News and Editorials
Microsoft's security bugs.
Perhaps some of you run networks where you have to deal with these
things... Certainly the current bug in Windows
XP is getting a lot of attention, since it exposes most
network-connected systems to a remote exploit. The thing that stands out
to some of us is that it took Microsoft five weeks to get a fix out. Not
all Linux security problems get fixed immediately, but a vulnerability
that exposed almost every network-connected Linux system would see a very
quick response.
Fewer people have been concerned about this Internet
Explorer bug, but it's really just as bad. Write a web page that
feeds IE a .exe file with an image/jpeg MIME header,
and IE will happily execute it. You don't even have to be a script
kiddie to exploit this one. Be careful out there...
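As an added defensive illustration (not part of the original LWN page), the following Python check does at a filtering proxy or mail gateway what IE fails to do here: it compares the declared Content-Type with the body's leading bytes and flags a Windows executable that arrives labelled as a JPEG. The HTTP responses are constructed samples, and the MIME name used for executables is an assumption.

```python
from typing import Optional

# Magic-byte signatures for the two formats the IE bug confuses:
# a Windows PE executable ("MZ") versus a real JPEG (SOI marker FF D8 FF).
_SIGNATURES = {
    b"MZ": "application/x-msdownload",   # assumed label for executables
    b"\xff\xd8\xff": "image/jpeg",
}


def sniff_body(body: bytes) -> Optional[str]:
    """Return the MIME type implied by the body's leading bytes, if known."""
    for magic, mime in _SIGNATURES.items():
        if body.startswith(magic):
            return mime
    return None


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body


def declared_type(headers: dict) -> Optional[str]:
    """Strip any parameters (e.g. charset) and normalise the declared media type."""
    ct = headers.get("content-type")
    return None if ct is None else ct.split(";", 1)[0].strip().lower()


def check_response(raw: bytes) -> dict:
    """Flag a response whose declared Content-Type disagrees with its body."""
    _, headers, body = split_response(raw)
    declared, actual = declared_type(headers), sniff_body(body)
    mismatch = actual is not None and declared is not None and declared != actual
    return {"declared": declared, "sniffed": actual, "mismatch": mismatch,
            "executable": actual == "application/x-msdownload"}


# Constructed samples: a fake PE stub served as image/jpeg, and a genuine JPEG header.
SAMPLE_DISGUISED = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
                    b"Content-Length: 8\r\n\r\nMZ\x90\x00\x03\x00\x00\x00")
SAMPLE_GENUINE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg; charset=binary\r\n\r\n"
                  b"\xff\xd8\xff\xe0\x00\x10JFIF")
```

A gateway that drops or quarantines responses where `executable` and `mismatch` are both true blocks this trick regardless of what the client does with the header.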
Security Reports
Remotely exploitable security problem in mutt.
A couple of new mutt releases (1.2.5.1 and 1.3.25)
were announced this week. These releases include a fix for a security
problem which, apparently, can be exploited remotely. The nature of the
vulnerability is still being kept under wraps.
The Debian Project came out with the first mutt update for this vulnerability that we have seen.
Expect to see updates to a number of other distributions shortly.
Problems with libgtop_daemon.
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th SuSE
recommended
disabling the libgtop_daemon on systems where it is running until
an update is available.
MandrakeSoft has issued what appears to be the
first security update to libgtop that fixes the problems.
Mandrake Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
Debian security update to gpm.
The Debian Project has issued a
security update to gpm fixing a format string vulnerability in that
package.
EnGarde security update to stunnel.
Stunnel has a format string bug described in detail here.
EnGarde Secure Linux has already put out a
security update addressing the problem.
Red Hat security update to namazu.
Red Hat has released a security
update to namazu fixing a cross-site scripting problem in that
package.
HP security updates to sendmail, ghostscript, and glibc.
HP has sent out a bulk security update
notice for users of its "HP Secure OS Software for Linux." Updated
packages include sendmail (local root exploit), ghostscript (read access
to protected files) and glibc (file globbing buffer overflow).
Proprietary products.
The following proprietary products were reported to contain
vulnerabilities:
Updates
Buffer overflow problem in glibc.
The glibc filename globbing code has a buffer overflow problem.
For those who are interested, Global InterSec LLC has provided
a detailed description
of this vulnerability.
This problem was first reported by LWN on December 20th.
This week's updates:
Previous updates:
Mailman cross-site scripting vulnerability. This vulnerability
was first reported by LWN on December 13th.
This week's updates:
Previous updates:
OpenSSH UseLogin vulnerability. This obscure vulnerability
is not of concern to most sites.
This problem first appeared
in the December 6th
LWN security page.
This week's updates:
Previous updates:
Resources
KDE frontend to iptables.
Version 2.2.3 of knetfilter was released.
Knetfilter may be used with Linux 2.4
to manage the functionality of netfilter. Knetfilter "lets you set up most
common firewall configurations, as well as perform more sophisticated
management of a complex firewall."
The Linux Intrusion Detection System 1.1.0 for the 2.4.16 (2.4.x) kernel
is available. The Linux Intrusion
Detection System (LIDS) is "a patch which
enhances the kernel's security by implementing a reference monitor and
Mandatory Access Control (MAC). When it is in effect, chosen file access,
all system/network administration operations, any capability use, raw
device, memory, and I/O access can be made impossible even for root."
Events
Upcoming Security Events.
Date | Event | Location |
January 7 - 9, 2002 | 2002 Federal Convention on Emerging Technologies: a Homeland Security Forum | Las Vegas, Nevada, USA |
January 30 - February 2, 2002 | Second Annual Privacy and Data Protection Summit | Washington D.C., USA |
February 15 - 17, 2002 | CODECON 2002 | San Francisco, California, USA |
February 18 - 22, 2002 | RSA Conference 2002 | San Jose, CA., USA |
For additional security-related events, including training courses (which we
don't list above) and events further in the future, check out
Security Focus' calendar,
one of the primary resources we use for building the above list. To
submit an event directly to us, please send a plain-text message to
lwn@lwn.net.
Section Editor: Dennis Tenney
January 3, 2002