News

DejaNews is the focus of a privacy concern, according to this ZDnet article. Of course, in this case, DejaNews does not actually use any of the information it collects, but the existence of their data leaves them open to court subpoenas and more that can elicit information out of the databases that DejaNews has created. "Peter Neumann, moderator of the RISKS forum, which Smith first told of the problem, said the DejaNews story is a classic. 'It's benign neglect, basically,' he said."
One of the authors of the RSA encryption technique, Adi Shamir, has put together a description of a machine that can relatively easily break the RSA code. For more information, check out this New York Times article. Of course, RSA with shorter (i.e. 512 bit) keys has been considered relatively insecure for a while, so this is not particularly surprising.
SecurityPortal.com has a cover story this week on The Buffer Overflow Problem. It is a good introduction to what buffer overflows are, how they happen, the potential consequences, etc. They also talk about the StackGuard product and provide links to articles from AlephOne on stack smashing and more.
Security Reports

More wu-ftpd exploits are being published. Bugtraq contains a thread about the latest report, affecting wuftp2.4.2academbeta12-18. In the thread, Gregory Newby posted an excellent note, which talks about ways to configure your ftpaccess file to foil many of these exploits. Chad Price also reminded people that the VR patches to the wuftp academic version
A serious security problem with Oracle 8.0.5 can crop up if you have installed and configured the Intelligent Agent option. If you do so, it will install the oratclsh binary setuid with an ownership of root, making it very easy for anyone with a knowledge of tcl to execute commands on your system with root privileges. From this Bugtraq thread, this problem has been confirmed with 8.0.5 on Linux, Solaris, and Digital Unix.
Oracle has been updated and the problem will be fixed in 8.0.5. There are mixed reports on whether or not it was fixed with 18.104.22.168. Meanwhile, anyone using Oracle should check for the oratclsh binary and make sure it is owned by the Oracle install user and not setuid.
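The check described above, as an added example (this is not code from the LWN page or from Oracle): a small POSIX shell audit that walks a directory standing in for ORACLE_HOME, reports any copy of oratclsh that has the setuid bit set together with its owner, and a helper that clears the bit. The ORACLE_HOME path, the function names and the throw-away demo directory are assumptions.

```shell
# Added example, not from the original page. Assumes a POSIX sh with
# find(1), ls(1), chmod(1) and mktemp(1); the directory passed in is
# assumed to be the ORACLE_HOME tree you want to audit.

# audit_oratclsh DIR
# Prints an ls -l line (owner and mode) for every setuid copy of oratclsh
# under DIR. Returns 0 when none is found, 1 when at least one is.
audit_oratclsh() {
    # -perm -4000 matches files that have the setuid bit, whatever the
    # remaining mode bits are; a setuid copy owned by root is the bad case.
    hits=$(find "$1" -type f -name oratclsh -perm -4000 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | while IFS= read -r f; do
            printf 'SETUID: '
            ls -l "$f"
        done
        return 1
    fi
    return 0
}

# fix_oratclsh FILE
# Clears the setuid bit so the tcl shell runs with the caller's own
# privileges instead of those of the file owner.
fix_oratclsh() {
    chmod u-s "$1"
}

# Constructed demonstration: a temporary directory plays the role of
# ORACLE_HOME and an empty file plays the role of the installed binary.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    : > "$tmp/bin/oratclsh"
    chmod 4755 "$tmp/bin/oratclsh"      # simulate the insecure install
    if audit_oratclsh "$tmp"; then echo "clean"; else echo "setuid oratclsh found"; fi
    fix_oratclsh "$tmp/bin/oratclsh"
    if audit_oratclsh "$tmp"; then echo "clean after fix"; fi
    rm -rf "$tmp"
}

demo
```

On a real installation, run `audit_oratclsh "$ORACLE_HOME"` as the Oracle install user and confirm in the printed `ls -l` line that the owner is that user rather than root; the find expression relies only on the `-perm -4000` form that both GNU and BSD find accept.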
Updates

A recently reported bug in ICQ-WebServer (see this note) was repaired with build 1701, according to this update.
Resources

Ethereal version 0.61 has been released. Ethereal is a network packet analyzer, essentially a GUI that can read packets either from a live network interface or from a saved tcpdump capture file. For more information, check out the Ethereal website.
Netxmon is a new, X-based, session sniffer. The announcement gives a bit of background on why it was written. Note that ttywatcher, a well-known tool that performs a similar function, also has an X interface.
NSORG is a new security-related website for which a request-for-comment was posted to the comp.security.unix mailing list this week.
Section Editor: Liz Coolbaugh
May 6, 1999