Security

News and Editorials

Red Hat Unveils CVE Security Compatibility. Red Hat announced that their security alerts and advisories, including updates issued through the Red Hat Network, will use Common Vulnerabilities and Exposures (CVE) standard names. The CVE project has been working since 1999 to create a standard way of talking about security problems. So far, fifty-one organizations have declared that seventy-six network security products or services are, or will be, CVE-compatible. Other Linux distributors who have adopted CVE at some level include Caldera, Debian, EnGarde Secure Linux and Mandrake Linux. LWN published a brief introduction to CVE in our February 28th security section.

New Evans Data Survey Reports Security Breaches Rare in Linux Environment. An Evans Data Corp. survey looks at Linux security statistics. "According to CERT, a center for Internet security expertise operated by Carnegie Mellon University, the total number of computer attacks has almost doubled every year since 1988. However, the rarity of security breaches in the Linux environment is illustrated by the fact that 78% of respondents to the survey have never experienced an unwanted intrusion and 94% have operated virus-free."

Open sourcers wear the white hats (ZDNet). Here's an article by Bruce Perens about the difference in the security of open-source and proprietary software. "In contrast, open source has a lot of "white hats" looking at the source. They often do find security bugs while working on other aspects of the code, and the bugs are reported and closed. However, open source can still profit from a formal security review, just as proprietary code can, and there is an accelerating trend to do formal security reviews in open-source projects."

Security Reports

IMP 2.2.8 released. Version 2.2.8 of IMP has been released; it fixes some vulnerabilities. "The Horde team announces the availability of IMP 2.2.8, which prevents some potential cross-site scripting (CSS) attacks. Site administrators should consider upgrading to IMP 3 (our first recommendation), but if this is not possible, IMP 2.2.8 should be used to prevent these potential attacks."

Red Hat Security Advisory - tcpdump. Updated tcpdump, libpcap, and arpwatch packages are available for Red Hat Linux 6.2 and 7.x. These updates close vulnerabilities present in versions of tcpdump up to 3.5.1, along with various other bugs.

Red Hat Security Advisory - logwatch. Updated Red Hat Linux 7.2 logwatch packages are available that fix tmp file race conditions which can allow a local user to gain root privileges. Here's the same alert for the Red Hat Powertools logwatch.

Web scripts. The following web scripts were reported to contain vulnerabilities:
Proprietary products. The following proprietary products were reported to contain vulnerabilities:
Updates

Apache spoofed information logging vulnerability. Versions of Apache prior to 1.3.24 sometimes put invalid client hostnames in the log file. A remote attacker may exploit this behavior to insert spoofed information into the webserver logs. The fix is to upgrade to the recent Apache 1.3.24 release. (First LWN report: March 28th). This week's updates:
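The defensive check behind this fix, as an added example (not Apache's own code): a reverse-DNS name is written to the access log only if it is a syntactically valid hostname, otherwise the client's IP address is logged instead. The client address and PTR answers below are constructed samples.

```python
from typing import Optional
import ipaddress
import re

# Constructed samples: one client, two possible reverse-lookup answers.
SAMPLE_CLIENT_IP = "192.0.2.10"
SAMPLE_GOOD_NAME = "host.example.com"
# Constructed: a PTR answer that smuggles a newline and a fake second record.
SAMPLE_BAD_NAME = 'attacker\n203.0.113.5 - - "GET /forged HTTP/1.0" 200'

# RFC 1123 label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_valid_hostname(name: str) -> bool:
    """True only if every label of name is well-formed (one trailing dot allowed)."""
    if not isinstance(name, str) or not name or len(name) > 253:
        return False
    name = name[:-1] if name.endswith(".") else name
    if not name:
        return False
    # fullmatch (not '$') so a trailing newline cannot slip past the check
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def naive_remote_host(client_ip: str, reverse_name: Optional[str]) -> str:
    """Models the pre-fix behaviour: trust whatever the PTR record said."""
    return reverse_name if reverse_name else client_ip


def safe_remote_host(client_ip: str, reverse_name: Optional[str]) -> str:
    """Hardened form: use the reverse name only if valid, else the IP literal."""
    ipaddress.ip_address(client_ip)  # raises ValueError if not an IP literal
    if reverse_name is not None and is_valid_hostname(reverse_name):
        return reverse_name
    return client_ip


def access_log_line(host: str, request: str, status: int) -> str:
    """Minimal common-log-style record for the remote-host field under test."""
    return f'{host} - - "{request}" {status}'
```

With the naive function the forged PTR answer yields a log entry spanning two lines, which a log parser reads as two separate requests; the hardened function logs the IP instead.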
rsync supplementary groups vulnerability. Ethan Benson reported that rsyncd fails to remove supplementary groups (such as root) from the server process after changing to the specified unprivileged uid and gid. "This seems only serious if rsync is called using "rsync --daemon" from the command line where it will inherit the group of the user starting the server (usually root)." (First LWN report: March 14th, 2002). This week's updates:
Multiple vulnerabilities in SNMP implementations. Most SNMP implementations out there have a variety of buffer overflow vulnerabilities and should be upgraded at first opportunity. See this CERT advisory for more. (First LWN report: February 14). This week's updates:
Previous updates:
zlib corrupts malloc data structures via double free. This vulnerability impacts all major Linux vendors. It may impact every Linux installation on Earth. Updates are required to zlib and any packages that were statically built with the zlib code. (First LWN report: March 14). LinuxSecurity describes the vulnerability and coordinated distributor efforts in detail. "Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc, vnc, and many other programs that have the ability to use network compression are potentially vulnerable." Updating is recommended. As always, please proceed with caution when applying updates to the kernel. This week's updates:
Previous updates:
See also: articles in ZDNet and The Register about the zlib vulnerability. And, these reports from ZDNet and Vnunet on this vulnerability in some of Microsoft's major applications.

Resources

Linux security week. The and publications from LinuxSecurity.com are available.

Network security tips for managers (ZDNet). While not Linux (or Unix) specific, this article does contain some good security tips. "To see what may be listening on the computers in your network, you should use a simple hacker's tool known as a port scanner. Software that is used across a network listens to network information on a port. There are a number of ports available on most servers. By using a tool known as a port scanner, a hacker checks for every possible piece of network software. If it answers, the hacker tries to find more information about the computer. The hacker then tries to exploit that port. However, you can use it just as a list of what's listening on a computer and check to make sure you don't have unnecessary software running."

Events

Black Hat Briefings 2002 call for papers. Black Hat has issued this reminder that the Black Hat 2002 Call for Papers closes May 1st. The conference is held from July 31-August 1, 2002 at the Caesars Palace Hotel and Resort in Las Vegas, NV, USA.

Upcoming Security Events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney
April 11, 2002