Security Reports
FreeBSD: Exploitable hole in ssh-1.2.27. An exploitable hole in ssh-1.2.27 has been reported under FreeBSD and a patch has been released. Note that versions of ssh not compiled with "RSAREF" defined are not vulnerable. As a result, current reports indicate that Debian GNU/Linux and the international rpm packages for ssh are not vulnerable to this problem.
thttpd remotely-exploitable buffer overflow. A buffer overflow in thttpd, a small, fast web server with a limited feature set, has been reported and was fixed extremely promptly by the author. Check below for distribution updates for thttpd.
Red Hat security update for user-mode nfsd. Red Hat has issued an update to nfsd for versions 4.2 and 5.2 of the distribution. The older user-mode NFS daemon had an unpleasant buffer-overflow problem. Those running older systems will want to upgrade. Red Hat 6.x, which is running the 2.2 kernel, is not vulnerable.
Updates
bind: Six different vulnerabilities are described on this ISC page. Upgrades are strongly recommended.
proftpd: Version 1.2.0pre9 of proftpd has produced enough confidence to result in updated packages, the first package updates for proftpd we've seen since late September.
thttpd: A remotely-exploitable buffer overflow has been discovered.
Resources
SANS: First Tuesday broadcasts. The SANS Institute November First Tuesday broadcasts will include two topics: "The Hunt for RingZero", which talks about investigating reports of heavy scanning activity in September, and "The CVE Project", which talks about efforts "to develop a common language for describing vulnerabilities and consensus list of vulnerabilities and exposures". The broadcasts are free, but registration is required.
Events
The 12th Annual FIRST Conference. The Call-For-Papers for the Forum of Incident Response and Security Teams (FIRST) Conference has been issued. The conference will be held June 25th through the 30th, in Chicago, IL, USA.
Section Editor: Liz Coolbaugh
November 18, 1999