Sections: Main page Security Kernel Distributions Development Commerce Linux in the news Announcements Linux History Letters All in one big page See also: last week's Security page. |
SecurityNews and EditorialsSSH Communications opens SSH trademark issue. This week, Tatu Ylonen opened up a trademark issue involving terms "ssh" and "secure shell". He sent notes out to two public mailing lists, including this note, posted to the openssh-unix-dev@mindrot.org development list, and this note to BugTraq. In them, he requests that the OpenSSH and ScanSSH projects cease to use the string "SSH" as part of their product names.
[Editor note: We have confirmed that the second posting was sent to BugTraq, but rejected by the moderator due to lack of relevance. ScanSSH author Niels Provos reports he never received a copy of the note before it was posted publicly to NewsForge. He also stated that ScanSSH was created in September of 2000 in order to allow an assessment of the adoption rate of the SSH 2 protocol and he was never made aware of any IP issue at the time.] You'll find additional coverage and reader postings on this issue on both Slashdot and LinuxToday. In addition, you'll find letters to the editor on the topic already in this week's Letters to the Editor section. Two opposed viewpoints are represented in these community exchanges. On one hand, many people consider Tatu's notes to have been politely worded and are sympathetic with confusion caused by multiple products containing the word "SSH". They feel his request for name changes is reasonable and have already moved forward to suggesting alternatives (SHH, FRESH, ESH, Secure Telnet, ...) On the other hand, many people don't consider the name change request reasonable, regardless of the wording (and the politeness of the wording can be argued if you look at statements like, "OpenSSH is doing a disservice to the whole Internet security community by lengthing the life cycle of the fundamentally broken SSH1 protocols", which is not particularly polite, nor necessarily accurate). The arguments on their side include:
So which is it? A reasonable request that ought to be granted to prevent legal wrangles? Or an unreasonable attempt to punish well-founded competing projects by restricting them from using the name of the protocol that they implement in their products? For the good of the community, we, of course, would rather see some compromise between these two positions that would result in all of us ceasing to wrangle about it and getting a chance to move on with developing better software and improving security. The search for such a compromise is difficult, though, given the strong emotional reactions that are cropping up on both sides, at least initially. So let's look at a couple of possible scenarios and their long-term impact.
Standards are developed in order to produce interoperability and foster competition. Trade-marking the name of the standard is simply incompatible with those goals. Fixes for XFree86 vulnerabilities show up from Debian. XFree86 security issues were a common theme throughout the year 2000. Unfortunately, distribution updates fixing such problems had a tendency to show up late, if ever. For example, in October, 2000, we discussed a list of XFree86 security issues, many of them reported by Chris Evans. Between then and now, we've only reported one distribution update in response to that extensive report. It was from Conectiva and only addressed one of the security problems.This week, Debian has come out with their XFree86 security update. It addresses twelve XFree86 security issues in XFree86 3.3.6 reported by "Chris Evans, Joseph S. Myers, Michal Zalewski, Alan Cox, and others". The fixes are also authored by a numerous and well-known group, "including Aaron Campbell, Paulo Cesar Pereira de Andrade, Keith Packard, David Dawes, Matthieu Herrb, Trevor Johnson, Colin Phipps, and Branden Robinson". The massive size of this set of fixes gives some glimpse into the question as to why distributions have been so slow in getting updates out. Nonethless, with the release of the Debian updates, it is to be hoped that updates from other distributions will follow much more quickly. This week's updates: Security Reportsssh daemon remotely-exploitable integer overflow. A remotely-exploitable integer overflow was reported this week in ssh daemons that include deattack.c. This includes SSH Communications' ssh 1.2.24 and later (but not their ssh 2.X products) and versions of OpenSSH prior to 2.3.0. This vulnerability can lead to a remote attacker executing arbitrary code locally under the uid of the ssh daemon (usually root). OpenSSH users are encouraged to upgrade immediately to 2.3.0. Users of SSH Communications' ssh daemon are encouraged to upgrade to SSH Comunications SSH 2.4 (with ssh1 support disabled).This week's updates: Multiple Linux kernel 2.2 and 2.4 vulnerabilities. Caldera Systems issued an advisory this week reporting two security problems affecting both the Linux 2.2 and 2.4 kernel trees. The first vulnerability allows large parts of Linux kernel memory to be read by passing a negative offset to sysctl. The second vulnerability is a race condition where ptrace is attached to a setuid program and used to modify that program.Following this report, Red Hat issued their advisory, which included their fixes for the sysctl and ptrace problems, as well as a fix for an unspecified vulnerability specific to the Pentium III patch. Note that the Red Hat advisory credits Solar Designer for discovering the sysctl bug, but this in incorrect. Solar Designer posted a note stating that Chris Evans discovered and reported the sysctl bug. The security fixes for sysctl and ptrace have been integrated into 2.2.19pre9; the Pentium III bug only affects the 2.2 