Linux in the news
All in one big page
See also: last week's Security page.
News and Editorials
PerlMx beta available from ActiveState. ActiveState has released a beta copy of its PerlMx extension to sendmail. PerlMx allows the creation of Perl scripts which run inside the sendmail system; these scripts can do things like reject, log, or rewrite mail. Clearly it's a scheme which gives administrators a flexible way of managing their mail systems.
LWN asked ActiveState about the security implications of having a Perl interpreter running as part of sendmail. It turns out that the PerlMx system runs as a separate process in its own context. Thus, it can run without any sort of special privileges, which makes a lot of things easier. As long as the communication channel between sendmail and PerlMx remains secure, it should be very hard to introduce new security problems with PerlMx.
SSH Communications changes ssh license. SSH Communications has announced a change to its licensing terms for ssh - it can now be used free of charge on Linux and the BSD variants for any purpose. It can also be included in distributions - but you have to be a "qualified developer" and get a license first. Most other applications still require a license fee from the user, though they do generously allow university contractors to use it for free.
This change is an obvious response to the increasing popularity of OpenSSH - why else would it be targeted at users of free systems?. It looks much like too little too late, however. It is still not free software in any way; OpenSSH, instead, is truly free and highly capable. The outcome of this particular battle seems fairly predictable.
August 15 Crypto-Gram newsletter. Bruce Schneier's Crypto-Gram newsletter for August 15 is out. Included therein is a description of Mr. Schneier's new book Secrets and Lies, which, like most of his stuff, should be very good. There is also a heads-up on the possibility of security problems in the Bluetooth protocol. "If Bluetooth is secure, it will be the first time ever that a major protocol has been released without any security flaws. I'm not optimistic."
Vulnerability in Zope 2.*.Digital Creations has issued an advisory regarding a security problem with all versions of Zope prior to the (just announced) 2.2.1 beta 1 release. The vulnerability could allow users who already have sufficient access to edit DTML to give themselves a higher level of access; it does not appear to expose Zope-based sites to the world as a whole. There is a "hotfix" available which closes the hole; see the advisory for details.
There is also a new release of ZEO available; ZEO users who are upgrading to the 2.2.1 beta 1 release will need to apply this upgrade as well.
A number of distributors have issued updates to fix this problem:
Trouble with usermode. The usermode utility allows unprivileged users to shut down and reboot the system. It also, apparently, allows them to put the system into single-user mode, which may not be what the administrator had in mind. A couple of vendors have shipped fixes:
Buffer overflow in UMN gopherd. Some people, evidently, are still using Gopher after all these years. A buffer overflow problem in UMN's gopherd was reported this week. A fix is available, see the announcement for the location (but don't use the patch in that message, see this update instead).
Commercial products. The following commercial products were reported to contain vulnerabilities:
More on Brown Orifice.For those of you wanting to read more about the Netscape "Brown Orifice" vulnerability, here is an advisory from CERT on the subject. "As of the writing of this document, we have not received any reports indicating exploitation of this vulnerability outside of the context of obtaining it from the Brown Orifice web site."
Also of interest is this posting by Andreas Greulich exploring some of the scarier implications of the Brown Orifice problem. It seems that, with some cleverness, BO can be exploited to explore internal web sites (behind) a firewall, and to make use of a user's personal certificates. This is actually a pretty scary bug, at least for some users.SGI kernel update. SGI has finally gotten around to putting out a kernel update fixing the capability vulnerability closed by 2.2.16.
Trustix updates apache-ssl. Trustix has issued an update to its apache-ssl package, which has some file permissions problems.
Perl/mailx updates continue to trickle in; see last week's security page for details on this vulnerability.
This week's updates:
MandrakeSoft updates MandrakeUpdate. Linux-Mandrake's
MandrakeUpdate utility has a /tmp race problem which is fixed with
this update. The problem is described as "a
very low security risk."
Netscape/Mozilla JPEG marker vulnerability.
Netscape/Mozilla JPEG marker vulnerability.Check the July 27th Security Summary for more information.
Update to diskcheck. Conectiva's diskcheck package has a /tmp race problem; an update has been provided.
ResourcesA new mailing list for discussion of penetration testing and network auditing techniques has been announced.
Here's the Linux Security Week Newsletter from the folks at LinuxSecurity.com.
August/September security events.
Section Editor: Liz Coolbaugh
August 17, 2000