News and editorials

Duplicate key IDs for PGP-signed mail. Povl H. Pedersen posted a note to BugTraq describing the discovery of a duplicate key ID when a friend of his was verifying a PGP-signed email address. "The problem is, that the PGP servers expects all key IDs to be unique numbers, and does not expect 2 users to have the same keyID. And with the current amount of users, we are starting to get multiple users with the same keyID."

This issue will need to be dealt with, and quickly. The existence of a duplicate key ID could allow falsified mail: a signature checked only against a key ID, rather than the full key fingerprint, could be matched to the wrong key. If a duplicate key ID can be generated by accident, presumably it can also be generated on purpose. Network Associates was not directly informed of the problem, which was posted today, so no response from them is yet available.
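As an added illustration (not part of the BugTraq post or this page), assuming that the short key ID is the low 32 bits of a key's fingerprint, the Python below shows why duplicate key IDs are expected once a key server holds tens of thousands of keys, and how a client can refuse to resolve an ambiguous key ID unless the full fingerprint matches. The fingerprints and owner names are constructed.

```python
import math
from collections import defaultdict

# Assumption: the "short" key ID shown by key servers and mail clients is the
# low 32 bits of the 20-byte key fingerprint.
KEY_ID_BYTES = 4

# Constructed sample keys: owner -> fingerprint (hex). alice and bob are built
# so that their fingerprints differ but end in the same 32 bits.
SAMPLE_KEYS = {
    "alice": "1111111111111111111111111111111112345678",
    "bob":   "2222222222222222222222222222222212345678",
    "carol": "33333333333333333333333333333333ABCDEF01",
}

def short_key_id(fingerprint_hex: str) -> str:
    """Low 32 bits of the fingerprint, as the 8-hex-digit key ID."""
    return fingerprint_hex.upper()[-2 * KEY_ID_BYTES:]

def duplicate_key_ids(keys: dict) -> dict:
    """Return {key_id: [owners]} for every key ID claimed by more than one key."""
    by_id = defaultdict(list)
    for owner, fpr in keys.items():
        by_id[short_key_id(fpr)].append(owner)
    return {kid: owners for kid, owners in by_id.items() if len(owners) > 1}

def resolve_key(keys: dict, key_id: str, expected_fingerprint=None):
    """Find the owner for a key ID, refusing to guess when it is ambiguous.

    Returns the owner name, or None when the ID is unknown or when several
    keys share it and no full fingerprint was supplied to disambiguate.
    """
    matches = [(o, f) for o, f in keys.items() if short_key_id(f) == key_id.upper()]
    if expected_fingerprint is not None:
        matches = [(o, f) for o, f in matches
                   if f.upper() == expected_fingerprint.upper()]
    return matches[0][0] if len(matches) == 1 else None

def collision_probability(n_keys: int, bits: int = 8 * KEY_ID_BYTES) -> float:
    """Birthday bound: chance that at least two of n_keys keys share a key ID."""
    return 1.0 - math.exp(-n_keys * (n_keys - 1) / (2.0 * 2 ** bits))

if __name__ == "__main__":
    print("ambiguous IDs:", duplicate_key_ids(SAMPLE_KEYS))
    print("by ID only:", resolve_key(SAMPLE_KEYS, "12345678"))
    print("by fingerprint:", resolve_key(SAMPLE_KEYS, "12345678", SAMPLE_KEYS["bob"]))
    print("P(collision) at 65536 keys: %.2f" % collision_probability(65536))
```

At 65,536 keys the birthday bound already gives roughly a 39% chance of at least one shared 32-bit key ID, so a verifier that stops at the key ID is relying on luck rather than on the signature.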
ARIP: Association of Responsible Internet Providers. One result from the long weeks of discussion of distributed denial-of-service attacks on BugTraq has been the creation of a mailing list to discuss potentially creating an organization to promote and recognize responsible behavior on the part of Internet Service Providers (ISPs). David Nesting posted a note summarizing responses to his suggestion that such an organization be created. It contains a pointer to the mailing list, as well as to other organizations that are dealing with this issue, including NANOG (The North American Network Operators' Group) and ISPF (Internet Service Providers' Forum).
Security and Apache: An Essential Primer (LinuxPlanet). LinuxPlanet has a tutorial on securing a Linux/Apache system. "Chances are that your Web site has at least a few pages that you really don't want published to the Internet at large. How do you keep the Black Hats from seeing them, whilst not impeding the access of the White Hats who need the pages?"
New site on Linux security (Upside). Upside ran this article on the launch of LinuxSecurity.com. "Last month's denial of service uproar has intensified attention to Internet security. Coincidentally -- or perhaps not, depending on your viewpoint -- last month also saw the debut of LinuxSecurity.com, a new website completely dedicated to Linux operating system security issues."
Security Reports

dump/restore. A new version of the Linux dump/restore package with a fix for the potentially exploitable buffer overflows in dump/restore has been made available. Note also that comments on BugTraq indicate that NetBSD and OpenBSD versions of dump/restore are not impacted by this problem. However, there was one report that the FreeBSD version of dump is vulnerable.
Remote vulnerability in nmh. Versions of nmh prior to 1.0.3 can be made to execute arbitrary commands via the mhshow command. Check this note for more details. (First reported March 2nd, 2000.)
dosemu problem in Corel Linux. Corel Linux contains an improperly configured dosemu package, which can allow local users to execute commands as root. Check BugTraq ID 1030 for more details. No other Linux distributions have been reported to be vulnerable.
Fixes for this can be found on the DOSemu site.
mtr-0.42. A new version of mtr, a program that combines ping and traceroute in a full-screen display and runs faster than traceroute, has been announced in reaction to problems with its management of root privileges. An upgrade is recommended if you are using this tool.
Resources

OpenSSH 1.1.2p1 for Linux. A new version of the Linux port of OpenBSD's OpenSSH program has been announced. An upgrade is recommended due to the inclusion of an important RSA key generation fix.
GNU userv 1.0.0. userv is a program for invoking an executable in situations of limited trust.
Section Editor: Liz Coolbaugh
March 9, 2000