See also: last week's Security page.
News and editorials

Licensing issues on "open source" security software. It appears that the argument that security software must be provided along with the source code is starting to be more widely accepted. We are seeing more security software produced by commercial organizations released as "open source software" (as opposed to tools developed by individuals or volunteer groups, which are frequently released under open source or free software licenses). We listed the announcement of one such tool last week, ITS4.
One of our readers, Alexandre Dulaunoy, pointed out that the license for ITS4 is not compatible with the Open Source definition from OSI because it explicitly restricts the use of the software for revenue generation. "Use by individuals and non-profit organizations is always allowed. Companies are permitted to use this program as long as it is not used for revenue-generating purposes."
Clearly RST chose to release the source code for ITS4 in order to show their confidence in their own code, to facilitate bug fixes and maybe even to accept improvements from others, but not in order to help produce a world where all software is free. This is their right. However, they should be strongly encouraged to call their software "source-code-provided", not "open source", or the value of that term will be diluted.
Another example of this comes with the announcement of the "open-sourcing of the Linux Tripwire product". The question of whether or not the product will truly be "open source" is unanswered. The product itself will not be released until Q3 2000 and no licensing information for it is yet available. One reader expressed a concern that Tripwire, Inc. may not understand the implication of releasing the source code for the Linux Tripwire product under an open source license. If the source code truly becomes open source, there will be nothing to prevent anyone from porting it to other operating systems, including, for example, NT, where Tripwire, Inc. currently generates revenue from selling its commercial, closed source version.
It is early days to point fingers. Tripwire is an excellent product and we hope to see it released under an actual open source/free software license, especially given the current backing of Caldera/Red Hat/SGI/VA Linux for this project. Having this type of integrity-validation tool as part of a base Linux distribution will be a "very good thing". The point is that calling a product "open source" should not be done until the license for it is available for scrutiny, and then only if it meets the Debian Free Software Guidelines or the Open Source Definition.
This week's discussion topics. SSH security was a major topic on BugTraq this week, particularly in reference to combining SSH with X forwarding and agent forwarding. The issue is that, in cases where you are using an SSH client to connect to an untrusted server, or to a server that may have been compromised, the X forwarding feature of SSH will make you much more vulnerable. OpenSSH has now disabled X forwarding by default. You can do the same by using "ssh -x". It is probably a good idea to always run without X forwarding enabled unless you know you need it.
For more SSH information, you might want to check out SecurityPortal's second SSH article. This one focuses on OpenSSH. (Thanks to John Villalovos.)
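As an added illustration (not part of the original article), the following sketch audits an OpenSSH client configuration for hosts where X11 or agent forwarding ends up enabled, applying ssh_config's rule that the first value obtained for an option wins. The sample configuration and host names are constructed, and `Match` and `Include` directives are not handled.

```python
import fnmatch

# Constructed sample client configuration (not from the article).
SAMPLE_CONFIG = """\
Host build.example.org
    ForwardX11 yes
    ForwardAgent yes
Host *.lab.example.org !gw.lab.example.org
    ForwardAgent yes
Host *
    ForwardX11 no
    ForwardAgent no
"""
WATCHED = ("forwardx11", "forwardagent")


def host_matches(patterns, host):
    """ssh_config Host matching: any positive match, vetoed by any '!' match."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive


def effective_forwarding(config_text, host):
    """Forwarding options in effect for host; the first value obtained wins."""
    result = {}
    applies = True  # lines before the first Host keyword apply to every host
    for raw in config_text.splitlines():
        parts = raw.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            applies = host_matches(value.split(), host)
        elif applies and key in WATCHED and key not in result:
            result[key] = value.lower()
    return {k: result.get(k, "no") for k in WATCHED}  # unset means "no"


def risky_options(config_text, host):
    """Watched options that are not 'no' for this host, sorted by name."""
    eff = effective_forwarding(config_text, host)
    return sorted(k for k, v in eff.items() if v != "no")
```

Because the first value wins, a trailing `Host *` block with both options set to `no` acts only as a default, and any earlier per-host `yes` still takes effect.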
Apache 1.3.12 released. Apache 1.3.12 was released on February 25th. It contains fixes for the "cross site scripting" security alerts described in advisories from CERT and Apache.org. An upgrade to this version is highly recommended.
Security hole in ht://Dig. The ht://Dig search engine has a security hole which can allow a remote intruder to read files on your system that you did not wish to export. Version 3.1.5, just released, closes this hole; an upgrade is recommended. See the alert for details. A full security audit of ht://Dig is now being started. Anyone who wishes to help with the audit can contact the developers at firstname.lastname@example.org.
Distribution updates for ht://Dig:
Please note that our mention of the Debian update on the daily page this week contained an incorrect URL, pointing to an earlier Debian update to htdig from last December. Our apologies. If you checked the update via the daily page, you may wish to double-check it here.
Remote vulnerability in nmh. Versions of nmh prior to 1.0.3 can be made to execute arbitrary commands via the mhshow command. Check this note for more details.
Buffer overflow in dump. The dump command contains a buffer overflow, according to Yong-jun, Kim.
Another MySQL update. The latest version of MySQL contains fixes for the remote access vulnerability, discussed in the February 10 LWN security page. Distribution updates for MySQL have been released from:
Resources

Sun releases host vulnerability scanner. Sun has released an early version of its Sun Enterprise Network Security Service (SENSS) security scanner system. It's written in Java, and supports Linux as a tier-1 platform. The licensing is the usual SCSL, which is not optimal, but it does get the system out there where people can work with and use it.
ITS4 1.0.1 released. Here is the announcement for ITS4 1.0.1.
Nessus version 0.99.6. A new development version of Nessus, a remote security scanner, has been announced. Upgrades are recommended for anyone using an older version of Nessus.
Saint 2.0 beta 1. Speaking of security scanners, a new beta release of Saint has been announced.
Secure-Linux patch. 2.2.14 version 2 is a new version of the Secure-Linux patch, updated for the 2.2.14 kernel.
Events

SANE 2000. A reminder about SANE 2000, an international conference on System Administration and Networking, coming up in the Netherlands this May ...
Section Editor: Liz Coolbaugh
March 2, 2000