Linux in the news
All in one big page
See also: last week's Security page.
News and editorialsNovember Crypto-Gram Newsletter. The November issue of Bruce Schneier's Crypto-Gram newsletter is out, and definitely worth a look. Covered topics include computer security (he doesn't think it will get any better), the DVD crack, and a delightful look at Windows CE security: "Microsoft encrypts your Windows NT password when stored on a Windows CE device. But if you look carefully at their encryption algorithm, they simply XOR the password with 'susageP', Pegasus spelled backwards. Pegasus is the code name of Windows CE. This is so pathetic it's staggering."
CNet takes a look at the buffer overflow in this commentary by Paul Fest. "Buffer overflows have been the most common form of security vulnerability for the past 10 years," according to a new paper published by the Oregon Graduate Institute of Science & Technology (OGI) and funded in part by the Defense Advanced Research Projects Agency (DARPA). "Because these kinds of attacks enable anyone to take total control of a host, they represent one of the most serious classes of security threats."
Crispin Cowan was the lead author for the OGI paper and will be presenting it next year at DARPA's Information Survivability Expo and at SANS 2000. It is good to see buffer overflows get wider media coverage, since new programmers clearly are not being taught how to properly develop and test their code. "'We're not learning the lessons of the past,' said Matt Bishop, associate professor of computer science at the University of California at Davis and author of an upcoming book on computer security. 'We knew how to handle buffer overflows in the 1960s and '70s. '"
Crispin dropped a note to BugTraq with feedback on questions he asked of that community while putting the paper together and included a link to a pdf version of the paper. However, that link did not appear to be working when we tried it.
More comments on ssh-1.2.27 exploitable hole. In last week's Security Summary, we mentioned an exploitable hole in ssh-1.2.27 which shows up if the package is compiled with "RSAREF" defined. We mentioned that FreeBSD contained packages that were known to be exploitable, while Debian GNU/Linux and the international rpm packages were not. Please note that the non-international rpms may indeed be vulnerable. You can check your ssh installation by typing:
% ssh -Vwhich, if the packages are vulnerable, will report:
Compiled with RSAREF.If your packages report that you are vulnerable, you should consider acquiring packages that are not vulnerable and reinstalling, pulling down the source code and compiling it yourself or taking a look at OpenSSH instead.
Security Reportsqpopper. The Qualcomm 3.X versions of qpopper contain an exploitable buffer overflow. The 2.X versions of qpopper do not appear to be vulnerable. For more information, check out the Security Focus vulnerability entry. Qualcomm has fixed the problem with qpopper3.0b22, which is now available.
UpdatesSlackware has announcements of security updates for Slackware 7.0 and Slackware 4.0, including bind, nfs-server, pine, syslog and more.
inn. A buffer overflow in inn 2.2.1 and prior makes this service vulnerable to a remote denial-of-service attack.
pine: When handling email containing HTML, pine expands URLs containing environment variables defined on the local machine. Several attacks are made possible as a result, including remote execution of arbitrary commands. [SecurityFocus description].
proftpd: Version 1.2.0pre9 of proftpd has produced enough confidence to result in updated packages, the first package updates for proftpd we've seen since late September. (Old)Definite Linux dropped us a note to let us know that the release of ssh shipped with Definite Linux is not vulnerable to the recent security flaw caused by the inclusion of the RSAREF libraries.
syslog: Denial-of-service problem triggered by the creation of too many processes to handle client/server communications. [ SecurityFocus description].
Note that the method being used to fix the syslog Denial-of-Service attack in recent updates is not preferred by everyone. Balazs Scheidler posted this note to Bugtraq describing his concerns with the method being used and an alternate method that will be used by syslog-ng in an upcoming release.
SuSE announces security tools. SuSE announced the availability of open source security tools developed by SuSE, including the SuSE FTP Proxy, SuSE Firewall, Harden Suse, which is a script to harden a SuSE Linux system, as well as several others. It is good to see more and more distributions get serious about security, especially since the Secure Linux projects have been very quiet as of late.
Bruce v1.0 Early Access 1. Bruce is "a flexible, Java-based infrastructure that permits centralized security management of small, medium and large-sized intranets." It is from Sun and released under the Sun community source license. It is only supported for Solaris, however Linux is listed among the target platforms for the final release version. It is likely to remain source-code available (but not "free" software) and free for use for non-commercial entities, plus possible internal company use.
Section Editor: Liz Coolbaugh
December 2, 1999
Secure Linux Projects Bastille Linux
Khaos Linux Secure Linux
Security List Archives
Firewall Wizards Archive
LinuxPPC Security Updates
Red Hat Errata
Yellow Dog Errata
Comp Sec News Daily
Linux Security Audit Project