Sections: Main page Security Kernel Distributions Development Commerce Linux in the news Announcements Letters All in one big page See also: last week's Security page. |
SecurityNews and EditorialsToo much trust in open source? (ZDNet). ZDNet looks at the recent security vulnerabilities and asks whether free software is really more secure. Quoting Linus Torvalds: "In the open-source community, the community has so far been pretty good at policing itself without the embarrassment. Do bugs happen? Yes, of course. But do they get found and fixed without a new virus of the week that costs a few billion dollars of user time? You bet." Analysts: Security flaws won't undermine Linux (ComputerWorld). ComputerWorld talks to security analysts about recent security problems. "Alan Paller, research director at the SANS Institute, a Bethesda, Md.-based nonprofit security group, said it's not a surprise that more vulnerabilities are showing up in Linux, since the operating system is being used more widely in corporate computing. The larger deployment of the operating system means more problems are likely to be seen in larger numbers, Paller said." (Thanks to Jay R. Ashworth) March CRYPTO-GRAM newsletter. Bruce Schneier's CRYPTO-GRAM Newsletter for March is out. It looks at the SNMP vulnerabilities, the IETF draft "responsible disclosure" standard, cryptography and terrorism, and more. "CERT took on the task of coordinating the [SNMP] fix with the major software vendors, and has said that the reason publication was delayed so long is that there were so many vendors to contact. CERT even had problems with vendors not taking the problem seriously, and had to spend considerable effort to get the right people to pay attention. Lesson #1: If bugs are secret, many vendors won't bother patching their systems." Security Reports
Mandrake Linux update for rsync.
Ethan Benson reported that
rsyncd fails to remove supplementary groups (such as root)
from the server process after changing to the specified unprivileged
uid and gid.
Mandrake has provided an rsync update which fixes the problem.
"This seems only serious if rsync is called using "rsync
--daemon" from the command line where it will inherit the group of the
user starting the server (usually root)."
web scripts.
Proprietary products. The following proprietary products were reported to contain vulnerabilities:UpdatesApache mod_ssl buffer overflow vulnerability. According to this announcement "modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the underlying OpenSSL routines in a manner which could overflow a buffer within the implementation. This situation appears difficult to exploit in a production environment[...]." (First LWN report: March 7). This week's updates: Previous updates:
Buffer overflow in CUPS. Versions of the Common Unix Print System prior to 1.1.14 have a buffer overflow vulnerability. (First LWN report: February 14). This week's updates: Previous updates:
Remotely exploitable buffer overflow in Ecartis/Listar. Janusz Niewiadomski and Wojciech Purczynski reported a remotely exploitable buffer overflow in address_match(). The other vulnerabilities in their report not addressed by the updates listed below are "ineffective privilege dropping in listar" and "multiple local vulnerabilities." Listar is a mailing list manager similar to Majordomo or Listserv. (First LWN report: March 14). This week's updates: Both PHP3 and PHP4 have vulnerabilities in their file upload code which can lead to remote command execution. This one could be ugly; sites using PHP should apply updates at the first opportunity. If an update isn't available for your distribution, users of PHP 4.0.3 and later are encouraged to consider disabling file upload support by adding this directive to php.ini: file_uploads = Off CERT has issued this advisory on the problem. This article in the Register also talks about the vulnerability. (First LWN report: March 7). Developers using the 4.2.0 branch, are not vulnerable because because file upload support was completely rewritten for that branch. This week's updates: Previous updates:
Update: Despite some concern expressed in an earlier report by LWN, these updates do, in fact, fix the problem. The original update from the php team fixes the security hole but introduces a "rare segfault condition" that is not a security problem. zlib corrupts malloc data structures via double free. This vulnerability impacts all major Linux vendors. It may impact every Linux installation on Earth. Updates are required to zlib and any packages that were statically built with the zlib code. (First LWN report: March 14). LinuxSecurity describes the vulnerability and coordinated distributor efforts in detail. "Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc, vnc, and many other programs that have the ability to use network compression are potentially vulnerable." Updating is recommended. As always, please proceed with caution when applying updates to the kernel. This week's updates:
Previous updates:
See also: articles in ZDNet and The Register about the zlib vulnerability. And, these reports from ZDNet and Vnunet on this vulnerability in some of Microsoft's major applications. ResourcesParanoid Penguin: Hardening Sendmail (Linux Journal). Mick Bauer shares his secrets of a secure sendmail install. "Well, contrary to popular belief, sendmail isn't a total loss where security is concerned, nor does it require learning the arcane syntax of sendmail.cf (although hardcore sendmail gurus do indeed master it). This month we examine these and other sendmail security controversies, using sendmail's handy m4 macros to rapidly build a secure but functional Simple Mail Transport Protocol (SMTP) gateway to handle internet mail." The Linux Virus Writing HOWTO. Alexander Bartolich's Linux Virus Writing HOWTO describes "how to write parasitic file viruses infecting ELF executables on Linux/i386. Though it contains a lot of source code, no actual virus is included." Linux security week. The and publications from LinuxSecurity.com are available. EventsUpcoming Security Events. FOSE SELinux Panel. There is a Security Enhanced Linux (SELinux) panel at the FOSE conference in Washington D.C. today, Thursday, March 21, 2002.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net. Section Editor: Dennis Tenney |
March 21, 2002
LWN Resources | |||||||||||||||||||||||||||||||||||||||||||||