Linux in the news
All in one big page
See also: last week's Security page.
According to this Wired News article, the Clinton administration has convinced the thirty three countries involved in the Wassenaar Arrangement to impose similar restrictions on cryptography as those adopted by the United States. Check out the website for the Wassenaar Arrangement for links to the various countries involved and their National Export Controls. Note that Finland, Australia and the Netherlands are part of the Wassenaar Arrangement.
John McDonald reported a remote vulnerability in bootpd . However, many operating systems are not affected by this problem, including tested versions of Linux and FreeBSD. Exploits have been written for OpenBSD and BSDI. OpenBSD released a patch for the problem on November 28th. Irwin Tillman noted that unpatched versions of CMU dhcpd 3.3.7 had the same problem, since it traces its origin to bootpd. Princeton patch 6 is reported to have fixed the problem.
Salvatore Sanfilippo has written hping, a tcp-based ping command for those of you that can find a use for such a tool. As with the original ping command, it is vulnerable to a sigalrm bomb attack, so it should not be setuid root. It is open source and GPL code.
Another source code offering, cheops, is a network "swiss army knife", offering a point and click interface to a network using a combination of several different network tools. The announcement also mentions ways to possibly tell if someone tries to use cheops as a scanning tool against your site.
On the distribution front, Debian has released a new version of fte to fix a problem where fte does not drop its root privileges correctly. This is a large security hole, allowing users to "read and write files with root priviliges, and execute all programs as root." Debian recommends upgrading the package immediately.
Chip Christian reported an interesting vulnerability in SecurID. It seems that if you have it configured to use NIS, but NIS is unavailable, SecurID will default to providing a root shell for logins. Note that the software he used is over three years old. Security Dynamics has been notified.
A Call for Papers for the Symposium "Architectures, Tools and Algorithms For Networks, Parallel and Distributed Systems" has been released. This will be held during the ISAS Conference, in Orlando, Florida, U.S.A from July 30th to August 3, 1999.
Robert M. Slade posted reviews of three cryptography books to the ISN mailing list. From the ISN archives, here are his reviews of The Information Systems Security Officer's Guide, the Cryptography and Network Security and Java Cryptography.
December 10, 1998