News and Editorials

The top 20 Internet security vulnerabilities. SANS has posted a list of the 20 most critical security vulnerabilities on the net. The list makes good reading for anybody concerned about the security of their systems, though it is far from a comprehensive list of problems.
The list is broken down into three large sections. The first concerns itself with general, system-independent problems. These include:
The middle section lists Windows-specific vulnerabilities; readers interested in those are encouraged to go to the SANS page. The final section goes into Unix-specific problems:
A survey of PHP vulnerabilities. "Yet Another Hacker Team" has performed an automated audit of a number of PHP-based packages, and has posted the results. The conclusion: much PHP code is vulnerable to remote exploits. Two PHP features are the source of the problems: (1) PHP allows global variables to be set from an HTTP request, and (2) file operations handle URLs transparently. The combination of the two allows a remote attacker to run arbitrary PHP code on the server; this, in turn, gives that attacker shell access.
The survey makes this claim:
PHP is not insecure by default, but makes insecure programming very easy.
Reasonable people could differ on that point. PHP could be far more secure by simply isolating user-supplied information in a special "request" variable. PHP is great stuff (LWN uses a lot of it), but some aspects of the environment are, indeed, insecure by default.
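The two PHP features described above, the vulnerable pattern beside a hardened one, as an added illustration that is not code from LWN or from any of the audited packages. The handler names, the template whitelist and the directory paths are assumptions; `register_globals` and `allow_url_fopen` are the real php.ini settings involved, and the `$_GET` array used in the hardened version is the "request variable" approach the article argues for (PHP 4.1 and later provide it).

```php
<?php
// Added illustration, not code from LWN or the audited PHP packages.
// Handler names, the whitelist and the paths below are constructed.

// --- Vulnerable pattern ---------------------------------------------------
// With register_globals = On, every request parameter becomes a PHP global.
// The author expects $template to be set by a config file; if it is not set
// there (or only conditionally), the request can supply it instead. Because
// include() accepts URLs when allow_url_fopen = On, a request-controlled
// $template means request-controlled code runs on the server.
function render_page_vulnerable()
{
    global $template;               // may have come straight from the request
    include $template . '/header.php';
}

// --- Hardened pattern -----------------------------------------------------
// 1. Run with register_globals = Off in php.ini and read request data only
//    from the explicit request arrays, never from bare globals.
// 2. Map the user-supplied value onto a fixed whitelist of local directories.
// 3. Never hand user data to include()/fopen(); resolve the final path and
//    confirm it still lies under the directory you intended.
$ALLOWED_TEMPLATES = array(
    'default' => '/var/www/templates/default',   // constructed sample paths
    'print'   => '/var/www/templates/print',
);
$TEMPLATE_ROOT = '/var/www/templates/';

function render_page_hardened($allowed, $root, $request)
{
    $key = isset($request['template']) ? $request['template'] : 'default';
    if (!array_key_exists($key, $allowed)) {
        // Unknown template: fall back silently rather than interpreting it.
        $key = 'default';
    }
    // realpath() resolves symlinks and "..", so the prefix check below
    // cannot be sidestepped by path tricks in the whitelist entries.
    $file = realpath($allowed[$key] . '/header.php');
    if ($file === false || strpos($file, $root) !== 0) {
        header('HTTP/1.0 500 Internal Server Error');
        return false;
    }
    include $file;
    return true;
}

// Usage: pass $_GET (or $_POST) explicitly so the data source is visible
// at the call site instead of being implied by the interpreter's settings.
render_page_hardened($ALLOWED_TEMPLATES, $TEMPLATE_ROOT, $_GET);
```

The whitelist is the important part: even with `register_globals` off, passing `$_GET['template']` straight into `include()` would reproduce the original problem, so the request value is only ever used as a lookup key, never as a path.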
CRYPTO-GRAM special issue. Bruce Schneier has released a special issue of his CRYPTO-GRAM Newsletter devoted to the events of September 11. "People are willing to give up liberties for vague promises of security because they think they have no choice. What they're not being told is that they can have both. It would require people to say no to the FBI's power grab. It would require us to discard the easy answers in favor of thoughtful answers." Worth a read.
Conectiva cuts off 4.x. Conectiva has served notice that the 4.x versions of its distribution are no longer supported, and no further updates will be available. Conectiva customers running ancient versions of the distribution are encouraged to upgrade to something more recent.
OpenSSH 2.9.9 released. OpenSSH 2.9.9 has been released; it includes a security fix that will be important for people using source-based access control.
A new set of sendmail vulnerabilities. Michal Zalewski has found a new set of vulnerabilities in sendmail; they may be used by a local attacker to obtain unauthorized access to the mail system. Versions of sendmail through 8.12 are vulnerable; 8.12.1 has been released and contains fixes for all of the problems. We'll pass on distributor updates as we see them.
Zope DTML scripting security update. There is a new Zope security update out there, fixing a vulnerability in DTML scripting. A suitably clueful user could use the vulnerability to obtain unauthorized access. A fix has been provided by Zope Corp.; expect updates shortly from the distributors that ship Zope as well.
Proprietary products. The following proprietary products were reported to contain vulnerabilities:
Format string vulnerability in groff. A format string problem exists in groff; apparently it could be remotely exploited when it is configured to be used with the lpd printing system. (First LWN report: August 16, 2001).
The stable release of Debian is not vulnerable.
Resources

Linux Security Week from LinuxSecurity.com is available in its October 1 edition. Also available is Linux Advisory Watch for September 28.
CERT has a new PGP key, following the expiration of its previous key at the end of September. See the announcement for the new CERT key information.
Events

The International Cryptography Institute 2001 will be held November 29 and 30 in Washington, DC. Speakers include Dorothy Denning, Whitfield Diffie, Bruce Sterling, and Phil Zimmermann. See the announcement for details.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to firstname.lastname@example.org.
Section Editor: Jonathan Corbet
October 4, 2001