
Security


News and Editorials

Netscape flaw exposes hard drives (ZDNet). ZDNet is covering the XMLHttpRequest security bug in Mozilla-based browsers. "The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms, and in Netscape versions 6.1 and higher. The flaw doesn't affect Mozilla 1.0 release candidate 1 because XMLHttpRequest appears to be broken in that release, according to Mozilla developers." (Thanks to Manfred Scheible)

John Villalovos wrote to tell us that the fix for this bug will be in the next Mozilla release.

A world without secrets (ZDNet). ZDNet takes a look at Richard Hunter and his book "World Without Secrets: Business, Crime and Privacy in the Age of Ubiquitous Computing". "His poster child for the evil network army is the infamous Al Qaeda, and the good exemplified by the Open Source movement."

Security Reports

sudo local root exploit. Sudo 1.6.5p2 and earlier can be tricked into allocating less memory than it should when used with the password prompt parameter (-p). A local attacker may use the flaw to gain root privileges. The problem is fixed in sudo 1.6.6.

Updates are available from:

Revised OpenSSH security advisory. The OpenSSH advisory reported last week has been revised. "Buffer overflow in OpenSSH's sshd if AFS has been configured on the system or if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled by default."

Trustix issued what appears to be the first openssh update from a distributor that fixes the problem.

Squid DNS answer message vulnerability. Squid-2.X releases up to and including 2.4.STABLE4 do not check some error and boundary conditions when handling compressed DNS answer messages in the internal DNS. A malicious DNS server could craft a DNS reply that causes Squid to exit with a SIGSEGV.

Updates which fix the problem were released this week by:

Ethereal packet handling vulnerabilities. Ethereal 0.9.3, released by the ethereal team on March 30th, fixed three packet handling vulnerabilities present in 0.9.2. The PROTOS test suite found flaws in the SNMP and LDAP protocol support. Malformed packets could also crash ethereal 0.9.2 due to an ASN.1 zero-length g_malloc problem. The zlib "double free" vulnerability was addressed by the updates for that bug from many distributors.

Conectiva has issued an ethereal security update that addresses the ASN.1 zero-length g_malloc vulnerability and the SNMP and LDAP protocol support vulnerabilities. The zlib "double free" vulnerability was addressed by an earlier zlib update from Conectiva.

Multiple vulnerabilities in icecast. Icecast is a streaming audio broadcasting system. Version 1.3.12 was released on April 10th. "This release is a security update and all users are highly encouraged to upgrade immediately or apply the relevant patches to their own versions. Remember, never run icecast as a privileged user, especially not as root."

Security updates to icecast 1.3.12 have been released by:

Red Hat advisory for docbook. Here is a Red Hat security update for the docbook package.

Caldera Security advisory - fileutils. A race condition in various utilities from the GNU fileutils package may cause a root user to delete the whole filesystem.

PHProjekt multiple vulnerabilities. PHProjekt is an open source groupware suite. Ulf Harnhammar has reported multiple vulnerabilities in PHProjekt organized into five categories.

Web scripts. The following web scripts were reported to contain vulnerabilities:

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

Updates

Two denial of service vulnerabilities in Cistron RADIUS versions 1.6.5 and prior are described in this CERT advisory for RADIUS. "They are remotely exploitable, and on most systems result in a denial of service." (First LWN report: March 7th, 2002).

This week's updates:

Previous updates:

Problem loading untrusted images in imlib. Versions of imlib prior to 1.9.13 used the NetPBM package in ways which "make it possible for attackers to create image files such that when loaded via software which uses Imlib, could crash the program or potentially allow arbitrary code to be executed." (First LWN report: March 28).

This week's updates:

Previous updates:

Both PHP3 and PHP4 have vulnerabilities in their file upload code which can lead to remote command execution. This one could be ugly; sites using PHP should apply updates at the first opportunity. If an update isn't available for your distribution, users of PHP 4.0.3 and later are encouraged to consider disabling file upload support by adding this directive to php.ini:

    file_uploads = Off

CERT has issued this advisory on the problem. This article in the Register also talks about the vulnerability. (First LWN report: March 7).

Developers using the 4.2.0 branch are not vulnerable, because file upload support was completely rewritten for that branch.

This week's updates:

Previous updates:

Update: Despite some concern expressed in an earlier report by LWN, these updates do, in fact, fix the problem. The original update from the php team fixes the security hole but introduces a "rare segfault condition" that is not a security problem.

Webalizer DNS server based attack vulnerability. The cause is a buffer overflow bug. This one sounds nasty. If reverse DNS lookups are enabled in webalizer, "an attacker with control over the victim's DNS may spoof responses thus triggering a buffer overflow, potentially leading to a root compromise." Webalizer 2.01-10 "fixes this and a few other buglets that have been discovered in the last month or so". (First LWN report: April 18th, 2002).

This week's updates:

Previous updates:
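The Squid and Webalizer reports above describe the same failure mode from the defender's side: a program that trusts the length octets and compression pointers in a DNS reply it did not originate. Below is an added example, not code from Squid, Webalizer or LWN, of an RFC 1035 name decompressor in C that checks every read against the message length and every write against the output buffer, and that only follows pointers backwards so a crafted reply cannot loop it. The reply buffer sample_msg is constructed for the example, and the helper names (dns_name_decompress, sample_decode, decode_matches, decode_rejected) are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1035 limit: a wire-format name is at most 255 octets, root label included. */
#define DNS_MAX_NAME 255

/*
 * Decode the (possibly compressed) domain name at msg[off] into out as a
 * dotted, NUL-terminated string of at most out_len bytes.  Returns the number
 * of wire bytes the name occupies at msg[off], or -1 if the reply is malformed.
 * Every length octet, label and pointer target is checked against msg_len
 * before it is read, and out is checked before each write.  A pointer must
 * target an offset strictly before the label run it appears in, so the walk
 * only ever moves backwards through the message and cannot loop.
 */
int dns_name_decompress(const uint8_t *msg, size_t msg_len, size_t off,
                        char *out, size_t out_len)
{
    size_t pos = off, segment_start = off, consumed = 0, name_len = 0, out_pos = 0;
    int followed_ptr = 0;

    if (out_len == 0 || off >= msg_len) return -1;
    for (;;) {
        if (pos >= msg_len) return -1;              /* length octet past the end */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                 /* 11xxxxxx: compression pointer */
            if (pos + 1 >= msg_len) return -1;      /* second pointer octet missing */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (target >= msg_len) return -1;       /* pointer past end of message */
            if (target >= segment_start) return -1; /* forward or self pointer: loop */
            if (!followed_ptr) {                    /* name ends at its first pointer */
                consumed = pos + 2 - off;
                followed_ptr = 1;
            }
            segment_start = pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                  /* 01/10 prefixes are reserved */
        if (len == 0) {                             /* root label ends the name */
            if (!followed_ptr) consumed = pos + 1 - off;
            break;
        }
        /* len is 1..63 here, so the 63-octet label limit holds by construction */
        if (pos + 1 + len > msg_len) return -1;     /* label runs off the message */
        name_len += 1 + len;
        if (name_len + 1 > DNS_MAX_NAME) return -1; /* expanded name too long */
        if (out_pos > 0) {
            if (out_pos + 1 >= out_len) return -1;  /* no room for '.' plus NUL */
            out[out_pos++] = '.';
        }
        if (out_pos + len >= out_len) return -1;    /* no room for label plus NUL */
        memcpy(out + out_pos, msg + pos + 1, len);
        out_pos += len;
        pos += 1 + len;
    }
    out[out_pos] = '\0';                            /* a bare root name yields "" */
    return (int)consumed;
}

/* Constructed reply buffer (not captured traffic): a well-formed name, a name
 * with a legitimate backward pointer, and three malformed tails. */
static const uint8_t sample_msg[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0,                                      /* header */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, /* off 12 */
    4,'m','a','i','l', 0xC0,0x10,                    /* off 29: "mail" + ptr -> 16 */
    0xC0,0x24,                                       /* off 36: pointer to itself */
    0xC0,0xFF,                                       /* off 38: pointer to offset 255 */
    0x3F,                                            /* off 40: 63-octet label, no data */
};

int sample_decode(size_t off, char *out, size_t out_len)
{
    return dns_name_decompress(sample_msg, sizeof sample_msg, off, out, out_len);
}

/* 1 if the name at off decodes to expected_name and used expected_len wire bytes. */
int decode_matches(size_t off, const char *expected_name, int expected_len)
{
    char buf[256];
    int n = sample_decode(off, buf, sizeof buf);
    return n == expected_len && strcmp(buf, expected_name) == 0;
}

/* 1 if the decoder rejects the name at off when given out_len output bytes. */
int decode_rejected(size_t off, size_t out_len)
{
    char buf[256];
    return sample_decode(off, buf, out_len < sizeof buf ? out_len : sizeof buf) == -1;
}

int main(void)
{
    char buf[256];
    size_t offsets[] = {12, 29, 36, 38, 40};        /* one start offset per sample entry */
    for (size_t i = 0; i < 5; i++) {
        int n = sample_decode(offsets[i], buf, sizeof buf);
        printf("offset %zu: %s\n", offsets[i], n < 0 ? "rejected" : buf);
    }
    return 0;
}
```

Compiled as is, main() walks the five sample offsets and prints each decoded name or "rejected". The return value is the number of wire bytes the name occupied at the starting offset, which is what a caller stepping through the question and answer sections needs; once a pointer has been followed that count stops at the pointer, since the rest of the name lives elsewhere in the message.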

Resources

Building a secure kiosk with Embedded Linux. LinuxDevices features an article on building a Linux based information kiosk. "In this informative and entertaining technical article, embedded developer Patrick Glennon relates his experiences in creating a small Linux-based system for a client that required robust, easy-to-use, low-cost kiosks for conducting surveys at hotels."

Linux security week. The publication from LinuxSecurity.com is available.

Events

Upcoming Security Events.
Date | Event | Location
May 2 - 3, 2002 | cansecwest/core02 | Vancouver, Canada
May 4 - 5, 2002 | DallasCon | Dallas, TX., USA
May 9, 2002 | Stanford's Center for Internet and Society Conference on Computer Security Vulnerability Disclosure (Stanford Law School) | Stanford, CA, USA
May 12 - 15, 2002 | 2002 IEEE Symposium on Security and Privacy (The Claremont Resort) | Oakland, California, USA
May 13 - 14, 2002 | 3rd International Common Criteria Conference (ICCC) | Ottawa, Ont., Canada
May 13 - 17, 2002 | 14th Annual Canadian Information Technology Security Symposium (CITSS) (Ottawa Congress Centre) | Ottawa, Ontario, Canada
May 27 - 31, 2002 | 3rd International SANE Conference (SANE 2002) | Maastricht, The Netherlands
May 29 - 30, 2002 | RSA Conference 2002 Japan (Akasaka Prince Hotel) | Tokyo, Japan
May 31 - June 1, 2002 | SummerCon 2002 (Renaissance Hotel) | Washington D.C., USA
June 17 - 19, 2002 | NetSec 2002 | San Francisco, California, USA
June 24 - 28, 2002 | 14th Annual Computer Security Incident Handling Conference (Hilton Waikoloa Village) | Hawaii
June 24 - 26, 2002 | 15th IEEE Computer Security Foundations Workshop (Keltic Lodge, Cape Breton) | Nova Scotia, Canada

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney


May 2, 2002

Eklektix, Inc. Linux powered! Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds