Linux in the news
All in one big page
See also: last week's Security page.
XDM Insecurity revisited was the topic of a discussion on Bugtraq this week started by Jochen Bauer. He pointed out that the first report of XDM security problems was made in November of 1997 by Eric Augustus. Despite this, recent versions of Digital Unix, SuSE Linux and Red Hat Linux (among probably others) still ship with an Xaccess file that is insecure by default.
Suggestions for securing gdm or xdm were made. Overall, though, it was recommended that anyone using xdm or gdm block UDP port 177 on their firewall. Hopefully, the distributions will take a look at this issue and take measures to better secure their base distributions.
Kurt's Closet is a new column on SecurityPortal; the inaugural article is about Linux and encryption. "If an attacker manages to get access to your backup tapes, or gains physical access to a server, your data is suddenly very insecure, despite file permissions. Or if an attacker puts a laptop with sniffing software on your internal network, all that money you spent on securing the fileserver is much wasted. Encrypting your data can solve these problems."
In the growing conflict between law enforcement concerns and privacy issues in the digital age, a Justice Department proposal, to be dubbed the Cyberspace Electronic Security Act (CESA), seeks to extend authorization to law enforcement to decrypt information that it has legally seized. "A sound and effective public policy must support the development and use of encryption for legitimate purposes but allow access to plaintext by law enforcement when encryption is utilized by criminals. " As reported by ZDNN, however, concern is that the bill provides for surreptitious surveillance, by allowing law enforcement officials to break into someone's house, for example, and disable the encryption on someone's computer without informing them, widening the now-rare use of such "wire-tapping" authorizations. CNN and TechWeb also commented upon the bill, outlining concerns from privacy groups.
Meanwhile, it was interesting to note that the original bill carefully states,
"this Act is not intended to make it unlawful for any person to use encryption in the United States for otherwise lawful purposes, regardless of the encryption algorithm selected, key length chosen, or implementation technique or medium used. Similarly, this Act is not intended to require anyone to use third parties for storage of decryption keys, and this Act does not establish any regulatory regime for entities engaging in such an activity. Finally, this Act is not intended to affect export controls on cryptographic products."This paragraph can be taken as an indication that encryption issues are now sensitive enough that the bill proposers wished to distance themselves from them in order to make it easier to find sponsors for the bill. Perhaps the DoJ no longer expects that it can hold back the use of encryption.
Security ReportsMultiple buffer overflows in Windowmaker have been found. No exploits have been reported. Here is the original posting from Stan Bubrouski which outlines the problem.
The first involves a problem with pt_chown, a setuid program that supports non-suid programs that don't have devpts support. Terminal hijacking may be possible as a consequence, along with a root compromise. Until a patch for pt_chown has been made available, the recommended solution is to change the permissions on /usr/libexec/pt_chown. Red Hat 6.0 is vulnerable to this problem.
In addition, Michal reported a new vulerability in wu-ftpd.
QMS 2060 printers allow passwordless access to their root account. This can be exploited to produce a denial-of-service attack or to use resources without proper logging. Check the Bugtraq vulnerability database entry for more details.
UpdatesCaldera Updates. Caldera issued two advisories on August 18th and two more on August 23rd. The first reported a problem with xmonisdn, part of the isdn4k/utils package. This is a configuration problem and will not impact you if you are running with their default configuration.
The second advisory reported a buffer overflow in the termcap library, discovered by the Linux Security Audit Team. The advisory indicates that Caldera OpenLinux 2.2 is not vulnerable to this buffer overflow, so OpenLinux users are not affected.
The advisories on August 23rd covered the XDM issue mentioned above, for which they recommend modifying the Xaccess file, and new netkit-telnet and ncurses packages to correct the in.telnetd problem we mentioned in last week's Security Summary.
Debian updates. Debian also issued an advisory about the issues with the termcap library. Since they have abandoned the use of termcap for terminfo, Debian is generally not impacted. However, if you have compiled your own programs using termcap, you will want to upgrade to their new termcap-compat package.
Four additional advisories from Debian came out, including a potential problem with rsync, and /tmp file handling problems with smtp-refuser, trn and man2html. Upgrades are recommended for all four of these issues.
Debian also issued a comment regarding security problems with seyon, why they cannot issue a fix for them. They recommend that seyon users switch to using minicom instead.
Mandrake updates. Mandrake also issued updated isdnutils packages as a result of the problem with xmonisdn. Check near the bottom of their updates page for more details.
Red Hat updates. Red Hat issued an advisory about problems with in.telnetd, reported by the Linux Security Audit Team. An updated package, telnet-0.10-29, is provided. More information on the problem can be found in last week's Security Summary.
In addition, two more advisories were published on August 25th. One of them addresses the problems mentioned with wu-ftpd while the other address a buffer overflow in crond which could allow a local user access to root privileges. Upgrading to the packages listed in the advisories is recommended.
SuSE updates. No SuSE security updates have been listed since June 30th, 1999.
ResourcesA mailing list for the libnet C library has been announced. "libnet is an API to help with the construction and handling of network packets. It provides a portable framework for low-level network packet handling (use libnet in conjunction with libpcap and you can write some really cool stuff)."
EventsCERT Conference '99 will start on August 30th, 1999, in Omaha, Nebraska. Check their website for more details.
Section Editor: Liz Coolbaugh
August 26, 1999
Secure Linux Projects Bastille Linux
Khaos Linux Secure Linux
Security List Archives
Firewall Wizards Archive
Red Hat Errata
Comp Sec News Daily
Linux Security Audit Project