Linux in the news
All in one big page
See also: last week's Security page.
News and editorialsRecommended reading: Bruce Schneier's Crypto-gram newsletter for September 15th. It contains a lengthy essay on why open source is critical for secure systems.
"Comparing the security of Linux with that of Microsoft Windows is not very instructive. Microsoft has done such a terrible job with security that it is not really a fair comparison. But comparing Linux with Solaris, for example, is more instructive. People are finding security problems with Linux faster and they are being fixed more quickly. The result is an operating system that, even though it has only been out a few years, is much more robust than Solaris was at the same age."(Thanks to Karl Vogel, Wright-Patterson AFB).
USA Today has run an article about how the U.S. government is waking up to free software.
"Security -- a perennial concern at government installations -- suddenly becomes manageable. Organizations with special needs will hire programmers to make small tweaks to existing packages, saving thousands of dollars that would otherwise have been spent on custom programming. Military bases finally have a way to get at the heart of their computer-security problems instead of relying on suppliers to fix their problems for them."
Linux-Mandrake has announced the creation of a new mailing list for security updates.
Additions to our security links in the right-hand column were made this week for both Yellow Dog Linux and Linux-Mandrake. We thank both of them for their commitment to security and for helping us share the most up-to-date information on their distributions with our readers.
Security ReportsZope 2.0.1 has been released. It contains fixes for an unpleasant vulnerability, so if you are running Zope 2.0, you will want to apply this upgrade immediately.
The problems with ProFTPD continue. Even as we announced ProFTPD 1.2.0pre6, an exploit for the new version came out. As a result, at least one Linux distribution, SuSE Linux, put out an advisory recommending that ProFTPD be deinstalled, or at least deactivated, and anon-ftpd, or the Open BSD-based ftpd that they ship with SuSE, be used instead. LinuxPPC did release an update for pre6, but most of the other distributions have been quiet, perhaps adopting a wait-and-see attitude. A patch for pre6 has been made available and a new version is expected out shortly.
ASUS mother boards have a function, Wake-On-Lan, which allows them to remotely trigger a power-on for a system if a packet is received via a network or modem port. Is this a security problem, asked R.S. Heuman on the Bugtraq lists? It could be, if you set it to wake on any packet. Apparently it can be set to trigger only on "special" packets and is meant to be a feature, allowing your system to conserve power when it is not actively receiving mail or being used. Of more concern, commented Alan Cox, are machines that can be remotely shutdown via your network. Apparently some of them use a password scheme, but use unencrypted passwords.
Lynx versions 2.8.2 and earlier pass information unchecked to external programs, such as telnet, allowing command-line parameters to be passed and used maliciously. Updates for this problem are listed below.
A buffer overflow in cfingerd 1.4.2 and earlier was announced on BugTraq today, along with an exploit. If you use cfingerd, you may want to disable it until a patch or update is available. Note that the vulnerability is a local, not remote, vulnerability.
UpdatesUpdates for mars_nwe reported so far:
Lynx updates reported so far:
An update to pb and pg:
An update to sccw:
ResourcesAn English translation of Michael Schmidt's long and detailed artcle on FreeS/WAN ("Free Secure WAN") is now available. FreeS/WAN still has some limitations, but it is developing very well and already much improved over the originally released version. "FreeS/WAN's goal is the protection of a growing segment of the Internet community against passive eavesdropping by private, but even more by government-related organizations, with inexpensive retail PCs." Michael Schmidt also sent thanks to Kai Martius, for assisting with the translation.
Bifrost is a Linux-based Firewall project, geared for flash disks around 35-45MB in size. Bifrost can be used as an edge router and/or a firewall. Bifrost distributions load directly onto the flash disk and support both the 2.0 and 2.2 kernel series. (Thanks to Karl-Koenig Koenigsson)
EventsThe Internet Security Conference will be held October 11th through the 15th at the Boston World Trade Center, Boston, Massachusetts, USA. For more information, check out their website.
Section Editor: Liz Coolbaugh
September 23, 1999
Secure Linux Projects Bastille Linux
Khaos Linux Secure Linux
Security List Archives
Firewall Wizards Archive
Red Hat Errata
Yellow Dog Errata
Comp Sec News Daily
Linux Security Audit Project