See also: last week's Security page.
News and editorials
NSA Linux? Here's a press release from Secure Computing Corporation stating that it has been awarded a contract from the National Security Agency to develop "a robust and secure Linux platform." Many people speculated that the results would not be openly released, given the nature of the NSA. However, this post from Mike Beede at Secure Computing indicates that the results will be released under the GPL.
More details are promised in the near future. Mike closed with the comment, "Having a secure operating system available to the community will also benefit us, by giving us a non-proprietary platform for our security products."
Linux vs Microsoft: Who solves security problems faster? Security Portal has taken a look at response times to bug fixes, in an effort to determine whether the response time for open source software is truly shorter. The results: "Red Hat had the best score, with 348 recess days on 31 advisories, for an average of 11.23 days from bug to patch. Microsoft had 982 recess days on 61 advisories, averaging 16.10 days from bug to patch. Sun proved itself to be very slow, although having only 8 advisories it accumulated 716 recess days, a whopping three months to fix each bug on average."
The results turned out well enough this time, but given that patches for most open source security problems come out almost simultaneously with the initial announcement, or within only a few days, it is unfortunate that Red Hat updates followed after an average of 11 days. If the same measurements were made for all Linux distributors, some might fare slightly better, but most would fare worse. The time is coming when more attention needs to be paid to getting security updates out in a timely manner for all Linux distributions.
Responses flow in to new cryptographic rules. For good news, check out the Cracking DES book from the EFF, which has been put back online. A lot of press articles took a look at the issue as well:
No privacy protection for e-mail or chat sessions. This New York Times article describes the decision in a recent case in Washington state, where the judge chose to allow as evidence e-mail and recordings of chat sessions. "After all, the judge said, Townsend chose to 'communicate via e-mail and/or ICQ . . . with the knowledge that the computer itself is a transmission and recording device.'" Others believe the judge has taken a first step down a slippery slope.
MySQL. In last week's Security Page, we mentioned a security problem in MySQL. MySQL version 3.22.30 has been released and contains a fix for this problem. An upgrade is highly recommended.
Yams 0.5.7 - Security Fix Release. Yams 0.5.7 has been released. It fixes a problem where the customer id was being stored as a hidden field in some of the order pages. It would have been possible for users to modify this id.
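The Yams problem above is an instance of a general web-application mistake: a value the server needs to trust (here, which customer an order belongs to) is sent to the browser in a hidden form field and accepted back unchanged, so anyone can edit it before resubmitting. The following is an added example, not code from Yams or from this page; the request model, the `CUSTOMERS` and `ORDERS` tables and the `SERVER_SECRET` are constructed for illustration. It shows the weak pattern next to two defensive alternatives: taking the customer id from the server-side session and ignoring the posted value, or, where a value genuinely has to round-trip through the form, signing it with an HMAC so tampering is detected.

```python
"""Trusting a hidden form field vs. binding the value server-side.

Added example; not Yams code. All data below is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: two customers, each with one order.
CUSTOMERS = {"c-100": "alice", "c-200": "bob"}
ORDERS = {"c-100": ["order-1"], "c-200": ["order-2"]}

# Placeholder secret for the HMAC variant; a real deployment loads it from config.
SERVER_SECRET = b"constructed-example-secret"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request.

    session_customer_id is set by the server at login and is not client-editable.
    form holds everything the browser posted, hidden fields included, so the
    client fully controls its contents.
    """
    session_customer_id: str
    form: dict = field(default_factory=dict)


def orders_weak(req: Request) -> list:
    """Weak pattern: trust the customer_id the browser posts back from a hidden field."""
    cid = req.form["customer_id"]
    return ORDERS.get(cid, [])


def orders_session_bound(req: Request) -> list:
    """Fix 1: the authoritative customer id lives in the server-side session.

    Whatever the client posts as customer_id is ignored; a mismatch is a tamper
    signal worth logging for detection, but it never changes behaviour.
    """
    cid = req.session_customer_id
    posted = req.form.get("customer_id")
    if posted is not None and posted != cid:
        print(f"tamper attempt: session {cid} posted customer_id={posted}")
    return ORDERS.get(cid, [])


def sign_field(value: str) -> str:
    """Fix 2: make a hidden field tamper-evident by appending an HMAC over it."""
    mac = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_field(token: str) -> Optional[str]:
    """Return the signed value, or None if the MAC does not match (field was edited)."""
    value, sep, mac = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return value


def orders_signed_field(req: Request) -> list:
    """Use the HMAC-protected hidden field; reject the request if it was altered."""
    cid = verify_field(req.form.get("customer_id", ""))
    if cid is None:
        return []  # a real handler would return 400 and log the event
    return ORDERS.get(cid, [])


if __name__ == "__main__":
    # alice is logged in but edits the hidden field to bob's customer id.
    tampered = Request("c-100", {"customer_id": "c-200"})
    print("weak:         ", orders_weak(tampered))            # bob's order leaks
    print("session-bound:", orders_session_bound(tampered))   # alice's own order only
    edited_token = "c-200." + sign_field("c-100").split(".")[1]
    print("signed field: ", orders_signed_field(Request("c-100", {"customer_id": edited_token})))
```

The session-bound form is the preferable fix for an identity value, since the server already knows who is logged in and has no reason to ask the browser. The HMAC variant is for data that must legitimately travel through the form (a quoted price, a cart snapshot), and it only detects modification; it does not hide the value, so anything secret still should not go in a hidden field at all.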
sendmail concerns. Back in December, Michal Zalewski posted a list of procmail/sendmail bugs, at least one of which included a concern about a security issue with sendmail. Gregory Neil Shapiro posted an official reply this week. "We have run through the possible scenarios we could find and do not believe this to be a threat."
Updates
lpr/lprold: problems with potential IP spoofing and the ability to specify an alternate configuration file.
Resources
Bruce Schneier's CRYPTO-GRAM. The January 15th edition of CRYPTO-GRAM describes "publicity attacks". "I call this kind of thing a publicity attack. It's a blatant attempt by nCipher to get some free publicity for the hardware encryption accelerators, and to scare e-commerce vendors into purchasing them. And people fall for this, again and again." It also contains Bruce's comments on the new cryptography regulations and a great deal of fun links.
ssh-proxy. Magosanyi Arpad has released the code to a partially-developed ssh-proxy. "A serious programmer does not give out such a code. I wouldn't either, but I have to abort this project of mine here and I hope someone will find it interesting enough to keep on."
Section Editor: Liz Coolbaugh
January 20, 2000