[LWN Logo]

 Main page
 Linux in the news
 Back page
All in one big page

See also: last week's Security page.


News and Editorials

Debian to phase out security support for 2.1. The Debian Project has announced its intent to phase out security support for the 2.1 ("slink") distribution. Their expectation is that most users have already upgraded to 2.2. They are looking for feedback on the idea; now is the time to scream if this idea bothers you.

We, ourselves, will be waiting eagerly to hear whether or not there is any negative feedback to this announcement. If there is not, it will be amazing, and a strong indication of a difference between Debian customers and those of other distributions. Red Hat, for example, officially supports security updates for Red Hat 4.2 and 5.2, and it isn't difficult to go out and find customers still using those distributions.

Why would someone choose not to upgrade? Well, there is the issue of "if it isn't broken, don't fix it". Everyone these days has too little time to do too much work. If a system is quietly working away in the corner, doing what you want it to do without requiring any intervention, why risk breaking it? Remember all those systems that have clocked a year or more of uptime? Well, that implies, for non-Debian systems, that they haven't upgraded their distribution in at least that amount of time.

Other issues can crop up as well. Kernel changes between major distributions can pose new demands on memory, disk and other hardware. As a result, some distributions choose to run with older kernels. TINY Linux is an example of this. It is based on Slackware 4.0 and the Linux 2.0.X kernel in order to meet their goal of supporting old, slow systems with minimal memory and disk. With the need to have good security on all systems being so aptly demonstrated by this year's distributed-denial-of-service attacks, it is important to provide security fixes for these machines as well, not just systems that have been upgraded to the latest distribution.

Most of all, no matter how easy the upgrade, it takes time to do good backups, verify them and thoroughly test a system after an upgrade. As a result, many people probably upgrade their systems as much as six months or more after the last major release.

Debian, though, is a slightly different kettle of fish. Most Debian users upgrade their systems piecemeal, bit by bit, on a frequent basis. It may be more unusual to find someone that is still running exactly the same Debian that they installed from CD. So maybe the Debian community will prove us wrong, by voicing no concern over this policy change. Either that, or the ones that don't complain are the same people that aren't going to bother to install a security update in any case.

The EFF and Linux Journal call for SDMI challenge boycott. The Electronic Frontier Foundation and Don Marti at Linux Journal have both called for a boycott of the the Secure Digital Music Initiative (SDMI)'s hackSDMI challenge. "The Electronic Frontier Foundation (EFF) urges the Internet community to boycott this contest and refrain from helping the recording industry perfect a way to undermine our fair use rights."

SDMI is a new format for music, designed to replace the MP3, which allows the implementation of control over how and when the music is played. This can include the devices upon which it can be played, whether or not you can make a backup, even whether or not you can listen to it once or ten times. As a result, it allows the implementation of practices that prevent not only widespread copying, but much of the "fair use" practices that are common today. It is backed by a consortium of over 100 companies in the music industry and planned to replace MP3 by Christmas this year.

In court, the ease in which the CSS DVD format was decrypted was of at least some embarrassment to the plaintiffs, if not a valid defense. This hacker challenge seems geared both to prevent a similar embarrassment for SDMI and as a marketing ploy to demonstrate the "security" of the new SDMI format. As security professionals, our time is here to be used to help make our computers and networks more secure -- not to support someone's marketing plan or future legal defense. We concur with the proposed boycott.

Here are some additional articles on the topic for those of you who are interested:

September CRYPTO-GRAM newsletter. The September CRYPTO-GRAM newsletter is out. It discusses full disclosure of security problems, the PGP vulnerability, and whether Bruce Schneier's parents should be sued for creating and distributing a piece of circumvention technology (namely, Bruce).

Security Reports

klogd/sysklogd format string vulnerability. A format string vulnerability in klogd was reported on BugTraq. klogd receives messages from the Linux kernel and forwards them to syslog. In Linux distributions, it is generally packaged with syslog as "sysklogd". This vulnerability has been proven to be locally exploitable to gain root and may potentially be remotely exploitable or exploitable via knfsd. The problem affects Linux and many other versions of Unix. An immediate upgrade is strongly recommended.

Note from this BugTraq posting by Solar Designer that the updates below also include fixes for some syslog-specific bugs as well, notably in both printchopped() and printline().

From the large number of timely updates you see below, it is easy to guess that this vulnerability was actually found about a week ago originally and then reported to both Linux and Unix vendors, allowing them to have fixes available immediately after the vulnerability announcement was made.

This week's updates:

Note that Red Hat appears to be having problems with their redhat-watch mailing list. As a result, we've seen multiple advisories for some issues and no advisories for others. Red Hat users may want to check the Red Hat Errata or the BugTraq mailing list regularly for updates until the problem is resolved.

eject exploitable buffer overflows. FreeBSD has issued a security advisory for eject after an internal audit found ways that this setuid root program can be used locally to gain root privileges. They've provided updates packages for FreeBSD. This problem is not limited to FreeBSD, so advisories from other BSD and Linux distributors can be expected to follow.

listmanager exploitable buffer overflows. FreeBSD also put out updated listmanager packages. Listmanager is not Open Source software, but is freely distributable. The author has reported locally exploitable buffer overflow vulnerabilities in versions previous to 2.105.1.

pine malformed X-Keywords denial-of-service. FreeBSD issued a belated advisory for pine4, with fixes for a problem processing mail messages with malformed X-Keywords header lines. These caused pine to crash, allowing a user-level denial-of-service attack.

cgi-bin scripts. The following cgi-bin scripts were reported to contain vulnerabilities:

  • MultiHTML, can be used to get read access to every file on the system. No solution provided.

Commercial products. The following commercial products were reported to contain vulnerabilities:


Linux-Mandrake security update to mod_php3. MandakeSoft has issued a security update to the Apache PHP3 module. There is not, however, a problem with PHP itself; instead, many scripts which process file uploads have a bug which can allow them to be subverted. The update provides a new function which makes it easier to write secure PHP code. Anybody using PHP for file uploads should have a look at this advisory.

xpdf symlink race condition. Check the August 31st Security Summary for the original report.

Debian users should also note that xpdf-i versions prior to 0.90-7 are also vulnerable. Updated packages are available at http://non-us.debian.org/dists/proposed-updates/ (or your nearest non-US mirror).

This week's updates:

Previous updates:

xchat URL handler bug. Versions of xchat from 1.3.9 through and including 1.4.2 can allow commands to be passed from IRC to a shell. Check BugTraq ID 1601 for more details.

This week's updates:

Older updates:

screen setuid root vulnerability. A vulnerability in screen 3.9.5 and earlier that can be exploited by a local user to gain root was recently reported in the September 7th Security Summary. Note that screen must be installed setuid root in order to be exploited. Screen 3.9.5 and earlier contain this vulnerability. This week's updates:

  • Red Hat (affects Red 5.2 and earlier only)
  • FreeBSD, official advisory
Previous updates:
  • Debian (September 7th)
  • Linux-Mandrake (not vulnerable) (September 7th)
  • Red Hat, 6.X unofficially reported not vulnerable (September 7th)
  • FreeBSD, unofficial report (September 7th)
  • Conectiva (not vulnerable) (September 7th)
  • NetBSD (September 7th)
  • SuSE (September 14th)

Mailman. A vulnerability was reported in mailman 2.0beta3 and 2.0beta4 and fixed in 2.0beta5. Check the August 3rd LWN Security Summary for more details.

Note that the fixes below do not address the more recently reported Mailman writable variable vulnerability covered in last week's LWN Security Summary.

This week's updates:

Previous updates:
  • Conectiva (August 3rd)
  • Linux-Mandrake (mailman not shipped) (August 10th)
  • Red Hat (Secure Web Server) (August 10th)
  • Debian (only the woody development version is impacted) (August 10th)

glibc vulnerabilities. Check the September 7th LWN Security Summary for the initial reports and last week's LWN Security Summary for more details and workarounds.

This week's updates:

Previous updates:

Horde/IMP format string vulnerability. Check last week's Security Summary for more details. Horde 1.2 and 1.3 have been patched in the CVS trees for this problem. The Horde team also has made available a patched version of IMP 2.2.2. This version is part 2 of a security vulnerability present in 2.2.0 (and earlier "pre" releases) that was only partially fixed in 2.2.1. Users of IMP 2.2 on production systems are strongly encouraged to upgrade.


Updated security tools. Here are some Open Source security tools for which minor updates have been made available in the past week:

  • nessus 1.0.5, a remote security scanner, now supports XML output and 64-bit compatibility. In addition, new security checks have been added and performance improvements have been made.


September/October security events.
Date Event Location
September 26-28, 2000. CERT Conference 2000 Omaha, Nebraska, USA.
October 2-4, 2000. Third International Workshop on the Recent Advances in Intrusion Detection (RAID 2000) Toulouse, France.
October 4-6, 2000. 6th European Symposium on Research in Computer Security (ESORICS 2000) Toulouse, France.
October 4-6, 2000. Elliptic Curve Cryptography (ECC 2000) University of Essen, Essen, Germany.
October 11, 2000. The Internet Security Forum Edinburgh, Scotland.
October 14-21, 2000. Sans Network Security 2000 Montery, CA, USA.
October 16-19, 2000. 23rd National Information Systems Security Conference Baltimore, MD, USA.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh

September 21, 2000

Secure Linux Projects
Bastille Linux
Secure Linux
Secure Linux (Flask)

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara MNU/Linux Advisories LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Security Software Archives
ZedZ.net (formerly replay.com)

Miscellaneous Resources
Comp Sec News Daily
Linux Security Audit Project
Security Focus


Next: Kernel

Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds