
Security


News and Editorials

Linux virus on the loose. Articles in IT-Director and Newsbytes claim there is a Linux virus making the rounds. According to Newsbytes: "Like the initial RST, the new variant identified by Qualys is designed to infect binary files in the Linux Executable and Linking Format (ELF) and create a "back door" on an infected system that gives a remote attacker full control."

A Rough Year for SSH (Linux Journal). The Linux Journal looks at the troubles faced by SSH over the last year. "Several groups focused their attentions on this cornerstone of the net, and several problems emerged. ssh has emerged from this scrutiny a stronger product."

Open-source security tools gain favor (ZDNet). This ZDNet Tech Update article is about open-source software in the enterprise security market. "Open-source security tools are gaining appeal in the enterprise as IT managers and CIOs search for ways to step up security while holding down costs."

Security Reports

Debian and Red Hat security updates to exim. It seems that, for certain exim configurations, a properly crafted mail message may cause an arbitrary command to be executed. Not good; upgrades are recommended.

The updates available so far are for Debian and Red Hat Powertools. Exim is only available from Red Hat in the Powertools package. It is not vulnerable in the default Powertools configuration.

Conectiva security update to proftpd. Conectiva has issued an update to proftpd fixing a couple of remotely exploitable vulnerabilities in that package.

Mandrake Linux security update to bind. MandrakeSoft has issued a security update to bind. The problem appears to be incorrect permissions on some of bind's configuration files; it would seem to be a Mandrake-specific vulnerability.

Bugzilla upgrade to version 2.14.1. This security update has patches for a number of security-related bugs described in this announcement. All users of Bugzilla, the bug-tracking system from mozilla.org, who are using a version of Bugzilla installed from a downloaded tarball or package file are strongly recommended to update to version 2.14.1.

Heap overflow in snmpnetstat. Axioma Security Research posted this description of a remotely exploitable vulnerability in snmpnetstat on bugtraq. Snmpnetstat is part of the ucd-snmp package. The problem was researched on Red Hat Linux 7.1.

Updates

Directory indexing and path discovery in Apache. Versions of Apache prior to 1.3.19 are vulnerable to a custom-crafted request that can cause modules to misbehave and return a listing of the directory contents by bypassing the error page. (First LWN report: September 20, 2001).


Buffer overflow problem in glibc. The glibc filename globbing code has a buffer overflow problem. For those who are interested, Global InterSec LLC has provided a detailed description of this vulnerability. This problem was first reported by LWN on December 20th.

Problems with libgtop_daemon. The libgtop_daemon package is a GNOME program which makes system information available remotely. LWN reported the remotely exploitable format string and buffer overflow vulnerabilities in that package on December 6th. On November 28th SuSE recommended disabling the libgtop_daemon on systems where it is running until an update is available.

Many Linux systems do not run libgtop by default, but applying the update is a good idea anyway.


Remotely exploitable security problem in mutt. Most of the major distributions have provided updates for this buffer overflow vulnerability, which was fixed in mutt versions 1.2.5.1 and 1.3.25.

This is a remotely exploitable hole; applying the update is a very good idea. It was first mentioned in the January 3rd LWN security page.


Cross-site scripting problem in namazu. This vulnerability was first reported in the January 3rd LWN security page.

Format string bug in stunnel. Stunnel has a format string bug described in detail here. Versions prior to 3.15 are not vulnerable. LWN first reported the problem on January 3rd.


Resources

Trent Jaeger, David Safford, and Hubertus Franke of the IBM T.J. Watson Research Center have authored two new white papers on security topics. The first is "Linux Security for the Enterprise: Executive Summary" and the second is "Security Requirements for the Deployment of the Linux Kernel in Enterprise Systems". The papers are available from the IBM Linux Technology Center website. (Thanks to Steve Fox).

Guidelines on Firewalls and Firewall Policy. NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy, is now available from here (PDF format). "This document contains an overview of recent developments in firewall technology, and guidance on configuring firewall environments. It discusses firewall access control, active content filtering, DMZs, and co-location with VPNs, web and email servers, and intrusion detection."

Events

Upcoming Security Events.

The USENIX Security Symposium 2002 call for papers is available here. The submission deadline has been extended to February 1, 2002. This year the symposium is scheduled for August 5th to 9th in San Francisco, CA, USA. "If you are working on any practical aspects of security or applications of cryptography, the program committee would like to encourage you to submit a paper."

The New Security Paradigms Workshop 2002 has issued this call for papers. "In order to preserve the small, focused nature of the workshop, participation is limited to authors of accepted papers and conference organizers". This ACM/SIG sponsored workshop will be held September 23rd to 26th at the Chamberlain Hotel in Hampton, Virginia, USA.

Date | Event | Location
January 7 - 9, 2002 | 2002 Federal Convention on Emerging Technologies: a Homeland Security Forum | Las Vegas, Nevada, USA
January 30 - February 2, 2002 | Second Annual Privacy and Data Protection Summit | Washington D.C., USA
February 15 - 17, 2002 | CODECON 2002 | San Francisco, California, USA
February 18 - 22, 2002 | RSA Conference 2002 | San Jose, CA., USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney


January 10, 2002

Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds