Sections: Main page Security Kernel Distributions Development Commerce Linux in the news Announcements Letters All in one big page See also: last week's Security page. |
SecurityNews and EditorialsHow are distributors doing with security updates? Below you'll find the writeup of the rsync vulnerability, along with a large number of distributor updates which fix the problem. The rsync vulnerability is severe; relatively few sites run globally available rsync servers, but those which do are open to a remote root exploit. So it is good to see that most distributors are responding quickly to the problem.A look at the list of updates reveals, however, that a couple of the major distributors have not issued updates. This delay, if it continues much longer, will be hard to justify. The fix is known and available; why would a distributor want to leave its customers open to a vulnerability of this magnitude? One of the missing distributors is Turbolinux. We are pleased to note that the company did come out with a few security updates this week (but not for rsync). We are less pleased to note that these updates were (according to The Turbolinux security page) the first from Turbolinux since June, 2001. It will be a nice day when a distributor need not issue a single security update for six months, but that is not where we are at now. Distributors have a responsibility to fix known security problems in their distributions. Anybody who is trying to choose between distributions for an important application would do well to consider how well the candidate distributors are living up to that responsibility. Security response is a very direct indication of how much importance a distributor places on security, and on the integrity of its customers' systems. (For more information, see the distributor's security pages, linked in the right-hand column of this page, or the LWN Security Alert Archive). Security ReportsA remotely exploitable hole in rsync. A vulnerability has been found in the rsync server: it seems that the server did not pay enough attention to the sign of numbers it reads from the client connection. This oversight allows an attacker to write bytes containing zero almost anywhere in the stack, with results similar to those caused by buffer overflows. Sites running rsync in its daemon mode are thus vulnerable to remote root compromises. Versions of rsync prior to 2.5.2 are vulnerable.Here are the vendor updates we have seen so far:
Trouble with OpenLDAP object protection rules. OpenLDAP (and, specifically, slapd prior to 2.0.20) has a vulnerability which allows an attacker to delete attributes from the database. Updates seen so far:
Temporary file handling vulnerability in sane. Yellow Dog Linux
has a security update to its
sane-backends package fixing a temporary file vulnerability.
web scripts. Proprietary products. The following proprietary products were reported to contain vulnerabilities:UpdatesHeap corruption vulnerability in at. The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th).This week's updates:
Denial of service vulnerability in CIPE. The CIPE VPN package has a vulnerability which can cause the hosting system to crash. (First LWN report: January 17, 2002). This week's updates: Previous updates: Temporary file handling bug in enscript Enscript has a temporary file handling bug. (First LWN report: January 24, 2002). This week's updates: Previous updates: Format string vulnerability in groff. A format string problem exists in groff; apparently it could be remotely exploited when it is configured to be used with the lpd printing system. (First LWN report: August 16, 2001). The stable release of Debian is not vulnerable. New updates:
Previous updates:
Buffer overflow in groff. The groff package has a buffer overflow vulnerability; if it is used with the print system, it is conceivably exploitable remotely. This week's updates: Previous updates: Remotely exploitable security problem in mutt. Most of the major distributions have provided updates for this buffer overflow vulnerabilty which was fixed in mutt versions 1.2.5.1 and 1.3.25. This is a remotely exploitable hole; applying the update is a very good idea. It was first mentioned in the January 3rd LWN security page. This week's updates: Previous updates:
OpenSSH UseLogin vulnerability. This obscure vulnerability is not of concern to most sites. This problem first appeared in the December 6th LWN security page. This week's updates: Previous updates:
This vulnerability is remotely exploitable; updating is a good idea. Note: If an update isn't yet available for your distribution, setting enable-msg-view-urls to "off" in pine's setup will avoid the vulnerability. (Thanks to Greg Herlein). This week's updates: Previous updates:
This week's updates: Previous updates: Nasty security hole in sudo. The sudo package, used to provide limited administrator access to systems, has an unpleasant vulnerability which makes it relatively easy for a local attacker to obtain root access. If you have sudo on a system with untrusted users, you probably want to disable it until you can get a fix installed. (First LWN report: January 17th).This week's updates: Previous updates:
Remote command execution vulnerability in uucp. The uuxqt utility in the uucp package does not properly check its options, allowing an attacker to run arbitrary commands. (First LWN report: January 24, 2002). This week's updates: Previous updates: wu-ftpd buffer overflow. The wu-ftpd FTP server contains a remotely exploitable buffer overflow vulnerability; anybody running this package should already have upgraded. Versions up through 2.6.1 are vulnerable, as are 2.7.0 testing snapshots. (First LWN report: November 29). This week's updates: Previous updates:
This week's updates: Previous updates:
This week's updates: Previous updates:
ResourcesWhite paper on SQL injection. SPI Labs has released a white paper (in PDF format) on SQL injection attacks.EventsUpcoming Security Events.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net. Section Editor: Jonathan Corbet |
January 31, 2002
LWN Resources | ||||||||||||||||||