Sections:
Main page
Security
Kernel
Distributions
On the Desktop
Development
Commerce
Linux in the news
Announcements
Linux History
Letters
All in one big page

Security

News and Editorials

Attack on American Crypto?. Not surprisingly, the recent terrorist attacks on New York and Washington D.C. have had a number of effects on security administrators around the world. This week we saw a lot of activity in the area of cryptography software, with much scrambling in anticipation of possible changes to US laws. Here's a sampling of what we have received.

Congress Mulls Stiff Crypto Laws (Wired)
Geeks Gather to Back Crypto (Wired)
Privacy vs Security (ZDNet)
International Security, Privacy and Solidarity (Linuxsecurity)
RFC: increased interest for cryptographic software?
Please make stable NON-US homes for strong crypto projects

DNS mega-hack hits thousands of sites (Register). The Register investigates a breach of security involving the domain name registrar NetNames. "Jonathan Robinson, chief executive at Net Benefit, which runs the NetNames registration and hosting service, told us that the "majority" of its 100,000 customers had their Web traffic re-routed in the hack. He said the firm was focused on restoring services, which were disrupted for more than an hour before being returned to normal between 10am and 10:30am today, [rather] than counting the number of people affected."

Security Reports

Mandrake advisory for Apache. Mandrake-Linux has issued an advisory for apache to address directory indexing and path discovery problems in all versions prior to 1.3.19 of the Apache Web server.

Debian advisory for "most" package. Debian has issued a security advisory for their most package, addressing buffer overflows found in that programs tab expansion handlers.

This was an unusual week, we received no new updates for the following packages:

Updates

Apache-contrib command injection vulnerability. The Apache module mod_auth_mysql 1.4 was found vulnerable to possible bypass authentication by MySQL command injection. See last week's LWN security page for a discussion of the SQL injection problems with a number of Apache modules.

Previous updates:

Bugzilla unauthorized user access. There are security problems with bugzilla, in which valid users can obtain confidential data without authorization. A problem also exists where parameters are not checked properly. See the September 13, 2001 LWN security page for the initial report.

Previous updates:

Red Hat (September 10, 2001) .

Buffer overrun vulnerabilities in fetchmail. (Found by Salvatore Sanfilippo). Two buffer overrun vulnerabilities exist in the much-used fetchmail program. Given a hostile server, arbitrary code can be run on the system running fetchmail. The solution is to upgrade to fetchmail 5.8.17. See the August 16 Security page for the initial report.

Previous updates:

Format string vulnerability in groff. A format string problem exists in groff; apparently it could be remotely exploited when it is configured to be used with the lpd printing system. (First LWN report: August 16, 2001).

The stable release of Debian is not vulnerable.

New updates:

Debian (January 30, 2002) (Japanese version)

Previous updates:

Vulnerabilities in Horde IMP Horde IMP has several vulnerabilities which are fixed in version 2.2.6; see Bugtraq ID's 3066, 3079, 3082, and 3083 for more details.

Previous updates:

Linux Kernel 2.4 Netfilter/IPTables vulnerability. Check the April 19 LWN Security Summary for the original report. The NetFilter team has provided a patch for Linux 2.4.3.

Previous updates:

Mandrake (August 28, 2001)
Progeny (May 17)
Red Hat (June 21), 7.1, default configuration not vulnerable

Mailman security update. Mailman has a number of vulnerabilities, some fairly old. See the September 13, 2001 LWN security page for the initial report.

Previous updates:

Conectiva (September 5, 2001) .

Denial of service vulnerability in OpenLDAP This problem was first identified in a CERT advisory issued in July, 2001. It was covered in the July 19, 2001 LWN security page.

Previous updates:

OpenSSL Pseudo-random number generator weakness A weakness has been discovered in the OpenSSL Pseudo random number generator that can allow an attacker to discover the PNRG's state and predict future values. (First reported July 12).

Previous updates:

Procmail race conditions. See the July 26 Security page for the initial report.

This week's updates:

Mandrake (November 20, 2001)

Previous updates:

Input validation problem with sendmail. An input validation error exists in versions of sendmail prior to 8.11.6 (or 8.12.0Beta19) which may be exploited by local users to obtain root access. See the August 23 Security Page for the initial report.

This week's updates:

Red Hat (October 22, 2001) (no explanation of changes from previous update).

Previous updates:

SQL injection vulnerabilities in Apache authentication modules. Several Apache authentication modules have vulnerabilities that could allow an attacker to feed arbitrary SQL code to the underlying database, resulting in a compromise of database integrity and unauthorized access to the server. See the September 6 security page for more information.

New updates:

Previous updates:

Red Hat (October 23, 2001) (mod_auth_pgsql)
Conectiva (September 28, 2001) (mod_auth_pgsql)
Conectiva (September 6, 2001) (mod_auth_mysql)

Squid httpd acceleration ACL vulnerability. This vulnerability could result in unauthorized access to the squid server. See the July 26 Security page for details.

This week's updates:

SuSE (October 30, 2001)

Previous updates:

Red Hat (October 16, 2001) (adds an updated package for 7.2).
Yellow Dog (July 25, 2001)
Caldera (August 9)
Linux-Mandrake (August 2)
Immunix (July 26)
Trustix (July 26)
Red Hat (July 26)

Multiple vendor telnetd vulnerability. This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.

This week's updates:

HP (February 12, 2002)

Previous updates:

Caldera (August 10, 2001)
Conectiva (August 24, 2001)
Debian (August 14, 2001) (SSL version)
Debian (August 14, 2001) (Update for Sparc version)
Mandrake (August 13, 2001)
Mandrake (December 17, 2001) (kerberos version)
Progeny (August 14, 2001)
Red Hat (February 7, 2002) (Update, for Red Hat 5.2, 6.2, 7.0, and 7.1, to the original advisory, issued August 9, 2001.)
Red Hat (August 9, 2001)
Red Hat (August 9, 2001) (kerberos version)
Slackware (August 9, 2001)
SuSE (September 3, 2001)
Yellow Dog (August 10, 2001)
Yellow Dog (August 10, 2001) (kerberos version)

Uucp local user exploits. There is a vulnerability in the command-line argument handling of uucp which can be exploited by a local user to obtain uid/gid uucp. See the September 13, 2001 LWN security page for the initial report.

New updates:

Debian (February 8, 2002) (update to the original advisory issued September 24, 2001.)

Previous updates:

Buffer overruns in Window Maker A buffer overrun exists in Window Maker which could, conceivably, be exploited remotely if the user runs a hostile application. This problem initially appeared in the August 16, 2001 LWN security page.

New updates:

SuSE (September 20, 2001)

Previous updates:

Security audit of xinetd and resulting fixes. Solar Designer has performed an extensive audit of xinetd, looking for certain types of security vulnerabilities. So many problems were found in the code that the resulting patch weighed in at over 100KB. This patch was only fully merged as of xinetd 2.3.3. See the September 6, 2001 LWN security page for the initial report.

This week's updates:

Turbolinux (January 24, 2002)

Previous updates:

Buffer overflows in xloadimage This problem was first covered in the July 12 Security page.

Previous updates:

Events

Upcoming Security Events.

Date Event Location

September 28 - 30, 2001 Canadian Association for Security and Intelligence Studies(CASIS 2001) (Dalhousie University)Halifax, Nova Scotia, Canada.

October 10 - 12, 2001 Fourth International Symposium on Recent Advances in Intrusion Detection(RAID 2001) Davis, CA

November 5 - 8, 2001 8th ACM Conference on Computer and Communication Security(CCS-8) Philadelphia, PA, USA

November 13 - 15, 2001 International Conference on Information and Communications Security(ICICS 2001) Xian, China

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Forrest Cook

September 20, 2001

LWN Resources

Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal

Next: Kernel