News and editorials

Trustix Secure Linux 1.0 released. Trustix 1.0, a "secure Linux" distribution out of Norway, has been released. It is aimed at server tasks in particular, and includes strong encryption support. The distribution is also downloadable from http://www.trustix.com. Their mission statement explains their plans in more detail. There doesn't seem to be anything earth-shattering involved, just the incorporation of many security recommendations into the default distribution. It seems to be primarily aimed at supporting their consulting and administrative services.
Duplicate key IDs for PGP-signed mail. We've gotten lots of mail about this issue that we reported on last week. First of all, the problem actually reported turned out to be a case of a PGP server returning the wrong key, not one of a duplicate key, as Florian Weimer pointed out.
Second, followup on BugTraq that came out after we published covered the issue of duplicate keys in detail. The PGP FAQ describes the ability to generate a duplicate key as the "deadbeef attack". It is part of the PGP specification and the reason why key signatures and fingerprints are also important parts of the PGP verification process. Here is a pointer to the information on signing your key.
It was also pointed out that PGP servers should not assume that key ids are unique, according to the RFCs, and should therefore return all matches for a given keyid. For more information, check the relevant thread on BugTraq.
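As an added illustration (not part of the LWN item, the PGP FAQ or the BugTraq thread), the following Python computes an OpenPGP v4 fingerprint as RFC 2440 defines it from a constructed public-key packet, derives the 64-bit and 32-bit key IDs from it, and contrasts a keyserver-style lookup that returns every key matching an ID with verification against the full fingerprint. The toy RSA numbers and the two fingerprints ending in DEADBEEF are constructed for the example, not real keys.

```python
import hashlib

def mpi(n):
    """Encode an integer as an OpenPGP MPI: 2-byte big-endian bit count, then minimal big-endian bytes."""
    bits = n.bit_length()
    return bits.to_bytes(2, "big") + n.to_bytes((bits + 7) // 8, "big")

def v4_fingerprint(creation_time, algorithm, mpis):
    """RFC 2440 v4 fingerprint: SHA-1 over 0x99, the 2-byte body length, and the
    public-key packet body (version 4, creation time, algorithm id, key MPIs)."""
    body = b"\x04" + creation_time.to_bytes(4, "big") + bytes([algorithm])
    body += b"".join(mpi(m) for m in mpis)
    digest = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body)
    return digest.hexdigest().upper()

def key_id(fingerprint):
    """The 64-bit key ID is just the low 8 bytes of the fingerprint."""
    return fingerprint[-16:]

def short_key_id(fingerprint):
    """The 32-bit short key ID is the low 4 bytes: only 2^32 possible values."""
    return fingerprint[-8:]

def lookup(keyring, wanted_id):
    """Keyserver-style lookup: return every key whose long or short ID matches,
    rather than silently picking the first one."""
    wanted_id = wanted_id.upper()
    if wanted_id.startswith("0X"):
        wanted_id = wanted_id[2:]
    return [fpr for fpr in keyring if key_id(fpr).endswith(wanted_id)]

def matches_fingerprint(keyring, expected):
    """The reliable check: the full 160-bit fingerprint obtained out of band."""
    return expected.replace(" ", "").upper() in keyring

# Constructed sample key: a toy RSA modulus and exponent, NOT a real key pair.
TOY_KEY = dict(creation_time=953164800, algorithm=1,
               mpis=[0xC0FFEE1234567890ABCDEF, 65537])
TOY_FPR = v4_fingerprint(**TOY_KEY)

# Constructed keyring: the toy key plus two made-up fingerprints that share the
# short key ID DEADBEEF but nothing else (the "deadbeef" situation).
KEYRING = [
    TOY_FPR,
    "0123456789ABCDEF0123456789ABCDEFDEADBEEF",
    "FEDCBA9876543210FEDCBA9876543210DEADBEEF",
]

if __name__ == "__main__":
    for fpr in lookup(KEYRING, "0xDEADBEEF"):
        print("candidate key", key_id(fpr), "fingerprint", fpr)
    print("toy key fingerprint verified:", matches_fingerprint(KEYRING, TOY_FPR))
```

Searching by the short ID yields two unrelated candidates; only the full fingerprint, compared against a value obtained from the key's owner, settles which one is genuine.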
Preventing Distributed Denial of Service Attacks (O'Reilly). The O'Reilly Network talks about prevention of DDOS attacks. "If you want to prevent distributed denial of service attacks on your hosts, the best hope you have is to prevent your own hosts and networks from being used to cause denial of service attacks on others and to encourage other network and system administrators to do the same."
SuSE: IMAP update. SuSE has released an advisory covering a vulnerability in the IMAP server, along with an update to resolve the problem.
StarOffice StarScheduler vulnerabilities. Two vulnerabilities have been reported in StarOffice's groupware server, StarScheduler. These vulnerabilities can allow remote root access, a denial-of-service attack and improper read access to files. These problems were apparently reported to Sun on February 6th, but no fixes have been made available. Disabling StarScheduler or restricting access to the relevant port (801) is recommended.
mtr. Version 0.42 of mtr fixed vulnerabilities in its method of dealing with root privileges, a problem covered in the March 2nd Security Summary. This week, the first distribution update for mtr has become available: TurboLinux has released their update for this problem.
MySQL. TurboLinux also put out an update for the security hole in MySQL covered in the March 2nd Security Summary.
Printtool. A vulnerability in printtool as installed on Red Hat Linux 6.1 has been reported. Debian is not vulnerable to this problem.
Resources

Bruce Schneier's CRYPTO-GRAM. The March 15th edition of CRYPTO-GRAM has been released. One interesting tidbit: a law case where cracking software was successfully labeled a "burglary tool".
Mason mailing lists established. A set of mailing lists for the Mason automated Linux firewall builder has been announced. Mason is an interesting tool that seeks to ease the detailed process of setting up Linux firewall rules.
Section Editor: Liz Coolbaugh
March 16, 2000