
See also: last week's Security page.

News and Editorials

The Myth of Open Source Security (EarthWeb). EarthWeb has run this article by John Viega, author of mailman, the GNU mailing list manager. He takes a look at why the open source process, great for feature development and quick fixes for bugs once found, does not necessarily provide the best environment for developing secure software. "People using open source programs are most likely to look at the source code when they notice something they'd like to change. Unfortunately, that doesn't mean the program gets free security audits by people good at such things. It gets eyeballs looking at the parts of the code they want to change. Often, that's only a small part of the code."

This article is not a flame-bait, open source-bashing piece. It is a rational attempt to look at the development methods of the open source community and determine why there are so many simple, avoidable security problems out there, still waiting to be detected. It can easily be argued that commercially-developed software has as many problems or more.

The real point of the article is that we shouldn't assume that software is secure just because it is open source. Praise open source software for quick response to problems once found, but don't assume that all, or even most, of the problems have been dealt with already. Last, support the work of people who are providing security audits for open source code. Encourage new developers to learn about security issues. Require your own software to be designed with security in mind from the beginning, not as an afterthought.

Linux Kernel Auditing Project. The Linux Kernel Auditing Project has been announced. They are taking on a big bite: auditing the 2.0.X, 2.2.X and 2.3.X/2.4.X kernel series for potential security problems, as well as developing fixes for those problems without impairing the performance of the kernel or introducing new bugs. Their goals are laudable and we wish them the best of luck.

OpenSSH 2.1.1 released. A new release of OpenSSH has been announced. This new version, 2.1.1, contains a security fix for a vulnerability in OpenSSH that may exist if the UseLogin feature is enabled (not enabled by default). An upgrade to the latest version is recommended.
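Since the fix only matters on hosts where UseLogin has been turned on, the quick check an administrator wants is whether a given sshd_config enables it. The following script is an added example, not code from the LWN page or from the OpenSSH project; it assumes the path to the sshd_config file is passed as an argument, and relies on sshd's documented parsing rule that the first occurrence of a keyword wins and keywords are matched case-insensitively. The two configs it inspects are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the LWN page or OpenSSH): report whether an
# sshd_config enables the UseLogin feature. The default, per the
# advisory, is "no", so a config that never mentions UseLogin is safe.

uselogin_setting() {
    # $1: path to an sshd_config file.
    # Print the value of the first UseLogin line (lower-cased), or "no"
    # when the keyword is absent. Comment lines start with '#' and so
    # never match the keyword in field 1.
    v=$(awk 'tolower($1) == "uselogin" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-no}"
}

uselogin_enabled() {
    # Exit status 0 when UseLogin is on, 1 otherwise.
    [ "$(uselogin_setting "$1")" = "yes" ]
}

# Constructed sample configs: the weak setting beside the corrected one.
weak=$(mktemp)
hardened=$(mktemp)
trap 'rm -f "$weak" "$hardened"' EXIT

cat > "$weak" <<'EOF'
Port 22
UseLogin yes
EOF

cat > "$hardened" <<'EOF'
Port 22
# Let sshd set up the session itself instead of calling login(1).
UseLogin no
EOF

printf 'weak config:     UseLogin %s\n' "$(uselogin_setting "$weak")"
printf 'hardened config: UseLogin %s\n' "$(uselogin_setting "$hardened")"
if uselogin_enabled "$weak"; then
    echo "weak config would need the 2.1.1 upgrade even more urgently"
fi
```

Run it as `sh check-uselogin.sh` after adjusting the sample paths, or call `uselogin_enabled /etc/ssh/sshd_config` from another script; an explicit `UseLogin no`, as in the hardened sample, records the intended setting rather than relying on the default.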

In addition to announcing the new version, Theo de Raadt also passed on good news on the adoption of OpenSSH: "We've been completely blown away by the number of people who are switching from commercial ssh to openssh, with over 250,000 people visiting our web page in the last 3 months. It's really been a silent revolution, because thousands of people welcomed the switch from commercial use of non-licensed software to a free choice, but have not spoken about how they were running non-free software before."

Errata for 2.2.16 and 2.2.17pre1. A few people have hit problems with 2.2.16. Because it is important that people be able to run 2.2.16, due to the security fixes included therein, Alan has released the 2.2.16 errata patch set.

Also aimed at fixing the problems with 2.2.16 is the 2.2.17pre1 release which only addresses bug fixes.

Security Reports

restore. A locally exploitable buffer overflow in restore has been reported and an exploit published. Upgrading to dump-0.4b18 should fix the problem. No vendor packages have been released yet.

wu-ftpd. Michal Zalewski posted the results from a 20 minute "mini-audit" of the source code for wu-ftpd 2.6.0, turning up yet more problems in this server. No information on patches or fixes has yet been seen.

New Kerberos buffer overflow vulnerability. A new exploitable buffer overflow in Kerberos 4 KDC has been reported. This time, in addition to impacting MIT and Cygnus-based Kerberos distributions, the buffer overflow is also present in KTH-krb4 before version 0.10. Patches for the problem are included in the initial report.

NFS rpc.lockd Denial-of-Service. A denial-of-service vulnerability has been reported, but not confirmed, in the Linux rpc.lockd code for Linux 2.2.14 and 2.2.16.

snort. Snort 1.6 has been reported vulnerable to a denial-of-service attack, crashing in response to an nmap scan. This problem has been confirmed and Snort 1.6.1 should be released soon with a resolution for it. Snort is a lightweight intrusion detection program that runs on Linux, BSD and a variety of other platforms. Check the Snort home page for more details.

FreeBSD advisories. FreeBSD has put out advisories for apsfilter, ssh (FreeBSD-specific, updated advisory) and /dev/random (Alpha platform only). FreeBSD users are strongly encouraged to read the advisories and follow the included instructions.

Commercial products. The following commercial products were reported to contain vulnerabilities:


Linux kernel capabilities. Check last week's Security Summary for details. Linux kernel 2.2.16 contains fixes for this issue. Note also the errata for 2.2.16 mentioned above. For more information on the 2.2.16 kernel, check the release notes and Alan's thank-you note to the people who helped find and fix these problems.

Note that the sendmail update for this problem is not necessary if you update your kernel.

OpenSSH. Check BugTraq ID 1334 for more details.

Qpopper. Check the May 25th Security Summary for more details. Qpopper 3.0.2 or later should fix this problem.

Netscape SSL. Problems in the manner that Netscape handled invalid SSL certificates have been fixed in Netscape 4.73. Check the May 18th Security Summary for the initial report. Also check the June 1st Security Summary for additional problems in Netscape 4.73.

BRU. Check last week's Security Summary for details. Remember, this problem can easily be resolved by a permissions change or an upgrade to BRU 16.0.


OpenSSH Unix Port 2.1.1p1. A minor update to the Linux port of OpenSSH has been announced. It contains "lots of bugfixes".


June/July security events.
Date | Event | Location
June 19-23, 2000 | 12th Annual Canadian Information Technology Security Symposium | Ottawa, Ontario, Canada
June 25-30, 2000 | 12th Annual FIRST Conference | Chicago, Illinois, USA
June 26-28, 2000 | SSS2000 Strategic Security Summit (canceled!) | Helsinki, Finland
June 27-28, 2000 | CSCoRE 2000, "Computer Security in a Collaborative Research Environment" | Long Island, New York, USA
July 3-5, 2000 | 13th IEEE Computer Security Foundations Workshop | Cambridge, England
July 10-12, 2000 | Fifth Australasian Conference on Information Security and Privacy (ACISP 2000) | Brisbane, Australia
July 14-16, 2000 | H2K / HOPE 2000 | New York, New York, USA
July 26-27, 2000 | The Black Hat Briefings | Las Vegas, Nevada, USA
July 28-30, 2000 | DEF CON VIII | Las Vegas, Nevada, USA

Section Editor: Liz Coolbaugh

June 15, 2000

Secure Linux Projects
Bastille Linux
Khaos Linux
Secure Linux
Secure Linux (Flask)

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara MNU/Linux Advisories
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Yellow Dog Errata

Security Software Archives
ZedZ.net (formerly replay.com)

Miscellaneous Resources
Comp Sec News Daily
Linux Security Audit Project
Security Focus


Eklektix, Inc. Linux powered! Copyright © 2000 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds