LWN - Security

Sections:
Main page
Security
Kernel
Distributions
Development
Commerce
Linux in the news
Announcements
Back page
All in one big page

News and Editorials

PerlMx beta available from ActiveState. ActiveState has released a beta copy of its PerlMx extension to sendmail. PerlMx allows the creation of Perl scripts which run inside the sendmail system; these scripts can do things like reject, log, or rewrite mail. Clearly it's a scheme which gives administrators a flexible way of managing their mail systems.

LWN asked ActiveState about the security implications of having a Perl interpreter running as part of sendmail. It turns out that the PerlMx system runs as a separate process in its own context. Thus, it can run without any sort of special privileges, which makes a lot of things easier. As long as the communication channel between sendmail and PerlMx remains secure, it should be very hard to introduce new security problems with PerlMx.

SSH Communications changes ssh license. SSH Communications has announced a change to its licensing terms for ssh - it can now be used free of charge on Linux and the BSD variants for any purpose. It can also be included in distributions - but you have to be a "qualified developer" and get a license first. Most other applications still require a license fee from the user, though they do generously allow university contractors to use it for free.

This change is an obvious response to the increasing popularity of OpenSSH - why else would it be targeted at users of free systems?. It looks much like too little too late, however. It is still not free software in any way; OpenSSH, instead, is truly free and highly capable. The outcome of this particular battle seems fairly predictable.

August 15 Crypto-Gram newsletter. Bruce Schneier's Crypto-Gram newsletter for August 15 is out. Included therein is a description of Mr. Schneier's new book Secrets and Lies, which, like most of his stuff, should be very good. There is also a heads-up on the possibility of security problems in the Bluetooth protocol. "If Bluetooth is secure, it will be the first time ever that a major protocol has been released without any security flaws. I'm not optimistic."

Security Reports

Vulnerability in Zope 2.*. Digital Creations has issued an advisory regarding a security problem with all versions of Zope prior to the (just announced) 2.2.1 beta 1 release. The vulnerability could allow users who already have sufficient access to edit DTML to give themselves a higher level of access; it does not appear to expose Zope-based sites to the world as a whole. There is a "hotfix" available which closes the hole; see the advisory for details.

There is also a new release of ZEO available; ZEO users who are upgrading to the 2.2.1 beta 1 release will need to apply this upgrade as well.

A number of distributors have issued updates to fix this problem:

Conectiva
Debian (only pre-release versions of Potato vulnerable).
FreeBSD
Linux-Mandrake
Red Hat (Zope is part of the PowerTools product).

Trouble with usermode. The usermode utility allows unprivileged users to shut down and reboot the system. It also, apparently, allows them to put the system into single-user mode, which may not be what the administrator had in mind. A couple of vendors have shipped fixes:

Buffer overflow in UMN gopherd. Some people, evidently, are still using Gopher after all these years. A buffer overflow problem in UMN's gopherd was reported this week. A fix is available, see the announcement for the location (but don't use the patch in that message, see this update instead).

Commercial products. The following commercial products were reported to contain vulnerabilities:

Brian Masney has reported a problem with the Totalbill system (a billing application for ISPs) which allows remote users to run programs as root.
The version of FlagShip which is distributed on the Red Hat Linux 6.0 application CD was reported to have some world-writable executable files.
VeriCAD, too, has a world-writable file problem.

Updates

More on Brown Orifice. For those of you wanting to read more about the Netscape "Brown Orifice" vulnerability, here is an advisory from CERT on the subject. "As of the writing of this document, we have not received any reports indicating exploitation of this vulnerability outside of the context of obtaining it from the Brown Orifice web site."

Also of interest is this posting by Andreas Greulich exploring some of the scarier implications of the Brown Orifice problem. It seems that, with some cleverness, BO can be exploited to explore internal web sites (behind) a firewall, and to make use of a user's personal certificates. This is actually a pretty scary bug, at least for some users.

SGI kernel update. SGI has finally gotten around to putting out a kernel update fixing the capability vulnerability closed by 2.2.16.

Trustix updates apache-ssl. Trustix has issued an update to its apache-ssl package, which has some file permissions problems.

Perl/mailx updates continue to trickle in; see last week's security page for details on this vulnerability.

SuSE Linux
Conectiva
Yellow Dog Linux (two updates: mailx, and perl).
Red Hat (August 8)
Debian (August 8)
Caldera (August 9)
Linux-Mandrake (August 9)

NFS/rpc.statd . Check the July 20th LWN Security Summary for the initial report.

This week's updates:

SuSE

Previous updates:

Debian (2.1 not vulnerable) (July 20th)
Conectiva (July 20th)
Linux-Mandrake (July 20th)
Caldera (rpc.statd not shipped with OpenLinux) (July 20th)
Trustix (July 20th)
Red Hat (July 20th, updated this week) (July 27th)

MandrakeSoft updates MandrakeUpdate. Linux-Mandrake's MandrakeUpdate utility has a /tmp race problem which is fixed with this update. The problem is described as "a very low security risk."

Netscape/Mozilla JPEG marker vulnerability. Check the July 27th Security Summary for more information.

Conectiva
Red Hat (August 8)
Linux-Mandrake (August 8)
TurboLinux (August 2)

Update to diskcheck. Conectiva's diskcheck package has a /tmp race problem; an update has been provided.

Resources

A new mailing list for discussion of penetration testing and network auditing techniques has been announced.

Here's the Linux Security Week Newsletter from the folks at LinuxSecurity.com.

Events

August/September security events.

Date Event Location

August 20-24, 2000. Crypto 2000 Santa Barbara, California, USA

August 22-23, 2000. WebSec 2000 San Francisco, California, USA

September 1-3, 2000. ToorCon Computer Security Expo San Diego, California, USA.

September 11-14, 2000. InfowarCon 2000 Washington, DC, USA.

September 13-14, 2000. The Biometric Consortium 2000 Gaithersburg, MD, USA.

September 19-21, 2000. New Security Paradigms Workshop 2000 Cork, Ireland.

September 26-28, 2000. CERT Conference 2000 Omaha, Nebraska, USA.

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh

August 17, 2000

Secure Linux Projects
Bastille Linux
Immunix
Khaos Linux
Nexus
Secure Linux
Secure Linux (Flask)
Trustix

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara MNU/Linux Advisories LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
Linux Security Audit Project
LinuxSecurity.com
OpenSSH
OpenSEC
Security Focus
SecurityPortal

Next: Kernel