kernel series if the Pentium III patches have been applied. Linux 2.4 was not vulnerable to the ptrace issue. Fixes for the sysctl and Pentium III bugs have been integrated into the -ac development tree. This week's updates: ja-xklock local root compromise. FreeBSD reported a local root compromise in ja-xklock, a "localized" xlock clone which is part of the FreeBSD ports. ja-xklock does not appear to be popular under Linux, but may show up on other BSD systems. mars_nwe potential remote root compromise. FreeBSD reported a potential remote root compromise in their mars_nwe port, due to a format string vulnerability. Mars_nwe is Novell Netware server emulator. This vulnerability is not specific to FreeBSD. elvis-clone exploitable buffer overflow. A remote root compromise is possible due to an exploitable buffer overflow in two elvis-clones in FreeBSD, ja-elvis and ko-helvis. The buffer overflow was found in the elvrec utility, as a result of an internal audit. This vulnerability is not specific to FreeBSD. dc20ctrl locally-exploitable buffer overflow. dc20ctrl, a program for controlling Kodak DC20 digital cameras, contains a buffer overflow that can be exploited locally, reports FreeBSD. The overflow can be exploited to gain access to the serial port devices on FreeBSD, however the program itself is not specific to FreeBSD. FreeBSD-specific advisories. FreeBSD released the following advisories this week for vulnerabilities specific to FreeBSD:
m4 buffer overflow. A buffer overflow in m4 has been reported and confirmed on Slackware 7.1.0 and Red Hat 6.1. Oddly enough, there has been no follow-up to these reports and no update to m4 has been published. LICQ/GnomeICU denial-of-service vulnerability. Sending an RTF (Rich Text Format) file to LICQ or GnomeICU on a target computer will crash the application, reports No Strezzz Cazzz. Both are applications that support ICQ-based communications. No updates to to LICQ have been published. GnomeICU 0.95.1 and 0.95.2 have been released, but the descriptions of these updates do not indicate whether or not this problem has been solved.Note that a similar problem was reported in kicq and a patch for it has been released. MySQL buffer overrun. MySql version 3.23.33 was released this week and contains a fix for two buffer overruns, one in the libmysqlclient library and the other in DROP DATABASE. Web scripts. The following Web scripts were reported to contain vulnerabilities:
Commercial products. The following commercial products were reported to contain vulnerabilities:
UpdatesSSH protocol 1.5 key session recovery vulnerability. Check last week's LWN Security Summary for the initial report.Note that our original coverage contained errors due to our incorrect interpretation of the original advisory. We reported that OpenSSH 2.3.0 and earlier were vulnerable (in addition to ssh1.2.31 and earlier), because a patch to correct the problem had been introduced into the OpenSSH tree. We received feedback this week from Theo de Raadt, Iván Arce and Markus Friedl correcting that impression. In fact, OpenSSH 2.2.0 and later are not exploitable via this vulnerability. The maximum number of concurrent unauthenticated connections is automatically defaulted to 10 and random early drop can also be enabled. Multiple vulnerabilities in bind 8.2.2 and bind 4. Check the February 1st LWN Security Summary for the initial reports. Bind 8.2.3 contains fixes for the problems with 8.2.2. Bind 4 fixes are also available, but an upgrade to bind 8 or even bind 9 is generally considered a preferable approach.This week's updates: Previous updates:
Multiple vulnerabilities in ProFTPD. Check the February 8th, 2001 LWN Security Summary for details. ProFTPD 1.2.0rc3 contains fixes for all the above problems.This week's updates: Previous updates:
man -l format string vulnerability. Check the February 8th LWN Security Summary for details. Note that only distributions with a man command that supports the "-l" option are affected. This would include SuSE, Debian and distributions derived from them.This week's updates: Secure Locate buffer overflow. Check the November 30th, 2000 LWN Security Summary for the original report of this problem.This week's updates: Previous updates:
Netscape 4.75 buffer overflow. First spotted via this FreeBSD advisory and reported on November 9th, a buffer overflow in Netscape 4.75 enables a client-side exploit. Check the November 9th LWN Security Summary for our original report. Netscape 4.76, which was released on October 24th, fixes the problem.This week's updates: Previous updates:
ResourcesScanSSH. Niels Provos has released a protocol scanner, currently named ScanSSH, which can be used to help find vulnerable SSH daemons so they can be upgraded quickly. Ramenfind 0.4. A new version of the Ramenfind script was released this week. It handles a new Ramen variant that showed up this past week. That should also be a reminder to everyone to apply your security updates, the best way to protect against the Ramen worm. EventsCall for Papers: New Security Paradigms Workshop (NSPW). Crispin Cowan sent out the Call-For-Papers for this year's New Security Paradigms Workshop, which is being held September 11th through the 14th, 2001, in Cloudcroft, New Mexico, USA. "In order to preserve the small, focused nature of the workshop, participation is limited to authors of accepted papers and conference organizers. Because we expect new paradigms we accept wide-ranging topics in information security. Any paper that presents a significant shift in thinking about difficult security issues or builds on a previous shift is welcomed." Upcoming security events.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net. Section Editor: Liz Coolbaugh |
February 15, 2001
LWN Resources | ||||||||||||||||||||||||||