Security

News and Editorials

Attack on American Crypto? Not surprisingly, the recent terrorist attacks on New York and Washington D.C. have had a number of effects on security administrators around the world. This week we saw a lot of activity in the area of cryptography software, with much scrambling in anticipation of possible changes to US laws. Here's a sampling of what we have received.
DNS mega-hack hits thousands of sites (Register). The Register investigates a breach of security involving the domain name registrar NetNames. "Jonathan Robinson, chief executive at Net Benefit, which runs the NetNames registration and hosting service, told us that the "majority" of its 100,000 customers had their Web traffic re-routed in the hack. He said the firm was focused on restoring services, which were disrupted for more than an hour before being returned to normal between 10am and 10:30am today, [rather] than counting the number of people affected."

Security Reports

Mandrake advisory for Apache. Mandrake-Linux has issued an advisory for apache to address directory indexing and path discovery problems in all versions of the Apache Web server prior to 1.3.19.

Debian advisory for "most". Debian has issued a security advisory for their most package, addressing buffer overflows found in that program's tab-expansion handlers.

This was an unusual week: we received no new updates for the following packages:

Updates

Apache-contrib command injection vulnerability. The Apache module mod_auth_mysql 1.4 was found vulnerable to a possible authentication bypass via MySQL command injection. See last week's LWN security page for a discussion of the SQL injection problems with a number of Apache modules.

Bugzilla unauthorized user access. There are security problems with bugzilla, in which valid users can obtain confidential data without authorization. A problem also exists where parameters are not checked properly. See the September 13, 2001 LWN security page for the initial report.

Buffer overrun vulnerabilities in fetchmail. (Found by Salvatore Sanfilippo.) Two buffer overrun vulnerabilities exist in the much-used fetchmail program. Given a hostile server, arbitrary code can be run on the system running fetchmail. The solution is to upgrade to fetchmail 5.8.17. See the August 16 Security page for the initial report.
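The mod_auth_mysql item above reports an authentication bypass through injected SQL. The defect class is an authentication query assembled by pasting the supplied username and password into the statement text, so that a quote character in the input changes the query's structure. The following is an added illustration, not code from mod_auth_mysql or from LWN: it models the lookup in Python against an in-memory SQLite table (the real module is C talking to MySQL), with a constructed user table and assumed column names, and places the concatenating version beside a parameterized one so the difference can be checked directly.

```python
"""Authentication lookup by string concatenation versus parameter binding.

Added example; the schema, user rows and function names are assumptions,
and the table contents are constructed for the demonstration only.
"""
import sqlite3


def make_db():
    """Build a constructed in-memory user table (no real credentials)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return db


def check_password_vulnerable(db, username, password):
    """Lookup of the kind the advisory describes: input is pasted into SQL.

    A single quote in either field closes the string literal and the rest of
    the input is parsed as SQL, so the WHERE clause can be rewritten to match
    rows the caller never proved knowledge of.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return db.execute(sql).fetchone()[0] > 0


def check_password_safe(db, username, password):
    """Hardened lookup: values are bound as parameters.

    The statement text is fixed; the driver passes the two values separately,
    so they are only ever compared as data and cannot alter the query.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    # A constructed input containing a quote character: the concatenating
    # version lets it through, the parameterized version treats it as a
    # literal (nonexistent) username and rejects it.
    probe = "x' OR '1'='1"
    print("concatenated :", check_password_vulnerable(db, probe, probe))
    print("parameterized:", check_password_safe(db, probe, probe))
    print("real login   :", check_password_safe(db, "alice", "correct horse"))
```

The fix the advisory implies is the second form: any module that builds its authentication query with the first pattern should be treated as bypassable regardless of how the password is stored, and a quick audit is to search the module source for query strings built with string concatenation or printf-style formatting of request fields.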
Format string vulnerability in groff. A format string problem exists in groff; apparently it could be remotely exploited when it is configured to be used with the lpd printing system. (First LWN report: August 16, 2001.) The stable release of Debian is not vulnerable.
Linux Kernel 2.4 Netfilter/IPTables vulnerability. Check the April 19 LWN Security Summary for the original report. The NetFilter team has provided a patch for Linux 2.4.3.
Denial of service vulnerability in OpenLDAP. This problem was first identified in a CERT advisory issued in July, 2001. It was covered in the July 19, 2001 LWN security page.
Input validation problem with sendmail. An input validation error exists in versions of sendmail prior to 8.11.6 (or 8.12.0Beta19) which may be exploited by local users to obtain root access. See the August 23 Security Page for the initial report.
Multiple vendor telnetd vulnerability. This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Buffer overruns in Window Maker. A buffer overrun exists in Window Maker which could, conceivably, be exploited remotely if the user runs a hostile application. This problem initially appeared in the August 16, 2001 LWN security page.
Events

Upcoming Security Events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Forrest Cook
September 20, 2001