Sections:
Main page
Security
Kernel
Distributions
Development
Commerce
Linux in the news
Announcements
Letters
All in one big page

Security

News and Editorials

Apache 1.3.24 Released. Apache version 1.3.24 has been released. "This version of Apache is principally a security and bug fix release."

Security Reports

Format string exploits in libsafe Libsafe versions prior to 2.0-12 are vulnerable to format string exploits. "Libsafe protection against format string exploits may be easily bypassed using flag characters that are implemented in glibc but are not implemented in libsafe." The current version is libsafe 2.0-13. Steve Beattie pointed out that the Immunix FormatGuard tool is not vulnerable to these kinds of attacks.

Squid proxy cache security update. Squid-2.X releases up to and including 2.4.STABLE4 are vulnerable to attack from a malicous DNS server. The problem is fixed in Squid-2.4.STABLE6 problem.

Debian Security Advisory - mtr. A buffer overflow problem in mtr may allow an attacker to gain access to the raw socket, which makes IP spoofing and other malicious network activity possible.

Redhat update for imlib. Red Hat has released a security update for imlib that fixes "potential problems loading untrusted images", this vulnerability is exploitablie via the NetPBM package.

Mandrake security alert for kdm. MandrakeSoft has issued a security alert for kdm; it seems that the default configuration allows XDMCP connections from anywhere. The workaround is to make a small configuration file change; see the alert for details.

Komba Samba share browser password disclosure vulnerability. The problem is fixed in Komba2 0.7.3. All prior versions are vulnerable.

Webmin local privilege escalation vulnerabilities. The webmin 0.93 release fixes local privilege escalation vulnerabilities in the /var/webmin and /etc/webmin/servers/ directories.

web scripts. The following web scripts were reported to contain vulnerabilities:

Penguin Traceroute has a remote command execution vulnerability with this proposed fix and a useful comment on the proposed fix.
csSearch versions 2.3 and have a remote code execution vulnerability; download csSearch 2.5 to correct the problem. There is no charge to download the script; a name and email address are required. csSearchPro is available for purchase.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

Updates

zlib corrupts malloc data structures via double free. This vulnerability impacts all major Linux vendors. It may impact every Linux installation on Earth. Updates are required to zlib and any packages that were statically built with the zlib code. (First LWN report: March 14).

LinuxSecurity describes the vulnerability and coordinated distributor efforts in detail. "Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc, vnc, and many other programs that have the ability to use network compression are potentially vulnerable."

Updating is recommended. As always, please proceed with caution when applying updates to the kernel.

This week's updates:

Caldera (April 4, 2002) (libz and derived packages)
Caldera (April 3, 2002) (rsync)

Previous updates:

Conectiva (March 14, 2002) (zlib and derived packages)
Debian (March 11, 2002) (nine packages)
EnGarde (March 11, 2002) (zlib kernel popt rsync)
Eridani (March 22, 2002) (kernel update to March 13 alert)
Eridani (March 13, 2002) (libz)
Eridani (March 13, 2002) (vnc dump cvs rsync kernel)
Mandrake (March 13, 2002) (packages containing zlib)
Mandrake (March 12, 2002) (zlib)
Mandrake (March 12, 2002) (twelve packages including kernel)
OpenPKG (March 12, 2002) (zlib cvs gnupg rrdtool rsync)
Red Hat (March 21, 2002) (Powertools 6.2 VNC update to March 11 fix; sparc64 kernel for Red Hat 6.2)
Red Hat (March 15, 2002) (kernel for Red Hat 6.2 & 7.0)
Red Hat (March 11, 2002) (Red Hat Linux; also apply the March 15 kernel update)
Red Hat (March 11, 2002) (Red Hat Powertools)
SuSE (March 11, 2002) (libz/zlib)
SuSE (March 11, 2002) (eight packages including kernel)
Slackware (March 12, 2002) (zlib)
Slackware (March 12, 2002) (rsync)
Slackware (March 12, 2002) (cvs)
Trustix (March 18, 2002) (zlib and derived packages)

See also: articles in ZDNet and The Register about the zlib vulnerability. And, these reports from ZDNet and Vnunet on this vulnerability in some of Microsoft's major applications.

