Security

News and Editorials

World Governments Choosing Linux for National Security (GovTech). Government Technology has an article on how security-conscious governments are looking at Linux. "Security experts tend to agree that computers are less prone to hacking and viruses when running open-source software like Linux or the Web server Apache. When vulnerabilities are found, programmers can fix them by tinkering with the code and publishing the results." (Thanks to Robert K. Nelson).

Is Open-Source Security Software Safe? (BusinessWeek). Business Week considers Guardent's firewall box and whether companies will trust it. "Most important, removing the cost of software licenses makes a huge difference in the competitive field of managed security services, where Guardent hopes to make a big splash. Co-founder McCall thinks he can maintain profit margins in the 60% to 70% range with the open-source appliance. All of this might sound familiar to those who have watched Red Hat's struggle to create a workable model, one in which software is free and service revenues generate the profit." (Thanks to David A. Wheeler).

Guardent announces security appliance. Guardent has announced the availability of its "Security Defense Appliance," which is built on Linux. Along with the appliance, customers are expected to buy a range of security monitoring and response services.

Security Reports

OpenSSH restricted command vulnerability clarification. Last week LWN reported that Red Hat issued the first update we had seen for the OpenSSH restricted command vulnerability first reported in the September 27 LWN security page. In fact, Immunix issued an alert in October and Debian fixed the vulnerability in unstable on November 30th (Debian stable is not vulnerable). (Thanks to Seth Arnold and Matt Zimmerman).

Conectiva security update to mailman. Conectiva has issued a security update to mailman which fixes the cross-site scripting problem in that package.

Debian security update to wmtv. The Debian Project has issued a security update to wmtv fixing a really silly local root compromise vulnerability in that package.

web scripts. The following web scripts were reported to contain vulnerabilities:
Updates

Postfix session log memory exhaustion. Postfix 20010228, and some earlier versions, have a denial of service vulnerability. The SMTP session log could grow to an unreasonable size. (First LWN report: November 29, 2001). This week's updates: Previous updates:

Cyrus SASL format string vulnerability. A format string bug in the Cyrus SASL authentication API for mail clients and servers may be remotely exploitable. (First LWN report: November 29, 2001). This week's updates: Previous updates:

Directory indexing and path discovery in Apache. Versions of Apache prior to version 1.3.19 are vulnerable to a custom crafted request that can cause modules to misbehave and return a listing of the directory contents by avoiding the error page. (First LWN report: September 20, 2001). This week's updates: Previous updates:

Resources

Web Security, Privacy, and Commerce, Second Edition. O'Reilly has announced the release of the second edition of Web Security, Privacy, and Commerce by Gene Spafford and Simson Garfinkel.

Advanced Encryption Standard (AES) is a US cryptographic standard described in this government publication (PDF format), which was announced on December 4th. "AES was developed to replace the Data Encryption Standard (DES) in a multi-year effort that began in 1997. The AES specifies a cryptographic algorithm that can be used to protect electronic data by encrypting (enciphering) and decrypting (deciphering) information."

Events

CERT Conference 2002 has issued a call for papers. This fourth annual CERT Conference will be held in Omaha, Nebraska, USA August 6 - 9, 2002.

CodeCon 2002 is scheduled for February 15, 16, and 17 in San Francisco, California, USA. Those who would like to participate have until January 1st to answer the call for presentations.

Upcoming Security Events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney
December 13, 2001