
Security


News and Editorials

The Honeynet Project Reverse Challenge. The Honeynet Project has announced a new challenge for the security community. It differs from last year's Forensic Challenge, however: "The goal of this challenge is to develop reverse engineering skills amongst the security community. Your mission, if you should choose to accept, is to analyze and report on a binary captured in the wild." The captured binary was released on May 5th. There are actually prizes being offered this time around.

Jeffrey Reava has suggested a couple of resources that "may be helpful in putting together an analysis environment." Please remember that the subject is a binary "captured in the wild" and take appropriate precautions.

NewScientist.com has also run an article about the contest.

Security Reports

Multiple vulnerabilities in tcpdump. Version 3.5.2 fixed a buffer overflow vulnerability present in all prior versions. However, newer versions, including 3.6.2, are vulnerable to a second buffer overflow, in the AFS RPC functions, which was reported by Nick Cleaton.

This Conectiva announcement addresses both vulnerabilities. The February 12th Red Hat security advisory updates tcpdump to version 3.5.2, which does not have the AFS vulnerability.

Both problems appear to have been reported and fixed in FreeBSD some months ago. The CIAC report on the vulnerability in versions prior to 3.5.2 is dated October 31, 2000. Nick Cleaton's FreeBSD security advisory on the AFS RPC bug, with a reference to a fix for FreeBSD, is dated July 17, 2001. Tcpdump 3.7 was released on January 21, 2002. So the Linux distributors are running a little slow on this one. (Thanks to Michael Richardson).

Heap corruption vulnerability in imlib. A new problem has been found with the imlib library; this heap corruption bug could, perhaps, lead to remote exploits. Note that this is a different problem than the NetPBM vulnerability (reported below); a new update is required to fix it. So far, the only update we have seen for the new vulnerability is this one from Conectiva.

Webmin/Usermin vulnerabilities. Webmin is a web-based system administration interface for Unix systems. Webmin has cross-site scripting and session ID spoofing vulnerabilities, which are fixed in version 0.970.

Gentoo security update to evolution. There is a security update to evolution available for Gentoo Linux fixing the malformed header processing vulnerability in that package.

Red Hat Security Advisory: Nautilus. Red Hat has posted a security update to nautilus. "The metadata file code in Red Hat Linux 7.2 can be tricked into chasing a symlink and overwriting the symlink target."

SuSE security update to sysconfig. SuSE has updated its sysconfig package fixing a (SuSE-specific) problem where DHCP clients can be compromised via spoofed DHCP reply packets.

Packet Storm warning. "On May 5, a file was added to Packet Storm which was found to contain a Linux virus known as Linux.Jac.8759. The file, 73501867, is an exploit for PHP in binary form." Packet Storm is "a non-profit organization comprised of security engineers dedicated to providing the information necessary to secure the World's networks." (Thanks to Giorgio Zoppi).

Updates

Problem loading untrusted images in imlib. Versions of imlib prior to 1.9.13 used the NetPBM package in ways which "make it possible for attackers to create image files such that when loaded via software which uses Imlib, could crash the program or potentially allow arbitrary code to be executed." (First LWN report: March 28).

This week's updates:

Previous updates:

mod_python remote vulnerability. Version 2.7.7 of mod_python has been announced. "This release (as far as I could tell adequately) addresses the security issue whereby a module indirectly imported by a published module could then be accessed via the publisher." Upgrades are recommended. (First LWN report: April 18).

This week's updates:

Mozilla XMLHttpRequest file disclosure vulnerability. This XMLHttpRequest security bug impacts all Mozilla-based browsers. "The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms, and in Netscape versions 6.1 and higher." (First LWN report: May 2).

This week's updates:

Previous updates:

  • The fix is in Mozilla 1.0 branch nightly builds dated 2 May 2002 or later.

ZDNet also covered the vulnerability with a focus on its presence in Netscape.

Resources

Linux security week. The and publications from LinuxSecurity.com are available.

GnuPG version 1.0.7 released. Version 1.0.7 of the GNU Privacy Guard (GnuPG), the open replacement for PGP, has been released. This version features a large number of changes and improvements.

Events

Upcoming Security Events.

Mark your calendars - DEFCON 10. The announcement has gone out: DEFCON 10, the "largest hacker convention on the planet," will be held August 2 to 4 in Las Vegas.

Date, event (venue), and location:

  • May 9, 2002: Stanford's Center for Internet and Society Conference on Computer Security Vulnerability Disclosure (Stanford Law School), Stanford, CA, USA
  • May 12 - 15, 2002: 2002 IEEE Symposium on Security and Privacy (The Claremont Resort), Oakland, California, USA
  • May 13 - 14, 2002: 3rd International Common Criteria Conference (ICCC), Ottawa, Ontario, Canada
  • May 13 - 17, 2002: 14th Annual Canadian Information Technology Security Symposium (CITSS) (Ottawa Congress Centre), Ottawa, Ontario, Canada
  • May 27 - 31, 2002: 3rd International SANE Conference (SANE 2002), Maastricht, The Netherlands
  • May 29 - 30, 2002: RSA Conference 2002 Japan (Akasaka Prince Hotel), Tokyo, Japan
  • May 31 - June 1, 2002: SummerCon 2002 (Renaissance Hotel), Washington D.C., USA
  • June 17 - 19, 2002: NetSec 2002, San Francisco, California, USA
  • June 24 - 28, 2002: 14th Annual Computer Security Incident Handling Conference (Hilton Waikoloa Village), Hawaii
  • June 24 - 26, 2002: 15th IEEE Computer Security Foundations Workshop (Keltic Lodge, Cape Breton), Nova Scotia, Canada

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney


May 9, 2002

Eklektix, Inc. Linux powered! Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds