LWN.net


News and Editorials

Workarounds for the Linux capabilities vulnerability. In last week's Security Summary, we discussed a potential workaround for the Linux kernel capabilities vulnerability, for sites unable/unwilling to upgrade to the Linux 2.2.16/2.2.17 kernel series to get the proper fix. Our workaround involved the use of capcheck, a loadable kernel module which replaces the "capset" system call with a much more restrictive version.

This week on BugTraq, Patrick Reynolds posted a followup discussing ways in which /dev/mem can be used both to re-enable capabilities that have been disabled and to load custom, module-like code, even if you have disabled loadable modules on your system. It is worth a read.

Alternative ftpd servers. In light of the recent problems with wu-ftpd, and the earlier problems with proftpd (see the December 2nd, 1999 Security Summary), suggestions for more secure ftpd servers for Linux have been popping up on BugTraq. This is not, by any means, an exhaustive list, but the following packages may be worth a look.

  • ftp-BSD. This is a Linux port of the OpenBSD ftpd server.
  • publicfile. This is an anonymous, read-only ftpd server from D.J. Bernstein (author of qmail).

eWEEK Challenges Public to Hack Web Site. This week's challenge from eWEEK promises to allow people to attempt to crack security on a variety of different platforms, including "Solaris, Windows2000, Windows NT, OpenBSD and Linux". A report on the number of intrusion attempts per operating system, vulnerabilities found, etc., is promised at the end. Overall, though, security contests have rarely proven a particularly effective way of testing the true security of a system. In addition, as we've seen in the past, another key question is whether or not eWEEK has the internal expertise to deploy all of the aforementioned operating systems in a secure manner.

The Motives and Psychology of the Black-hat Community (SecurityFocus). SecurityFocus is publishing a series of articles entitled "Know Your Enemy". This week's article focuses on motives. "They may not be technically competent, or even understand the tools they are using. However by focusing on a large number of systems, they can achieve dramatic results. This is not a threat to take lightly. They are not concerned about what harm they may cause. They focus only on achieving their goals."

Security Reports

ISC DHCP client root vulnerability. The Internet Software Consortium (ISC) has issued a warning regarding a root vulnerability reported by the folks at OpenBSD in ISC's Open Source reference implementation of DHCP. An upgrade to 2.0pl1 or 3.0b1pl14 should resolve the problem.

Glftpd. According to this report, permissions in Glftpd 1.18 through 1.21b8 can be bypassed, allowing protected files and directories to be accessed, due to a problem with the privpath directive. As a result, Glftpd 1.21 has been released with a resolution for this problem.

NetBSD: bad key generation in libdes. NetBSD has issued an advisory as a result of the installation of a new libdes library on June 24th. On systems that do not have a /dev/urandom device, this library creates a security vulnerability. An update to NetBSD-current since 20000622 is recommended.

FreeBSD: IP options processing errors. FreeBSD has issued an advisory concerning problems in the manner in which IP options are processed in the IP stack. Data corruption or a kernel panic can result. Also check NetBSD Security Advisory 2000-002, which describes an instance of this vulnerability. A kernel patch is provided to fix the problem, though it can also be resolved by an upgrade to 3.4-STABLE, 4.0-STABLE or 5.0-CURRENT. Note that an exploit for this vulnerability has been published.

sawmill. Sawmill, a site log statistics package, has been reported to contain a couple of vulnerabilities that could allow remote access to pretty much any file on the system. The vendor/maintainer has been notified and a patch/fix is promised in the near future.

Commercial products. The following commercial products were reported to contain vulnerabilities:

Updates

wu-ftpd. Check the June 15th Security Summary for a link to the mini-audit that turned up the latest set of problems with wu-ftpd.

Linux kernel capabilities. Check the June 8th Security Summary for details. Linux kernel 2.2.16, along with a 2.2.16 errata patch set, is required to resolve this problem.

SuSE: reminder after kernel upgrade. SuSE's Thomas Biege sent around a reminder to people to execute 'mk_initrd' and 'lilo' after upgrading their kernel packages, in response to some customer problem reports.

Zope. Zope 2.1.6 and 2.2beta1 contain a remotely-exploitable security problem. Zope 2.1.7 contains a fix. For more information, check last week's Security Summary.

Linux-Mandrake 7.1. Linux-Mandrake issued an advisory with links to package updates for bind, cdrecord, dump, fdutils, kdesu, xemacs and xlockmore. These are the same packages for which updated versions for Linux-Mandrake 7.0 were published last week.

Debian XFree86 3.3.6. Debian has issued new XFree86 packages which, according to this week's Debian Weekly News, contain patches for "fixing a denial of service attack, a symlink attack, and 4 security holes in Xlib". Debian does not appear to have issued an official advisory about the updated packages.

Resources

Bruce v1.0 Early Access 3 (Beta). The Early Access 3 (Beta) of Sun's Networked Host-Vulnerability Scanner, Bruce, has been announced. Bruce is released under the Sun Community Source License (SCSL).

Events

July security events.

July 3-5, 2000: 13th IEEE Computer Security Foundations Workshop (Cambridge, England)
July 10-12, 2000: Fifth Australasian Conference on Information Security and Privacy (ACISP 2000) (Brisbane, Australia)
July 14-16, 2000: H2K / HOPE 2000 (New York, New York, USA)
July 26-27, 2000: The Black Hat Briefings (Las Vegas, Nevada, USA)
July 28-30, 2000: DEF CON VIII (Las Vegas, Nevada, USA)

Section Editor: Liz Coolbaugh


June 29, 2000
Copyright © 2000 Eklektix, Inc., all rights reserved