Date:         Tue, 1 Aug 2000 15:09:54 -0500
From: InfoSec News <isn@C4I.ORG>
Subject:      [ISN] Linux Security Week, July 31, 2000
To: ISN@SECURITYFOCUS.COM

Forwarded by: newsletter-admins@linuxsecurity.com

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|  July 31, 2000                             Volume 1, Number 14      |
|                                                                     |
|  Editorial Team:  Benjamin Thomas         ben@linuxsecurity.com     |
|                   Chris Parker            cparker@linuxsecurity.com |
+---------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security
newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security
headlines and system advisories.

This week, advisories for gpm, man, dhcp-client, Zope, openldap,
BitchX, pam, and nfs-utils were released.  DHCP-client and nfs-utils
vulnerabilities can both theoretically be used to gain remote root
access.

* LinuxSecurity.com just released the LinuxSecurity Quick Reference
Card. The reference is intended to provide a starting point for
improving system security.  It includes references to security
resources, tips for securing Linux, and other general security
information.

http://www.linuxsecurity.com/articles/documentation_article-1208.html

Our feature this week is an interview with Carr Biggerstaff & Thomas
Haigh of Secure Computing, by Dave Wreski.  The interview discusses
the state of Linux and security, its place in secure business data
centers, and their work with the National Security Agency to create a
Type-Enforced version of Linux.

http://www.linuxsecurity.com/feature_stories/secure-1.html

Our sponsor this week is WebTrends. Their Security Analyzer has the
most vulnerability tests available for Red Hat & VA Linux. It uses
advanced agent-based technology, enabling you to scan your Linux
servers from your Windows NT/2000 console and protect them against
potential threats. Now with over 1,000 tests available.

http://www.webtrends.com/redirect/linuxsecurity1.htm


HTML Version Available:
http://www.linuxsecurity.com/newsletter.html


---------------------
Advisories This Week:
---------------------


* Mandrake: gpm vulnerability
July 28th, 2000

Many security flaws existed in the gpm package, which is used to
control the mouse in a terminal outside of X Windows.  As well, a
denial of service attack via /dev/gpmctl is possible.  All security
issues with the gpm package have been addressed with this update.

http://www.linuxsecurity.com/advisories/mandrake_advisory-586.html


* Mandrake: openldap NOT vulnerable
July 28th, 2000

OpenLDAP installs the ud binary with mode 755 and the default group,
taken from the installing user's primary gid or the gid of the
directory itself.  Depending on the gid used, this can cause the file
to be group-writable for an extended group.  It has been determined
that Linux-Mandrake is not vulnerable to the recent openldap
permission problem.

http://www.linuxsecurity.com/advisories/caldera_advisory-584.html


* Mandrake: Zope vulnerability
July 28th, 2000

7.1 and previous versions of Zope have a serious security flaw in one
of the base classes in the DocumentTemplate package that is
inadequately protected.  This flaw allows the contents of DHTML
Documents or DHTML Methods to be changed remotely or through DHTML
code without forcing proper user authorization.

http://www.linuxsecurity.com/advisories/mandrake_advisory-588.html


* Debian: dhcp-client vulnerability
July 28th, 2000

The versions of the ISC DHCP client in Debian 2.1 (slink) and Debian
2.2 (potato) are vulnerable to a root exploit. The OpenBSD team
reports that the client inappropriately executes commands embedded in
replies sent from a dhcp server. This means that a malicious dhcp
server can execute commands on the client with root privileges.

http://www.linuxsecurity.com/advisories/Debian_advisory-585.html


* Conectiva: BitchX vulnerability
July 28th, 2000

The irc client BitchX can be taken down remotely by inviting the user
to a channel with format strings in its name. By receiving the
invitation, BitchX will crash immediately.

http://www.linuxsecurity.com/advisories/other_advisory-583.html


* TurboLinux: dhcp vulnerability
July 28th, 2000

Current and previous versions of the DHCP client are vulnerable to
malicious DHCP servers. The client can execute arbitrary commands
given to it in responses from a DHCP server.  A maliciously placed
DHCP server can answer any local DHCP client, thus providing an avenue
to remotely exploit root privileges on the client.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-587.html


* Conectiva: nfs-utils vulnerability
July 27th, 2000

A vulnerability was found in the Conectiva nfs-utils which allows
remote root access.  It is the same vulnerability that Redhat's
nfs-utils had.

http://www.linuxsecurity.com/advisories/other_advisory-579.html


* Conectiva: pam vulnerability
July 27th, 2000

This module incorrectly identifies remote X logins for displays other
than :0 (:1, :2, etc.) as local ones, thus giving the console to this
user. Having the console, the remote user could issue commands like
reboot to remotely reboot the system (after providing his or her
password).

http://www.linuxsecurity.com/advisories/other_advisory-580.html


* Conectiva: gpm vulnerability
July 27th, 2000

There is a condition that, if exploited by an attacker, could lead to
gpm removing arbitrary files in the system.

http://www.linuxsecurity.com/advisories/other_advisory-582.html


* Conectiva: man vulnerability
July 27th, 2000

The man package has a script called makewhatis that is run weekly by
the cron daemon as root. This script creates a directory in /tmp and
some files under it with predictable names, thus making it possible
for a local attacker to alter any file in the system via symlink
attacks.

http://www.linuxsecurity.com/advisories/caldera_advisory-581.html


* Debian: userv vulnerability
July 27th, 2000

The version of userv that was distributed with Debian GNU/Linux 2.1 /
slink had a problem in the fd swapping algorithm: it could sometimes
make an out-of-bounds array reference. It might be possible for local
users to abuse this to carry out unauthorized actions or to take
control of service user accounts.

http://www.linuxsecurity.com/advisories/debian_advisory-578.html


* RedHat: gpm vulnerability
July 26th, 2000

1. gpm did not perform adequate checking of setgid return values in
   the gpm-root helper program.  This resulted in an avenue of attack
   where local users could execute arbitrary commands with elevated
   group privileges.
2. /dev/gpmctl was writable by users who were not on the console.  A
   user could perform a local denial of service attack by flooding the
   socket.

http://www.linuxsecurity.com/advisories/redhat_advisory-577.html


* Conectiva: openldap vulnerability
July 26th, 2000

Our previous update introduced a logrotate script for the ldap logs.
This script incorrectly signals the klogd daemon and kills it. This
new update also upgrades the openldap package to version 1.2.11 which
fixes some bugs in the 1.2.10 release.

http://www.linuxsecurity.com/advisories/other_advisory-576.html


-----------------------
Top Articles This Week:
-----------------------


Host Security News:
-------------------

* Grey-hat hacking
July 24th, 2000

Enterprises hiring reformed crackers to expose their soft underbellies
will only add to the more than $2.6 trillion lost worldwide annually
because of security intrusions, warns professional services firm
PricewaterhouseCoopers. The shift from business-to-consumer (B2C) to
business-to-business (B2B) marketplaces could accelerate this trend at
exponential rates.

http://www.linuxsecurity.com/articles/hackscracks_article-1192.html


* Forensics
July 24th, 2000

This article describes the actions taken to investigate an actual
security breach.

http://www.linuxsecurity.com/articles/host_security_article-1187.html



Network Security News:
----------------------

* Debate erupts over disclosure of software security holes
July 28th, 2000

In a contentious keynote speech that created an uproar at the Black
Hat Briefings security conference here yesterday, security researcher
Marcus Ranum charged that the full disclosure of software
vulnerabilities isn't improving computer security. Instead, Ranum
said, it only encourages attacks by what he called "armies of script
kiddies."  Many security experts and corporate users believe that
publicizing software flaws will improve security by forcing software
vendors to improve the quality of their products and to quickly fix
potentially damaging bugs - a point that was reiterated by several
audience members and other speakers at the Black Hat conference.

http://www.linuxsecurity.com/articles/hackscracks_article-1229.html


* Study: Internet's structure vulnerable to organized attack
July 28th, 2000

The Internet's reliance on a few key nodes makes it especially
vulnerable to organized attacks by hackers and terrorists, according
to a new study on the structure of the worldwide network.

http://www.linuxsecurity.com/articles/general_article-1221.html


* Denial-of-service threat gets engineering community's attention
July 27th, 2000

The Internet engineering community is developing technology that
promises to minimize the damage these hacker attacks cause by quickly
identifying the computer systems where they originate. The Internet
Engineering Task Force (IETF) last week launched a working group to
develop ICMP Traceback Messages, which would let network managers
discover the path that packets take through the Internet.

