
See also: last week's Security page.

Security


News and Editorials

Red Hat Unveils CVE Security Compatibility. Red Hat announced that its security alerts and advisories, including updates issued through the Red Hat Network, will use Common Vulnerabilities and Exposures (CVE) standard names. The CVE project has been working since 1999 to create a standard way of referring to security problems, so that an advisory from one vendor can be matched to the same flaw in another vendor's bulletin or in a scanner's output. So far, fifty-one organizations have declared that seventy-six network security products or services are, or will be, CVE-compatible.

Other Linux distributors who have adopted CVE at some level include Caldera, Debian, EnGarde Secure Linux and Mandrake Linux. LWN published a brief introduction to CVE in our February 28th security section.

New Evans Data Survey Reports Security Breaches Rare in Linux Environment. An Evans Data Corp. survey looks at Linux security statistics. "According to CERT, a center for Internet security expertise operated by Carnegie Mellon University, the total number of computer attacks has almost doubled every year since 1988. However, the rarity of security breaches in the Linux environment is illustrated by the fact that 78% of respondents to the survey have never experienced an unwanted intrusion and 94% have operated virus-free."

Open sourcers wear the white hats (ZDNet). Here's an article by Bruce Perens about the difference in the security of open-source and proprietary software. "In contrast, open source has a lot of "white hats" looking at the source. They often do find security bugs while working on other aspects of the code, and the bugs are reported and closed. However, open source can still profit from a formal security review, just as proprietary code can, and there is an accelerating trend to do formal security reviews in open-source projects."

Security Reports

IMP 2.2.8 released. Version 2.2.8 of IMP has been released; it fixes several cross-site scripting vulnerabilities. "The Horde team announces the availability of IMP 2.2.8, which prevents some potential cross-site scripting (CSS) attacks. Site administrators should consider upgrading to IMP 3 (our first recommendation), but if this is not possible, IMP 2.2.8 should be used to prevent these potential attacks."

Red Hat Security Advisory - tcpdump. Updated tcpdump, libpcap, and arpwatch packages are available for Red Hat Linux 6.2 and 7.x. These updates close vulnerabilities present in versions of tcpdump up to 3.5.1 and various other bugs.

Red Hat Security Advisory - logwatch. Updated Red Hat Linux 7.2 logwatch packages are available that fix temporary-file race conditions that can allow a local user to gain root privileges. Here's the same alert for the Red Hat Powertools logwatch.
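The logwatch flaw is the classic temporary-file race: a privileged script creates a file under a predictable name in a world-writable directory, and a local user who gets a symlink onto that name first has the privileged process write through it. The following is an added example, not code from logwatch or from Red Hat's update, showing the vulnerable open beside the hardened one and simulating the attacker having already won the race. The file name logwatch.tmp, the victim file and the payload are all constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: a predictable name opened with O_TRUNC. If a local
 * attacker has already placed a symlink at that name, the privileged
 * process follows it and truncates whatever the link points to. */
int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL makes the open fail if anything, including a
 * dangling symlink, already exists at the path, and O_NOFOLLOW refuses to
 * traverse a symlink in the final component. Real code should also make
 * the name unpredictable (mkstemp(), or a private mkdtemp() directory). */
int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Simulates the race with the attacker having already won it: a symlink
 * under the predictable name points at a victim file. Returns 1 if the
 * victim's contents were clobbered through the link, 0 if the open
 * refused, -1 on setup error. Everything happens inside a private
 * mkdtemp() directory, so nothing else on the system is touched. */
int simulate_tmp_race(int hardened)
{
    char dir[] = "/tmp/tmprace-demo-XXXXXX";
    char victim[300], linkpath[300], buf[32] = {0};
    const char *attack_payload = "clobbered\n";   /* constructed */
    FILE *f;
    int fd, clobbered;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(linkpath, sizeof linkpath, "%s/logwatch.tmp", dir); /* constructed predictable name */

    /* The file the attacker wants the privileged process to overwrite. */
    if ((f = fopen(victim, "w")) == NULL)
        return -1;
    fputs("original\n", f);
    fclose(f);

    /* Attacker's move: plant the symlink before the privileged open. */
    if (symlink(victim, linkpath) != 0)
        return -1;

    /* Privileged process's move. */
    fd = hardened ? open_tmp_safe(linkpath) : open_tmp_unsafe(linkpath);
    if (fd >= 0) {
        ssize_t n = write(fd, attack_payload, strlen(attack_payload));
        (void)n;
        close(fd);
    }

    /* Did the write land on the victim? */
    if ((f = fopen(victim, "r")) == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f) == NULL)
        buf[0] = '\0';
    fclose(f);
    clobbered = strcmp(buf, attack_payload) == 0;

    unlink(linkpath);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("O_TRUNC open wrote through the planted symlink: %d\n", simulate_tmp_race(0));
    printf("O_EXCL|O_NOFOLLOW open wrote through it:        %d\n", simulate_tmp_race(1));
    return 0;
}
```

The hardened open fails with EEXIST when anything is already at the path, so the process cannot be steered onto another file. It still needs an unpredictable name in practice: with O_EXCL alone, an attacker who squats on the fixed name can at least deny service, which is why mkstemp() or a private mkdtemp() directory is the usual complete fix.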

web scripts. The following web scripts were reported to contain vulnerabilities:

  • Steve Gustin has reported a remote code execution vulnerability in csGuestBook, csLiveSupport, csNewsPro and csChatRBox. Updates that fix the vulnerability are available from CGIScript.net.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

Updates

Apache spoofed information logging vulnerability. Versions of Apache prior to 1.3.24 could write invalid client hostnames to the log file. A remote attacker can exploit this behavior to insert spoofed information into the web server's logs. The fix is to upgrade to the recent Apache 1.3.24 release. (First LWN report: March 28th).
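What makes the Apache problem exploitable is that the "hostname" reaches the log exactly as the resolver returned it, so a name the attacker controls through a bogus PTR record can carry spaces, quotes or a newline and forge an entire extra log entry. The added example below, written for this page and not taken from the Apache sources, applies the two checks a log writer should make: a strict syntax check on the looked-up name, falling back to the numeric address if it fails, and escaping of anything that reaches the log regardless of origin. The forged name and addresses are constructed. The complementary network-side check, confirming that the name forward-resolves back to the connecting address, needs DNS and is not shown.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Accepts only syntactically valid DNS host names (RFC 1123 shape):
 * labels of 1 to 63 letters, digits and hyphens, no label starting or
 * ending with a hyphen, single dots between labels, at most 253 characters
 * in total. Spaces, quotes, control characters and newlines all fail. */
int is_valid_hostname(const char *h)
{
    size_t len = strlen(h), label = 0;
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i <= len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (c == '.' || c == '\0') {
            if (label == 0 || label > 63 || h[i - 1] == '-')
                return 0;
            label = 0;
            continue;
        }
        if (label == 0 && c == '-')
            return 0;
        if (!isalnum(c) && c != '-')
            return 0;
        label++;
    }
    return 1;
}

/* Second layer, applied to every field regardless of origin: printable
 * ASCII passes through, '"' and '\\' are backslash-escaped, everything
 * else becomes \xHH, so no field can end its column early or start a new
 * log line. Returns 0 on success, -1 if out was too small (the output is
 * truncated but always NUL-terminated). */
int escape_for_log(const char *s, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        char rep[5];
        if (*p == '"' || *p == '\\')
            snprintf(rep, sizeof rep, "\\%c", *p);
        else if (*p >= 0x20 && *p < 0x7f)
            snprintf(rep, sizeof rep, "%c", *p);
        else
            snprintf(rep, sizeof rep, "\\x%02x", *p);
        size_t r = strlen(rep);
        if (o + r >= outlen) {
            out[o] = '\0';
            return -1;
        }
        memcpy(out + o, rep, r);
        o += r;
    }
    out[o] = '\0';
    return 0;
}

/* Picks what to log for the client: the looked-up name only if it passes
 * is_valid_hostname(), otherwise the numeric address, which the server
 * derived itself and the client could not choose. The choice is escaped
 * either way. Returns 1 if the name was used, 0 if it fell back. */
int log_client_host(const char *ip, const char *ptr_name, char *out, size_t outlen)
{
    const char *chosen = (ptr_name && is_valid_hostname(ptr_name)) ? ptr_name : ip;
    escape_for_log(chosen, out, outlen);
    return chosen == ptr_name;
}

/* Convenience wrappers over one static buffer, for this single-threaded demo only. */
static char demo_buf[512];
const char *escaped(const char *s)
{
    escape_for_log(s, demo_buf, sizeof demo_buf);
    return demo_buf;
}
const char *chosen_host(const char *ip, const char *ptr_name)
{
    log_client_host(ip, ptr_name, demo_buf, sizeof demo_buf);
    return demo_buf;
}

int main(void)
{
    /* Constructed forged PTR result: a newline followed by a fake log entry. */
    const char *forged = "attacker\n192.0.2.99 - - [11/Apr/2002:00:00:00 +0000] \"GET /forged HTTP/1.0\" 200 0";
    printf("valid hostname? %d\n", is_valid_hostname(forged));
    printf("logged host:    %s\n", chosen_host("192.0.2.10", forged));
    printf("escaped raw:    %s\n", escaped(forged));
    return 0;
}
```

The two layers are deliberately independent: the syntax check keeps attacker-chosen names out of the log, and the escaping means that even a field nobody thought to validate (a User-Agent, a Referer) cannot break the one-line record format that log analysers rely on.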

This week's updates:

rsync supplementary groups vulnerability. Ethan Benson reported that rsyncd fails to remove supplementary groups (such as root) from the server process after changing to the specified unprivileged uid and gid. "This seems only serious if rsync is called using "rsync --daemon" from the command line where it will inherit the group of the user starting the server (usually root)." (First LWN report:  March 14th, 2002).
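The rsync issue is a privilege-dropping order mistake that is common enough to spell out: setuid() and setgid() do not touch the supplementary group list, so a daemon started from a root shell keeps gid 0 (and any other group root had) after "dropping" to its unprivileged account. The added example below, not rsync's own code, shows the sequence that works (setgroups() first while still root, then setgid(), then setuid()) followed by verification, plus a small pure check over a group list so the detection logic can be exercised on constructed data.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the list still carries a group other than `primary`.
 * With "rsync --daemon" started from a root shell, the list inherited from
 * root (typically including gid 0) is exactly what this catches.
 * Pure function so the check can be exercised on constructed data. */
int has_leftover_groups(const gid_t *groups, int n, gid_t primary)
{
    for (int i = 0; i < n; i++)
        if (groups[i] != primary)
            return 1;
    return 0;
}

/* Drops to uid/gid in the order that actually works: the supplementary
 * list first (it needs root, so do it while still root), then the primary
 * gid, then the uid last, since after setuid() the process can no longer
 * change its groups. Then verifies instead of trusting the return codes.
 * Returns 0 on success, -1 with errno set otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t groups[NGROUPS_MAX];
    int n;

    if (setgroups(0, NULL) != 0)      /* empty the supplementary list */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Must not be able to climb back to root... */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) {
        errno = EPERM;
        return -1;
    }
    /* ...must be exactly the requested identity... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* ...and must not carry anything but the primary gid. */
    n = getgroups(NGROUPS_MAX, groups);
    if (n < 0 || has_leftover_groups(groups, n, gid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Report what the current process carries; run from a root shell to
     * see the inherited supplementary groups a daemon would keep. */
    gid_t groups[NGROUPS_MAX];
    int n = getgroups(NGROUPS_MAX, groups);
    printf("uid=%u gid=%u supplementary groups=%d leftovers=%d\n",
           (unsigned)getuid(), (unsigned)getgid(), n,
           n < 0 ? -1 : has_leftover_groups(groups, n, getgid()));
    return 0;
}
```

The verification step matters as much as the order: a daemon that checks getgroups() after dropping would have caught this class of bug at startup rather than leaving it for a reviewer to notice.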

This week's updates:

Previous updates:

Multiple vulnerabilities in SNMP implementations. Most SNMP implementations have a variety of buffer overflow vulnerabilities and should be upgraded at the first opportunity. See this CERT advisory for more. (First LWN report: February 14).
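Most of the SNMP decoder flaws behind the CERT advisory share one shape: a BER length read from the packet is trusted and used to size a copy. The added example below, written for this page rather than taken from any SNMP implementation, is a bounded BER tag-length reader and the community-string extraction built on it, with two constructed malformed messages of the kind fuzzing test suites generate: a length larger than the bytes remaining, and a long-form length claiming four gigabytes. The packets are constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One BER tag-length-value as found in the input buffer. */
typedef struct {
    uint8_t        tag;     /* identifier octet (SNMP uses single-octet tags) */
    size_t         length;  /* content length as declared and verified */
    const uint8_t *value;   /* points into the input buffer */
} ber_tlv;

/* Reads one TLV from in[0..in_len). Returns bytes consumed (header plus
 * content) or 0 if the encoding is rejected. Every length the wire claims
 * is checked against the bytes actually present, so a packet saying
 * "4 GB of content follow" cannot drive a copy past the buffer. The
 * indefinite form (0x80) and length-of-length > sizeof(size_t) are
 * rejected; neither is legal in SNMP's BER subset. Multi-byte tags
 * (low five bits all set) are rejected to keep the example short. */
size_t ber_read_tlv(const uint8_t *in, size_t in_len, ber_tlv *out)
{
    size_t pos = 0, len = 0;

    if (in_len < 2)                      /* need at least tag + length */
        return 0;
    out->tag = in[pos++];
    if ((out->tag & 0x1f) == 0x1f)
        return 0;

    uint8_t l0 = in[pos++];
    if (l0 < 0x80) {
        len = l0;                        /* short form */
    } else {
        size_t nbytes = l0 & 0x7f;       /* long form: number of length octets */
        if (nbytes == 0 || nbytes > sizeof(size_t) || nbytes > in_len - pos)
            return 0;                    /* indefinite, absurd, or truncated */
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | in[pos++];
    }
    if (len > in_len - pos)              /* the check the vulnerable decoders lacked */
        return 0;
    out->length = len;
    out->value = in + pos;
    return pos + len;
}

/* Pulls the community string out of an SNMPv1/v2c message:
 * SEQUENCE { INTEGER version, OCTET STRING community, PDU }.
 * Copies at most outlen-1 bytes and NUL-terminates; returns the community
 * length, or -1 if the message is malformed or the community does not fit.
 * The declared length is checked against both the packet and the
 * destination before any byte is copied. */
int snmp_extract_community(const uint8_t *pkt, size_t pkt_len, char *out, size_t outlen)
{
    ber_tlv msg, version, community;
    size_t used;

    if (ber_read_tlv(pkt, pkt_len, &msg) == 0 || msg.tag != 0x30)
        return -1;
    /* From here on, parse only within the outer SEQUENCE's verified content. */
    used = ber_read_tlv(msg.value, msg.length, &version);
    if (used == 0 || version.tag != 0x02)
        return -1;
    if (ber_read_tlv(msg.value + used, msg.length - used, &community) == 0 || community.tag != 0x04)
        return -1;
    if (community.length >= outlen)
        return -1;
    memcpy(out, community.value, community.length);
    out[community.length] = '\0';
    return (int)community.length;
}

/* Constructed sample messages (not captured traffic). All three share the
 * same empty GetRequest PDU; only the community OCTET STRING differs. */
const uint8_t SNMP_GOOD[] = {            /* community "public" */
    0x30, 0x18, 0x02, 0x01, 0x00, 0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c',
    0xa0, 0x0b, 0x02, 0x01, 0x01, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x00 };
const uint8_t SNMP_OVERLONG[] = {        /* claims 20 bytes, only 19 remain */
    0x30, 0x18, 0x02, 0x01, 0x00, 0x04, 0x14, 'p', 'u', 'b', 'l', 'i', 'c',
    0xa0, 0x0b, 0x02, 0x01, 0x01, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x00 };
const uint8_t SNMP_HUGE[] = {            /* long form: length 0xffffffff */
    0x30, 0x16, 0x02, 0x01, 0x00, 0x04, 0x84, 0xff, 0xff, 0xff, 0xff,
    0xa0, 0x0b, 0x02, 0x01, 0x01, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x00 };

/* Parses into a local buffer; returns the community length or -1. */
int community_length(const uint8_t *pkt, size_t pkt_len)
{
    char buf[64];
    return snmp_extract_community(pkt, pkt_len, buf, sizeof buf);
}

int main(void)
{
    char community[64];
    int n = snmp_extract_community(SNMP_GOOD, sizeof SNMP_GOOD, community, sizeof community);
    printf("well-formed:          %s\n", n >= 0 ? community : "rejected");
    printf("length > remaining:   %s\n", community_length(SNMP_OVERLONG, sizeof SNMP_OVERLONG) >= 0 ? "accepted" : "rejected");
    printf("4 GB long-form length: %s\n", community_length(SNMP_HUGE, sizeof SNMP_HUGE) >= 0 ? "accepted" : "rejected");
    return 0;
}
```

Note that the inner parse is bounded by the outer SEQUENCE's verified length rather than by the packet size, so an inner element cannot reach past its container even when the packet happens to have trailing bytes.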

This week's updates:

Previous updates:

zlib corrupts malloc data structures via double free. This vulnerability affects all major Linux vendors and, because zlib is linked into so much software, potentially every Linux installation. Updates are required to zlib and to any packages that were statically built with the zlib code, since those carry their own copy of the flaw and do not benefit from a fixed shared library. (First LWN report: March 14).

LinuxSecurity describes the vulnerability and coordinated distributor efforts in detail. "Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc, vnc, and many other programs that have the ability to use network compression are potentially vulnerable."

Updating is recommended. As always, please proceed with caution when applying updates to the kernel.

This week's updates:

Previous updates:

See also: articles in ZDNet and The Register about the zlib vulnerability, and reports from ZDNet and Vnunet on the same flaw in several of Microsoft's major applications.

Resources

Linux security week. The latest issues of LinuxSecurity.com's weekly publications are available.

Network security tips for managers (ZDNet). While not Linux (or Unix) specific, this article does contain some good security tips. "To see what may be listening on the computers in your network, you should use a simple hacker's tool known as a port scanner. Software that is used across a network listens to network information on a port. There are a number of ports available on most servers. By using a tool known as a port scanner, a hacker checks for every possible piece of network software. If it answers, the hacker tries to find more information about the computer. The hacker then tries to exploit that port. However, you can use it just as a list of what's listening on a computer and check to make sure you don't have unnecessary software running."

Events

Black Hat Briefings 2002 call for papers. Black Hat has issued this reminder that the Black Hat 2002 Call for Papers closes May 1st. The conference is held from July 31-August 1, 2002 at the Caesars Palace Hotel and Resort in Las Vegas, NV, USA.

Upcoming Security Events.
Date                  Event                                                                    Location
April 14 - 15, 2002   Workshop on Privacy Enhancing Technologies 2002                          Cathedral Hill Hotel, San Francisco, California, USA
April 15 - 19, 2002   InfoSec 2002                                                             UniNet IRC network (irc.uninet.edu), channel #infosec
April 16 - 19, 2002   The Twelfth Conference on Computers, Freedom & Privacy                   Cathedral Hill Hotel, San Francisco, California, USA
April 23 - 25, 2002   Infosecurity Europe 2002                                                 Olympia, London, UK
May 1 - 3, 2002       cansecwest/core02                                                        Vancouver, Canada
May 4 - 5, 2002       DallasCon                                                                Dallas, TX, USA
May 12 - 15, 2002     2002 IEEE Symposium on Security and Privacy                              The Claremont Resort, Oakland, California, USA
May 13 - 14, 2002     3rd International Common Criteria Conference (ICCC)                      Ottawa, Ont., Canada
May 13 - 17, 2002     14th Annual Canadian Information Technology Security Symposium (CITSS)   Ottawa Congress Centre, Ottawa, Ontario, Canada
May 27 - 31, 2002     3rd International SANE Conference (SANE 2002)                            Maastricht, The Netherlands
May 29 - 30, 2002     RSA Conference 2002 Japan                                                Akasaka Prince Hotel, Tokyo, Japan

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney


April 11, 2002

Eklektix, Inc. Linux powered! Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds