Linux in the news
All in one big page
See also: last week's Security page.
Well, the security issue of the week seems to be continuing security problems with Netscape's cache. Dan Brumleve, who reported the original cache-cow bug that we've mentioned the past two weeks, announced son-of-the-cache-cow on October 6th. Netscape has acknowledged the problem, which they call the injection bug. There is no word yet on when a new version, with the problems resolved, will be available. Note that some reports indicate that not all operating systems are vulnerable to this latest hole. Confirmation of the problem on a Linux system has not been seen.
Meanwhile, continuing problems with Netscape, Jim Paris posted this note about how a remote CGI script can be used to crash Netscape 4.05 and 4.5b1. HD Moore dug around in the Mozilla code to "get an idea of why it is crashing".
CERT has sent out an advisory on the NFS security hole. CERT, as is often the case, is a bit slow in getting the word out - we reported this bug in August. Nonetheless, when CERT does get around to saying something, it means that the bad guys are actively exploiting the problem - something that we have seen as well. People with machines attached to the net should be sure that you (1) have the fix applied, or (2) are not running NFS services. Note that you may be running mountd even if you think you aren't using it; it's worth a check.
Richard Zack posted this report of a buffer overflow in dbadmin version 1.0.1 to bugtraq, looking for input on whether or not the problem was exploitable. Here is "Duke's" reply, indicating that there was a potentially exploitable hole. No word yet on any patches for the problem.
A possible denial of service vulnerability was posted to bugtraq. This particular one involves linking a user's .rhosts file to /dev/zero and then checking their mail via IMAP. This means that the problem is not a remote exploit, since the attacker must first have write access to a user directory. However, responses to the post confirmed the problem and indicated that similar DoS were possible using symlink'ed .forward, .qmail, or .plan files. Nick Andrew and Henrik Nordstrom summed it up with the comments, Any service daemons should refuse to read files which are not files (symlinks, device files, pipes and other non-disk-file types) or not owned by the right user with proper permissions. Perhaps this issue will get explored by the Linux Security Audit project ...
Speaking of which, a recent security-audit discussion about the behavior of glibc's opendir and its negative impact on the system has resulted in a modification to glibc. Here is some details on the problem. It was a nasty one with potential side effects including rewinding tape drives as a side effect or tying up all system resources. To get the fixed version of glibc, look for binutils 2.0.98 or 2.0.7, as appropriate.
Kevin Lindsay posted a note announcing version 1.1 of Secure Locate. His note also goes into some detail on how slocate works, in response to some questions he's received.
Miguel de Icaza confirmed a recently reported bug in Midnight Command 4.5.0 (mc). The problem has been fixed in the just released 4.5.1 version.
Computer Security Day (DISC 98) will be held November 2-6, 1998 in Mexico. Individual Responsibility is the slogan for this year (and a good one!). More information can be found at their web-site.
October 15, 1998