Sections: Main page
Security Kernel
Distributions
Development
Commerce
Linux in the news
Announcements
Letters
All in one big page
See also: last week's Security page.
|
News and Editorials
Apache 1.3.24 Released. Apache version 1.3.24 has been released.
"This version of Apache is principally a security and bug fix
release."
Security Reports
Format string exploits in libsafe Libsafe versions
prior to 2.0-12 are vulnerable to format
string exploits.
"Libsafe protection against format string exploits may be easily bypassed
using flag characters that are implemented in glibc but are not
implemented in libsafe."
The current version is libsafe
2.0-13.
Steve Beattie pointed out that the Immunix FormatGuard tool
is not vulnerable to these kinds of attacks.
Squid proxy cache security update. Squid-2.X
releases up to and including 2.4.STABLE4 are vulnerable to attack from a malicous DNS server. The problem is fixed in Squid-2.4.STABLE6 problem.
Debian Security Advisory - mtr.
A buffer overflow problem in mtr may allow an attacker to gain access to the raw socket, which makes IP
spoofing and other malicious network activity possible.
Redhat update for imlib.
Red Hat has released a security update for imlib that fixes "potential problems
loading untrusted images", this vulnerability is exploitablie via the
NetPBM package.
Mandrake security alert for kdm.
MandrakeSoft has issued a
security alert for kdm; it seems that the default configuration
allows XDMCP connections from anywhere. The workaround is to make a
small configuration file change; see the alert for details.
Komba
Samba share browser password disclosure vulnerability. The problem is fixed
in Komba2
0.7.3.
All prior versions are vulnerable.
Webmin local privilege escalation vulnerabilities.
The webmin 0.93 release fixes
local privilege escalation vulnerabilities in the /var/webmin and
/etc/webmin/servers/ directories.
web scripts.
The following web scripts were reported to contain vulnerabilities:
Proprietary products.
The following proprietary products were reported to contain
vulnerabilities:
Updates
zlib corrupts malloc data structures via double
free. This vulnerability impacts all major Linux vendors. It may
impact every Linux installation on Earth.
Updates are required to zlib and any
packages that were statically built with the zlib code.
(First LWN report: March 14).
LinuxSecurity
describes the vulnerability and coordinated distributor efforts
in detail.
"Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc,
vnc, and many other programs that have the ability to use network
compression are potentially vulnerable."
Updating is recommended.
As always, please proceed with caution when applying updates to
the kernel.
This week's updates:
Previous updates:
- Conectiva (March 14, 2002)
(zlib and
derived packages)
- Debian (March 11, 2002)
(nine packages)
- EnGarde (March 11, 2002)
(zlib kernel popt rsync)
- Eridani
(March 22, 2002) (kernel update to March 13 alert)
- Eridani (March 13, 2002)
(libz)
- Eridani (March 13, 2002)
(vnc dump cvs
rsync kernel)
- Mandrake (March 13, 2002)
(packages
containing zlib)
- Mandrake (March 12, 2002)
(zlib)
- Mandrake (March 12, 2002)
(twelve
packages including kernel)
- OpenPKG (March 12, 2002)
(zlib
cvs gnupg rrdtool rsync)
- Red Hat (March 21, 2002)
(Powertools 6.2
VNC update to March 11 fix; sparc64 kernel for Red Hat 6.2)
- Red Hat (March 15, 2002)
(kernel for Red
Hat 6.2 & 7.0)
- Red Hat (March 11, 2002)
(Red
Hat Linux; also apply the March 15 kernel update)
- Red Hat (March 11, 2002)
(Red Hat Powertools)
- SuSE (March 11, 2002)
(libz/zlib)
- SuSE (March 11, 2002)
(eight packages including kernel)
- Slackware (March 12, 2002)
(zlib)
- Slackware (March 12, 2002)
(rsync)
- Slackware (March 12, 2002)
(cvs)
- Trustix (March 18, 2002)
(zlib and derived
packages)
See also: articles in ZDNet and The Register
about the zlib vulnerability. And, these reports from
ZDNet and
Vnunet
on this vulnerability in some of Microsoft's major applications.
Both PHP3 and PHP4 have vulnerabilities in
their file upload code which can lead to remote command execution.
This one could be ugly; sites using PHP should apply updates at the first
opportunity. If an update isn't available for your distribution, users
of PHP 4.0.3 and later are encouraged to consider disabling file upload
support by adding this directive to php.ini:
file_uploads = Off
CERT has issued this advisory on the problem.
