Linux in the news
All in one big page
See also: last week's Security page.
A klogd vulnerability has been reported for Red Hat 5.x (including 5.2) and Slackware 3.x. This is a potentially exploitable buffer overflow. No updates for this problem have been released as of yet.
A genuine hole in ssh, in the kerberos authentication code, has been found by Peter Benie and confirmed by ssh author Tatu Ylonen. A patch has been provided. Note, this hole only applies to ssh binaries compiled with both "--with-kerberos5" and "--enable-kerberos-tgt-passing".
On a separate, unrelated note, Crispin Cowan has made pre-compiled StackGuard-protected ssh binaries available. Note, only people within the United States can legally download these.
If you are running secure-linux and plan on upgrading to Red Hat 5.2, you may be interested in Ernst Jan Plugge's patch to the secure-linux patch. It will work on the 2.0.35 version of the secure-linux patch. You can check out Ernst's post, for the patch, more details and for the location of Solar Designer's secure-linux patch.
Cisco has officially reported vulnerabilities in their Cisco 7xxx router family, which may allow packets from outside the firewall to get through to unauthorized areas inside the firewall. Cisco states in their announcement that they are not aware of any incident where these vulnerabilities have been exploited. Workarounds are provided, and schedules for fixes are included.
If you are using any of the perl-CGI scripts from www.cgi-resources.com, you may wish to check out this posting. It lists several scripts that have vulnerabilities, including HAMcards Postcard, Hot Postal Services and a couple of others.
Job de Haas posted a note about Vulnerabilities with Swish, a search engine. The vulnerabilities could allow remote access to the web server with the user id of user underneath which the web server is run.
Bugtraq maintainer Aleph One commented this week that Bugtraq has passed the 26000 subscriber mark. Congratulations! It is good to hear that so many people are interested in security.
An article last week that received little publicity, this CNet article mentions that a new set of federal regulations have gone into effect as a result of the Digital Millenium Copyright Act. These regulations require Internet Service Providers (ISPs) to register with the U.S. Copyright Office in order to receive the act's protection against copyright infringement lawsuits. [From the ISN mailing list.]
Red Hat has issued a security update for the "zgv" and "svgalib" packages. This update covers all versions from 4.2 through 5.2.
November 12, 1998