News and editorials
A truly free ssh? This week's Debian Weekly News contained a link to this posting by James Troup. It seems that ssh 1.2.12 was published under a license that was still compatible with the Debian Free Software Guidelines (DFSG). OpenBSD has picked up that version of ssh and is working on "ripping out the patented algorithms (IDEA, etc.)" and, of course, they will have to fix the security problems in this older version. It is far enough along that OpenBSD has added it to their base system. This is excellent news! If anyone has more direct experience or knowledge with what OpenBSD is doing here, we'd love to hear about it.
What does "Secure" mean? A couple of new products showed up this month, both making claims to that word. The first, titled Secure DSL, made this editor wonder if perhaps an encrypted DSL line service was being offered. Closer perusal of the product description shows that it is simply the addition of firewalling capabilities: "The system works by securing each DSL line with network-based, packet firewalls, so precluding outside attacks." Now, firewalls are a good and necessary thing, but all the evidence of the past year clearly proves that they do not guarantee a "secure" line. With a starting price of $30,000 (aimed at ISPs), it is not a low-end solution, either.
The second product that caught our eye was the BRICKhouse from SAGE, a Linux-based web server appliance that they claim provides a "bullet-proof" web-site solution. This one was more interesting to examine. "BRICKHouse is a highly scalable Linux-based Web server that raises the standard on Internet security by incorporating an innovative approach to security called Process-Based Security (PBS)." By limiting access to files on a per-process, rather than per-user, basis, they believe they can prevent both malicious damage to the site and potential down-time. It is an interesting approach and deserves closer investigation.
Do watch out for the marketing, though! One person's "secure" is another person's "insecure". Stick with the rule that "security is a process, not a state". That said, if either product enhances your current security or addresses your needs, it will be worth a look (with a particular bias towards the Linux-based BRICKhouse :-).
In the on-going cryptography battles, the US Federal government has achieved one of their short-term goals, winning a new hearing on the issue of whether or not they have the right to regulate encryption, this time in front of an eleven-member panel of judges. "The existing regulations 'allow the government to restrain speech indefinitely, with no clear criteria for review,' said Judge Betty Fletcher in the 2-1 ruling. That, she wrote, prevents professors such as Bernstein from engaging in valuable scientific expression." Here's hoping that their new hearing only re-affirms the status of cryptography as a form of free speech.
ZDNet Labs admitted it was their choice not to apply security patches to the Red Hat system used in the recent PC Week challenge. LinuxToday waxed eloquent on that choice, which has called the integrity of ZDNet Labs into question, since they did choose to apply the latest service packs to the NT box.
Security Reports
kvt: A buffer overflow in kvt was reported to BugTraq this week. However, it seems the KDE Team was already aware of the problem, since the most recent version of KDE now ships without kvt. No patched version of kvt seems to currently exist and most people seem to be using other alternatives, such as xterm. Note, though, that if you want to keep kvt around for some reason, you'll need to save it off before applying the latest KDE updates. Otherwise, it will disappear during the upgrade process.
mirror: The mirror package contains a perl script which is used to duplicate directory hierarchies across machines and is popular for maintaining "mirror" sites. A vulnerability in this package can allow a remote site operator to create or overwrite files on the local machine. Vendor fixes for this problem are starting to come in. Check below in the updates section for details.
mutt: A buffer overflow has been found which can allow someone to send an email message containing commands that are then executed as the user. An immediate upgrade to mutt 1.0pre3 is recommended. Several vendor updates have already come out; check below.
Updates
All the following are security-related updates.
SuSE has released yet another new update to sccw, which fixes a vulnerability in this (setuid root) utility. Upgrades are recommended. Note that this is a different sccw update than the one that came out last week - more problems have come up since then.
Resources
Ethereal 0.7.5 was released on September 24th. Although clearly still pre-release, ethereal has started garnering mentions on newsgroups, where people apparently have found its protocol analysis capabilities very useful.
Section Editor: Liz Coolbaugh
October 7, 1999