See also: last week's Security page.

Security


News and Editorials

Bugtraq gets a new moderator. After six years of running the Bugtraq mailing list, Elias Levy (also known as Aleph1) has announced that he is moving on. "I'd like to think I did not do a half-bad job, but you are the judge of that." From LWN's point of view, Aleph1 has done a great job; Bugtraq is and remains the premier, required-reading list for anybody interested in computer and network security. He'll be missed, but we'll expect new and interesting things to come from his direction as he moves on to new challenges.

We wish the new moderator, David Ahmad, the best of luck as he takes over this responsibility.

October CRYPTO-GRAM newsletter. Bruce Schneier's CRYPTO-GRAM newsletter for October is out. Covered topics include cyberterrorism vs. "cyberhooliganism," the Nimda worm, the SANS top 20 vulnerabilities, and the SSSCA.

I have long argued that the entertainment industry doesn't want people to have computers. Computers give users too much capability, too much flexibility, too much freedom. The entertainment industry wants users to sit back and consume things. They are trying to turn a computer into an Internet Entertainment Platform, along the lines of a television or VCR. This bill is a large step in that direction.

Worth a read, as always.

Microsoft doesn't like disclosure. Microsoft has fingered the culprit for all those worms which have been feeding on its products: disclosure of security vulnerabilities, otherwise known as "information anarchy." The company is starting a new push to try to get security experts to clamp down on vulnerability information. In the words of Scott Culp, the manager of Microsoft's Security Response Center:

But regardless of whether the remediation takes the form of a patch or a workaround, an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin.

In other words, "trust us, we'll tell you what to do."

There are signs that some parts of Microsoft, at least, are taking security a bit more seriously. The company would be well advised to put its efforts into supporting those groups, rather than trying to keep information on its vulnerabilities as proprietary as its software.

Security Reports

Login vulnerability in PostNuke. The PostNuke web portal system (versions up to and including 0.64) has a vulnerability which can allow an attacker to log into other users' accounts. A fix is included in the report. It appears that PhpNuke is also vulnerable to this attack. (We also still have not seen a new PhpNuke release fixing the severe, widely-exploited vulnerability in version 5.2.)

Buffer overflow vulnerability in snes9x. Snes9x is a Super Nintendo emulator which runs on Linux; it is occasionally installed setuid root (though most Linux distributions do not ship it this way). There is a buffer overflow vulnerability in version 1.37 which may be exploited by a local attacker to get root access on the system. A new version is available from the snes9x web site which fixes the problem.
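The practical question for an administrator reading the snes9x report is whether the binary is setuid on the local system at all, and if so, to clear the bit until the fixed version is installed. The following audit is an added example written for this page, not code from snes9x or from any distribution; the "snes9x" and "ls" files and their modes are constructed in a temporary tree so it runs offline, and the allowlist parameter is this example's own idea for skipping setuid binaries you have already reviewed.

```python
import os
import stat
import tempfile

def find_setuid_files(root, allowlist=()):
    """Walk `root` without following symlinks and return a sorted list of
    (path, owner_uid) for regular files carrying the setuid bit, skipping
    basenames listed in `allowlist` (binaries you have reviewed and expect)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if fn in allowlist:
                continue
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; keep going
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return sorted(hits)

def strip_setuid(path):
    """Clear the setuid bit on `path` and return the resulting mode bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_ISUID)
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Constructed tree (not a real install): a 'snes9x' with mode 4755
    next to an ordinary 0755 binary.  Returns the audit results before
    and after clearing the bit."""
    root = tempfile.mkdtemp(prefix="setuid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("snes9x", 0o4755), ("ls", 0o755)):
        p = os.path.join(bindir, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")  # placeholder binary
        os.chmod(p, mode)
    before = [os.path.relpath(p, root) for p, _uid in find_setuid_files(root)]
    new_mode = strip_setuid(os.path.join(bindir, "snes9x"))
    after = [os.path.relpath(p, root) for p, _uid in find_setuid_files(root)]
    return before, new_mode, after

if __name__ == "__main__":
    print(demo())                    # (['usr/bin/snes9x'], 0o755, [])
    # On a real system: find_setuid_files("/usr/bin", allowlist=("passwd", "su"))
```

On a live system, run find_setuid_files over the directories that hold user-installed software (/usr/local/bin, /opt) as well as /usr/bin; a file owned by uid 0 in that list is the case the snes9x report is warning about.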

Improper credentials from login. A problem with the login program (in the util-linux package) can, in some situations, cause a user to be given the credentials of another user at login. Use of the pam_limits module, in particular, can bring about this problem. In general, distributions using the default PAM configuration are not vulnerable; an upgrade is probably a good idea anyway.

Updates seen so far:

Updates

Configuration file vulnerability in ht://Dig. The ht://Dig search engine contains a vulnerability which allows a remote user to specify an alternate configuration file. If that user is able to place a suitable file in a location where ht://Dig can read it, the system may be compromised. See the original report from the ht://Dig project for details. This vulnerability first appeared in the October 11 LWN security page.
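The ht://Dig problem is a general one for any CGI that lets the client pick which configuration file to load: a name that is pasted into a path unchecked can carry ".." components or an absolute path. The following is an added example, not ht://Dig code and not taken from the project's report; it assumes a CGI parameter named "config" that selects <config_dir>/<config>.conf, shows the naive construction beside a hardened one, and builds its own throwaway configuration directory so it runs offline.

```python
import os
import re
import tempfile

# Assumed layout (not from the ht://Dig report): the "config" CGI
# parameter selects <config_dir>/<config>.conf.
CONFIG_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def unsafe_config_path(config_dir, name):
    """The naive construction: the client-supplied name is pasted into the
    file name unchecked, so '..' components or an absolute path point the
    search CGI at any file the web server can read."""
    return os.path.normpath(os.path.join(config_dir, name + ".conf"))

def safe_config_path(config_dir, name):
    """Accept only a short alphanumeric name, then confirm the resolved
    path (symlinks included) still lies inside config_dir and names a
    regular file.  Raises ValueError otherwise."""
    if not CONFIG_NAME_RE.match(name):
        raise ValueError("config name rejected: %r" % (name,))
    base = os.path.realpath(config_dir)
    path = os.path.realpath(os.path.join(base, name + ".conf"))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("config path escapes %s" % base)
    if not os.path.isfile(path):
        raise ValueError("no such config file: %s" % path)
    return path

def demo():
    """Build a throwaway config directory holding one valid file and
    report what each construction does with a set of client-supplied
    names (all constructed for this example)."""
    config_dir = tempfile.mkdtemp(prefix="htdig-demo-")
    with open(os.path.join(config_dir, "htdig.conf"), "w") as fh:
        fh.write("database_dir: /var/lib/htdig\n")  # constructed content
    # a valid name, a '..' escape, an absolute path, and a name that
    # smuggles in its own extension
    probes = ["htdig", "../../../../etc/passwd", "/tmp/evil", "htdig.conf"]
    unsafe = {p: unsafe_config_path(config_dir, p) for p in probes}
    safe = {}
    for p in probes:
        try:
            safe[p] = safe_config_path(config_dir, p)
        except ValueError:
            safe[p] = None
    return unsafe, safe

if __name__ == "__main__":
    unsafe, safe = demo()
    for p in unsafe:
        print("%-26s naive -> %-28s checked -> %s" % (p, unsafe[p], safe[p]))
```

The allowlist regex does the real work; the realpath/commonpath check is a second line of defence against a symlink planted inside the configuration directory, which is exactly the "suitable file in a location where ht://Dig can read it" case from the report.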

This week's updates:

Previous updates:

OpenSSH restricted host vulnerability. Versions of OpenSSH prior to 2.9.9 have a vulnerability that can allow logins from hosts which have been explicitly denied access. The fix is to upgrade to OpenSSH 2.9.9. This problem first appeared in the October 4 LWN security page.
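For readers who want to check what "explicitly denied" should mean for an authorized_keys from="..." restriction, the following is an added example written for this page; it is not OpenSSH code and does not reproduce the bug. It implements the pattern-list semantics OpenSSH documents for such options (comma-separated patterns, "*" and "?" wildcards, a "!"-negated pattern denying regardless of any positive match elsewhere in the list, and both the client's hostname and IP address being tested). The key line and hosts are constructed, the from= option parser is a simplification of sshd's real option grammar, and CIDR entries are left out.

```python
import re

def _pattern_to_regex(pattern):
    """Translate one OpenSSH-style pattern ('*' = any run of characters,
    '?' = exactly one character, nothing else special) into a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z", re.DOTALL)

def match_pattern_list(name, patterns):
    """Evaluate a comma-separated pattern list: a match on a '!'-negated
    pattern denies immediately (-1) no matter what else in the list
    matched; otherwise return 1 if any positive pattern matched, else 0."""
    name = name.lower()
    got_positive = False
    for pat in patterns.split(","):
        pat = pat.strip().lower()
        if not pat:
            continue
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if _pattern_to_regex(pat).match(name):
            if negated:
                return -1
            got_positive = True
    return 1 if got_positive else 0

def host_permitted(hostname, ipaddr, from_patterns):
    """Decision for an authorized_keys from="..." option: the resolved
    hostname and the IP address are both tested; an explicit negation of
    either denies, and at least one positive match is required."""
    mhost = match_pattern_list(hostname, from_patterns)
    mip = match_pattern_list(ipaddr, from_patterns)
    if mhost == -1 or mip == -1:
        return False
    return mhost == 1 or mip == 1

# Simplified parser for a leading from="..." option (assumption of this
# example; sshd accepts a richer option syntax).
_FROM_RE = re.compile(r'^from="((?:[^"\\]|\\.)*)"')

def key_line_permits(line, hostname, ipaddr):
    """True if this authorized_keys line would accept a connection from
    (hostname, ipaddr).  A line without a from= option is unrestricted."""
    m = _FROM_RE.match(line.strip())
    if m is None:
        return True
    return host_permitted(hostname, ipaddr, m.group(1))

if __name__ == "__main__":
    # Constructed sample line; the key material is a placeholder.
    line = 'from="*.example.com,!evil.example.com" ssh-rsa AAAAB3NzaC1yc2E= alice@example.com'
    print(key_line_permits(line, "good.example.com", "192.0.2.10"))  # True
    print(key_line_permits(line, "evil.example.com", "192.0.2.11"))  # False
```

The point to take from the negation rule is that a host listed as "!evil.example.com" must be refused even though "*.example.com" also matches it; a server that grants access on the first positive match is letting in a host the key's owner explicitly denied, which is the class of failure the 2.9.9 upgrade addresses.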

This week's updates:

Previous updates:

DTML scripting vulnerability in Zope. Versions 2.2.0 through 2.4.1 of Zope have a vulnerability that can allow a suitably clever attacker to circumvent the normal Zope access control mechanism. A fix from Zope Corp. is available which closes the hole. This vulnerability was first reported in the October 4 LWN security page.

This week's updates:

Events

Upcoming Security Events.
Date | Event | Location
November 5 - 8, 2001 | 8th ACM Conference on Computer and Communication Security (CCS-8) | Philadelphia, PA, USA
November 13 - 15, 2001 | International Conference on Information and Communications Security (ICICS 2001) | Xian, China
November 19 - 22, 2001 | Black Hat Briefings | Amsterdam
November 21 - 23, 2001 | International Information Warfare Symposium | AAL, Lucerne, Switzerland
November 24 - 30, 2001 | Computer Security Mexico | Mexico City
November 29 - 30, 2001 | International Cryptography Institute | Washington, DC
December 2 - 7, 2001 | LISA 2001, 15th Systems Administration Conference | San Diego, CA
December 5 - 6, 2001 | InfoSecurity Conference & Exhibition | Jacob K. Javits Center, New York, NY
December 10 - 14, 2001 | Annual Computer Security Applications Conference | New Orleans, LA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Jonathan Corbet


October 18, 2001

LWN Resources


Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal
Copyright © 2001 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds