Security

News and Editorials

MandrakeSoft hires Jay Beale as security group director. MandrakeSoft has announced the hiring of Jay Beale, the lead developer of the Bastille Linux Project, as the director of its security group. Jay's fit with MandrakeSoft is fairly clear; all of the work he has done with Bastille for securing Red Hat Linux should carry over to Linux-Mandrake without much of a problem.

Meanwhile, it is good to see security becoming more and more of an area where the different Linux distributions wish to distinguish themselves. The first such arena was the installation program; the war for the easiest distribution to install continues, egged on by distribution reviews that primarily target the installation. Meanwhile, though, each Linux distribution vendor must look for other arenas where they can distinguish their product, within the bounds of their Free Software licenses.

Security is one such area; better security does not break standards, it enhances them. In addition, improvements in security are fairly measurable. If a distribution is not keeping up, the evidence is easy to find. Just check the list of vulnerabilities on this page, for example, or in the BugTraq database, and look for the names that are missing from the list of responses to a problem. More importantly, of course, it is also easy to see which distributions respond quickly and frequently.

We are also starting to see the next step unfold. A few of the vulnerabilities reported recently have cropped up during internal audits at Red Hat, Caldera, SuSE and others. This is an extremely promising sign. Following in the footsteps of OpenBSD, aggressive code auditing is a critical piece in the puzzle of producing an acceptably secure operating system.

Security red alert (eWEEK). Lisa Kosan at eWEEK took a look at business responses to security alerts this week.

"The ability to react appropriately to the blizzard of security alerts received every day by most organizations is becoming an increasingly important art for IT and security managers. That's because, as software becomes more complex and more people - bad guys and good - go online, the number of security alerts is going through the roof".

Kha0s Linux retired from the list. Several of our readers pointed out in September that Kha0s Linux had officially closed down. We are generally fairly conservative about removing distributions from our list, but the site remains shut down two months later, so we've officially retired Kha0s Linux from our distributions and secure distributions lists.

From the website:

Security Reports

Local root exploit problem in modutils. Sebastian Krahmer and Michal Zalewski discovered and verified a bug in modutils which can be used locally to gain root privileges. Modutils maintainer Keith Owens has acknowledged the problem and provided a patch which was then rolled into modutils 2.3.19. Note, however, that further discussion proved that this patch did not fix all the problems. Check coverage of this issue on this week's kernel page and expect to see the release of 2.3.20 soon.

Modutils 2.1.121 and earlier is not vulnerable. Wichert Akkerman also posted a note stating that modutils 2.3.11 was also not impacted. Presuming this is correct, then Debian 2.2 and later are not vulnerable.

This week's updates:

Hostile server vulnerability in OpenSSH. It turns out that there is a security bug in OpenSSH prior to 2.3.0 wherein a hostile server can gain access to the client-side X server, even if X forwarding has been disabled. Upgrading to 2.3.0 is recommended.

This week's updates:

fetchmail AUTHENTICATE GSSAPI bug. An error in fetchmail's implementation of the AUTHENTICATE GSSAPI command was exposed when Red Hat released their new IMAP server (see below) this week. Updated fetchmail packages have been released.

tcsh symlink vulnerability. A /tmp symbolic link vulnerability was reported in tcsh on October 29th. Check BugTraq ID 1926 for more details.

This week's updates:

gaim buffer overflow. A buffer overflow in gaim, a GTK-based AOL instant messenger application, can be remotely exploited to execute commands on the server, according to this BugTraq posting from Stan Bubrouski. A patch to fix the problem has been made available and has been applied to the gaim CVS tree as of November 10th, 2000.

Star Office 5.2 temporary directory usage. StarOffice 5.2 uses a directory under /tmp which it creates with permissions "777" and maintains as permissions "777", presumably in order to allow the same directory to be used by multiple users in a networked situation. This creates the opportunity for easy mischief, Christian pointed out on BugTraq this week. Star Office 5.2 SP1 is reported to include a fix, and a patch for Star Office 5.2 is also promised.

Meanwhile, if you are using StarOffice in a non-standalone environment, you'll want to set the environment variable "TMP" to a directory you own, to avoid unpleasant side-effects.

Potential telnetd denial-of-service vulnerability. In case you needed another reason to disable the telnetd service, beyond the inadvisability of using plaintext passwords across the Internet, FreeBSD issued an advisory describing how telnetd could be used to gobble up CPU and disk cycles by a remote attacker with no authenticated access to the server. A patch to fix the problem is included.

Commercial products. The following commercial products were reported to contain vulnerabilities:

Updates

SuSE Miscellaneous updates. Due to the recent volume of security alerts, SuSE combined the latest information in this miscellaneous advisory. Note that we have linked this advisory into the relevant tables, where appropriate. This advisory also marks the addition of Sebastian Krahmer to the SuSE Security team.

Topics:

BIND 8.2.2-P5 denial-of-service. A denial-of-service vulnerability was reported in BIND 8.2.2-P5. Check the November 9th LWN Security Summary for the initial report. BIND 8.2.2-P7 was released this week with a fix for the problem.

This week's updates:

Format vulnerability in BSD top. In last week's LWN Security Summary, we included a link to a FreeBSD advisory about a format string vulnerability in the "top" utility. We stated that other BSD and Linux systems might be impacted. Joseph Zbiciak and Harry Henry Gebel kindly pointed out that top under Linux generally uses /proc to get the information it needs, circumventing the need for gid privileges. As a result, few, if any, Linux systems should be impacted.

vlock vulnerability. Last week, we reported on a possible vulnerability in vlock. We still have not received a confirmation of this problem, just reports of systems tested and confirmed not vulnerable.

This week's updates:

nss_ldap race condition. Check the November 2nd LWN Security Summary for the original report and last week's LWN Security Summary for a correction to our original report.

This week's updates:

Previous updates:

dump-0.4b15 local root access. Check the November 2nd LWN Security Summary for the original report. This exploit only affects dump/restore if they are installed setuid root. As of dump-0.4b18, dump and restore no longer require setuid root. dump 0.4b20 was released this week with a fix for the problem.

This week's updates:

Multiple buffer overflows in tcpdump. Multiple buffer overflows in tcpdump were reported in our November 2nd edition.

This week's updates:

Previous updates:

GnuPG false signature verification. GnuPG fails to correctly validate multiple signatures in a file. Check the October 19th Security Summary for details. GnuPG 1.0.4 has been released and contains the fix for this problem. Anyone using GnuPG will want to upgrade their package as soon as possible.

This week's updates:

Previous updates:

usermode inherited environment variable vulnerability. Check the October 12th LWN Security Summary for details.

This week's updates:

ncurses buffer overflow. Check the October 12th LWN Security Summary for the initial report of this problem. Updates for this vulnerability continue to trickle in more slowly than usual.

This week's updates:

Previous updates:

Pine buffer overflow vulnerability. An exploitable buffer overflow in Pine was reported to BugTraq in early October. The problem involves Pine's handling of incoming mail during an open session. Check the October 5th LWN Security Summary for the initial report. Pine 4.30 contains a fix for the problem. Note that the updates released this week contain new versions of both pine and IMAP, the latter of which was apparently also vulnerable to the same problem.

This week's updates:

Previous updates:

Resources

Red Hat Kerberos packages. Red Hat started including Kerberos 5 with its distribution as of Red Hat 6.2. They've now also released Kerberos packages for Red Hat 6.0 and 6.1.

Events

Computer Security 2000. More details on next week's Computer Security 2000 conference, and their plans for International Computer Security Day (November 30th), were posted this week. Speakers will include Simson Garfinkel, Alan Paller, Gene Schultz, Linda McCarthy and Theo de Raadt.

Upcoming security events.

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh
November 16, 2000