See also: last week's Security page.
The recent licensing changes for ssh version 2.0.8 (announced August 28th) will definitely put a crimp in the use of the new version. The new license restricts any use where commercial activity is involved and where the use in any way, directly or indirectly, aims at monetary or other commercial benefit, or any use that takes place in commercial organizations where a salary or similar monetary compensation is paid, unless the use can be considered EDUCATIONAL USE or is purely for charity.
Although the original license of ssh was somewhat restrictive, this new version will deeply impact the free exchange and usage of this very critical tool. For now, continued use of ssh version 1 is the only available option (if you cannot afford or are uninterested in commercial licensing options), but the licensing changes may put some oomph and heightened interest into the psst project, a totally free replacement for ssh which is still in the development stages.
Some unpleasantness has been found in the NFS server package; it appears to affect all distributions. We currently have information on fixes for Red Hat, Caldera, and TurboLinux. No word from the debian-security-announce list as of yet.
Cisco has made a response to the PIX fragmentation problems that have been previously reported. A temporary workaround should be out in mid-September; meanwhile, if you see an actual attack based on this, they are ready to provide tactical assistance. Further improvements are promised for the future, which is good, since new problems with PIX continue to be reported.
The minicom problems reported this week are old and should not be present in the latest version of minicom, version 1.81, which was released in April. If you are already running the latest version from your vendor, you should not be affected.
Buffer overflow problems have been found and verified in nslookup, due to the way sscanf is used. A patch for the problems is expected shortly. No vendor fixes were announced as of press time. Theo de Raadt published a first cut at a patch to resolve the problem.
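The sscanf mistake behind this class of bug is a `%s` conversion with no field width: sscanf copies the whole input token into the destination regardless of its size. The following is an added illustration, not code from nslookup or from Theo de Raadt's patch, showing the unbounded idiom beside a bounded one that also detects truncation. The `NAME_WIDTH` limit and the hostname-parsing framing are assumptions chosen for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_WIDTH 63                 /* max characters sscanf may store (assumed) */
#define NAME_MAX   (NAME_WIDTH + 1)   /* buffer size including the terminator */

/* Turn the numeric width into a string so it can be spliced into the format. */
#define STR2(x) #x
#define STR(x) STR2(x)

/* Vulnerable idiom: "%s" with no field width. sscanf stores the entire
 * token no matter how long it is, so a token longer than NAME_WIDTH writes
 * past the end of name[]. Kept only for side-by-side comparison; it is not
 * exercised on long input anywhere in this example. */
int parse_hostname_unsafe(const char *line, char name[NAME_MAX])
{
    return sscanf(line, "%s", name) == 1 ? 0 : -1;
}

/* Hardened idiom: the field width NAME_WIDTH caps what sscanf may store,
 * and %n records how much input was consumed so truncation can be detected
 * instead of silently accepting a shortened name.
 * Returns 0 on success, -1 if no token was present, -2 if the token was
 * longer than NAME_WIDTH (name[] then holds the truncated, terminated prefix). */
int parse_hostname_safe(const char *line, char name[NAME_MAX])
{
    int consumed = 0;

    if (sscanf(line, "%" STR(NAME_WIDTH) "s%n", name, &consumed) != 1)
        return -1;

    /* If the next unread character continues the token, it was cut off. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return -2;

    return 0;
}

int main(void)
{
    char name[NAME_MAX];
    char longline[200];   /* constructed input: a 199-character token */

    memset(longline, 'a', sizeof longline - 1);
    longline[sizeof longline - 1] = '\0';

    printf("short: %d (%s)\n", parse_hostname_safe("  www.example.com\n", name), name);
    printf("long:  %d (stored %zu chars)\n", parse_hostname_safe(longline, name), strlen(name));
    printf("empty: %d\n", parse_hostname_safe("   \n", name));
    return 0;
}
```

The width must be spliced into the format string at compile time (the `STR` macro) because sscanf, unlike printf, has no `*` width argument; keeping the width and the buffer size derived from one constant is what prevents the two from drifting apart in later edits.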
SGI published a report on security problems with seyon. The compromise is based on the fact that the SGI installation of seyon is setuid root. So far, TurboLinux and Debian have officially noted that their installations of seyon do not appear to be vulnerable, since they are not installed setuid. No version of Linux has been reported to ship seyon setuid root.
CERT has published their normal Summary of Recent Activity, covering the months of July and August.
Certification for Security Professionals is a new topic, with ISN reporting on the Certified Information Systems Security Professional (CISSP) designation available from ISC2. Someone is making money at this. Somehow it seems unlikely Bugtraq contains many people with this certification, yet they continue to be the best place to start looking for security expertise in our community ...
September 3, 1998