See also: last week's Security page.
Red Hat sent out a notice saying that their version of CDE is full of nasty security bugs. One can reasonably assume that most other CDE implementations out there have the same problems. Their notice says it all: "Because CDE is not Open Source software, we have no ability to fix either the minor bugs that have been reported over the last year, or these more important security bugs." There is no fix available. Red Hat has announced that they will cease to sell CDE.
Reports of new exploits of rpc.mountd are trickling in. So far, the confirmations of the problems have been made against nfs-server-2.2beta29-5. The latest version of nfs-server included in Red Hat 5.1, for example, is nfs-server-2.2beta29-7. It is likely that the sites that are being affected have not upgraded to this version. It is highly recommended that sites either firewall NFS packets from the Internet, disable their NFS services if they are not being used, or upgrade to the latest version. This much-forwarded note from the Moria Security Team goes into more detail on the exploits and how to protect against them.
There are reports that knfsd 0.4.21 or 0.4.22 is also vulnerable, but no confirmation has been received as yet.
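Two checks a site can run against the rpc.mountd reports above, as an added example that is not part of this page or of the nfs-server package: whether mountd is registered with the portmapper at all (the first thing to look at if NFS is supposed to be disabled or firewalled), and whether the installed nfs-server package is an older build than the fixed release named above. The `rpcinfo -p` text is a constructed sample, the package names follow the Red Hat convention already on the page, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the LWN page or the nfs-server package.
# Assumes Red Hat style package names (nfs-server-2.2beta29-5) and the
# plain-text column layout of `rpcinfo -p` (program vers proto port name).

# Constructed sample of `rpcinfo -p` output for a host that runs NFS.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    635  mountd
    100005    1   tcp    637  mountd
    100003    2   udp   2049  nfs'

# mountd_ports TEXT
# Prints "proto port" for each mountd registration found in TEXT.
# Exit status 0 if at least one was found, 1 otherwise.
mountd_ports() {
    printf '%s\n' "$1" | awk '$5 == "mountd" { print $3, $4; found = 1 }
                               END { exit found ? 0 : 1 }'
}

# needs_upgrade INSTALLED FIXED
# Both arguments are package names such as nfs-server-2.2beta29-7.
# Exit status 0: INSTALLED is an older build of the same upstream version
#                than FIXED, so an upgrade is needed;
#             1: INSTALLED is the fixed build or newer;
#             2: the upstream versions differ, so the release numbers are
#                not comparable and the package should be checked by hand.
needs_upgrade() {
    inst=${1#nfs-server-};  fixed=${2#nfs-server-}
    inst_ver=${inst%-*};    inst_rel=${inst##*-}
    fixed_ver=${fixed%-*};  fixed_rel=${fixed##*-}
    [ "$inst_ver" = "$fixed_ver" ] || return 2
    [ "$inst_rel" -lt "$fixed_rel" ]
}

# Usage with the constructed sample and a hypothetical installed package;
# on a real host feed in the output of `rpcinfo -p` and `rpm -q nfs-server`.
if ports=$(mountd_ports "$SAMPLE_RPCINFO"); then
    echo "rpc.mountd is registered with the portmapper on:"
    echo "$ports"
else
    echo "no mountd registration found"
fi

INSTALLED=nfs-server-2.2beta29-5
FIXED=nfs-server-2.2beta29-7
needs_upgrade "$INSTALLED" "$FIXED" && rc=0 || rc=$?
case $rc in
    0) echo "$INSTALLED is older than $FIXED: upgrade, or block NFS at the firewall" ;;
    2) echo "$INSTALLED: different upstream version, compare by hand" ;;
    *) echo "$INSTALLED is at or above the fixed release" ;;
esac
```

The release comparison deliberately refuses to guess when the upstream version part differs (2.3 against 2.2beta29, say), since a plain numeric compare of the trailing build number would be meaningless there; a site in that situation should read the package's changelog rather than trust the script.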
inetd is also coming under attack again. The attacks appear to be reproductions of the old octopus exploits from a long time ago (many, many connections within a short amount of time). xinetd has been recommended as a superior replacement for inetd for sites hit with these problems. Again, no official fixes have been reported so far, nor do we have confirmation that the sites being affected are running the latest version of inetd, so these exploits may be hitting known holes that have not yet been closed.
A workshop on security in large-scale distributed computing systems will be held on October 20th in conjunction with the IEEE Symposium on Reliable Distributed Systems.
October 1, 1998