Security

News and Editorials

A new PhpNuke at last. Back in September, a severe vulnerability was reported in PhpNuke; with a carefully-formed URL, arbitrary files could be uploaded to the server. Fixes were available, but the PhpNuke project itself was entirely silent on the matter for over a month. Not exactly what one wants to see when faced with a complete, well-documented, remote vulnerability.

Finally, however, the project has responded; a look at the PhpNuke downloads page shows that version 5.3 was released on November 7. This release includes, of course, the relevant security fixes. Any PhpNuke sites out there that have not already applied the unofficial fix will certainly want to upgrade now.

Bug secrecy vs. full disclosure (ZDNet). ZDNet is running a lengthy piece by Bruce Schneier responding to Microsoft's attempts to silence those who disclose security vulnerabilities. "What we've learned during the past eight or so years is that full disclosure helps much more than it hurts. Since full disclosure has become the norm, the computer industry has transformed itself from a group of companies that ignores security and belittles vulnerabilities into one that fixes vulnerabilities as quickly as possible. A few companies are even going further, and taking security seriously enough to attempt to build quality software from the beginning: to fix vulnerabilities before the product is released."

Security Reports

Red Hat security update to lpr. Red Hat has updated lpr to fix a remotely exploitable hole in that package. If you have lpr running on your (6.x only) systems, this one is almost certainly worth applying.

Horde IMP 2.2.7 security release. If you're running the Horde IMP mail system, do have a look at the IMP 2.2.7 release, which contains a fix for a nasty session hijacking vulnerability. No distributor updates have been issued as of this writing.

Red Hat updates iptables.
Red Hat has issued an iptables update fixing a (Red Hat specific) problem wherein the firewall rules could fail to be set up at boot time.

Updates

Configuration file vulnerability in ht://Dig. The ht://Dig search engine contains a vulnerability which allows a remote user to specify an alternate configuration file. If that user is able to place a suitable file in a location where ht://Dig can read it, the system may be compromised. See the original report from the ht://Dig project for details. This vulnerability first appeared in the October 11 LWN security page.
Webalizer tag vulnerability. The "webalizer" logfile analysis program has a vulnerability which can allow an attacker to place arbitrary HTML tags into the reports. When the reports are viewed, these tags can be used toward unpleasant ends, including cross-site scripting attacks. A fix is available which closes the vulnerability. (First reported in the November 8, 2001 LWN security page).

Remotely exploitable buffer overflow in w3m. w3m is a text-based browser similar to Lynx. A buffer overflow in w3m can be triggered when a base-64 encoded string longer than 32 characters is found in a MIME header field. Source code patches to fix the problem were posted to the w3m developers' list. (First LWN report: June 28, 2001).
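The webalizer item above is the classic log-analyzer failure mode: a field the remote client controls (here the referrer) is copied verbatim into an HTML report. The following is an added illustration, not code from webalizer or from LWN; it parses two constructed Apache "combined" log lines and renders the referrer list both the vulnerable way and the escaped way.

```python
import html
import re

# Constructed sample log lines (not real traffic). The first referrer carries
# an HTML tag, which any client can put there simply by sending the request.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Nov/2001:10:00:00 +0000] "GET / HTTP/1.0" 200 512 '
    '"http://example.invalid/<script>x()</script>" "Mozilla/4.0"',
    '203.0.113.6 - - [08/Nov/2001:10:00:01 +0000] "GET /a HTTP/1.0" 200 77 '
    '"http://example.invalid/ok" "Lynx/2.8"',
]

# host ident user [time] "request" status bytes "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"$'
)


def parse_referrers(lines):
    """Return the referrer field of every parseable combined-format line."""
    refs = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            refs.append(m.group(2))
    return refs


def report_unsafe(refs):
    """Vulnerable pattern: log-derived text is interpolated straight into HTML."""
    return "".join(f"<li>{r}</li>" for r in refs)


def report_safe(refs):
    """Hardened pattern: every log-derived value is HTML-escaped first."""
    return "".join(f"<li>{html.escape(r, quote=True)}</li>" for r in refs)


def contains_live_tag(fragment):
    """Cheap review check: does the rendered fragment still contain a raw <script> tag?"""
    return re.search(r"<script", fragment, re.IGNORECASE) is not None


if __name__ == "__main__":
    refs = parse_referrers(SAMPLE_LOG)
    print("unsafe report has live tag:", contains_live_tag(report_unsafe(refs)))
    print("safe report has live tag:  ", contains_live_tag(report_safe(refs)))
```

The same escaping must be applied to every other client-controlled field a report shows (user agent, request path, query string), not just the referrer.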
Debian security update to ssh-nonfree. The Debian Project has released a security update to its non-free ssh package fixing the remotely exploitable vulnerability there. This vulnerability has long been fixed in OpenSSH, but it remains in the non-free version. The real recommendation is to switch to OpenSSH; however, there is a new non-free ssh package available for those not wanting to make that change.

Resources

Bastille-Linux 1.3.0-pre1 is available from the Bastille-Linux web site. This version is oriented toward the hardening of Red Hat Linux 7.2. It is a testing prerelease, so the usual cautions apply.

vsftpd 1.0.0 released. Chris Evans has announced the 1.0.0 release of his "very secure FTP daemon." It may be version 1.0, but vsftpd already has a track record: apparently Red Hat used it to handle the load (15,000 concurrent users) when 7.2 was released. Chris is contemplating a very secure ssh server as his next project.

ssh exploit analysis. A detailed analysis of the ssh crc32 compensation attack detector exploit has been posted by David A. Dittrich. Those interested in the low-level mechanics of how this (old) exploit was managed should have a look.

Brute force web application session ID exploits are the subject of this paper published by iDEFENSE labs.

LinuxSecurity.com's newsletters, Linux Advisory Watch and Linux Security Week, for this week are available.

Events

Upcoming Security Events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Jonathan Corbet
November 15, 2001