See also: last week's Security page.

Security

News and Editorials

Why Cover BSD?. One question that has been asked of us a few times is why we cover BSD security reports in LWN, including FreeBSD, NetBSD and OpenBSD. After all, LWN is dedicated to the Linux community, right? Well, in many ways, our community is the Free Software and Open Source community, to which the BSD operating systems definitely belong. So reporting on BSD is not totally outside our mandate. On the other hand, it could be quickly pointed out that other Free Software operating systems exist that we don't cover.

So why BSD? Well, aside from the kernel of the operating system, there is a tremendous overlap in applications between BSD and Linux. The shared Unix legacy guarantees that will continue. That means that a reported problem under OpenBSD or FreeBSD may very well impact one or more Linux distributions, if not all of them. So reporting BSD problems can give a heads-up of potential Linux problems. Of course, there are Free Software applications that overlap with other operating systems, both Free and commercial. Yet we don't cover those.

So why BSD? We've made no secret of our respect for the security work done by the OpenBSD team and their aggressive, pro-active stance on fixing bugs. We've encouraged Linux developers to review and learn from that work. We like the work that FreeBSD has done to improve its own security, including producing good quality advisories, with well-organized information. Yet that alone would not necessarily justify covering all BSD alerts.

In the end, it is the sum of those qualities above that has inspired our choice to include BSD. It is part of our goal to encourage cooperation and collaboration between Free operating systems based on the Unix model. BSD reports are sometimes the first report of a problem that we see, which may well impact Linux systems. Once we've covered some BSD reports, it seems best to provide consistent coverage, to allow people in the BSD community to benefit from the synthesis as well and to encourage free sharing of information between Linux and BSD security experts.

Most importantly, we don't want Linux to fall behind (or stay behind, depending on your perspective) the BSD operating systems when it comes to security. A healthy competition will hopefully inspire and produce better security for both Linux and BSD.

So for now, we'll continue to intermix BSD reports with the Linux reports. Whether you agree or disagree, you're always welcome to drop us a note to let us know what you think.

Forget your password -- fingerprint scans more and more common (Techserver.com). Biometric scanners are the subject of this Techserver.com article, which speaks of their growing use.

"I think people are a little bit suspicious that there will be some national database that will be put together and people will be tracked. I think that's a false fear," said James L. Wayman, an engineering professor at San Jose State University and former director of the U.S. National Biometric Test Center.

For example, fingerprint scanners do not keep the prints themselves on file, but merely record where patterns on the fingers end or change directions. That template of "minutiae points" cannot be used to re-create the original fingerprint, only to confirm that the print belongs to the right person, someone allowed to gain access.

November CRYPTO-GRAM newsletter. Bruce Schneier's Crypto-Gram for November is out. It covers digital signatures, the cracking of Microsoft, and various other security-related topics.

Wietse Venema receives NLUUG award. The board of the Netherlands Unix User Group NLUUG has chosen Wietse Venema as the recipient of their NLUUG 2000 award. "Wietse Venema receives this award as a token of appreciation for his many contributions to the community of Unix and open systems. Wietse's best known work has been targeted at improving the security of Unix systems in an internet environment. Amongst other things, he is the co-author of the security analysis tool "Satan". He is also the main author of "Postfix", a replacement for the notorious (security-wise) "Sendmail" program. His most recent work encompasses a toolkit for analyzing system status after an intrusion."

New Zealand Anti-Hacking Bill Faces Select Committee (Newsbytes). Those of you interested in security-related legislation outside of the U.S. or Europe may want to check out this Newsbytes article on proposed legislation in New Zealand. "A planned amendment to New Zealand's crime bill that would outlaw malicious hacking for the first time - while also controversially allowing security services the freedom to hack into citizens' computers and intercept e-mail and faxes - has passed through to the Government's Law and Order Select Committee".

Security Reports

cups. Two problems were reported with CUPS, the Common Unix Printing System. The first problem allowed printers served by CUPS to be accessible from anywhere on the Internet. A second bug caused CUPS to broadcast to everywhere, keeping open dial-on-demand lines. The Linux-Mandrake advisory below was our first sighting of the problem, but does not indicate whether or not this was discovered internally or reported externally.

This week's updates:

• Linux-Mandrake
• Debian

Vixie cron problems. Systems using vixie cron where the /var/spool/cron directory is given permissions 755 are vulnerable to a symlink attack that can be exploited to allow the execution of arbitrary commands. Check Michal Zalewski's original post or BugTraq ID 1960 for more details.

