Security

News and Editorials

A couple of responses to Scott Culp. As might be expected, the "information anarchy" essay by Microsoft's Scott Culp drew some responses. We'll pass on a couple of them. Here's Eric Raymond's response, written in Eric's typical style:

"Cryptographers and security experts have known for years that peer review of open source code is the only reliable way to verify the effectiveness of encryption systems and other security software. So Microsoft's closed-source mode of development guarantees that customers will continue getting cracked and Microsoft will continue pointing the finger of blame everywhere except where it actually belongs."
Elias Levy, meanwhile, responded in this SecurityFocus article:

"A successful attacker requires three things: the opportunity to launch an attack, the capacity to successfully execute the attack, and the motivation to attack. An opportunity to launch an attack requires a vulnerable system and an access path to the system. The capability to successfully execute the attack requires knowledge of the vulnerability and the tools to exploit it. Proponents of the information dictatorship argument are targeting the second requirement of a successful attacker: his capability to launch an attack. This approach to the problem of computer security is flawed, and can only fail."
Overall, there has been a distinct lack of people rushing out to back up Microsoft's view on security disclosure. Even people who are uncomfortable with those who circulate exploit tools have remained quiet.

Make sure your ssh is current. Here's a NewsBytes article on a new ssh exploit going around:

"In its February advisory, Bindview stated that it was aware of no working exploits for the overflow flaw in the SSH daemon. But last week, rumors spread in the hacker underground that scripts were available to gain "root" or system-level access to vulnerable systems. And in recent days, system operators have posted reports on security mailing lists saying they are receiving remote scans from attackers attempting to locate vulnerable systems running SSH."

There has been little in the way of confirmation of this exploit from any other source. Nonetheless, now would be a good time to check ssh/OpenSSH installations and make sure they are current. A remote root exploit based on ssh is the sort of thing that extreme nastiness (i.e. horrific Linux-based worms) is made of.

Security Reports

Two kernel security bugs explained. Here is Rafal Wojtczuk's explanation (from Bugtraq) of the two security bugs found in recent Linux kernels. They are:
Note that there are, apparently, some other kernel security issues out there that have not, yet, been explained publicly. Updates seen so far:
Two bugs with apache. Apache 1.3.22 fixes a couple of minor issues with the apache web server. The "split-logfile" program can be used to overwrite any file that is writable by the web server account, and which ends in ".log". That script tends not to be shipped with most Linux distributions. The other vulnerability could lead to the delivery of undesired directory listings in some situations. Updates seen so far:

Debian security update to nvi. The Debian Project has released a security update to nvi fixing "a very stupid format string vulnerability" in that package. "Even if we don't believe that this could lead into somebody gaining access of another users account if he hasn't lost his brain, we recommend that you upgrade your nvi packages."

gftp can expose passwords. The Debian Project has put out an update to gftp fixing a problem in that package: it displays login passwords in plain text. In the interest of thwarting shoulder surfers, applying the update is probably a good idea.
A pile of Debian security alerts. Here's another set of alerts which have come out of Debian in the last week:
Denial of service in 6tunnel. The 6tunnel utility, used for IPv6 tunneling, has a denial of service vulnerability that allows an attacker to cause the 6tunnel server to crash. Affected users should upgrade to version 0.09 or later.
Proprietary products.
Updates

Configuration file vulnerability in ht://Dig. The ht://Dig search engine contains a vulnerability which allows a remote user to specify an alternate configuration file. If that user is able to place a suitable file in a location where ht://Dig can read it, the system may be compromised. See the original report from the ht://Dig project for details. This vulnerability first appeared in the October 11 LWN security page. This week's updates: Previous updates:
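The Apache split-logfile item above and this ht://Dig item share one root pattern: a filename is built from a value that a remote party controls (the virtual host field of a log line in one case, a requested configuration name in the other). The following Python is an added example, not code from Apache, ht://Dig, Debian or LWN. It assumes, as a constructed scenario, a log format whose first field is the virtual host name and a hypothetical `select_config` front end; the names `safe_name`, `resolve_inside`, `split_vhost_logs` and the sample log lines are all invented here. It shows the defensive checks a log splitter or config selector should apply: a strict allowlist on the name itself, and a containment check that the resolved path is still under the intended directory.

```python
import os
import re
from typing import Dict, List, Optional, Tuple, FrozenSet

# Allowlist for a value that will become part of a filename: DNS-style
# characters only, must start with a letter or digit, bounded length.
# Path separators, leading dots and empty strings never match.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")


def safe_name(value: str) -> Optional[str]:
    """Return a normalised name if it is safe to embed in a filename, else None."""
    if not _SAFE_NAME.match(value):
        return None
    if ".." in value:  # "a..b" passes the regex but has no legitimate use here
        return None
    return value.lower()


def resolve_inside(base_dir: str, name: str, suffix: str) -> Optional[str]:
    """Join base_dir/name+suffix and confirm the result stays below base_dir."""
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name + suffix))
    # Second line of defence: even if the name check were loosened later,
    # refuse anything that resolves outside the log/config directory.
    if os.path.commonpath([base, path]) != base:
        return None
    return path


def split_vhost_logs(lines: List[str], log_dir: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group 'vhost <rest>' log lines into per-vhost files under log_dir.

    Returns ({output_path: [log lines]}, [rejected lines]). Nothing is written;
    the caller decides how to open the returned paths (e.g. append, no follow).
    """
    out: Dict[str, List[str]] = {}
    rejected: List[str] = []
    for line in lines:
        vhost, _, rest = line.partition(" ")
        name = safe_name(vhost)
        path = resolve_inside(log_dir, name, ".log") if name else None
        if path is None:
            rejected.append(line)  # log and alert on these rather than silently dropping
            continue
        out.setdefault(path, []).append(rest)
    return out, rejected


def select_config(requested: str, conf_dir: str,
                  allowed: FrozenSet[str] = frozenset({"htdig"})) -> Optional[str]:
    """Accept only a pre-registered configuration name, resolved under conf_dir.

    Hypothetical front end for a search CGI: the caller never gets to name an
    arbitrary file, only one of a fixed set, and the path is still contained.
    """
    name = safe_name(requested)
    if name is None or name not in allowed:
        return None
    return resolve_inside(conf_dir, name, ".conf")


# Constructed sample input: two legitimate vhosts plus two hostile first fields.
SAMPLE_LINES = [
    'www.example.com 192.0.2.10 - - [25/Oct/2001:10:00:00 -0600] "GET / HTTP/1.0" 200 1234',
    'static.example.com 192.0.2.11 - - [25/Oct/2001:10:00:01 -0600] "GET /a.png HTTP/1.0" 200 55',
    '../../www/htdocs/index 192.0.2.12 - - [25/Oct/2001:10:00:02 -0600] "GET / HTTP/1.0" 200 10',
    'www.example.com 192.0.2.10 - - [25/Oct/2001:10:00:03 -0600] "GET /x HTTP/1.0" 404 0',
    '/etc/nonsense 192.0.2.13 - - [25/Oct/2001:10:00:04 -0600] "GET / HTTP/1.0" 200 1',
]

if __name__ == "__main__":
    files, bad = split_vhost_logs(SAMPLE_LINES, "/var/log/apache/vhosts")
    for path, entries in files.items():
        print(f"{path}: {len(entries)} line(s)")
    print(f"rejected {len(bad)} line(s)")
    print("config:", select_config("htdig", "/etc/htdig"))
    print("config:", select_config("../../tmp/evil", "/etc/htdig"))
```

The two checks are deliberately redundant: the allowlist stops a hostile name before it touches the filesystem, and the containment check catches anything that slips past a future relaxation of the pattern. Rejected lines are returned rather than discarded so they can be logged; a burst of them is itself a useful detection signal.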
OpenSSH restricted host vulnerability. Versions of OpenSSH prior to 2.9.9 have a vulnerability that can allow logins from hosts which have been explicitly denied access. The fix is to upgrade to OpenSSH 2.9.9. This problem first appeared in the October 4 LWN security page. This week's updates:
Improper credentials from login. A problem with the login program (in the util-linux package) can, in some situations, cause a user to be given the credentials of another user at login. Use of the pam_limits module, in particular, can bring about this problem. In general, distributions using the default PAM configuration are not vulnerable; an upgrade is probably a good idea anyway. This problem was first reported in the October 18 LWN security page. This week's updates: Previous updates:
Resources

LinuxSecurity.com has put out its Linux Advisory Watch and Linux Security Week postings, as usual.

Events

Upcoming Security Events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Jonathan Corbet
October 25, 2001