
Security


News and Editorials

Toward a common naming system for security vulnerabilities. The Common Vulnerabilities and Exposures project has been working since 1999 to create a standard way of talking about security problems. The problem to be solved is real: one distributor may refer to a vulnerability in "login," while another fixes a problem with the PAM libraries. Both are dealing with the same vulnerability, but it can be hard to tell without taking a detailed look. Even more detailed descriptions (e.g. "the buffer overflow in wu-ftpd") can be ambiguous. How is a user to know which problems an update really fixes?

The CVE project steps in by assigning a unique name to each vulnerability. The full set of vulnerabilities is packaged in a "freely downloadable" database - you can do almost anything with CVE except modify it. Last year's mutt format string vulnerability, for example, is CVE-2001-0473.

The process for creating a CVE entry appears to be lengthy: one must first get a "candidate number" assigned, then wait for a large "editorial board" to pass judgment on whether a real vulnerability has been described or not. The delay is substantial; the last Linux-related vulnerability with a full CVE number is CVE-2001-0489, a format string vulnerability in gftp which was reported in May, 2001. This is a problem: time is often of the essence when dealing with security incidents. During the period in which a security problem is current, all that is available is an unratified, temporary candidate number. This slowness is likely to slow the adoption of CVE.

Still, the effort is worthwhile. As we rework our handling of security vulnerabilities in the near future, we'll look hard at including CVE identifiers in the database.
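As an added example (not part of the LWN article, and not the CVE project's own tooling), here is a small Python script that uses CVE identifiers as the join key the article is asking for: it pulls CVE and candidate (CAN-) numbers out of advisory text, treats a candidate and its ratified entry as the same thing (a candidate keeps its year and sequence number when it is promoted; that behaviour is assumed here), groups advisories from different distributors under one key, and reports which identifiers a set of applied updates still leaves unaddressed. The advisory texts, the distributor names and the candidate number CAN-2002-0000 are constructed; the two full CVE numbers are the ones cited in the article.

```python
import re
from dataclasses import dataclass

# Matches ratified entries (CVE-2001-0473) and the candidate form (CAN-2001-0473)
# that is handed out before the editorial board has voted.
CVE_RE = re.compile(r"\b(CVE|CAN)-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def normalize(identifier: str) -> str:
    """Return a canonical key ("2001-0473") for a CVE or CAN identifier.

    Assumption: a candidate keeps its year and sequence number when it is
    ratified, so the CAN- and CVE- spellings of one entry share a key.
    """
    m = CVE_RE.fullmatch(identifier.strip())
    if m is None:
        raise ValueError(f"not a CVE/CAN identifier: {identifier!r}")
    return f"{m.group(2)}-{m.group(3)}"


def extract_ids(text: str) -> set[str]:
    """All normalized CVE/CAN keys mentioned anywhere in an advisory text."""
    return {normalize(m.group(0)) for m in CVE_RE.finditer(text)}


@dataclass(frozen=True)
class Advisory:
    distributor: str
    package: str   # the package name the distributor chose to use
    text: str      # advisory body, which carries the identifiers

    def ids(self) -> set[str]:
        return extract_ids(self.text)


# Constructed sample advisories. CVE-2001-0473 (mutt) and CVE-2001-0489 (gftp)
# are the identifiers cited in the article; CAN-2002-0000 is a placeholder
# candidate number, not a real entry. The distributor names are made up.
ADVISORIES = [
    Advisory("Distro A", "mutt",
             "Format string bug in mutt's IMAP code. References: CVE-2001-0473"),
    Advisory("Distro B", "mutt",
             "Updated mutt packages close a remotely triggerable hole (CAN-2001-0473)."),
    Advisory("Distro A", "gftp",
             "gftp format string vulnerability, CVE-2001-0489."),
    Advisory("Distro B", "pam",
             "Access problem in login via the PAM libraries, CAN-2002-0000 (placeholder)."),
]


def by_identifier(advisories):
    """Group advisories by normalized identifier, the join key across distributors.

    Returns {key: sorted list of (distributor, package)}, which makes it obvious
    when two vendors describe the same entry under different package names.
    """
    index: dict[str, set[tuple[str, str]]] = {}
    for adv in advisories:
        for key in adv.ids():
            index.setdefault(key, set()).add((adv.distributor, adv.package))
    return {key: sorted(pairs) for key, pairs in index.items()}


def missing_fixes(required, applied) -> set[str]:
    """Identifiers in `required` that none of the `applied` advisories mention."""
    covered: set[str] = set()
    for adv in applied:
        covered |= adv.ids()
    return set(required) - covered


if __name__ == "__main__":
    for key, who in sorted(by_identifier(ADVISORIES).items()):
        print(key, "->", ", ".join(f"{d}/{p}" for d, p in who))
    wanted = {"2001-0473", "2001-0489", "2002-0000"}
    applied_b = [a for a in ADVISORIES if a.distributor == "Distro B"]
    print("still unfixed after Distro B's updates:",
          sorted(missing_fixes(wanted, applied_b)))
```

Run as a script it prints the cross-distributor index and then the one identifier (the gftp entry) that Distro B's updates do not cover. The point of keying on the normalized number rather than the package name is exactly the "login" versus "PAM" ambiguity above: the two mutt advisories land under one key even though one cites the candidate form and the other the ratified one.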

Security Reports

Multiple security vulnerabilities in squid. Here is a security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE3. At the minimum, the vulnerabilities could facilitate denial of service attacks; the potential for worse also exists. Sites running squid probably should apply the update sooner rather than later.

Distributor updates seen so far:

IRC connection tracking vulnerability in netfilter. The Netfilter team has released an advisory warning of a bug in the Linux packet filtering code. It seems that when connection tracking is used, and a particular type of IRC connection is made, the firewall can be opened up to all incoming connections to a particular port for a brief period. Only certain configurations are vulnerable; see the advisory for details.

As of this writing, the only distributor update available is from Red Hat. It is a kernel update, of course, and so should be applied carefully.

Red Hat security update to ncurses4. Red Hat has issued a security update to ncurses4 fixing a buffer overrun vulnerability in that package.

Access control vulnerabilities in gnujsp. The gnujsp Java servlet has a set of vulnerabilities which make it possible to bypass access control restrictions on the web server. So far, the only distributor update we have seen is:

Updates

Heap corruption vulnerability in at. The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th).

This week's updates:

Previous updates:

Buffer overflow in CUPS. Versions of the Common Unix Print System prior to 1.1.14 have a buffer overflow vulnerability. (First LWN report: February 14).

This week's updates:

Previous updates:

Multiple vulnerabilities in SNMP implementations. Most SNMP implementations out there have a variety of buffer overflow vulnerabilities and should be upgraded at first opportunity. See this CERT advisory for more. (First LWN report: February 14).

This week's updates:

Previous updates:

Resources

Patching the net's fatal flaws (Business Week). Business Week examines the SNMP vulnerabilities. "So far, the fallout has been minimal. Major attacks using the SNMP hole have failed to materialize. That doesn't mean they won't happen, though."

LinuxSecurity.com newsletters. The Linux Advisory Watch and Linux Security Week newsletters from LinuxSecurity.com are available.

Events

ICICS 2002 CFP. The 4th International Conference on Information and Communications Security will be held in Singapore on December 9 to 12. The Call for papers has gone out; see the ICICS 2002 web page for details.

Upcoming Security Events.

Date | Event | Location
February 28 - March 1, 2002 | Secure Trusted OS Consortium - Quarterly Meeting (STOS) (Hyperdigm Research) | Chantilly, VA, USA
March 11 - 14, 2002 | Financial Cryptography 2002 | Southampton, Bermuda
March 18 - 21, 2002 | Sixth Annual Distributed Objects and Components Security Workshop (Pier 5 Hotel at the Inner Harbor) | Baltimore, Maryland, USA
March 18 - 20, 2002 | InfoSec World Conference and Expo/2002 | Orlando, FL, USA
April 1 - 7, 2002 | SANS 2002 | Orlando, FL, USA
April 5 - 7, 2002 | Rubicon | Detroit, Michigan, USA
April 7 - 10, 2002 | Techno-Security 2002 Conference | Myrtle Beach, SC
April 14 - 15, 2002 | Workshop on Privacy Enhancing Technologies 2002 (Cathedral Hill Hotel) | San Francisco, California, USA
April 16 - 19, 2002 | The Twelfth Conference on Computers, Freedom & Privacy (Cathedral Hill Hotel) | San Francisco, California, USA
April 23 - 25, 2002 | Infosecurity Europe 2002 | Olympia, London, UK

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Jonathan Corbet


February 28, 2002

Eklektix, Inc. Linux powered! Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds