
Security


News and Editorials

Kaladix Linux - Paranoid Security Linux Distribution. Kaladix Linux showed up on Freshmeat on June 1st, describing itself as a "Paranoid Security Linux Distribution". It is based on LinuxFromScratch (LFS) with mandatory access controls and access control lists enabled (RSBAC). Also to be included are Openwall, FormatGuard and other similar patches.

They have just barely gotten started, with a 0.3 release expected out soon. Note that the license for Kaladix is listed as "Free for non-commercial use". "I am aware that it is not possible to relicense GPL licensed software. Taking into respect that I do not like companies that make money from my work, I thought of licensing Kaladix Linux free for non-commercial use according to the following assumption: Every single piece of software that is included in Kaladix Linux is still licensed under GPL and may be used by whomsoever for whatsoever. However, the creation of configuration files, the compilation of software packages, my worktime and other various aspects of Kaladix Linux is my service (work) so that I can choose whatever license I wish and can thus assume to be able to distribute Kaladix Linux under a free for non-commercial use license".

Interview with Wietse Venema about his tcp_wrappers license (BSD Today). Fun with licensing continued this week with a look at the license for tcp_wrappers. BSD Today interviewed Wietse Venema, tcp_wrappers author, about its license, which originally read, "If someone wants to redistribute the TCP Wrapper code in a manner that is not covered by the Copyright notice, then they are expected to contact me. I am a nice person and I haven't refused permission to anyone yet."

After discussion with many different people, Wietse has updated the license to read, "Redistribution and use in source and binary forms, with or without modification, are permitted provided that this entire copyright notice is duplicated in all such copies".

A nice, simple answer to a licensing problem. Would that all of them could be resolved so quickly and cleanly!

Happy Birthday, PGP. PGP author Phil Zimmerman marked the 10-year anniversary of the release of PGP 1.0 on Tuesday, June 5th. "It was on this day in 1991 that I sent the first release of PGP to a couple of my friends for uploading to the Internet". It quickly grew faster than he had ever dreamed possible. "Volunteers from around the world were clamoring to help me port it to other platforms, add enhancements, and generally promote it".

The anniversary is also covered in this Wired article by Declan McCullagh.

Security Reports

OpenSSH tmplink vulnerability. A tmplink vulnerability has been reported in OpenSSH when X forwarding is enabled on both the client and the server. It has been reported fixed in the OpenSSH CVS development tree, but is not yet mentioned in the OpenBSD 2.9 errata page. Until an updated version of OpenSSH is made available, disabling X forwarding for both the client and server might be a good idea. This is also covered in BugTraq ID 2825.

Sendmail multiple race condition vulnerabilities. Michal Zalewski issued a paper describing race conditions in sendmail's signal handlers. As a result, sendmail 8.11.4 and 8.12.0.Beta10 have been released with fixes for these problems. Check BugTraq ID 2794 for additional details. No distribution updates for this problem have been reported so far.
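
The signal-handler shape behind this class of race, beside the async-signal-safe shape that avoids it, as an added example. This is not sendmail's code and not Zalewski's paper; the handler and function names are made up for illustration. The unsafe handler does real work (logging, exiting) and so can re-enter non-reentrant library routines if the signal lands while the main program is inside them; the safe handler only sets a flag that the main loop polls.

```c
/* Added example, not sendmail's code: a handler that does work inside the
 * signal context beside one that only records the signal for the main loop. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Vulnerable shape: the handler logs, frees, or exits. If the signal arrives
 * while the program is inside malloc(), syslog() or any other non-reentrant
 * routine, the handler re-enters it on half-updated state; a second signal
 * during the handler re-enters the handler itself. Shown only, never
 * installed below. */
void unsafe_handler(int sig) {
    syslog(LOG_INFO, "caught signal %d, exiting", sig); /* not async-signal-safe */
    exit(1);                                             /* runs atexit handlers, flushes stdio */
}

/* Safe shape: record which signal arrived in a volatile sig_atomic_t and
 * return; the real work happens later, at a point the main loop chooses. */
static volatile sig_atomic_t pending_signal = 0;

static void flag_handler(int sig) {
    pending_signal = sig;
}

/* Install flag_handler for SIGTERM and SIGHUP. sigaction() rather than
 * signal() so the disposition is not reset on delivery and other signals are
 * blocked while the handler runs. Returns 0 on success, -1 on failure. */
int install_signal_flags(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = flag_handler;
    sigfillset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    if (sigaction(SIGTERM, &sa, NULL) != 0) return -1;
    if (sigaction(SIGHUP, &sa, NULL) != 0) return -1;
    return 0;
}

/* Called from the main loop: return and clear the pending signal number, or 0
 * if none arrived. Signals are blocked across the read-and-clear so one that
 * lands in between is not lost. */
int take_pending_signal(void) {
    sigset_t all, old;
    sigfillset(&all);
    sigprocmask(SIG_BLOCK, &all, &old);
    int sig = pending_signal;
    pending_signal = 0;
    sigprocmask(SIG_SETMASK, &old, NULL);
    return sig;
}

int main(void) {
    if (install_signal_flags() != 0) return 1;
    raise(SIGHUP);                   /* simulate a delivered signal */
    int sig = take_pending_signal(); /* handled here, outside the handler */
    if (sig == SIGHUP) {
        /* reload configuration at a safe point; nothing is done here */
    }
    return sig == SIGHUP ? 0 : 1;
}
```

The two-step structure (flag in the handler, action in the loop) is what most long-running daemons converged on; anything beyond writing a `sig_atomic_t` or calling a function on the async-signal-safe list belongs outside the handler.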

man malicious cache file creation vulnerability. Yet more trouble for the beleaguered man command. This week, a new vulnerability was reported in which files are cached in the system cache directory from outside of the system manual page hierarchy search path. It is believed that this can be used together with man, mandb or any other utility which trusts cached filenames in order to gain elevated privileges. A workaround is to eliminate the setuid bit from the 'mandb' binary (not the wrapper).

xinetd default umask vulnerability. Red Hat issued an advisory this week reporting that the default umask for xinetd in Red Hat 7.0 and 7.1 was set to zero. As a result, some daemons started from xinetd that did not set their own permissions were creating world-writable files. The default umask has been set instead to 022. No information has been posted yet on whether this problem is specific to Red Hat or shows up in other distributions (though Red Hat-based distributions are likely vulnerable).
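
Why a launcher's umask matters for the daemons it starts, as an added example (not xinetd's code; the path and function names are made up). A child that never calls umask() inherits the parent's mask, so with a mask of 0 a permissive 0666 open() yields a world-writable file, and with 022 the same open() yields 0644. The block also includes a small check for the world-writable result, which is what an audit of an affected system would look for.

```c
/* Added example, not xinetd's code: umask inheritance across fork(), and a
 * check for the world-writable files that a zero umask produces. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Act as the launcher: set parent_mask, fork a child that creates path with a
 * permissive 0666 request and no umask() call of its own, wait for it, and
 * return the permission bits the file ended up with (or -1). The previous
 * mask is restored before returning. */
int mode_created_by_child(const char *path, mode_t parent_mask) {
    unlink(path);                     /* O_CREAT keeps an existing file's mode */
    mode_t old = umask(parent_mask);
    pid_t pid = fork();
    if (pid < 0) { umask(old); return -1; }
    if (pid == 0) {
        /* the "daemon": trusts whatever mask it inherited */
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
        _exit(fd < 0 ? 1 : 0);
    }
    int status;
    waitpid(pid, &status, 0);
    umask(old);
    struct stat st;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0 || stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Detection: 1 if "other" may write the file, 0 if not, -1 on error. lstat()
 * so a symlink is judged by itself rather than by its target. */
int is_world_writable(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

int main(void) {
    const char *path = "/tmp/lwn-umask-example"; /* constructed scratch path */
    int m0 = mode_created_by_child(path, 0);
    int w0 = is_world_writable(path);
    int m22 = mode_created_by_child(path, 022);
    int w22 = is_world_writable(path);
    printf("umask 000: mode %04o, world-writable %d\n", m0, w0);
    printf("umask 022: mode %04o, world-writable %d\n", m22, w22);
    unlink(path);
    return 0;
}
```

Running it as the launcher would (mask 0 first, then 022) makes the difference visible on disk; the fix Red Hat shipped is the second line, applied once in the parent so every child inherits it.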

ispell symbolic link vulnerabilities. OpenBSD released patches to fix problems in ispell where the use of mktemp() (instead of mkstemp()) left it vulnerable to symlink attacks. The patches also modify the use of gets() to use fgets() instead. This is also covered under BugTraq ID 2827.

Qualcomm qpopper username buffer overflow. A buffer overflow was introduced into Qualcomm qpopper 4.0, 4.0.2 and 4.0.2 as a result of the way in which the client-supplied username is handled. As a result, a remote root attack is possible. An upgrade to 4.0.3 is strongly recommended.

Horde IMP Message Attachment symbolic link vulnerability. A symbolic link vulnerability has been reported in the Horde Imp versions prior to 2.2.5. The vulnerability comes from the use of the PHP tempnam function for creating temporary files. Prior to PHP 4.0.5, tempnam used mktemp for creating temporary files instead of mkstemp. Upgrading to Imp 2.2.5 and PHP 4.0.5 is recommended.
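
The temporary-file and gets() patterns behind the ispell and Horde IMP reports above, beside their safe counterparts, as an added example. This is neither ispell's nor Horde's nor PHP's code; the function names and the /tmp template are made up for illustration. The point both reports share is that mktemp() and pre-4.0.5 tempnam() only choose a name, leaving a window between choosing and opening in which a pre-placed symlink gets followed; mkstemp() (or open() with O_EXCL) removes the window by creating and opening in one step.

```c
/* Added example, not ispell's or Horde IMP's code: racy vs. exclusive
 * temporary-file creation, plus the bounded replacement for gets(). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape (what callers of mktemp()/tempnam() end up doing): the name
 * was chosen earlier, and this open() has O_CREAT but no O_EXCL. If a symlink
 * was planted at path in between, open() follows it and truncates whatever it
 * points at with the caller's privileges. Kept only to show the pattern. */
int racy_create(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
}

/* Safe shape for a caller-chosen path: O_EXCL refuses anything that already
 * exists (a planted link included) and O_NOFOLLOW refuses symlinks outright. */
int exclusive_create(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Safe shape for a generated name: mkstemp() picks the name and opens it with
 * O_CREAT|O_EXCL in one call, so there is no window. tmpl must end in XXXXXX
 * and is overwritten with the real name. Returns the descriptor or -1. */
int safe_tempfile(char *tmpl) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    struct stat st;
    /* Verify on the open descriptor (not the path) that we hold a regular
     * file with no group/other permission bits. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || (st.st_mode & 0077) != 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

/* gets() has no length argument and overruns buf on long input. This fgets()
 * replacement is bounded; a line that does not fit (with its newline) is
 * discarded and reported as an error rather than silently split. Returns the
 * line length without the newline, or -1. */
long read_bounded_line(FILE *fp, char *buf, size_t size) {
    if (fgets(buf, (int)size, fp) == NULL) return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        return (long)len;
    }
    if (feof(fp)) return (long)len;          /* final line without newline */
    int c;                                   /* overlong: drain the rest */
    while ((c = fgetc(fp)) != EOF && c != '\n') {}
    errno = EMSGSIZE;
    return -1;
}

int main(void) {
    char tmpl[] = "/tmp/lwn-tmpfile-XXXXXX";   /* constructed template */
    int fd = safe_tempfile(tmpl);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("created %s exclusively\n", tmpl);
    /* a second exclusive open of the same name must fail: */
    printf("exclusive_create on existing name: %d\n", exclusive_create(tmpl));
    close(fd);
    unlink(tmpl);

    char sample[] = "short\nthis line is far too long\nlast";   /* constructed input */
    FILE *in = fmemopen(sample, sizeof sample - 1, "r");
    char line[16];
    long n;
    while ((n = read_bounded_line(in, line, sizeof line)) != -1 || !feof(in))
        printf("%s\n", n < 0 ? "(line rejected: too long)" : line);
    fclose(in);
    return 0;
}
```

The fstat() check after mkstemp() is a defence in depth rather than part of the fix; the fix is that the name is never separated from the open.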

fvwm initialization script vulnerability. If no $HOME environment variable is set, fvwm may read the .fvwm2rc from the current directory instead of from the home directory, making it possible for a local attacker to execute commands as another user. fvwm-2.2.5 fixes this issue.
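
How a program should locate a per-user rc file when $HOME is missing, as an added example (not fvwm's code; the function name and rc file handling are made up). The safe version requires an absolute $HOME, falls back to the passwd entry for the real uid, and returns an error rather than ever reading from the current directory.

```c
/* Added example, not fvwm's code: resolve "<home>/<rcname>" without falling
 * back to the current directory when $HOME is unset or untrustworthy. */
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* home_env is the value of $HOME (NULL when unset), passed in so the logic can
 * be exercised without touching the real environment. Writes the resolved
 * path into out and returns 0, or returns -1 if no trusted home directory is
 * available or the buffer is too small. */
int resolve_rc_path(const char *home_env, const char *rcname, char *out, size_t outlen) {
    const char *home = NULL;
    if (home_env != NULL && home_env[0] == '/') {
        home = home_env;                      /* only accept an absolute path */
    } else {
        /* Fall back to the passwd database for the real uid, never to ".". */
        struct passwd *pw = getpwuid(getuid());
        if (pw != NULL && pw->pw_dir != NULL && pw->pw_dir[0] == '/')
            home = pw->pw_dir;
    }
    if (home == NULL) return -1;
    int n = snprintf(out, outlen, "%s/%s", home, rcname);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

/* The vulnerable shape, for contrast: getenv("HOME") returned NULL, the code
 * built a relative name, and the file was read from whatever directory the
 * process happened to be started in. Never called here. */
int vulnerable_rc_path(const char *home_env, const char *rcname, char *out, size_t outlen) {
    const char *home = home_env != NULL ? home_env : ".";
    int n = snprintf(out, outlen, "%s/%s", home, rcname);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void) {
    char path[4096];
    if (resolve_rc_path(getenv("HOME"), ".fvwm2rc", path, sizeof path) == 0)
        printf("rc file: %s\n", path);
    else
        printf("no trusted home directory; refusing to read an rc file\n");
    return 0;
}
```

Refusing to start is the right outcome when no home directory can be established; silently picking a different directory is what turned a missing variable into a privilege problem.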

OpenBSD Dup2 VFS Race Condition Denial Of Service Vulnerability. It has been reported that a local user can cause a kernel panic on OpenBSD if a file descriptor shared by two processes is set to null by one process while the other process is asleep. This can be used to facilitate a local denial-of-service attack. All versions of OpenBSD are reportedly vulnerable. No confirmation or advisory for the problem has been posted on the OpenBSD site as of yet.

Acme.Serve 1.7 arbitrary file access vulnerability. Acme.serve is a Java class that contains a small, embeddable HTML browser. By default, Acme.Serve 1.7 allows all connections to browse the entire filesystem. No fix for the problem has been reported so far. Check BugTraq ID 2809 for more details.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

Updates

gnupg format string vulnerability. Check the May 31st LWN Security Summary for the initial report. gnupg 1.0.5 and earlier are vulnerable; gnupg 1.0.6 contains a fix for this problem and an upgrade is recommended. Werner Koch also sent out a note warning of minor build problems with gnupg 1.0.6 when compiled without gcc.

This week's updates:

Previous updates:

Webmin environment variable inheritance vulnerability. Check the May 31st LWN Security Summary for the original report.

This week's updates:

  • Caldera, updated packages now available

Previous updates:

  • Caldera, disabling Webmin recommended, no updated packages available yet. (May 31st)

MIT Kerberos FTP daemon buffer overflows. Check the May 24th LWN Security Summary for the initial report. MIT Kerberos 5, all versions, is affected. If anonymous ftp is enabled, a remote root exploit is possible. Otherwise, a local root exploit or a remote root exploit via an authorized login is still possible.

This week's updates:

Previous reports:

Red Hat update to mktemp. Check the May 24th LWN Security Summary for the initial report. This problem is specific to Red Hat Linux prior to version 7 (and other distributions based on Red Hat).

This week's updates:

Previous updates:

man -S heap overflow. Check the May 17th LWN Security Summary for the initial report. Exploitability depends on whether or not the man command is installed setgid group man.

This week's updates:

Previous updates:

Resources

Linux Intrusion Detection System (LIDS) 1.0.9 for 2.4.5. LIDS 1.0.9 has been ported over to the 2.4.5 kernel and includes a few other minor bugfixes.

oftpd - a secure anonymous FTP server. oftpd is an anonymous FTP server specifically designed for security. Author Shane Kerr sent us a note describing some of its features and explaining why he chose to implement only anonymous ftp access. "Non-anonymous FTP is a security risk, despite certain FTP extensions that support encryption via SSL or other mechanisms. As used most commonly FTP is a fundamentally flawed protocol, in that it sends passwords in the clear. Because of this I suggest that no matter how secure you make your server software, FTP should be avoided for data transfer, especially since excellent alternatives such as SSH are available".

The first stable release of oftpd occurred in March. The most recent release is 0.3.5, a development release made in mid-April.

Research Paper - ICMP Usage In Scanning v3.0. Ofir Arkin has released version 3 (PDF) of his paper entitled "ICMP Usage In Scanning".

Events

Upcoming Security Events.

Date | Event | Location
June 7 - 8, 2001 | TISC 2001 | Los Angeles, CA, USA
June 11 - 13, 2001 | 7th Annual Information Security Conference: Securing the Infocosm: Security, Privacy and Risk | Orlando, FL, USA
June 17 - 22, 2001 | 13th Annual Computer Security Incident Handling Conference (FIRST 2001) | Toulouse, France
June 18 - 20, 2001 | NetSec Network Security Conference (NetSec '01) | New Orleans, Louisiana, USA
June 19 - 20, 2001 | The Biometrics Symposium | Chicago, Illinois, USA
June 19 - 21, 2001 | PKI Forum Members Meeting (Kempinski Hotel Airport Munchen) | Munich, Germany
July 11 - 12, 2001 | Black Hat Briefings USA '01 | Las Vegas, Nevada, USA
August 7, 2001 | CIBC World Markets First Annual Security & Privacy Conference | New York, NY, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


June 7, 2001

Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds