Linux in the news
All in one big page
See also: last week's Security page.
NewsThe Better Business Bureau is launching a web site privacy program, describes this news.com article. BBBOnline will require applicants to indicate whether or not they collect sensitive information, how they use it and how they protect it. This is a commercial program and has the disadvantages of such: 1) you cannot participate without paying them a fee, possibly limiting participation (this problem is offset by a sliding scale for fees) and 2) BBB members in the off-line world are not required to sign up for the privacy program to use the seal, something that indicates a potential commercially-based bias in the program.
Bind 8.2 became available on March 16th. You can find it at this site. One report we've seen indicates that the new version contains a fully-integrated version of the long-awaited secure DNS and can therefore prevent DNS spoofing. No followups or confirmation on this have been found as of yet.
Security ReportsAn OpenSSL/SSLeay Security Alert has been issued. If you have server software that is running SSLeay or OpenSSL 0.9.2 or earlier, which also supports multiple virtual hosts with different client certificate verification, then your software contains an exploitable hole. Although the authors believe the problem really stems from the difficulty configuring OpenSSL to prevent problems, rather than from a bug in their code, they have issued OpenSSL 0.9.2b with a workaround to prevent problems. A more elegant solution will be included in the next full release.
SuSE released two security announcements yesterday. The first announcement addresses a permissions problem with /dev/kmem on SuSE systems, as well as the security problems in the 2.0.35 and earlier Linux kernel versions. The second announcement addresses security problems with Netscape 4.5.
In addition, SuSE has created two new security-related mailing lists. For information on subscribing to suse-security and suse-security-announce, check out this web page.
Last, but not least, SuSE security announcements in English are now indexed and available on the web. Congratulations to SuSE for their work to improve their support and response to security issues!
UpdatesThe security problems in Linux 2.0.35 kernels and earlier have finally filtered around to CIAC. If you haven't upgraded your kernel yet, you may want to check out the advisory for clear information on why it is needed.
ResourcesInteractively build your firewall, or at least the packet filtering rules for your firewall, with Mason, which has just been released under the GPL. Mason is in the early stages, with this initial release numbered 0.12.0. William Stearns, the author, states that, "To the best of my knowledge, it's the first tool for Linux that allows even novices to build a strict packet filtering firewall that is independant of the number and types of interfaces used, while exactly matching the traffic types needed."
A review of "Information Warfare and Security" by Dorothy Denning, 1999, has been provided by Rob Slade. The content of this book not only presents a clear picture of a number of aspects of information warfare, but does so in a very practical manner, informed by the need to use "real world" examples.
EventsThe Internet Society Year 2000 Network and Distributed System Security Symposium, also known as NDSS 2000, has issued a Call-For-Papers. The event will be held February 2nd through the 4th, 2000, in San Diego, California, USA.
Section Editor: Liz Coolbaugh
March 25, 1999