News and Editorials
Debian took a month to distribute a fix for a glibc buffer overflow vulnerability. This week's glibc updates from Debian and Slackware distribute a fix for the problem about a month after the first update from Red Hat on December 14th.
You may wonder why Debian, with over eight hundred developers and a dedicated security team, took so long to distribute a fix for such a basic vulnerability. The short answer is that with a half dozen architectures the only way to change glibc is very carefully.
This note from Martin Schulze illustrates the care with which Debian manages a distribution for six different architectures. Striking the necessary balance between release management and getting security fixes out for core components is a serious challenge. As Mr. Schulze notes, "we have to be extraordinarily careful. This takes time."
January CRYPTO-GRAM Newsletter. Here's Bruce Schneier's CRYPTO-GRAM Newsletter for January. The main topic this time around is the Windows UPnP vulnerability. "To think, some time ago I criticized eEye for not waiting long enough before releasing a vulnerability. Shows how hard it is to get the balance right."
Nasty security hole in sudo. The sudo package, used to provide limited administrator access to systems, has an unpleasant vulnerability which makes it relatively easy for a local attacker to obtain root access. If you have sudo on a system with untrusted users, you probably want to disable it until you can get a fix installed.
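As an added illustration of the advice above (this is not code from LWN or from the sudo project), here are a few POSIX shell functions that inventory setuid binaries and drop the setuid bit on sudo until a fixed package is installed. Without that bit sudo runs as the invoking user and cannot hand out root; the file stays in place so the package manager can still replace it cleanly. The /usr/bin/sudo path in the usage comments is an assumption about where the binary lives on your system.

```shell
#!/bin/sh
# Added example (not LWN's or the sudo project's code): stop a setuid binary
# from granting root until a fixed package arrives, and put it back afterwards.
# The /usr/bin/sudo path in the usage comments is an assumption.

# List every setuid file under the given directories (local filesystems only).
# Useful for seeing what else local users can reach besides sudo.
list_setuid() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null
}

# True if the file currently carries the setuid bit (POSIX test -u).
is_setuid() {
    [ -u "$1" ]
}

# Drop the setuid bit. The file stays in place, so the package manager can
# still replace it cleanly; it just runs as the invoking user from now on,
# which for sudo means it can no longer hand out root.
disable_setuid() {
    [ -f "$1" ] || return 1
    chmod u-s "$1" && ! is_setuid "$1"
}

# Re-enable the bit once the fixed package has been installed and checked.
# A package upgrade normally resets the mode anyway; this is for the case
# where the fix is a local rebuild rather than a new package.
restore_setuid() {
    [ -f "$1" ] || return 1
    chmod u+s "$1" && is_setuid "$1"
}

# Usage (as root):
#   list_setuid /bin /sbin /usr/bin /usr/sbin   # inventory
#   disable_setuid /usr/bin/sudo                # mitigate
#   restore_setuid /usr/bin/sudo                # after the fix, if needed
```

Run the inventory first: the same local users who could abuse sudo can reach every other setuid-root program on the box, and that list is usually longer than expected.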
Remotely exploitable vulnerability in pine. Pine has an unpleasant URL handling vulnerability which can lead to command execution by remote attackers. Updates fixing the problem were released this week by Slackware, EnGarde and Red Hat. This vulnerability is remotely exploitable; updating is a good idea.
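The following added example is not pine's code and does not describe pine's actual defect; it assumes the general mechanism by which URL handling in a mail client turns into command execution: the URL from a message is spliced into a command line that a shell re-parses before the browser ever sees it. The `browser` function is a constructed stand-in for the configured browser, and the sample URL is constructed.

```shell
#!/bin/sh
# Added example, not pine's code: how handing a URL to a browser through the
# shell lets URL contents run as commands, and how to avoid it. The mechanism
# shown is an assumption about the bug class, not pine's actual defect.

# Constructed stand-in for the configured browser: echoes what it was asked
# to open, so the test can see exactly what argument arrived.
browser() {
    printf 'open: %s\n' "$1"
}

# UNSAFE: the URL is pasted into a command line which the shell re-parses,
# so ';', '$(...)', backticks and similar inside the URL are executed with
# the privileges of the mail client's user.
open_url_unsafe() {
    eval "browser $1"
}

# SAFE: pass the URL as a single argument vector element; no re-parsing
# happens, so the browser receives the URL byte-for-byte.
open_url_safe() {
    browser "$1"
}

# Optional signal for logging or refusing: true if the URL carries characters
# the shell treats specially. Note this is not a fix on its own, because
# ';', '&', '(' and ')' are all legal inside URLs; argv passing is the fix.
url_has_shell_metachars() {
    printf '%s\n' "$1" | grep -q '[;&|$`()<>\\"'"'"' ]'
}

# Usage:
#   open_url_safe 'http://example.com/page;echo INJECTED'   # browser gets the whole string
#   open_url_unsafe 'http://example.com/page;echo INJECTED' # runs echo as a command
```

The point to take from this is that character filtering cannot rescue the unsafe form: a URL built entirely from characters that RFC-legal URLs permit can still carry `;` or `$(...)`, so the only reliable fix is to stop routing the string through a shell at all.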
EnGarde Secure Linux security update to LIDS. EnGarde Secure Linux released a security update to LIDS (Linux Intrusion Detection System) fixing a number of locally exploitable vulnerabilities.
Debian security update to gzip. The Debian Project has issued a security update to gzip fixing a buffer overflow problem in that package.
Debian security update to cipe. The Debian Project has issued a security update to the cipe VPN package fixing a denial of service vulnerability.
Yellow Dog Linux released a whole list of updates that they evidently forgot to send out until now.
Geeklog 1.3 vulnerability. According to this post to BugTraq the version of Geeklog released last December 30th has a vulnerability which "allows any user to assume the identity of any other registered user, including the administrative user." Instructions on where to obtain a fix are on the Geeklog website.
Pi3Web Webserver v2.0 is subject to a denial of service attack which crashes the daemon, according to this brief description posted to BugTraq.
Bugzilla upgrade to version 2.14.1. This is a security update with patches for a number of security-related bugs described in this announcement. "All users of Bugzilla, the bug-tracking system from mozilla.org [...] are strongly recommended to update to version 2.14.1". The problem was first reported by LWN in the January 10th Security page.
Previous updates: a detailed description of this vulnerability. This problem was first reported by LWN on December 20th.
Format string vulnerability in groff. A format string problem exists in groff; apparently it could be remotely exploited when it is configured to be used with the lpd printing system. (First LWN report: August 16, 2001).
The stable release of Debian is not vulnerable.
Securing Linux Servers for Service Providers by Bill Half, Sr. Consulting I/T Architect, is now available in PDF format from this link inside the IBM Linux Technology Center website. (Thanks to Steve Fox).
Upcoming Security Events.
Sixth Annual Distributed Objects and Components Security Workshop has extended the call for papers to January 26. "The workshop, hosted by the Object Management Group and co-sponsored by Promia, Inc. and the National Security Agency (NSA), will provide a forum for discussing the issues associated with securing integrated application systems." The workshop will be held March 18 through 21, 2002 in Baltimore, Maryland, USA.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to email@example.com.
Section Editor: Dennis Tenney
January 17, 2002