snort. Snort 1.6 has been reported vulnerable to a denial-of-service attack, crashing in response to an nmap scan. This problem has been confirmed and Snort 1.6.1 should be released soon with a resolution for this problem. Snort is a light-weight intrusion detection program that runs on Linux, BSD and a variety of other platforms. Check the Snort home page for more details.

FreeBSD advisories. FreeBSD has put out advisories for apsfilter, ssh (FreeBSD-specific, updated advisory) and /dev/random (Alpha platform only). FreeBSD users are strongly encouraged to read the advisories and follow the included instructions.

Commercial products. The following commercial products were reported to contain vulnerabilities:

• ColdFusion Administrator

Updates

Linux kernel capabilities. Check last week's Security Summary for details. Linux kernel 2.2.16 contains fixes for this issue. Note also the errata for 2.2.16 mentioned above. For more information on the 2.2.16 kernel, check the release notes and Alan's thank-you note to the people who helped find and fix these problems.

Note that the sendmail update for this problem is not necessary if you update your kernel.

• sendmail
• Caldera (backported to 2.2.10)
• Conectiva (backported to 2.2.14)
• Slackware
• Trustix

OpenSSH. Check BugTraq ID 1334 for more details.

• Conectiva

Qpopper. Check the May 25th Security Summary for more details. Qpopper 3.0.2 or later should fix this problem.

• Qualcomm (June 1st)
• Debian (June 1st)
• SuSE

Netscape SSL. Problems in the manner that Netscape handled invalid SSL certificates have been fixed in Netscape 4.73. Check the May 18th Security Summary for the initial report. Also check the June 1st Security Summary for additional problems in Netscape 4.73.

• Red Hat (May 25th)
• Caldera

BRU. Check last week's Security Summary for details. Remember, this problem can easily be resolved by a permissions change or an upgrade to BRU 16.0.

• BRU (official response)
• Caldera

Resources

OpenSSH Unix Port 2.1.1p1. A minor update to the Linux port of OpenSSH has been announced. It contains "lots of bugfixes".

Events

June/July security events.

Date	Event	Location
June 19-23, 2000.	12th Annual Canadian Information Technology Security Symposium	Ottawa, Ontario,Canada.
June 25-30, 2000.	12th Annual First Conference,	Chicago, Illinois, USA.
June 26-28, 2000.	SSS2000 Strategic Security Summit (canceled!)	Helsinki, Finland.
June 27-28, 2000.	CSCoRE 2000,"Computer Security in a Collaborative Research Environment"	Long Island, New York, USA.
July 3-5, 2000.	13th IEEE Computer Security Foundations Workshop	Cambridge, England.
July 10-12, 2000.	Fifth Australasian Conference on Information Security and Privacy (ACISP 2000)	Brisbane, Australia.
July 14-16, 2000.	H2K / HOPE 2000	New York, New York, USA.
July 26-27, 2000.	The Black Hat Briefings	Las Vegas, Nevada, USA.
July 28-30, 2000.	DEF CON VIII	Las Vegas, Nevada, USA.

Section Editor: Liz Coolbaugh

Secure Linux Projects
Bastille Linux
Immunix
Khaos Linux
Nexus
Secure Linux
Secure Linux (Flask)
Trustix

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara MNU/Linux Advisories LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
Linux Security Audit Project
LinuxSecurity.com
OpenSSH
OpenSEC
Security Focus
SecurityPortal

Next: Kernel