http://www.linuxsecurity.com/articles/network_security_article-1211.html


* Apache Guide: Apache Authentication, Part 1
July 24th, 2000

In this article, I'm going to cover the standard way of protecting
parts of your Web site that most of you are going to use. In the next
part I'll talk about using databases, rather than text files, to
contain your user and group information. Somewhere in here I'll talk
about using things other than usernames and passwords to protect your
web site from "intruders"--such as the IP address of the visitor.

http://www.linuxsecurity.com/articles/server_security_article-1191.html


* Linux Networking: Using Ipchains
July 24th, 2000

The article examines the basic concepts pertaining to routing, network
address translation (NAT), firewalls, and a program called ipchains.
Individual sections address each concept. The last section combines
the basics into a sample configuration for linking a local network to
the Internet.

http://www.linuxsecurity.com/articles/network_security_article-1189.html



Cryptography News:
------------------

* Digital Signatures and Stolen Automobiles
July 28th, 2000

Digital signatures require extensive safekeeping. Unlike passwords,
you can't store them in your head. The number sequence is too long.
You have to store the signature on a smart card, keep it on your hard
drive, or carry it around on a disk. Since the signature depends upon
non-repudiation as the key selling point, you better not let anyone
else get his or her hands on it. Figuring ways to protect your digital
signature from your teenager, your estranged spouse, a crazy love
interest, or a housekeeper may be a challenge.

http://www.linuxsecurity.com/articles/host_security_article-1226.html


* Default Passwords and What You Can Do About Them
July 28th, 2000

This is a huge problem because companies buy lots and lots of hardware
and software that they need to deploy quickly. This often results in
minimal configuration effort being made, and the default passwords are
usually left in, due to carelessness, or for the simple fact that the
people installing it don't know (hardware vendors like 3Com have
placed backdoors in hardware so that they can help the customer
recover).

http://www.linuxsecurity.com/articles/network_security_article-1227.html



Vendor/Product/Tools News:
--------------------------

* Linux developers hunt for kernel bugs
July 27th, 2000

Linux developers have begun an ambitious project to identify security
problems with the open source operating system before they trouble end
users. The Linux Kernel Auditing Project is an attempt to audit the
Linux kernel for any security holes. The project also aims to educate
Linux developers on how to write code securely and thereby stay ahead
of crackers in creating a secure operating environment.

http://www.linuxsecurity.com/articles/projects_article-1210.html


* New Security Audits Radically Reduce Cost of Securing Your Website
July 24th, 2000

SecuritySpace.com, http://www.SecuritySpace.Com, a leading security
portal, today launched the Desktop Security Audit, a new tool that
will radically reduce the cost of finding and fixing website and
PC-based security holes.

http://www.linuxsecurity.com/articles/vendors_products_article-1188.html



General News:
-------------

* LinuxSecurity.com Releases the LinuxSecurity Quick Reference Card
July 28th, 2000

This Quick Reference Card is intended to provide a starting point for
improving the security of your system. It contains references to
security resources around the net, tips on securing your Linux box,
and general security information.

http://www.linuxsecurity.com/articles/documentation_article-1208.html


* A hacker in a white hat
July 26th, 2000

My local county newspaper has a story on Brian Martin from
attrition.org. "A recent news release describing Brian Martin awards
him a most unusual title: ex-hacker. Martin, a thin young man with a
wide smile, laughs at the characterization but doesn't dispute it. The
security consultant says he used to run with a group of teens and
twentysomethings in Denver who would spend their free time "hacking"
(breaking into computer systems) and "phreaking"  (breaking into phone
systems) when they weren't frequenting clubs and bars."

http://www.linuxsecurity.com/articles/general_article-1205.html


* US downplays wiretap risks
July 26th, 2000

United States officials are trying to calm concerns about a new FBI
internet-wiretapping system called Carnivore, describing it as a
"small-scale device" and insisting that fears of broad online
surveillance are exaggerated.  Carnivore allows US law enforcement
agencies to find and follow the e-mails of a criminal suspect among
the flood of other data passing through an internet service provider.

http://www.linuxsecurity.com/articles/privacy_article-1202.html


* Online Privacy 101
July 25th, 2000

The nonprofit advocacy group that has stamped its privacy seal of
approval on nearly 2,000 Web sites will team up with a dozen major
Internet companies to launch a consumer education campaign.  TRUSTe
plans to announce its "Privacy Partnership 2000 Campaign" on Tuesday
morning. The goal is to educate online consumers about privacy issues
and individual rights through newspaper, radio and Internet
advertising.

http://www.linuxsecurity.com/articles/privacy_article-1196.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com