News and Editorials

Come meet the SuSE Linux Security Team. The SuSE Linux Security Team has added some new members in the past couple of weeks. A series of mail exchanges with SuSE gave us some background on the new members and their planned activity, but also the opportunity to find out more about the entire team. So here, with only a bit of fanfare, is the SuSE Linux Security Team, in chronological order of the date they joined the team.
Marc, Sebastian and Thomas handle the source code auditing, development of security-related bug fixes and customer assistance with security-related problems. They also write security papers and develop new security tools. For their work, they monitor and interact with both public and private security mailing lists. When a team member finds a bug report or exploit that affects SuSE Linux, they notify the rest of the team and then take over responsibility for working on that particular bug. Once a fix is developed, it is sent on to the SuSE maintainers, for integration with the main development trees, and to Roman, who will write up the security advisory and release it once new RPMs are built. Big patches are also sent back to the author of the program involved. Other Linux vendors are informed via a private mailing list. In addition to this reactive work, the team works pro-actively to audit source code, write and maintain security tools and papers, look around for new tools and generally improve the overall security of SuSE Linux.

Unix, Linux computers vulnerable to damaging new attacks (News.com). News.com reports on "format string" vulnerabilities. "Fans of Unix and its close relative, Linux, pride themselves on the general security of their operating systems compared with Microsoft Windows, which has been plagued with security problems. But the format string issue highlights the fact that weaknesses can lurk for years within software, and that it's hard to track them down among hundreds of thousands of lines of programming code."

Primed and ready (Upside). Upside looks at the expiration of the RSA patent. "Perhaps hoping to stifle any Mozilla-type celebration within the anti-software patent community, RSA Security (RSAS), official administrators of the RSA public key encryption patent, dumped their crown jewel into the public domain on Wednesday, two weeks ahead of schedule."

Security Reports

Horde/IMP format string vulnerability. A format string vulnerability in the Horde library 1.2 and earlier was reported to BugTraq and is remotely exploitable. The Horde library comes from the Horde Project, which develops a set of Web-based productivity, messaging, and project-management applications under the GPL. The Horde library itself is released under the LGPL. The format string vulnerability in the Horde library has been shown to impact IMP, a PHP-based Internet Messaging Program from the Horde Project. In addition, it may impact other, not-yet-reported applications that use the Horde library. An upgrade to Horde 1.2.1 and IMP 2.2.1 should fix the problem and is strongly recommended.

This week's updates:

pam_smb remotely-exploitable stack buffer overflow. A remotely-exploitable stack buffer overflow has been reported in the pam_smb pluggable authentication module. This is a severe vulnerability, which could lead to a remote root compromise. All versions of pam_smb prior to 1.1.6 are affected. If you are using Samba and pam_smb, an immediate upgrade is strongly urged.

This week's updates:
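The format string problem described in the News.com item and behind the Horde/IMP report, shown in C. This is an added example written for this page, not code from Horde, IMP, muh or any other project mentioned here; the `log_msg` wrapper and the audit routine are illustrative assumptions. A logging helper that takes a printf-style format is handed untrusted text as the format instead of as an argument. With a message containing no `%` the two calls behave identically; with `%%` they already differ, and with `%x` or `%n` the vulnerable call reads or writes memory the caller never passed. The `format_arg_count`/`format_writes_memory` routines show the check an auditor applies to any format string a remote user can influence.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example for this page; not code from Horde, IMP, muh or any other
 * project mentioned here. log_msg is a hypothetical logging helper. */

static char logbuf[256];

/* A typical logging wrapper: it forwards a printf-style format and its
 * arguments. There is nothing wrong with the wrapper itself. */
static const char *log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(logbuf, sizeof logbuf, fmt, ap);
    va_end(ap);
    return logbuf;
}

/* BUG: the remote user's text becomes the format. Every '%' in it is a
 * directive: "%x" reads a stack slot that was never passed, "%n" writes
 * to an address taken from the stack. */
const char *record_vulnerable(const char *user_text)
{
    return log_msg(user_text);
}

/* FIX: the format is a literal and the user's text is only ever data. */
const char *record_fixed(const char *user_text)
{
    return log_msg("%s", user_text);
}

/* Walk a format string the way printf does: count the variadic arguments
 * it would consume and note whether it contains %n. Returns -1 for a
 * malformed directive. */
static int audit(const char *fmt, int *has_n)
{
    int args = 0;
    *has_n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                          /* "%%": a literal percent */
            continue;
        while (*p && strchr("-+ #0", *p))        /* flags */
            p++;
        if (*p == '*') {                        /* width taken from an argument */
            args++;
            p++;
        } else {
            while (*p >= '0' && *p <= '9')
                p++;
        }
        if (*p == '.') {                        /* precision */
            p++;
            if (*p == '*') {
                args++;
                p++;
            } else {
                while (*p >= '0' && *p <= '9')
                    p++;
            }
        }
        while (*p && strchr("hlLqjzt", *p))      /* length modifiers */
            p++;
        if (!*p || !strchr("diouxXeEfFgGaAcspn", *p))
            return -1;
        if (*p == 'n')
            *has_n = 1;
        args++;
    }
    return args;
}

/* Number of arguments the format would consume, or -1 if malformed. */
int format_arg_count(const char *fmt)
{
    int has_n;
    return audit(fmt, &has_n);
}

/* 1 if the format contains %n, 0 if not, -1 if malformed. */
int format_writes_memory(const char *fmt)
{
    int has_n;
    if (audit(fmt, &has_n) < 0)
        return -1;
    return has_n;
}

int main(void)
{
    const char *attack = "%x.%x.%x.%n";
    printf("vulnerable(\"100%%%% done\") -> %s\n", record_vulnerable("100%% done"));
    printf("fixed(\"100%%%% done\")      -> %s\n", record_fixed("100%% done"));
    printf("\"%s\" consumes %d args, writes memory: %d\n", attack,
           format_arg_count(attack), format_writes_memory(attack));
    return 0;
}
```

The `100%% done` input is deliberately chosen because it is the largest difference that can be shown without undefined behaviour: `%x` and `%n` would read garbage or crash, which is exactly why the audit routine flags them before any such string reaches a printf-family call.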
Linux-Mandrake security update for mod_perl. Linux-Mandrake has issued a security advisory and updated packages to fix a configuration-based security problem in mod_perl.

XMail remotely exploitable buffer overflow. Davide Libenzi's XMail is an Internet and intranet mail server, currently at release 0.59. Aviram Jenik reported a remotely exploitable buffer overflow in all versions of XMail prior to 0.59. Anyone using this software is strongly urged to upgrade to the latest version.

SuSE security update to Apache. SuSE issued an advisory reporting configuration-based security problems with Apache, as shipped with SuSE 6.0 through SuSE 7.0. The misconfigurations could allow CGI source code to be made visible and, if WebDAV has been installed, allow files on the web server to be modified. These problems appear to be specific to SuSE. SuSE users are strongly urged to upgrade their Apache packages, or correct their configurations, immediately. @stake, Inc. originated the discovery of these problems. They sent advisories for the Apache and WebDAV problems to BugTraq after SuSE had a chance to make updated packages available.

Mailman writable variable. The external archiving mechanism in all versions of Mailman prior to 1.2beta uses an internal variable, %(listname), which can be exploited to run arbitrary code. Check this BugTraq posting from Christopher Lindsey, which includes a patch, or BugTraq ID 1667 for more details. An upgrade to Mailman 1.2beta or later is recommended.

tmpwatch fork bomb denial-of-service. tmpwatch, a binary provided with Red Hat 6.1 for cleaning up unused files in temporary directories, is vulnerable to a denial-of-service attack. Nested directories can be used to cause a "fork bomb", in which the process recursively spawns more and more sub-processes. The problem was reported to Red Hat's Bugzilla, but no vendor response has been seen as yet. Subsequent postings pointed out that a system could be defended from such problems either by setting process resource limits or by using stmpclean, another, similar program.

Format string vulnerability in muh. muh is an IRC-bouncing tool. Multiple format string vulnerabilities exist in muh 2.05 (and potentially earlier versions). These can be used to crash muh and possibly to execute arbitrary code as the muh user. Here is the original report from Maxime Henrion, and a followup, including an unofficial patch, from Kris Kennaway. The author recommends disabling logging until the program has been patched. An official patch is not yet available.

YaBB.pl input check vulnerabilities. YaBB (formerly www.yabb.org) is a web-based bulletin board system written in Perl. It has been reported that the YaBB.pl Perl script fails to apply security checks to input in several places. As a result, arbitrary files on the system can be read. YaBB 9.11.2000 has been released as a result and should fix these problems. Check BugTraq ID 1668 for more details.

Cgi-bin script vulnerabilities. The following cgi-bin scripts have been reported to contain vulnerabilities:
Commercial products. The following commercial products were reported to contain vulnerabilities:
Updates

glibc vulnerabilities. Check last week's Security Summary for more details. The updates below take care of both the ld.so environment variable vulnerability and the locale format string vulnerability. If you do not see an update for your distribution, you may want to check last week's summary for updates that fix at least the ld.so problem. In addition, for those of you who are reluctant to upgrade your glibc library at this point, this BugTraq posting from Lionel Cons at CERN describes the methods they are using to protect against the recently-reported glibc bugs without upgrading the glibc package. Note that an upgrade is still strongly recommended as your first choice.

This week's updates:
xpdf symlink race condition. Check the August 31st Security Summary for the original report.

This week's updates:

Previous updates:

screen setuid root vulnerability. A vulnerability in screen 3.9.5 and earlier, reported last week, can be exploited by a local user to gain root. Note that screen must be installed setuid root in order for this to be exploitable.

This week's updates:

Previous updates:

mgetty temporary link vulnerability. Check the August 31st Security Summary for details. An upgrade to mgetty 1.2.22 should fix the problem.

This week's updates:

Older updates:

PHP upload vulnerability. Check last week's Security Summary for more details. This week, the PHP Group provided an official advisory for this problem, with programming recommendations and links to updated PHP packages (4.0.3RC1 and 3.0.17RC1) that contain functionality to help avoid insecure programming practices with PHP.

mopd updates for Linux. Last week, we mentioned a mopd advisory for FreeBSD. If you are using mopd under Linux, note that the Linux/VAX project recommends this mopd-linux port, which is based on the OpenBSD sources and includes the latest security fixes. [Thanks to Andy Phillips].

xchat URL handler bug. Versions of xchat from 1.3.9 through 1.4.2 inclusive can allow commands to be passed from IRC to a shell. Check BugTraq ID 1601 for more details.

This week's updates:
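The Mailman external-archiver problem and the xchat URL-handler bug above are the same mistake: a command template such as `netscape -remote openURL(%s)` has untrusted text substituted into it and the result is handed to a shell, which treats `;`, backquotes and `$(...)` inside that text as syntax rather than data. The C below is an added example written for this page, not code from xchat or Mailman; the handler template and the `shell_command`, `build_argv` and `run_handler` names are illustrative assumptions. It builds the same command both ways: as one string that `system()` would pass to `/bin/sh -c`, and as an argv that `execvp()` receives directly, where the URL stays a single argument whatever it contains.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example for this page; not code from xchat, Mailman or any other
 * project mentioned here. The template format ("%s" marks where the URL
 * goes) is an assumption made for illustration. */

#define MAX_ARGS 16
#define MAX_WORD 512

static char words[MAX_ARGS][MAX_WORD];   /* storage for the argv strings */
static char *argv_out[MAX_ARGS + 1];     /* NULL-terminated argv */
static char cmdline[MAX_ARGS * MAX_WORD];

/* The vulnerable shape: substitute the URL into the template and produce a
 * single string for system(), i.e. for /bin/sh -c. The shell parses the URL
 * too, so ';', '|', '`' and '$(...)' in it become commands. Nothing here
 * calls system(); the returned string shows what the shell would be given. */
const char *shell_command(const char *tmpl, const char *url)
{
    size_t o = 0;
    size_t ul = strlen(url);
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '%' && p[1] == 's') {
            if (o + ul + 1 >= sizeof cmdline)
                break;
            memcpy(cmdline + o, url, ul);
            o += ul;
            p++;
        } else {
            if (o + 2 >= sizeof cmdline)
                break;
            cmdline[o++] = *p;
        }
    }
    cmdline[o] = '\0';
    return cmdline;
}

/* The fix: tokenize the *template* on spaces and substitute %s inside a
 * token. Each token becomes one argv entry, so the URL is one argument no
 * matter what characters it contains. Returns argc, or -1 if it doesn't fit. */
int build_argv(const char *tmpl, const char *url)
{
    int argc = 0;
    size_t ul = strlen(url);
    const char *p = tmpl;
    while (*p) {
        while (*p == ' ')
            p++;
        if (!*p)
            break;
        if (argc == MAX_ARGS)
            return -1;
        size_t o = 0;
        for (; *p && *p != ' '; p++) {
            if (p[0] == '%' && p[1] == 's') {
                if (o + ul >= MAX_WORD)
                    return -1;
                memcpy(words[argc] + o, url, ul);
                o += ul;
                p++;
            } else {
                if (o + 1 >= MAX_WORD)
                    return -1;
                words[argc][o++] = *p;
            }
        }
        words[argc][o] = '\0';
        argv_out[argc] = words[argc];
        argc++;
    }
    argv_out[argc] = NULL;
    return argc;
}

/* argv entry i from the most recent build_argv() call. */
const char *handler_arg(int i)
{
    return argv_out[i];
}

/* Run the handler with fork()+execvp(): no shell is involved at any point.
 * Returns the child's exit status, or -1 on failure. */
int run_handler(const char *tmpl, const char *url)
{
    if (build_argv(tmpl, url) <= 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv_out[0], argv_out);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *tmpl = "netscape -remote openURL(%s)";
    const char *url = "http://x/;rm -rf ~";   /* constructed hostile URL */
    printf("shell sees : %s\n", shell_command(tmpl, url));
    int argc = build_argv(tmpl, url);
    for (int i = 0; i < argc; i++)
        printf("argv[%d]    : %s\n", i, handler_arg(i));
    return 0;
}
```

The argv version needs no quoting or metacharacter blacklist at all, which is the point: escaping for a shell is a losing game, while an argument passed through `execvp()` is never re-parsed. The same applies to Mailman's archiver command; there the safe form is a Python argument list handed to `os.execvp()` or an equivalent rather than a string handed to a shell.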
Resources

scanssh. Just announced this week, scanssh is a network scanner that probes for running SSH servers and determines their version numbers. "scanssh supports random selection of IP addresses from large network ranges and is useful for gathering statistics on the deployment of SSH servers in a company or the Internet as whole".

Librnet, Library for Raw Networking. To assist those who wish to develop their own `low-level' network-related software, Gigi Sullivan has released the Librnet library. This is the initial release; note the author's comment: "As stated above, Librnet is far from being complete and stable."

Events

September/October security events.
Section Editor: Liz Coolbaugh
September 14, 2000