Sections:
Main page
Security
Kernel
Distributions
On the Desktop
Development
Commerce
Linux in the news
Announcements
Linux History
Letters
All in one big page

Security

News and Editorials

New NSA SELinux release. A new release of the NSA's Security Enhanced Linux has been announced. This version is based on the 2.4.9 kernel; the most interesting new feature, though, is likely to be that this release is built on the new Linux security module architecture. It's the first release of this work as part of an integrated product, and thus it gives an indication of how future secure Linux releases will look.

The security module project, remember, started after the Kernel Summit last March. Linus Torvalds had stated that he wanted the various security projects to agree on a framework for hooking security extensions into the kernel, so that users could easily experiment with (and switch between) them. Work on the security module project has been proceeding quickly, to the point that the developers are beginning to consider proposing it for inclusion in the 2.5 kernel. Assuming there ever is a 2.5 kernel, of course.

The SELinux release is a good step in that direction, since it provides a demonstration of a security-enhanced kernel using the new architecture. It will also allow for wider testing of the security module code and help to shake out the remaining problems.

See the NSA Security-Enhanced Linux pages for more information. The generic security module code can be found on the Linux Security Module page.

CERT's quarterly summary is available; as usual, it points out the security vulnerabilities that (in CERT's opinion) people should be most worried about. It is dominated this time around by Windows-specific problems - Code Red, Sircam, etc. There is one issue in the list that is relevant for Linux users, though: the telnetd vulnerability. The current list of telnetd updates appears in the "Updates" section below; anybody who is still running telnet should be sure to apply the relevant update to their systems.

Security Reports

Buffer overflow in AOLserver. The AOLserver web server has been reported to crash when fed a long authorization string as input. Such problems are usually exploitable, though no exploit has yet been reported in this case. Older versions of AOLserver (3.0, 3.2) are vulnerable; the current version (3.4) is not.

String handling problems in xinetd. A new set of problems has been found in xinetd, having to do with how it handles strings. Versions prior to 2.3.1 are vulnerable, and should be upgraded. As of this writing, the only distributor update available is from Conectiva.

web scripts. The following web scripts were reported to contain vulnerabilities:

The PHProjekt groupware suite contains a vulnerability allowing any user to view and modify other users' data. The fix is to upgrade to version 2.4a.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

Cisco has reported a vulnerability in its CBOS operating system that runs on its 600-series routers - such as its widely-used DSL routers. A denial of service is possible through excessive traffic to the router's web-based configuration port, which is enabled by default.
Netscape 6.01a has a temp file vulnerability which could be used by a suitably talented and lucky local attacker to overwrite system files.

Updates

Linux Kernel 2.4 Netfilter/IPTables vulnerability. Check the April 19 LWN Security Summary for the original report. The NetFilter team has provided a patch for Linux 2.4.3.

Previous updates:

Mandrake (August 28, 2001)
Progeny (May 17)
Red Hat (June 21), 7.1, default configuration not vulnerable

Denial of service vulnerability in OpenLDAP This problem was first identified in a CERT advisory issued in July, 2001. It was covered in the July 19, 2001 LWN security page.

Previous updates:

Input validation problem with sendmail. An input validation error exists in versions of sendmail prior to 8.11.6 (or 8.12.0Beta19) which may be exploited by local users to obtain root access. See the August 23 Security Page for the initial report.

This week's updates:

Red Hat (October 22, 2001) (no explanation of changes from previous update).

Previous updates:

Multiple vendor telnetd vulnerability. This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.

This week's updates:

HP (February 12, 2002)

Previous updates:

Caldera (August 10, 2001)
Conectiva (August 24, 2001)
Debian (August 14, 2001) (SSL version)
Debian (August 14, 2001) (Update for Sparc version)
Mandrake (August 13, 2001)
Mandrake (December 17, 2001) (kerberos version)
Progeny (August 14, 2001)
Red Hat (February 7, 2002) (Update, for Red Hat 5.2, 6.2, 7.0, and 7.1, to the original advisory, issued August 9, 2001.)
Red Hat (August 9, 2001)
Red Hat (August 9, 2001) (kerberos version)
Slackware (August 9, 2001)
SuSE (September 3, 2001)
Yellow Dog (August 10, 2001)
Yellow Dog (August 10, 2001) (kerberos version)

Buffer overflows in xloadimage This problem was first covered in the July 12 Security page.

Previous updates:

Resources

LinuxSecurity.com's weekly newsletters (Linux Security Week and Linux Advisory Watch are available.

Events

RAID 2001, the Fourth International Symposium on Recent Advances in Intrusion Detection, will happen in Davis, California, on October 10 to 12. A call for participation has been posted.

The 14th Annual Computer Security Incident Handling Conference will be held on June 24 to 28 at the Hilton Waikoloa Village in Hawaii. The call for papers has been issued; the submission deadline is November 16.

Upcoming Security Events.

Date Event Location

September 11 - 13, 2001 New Security Paradigms Workshop 2001(NSPW) Cloudcroft, New Mexico, USA

September 28 - 30, 2001 Canadian Association for Security and Intelligence Studies(CASIS 2001) (Dalhousie University)Halifax, Nova Scotia, Canada.

October 10 - 12, 2001 Fourth International Symposium on Recent Advances in Intrusion Detection(RAID 2001) Davis, CA

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Jonathan Corbet

August 30, 2001

LWN Resources

Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal

Next: Kernel