On the Desktop
Linux in the news
All in one big page
See also: last week's Security page.
News and EditorialsPHP Nuke remains vulnerable. Two weeks ago LWN reported on a vulnerability in PHP Nuke's file manager functions. As of this writing, there has been no new PHP Nuke release fixing that problem. Meanwhile, a new problem report has come out showing how to exploit the vulnerability to upload arbitrary files and run commands on the server system. This is a serious bug.
The PHP Nuke code is used to run a great many web sites; it is disturbing that a vulnerability of this magnitude, which exposes so many systems, can go unrepaired for so long. Those of you running PHP Nuke sites will want to look at applying the simple source fix from two weeks ago, or moving to the PostNuke variant, which does not have this vulnerability.
Best Practices for Secure Development is a lengthy white paper written by Razvan Peteanu. It covers security from an application developer's point of view, describing how to write programs that are secure from the beginning. Version 4 of this paper has just been announced; this version has been completely rewritten and includes a fair amount of new material. Worth a look.
Security ReportsRace condition in devfs. At the end of September, Alexander Viro posted a description of a race condition vulnerability in the 2.4 device filesystem. This race could be used by a clueful, local attacker to bring down the system. Very few Linux distributions ship with devfs enabled at this point, but Mandrake is an exception. Thus, MandrakeSoft has issued a kernel security update to address the problem. A new kernel package is not yet available; the update contains a workaround boot option which can be used to close the vulnerability for now.
2.4.x packet filtering vulnerability. The 2.4.x netfilter code can, among many other things, filter packets based on their MAC (hardware) address. It turns out that very small packets can evade this filtering and get through the firewall. It is a difficult vulnerability to do anything interesting with, but it should be fixed anyway. A patch was included with the advisory; it should also appear in the 2.4.11 kernel.
ht://Dig configuration file vulnerability. ht://Dig 3.1.0b2 and later have a vulnerability wherein a remote user can specify that an alternate configuration file be used by htsearch. If an attacker has a way of placing a hostile configuration file on the server, this vulnerability could be used to gain access to files on the system. The fix is to upgrade to version 3.1.6 (or 3.2.0b4) or apply the patch contained in the advisory.
Only one distributor update has been seen so far:
Caldera security update to sendmail configuration. Caldera International has issued a security update regarding its sendmail configuration. It seems that the permissions are overly liberal, allowing a denial of service attack by a local user. This isn't a sendmail bug as such; it's a configuration error. The alert contains the fix to close the hole.
web scripts.The following web scripts were reported to contain vulnerabilities:
Proprietary products.The following proprietary products were reported to contain vulnerabilities:
UpdatesBuffer overrun vulnerability in lpr. A buffer overrun vulnerability in lpr has been reported. This time around, an attacker crafts a special, incomplete print job; a subsequent request to view the printer queue causes the overrun to happen. The advisory only mentions BSD systems, but numerous Linux distributions run BSD lpr as well. This problem was first reported in the September 6 LWN security page.
This week's updates:
This week's updates:
Previous updates:slrn executes shell code. The slrn news reader has an interesting problem: evidently slrn will execute any shell code it finds within an article, on the theory that the article is a self-extracting archive. This may have been desirable behavior in 1982, but it presents certain difficulties in modern times. Users of slrn should apply the update. This vulnerability was first reported in the September 27 LWN security page.
This week's updates:
Previous updates:Uucp local user exploits. There is a vulnerability in the command-line argument handling of uucp which can be exploited by a local user to obtain uid/gid uucp. See the September 13, 2001 LWN security page for the initial report.
NSA offers supersecure Linux (CNN). CNN reports briefly on the NSA's security enhanced Linux distro. "SE Linux does not correct any flaws in Linux, but rather serves as an example of how mandatory access controls, including superuser access, can be added to Linux."
Experts: Easy Installations Kill (Wired). Wired covers the SANS Institute's report on computer security which says that events like Code Red and Nimda aren't the network's biggest problems, but default installations are. "System administrators have reported to SANS and other security organizations that holes often go unpatched because the constant barrage of patches and security alerts are overwhelming. So the Top 20 list prioritizes the threats and also offers comprehensive advice on detecting and fixing these dangerous vulnerabilities from dozens of leading security experts."
LinuxSecurity.com's Linux Security Week for October 8 is now available.
Wireless LAN security FAQ. Version 1.1 of the WLAN Security FAQ has been released by Chris Klaus.
Version 2.0 of the Unix Security Checklist is now available from AusCERT.
Upcoming Security Events.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to email@example.com.
Section Editor: Jonathan Corbet
October 11, 2001
Security alerts archive
Engarde Secure Linux
NSA Security Enhanced
Linux Security Audit Project
Linux Security Module
Security List Archives
Firewall Wizards Archive
LinuxPPC Security Updates
Red Hat Errata
Yellow Dog Errata
Security mailing lists Caldera
Linux From Scratch
Security Software Archives
ZedZ.net (formerly replay.com)
Comp Sec News Daily