Linux in the news
All in one big page
See also: last week's Security page.
News and Editorials
Workarounds for the Linux capabilities vulnerability. In last week's Security Summary, we discussed a potential workaround for the Linux kernel capabilities vulnerability, for sites unable/unwilling to upgrade to the Linux 2.2.16/2.2.17 kernel series to get the proper fix. Our workaround involved the use of capcheck, a loadable kernel module which replaces the "capset" system call with a much more restrictive version.
This week on BugTraq, Patrick Reynolds posted a followup discussing ways in which /dev/mem can be used both to re-enable capabilities that have been disabled and to load custom, module-like code, even if you have disabled loadable modules on your system. It is worth a read.
Alternative ftpd servers. In light of the recent problems with wu-ftpd, and previous problems with proftpd (see the 1999 December 2nd Security Summary), suggestions for more secure ftpd servers for Linux have been popping up on BugTraq. This is not, by any means, an exhaustive list, but the following packages may be worth a look.
eWEEK Challenges Public to Hack Web Site. This week's challenge from eWEEK promises to allow people to attempt to crack security on a variety of different platforms, including "Solaris, Windows2000, Windows NT, OpenBSD and Linux". A report on the number of intrusion attempts per operating system, vulnerabilities found, etc., is promised at the end. Overall, though, security contests have rarely been found a particularly effective way of testing the true security of a system. In addition, as we've seen in the past, another key question is whether or not eWEEK has the internal expertise to deploy all of the aforementioned operating systems in a secure manner.
The Motives and Psychology of the Black-hat Community (SecurityFocus). SecurityFocus is publishing a series of articles entitled "Know Your Enemy". This week's article focuses on motives. "They may not be technically competent, or even understand the tools they are using. However by focusing on a large number of systems, they can achieve dramatic results. This is not a threat to take lightly. They are not concerned about what harm they may cause. They focus only on achieving their goals."
ISC DHCP client root vulnerability.The Internet Software Consortium (ISC) has issued a warning regarding a root vulnerability reported by the folks at OpenBSD in ISC's Open Source reference implementation of DHCP. An upgrade to 2.0pl1 or 3.0b1pl14 should resolve the problem.
Glftpd. Permissions in Glftpd 1.18 through 1.21b8 can be bypassed allowing protected files and directories to be accessed via a problem with the privpath directive according to this report. As a result, Glftpd 1.21 has been released with a resolution for this problem.
NetBSD: bad key generation in libdes. NetBSD has issued an advisory as a result of the installation of a new libdes library on June 24th. On systems that do not have a /dev/urandom device, this library creates a security vulnerability. An update to NetBSD-current since 20000622 is recommended.
FreeBSD: IP options processing errors. FreeBSD has issued an advisory concerning problems in the manner in which IP options are processed in the IP stack. Data corruption or a kernel panic can result. Also check NetBSD Security Advisory 2000-002, which describes an instance of this vulnerability. A kernel patch is provided to fix the problem, though it can also be resolved by an upgrade to 3.4-STABLE, 4.0-STABLE or 5.0-CURRENT. Note that an exploit for this vulnerability has been published.
sawmill. Sawmill, a site log statistics package, has been reported to contain a couple of vulnerabilities that could allow remote access to pretty much any file on the system. The vendor/maintainer has been notified and a patch/fix is promised in the near future.
Commercial products. The following commercial products were reported to contain vulnerabilities:
wu-ftpd.Check the June 15th Security Summary for a link to the mini-audit that turned up the latest set of problems with wu-ftpd.
SuSE: reminder after kernel upgrade. SuSE's Thomas Biege sent around a reminder to people to execute 'mk_initrd' and 'lilo' after upgrading their kernel packages, in response to some customer problem reports.
Zope. Zope 2.1.6 and 2.2beta1 contain a remotely-exploitable security problem. Zope 2.1.7 contains a fix. For more information, check last week's Security Summary.
Linux-Mandrake 7.1. Linux-Mandrake issued an advisory with links to package updates for bind, cdrecord, dump, fdutils, kdesu, xemacs, xlockmore. These are the same packages for which updated versions for Linux-Mandrake 7.0 were published last week.
Debian XFree86 3.3.6. Debian has issued new XFree86 packages which, according to this week's Debian Weekly News, contain patches for " fixing a denial of service attack, a symlink attack, and 4 security holes in Xlib". Debian does not appear to have issued an official advisory about the updated packages.
July security events.
Section Editor: Liz Coolbaugh
June 29, 2000
Secure Linux Projects Bastille Linux
Khaos Linux Nexus
Secure Linux Secure Linux (Flask)
Security List Archives
Firewall Wizards Archive
Kondara MNU/Linux Advisories LinuxPPC Security Updates
Red Hat Errata
Yellow Dog Errata
Security Software Archives
ZedZ.net (formerly replay.com)
Comp Sec News Daily
Linux Security Audit Project