News and Editorials

Helix GNOME advisories. Two advisories came out this week for security problems in Helix GNOME packages, including:

It is interesting to notice these problems, particularly since security is one area in which the GNOME project, and Helix, have not taken as active a stance as some could wish. For example, when asked about security issues at the recent press conference for the announcement of the GNOME Foundation, Miguel de Icaza's response was that people concerned about security should join the GNOME team and do something about it. This is an example of expecting to go back and "fix" a product to make it secure, rather than designing security into a product from the beginning. In addition, the latitude given an average Open Source project to allow it to develop according to the interests of the developers who happen to choose to get involved is much wider than the latitude given to the product of a commercial company. Helix GNOME is a hybrid of both; it is available via the GPL, but also a key product of a new commercial company. It is important that Helix realize the difference in their position, now that they are no longer just donating their time to a worthy cause.

Last, with the addition of Helix GNOME Update and Installer, the developers have moved from the GNOME application space, where security is often considered less critical, to the arena of systems administration, where security is extremely important, if not paramount. That needs to signal a change in focus to the Helix developers. A security design review would be an excellent idea; pro-active auditing of their code (and the GNOME code) for security problems is even more essential. Otherwise, we may be dealing with security advisories for Helix GNOME on a regular basis.

Note that neither of the advisories above will apply to GNOME as shipped with most Linux distributions. They will only apply if you have downloaded and installed Helix GNOME.

The World's Most Secure Operating System (The Standard).
Of course, Helix GNOME and the GNOME project should not be singled out as the only Open Source projects that need to rethink their approaches to security. The Standard took a look at OpenBSD and, in particular, Theo de Raadt, in this article. They found much to admire and many reasons why Open Source projects in general should consider following their example.

"OpenBSD's proactive approach is unique among open-source systems, which normally rely on user reports and public forums to find vulnerabilities. The Linux security philosophy, for example, can be summed up as 'more eyes means better security' - that is, since the source code is open to peer review, bugs will be quickly spotted and patched. De Raadt scoffs at that credo. Most reviewers of open-source code, he says, are amateurs."

Security Checkup (eWeek). Want to know what it would be like to have a security audit done for your company or organization? This eWeek article details the experience of a bank that recently did so. "...the increasing popularity of security audits is a manifestation of a growing trend among all enterprises to view security as far more than just something techies can fix with some network software".

CERT advisory on rpc.statd vulnerability. CERT has issued an advisory regarding the rpc.statd vulnerability first announced in July. The usual drill with CERT applies - if they have actually put out an advisory, that means the hole is being actively exploited. If you have not yet applied the update, you should have a look and think about doing so.

This week's prize for "Clueless Media Report" goes to Henry Kingman, who picked up the CERT advisory and therefore reported a "new Linux NFS vulnerability" in this article, in spite of the fact that the Debian and Red Hat advisories that he linked into his article are both from July.

Security Reports

xlockmore. A bug in xlockmore and a patch for the problem were posted to BugTraq this week. Check BugTraq ID 1585 for more details. This vulnerability may be exploited to execute arbitrary code with root privileges on some systems. On others, including the latest Debian release, such a root exploit is not possible, but access to encrypted passwords from /etc/shadow is. An update to xlockmore 4.17.1 is recommended.

GNOME-lokkit. Alan Cox reported a bug in the GNOME-Lokkit firewall package which could result in exposed network ports contrary to the user's request. An update to GNOME-Lokkit 0.41 should fix this problem.

ntop. A new problem in ntop 1.3.1 has been reported when run in web mode (-w). FreeBSD has put out updated packages that disable the -w mode, but reports other potential problems with the package. Personal suggestion: consider not using ntop.
If that is not an option, read the FreeBSD advisory for other suggested workarounds.

Multiple buffer overflows in top. Ben Lull reported multiple buffer overflows in the procps top included with Slackware Linux. An unofficial patch is included with the post. No confirmation from the Slackware team has been seen, as of yet.

xchat URL handler bug. Versions of xchat from 1.3.9 through and including 1.4.2 can allow commands to be passed from IRC to a shell. Check BugTraq ID 1601 for more details.

PHP-Nuke. The PHP-Nuke web portal is reported to erroneously allow access to administrator privileges. This has been fixed as of the latest version.

gopherd. A buffer overflow in the University of Minnesota's Gopher Daemon can be exploited to gain root access. No fix for this has been made available so far. Check BugTraq ID 1591 for more details.

darxite. Guido Bakker reported a vulnerability in the darxite daemon, a program written by Ashley Montanaro and used to retrieve files via FTP or HTTP. This bug can be used to execute arbitrary code under the login of the process running darxite. Check BugTraq ID 1598 for more details.

minicom (Jukka Lahtinen). An installation-dependent vulnerability has been reported in minicom on Red Hat 6.1 and 6.2 and Slackware 7.0. SuSE and Linux-Mandrake are reported not vulnerable. FreeBSD has been both reported vulnerable and not vulnerable; no final information is yet available. This bug will allow the creation of files with ownership uucp. Vulnerable systems running uucp can have system configuration files overwritten. The bug was originally reported by Michal Zalewski; more information can be found via BugTraq ID 1599.

CGI scripts. The following CGI scripts were reported to contain vulnerabilities:
Commercial products. The following commercial products were reported to contain vulnerabilities:
Updates

Another Zope update. It turns out that the fix for the Zope "mutable object" security hole (discussed in last week's LWN weekly edition) did not entirely solve the problem. Thus, a new update has been posted. Zope sites which let untrusted users edit DTML should apply the new patch.

Netscape 'Brown Orifice' vulnerability. Check the August 10th Security Summary for information on the Brown Orifice vulnerability. Two weeks later, fixed versions of Netscape have finally become available.

dhcp. A second set of problems with the ISC dhcp client was reported in the July 20th Security Summary. Older updates:
cvsweb. Versions of cvsweb prior to 1.86 may allow remote reading/writing of arbitrary files as the cvsweb user. Check the July 20th Security Summary for the original report from Joey Hess. The FreeBSD advisory also contains a good summary of the problem. Older updates:
proftpd format string vulnerability. FreeBSD has released a new advisory with information on upgrading proftpd to fix the ftp setproctitle() format string vulnerability discussed in the July 13th Security Summary.

Resources

Feature: Securing Linux-Mandrake (Rootprompt). Rootprompt has written up a description of recommended steps to take to secure a Linux-Mandrake system. "If you are going to be allowing POP or IMAP connections to your host, install stunnel. stunnel is a program that can take any connection on a port and turn it into an encrypted SSL connection."

Events

August/September security events.
Section Editor: Liz Coolbaugh
August 24, 2000