Linux in the news
All in one big page
See also: last week's Security page.
NewsProposed security updates to the POSIX standard which languished in committee and were eventually discarded have been made available for public download in their unfinished form from Winfried Truemper's site, through his effort, with assistance from Mary Shepherd (IEEE) and Casey Schaufler (SGI), the former technical editor of the standard. Redistribution is not allowed, but now the ideas that were included for process capabilities, audit and information labeling are available for review and hopefully development, where appropriate. Open source implementations may provide a base for an unofficial standard, since the official process was unsuccessful. IEEE is to be applauded for their decision to release these materials.
Winfried's comments on why the standards remained unfinished and were eventually dropped are very polite. If you are interested in a more complete comment, check out Jason Zions' comments as well.
The Security and Freedom through Encryption (SAFE) Act has made it out of the House sub-committee, further than it got last year. ComputerWorld commented on the bill's passage and on the amendments that were slapped onto it before it made it out the door. The most potentially dangerous one they mentioned, "One of the amendments grants the Secretary of Commerce the authority to deny the export of any "custom-made" encryption products designed for "use in harming national security, use in the sexual exploitation of children [or] use by organized crime." The actual bill text we found did not include the text of this amendment, which will be critical to determine whether or not it can be used to restrict products produced for other purposes that could possibly be misused for one of these categories.
The LOMAC Loadable Kernel Module (Low Water-Mark Mandatory Access Control) version 0.1 is now available. This is a security enhancement to protect the integrity of processes and data and includes a partially functional prototype for non-SMP Linux 2.0.X systems. For more information, source code and documentation (all available under the GPL), check out ftp://ftp.tislabs.com/pub/lomac.
Security ReportsTcpdump was the subject of a bug report on Bugtraq which pointed out that tcpdump would go into an infinite loop upon receipt of a specific mal-formed package. This is not considered to be a large problem, since routers generally drop malformed packets, but it leaves tcpdump vulnerable to packets on a local network. A patch for the problem has been provided.
A serious security problem with sdr, the session directory tool for the MBONE, was discovered and reported to the sdr developers by Olaf Kirch. They confirmed the problem and are working on a fix. Until one is available, they recommend that you do not use sdr.
UpdatesRed Hat has put out three security-related updates in the past week, including updates for XFree86, PHP and KDE. All of these updates replace packages that had exploitable security problems, so they are essential upgrades for anyone using them.
Debian released an updated mailman package to fix a problem in the current package that could be used to forge authentication cookies and get unauthorized access to administration webpages. For more information on the vulnerability, check out this information from the mailman developers. This is a recommended upgrade for anyone using the mailman package.
ResourcesGNU autoconf test macros to test for functions from older systems that may emulate secure functions without providing the improved security have been created and made available by Duncan Simpson. For more information, check out his Bugtraq posting.
Securing your File System in Linux is the title of this article from Jim Reavis at Security.com. It is a good introduction to people new to the topic and serves as a well-organized review for the more experienced.
The Linux Security Audit Project now has a website on which members of the audit project can record what software packages they have found and the result of their audits. For more information, check out the announcement. Note that the website has been created, but there are no entries in the database as of yet.
The ISN mailing list, whose archives we list as a resource, appears to have ceased abruptly on June 10th, according to both our records and the archive. Mail to the mailing list address fails with "user unknown". If anyone knows the status of this list, or why it terminated, we would be interested to hear.
EventsJune 28th is the deadline for papers for the SANS 1999 Workshop On Securing Linux coming up in December in San Francisco.
Section Editor: Liz Coolbaugh
June 24, 1999
Secure Linux Projects Bastille Linux
Khaos Linux Secure Linux
Security List Archives
Firewall Wizards Archive
Red Hat Errata
Linux Security Audit Project