Both PHP3 and PHP4 have vulnerabilities in their file upload code which can lead to remote command execution. This one could be ugly; sites using PHP should apply updates at the first opportunity. If an update isn't available for your distribution, users of PHP 4.0.3 and later are encouraged to consider disabling file upload support by adding this directive to php.ini:

  
	file_uploads = Off

CERT has issued this advisory on the problem. This article in the Register also talks about the vulnerability. (First LWN report: March 7).

Developers using the 4.2.0 branch, are not vulnerable because because file upload support was completely rewritten for that branch.

This week's updates:

Caldera (May 16, 2002)

Previous updates:

Conectiva (March 8, 2002)
Debian (March 2, 2002)
EnGarde (March 1, 2002)
Eridani (March 5, 2002)
Mandrake (February 28, 2002)
Mitel Networks (March 7, 2002) (SME Server)
OpenPKG (February 28, 2002)
Red Hat (March 21, 2002)
Slackware (March 5, 2002)
SuSE (February 28, 2002)
Trustix (April 29, 2002) (The February 28th update "did not quite do the trick")
Trustix (February 28, 2002)
Yellow Dog (March 5, 2002)

Update: Despite some concern expressed in an earlier report by LWN, these updates do, in fact, fix the problem. The original update from the php team fixes the security hole but introduces a "rare segfault condition" that is not a security problem.

Resources

RAV AntiVirus v8.5 for Linux Review (LinuxLookup). Here is a review of RAV AntiVirus v8.5 for Linux. "RAV AntiVirus v8.5 for Linux Mail Servers, Servers, and Workstations is flexible and scalable, allowing independent configuration of the scanning module, fully independent from the Mail Server. In the configuration file you can customize the actions to be taken by RAV when detecting a virus - clean, move, copy, rename, delete, ignore, reject - and benefit of advanced features, like warning the sender, warning the receiver or warning a third party (the server administrator when detecting an external threat)."

Getting Started with Gnu Privacy Guard (Open for Business). Here is a HOWTO article on using GNU Privacy Guard (GPG). "The idea of signing your key is to create a "web of trust," where if John trusts Jim's identity, and Jim trusts Nancy's identity, then John knows he can trust the identity of Nancy too. Most often, signing is reciprocal, so John and Jim probably signed each other's keys, and Jim and Nancy did the same."

Linux security week. The publication from LinuxSecurity.com is available.

Events

UniNet announced the 1st Information Security Conference at UniNet, InfoSec 2002, which will run from April 15th to 19th on the UniNet IRC network (irc.uninet.edu) in the channel #infosec.

Upcoming Security Events.

Date Event Location

April 1 - 7, 2002 SANS 2002 Orlando, FL., USA

April 5 - 7, 2002 Rubicon Detroit, Michigan, USA

April 7 - 10, 2002 Techno-Security 2002 Conference Myrtle Beach, SC

April 14 - 15, 2002 Workshop on Privacy Enhancing Technologies 2002 (Cathedral Hill Hotel)San Francisco, California, USA

April 15 - 19, 2002 InfoSec 2002 UniNet IRC network (irc.uninet.edu) - channel #infosec

April 16 - 19, 2002 The Twelfth Conference on Computers, Freedom & Privacy (Cathedral Hill Hotel)San Francisco, California, USA

April 23 - 25, 2002 Infosecurity Europe 2002 Olympia, London, UK

May 1 - 3, 2002 cansecwest/core02 Vancouver, Canada

May 4 - 5, 2002 DallasCon Dallas, TX., USA

May 12 - 15, 2002 2002 IEEE Symposium on Security and Privacy (The Claremont Resort)Oakland, California, USA

May 13 - 14, 2002 3rd International Common Criteria Conference(ICCC) Ottawa, Ont., Canada

May 13 - 17, 2002 14th Annual Canadian Information Technology Security Symposium(CITSS) (Ottawa Congress Centre)Ottawa, Ontario, Canada

May 27 - 31, 2002 3rd International SANE Conference(SANE 2002) Maastricht, The Netherlands

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney

March 28, 2002

LWN Resources

Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal

Next: Kernel