News and editorials

Bastille Linux 1.0.0 is out. Bastille Linux - a project to produce a highly secure distribution - has released version 1.0.0. This version is not a separate distribution; instead, it takes the form of the "Bastille Linux hardening script," a script which tightens up a Red Hat 6.0 system (6.1 support is forthcoming).
Commercial PGP to be available worldwide. Network Associates has announced that it has been granted a license "to export its full strength PGP encryption software to virtually all countries worldwide without restriction." The granting of this license represents a major change of thinking on the part of the U.S. Government, which has always sought to keep strong crypto products off the international market.
This turnaround suggests one of two things: (1) the government has figured out how to break PGP, or (2) they have concluded that the economic harm of preventing such exports far outweighs the (almost nonexistent) "national security" benefits. In any case, it looks like the resistance to widespread deployment of cryptography is slowly fading away - at least in the U.S. The benefits for systems security are clear.
What pure or applied technical measures can be taken to protect the Internet against future forms of attack? Packet Storm has announced the Storm Chaser 2000 contest, which will award $10,000 to the person who comes up with the best answer to that question. Submissions must be in the form of a white paper describing the measures. Those who wish to enter should get writing soon; the deadline is January 10.
Security Reports

The 2.0 kernel has a denial-of-service vulnerability which allows local users to crash the system with a malicious ping command. If you are running a 2.0.x system, you may want to either (1) restrict access to ping (it is installed setuid root so that it can open a raw socket, which is why limiting who may execute it also limits who can trigger the crash), or (2) install an updated ping which works around the problem. Stephen White posted such a ping for Red Hat 5.2 systems. Neither workaround fixes the real problem, which is in the kernel, but both can prevent crashes in the short term.
In the longer term, a fix is being prepared now, and it appears that a new 2.0 release will be forthcoming.
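As an added example (this is not code from the LWN page, nor Stephen White's patched ping), here is how the first workaround, restricting who may run the setuid ping binary, can be carried out and then verified rather than assumed, together with a small audit that lists any other setuid binaries anyone on the box can execute. The path /bin/ping and the group name pingusers are assumptions for illustration; the script needs only POSIX sh and find.

```shell
#!/bin/sh
# Added example, not code from the LWN page or from the patched ping mentioned
# there: restrict a setuid-root binary such as ping to members of one group,
# and audit a directory for other setuid binaries that anyone may run.
# Assumptions: /bin/ping is the binary and "pingusers" is a group created for
# the purpose (both illustrative); GNU or BSD find is available.

# restrict_setuid_binary BINARY GROUP
# Makes BINARY group-owned by GROUP with mode 4750: still setuid, runnable by
# the owner and by GROUP members, not runnable by anyone else.  Returns
# non-zero if any step fails or the resulting mode is not exactly 4750.
restrict_setuid_binary() {
    bin=$1
    grp=$2
    if [ ! -f "$bin" ]; then
        echo "restrict_setuid_binary: no such file: $bin" >&2
        return 1
    fi
    chgrp "$grp" "$bin" || return 1
    chmod 4750 "$bin" || return 1
    # Verify rather than trust: an exact -perm prints the path only if the
    # mode is precisely 4750.
    if [ -z "$(find "$bin" -perm 4750 -print)" ]; then
        echo "restrict_setuid_binary: mode of $bin is not 4750" >&2
        return 1
    fi
    return 0
}

# list_world_runnable_setuid DIR
# Prints, one per line, the regular files under DIR that are setuid and
# executable by "others".  Each one is a candidate for the same treatment.
list_world_runnable_setuid() {
    find "$1" -type f -perm -4001 -print 2>/dev/null | sort
}

# Usage on a real system (as root):
#   sh restrict-ping.sh /bin/ping pingusers      # lock ping down to one group
#   sh restrict-ping.sh --audit /usr/bin         # find other world-runnable setuid files
case "$1" in
    --audit) [ -n "$2" ] && list_world_runnable_setuid "$2" ;;
    "")      : ;;   # no arguments: only define the functions
    *)       [ -n "$2" ] && restrict_setuid_binary "$1" "$2" ;;
esac
```

Restricting ping this way only keeps unprivileged users from triggering the crash; anyone who already has root can open a raw socket without ping, so this is a stopgap until the kernel fix ships.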
Updates

CERT has put out an advisory on the ssh buffer overflow problem; this advisory does not say much that was not reported in last week's LWN. There does not seem to be an immediate fix to RSAREF available; the quickest fix seems to be to install the international version of SSH, which does not use RSAREF, instead. Note that the RSAREF problem can also affect other programs, including SSL implementations that use it.
A separate ssh problem was pointed out by Markus Friedl. It seems that the ssh server will allow the client to select an encryption type of "none," meaning that everything goes in the clear. This is a problem, of course, since the whole purpose of installing ssh is to avoid clear-text communications...
An update to htdig was released by the Debian project. This update fixes a remotely-exploitable vulnerability, and should be installed soon.
SuSE updates wvdial. SuSE has issued an update to wvdial which fixes a problem (possible exposure of dialup passwords) found there.
Resources

Immunix.org is back online. Immunix.org, home of the Immunix distribution and the paper on buffer overflows mentioned in last week's LWN, has overcome its communications problems and is back on the net.
SecurID authentication in Apache is now possible with the use of the new SecurID module which has just been released.
Section Editor: Liz Coolbaugh
December 16, 1999