
Security


News and Editorials

Too much trust in open source? (ZDNet). ZDNet looks at the recent security vulnerabilities and asks whether free software is really more secure. Quoting Linus Torvalds: "In the open-source community, the community has so far been pretty good at policing itself without the embarrassment. Do bugs happen? Yes, of course. But do they get found and fixed without a new virus of the week that costs a few billion dollars of user time? You bet."

Analysts: Security flaws won't undermine Linux (ComputerWorld). ComputerWorld talks to security analysts about recent security problems. "Alan Paller, research director at the SANS Institute, a Bethesda, Md.-based nonprofit security group, said it's not a surprise that more vulnerabilities are showing up in Linux, since the operating system is being used more widely in corporate computing. The larger deployment of the operating system means more problems are likely to be seen in larger numbers, Paller said." (Thanks to Jay R. Ashworth)

March CRYPTO-GRAM newsletter. Bruce Schneier's CRYPTO-GRAM Newsletter for March is out. It looks at the SNMP vulnerabilities, the IETF draft "responsible disclosure" standard, cryptography and terrorism, and more. "CERT took on the task of coordinating the [SNMP] fix with the major software vendors, and has said that the reason publication was delayed so long is that there were so many vendors to contact. CERT even had problems with vendors not taking the problem seriously, and had to spend considerable effort to get the right people to pay attention. Lesson #1: If bugs are secret, many vendors won't bother patching their systems."

Security Reports

Mandrake Linux update for rsync. Ethan Benson reported that rsyncd fails to remove supplementary groups (such as root) from the server process after changing to the specified unprivileged uid and gid. Mandrake has provided an rsync update which fixes the problem. "This seems only serious if rsync is called using "rsync --daemon" from the command line where it will inherit the group of the user starting the server (usually root)."
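The bug class above and its fix, as an added example in C that is not rsync's code: drop_privileges_buggy() changes gid and uid in the order the report describes, which leaves the supplementary group list (gid 0 included, when the daemon was started by root) untouched; drop_privileges() calls setgroups() while still privileged, then setgid(), then setuid(), and verifies that root cannot be regained and that nothing besides the target gid survives. The uid/gid in main() are placeholders, and the explicit setgroups() prototype is only there for strict-standard builds.

```c
/* Added example: daemon privilege drop, buggy order beside the correct one.
 * Not rsync's code; uid/gid values in main() are placeholders. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
int setgroups(size_t, const gid_t *);   /* fallback prototype for -std=c99 builds */
#endif

/* Pure check, usable on any group list: does anything besides `allowed`
 * survive? (getgroups() may or may not report the primary gid itself.) */
int groups_leak_privilege(const gid_t *groups, int n, gid_t allowed)
{
    for (int i = 0; i < n; i++)
        if (groups[i] != allowed)
            return 1;
    return 0;
}

/* Live version of the check on the calling process:
 * 0 = only the target gid remains, 1 = extra groups leaked, -1 = error. */
int check_supplementary_groups(gid_t allowed)
{
    int n = getgroups(0, NULL);
    if (n < 0) return -1;
    gid_t *groups = calloc((size_t)n + 1, sizeof *groups);
    if (!groups) return -1;
    n = getgroups(n + 1, groups);
    int leak = (n < 0) ? -1 : groups_leak_privilege(groups, n, allowed);
    free(groups);
    return leak;
}

/* The bug: setgid()/setuid() only. The kernel never touches the
 * supplementary list, so a daemon started by root keeps gid 0 (and every
 * other group root was in) after "dropping" to an unprivileged account. */
int drop_privileges_buggy(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* The fix: setgroups() first, while still root (it needs CAP_SETGID),
 * then gid, then uid, then prove the drop is complete and irreversible. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;            /* must fail */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return check_supplementary_groups(gid) == 0 ? 0 : -1;
}

int main(void)
{
    uid_t uid = 65534; gid_t gid = 65534;                 /* placeholder: nobody */
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges failed or incomplete");
        return 1;
    }
    printf("running as uid %d gid %d with clean supplementary groups\n",
           (int)getuid(), (int)getgid());
    return 0;
}
```

Run it as root to see a clean drop; run it as an ordinary user and setgroups() fails with EPERM, which is the point: the supplementary list can only be cleared before privileges are gone, so a daemon that forgets it has no second chance.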

web scripts. The following web scripts were reported to contain vulnerabilities:

  • ARSC Really Simple Chat v1.0.1 and v1.0 had a system information path disclosure vulnerability reported by Ahmet Sabri Alper in this advisory. The problem is fixed in version 1.0.1pl1.
  • Ahmet Sabri Alper has also reported cross site scripting vulnerabilities in News-TNK, BG Guestbook and Board-TNK which "would allow a remote attacker to send information to victims from untrusted web servers, and make it look as if the information came from the legitimate server."

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

Updates

Apache mod_ssl buffer overflow vulnerability. According to this announcement "modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the underlying OpenSSL routines in a manner which could overflow a buffer within the implementation. This situation appears difficult to exploit in a production environment[...]." (First LWN report: March 7).

This week's updates:

Previous updates:

Buffer overflow in CUPS. Versions of the Common Unix Print System prior to 1.1.14 have a buffer overflow vulnerability. (First LWN report: February 14).

This week's updates:

Previous updates:

Remotely exploitable buffer overflow in Ecartis/Listar. Janusz Niewiadomski and Wojciech Purczynski reported a remotely exploitable buffer overflow in address_match(). The other vulnerabilities in their report not addressed by the updates listed below are "ineffective privilege dropping in listar" and "multiple local vulnerabilities." Listar is a mailing list manager similar to Majordomo or Listserv. (First LWN report: March 14).

This week's updates:

Both PHP3 and PHP4 have vulnerabilities in their file upload code which can lead to remote command execution. This one could be ugly; sites using PHP should apply updates at the first opportunity. If an update isn't available for your distribution, users of PHP 4.0.3 and later are encouraged to consider disabling file upload support by adding this directive to php.ini (and restarting the web server, since PHP running as an Apache module reads php.ini only at startup):

	file_uploads = Off

CERT has issued this advisory on the problem. This article in the Register also talks about the vulnerability. (First LWN report: March 7).

Developers using the 4.2.0 branch are not vulnerable, because file upload support was completely rewritten for that branch.

This week's updates:

Previous updates:

Update: Despite some concern expressed in an earlier report by LWN, these updates do, in fact, fix the problem. The original update from the php team fixes the security hole but introduces a "rare segfault condition" that is not a security problem.

zlib corrupts malloc data structures via double free. This vulnerability impacts all major Linux vendors. It may impact every Linux installation on Earth. Updates are required to zlib and any packages that were statically built with the zlib code. (First LWN report: March 14).

LinuxSecurity describes the vulnerability and coordinated distributor efforts in detail. "Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc, vnc, and many other programs that have the ability to use network compression are potentially vulnerable."

Updating is recommended. As always, please proceed with caution when applying updates to the kernel.
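A check for the "statically built" case, as an added example in C that is not zlib's code nor any distributor's tooling: zlib compiles the strings " deflate <version> Copyright ..." and " inflate <version> Copyright ..." into every copy of the library, static or shared, and strip does not remove them (they are data, not symbols), so scanning a binary for those markers finds embedded copies that the package manager's libz version will not tell you about. The threshold of 1.1.4, the release that fixed the double free, is a constant in the code; the sample bytes in the test are constructed.

```c
/* Added example: find statically linked zlib copies by their banner string
 * and flag versions older than 1.1.4. Not zlib's or any vendor's code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Look for " inflate X.Y.Z Copyright" or " deflate X.Y.Z Copyright" in a
 * byte buffer (may contain NULs, so no strstr). Copies the version into
 * out and returns 1, or returns 0 if no banner is present. */
int find_zlib_version(const unsigned char *buf, size_t n, char *out, size_t outsz)
{
    static const char *markers[] = { " inflate ", " deflate " };
    out[0] = '\0';
    for (size_t m = 0; m < 2; m++) {
        size_t mlen = strlen(markers[m]);
        for (size_t i = 0; i + mlen <= n; i++) {
            if (memcmp(buf + i, markers[m], mlen) != 0) continue;
            size_t j = i + mlen, k = 0;
            while (j < n && k + 1 < outsz &&
                   ((buf[j] >= '0' && buf[j] <= '9') || buf[j] == '.'))
                out[k++] = (char)buf[j++];
            out[k] = '\0';
            /* require " Copyright" right after the version to avoid false hits */
            if (k > 0 && j + 10 <= n && memcmp(buf + j, " Copyright", 10) == 0)
                return 1;
        }
    }
    out[0] = '\0';
    return 0;
}

/* Parse "major.minor.patch" and compare against the fixed release 1.1.4.
 * Returns 1 if older (vulnerable), 0 if 1.1.4 or newer, -1 if unparsable. */
int zlib_version_vulnerable(const char *ver)
{
    int a, b, c;
    if (sscanf(ver, "%d.%d.%d", &a, &b, &c) != 3) return -1;
    long v = (long)a * 1000000 + (long)b * 1000 + c;
    return v < 1001004L ? 1 : 0;
}

/* Read one file whole and report: 1 vulnerable copy, 0 no zlib or a
 * fixed copy (ver tells which), -1 on read error. */
int scan_file(const char *path, char *ver, size_t versz)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t cap = 1 << 16, len = 0, got;
    unsigned char *buf = malloc(cap);
    if (!buf) { fclose(f); return -1; }
    while ((got = fread(buf + len, 1, cap - len, f)) > 0) {
        len += got;
        if (len == cap) {
            unsigned char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); fclose(f); return -1; }
            buf = nb; cap *= 2;
        }
    }
    fclose(f);
    int found = find_zlib_version(buf, len, ver, versz);
    free(buf);
    return found ? zlib_version_vulnerable(ver) : 0;
}

int main(int argc, char **argv)
{
    char ver[32];
    for (int i = 1; i < argc; i++) {
        int r = scan_file(argv[i], ver, sizeof ver);
        if (r == 1)
            printf("%s: embedded zlib %s (older than 1.1.4, needs rebuild)\n", argv[i], ver);
        else if (r == 0 && ver[0])
            printf("%s: embedded zlib %s (fixed)\n", argv[i], ver);
        else if (r < 0)
            printf("%s: could not read\n", argv[i]);
    }
    return 0;
}
```

Typical use is something like `./zlibscan /usr/bin/* /usr/sbin/* /usr/lib/*.so*`: a hit in libz.so itself is the shared copy the distribution update replaces, while a hit in any other file is a private copy that only a rebuild of that package removes. A clean scan is not proof of absence, since a vendor could have changed the banner, but every unmodified zlib of that era carries it.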

This week's updates:

Previous updates:

See also: articles in ZDNet and The Register about the zlib vulnerability. And, these reports from ZDNet and Vnunet on this vulnerability in some of Microsoft's major applications.

Resources

Paranoid Penguin: Hardening Sendmail (Linux Journal). Mick Bauer shares his secrets of a secure sendmail install. "Well, contrary to popular belief, sendmail isn't a total loss where security is concerned, nor does it require learning the arcane syntax of sendmail.cf (although hardcore sendmail gurus do indeed master it). This month we examine these and other sendmail security controversies, using sendmail's handy m4 macros to rapidly build a secure but functional Simple Mail Transport Protocol (SMTP) gateway to handle internet mail."

The Linux Virus Writing HOWTO. Alexander Bartolich's Linux Virus Writing HOWTO describes "how to write parasitic file viruses infecting ELF executables on Linux/i386. Though it contains a lot of source code, no actual virus is included."

Linux security week. The latest Linux Security Week and other publications from LinuxSecurity.com are available.

Events

Upcoming Security Events.

FOSE SELinux Panel. There is a Security Enhanced Linux (SELinux) panel at the FOSE conference in Washington D.C. today, Thursday, March 21, 2002.

Date: Event (Venue), Location

March 21, 2002: Sixth Annual Distributed Objects and Components Security Workshop (Pier 5 Hotel at the Inner Harbor), Baltimore, Maryland, USA
April 1 - 7, 2002: SANS 2002, Orlando, FL, USA
April 5 - 7, 2002: Rubicon, Detroit, Michigan, USA
April 7 - 10, 2002: Techno-Security 2002 Conference, Myrtle Beach, SC, USA
April 14 - 15, 2002: Workshop on Privacy Enhancing Technologies 2002 (Cathedral Hill Hotel), San Francisco, California, USA
April 16 - 19, 2002: The Twelfth Conference on Computers, Freedom & Privacy (Cathedral Hill Hotel), San Francisco, California, USA
April 23 - 25, 2002: Infosecurity Europe 2002, Olympia, London, UK
May 1 - 3, 2002: cansecwest/core02, Vancouver, Canada
May 4 - 5, 2002: DallasCon, Dallas, TX, USA
May 12 - 15, 2002: 2002 IEEE Symposium on Security and Privacy (The Claremont Resort), Oakland, California, USA
May 13 - 14, 2002: 3rd International Common Criteria Conference (ICCC), Ottawa, Ontario, Canada
May 13 - 17, 2002: 14th Annual Canadian Information Technology Security Symposium (CITSS) (Ottawa Congress Centre), Ottawa, Ontario, Canada
May 27 - 31, 2002: 3rd International SANE Conference (SANE 2002), Maastricht, The Netherlands
May 29 - 30, 2002: RSA Conference 2002 Japan (Akasaka Prince Hotel), Tokyo, Japan

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney


March 21, 2002

Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds