Security
News and Editorials
Bugtraq gets a new moderator. After six years of running the Bugtraq mailing list, Elias Levy (also known as Aleph1) has announced that he is moving on. "I'd like to think I did not do a half-bad job, but you are the judge of that." From LWN's point of view, Aleph1 has done a great job; Bugtraq is and remains the premier, required-reading list for anybody interested in computer and network security. He'll be missed, but we'll expect new and interesting things to come from his direction as he moves on to new challenges.
We wish the new moderator, David Ahmad, the best of luck as he takes over this responsibility.
October CRYPTO-GRAM newsletter. Bruce Schneier's CRYPTO-GRAM newsletter for October is out. Covered topics include cyberterrorism vs. "cyberhooliganism," the Nimda worm, the SANS top 20 vulnerabilities, and the SSSCA.
"I have long argued that the entertainment industry doesn't want people to have computers. Computers give users too much capability, too much flexibility, too much freedom. The entertainment industry wants users to sit back and consume things. They are trying to turn a computer into an Internet Entertainment Platform, along the lines of a television or VCR. This bill is a large step in that direction."
Worth a read, as always.
Microsoft doesn't like disclosure. Microsoft has fingered the culprit for all those worms which have been feeding on its products: disclosure of security vulnerabilities, otherwise known as "information anarchy." The company is starting a new push to try to get security experts to clamp down on vulnerability information. In the words of Scott Culp, the manager of Microsoft's Security Response Center:
"But regardless of whether the remediation takes the form of a patch or a workaround, an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin."
In other words, "trust us, we'll tell you what to do." There are signs that some parts of Microsoft, at least, are taking security a bit more seriously. The company would be well advised to put its efforts into supporting those groups, rather than trying to keep information on its vulnerabilities as proprietary as its software.
Security Reports
Login vulnerability in PostNuke. The PostNuke web portal system (up to version 0.64) has a vulnerability which can allow an attacker to log into other users' accounts. A fix is included in the report. It appears that PhpNuke is also vulnerable to this attack.
(We also still have not seen a new PhpNuke release fixing the severe, widely-exploited vulnerability in version 5.2.)
Buffer overflow vulnerability in snes9x. Snes9x is a Super Nintendo emulator which runs on Linux; it is occasionally installed setuid root (though most Linux distributions do not ship it this way). There is a buffer overflow vulnerability in version 1.37 which may be exploited by a local attacker to get root access on the system. A new version is available from the snes9x web site which fixes the problem.
Improper credentials from login. A problem with the login program (in the util-linux package) can, in some situations, cause a user to be given the credentials of another user at login. Use of the pam_limits module, in particular, can bring about this problem. In general, distributions using the default PAM configuration are not vulnerable; an upgrade is probably a good idea anyway.
Updates seen so far:
This week's updates:
Previous updates:
OpenSSH restricted host vulnerability. Versions of OpenSSH prior to 2.9.9 have a vulnerability that can allow logins from hosts which have been explicitly denied access. The fix is to upgrade to OpenSSH 2.9.9. This problem first appeared in the October 4 LWN security page.
This week's updates:
Events
Upcoming Security Events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.
Section Editor: Jonathan Corbet
October 18, 2001