News
The theme of the week seems to be small problems, involving information leakage or general sloppiness. Nothing too big or earthshaking - at least for those of us not running Windows systems.
Bencsath Boldizsar reported a problem with sudo wherein it will inform a clever user about the existence and permissions of files in a protected directory. Files in the directory remain inaccessible, but it really would be better to not leak the information about them.
Similarly, a problem exists with ssh 2 - its behavior is different depending on whether an account that an intruder attempts to log in to exists or not. Thus it is possible to find out whether a given account exists on a system or not. See the report from Alfonso Lazaro Tellez for details.
Then, there is a logging problem with su on Red Hat systems, and probably any other system which uses PAM. If an su fails due to a bad password, the sequence of operations seems to be:
Security Reports
CERT recently issued a security advisory for rpc.statd. Please note that Linux systems generally do not run rpc.statd (and those that do run a newer version), so they should not be impacted by this advisory.
A KMail security problem is addressed by this Caldera advisory, which contains pointers to updated rpms. [Recommended upgrade if you use KMail]
The Debian man-db package is vulnerable to a symlink attack and therefore an updated package has been made available. [Recommended upgrade]
Updates
Red Hat has put out updated versions of wu-ftpd and imap. Upgrades are recommended, though the imap patch only fixes a POP-2 problem on Red Hat 4.x and 5.x systems, and thus will not apply unless you are running the older POP-2 server.
Red Hat has also issued updates for the dev, rxvt, and screen packages, fixing a vulnerability there.
Resources
Matthew Franz asked us to remind people about his OpenSEC web page. OpenSEC contains a well-organized set of links to open-source-based security tools and a moderated announcement list. A moderated discussion list is also in the works.
SANS Linux security workshop. SANS has issued a call for papers for their "Workshop On Securing Linux," which will be held in San Francisco on December 15 and 16, 1999.
Section Editor: Liz Coolbaugh
June 17, 1999