On the Desktop
Linux in the news
All in one big page
See also: last week's Security page.
News and Editorials
Second coming of Code Red. CERT posted a warning to administrators regarding the potential resurfacing of the Code Red worm this past week. The worm was expected to awaken on Tuesday, July 31st, 2001 starting at 8PM. The report noted that after an 11 day quiet period the worm would likely begin to spread again from previously infected systems in a mutated form.
While Microsoft has taken some heat for the spread of the worm, experts are worried a second outbreak might raise the costs of dealing with the virus even higher, with the first wave having approached $1.2 billion in lost services so far.
By early morning on Wednesday the worm had resurfaced, and by late afternoon had affected upwards of 135,000 systems. The growth of infected systems once again appears to be exponential, but mixed reports were made as to whether this second round of infections would eventually be worse than the first outbreak or less severe.
Late Tuesday afternoon, Cisco posted an update to their advisory for the Code Red worm which describes the potential impact on their customers from side affects of the worm.
When the traffic from the worm reaches a significant level, a Cisco CSS 11000 series Content Service Switch may suffer a memory allocation error that leads to memory corruption and will require a reboot. The defect is documented in DDTS CSCdu76237.
While none of this directly impacts Linux users, it indirectly affects everyone on the Internet due to the potential such attacks have to slow or even stop the movement of traffic. Fortunately, at least by press time for LWN.net, round 2 in this battle seems to have gone to the administrators.
Linux kernel IP masquerading vulnerability. A report was posted to BugTraq this week on a remotely exploitable IP masquerading vulnerability in the Linux kernel. The problem includes the Linux 2.2 ip_masq_irc module and involves situations where certain browser or MUA helper applications can cause firewalls to act as proxies to open inbound connections when they shouldn't. A patch has been provided by the IP MASQ 2.2 maintainer, JuanJo Ciarlante.
RATS 1.1 (beta). A new beta version of the source code auditing tool RATS has been released, adding the ability to scan both Perl and Python code for vulnerabilities.
Debian security updates for apache and apache-ssl. There have been reports that the 'apache' http daemon, as included in the Debian 'stable' distribution, is vulnerable to the 'artificially long slash path directory listing vulnerability'. There are fixes available in apache-ssl 1.3.9-13.3 and apache_1.3.9-14. It is recommended that you upgrade your packages immediately.
Trustix advisory for PHPLib. Trustix Secure Linux issued an advisory for PHPLib to address problems where an attacker can execute scripts from another server.
Long messages ids in elm cause buffer overflows. An advisory was issued by Linux-Mandrake this week for the elm mail client to address an issue with long headers causing buffer overflows.
Proprietary products.The following proprietary products were reported to contain vulnerabilities:
Multiple Horde IMP vulnerabilities.Check the July 26th Security Summary for details.
This week's updates:
Squid httpd acceleration ACL vulnerability.Check the July 26th Security Summary for details. Squid 2.3STABLE4 is affected; earlier versions are not. Red Hat 7.0 is reported to be vulnerable, while earlier and later versions are not. Debian is reported not vulnerable. A patch to fix the problem is available.
This week's updates:
Cracking activity at all-time high (Register). According to statistics compiled by the Honeynet Project, cracking activity is at an all-time high. "Between April and December 2000, seven default installations of Red Hat 6.2 servers were attacked within three days of connecting to the Internet. From this the people behind the project concluded that 'the life expectancy of a default installation of Red Hat 6.2 server to be less then 72 hours'. Scary stuff."
Hacking Vegas at Black Hat and DEF CON: One Geek's Experience (Linux Journal). Linux Journal covers the Black Hat Briefings and DEF CON. "Darth Elmo had the good fortune to attend both this year. Unlike many Black Hat attendees he went with somewhat more of an underground perspective, or at least a non-corporate one. And unlike many DEF CON attendees, Darth can remember where he was, what he saw and what he drank for most of the time he was there. Here, then, are one geek's observations and opinions on these two fine events."
Upcoming Security Events.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to email@example.com.
Section Editor: Michael Hammel
August 2, 2001
Security alerts archive
Engarde Secure Linux
NSA Security Enhanced
Linux Security Audit Project
Linux Security Module
Security List Archives
Firewall Wizards Archive
LinuxPPC Security Updates
Red Hat Errata
Yellow Dog Errata
Security mailing lists Caldera
Linux From Scratch
Security Software Archives
ZedZ.net (formerly replay.com)
Comp Sec News Daily