See also: last week's Security page.
We mentioned security problems with klogd in our column last week. This week, Red Hat issued an advisory for sysklogd and provided updated rpms for the problem. One of the sysklogd maintainers posted a comment to Bugtraq on the security problem, indicating that the current version of klogd is not vulnerable to the reported buffer overrun, which was fixed some time ago. In a corollary note, Debian reported that they are not vulnerable to the problem because they are using a current version of sysklogd.
Red Hat also came out with updated Samba rpms for an installation permissions problem with Samba initially reported in Red Hat 5.2, but, it turns out, affecting all Red Hat versions. Debian examined the security problems and declared that Debian was not impacted; no upgrades to Debian systems are required.
Here's an update on the Xinetd /tmp race problem we mentioned last week. First, S.u.S.E. updates for Xinetd are available at ftp.suse.com. Next, Marc Heuse posted a long message with more information on the problem and his updated security fix for it.
Flemming S. Johansen posted a nice summary of recent Bugtraq discussions of the Netscape browser's "What's Related" feature. It covers how the feature can be abused and mentions a lot of other resources and links that discuss both Netscape's and other applications' implementation of this type of functionality. In short, you will likely want to disable this "feature".
Duncan Simpson posted this report of buffer overruns in catdoc. No official updates have been posted, but his report includes a patch.
Buffer overflow vulnerabilities in Junkbuster were reported to Debian. They announced that these vulnerabilities were fixed in version 2.0-3.2. All later versions are okay. An immediate upgrade of junkbuster is recommended.
Marcelo Tosatti reported a /tmp race problem with bootpd. No official updates to bootpd have been reported as of yet.
Tatu Ylonen put out an official comment on the "sshdwarez" or "sshdexp" binaries that have been running around. They claim to be ssh exploits, but are actually a basic trojan program that will add entries to your password file and report them back to the author, if you choose to run the binary.
KDE 1.0 klock can be exploited to gain root access to a system because of the way it attempts to run a supporting binary, kblankscrn.kss. If that binary is not in the same directory as klock, your system may be vulnerable.
Perhaps not too surprisingly, the above report was swiftly followed by a report of multiple KDE security vulnerabilities. David Andersen's comment was, "The general problem is that KDE trusts user supplied environment variables too much." KDE has responded quickly with a fix that modifies KDE screensavers and klock so that they no longer run setuid root.
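For programs that cannot simply stop running setuid root as KDE did, the two klock items above point at the same defensive pattern: find the helper without consulting the caller's environment, verify it, and drop privileges before running it. The following is an added example, not KDE's code or KDE's fix; the directory `/opt/kde/bin` and every function name in it are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Assumed install directory (root-owned); not taken from the KDE sources. */
#define HELPER_DIR "/opt/kde/bin"

/* Build "<dir>/<name>"; reject names that could leave the trusted directory. */
int helper_path(const char *dir, const char *name, char *out, size_t len) {
    if (name[0] == '\0' || strchr(name, '/') != NULL) return -1;
    int n = snprintf(out, len, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Policy: regular file, owned by root, not writable by group or others. */
int mode_is_trusted(const struct stat *st) {
    return S_ISREG(st->st_mode) && st->st_uid == 0 && !(st->st_mode & (S_IWGRP | S_IWOTH));
}

/* Open without following a symlink and check the opened file, not the path. */
int open_trusted(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !mode_is_trusted(&st))) { close(fd); fd = -1; }
    return fd;
}

/* Give up setuid/setgid privileges for good: group first, then user. */
int drop_privileges(void) {
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return -1;
    return (getuid() != 0 && setuid(0) == 0) ? -1 : 0; /* must not be regainable */
}

/* Returns only on failure; the caller's PATH and environment are never used. */
int run_helper(const char *name) {
    char path[4096];
    char *const argv[] = { (char *)name, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* fixed, minimal */
    if (helper_path(HELPER_DIR, name, path, sizeof path) != 0) return -1;
    int fd = open_trusted(path);
    if (fd < 0) return -1;
    if (drop_privileges() != 0) { close(fd); return -1; }
    fexecve(fd, argv, envp); /* replaces this process on success */
    close(fd);
    return -1;
}
int main(void) { return run_helper("kblankscrn.kss") == 0 ? 0 : 1; }
```

Executing the already-opened descriptor with `fexecve` means the file that passed the ownership check is the file that runs, even if the path is swapped afterwards.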
SSH Communications Security issued a press release describing their planned support for the Twofish encryption method. This will be available in ssh versions 2.0.11 and above, not in the widely used 1.2.X versions, which have a more liberal licensing policy.
S.u.S.E. has released a patch for the "umlaut import bug" reported in Linux Office Suite 99. The patch apparently fixes a problem with importing MS Word 97 documents into Applixware.
November 19, 1998