Sections:
Main page
Security
Kernel
Distributions
Development
Commerce
Linux in the news
Announcements
Linux History
Letters
All in one big page

Security

News and Editorials

Microsoft's security bugs. Perhaps some of you run networks where you have to deal with these things... Certainly the current bug in Windows XP is getting a lot of attention, since it exposes most network-connected systems to a remote exploit. The thing that stands out to some of us is that it took Microsoft five weeks to get a fix out. Not all Linux security problems get fixed immediately, but a vulnerability that exposed almost every network-connected Linux system would see a very quick response.

Fewer people have been concerned about this Internet Explorer bug, but it's really just as bad. Write a web page that feeds IE a .exe file with an image/jpeg MIME header, and IE will happily execute it. You don't even have to be a script kiddie to exploit this one. Be careful out there...

Security Reports

Remotely exploitable security problem in mutt. A couple of new mutt releases (1.2.5.1 and 1.3.25) were announced this week. These releases include a fix for a security problem which, apparently, can be exploited remotely. The nature of the vulnerability is still being kept under wraps.

The Debian Project came out with the first mutt update for this vulnerability that we have seen. Expect to see updates to a number of other distributons shortly.

Problems with libgtop_daemon. The libgtop_daemon package is a GNOME program which makes system information available remotely. LWN reported the remotely exploitable format string and buffer overflow vulnerabilities in that package on December 6th. On November 28th SuSE recommended disabling the libgtop_daemon on systems where it is running until an update is available.

MandrakeSoft has issued what appears to be the first security update to libgtop that fixes the problems. Mandrake Linux systems do not run libgtop by default, but applying the update is a good idea anyway.

Debian security update to gpm. The Debian Project has issued a security update to gpm fixing a format string vulnerability in that package.

EnGarde security update to stunnel. Stunnel has a format string bug described in detail here. EnGarde Secure Linux has already put out a security update addressing the problem.

Red Hat security update to namazu. Red Hat has released a security update to namazu fixing a cross-site scripting problem in that package.

HP security updates to sendmail, ghostscript, and glibc. HP has sent out a bulk security update notice for users of its "HP Secure OS Software for Linux." Updated packages include sendmail (local root exploit), ghostscript (read access to protected files) and glibc (file globbing buffer overflow).

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

Magic Enterprise Edition, from Magic Software, has multiple vulnerabilities which are detailed in this post to bugtraq from immutec.
The Aktivate Shopping System for Linux (and other Unices) had a cross site scripting vulnerability reported on bugtraq.

Updates

Buffer overflow problem in glibc. The glibc filename globbing code has a buffer overflow problem. For those who are interested, Global InterSec LLC has provided a detailed description of this vulnerability. This problem was first reported by LWN on December 20th.

This week's updates:

Previous updates:

Mandrake (January 8, 2002) (fix 8.0/PPC problem in original update)
Conectiva (January 3, 2002)
SuSE (December 24, 2001)
Immunix (December 19, 2001)
Mandrake (December 19, 2001)
Trustix (December 19, 2001)
EnGarde (December 17, 2001)
Red Hat (December 14, 2001)

Mailman cross-site scripting vulnerability. This vulnerability was first reported by LWN on December 13th.

This week's updates:

Red Hat (December 19, 2001) ( Red Hat 7.2 )
Red Hat (December 20, 2001) ( PowerTools 7 and 7.1 )

Previous updates:

OpenSSH UseLogin vulnerability. This obscure vulnerability is not of concern to most sites. This problem first appeared in the December 6th LWN security page.

This week's updates:

Turbolinux (January 23, 2002)

Previous updates:

Caldera (December 11, 2001)
Caldera (December 14, 2001) (correct December 11th update)
Conectiva (December 13, 2001)
Debian (December 5, 2001) (backport from OpenSSH 3.0.2)
Mandrake (December 13, 2001)
Red Hat (December 4, 2001) (backport from OpenSSH 3.0.2)
Trustix (December 19, 2001)

Resources

KDE frontend to iptables. Version 2.2.3 of knetfilter was released. Knetfilter may be used with Linux 2.4 to manage the functionality of netfilter. Knetfilter "lets you set up most common firewall configurations, as well as perform more sophisticated management of a complex firewall."

The Linux Intrusion Detection System 1.1.0 for the 2.4.16 (2.4.x) kernel is available. The Linux Intrusion Detection System (LIDS) is a" a patch which enhances the kernel's security by implementing a reference monitor and Mandatory Access Control (MAC). When it is in effect, chosen file access, all system/network administration operations, any capability use, raw device, memory, and I/O access can be made impossible even for root."

Events

Upcoming Security Events.

Date Event Location

January 7 - 9, 2002 2002 Federal Convention on Emerging Technologies: a Homeland Security Forum Las Vegas, Nevada, USA

January 30 - February 2, 2002 Second Annual Privacy and Data Protection Summit Washington D.C., USA

February 15 - 17, 2002 CODECON 2002 San Francisco, California, USA

February 18 - 22, 2002 RSA Conference 2002 San Jose, CA., USA

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney

January 3, 2002

LWN Resources

Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal

Next: Kernel