News

Red Hat's updated sysklogd is still not secure? That's the word from Cory Visi, who explains in his Bugtraq posting that the updated version from Red Hat contains Cory's patch, which he states does not fix the original problem. The correct fix is to upgrade to sysklogd-1.3-30. This affects all versions of Red Hat but will not affect Linux distributions that already use the newer version of sysklogd. Red Hat has been notified.
An update to our reports on security problems with proftpd and wu-ftp is available on our front page.
Security Reports

An error in the way cfengine handles temporary files has been identified by the maintainer of the Debian cfengine package. The Debian announcement recommends upgrading to their fixed version and provides pointers and instructions for Debian GNU/Linux. The author of cfengine has been notified but an official fix has not yet been released.
ISS issued an advisory on "Super", a utility which allows restricted super user privileges for some users. The advisory tested the problem on Debian GNU/Linux, though Super is also available for other Linux and Unix distributions. Debian uploaded a fix for the problem within a few hours. An official notice of the fix is being held until binary packages for all architectures are available and the mirrors have been updated.
Juan Diego Bolanos filed a report on /tmp problems with all versions of lynx. Follow-ups on Bugtraq indicate that this is not a new problem; /tmp problem reports for lynx date back to March 1998. No one seems to be stepping up to address the problems, however. In the meantime, Glynn Clements and Piotr Klaban have suggested some workarounds.
Kenn Humborg reported what turns out to be a problem with the rpms for ssh from ftp.replay.com. His followup describes the source of the problem and indicates that he'll contact the creators of the rpms and ask them to rebuild the packages.
A security patch for Network Flight Recorder is now available. They recommend installing the patch immediately. It appears to fix a variety of buffer overruns and some difficulties handling large alert queues when the central NFR system cannot be reached. This advisory from NAI details the vulnerability for which the patch was released.
A buffer overflow in snplog was reported by Rupert Weber-Henschel. Check his posting for more details.
HERT reports a buffer overflow in lsof, a tool used on many systems to list open files. The HERT advisory indicates that the overflow is only a security risk when lsof is installed setuid root or setgid. Vulnerable Linux distributions reported include SuSE, Debian and Red Hat. The workaround is easy: change the permissions on lsof to 0755.
The Pine Development Team officially responded to last week's pine exploit report. In it, they explain that the problem lies not in pine but in metamail, and specifically in the default mailcap file distributed with the metamail MIME-support package. Thomas Roessler followed up with a description of how mutt handles the situation.
John D. Hardin updated his MIME-sanitization procmail filter to address the metamail vulnerability that affected pine. Here is his note with pointers to the new version.
Debian released an updated version of their advisory on wu-ftpd.
Resources

Edward Felten and Gary McGraw have made the entire text of their book, Securing Java, available on the Web. They are also authors of the 1996 "Java Security: HA HA". Take a look and buy a copy to support them if you are impressed with what you find.
Rob Slade has made available his review of "Fighting Computer Crime" by Donn B. Parker (1998). He dislikes the beginning and end of the book but indicates that there is a great deal of useful information in it for the security practitioner.
The February 15th edition of CRYPTO-GRAM, Bruce Schneier's monthly newsletter, is now available. [From ISN]
February 18, 1999