See also: last week's Security page.
Debian has announced their fixes for the zgv buffer overrun and a possible security flaw in the fsp package.
After much debate, it has been confirmed that Netscape 4.5 on all platforms can be used to read system files from a remote location. Georgi Guninski filed the original report on Bugtraq, which sparked a lively debate and a great deal of feedback. As a result, it appears that all versions of Netscape 4.X are vulnerable except 4.08. For those fans of Netscape 3.X, take heart; Netscape 3.04 was tested and found not to be vulnerable.
ZDnet reported a Linux Worm on November 30th. No confirmation for their claim was found, and it was followed by more rational reporting from CNet and CERT. In short, a vulnerability in IMAP was found and fixed in June, but sites that have not upgraded their copy of IMAP are vulnerable to an attack. The attack is not a worm of any kind. As Jed Pickel of CERT said, "It's something we see every single day. It's not anything out of the ordinary."
XFree86 3.3.3 contains several security fixes, for those that missed the announcement elsewhere. Aleph One posted a short list of the fixes to Bugtraq.
American Power Conversion Company (APCC) is beta-testing new firmware to fix the APC PowerNet SNMP Adapter Security Issues we've previously reported. Paul Mansfield, who contacted APCC about the vulnerabilities initially, posted a followup report.
The November issue of the SANS Security Digest is available. Particularly for people supporting multiple operating systems, it is a good review of recent security reports, in case there are any applicable to you which you missed. This is a free service of the Systems and Network Security Institute, a "Cooperative Research and Education Institute".
December 3, 1998