News and editorials

"Silently fixed" security bugs considered harmful. From Bugtraq: some complaints about the practice of fixing security problems without telling the world about them. Software maintainers will often do this, especially if the security problem is one that they have found themselves, with no known exploits in the outside world. It is nicer not to have to announce a security problem, and nobody is at risk anyway, right?
The problem, of course, is that thousands of users are running code with a security problem and do not know it. In the absence of a pressing need, the buggy code will not be upgraded, and the system remains vulnerable. When somebody eventually digs up the problem in older versions, people who thought they had tight systems find themselves in trouble.
This problem was pointed out by Michal Zalewski, who notes that a few problems have been "silently fixed" in sendmail. Sendmail 8.8.x has some vulnerabilities which have not been announced; users who have not upgraded to 8.9.3 may think they are secure but in fact are not.
The lesson seems clear: it is better to come clean about security problems (at least to the point of saying that they exist) so that people know to upgrade to a fixed version.
Linux trashed by British security consultant. British security consultant Stan Dormer has been advising companies to avoid Linux, according to this ZDNet article. "Dormer criticised the portrayal of Linux in the media as a practical alternative to Windows variants claiming that for the average user, Linux is not a secure option. His conclusions are based on research carried out by his company over a number of weeks."
Security Reports

A vulnerability in StackGuard has been found which could allow attackers to get past its buffer overflow protections in certain circumstances. No known exploits exist at this time, but all users of StackGuard (and the ImmuniX distribution) are recommended to upgrade. See the alert for details on the problem.
Bugs in bind. The Internet Software Consortium has put up a page describing several known vulnerabilities in the bind nameserver. They recommend that all sites should upgrade to version 8.2.2-P3 at first opportunity. As of this writing, we have not yet seen any updates from the Linux distributors; look for updates in the LWN daily page as we receive them.
A new version of dump and restore has been released; see the announcement for further information. There is a security fix to restore in this release that, according to the author, all users should apply. Given that the Linux distributors, thus far, seem not to be in much of a hurry to get new dump packages out there, it may be worthwhile to upgrade dump from the source distribution.
A security problem with Cobalt RaQ2 servers was posted by Chris Adams. Essentially, if a RaQ server hosts multiple independent sites, the administrators of those sites can, if so inclined, interfere with each other's operations. The vulnerability lies with the "cgiwrap" program, but was apparently introduced in Cobalt's modifications; cgiwrap on other systems is not vulnerable. Cobalt has issued this advisory which tells how to fix the problem.
A denial of service problem exists with sendmail according to this posting from Michal Zalewski. Sendmail allows any user to rebuild the alias database, which may seem harmless. However, the database is rebuilt in place, meaning that if the process is killed before the rebuild completes, the alias database will be left corrupted and unusable. That essentially shuts down mail on the system.
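The failure mode described in that report (a lookup database rewritten in place, so that a process killed mid-rebuild leaves a corrupt file) is easy to demonstrate alongside the usual fix, which is to build the new copy in a temporary file and rename it over the old one. The following is an added illustration, not code from the LWN page or from sendmail; the "alias database" is a constructed plain-text toy, not sendmail's real database format, and the `Interrupted` exception stands in for the process being killed.

```python
"""Atomic rebuild vs. in-place rebuild of a lookup file.

Added illustration (not from the page or from sendmail). The alias file here
is a constructed toy: one "name: target" entry per line. A rebuild that is
interrupted part-way either corrupts the live file (in-place rewrite) or
leaves the previous complete copy untouched (write-to-temp-then-rename).
"""
import os
import tempfile


class Interrupted(Exception):
    """Stands in for the rebuilding process being killed mid-write."""


def parse_aliases(path):
    """Parse the toy alias file; raise ValueError on a truncated entry."""
    aliases = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _, target = line.partition(":")
            if not target.strip():
                raise ValueError(f"corrupt entry: {line!r}")
            aliases[name.strip()] = target.strip()
    return aliases


def rebuild_in_place(path, entries, die_after=None):
    """Unsafe pattern: truncate and rewrite the live file.

    If the process dies after `die_after` records, the file is left with a
    partial record and every later lookup fails.
    """
    with open(path, "w") as f:
        for i, (name, target) in enumerate(entries):
            if die_after is not None and i == die_after:
                f.write(f"{name}: ")  # half a record on disk, then killed
                f.flush()
                raise Interrupted
            f.write(f"{name}: {target}\n")


def rebuild_atomic(path, entries, die_after=None):
    """Safe pattern: write a temp file in the same directory, fsync, rename.

    Readers always see either the old complete file or the new complete
    file; a crash before the rename leaves the old file untouched.
    """
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".aliases.", dir=dirname)
    try:
        with os.fdopen(fd, "w") as f:
            for i, (name, target) in enumerate(entries):
                if die_after is not None and i == die_after:
                    f.write(f"{name}: ")
                    f.flush()
                    raise Interrupted
                f.write(f"{name}: {target}\n")
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic rename on POSIX filesystems
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)  # discard the partial temp file
        raise


def survives_crash(rebuild):
    """Build a good file, crash during a rebuild, report if it is still usable."""
    entries = [("postmaster", "root"), ("webmaster", "alice"), ("abuse", "bob")]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "aliases")
        rebuild(path, entries)  # initial, complete build
        try:
            rebuild(path, entries, die_after=1)  # killed during second record
        except Interrupted:
            pass
        try:
            return parse_aliases(path) == dict(entries)
        except ValueError:
            return False


if __name__ == "__main__":
    print("in-place rebuild survives crash:", survives_crash(rebuild_in_place))
    print("atomic rebuild survives crash:  ", survives_crash(rebuild_atomic))
```

The rename has to stay on the same filesystem as the target (hence the temp file is created in the target's own directory), and the `fsync` before the rename is what keeps a power loss from leaving a renamed-but-empty file behind.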
Problems with Hylafax have been noted. Brock Tellier posted a report on a specific problem with faxalter; subsequent discussion indicated that there are other problems with the package as well. Fixes are not currently available; if you are running Hylafax on your system you may want to stay alert for updates once they come out.
Updates

Red Hat initscripts update. Red Hat has issued a security advisory for the initscripts package on version 6.1 of the distribution. There exists a race condition which could open up all sorts of holes; applying the update is recommended for all sites. Versions prior to 6.1 do not appear to be vulnerable.
MandrakeSoft updates kvirc. MandrakeSoft has issued an update to kvirc which fixes a vulnerability in that package. Linux-Mandrake IRC users should upgrade at first opportunity.
Resources

Replay.com is no more. The folks at Replay have changed their name to "Zedz Consultants," and their web site - including the definitive Red Hat crypto archive - is now at www.zedz.net.
CaclMgr is available for download; see the announcement for details. CaclMgr appears to be a replacement for sudo with some added features.
Section Editor: Liz Coolbaugh
November 11, 1999
Secure Linux Projects: Bastille Linux, Khaos Linux, Secure Linux
Security List Archives: Firewall Wizards Archive
Distribution security updates: LinuxPPC Security Updates, Red Hat Errata, Yellow Dog Errata
Other resources: Comp Sec News Daily, Linux Security Audit Project