[LWN.net]



News and Editorials

Hacking for the Common Good? (ZDNet). Lewis Z. Koch over at ZDNet discusses a supposed "white paper" from Rain Forest Puppy on how vendors and hackers finding vulnerabilities ought to interact. Note that we don't dispute the existence of the white paper -- though we find it annoying and irresponsible that ZDNet doesn't bother to provide a link to the paper they are discussing. The topic is just the same rules of the game that have been discussed on BugTraq many times -- act courteously, whether you have found a vulnerability to report or you are a vendor receiving a vulnerability report.

We actually found Alfred Huger's recent comments on posting vulnerabilities more humorous and a good reminder for novice and expert alike. Here is a portion of his "rules":

Release timing
  1. Do not, release your vulnerability just prior to a holiday. It causes more grief than you can possibly imagine. If you are interested in engendering deep seated ill will against your organization, company or person - disregard this rule.

  2. Do not, release your vulnerability on a Friday - people rarely enjoy working the weekend. If you're trying to brand your company by releasing your advisory (and most of you are) it's important to make the best impression. This will not do so.

  3. Do not, release with remarkably vague details and no fix information. This is like yelling fire in a dance hall. Not pretty.

  4. Do not, release your advisory on a weekend, read rule 1 and 2.

Bar FTP and Telnet? At a symposium at the University of Pennsylvania, Simson L. Garfinkel recommended that universities bar the use of ftp and telnet. "Mr. Garfinkel also urged the more than 300 residential-network managers and student-coordinators attending the conference to stop the common practice of using unencrypted passwords to secure network-user accounts. 'But you won't,' he chided. 'And so you're going to keep having accounts broken into.'"

Security Reports

SSH 1.2.27+Kerberos vulnerability. It sounds like déjà vu: SSH 1.2.27 was originally released last year in response to a vulnerability present when SSH was compiled with Kerberos support enabled. Now Richard E. Silverman has reported another Kerberos-related vulnerability in 1.2.27. As a result, ssh 1.2.28 has hit the download sites and should contain a fix for the problem. Again, you are not affected if you are using ssh 1.2.27 compiled without Kerberos support, ssh 2.X or an alternate program, such as OpenSSH.

imwheel. A vulnerability in imwheel was discussed in the April 27th Security Summary. This week, Red Hat published an updated version of their advisory, documenting multiple vulnerabilities in imwheel and recommending its removal under most circumstances.

Here are the older imwheel advisories:

Debian Security Advisory - canna. The canna package as distributed in Debian GNU/Linux 2.1 can be remotely exploited to gain access. This has been fixed in version 3.5b2-24slink1, and they recommend that you upgrade your canna package immediately.

makewhatis tmplink vulnerability. A tmplink vulnerability has been reported in makewhatis, part of the man package. This can be exploited to manipulate files without permission or elevate permissions locally. Check BugTraq ID 1434 for more details.

This week's updates:

vpopmail remote exploit vulnerability. vpopmail prior to version 4.8 can be remotely exploited to execute arbitrary code on a server. An advisory has been posted with details and information on upgrading to version 4.8. vpopmail is an extension to qmail for managing virtual domains and user accounts.

Commercial products. The following commercial products were reported to contain vulnerabilities:

Updates

wu-ftpd. Check the June 15th Security Summary for a link to the mini-audit that turned up the latest set of problems with wu-ftpd.

ISC DHCP client. Check last week's Security Summary for more details. An upgrade to 2.0pl1 or 3.0b1pl14 should resolve the problem.

dump/restore. A security vulnerability in dump/restore has been fixed as of dump 0.4b18. Check the June 15th Security Summary for details.

Netscape SSL. Problems in the manner that Netscape handled invalid SSL certificates have been fixed in Netscape 4.73. Check the May 18th Security Summary for the initial report. Also check the June 1st Security Summary for additional problems in Netscape 4.73.

Resources

White Paper: ICMP usage in scanning. Ofir Arkin has released a research paper entitled ICMP usage in scanning. "In this paper I have tried to outline what can be done with the ICMP protocol regarding scanning. The paper deals with plain Host Detection techniques, Host Detection techniques using ICMP error messages generated from probed hosts, Inverse Mapping, Trace routing, OS finger printing methods with ICMP, and which ICMP traffic should be filtered on a Filtering Device."

Events

July/August security events.
Date | Event | Location
July 3-5, 2000 | 13th IEEE Computer Security Foundations Workshop | Cambridge, England
July 10-12, 2000 | Fifth Australasian Conference on Information Security and Privacy (ACISP 2000) | Brisbane, Australia
July 14-16, 2000 | H2K / HOPE 2000 | New York, New York, USA
July 26-27, 2000 | The Black Hat Briefings | Las Vegas, Nevada, USA
July 28-30, 2000 | DEF CON VIII | Las Vegas, Nevada, USA
August 14-17, 2000 | 9th Usenix Security Symposium | Denver, Colorado, USA
August 14-18, 2000 | Ne2000 (Networking 2000) | Lunteren, The Netherlands
August 18-20, 2000 | Hack Forum 2000 | Ukraine
August 20-24, 2000 | Crypto 2000 | Santa Barbara, California, USA
August 22-23, 2000 | WebSec 2000 | San Francisco, California, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list.

Section Editor: Liz Coolbaugh


July 6, 2000


Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds