

See also: last week's Security page.


News and Editorials

Credit your Source. One small irritant that has caught our attention as we wade through postings and advisories, week after week, is the lack of information in, say, an advisory from a Linux distributor about how the distributor found out about the problem it is fixing. If the problem was found via their own bug reporting system or an internal audit, they will occasionally mention that, but they generally don't say, "Found via So-and-so's posting to BugTraq" or "Reported to us by So-and-so". Why does that matter? Several benefits follow when the sources of information are clearly provided.

First of all, it allows people to check the multiple sources of information, to potentially better understand the problem.

Second, it makes it much easier to determine whether two advisories, that use very different wording, are possibly talking about the exact same problem.

Third, it makes it much easier for the person who originally found the problem to be credited, and gives them a higher profile. In a realm where enhanced reputation is the only coin, this matters.

Last though, and possibly most important, it allows people to share with each other their valuable sources. Sources that are referenced most frequently become easy to identify as highly valuable. The mention of a source that is new to many people helps educate everyone.

Of course, none of this is intended to require disclosure in cases where a source prefers to be unidentified. However, the value of the Internet is derived from our ability to link information together. For those of you providing advisories, think of the possibilities behind the addition of one extra line: "Source:".

System Fingerprinting With Nmap (Network Magazine). Network Magazine.com has an in depth look at system identification through the use of network protocols, specifically with the use of nmap. "The easiest way to identify operating systems is to run nmap. Nmap started off as a very functional network and port scanner, but in 1998 Fyodor added operating system fingerprinting techniques."

Security Reports

Netscape 4.75 buffer overflow. According to this FreeBSD advisory, a buffer overflow in Netscape 4.75 allows the browser itself (the client) to be exploited. Netscape 4.76, which was released on October 24th, apparently fixes this problem, though finding confirmation of why Netscape 4.76 was released and what problems it fixed has proven a bit difficult.

format vulnerability in top. This FreeBSD advisory warns of a format string vulnerability in the "top" utility, a popular binary that displays per-process CPU and memory usage. Top can be exploited to gain "kmem" privileges, which in turn allow access to kernel memory, network traffic, disk buffers and terminal activity. Higher-level privileges may also be obtainable from there. Other BSD and Linux systems may also be affected.

getnameinfo denial-of-service. The FreeBSD team put out an advisory warning of a denial-of-service vulnerability associated with the getnameinfo function. A patch to fix the problem is included. This problem presumably impacts other BSD versions, as well as Linux.

quake server denial-of-service. An easy method of taking down a remote quake server was publicized on BugTraq this week. Check BugTraq ID 1900 for more information.

nap format string vulnerabilities. Numerous format string vulnerabilities were reported in nap, a terminal-based napster client for Linux. The use of an alternate napster client might be advisable, until an updated version of nap has been made available.
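Both the top and the nap reports above are format string bugs, so here is the pattern they share, as an added example for this summary rather than code taken from top, nap or their advisories. The function names (vulnerable_log, safe_log, count_format_directives) and the sample input are this example's own; the point is that the "vulnerable" version interprets the untrusted text as a format, which is why a "%%" in the input collapses to a single "%", and why "%x", "%s" and "%n" in the input would read or write memory instead.

```c
/* Added example for this summary, not code from top, nap or their advisories.
 * The function names (vulnerable_log, safe_log, count_format_directives)
 * and the sample input are this example's own. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern.  gcc and clang flag the line below with
 * -Wformat-security; the warning is silenced here only so the bug can be
 * shown side by side with the fix.  In a real audit, leave it on. */
#pragma GCC diagnostic ignored "-Wformat-security"
int vulnerable_log(char *out, size_t outlen, const char *user_text)
{
    /* BUG: attacker-controlled text becomes the format string.  "%x" then
     * reads the varargs the caller never supplied (stack contents), "%s"
     * dereferences them, and "%n" writes a count to an address taken from
     * the stack.  In a set-id program such as top that is how a format
     * string bug turns into a privilege escalation. */
    return snprintf(out, outlen, user_text);
}

/* Fixed pattern: the format is a literal, the untrusted text is only data. */
int safe_log(char *out, size_t outlen, const char *user_text)
{
    return snprintf(out, outlen, "%s", user_text);
}

/* Audit helper: number of conversion directives a string would introduce
 * if it were (mis)used as a format.  "%%" is a literal percent sign, not a
 * directive; a lone trailing '%' is counted because it is also malformed. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" escapes itself */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    /* Constructed sample input: a benign string that still contains '%'.
     * The two versions produce visibly different output, which shows that
     * the vulnerable one is interpreting the input rather than copying it. */
    const char *input = "50%% done";

    vulnerable_log(buf, sizeof buf, input);
    printf("vulnerable: %s\n", buf);   /* 50% done  (input was interpreted) */
    safe_log(buf, sizeof buf, input);
    printf("safe:       %s\n", buf);   /* 50%% done (input copied verbatim) */
    printf("directives in \"%%x%%x%%n\": %d\n",
           count_format_directives("%x%x%n"));   /* 3 */
    return 0;
}
```

The benign "50%% done" input is deliberate: feeding "%n" to the vulnerable function is undefined behaviour and would crash or corrupt the process, so the demonstration uses an input whose only effect is a visible difference in output. The counting helper is the kind of check worth running over any string that reaches syslog(), printf() or snprintf() in the format position.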

vlock vulnerability. A vulnerability has been reported in vlock, a program that locks a virtual console or all consoles. Under this vulnerability, when vlock is used on Red Hat 7.0 by an unprivileged user to lock all consoles, the console lock can be broken without a password. This vulnerability has not yet been confirmed, nor do we know if it affects distributions other than Red Hat. It does not work on Red Hat 6.x.

BIND 8.2.2-P5 denial-of-service. A potential denial-of-service vulnerability in BIND 8.2.2-P5 was reported this week. When compiled, as it is by default, without ZXFR (compressed zone transfer) support, the server will die if it receives a ZXFR zone transfer request, unless it has been configured to deny zone transfer requests. No confirmation of this vulnerability has been seen as of yet.
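Since the report says a server that refuses zone transfers is not exposed, here is what that looks like in named.conf, as an added illustration that is not taken from the report or from the BIND documentation. The zone name and the secondary's address (192.0.2.53, from the documentation address range) are placeholders; the directives themselves are standard BIND 8 syntax.

```conf
// Weak: no allow-transfer anywhere, so any host may request a transfer
// of any zone, including the ZXFR request described in the report.
options {
    directory "/var/named";
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

// Hardened: transfers are refused globally and then re-enabled only for the
// one secondary that needs them.  A request from anywhere else is turned
// away before it reaches the transfer code.
options {
    directory "/var/named";
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.53; };
};
```

Note that this only removes the remote trigger; it does not fix the code, so it is a workaround to apply now and an upgrade to apply when one is available. A master that has no secondaries can keep the global "none" with no per-zone exception at all.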

Commercial products. The following commercial products were reported to contain vulnerabilities:

  • VolanoChatPro, a Java-based chat "solution" apparently stores passwords in plain-text, in a readable file. Here is the vendor response and a followup from the original reporter.

  • Lotus Domino SMTP server contains an exploitable buffer overflow which can result either in denial of service or in execution of code under the uid of the server. An upgrade to Lotus Notes/Domino 5.05 fixes this problem and, apparently, some additional security issues as well.

  • Lotus Notes R5 clients are reported to fail to give a warning if they receive a clear signed S/MIME e-mail with a broken signature. No confirmation or vendor response has been seen as of yet.


dump-0.4b15 local root access. Check last week's LWN Security Summary for the original report. This exploit only affects dump/restore if they are installed setuid root. As of dump-0.4b18, dump and restore no longer require setuid root. dump-0.4b19-4 is the latest available version.
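The dump item above turns on one question, whether the binary is installed setuid root, and the top item earlier turns on the related one, whether a binary runs with a privileged group. A small check for both, written as an added example for this summary (not code from dump, top or any distribution), is below; the names priv_bits, is_setuid_root and the PRIV_* flags are this example's own, and the default path list is only a guess at where a distribution might put these binaries.

```c
/* Added example for this summary; not code from dump, top or any
 * distribution.  priv_bits, is_setuid_root and the PRIV_* flags are this
 * example's own names.  The default paths are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

#define PRIV_SETUID 1   /* setuid bit set (any owner) */
#define PRIV_SETGID 2   /* setgid bit set (any group, e.g. kmem) */
#define PRIV_ROOT   4   /* owned by uid 0, so a setuid bit means setuid root */

/* Returns a bitmask of PRIV_* flags for path, or -1 if it cannot be stat()ed.
 * Only regular files are considered: set-id bits on anything else do not
 * grant privilege on exec. */
int priv_bits(const char *path)
{
    struct stat st;
    int bits = 0;

    if (stat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;
    if (st.st_mode & S_ISUID) bits |= PRIV_SETUID;
    if (st.st_mode & S_ISGID) bits |= PRIV_SETGID;
    if (st.st_uid == 0)       bits |= PRIV_ROOT;
    return bits;
}

/* 1 if executing this file would start it with euid 0, i.e. setuid root;
 * 0 otherwise, including when the file does not exist. */
int is_setuid_root(const char *path)
{
    int b = priv_bits(path);
    return b > 0 && (b & PRIV_SETUID) && (b & PRIV_ROOT);
}

int main(int argc, char **argv)
{
    /* Assumed default locations; pass paths on the command line instead. */
    static const char *defaults[] = { "/sbin/dump", "/sbin/restore",
                                      "/usr/bin/top", 0 };
    const char **p = argc > 1 ? (const char **)argv + 1 : defaults;

    for (; *p; p++) {
        int b = priv_bits(*p);
        if (b < 0) {
            printf("%-20s not found\n", *p);
            continue;
        }
        printf("%-20s %s%s%s\n", *p,
               (b & PRIV_SETUID) ? "setuid " : "",
               (b & PRIV_SETGID) ? "setgid " : "",
               is_setuid_root(*p) ? "(ROOT)" : "");
    }
    return 0;
}
```

The practical reading of the output: a dump or restore that reports "setuid (ROOT)" is the configuration the exploit needs, and the fix from 0.4b18 onwards is precisely that the bit is no longer required; a top that reports "setgid" is the kind of binary where the format string bug above matters.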

This week's updates:

nss_ldap race condition. Check last week's LWN Security Summary for the original report. Note that last week, we mentioned that we couldn't find an update for this problem on PADL Software website. Michael Shuey dropped us a note to set the record straight. "I proved that this race condition was a problem a few weeks ago, then notified PADL Software. Shortly thereafter lukeh@padl.com produced nss_ldap-121, which fixed the problem. He then contacted RedHat, who incorporated the newest version (122 by then) into their update. This race condition has been fixed by the upstream maintainer for the past two or three weeks."

This week's updates:

Previous updates:

curl buffer overflow. A buffer overflow in curl, a command-line tool for getting data from a URL, was reported in October.

This week's updates:

Previous updates:

gnorpm tmpfile link vulnerability. Check last week's LWN Security Summary for more details.

This week's updates:

Previous updates:

Apache mod_rewrite vulnerability. Files outside of the document root can be accessed if the mod_rewrite module for Apache is in use. For more details, check the October 5th LWN Security Summary.

This week's updates:

Previous updates:

Pine buffer overflow vulnerability. An exploitable buffer overflow in Pine was reported to BugTraq in early October. The problem involves Pine's handling of incoming mail during an open session. Check the October 5th LWN Security Summary for the initial report. Note that the FreeBSD update below is the first one we've seen for this problem.

Also announced this week was pine 4.30, which, judging by the Changes, fixes this problem.

This week's updates:

Previous updates:

xfce startup script vulnerability. Check the October 5th LWN Security Summary for the original report of this problem. Xfce 3.5.2 was released on October 1st, with a fix.

This week's updates:

esound tmpfile link vulnerability. Check the September 7th LWN Security Summary for the original report of this problem from FreeBSD.

This week's updates:

Previous updates:

Multiple buffer overflows in tcpdump. Last week, FreeBSD reported multiple buffer overflows in tcpdump 3.5, found during an internal audit. This week, they re-released their advisory, to include a corrected version of their original patch for the problem.


Installing Snort 1.6.3 on SuSE 6.x-7.x. This LinuxNewbie article describes how to install snort, a light-weight network intrusion detection system, from source. Although the example system was running SuSE Linux, most of the instructions should carry over to any Linux system.

Software Releases.


Upcoming security events.
Date | Event | Location
November 13-15, 2000 | CSI 27th Annual Computer Security Conference and Exhibition | Chicago, IL, USA
November 19-21, 2000 | Privacy by Design | Le Chateau Montebello, Quebec, Canada
November 26-December 1, 2000 | Computer Security 2000 and International Computer Security Day (DISC 2000) | Mexico City, Mexico
December 3-7, 2000 | Asiacrypt 2000 | Kyoto, Japan
December 3-8, 2000 | LISA 2000 | New Orleans, LA, USA
December 10-13, 2000 | INDOCRYPT 2000 | Calcutta, India
December 11-15, 2000 | 16th Annual Computer Security Applications Conference | New Orleans, LA, USA
December 20-21, 2000 | The Third International Workshop on Information Security | University of Wollongong, NSW, Australia
December 27-29, 2000 | Chaos Communication Congress | Berlin, Germany

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh

November 9, 2000

LWN Resources

Secured Distributions:
Astaro Security
Engarde Secure Linux
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux

Security Projects
Linux Security Audit Project
Linux Security Module

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

BSD-specific links

Security mailing lists
Linux From Scratch
Red Hat
Yellow Dog

Security Software Archives
ZedZ.net (formerly replay.com)

Miscellaneous Resources
Comp Sec News Daily
Security Focus



Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds