See also: last week's Security page.
News and Editorials
SSH 1.2.30 released, new restrictive license. Since we published last week's Security Summary, two new versions of SSH 1.2.X have been released, 1.2.29 and 1.2.30. Both of these newer versions include bug-fixes, some of them security-related. In addition, though, as a kicker, both of the new versions have an updated license, directly taken from the ssh 2.X series. The license for ssh 1.X and 2.X has never been totally free, but the original 1.X license allowed both commercial and non-commercial uses in most cases. As of this point, anyone wanting to continue to use the ssh 1.X series will probably need to purchase a commercial license in order to do so (student and faculty members using it for non-commercial or charitable purposes are excepted).
When we posted the above item on the LWN Daily Page earlier this week, we also pointed out the availability of OpenSSH, a free software alternative to SSH from the folks at OpenBSD. OpenSSH supports both the ssh 1 and ssh2 protocols. It seems likely that many people who haven't bothered to move from ssh to openssh, if only because of inertia, may decide to do so now that SSH Communications has decided to further restrict their licensing.
We must, however, include one caveat, courtesy of Dave Finton, who pushed us to investigate potential patent issues with OpenSSH. Although OpenSSH itself is a free software product, openssh 1.X does use the patented RSA algorithm, which could get a commercial company into trouble, if they choose to move to it:
ZDNet calls this outcome a Cinderella story, not just because OpenSSH was created as a free alternative to SSH, but because the project was already fully developed and available to replace SSH Communications' ssh the minute they chose to restrict their license too far. "The moral of this tale? Next time you encounter a piece of software whose license is too restrictive for your tastes, don't get mad; do what the OpenSSH project did and get even!"
For even more fun, check out the feedback on the above ZDNet article. One respondent compared the situation to another several years ago:
Rain Forest Puppy's White Paper. In last week's Security Summary, we linked to a ZDNet article that discusses a white paper from Rain Forest Puppy on proposed guidelines for researchers and vendors dealing with security issues. The ZDNet article did not provide a URL for RFP's white paper, which is available at http://www.wiretrip.net/rfp/policy.html. (Thanks to Alex Butcher, Brent J. Nordquist and others).
Openhack-interactive security redux (eWeek/ZDNet). eWeek/ZDNet promotes OpenHack, its current challenge/contest to hackers to break into a set of preconfigured systems. "Some in the industry say that hacking contests are just publicity stunts, positing that, since the typical prize money is so small, no hacker worth his or her salt would want to participate. My view is more practical. Hackers who deface Web sites aren't in it for the money. They may not even be in it for the publicity. They do it because they can."
/tmp vulnerabilities in XFree86 4.0.1. Joseph S. Myers reported a /tmp vulnerability in the installation program for XFree86 4.0.1, commenting that he had previously reported the same problem for XFree86 4.0 in March and that other such errors could be found elsewhere in XFree86. BugTraq ID 1430 gives a concise list of the vulnerabilities he has reported. No comment has been seen from the XFree86 development team as of yet, nor any distribution updates.
XFree86 4.0 local root vulnerability. FreeBSD has issued an advisory regarding a vulnerability in XFree86 4.0 that can be exploited by a local user to get root access. They provide updated packages but also discourage the installation of XFree86 4.X on multi-user systems with untrusted local users. They also indicated that XFree86 4.0.1 most likely contains a fix for this problem.
BitchX format bug. BitchX, a popular IRC client, contains an exploitable formatting error, both in 1.0c16 and 75p3. An exploit can take the client down remotely. Patches for both versions have been made available.
ftp setproctitle() vulnerability. A format string vulnerability in setproctitle() impacts multiple versions of ftp, including proftpd, wu-ftpd, FreeBSD, NetBSD and OpenBSD. An upgrade to proftpd 1.2 and FreeBSD 2.2 or later will fix the problem for those platforms.
LPRng incorrect file permissions. LPRng author Patrick Powell posted an advisory reporting that LPRng 3.6.15 and earlier were incorrectly installed suid root by default. He identified a way in which the root privilege could be exploited and recommended that all users of LPRng remove the suid root permissions or upgrade to LPRng 3.6.20, in which the installation no longer assigns suid root.
Note, however, that the removal of root permissions may break compatibility with the older lpr/lpd installations, according to Cy Schubert.
tnef remote compromise. SuSE issued a security advisory regarding a vulnerability in tnef that could be remotely exploited to overwrite system files. tnef is a program that extracts mail packaged in Microsoft Outlook format. Updated packages are provided.
FreeBSD: libedit. FreeBSD has issued an advisory for problems with the libedit library, where its use of a configuration file can be abused to cause a user of libedit to execute commands unknowingly. A patch for the problem is provided.
CGI scripts. The following CGI scripts were reported to contain vulnerabilities:
Commercial products. The following commercial products were reported to contain vulnerabilities:
wu-ftpd. Check the June 15th Security Summary for a link to the mini-audit that turned up the latest set of problems with wu-ftpd. wu-ftpd 2.6.1 contains fixes for this problem. Note that this is not the same problem as the multiple-vendor ftpd security report listed above.
man/makewhatis vulnerability. A /tmp file vulnerability has been found in makewhatis versions 1.5e and higher. Check last week's LWN Security Summary for the original report.
This week's updates:
dump/restore. A security vulnerability in dump/restore has been fixed as of dump 0.4b18. Check the June 15th Security Summary for details.
canna. Check last week's Security Summary for more details.
Buffer overflow in inn. A buffer overflow in inn 2.2.2 has been reported that can be an issue if the option "verifycancels" in /etc/news/inn.conf is set to "true". Setting this option to "false" should fix the problem.
ISC DHCP client. Check the June 29th Security Summary for more details. An upgrade to 2.0pl1 or 3.0b1pl14 should resolve the problem.
Qpopper. Check the May 25th Security Summary for more details. Qpopper 3.0.2 or later should fix this problem.
OpenSSH. Check the June 15th Security Summary for details.
Majordomo wrapper vulnerability. Check the June 1st Security Summary for the initial report.
Bastille Linux 1.1.1.pre2. A minor update to the Bastille Linux security hardening script has been made available, including bug fixes and improvements to the API library.
Nessus 1.0.2. OpenBSD support has been added, as of this latest minor update to the Nessus security scanner.
Secure-Linux Patch 2.2.16 version 1. The secure-linux patch has been updated to support the latest stable kernel, 2.2.16.
PScan simple security scanner. In response to the growing number of reports of exploitable format string vulnerabilities, Alan DeKok announced PScan, a simple program that checks for potential format string problems in the source code.
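The kind of source check described here, applied to the format string bug class from the setproctitle() item above, can be sketched as follows. This is an added example, not PScan's code or algorithm: the function table, the helper names and the C sample are constructed for illustration, and the check is a heuristic that flags any printf-style call whose format argument is not a string literal.

```python
import re

# Position of the format-string argument for each function checked (assumed table).
FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2,
              "syslog": 1, "setproctitle": 0}
CALL = re.compile(r"\b(%s)\s*\(" % "|".join(FORMAT_ARG))

def split_args(text, start):
    """Split a C argument list starting just after '(' into top-level arguments."""
    args, cur, depth, quote, i = [], "", 0, None, start
    while i < len(text):
        c = text[i]
        if quote:
            if c == "\\":                  # keep escapes such as \" inside a literal
                cur += text[i:i + 2]
                i += 2
                continue
            if c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            if depth == 0:                 # closing paren of the call itself
                return args + [cur.strip()]
            depth -= 1
        elif c == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
            i += 1
            continue
        cur += c
        i += 1
    return args                            # unterminated call: return what was seen

def find_format_risks(source):
    """Return (line, function, argument) for calls with a non-literal format."""
    findings = []
    for m in CALL.finditer(source):
        args = split_args(source, m.end())
        idx = FORMAT_ARG[m.group(1)]
        fmt = args[idx] if idx < len(args) else ""
        if fmt and not fmt.startswith('"'):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1), fmt))
    return findings

# Constructed C sample: lines 3, 5 and 7 pass caller-controlled data as the format.
SAMPLE = r'''
void log_user(const char *user, char *buf, size_t n) {
    setproctitle(user);
    setproctitle("%s", user);
    snprintf(buf, n, user);
    snprintf(buf, n, "%s (%d)", user, 1);
    syslog(LOG_INFO, buf);
    fprintf(stderr, "done, \"ok\")\n");
}
'''
```

Each finding is fixed the same way: pass a constant format and move the data into an argument, as in `setproctitle("%s", user)`.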
Building Internet Firewalls, second edition released. O'Reilly has announced the release of the second edition of "Building Internet Firewalls". "The second edition is much expanded. It covers Linux and Windows NT, as well as Unix platforms. It describes a variety of firewall technologies (packet filtering, proxying, network address translation, virtual private networks) as well as architectures (e.g., screening routers, dual-homed hosts, screened hosts, screened subnets, perimeter networks, internal firewalls)."
Cybernotes (July 3rd). The July 3rd edition of Cybernotes, a publication from the National Infrastructure Protection Center (NIPC), is now available (PDF format). Cybernotes is published bi-weekly and produces a spread-sheet-like listing of reported vulnerabilities and affected operating systems.
July/August security events.
Section Editor: Liz Coolbaugh
July 13, 2000