Debian systems and systems where vixie cron has been installed manually appear to be the most likely to be vulnerable.

A workaround is to reset the permissions on /var/spool/cron to 700.

This week's updates:

• Debian
• Slackware, unofficially reported not vulnerable (does not use vixie cron)
• Linux-Mandrake, unofficially reported not vulnerable (correct permissions)
• FreeBSD, unofficially reported not vulnerable (except to group wheel)
• Red Hat and Red Hat-derived distributions, unofficially reported not vulnerable

• SuSE, not vulnerable (November 16th)

joe symlink vulnerability. A symlink vulnerability in the joe editor was reported this week (and a slight correction to the original report as well).

This week's updates:

• Linux-Mandrake
• Red Hat
• Immunix
• Slackware
• Debian

ethereal buffer overflow. A buffer overflow in the ethereal network protocol analyzer was reported this week. The buffer overflow is very similar to the recently reported buffer overflow in tcpdump. ethereal 0.8.14 was released this week with a fix for the problem.

This week's updates:

• Debian

gnomehack buffer overflow. An exploit for gnomehack was published this week. It uses a buffer overflow in gnomehack to gain egid games (presuming gnomehack is setgid games). It was commented that this same vulnerability likely exists in nethack as well. Check the SecurityPortal Linux Security List for the published exploit.

FreeBSD deny_incoming problem. FreeBSD reported a problem with ppp under FreeBSD only, where the behavior of the ppp code is inconsistent with its documentation. In particular, the use of deny_incoming is likely to produce unexpected, and potentially unfortunate, results. A patch to correct the problem is provided, though it is also recommended that a true packet filter be used instead.

• dcforum, a remote input validation vulnerability was reported and a vendor patch is available.
• Dnstools version 1.10, a fix for a format string vulnerability was incomplete.
• CGIForum 1.0 is vulnerable to a directory transversal problem. The author has been notified.
• AdCycle banner management system, denial-of-service vulnerability and exposure of management passwords. A workaround is provided. It is believed that this vulnerability is being actively exploited.
• Quikstore Shopping Cart, exposure of web-server files. The vendor has been notified and a fix is promised soon.
• Big Brother CGI scripts prior to v1.5d3 can be used to view sensitive files or gather the names of valid accounts. A patch to fix the problem has been made available by the vendor.

Commercial products. The following commercial products were reported to contain vulnerabilities:

• Watchguard Firebox II, denial of service vulnerability, acknowledged by Watchguard Technologies, with a fix promised earlier this week.
• Oracle cmctl, any user can gain the euid and egid of the Oracle server. Oracle has acknowledged the problem and is working on a fix.
• Real Networks RealServer, memory contents disclosure vulnerability. Real Networks has confirmed the problem and provided an updated 7.0 server.

Updates

Local root exploit problem in modutils. Check last week's Security Summary and Kernel Page for the original report and details.

Modutils 2.3.20 was released this week. This version fixes the various local root compromise vulnerabilities found in all recent versions of modutils; an upgrade is recommended - even if you just upgraded to 2.3.19, which only fixed some of the problems. Expect the distributors to come out with packaged versions shortly.

This week's updates:

• Red Hat
• Linux-Mandrake
• Debian
• Immunix
• Red Hat, error in previous package updates for Red Hat 6.2 and 7.0
• Kondara

• SuSE (November 16th, partial fix only)

Hostile server vulnerability in OpenSSH. Check the November 16th LWN Security Summary for details. Upgrading to 2.3.0 is recommended.

This week's updates:

• Debian
• Red Hat

• Linux-Mandrake (November 16th)
• Linux-Mandrake, correction to package updates (November 16th)
• Kondara (November 16th)
• Trustix (November 16th)

BIND 8.2.2-P5 denial-of-service. A denial-of-service vulnerability was reported in BIND 8.2.2-P5. Check the November 9th LWN Security Summary for the initial report. BIND 8.2.2-P7 was released last week with a fix for the problem.

This week's updates:

• SuSE 6.0 through 6.4

• Conectiva (November 16th)
• Conectiva, updated (November 16th)
• Definite Linux (November 16th)
• Debian (November 16th)
• Linux-Mandrake (November 16th)
• Red Hat (November 16th)
• Slackware (November 16th)
• CERT (November 16th)
• Caldera (November 16th)
• Immunix (November 16th)
• Kondara (November 16th)
• Trustix (November 16th)
• SuSE 7.0, not vulnerable (November 16th)

Netscape 4.75 buffer overflow. First spotted via this FreeBSD advisory and reported on November 9th, a buffer overflow in Netscape 4.75 enables a client-side exploit. Check the November 9th LWN Security Summary for our original report. Netscape 4.76, which was released on October 24th, fixes the problem.

This week's updates:

• Red Hat
• Immunix

• FreeBSD (November 9th)

vlock vulnerability. Originally reported in the November 9th LWN Security Summary, vlock, a virtual console locking problem, was reportedly unlockable by an unprivileged user. Wichert Akkerman dropped us a note this week to confirm the problem, but only when pam_pwdb was used. Debian, for example, uses pam_unix and is therefore not vulnerable.

This week's updates:

• Debian, not vulnerable

• Red Hat 6.x, unofficially reported not vulnerable
• SuSE, not vulnerable (November 16th)

quake server denial-of-service. Check the November 9th LWN Security Summary for the original report (or BugTraq ID 1900). This week, ProQuake 1.02 was released with a fix for this problem.

Multiple buffer overflows in tcpdump. Multiple buffer overflows in tcpdump were reported in our November 2nd edition.

This week's updates:

• Debian
• SuSE

• FreeBSD (November 2nd)
• SuSE (November 16th)

tcsh symlink vulnerability. A /tmp symbolic link vulnerability was reported in tcsh on October 29th. Check BugTraq ID 1926 for more details.

This week's updates:

• FreeBSD

• Debian (November 16th)
• Linux-Mandrake (November 16th)
• SuSE (November 16th)

curl buffer overflow. A buffer overflow in curl, a command-line tool for getting data from a URL, was reported in October.

This week's updates:

• FreeBSD

• Debian (October 19th)
• Red Hat (October 26th)
• Red Hat, updated advisory, problems were introduced in the packages provided via the original advisory. (November 16th)

Format string vulnerabilities in PHP. Check the October 19th LWN Security Summary for the original report. PHP 3.0.17 and 4.0.3 contain the fixes for these problems.

This week's updates:

• FreeBSD

• Debian (October 19th)
• Caldera (October 19th)
• Linux-Mandrake (October 19th)
• Conectiva (October 19th)
• Red Hat (October 26th)
• Immunix (October 26th)

Pine/IMAP buffer overflow vulnerability. Check the October 5th LWN Security Summary for the initial report. Pine 4.30 contains a fix for the problem. Note, some of the updates below contain only pine updates, while others include both pine and imapd updates.

This week's updates:

• Linux-Mandrake

• FreeBSD (September 21st)
• FreeBSD (November 2nd)
• Slackware Changelog (November 9th)
• Slackware, official advisory (November 16th)
• Red Hat, includes the introduction of SSL support. (November 16th)

thttpd exposes world readable files. Check the October 5th LWN Security Summary for the original report.

This week's updates:

• FreeBSD

mgetty temporary link vulnerability. Check the August 31st Security Summary for details. An upgrade to mgetty 1.2.22 should fix the problem.

This week's updates:

• FreeBSD

• Conectiva (August 31st)
• Caldera (August 31st)
• Linux-Mandrake (September 7th)
• Red Hat (September 14th)

man/makewhatis vulnerability. A /tmp file vulnerability was reported in makewhatis versions 1.5e and higher. Check the July 6th LWN Security Summary for the original report.

This week's updates:

• Kondara

• Red Hat (July 6th)
• Linux-Mandrake (July 13th)
• Caldera (July 13th)
• SuSE (not vulnerable) (July 13th)
• Trustix (July 13th)

Resources

CERT Summary. The November 20th CERT Summary has been published. rpc.statd and ftpd lead the list of problems which continue to be actively exploited, while the recent bind problems have been added to the list, even though no reports of their exploitation have been received yet.

Weekly Security Tools Digest (SecurityPortal). For updated security tools, a good place to check would be SecurityPortal's Weekly Security Tools Digest.

Events

Upcoming security events.

Date	Event	Location
November 26-December 1, 2000	Computer Security 2000 and International Computer Security Day (DISC 2000)	Mexico City, Mexico
December 3-7, 2000.	Asiacrypt 2000	Kyoto, Japan.
December 3-8, 2000.	LISA 2000	New Orleans, LA, USA.
December 10-13, 2000.	INDOCRYPT 2000	Calcutta, India.
December 11-15, 2000.	16th Annual Computer Security Applications Conference	New Orleans, LA, USA.
December 20-21, 2000.	The Third International Workshop on Information Security	University of Wollongong, NSW, Australia.
December 27-29, 2000.	Chaos Communication Congress	Berlin, Germany.

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh

LWN Resources


Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal

Next: Kernel