News

Misconfiguration of shopping carts is the technical issue behind the news.com article entitled "Privacy at risk in e-commerce rush." As a result of misconfiguration, client information, including names, addresses and even credit card information, is exposed to the Internet. Joe Harris reported the problem on Bugtraq as well, mentioning his frustration trying to get one commercial vendor to respond to the situation. "We did have a conversation with one (fairly large) commercial vendor (who shall remain nameless) and if the response we got from them was any indication, contacting the remaining vendors would have been futile. This particular vendor couldn't see the problem we had with the software that -they themselves- had installed on behalf of our mutual client. They couldn't understand why we told them to change their software or remove it from the server, even after a long and patient explanation of a little thing called 'liability'."
He posted a later message listing six shopping carts found to be misconfigured on a variety of sites. He emphasized that all of these systems can be used correctly and safely; however, many small to medium-sized businesses are not doing so.
Privacy issues involving the apprehension of the Melissa virus author came up at the Congressional hearing held to discuss the impact of the virus. In particular, the cooperation of AOL and a "unique identifying number attached to Microsoft software" were questioned, but without receiving any useful answers, because the investigation is ongoing. This New York Times article provides more details. It is good to know that such issues aren't being overlooked in the wake of the hysteria about the Melissa virus.
On a separate note, later in the article there is a promising quote indicating that someone involved understands that fixing the software bugs a virus exploits is critical to resolving the problem: "If the only defense is to react to a problem as it occurs, we're always going to be behind." This tends to get overlooked, particularly by vendors that make large amounts of money peddling products that detect, rather than prevent, such viruses. Commercial vendors will need to respond to such problems the way the open source community does: by fixing the actual problem.
Security Reports

A potential problem with the Linux 2.0.X kernel series was discovered as a side effect of a Midnight Commander bug reported to Bugtraq. It seems that the 2.0.X kernels, at least through 2.0.36, do not prevent someone from creating a file with a negative size. The 2.2.X kernel series does not appear to be vulnerable. For more information and a patch, check out Chris Wilson's post, which he also forwarded to Alan Cox for inclusion in the next 2.0.X kernel.
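The page does not reproduce how the Midnight Commander bug drove a file's size negative, so the following probe is an added example rather than code from Chris Wilson's post or the kernel patch. It assumes one plausible route, ftruncate() with a negative length, and reports whether the running kernel refuses the call (a fixed kernel returns EINVAL) and whether st_size ever goes negative. The scratch file comes from tmpfile(); nothing on disk is touched otherwise.

```c
/* Probe for the "negative file size" condition described above.
 * Added example; not from the LWN page, Chris Wilson's post or the
 * 2.0.X patch. Assumption: ftruncate() with a negative length is the
 * route tried here. The page does not say how Midnight Commander
 * produced the negative size. */
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if a negative-length truncate was refused the way a fixed
 * kernel refuses it (call fails, errno == EINVAL), 0 if the kernel
 * accepted it or failed differently, -1 if no scratch file could be made. */
int truncate_rejected_with_einval(void)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    int fd = fileno(fp);
    errno = 0;
    int rc = ftruncate(fd, (off_t)-1);
    int saved = errno;
    fclose(fp);
    return (rc == -1 && saved == EINVAL) ? 1 : 0;
}

/* Returns 1 if, after the attempt, fstat() reports st_size < 0 (the
 * condition the 2.0.X report describes), 0 if the size stayed sane,
 * -1 on an unrelated error. The write beforehand gives the file a real
 * size so a sane kernel leaves it unchanged after rejecting the call. */
int negative_size_possible(void)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    int fd = fileno(fp);
    const char payload[] = "scratch"; /* constructed sample content */
    if (write(fd, payload, sizeof payload) != (ssize_t)sizeof payload) {
        fclose(fp);
        return -1;
    }
    (void)ftruncate(fd, (off_t)-1);   /* result is inspected via fstat */
    struct stat st;
    if (fstat(fd, &st) != 0) {
        fclose(fp);
        return -1;
    }
    fclose(fp);
    return (st.st_size < 0) ? 1 : 0;
}

int main(void)
{
    int rejected = truncate_rejected_with_einval();
    int negative = negative_size_possible();
    if (rejected < 0 || negative < 0) {
        perror("probe");
        return 2;
    }
    printf("negative-length ftruncate rejected with EINVAL: %s\n",
           rejected ? "yes" : "no");
    printf("file ended with negative st_size: %s\n",
           negative ? "yes (kernel is affected)" : "no");
    return negative ? 1 : 0;
}
```

On 2.2.X and later kernels the probe prints "yes" for the rejection line and "no" for the negative-size line and exits 0; an affected kernel, if the assumed route applies to it, would flip the second answer. A "no" on the first line with a sane size afterwards means the call failed for a different reason, which the probe deliberately does not treat as the 2.0.X condition.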
Pointers to security updates from Red Hat for lpr, procmail, rsync and NFS are available on our Distributions page. Anyone running Red Hat should pull down and apply these updates immediately.
Updates

Debian has issued yet another procmail update. For details, check their announcement. If you have procmail installed, you should acquire the new package.
Resources

The latest version of CRYPTO-GRAM, a free newsletter about cryptography issues, is now available.
Section Editor: Liz Coolbaugh
April 22, 1999