This article in
the Register also talks about the vulnerability.
(First LWN report: March 7).
Developers using the 4.2.0 branch, are not vulnerable because
because file upload support was completely rewritten for that branch.
This week's updates:
Previous updates:
- Conectiva (March 8, 2002)
- Debian (March 2, 2002)
- EnGarde (March 1, 2002)
- Eridani (March 5, 2002)
- Mandrake (February 28, 2002)
- Mitel Networks (March 7, 2002) (SME Server)
- OpenPKG (February 28, 2002)
- Red Hat (March 21, 2002)
- Slackware (March 5, 2002)
- SuSE (February 28, 2002)
- Trustix (April 29, 2002)
(The
February 28th update "did not quite do the trick")
- Trustix (February 28, 2002)
- Yellow Dog (March 5, 2002)
Update: Despite some
concern expressed in an earlier report by LWN, these updates do,
in fact, fix the problem. The original update from the php team
fixes the security hole but introduces a "rare segfault condition"
that is not a security problem.
Resources
RAV AntiVirus v8.5 for Linux Review (LinuxLookup).
Here is a
review of RAV AntiVirus v8.5 for Linux. "RAV AntiVirus v8.5 for
Linux Mail Servers, Servers, and Workstations is flexible and scalable,
allowing independent configuration of the scanning module, fully
independent from the Mail Server. In the configuration file you can
customize the actions to be taken by RAV when detecting a virus - clean,
move, copy, rename, delete, ignore, reject - and benefit of advanced
features, like warning the sender, warning the receiver or warning a
third party (the server administrator when detecting an external
threat)."
Getting Started with Gnu Privacy Guard (Open for Business).
Here is a HOWTO
article on using GNU Privacy Guard (GPG). "The idea of signing
your key is to create a "web of trust," where if John trusts Jim's
identity, and Jim trusts Nancy's identity, then John knows he can trust
the identity of Nancy too. Most often, signing is reciprocal, so John and
Jim probably signed each other's keys, and Jim and Nancy did the
same."
Linux security week. The
publication
from LinuxSecurity.com is available.
Events
UniNet announced the 1st Information Security Conference
at UniNet, InfoSec 2002, which will run from April 15th to 19th on the
UniNet IRC network (irc.uninet.edu) in the channel #infosec.
Upcoming Security Events.
Date | Event | Location |
April 1 - 7, 2002 | SANS 2002 | Orlando, FL., USA |
April 5 - 7, 2002 | Rubicon | Detroit, Michigan, USA |
April 7 - 10, 2002 | Techno-Security 2002 Conference | Myrtle Beach, SC |
April 14 - 15, 2002 | Workshop on Privacy Enhancing Technologies 2002 | (Cathedral Hill Hotel)San Francisco, California, USA |
April 15 - 19, 2002 | InfoSec 2002 | UniNet IRC network (irc.uninet.edu) - channel #infosec |
April 16 - 19, 2002 | The Twelfth Conference on Computers, Freedom & Privacy | (Cathedral Hill Hotel)San Francisco, California, USA |
April 23 - 25, 2002 | Infosecurity Europe 2002 | Olympia, London, UK |
May 1 - 3, 2002 | cansecwest/core02 | Vancouver, Canada |
May 4 - 5, 2002 | DallasCon | Dallas, TX., USA |
May 12 - 15, 2002 | 2002 IEEE Symposium on Security and Privacy | (The Claremont Resort)Oakland, California, USA |
May 13 - 14, 2002 | 3rd International Common Criteria Conference(ICCC) | Ottawa, Ont., Canada |
May 13 - 17, 2002 | 14th Annual Canadian Information Technology Security Symposium(CITSS) | (Ottawa Congress Centre)Ottawa, Ontario, Canada |
May 27 - 31, 2002 | 3rd International SANE Conference(SANE 2002) | Maastricht, The Netherlands |
For additional security-related events, included training courses (which we
don't list above) and events further in the future, check out
Security Focus' calendar,
one of the primary resources we use for building the above list. To
submit an event directly to us, please send a plain-text message to
lwn@lwn.net.
Section Editor: Dennis Tenney
|
March 28, 2002
LWN Resources
Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix
Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH
Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive
Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata
BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD
Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog
Security Software Archives
munitions
ZedZ.net (formerly replay.com)
Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal
|