News and editorials

More ssh problems! This time, ssh 1.2.27 with RSAREF2 defined was found to contain another buffer overflow which can make the machine running sshd allow an unauthorized login, according to this CORE SDI security advisory and this followup by Niels Provos. Note that the vulnerability is not specific to ssh; any code that uses RSAREF2 may be impacted.
Although OpenSSH is not vulnerable to an exploit as a result, it is impacted, as explained in this OpenBSD advisory, along with several other OpenBSD packages. US citizens will need to review this issue, since the advisory mentions "(This crypto problem only burns Americans!)"
Bastille Linux 0.93beta. Good news from the headwaters of efforts to create a secure Linux implementation: Bastille Linux 0.93beta has been announced. This is the beginning of a code freeze, so they are moving towards the release of their first stable version. It also seems to indicate that the homepage for the Bastille project has moved to http://bastille-linux.sourceforge.net/.
Open source SRP provides an alternative for secure authentication. SecurityFocus' Kurt Seifried takes a look at SRP, the Stanford SRP Authentication Project. "SRP provides several benefits over traditional methods, the biggest being that no actual encryption of the data takes place, meaning SRP can be exported legally from the US. SRP also makes no use of the patented RSA algorithm (typically used in key exchanges), so you can legally use it in the US (without having to pay RSA)."
A problem with shadow in Slackware 7.0 was reported on BugTraq and is said to allow a brute force attack on the password file. This report has not been confirmed, and no word from the Slackware team has come out as of yet.
The official PostgreSQL RPMs up through 6.5.3-1 had a permissions problem, reported by the RPM maintainer, Lamar Owen. Updated RPMs are now available, and a simple fix is mentioned for people who have already installed the older RPMs.

Updates

dump: fixes for a security problem when symbolic links are restored (see the original announcement).
ORBit, esound, and gnome-core: An easily guessable source of random data was used in ORBit and esound, which might allow an attacker to guess the authentication keys used to control access to these services. In addition, TCP Wrappers support has been added to gnome-session. [SecurityFocus entry] (Old)
Section Editor: Liz Coolbaugh
December 9, 1999