Linux in the news
All in one big page
See also: last week's Security page.
News and EditorialsToward a common naming system for security vulnerabilities. The Common Vulnerabilities and Exposures project has been working since 1999 to create a standard way of talking about security problems. The problem to be solved is real: one distributor may refer to a vulnerability in "login," while another fixes a problem with the PAM libraries. Both are dealing with the same vulnerability, but it can be hard to tell without taking a detailed look. Even more detailed descriptions (i.e. "the buffer overflow in wu-ftpd") can be ambiguous. How is a user to know which problems an update really fixes?
The CVE project steps in by assigning a unique name to each vulnerability. The full set of vulnerabilities is packaged in a "freely downloadable" database - you can do almost anything with CVE except modify it. Last year's mutt format string vulnerability, for example, is CVE-2001-0473.
The process for creating a CVE entry appears to be long; one must get a "candidate number" assigned, then wait for a large "editorial board" to pass judgment on whether a real vulnerability has been described or not. That process appears to be long; the last Linux-related vulnerability with a full CVE number is CVE-2001-0489, a format string vulnerability in gftp which was reported in May, 2001. This is a problem: time is often of the essence when dealing with security incidents. During the period in which a security problem is current, all that is available is an unratified, temporary candidate number. This slowness is likely to slow the adoption of CVE.
Still, the effort is worthwhile. As we rework our handling of security vulnerabilities in the near future, we'll look hard at including CVE identifiers in the database.
Multiple security vulnerabilities in squid. Here is a security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE3. At the minimum, the vulnerabilities could facilitate denial of service attacks; the potential for worse also exists. Sites running squid probably should apply the update sooner rather than later.
Distributor updates seen so far:
IRC connection tracking vulnerability in netfilter. The Netfilter team has released an advisory warning of a bug in the Linux packet filtering code. It seems that when connection tracking is used, and a particular type of IRC connection is made, the firewall can be opened up to all incoming connections to a particular port for a brief period. Only certain configurations are vulnerable; see the advisory for details.
As of this writing, the only distributor update available is from Red Hat. It is a kernel update, of course, and so should be applied carefully.
Red Hat security update to ncurses4. Red Hat has issued a security update to ncurses4 fixing a buffer overrun vulnerability in that package.
Access control vulnerabilities in gnujsp. The gnujsp Java servlet has a set of vulnerabilities which make it possible to bypass access control restrictions on the web server. So far, the only distributor update we have seen is:
UpdatesHeap corruption vulnerability in at. The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th).
This week's updates:
Buffer overflow in CUPS. Versions of the Common Unix Print System prior to 1.1.14 have a buffer overflow vulnerability. (First LWN report: February 14).
This week's updates:
Multiple vulnerabilities in SNMP implementations. Most SNMP implementations out there have a variety of buffer overflow vulnerabilities and should be upgraded at first opportunity. See this CERT advisory for more. (First LWN report: February 14).
This week's updates:
ResourcesPatching the net's fatal flaws (Business Week). Business Week examines the SNMP vulnerabilities. "So far, the fallout has been minimal. Major attacks using the SNMP hole have failed to materialize. That doesn't mean they won't happen, though."
EventsICICS 2002 CFP. The 4th International Conference on Information and Communications Security will be held in Singapore on December 9 to 12. The Call for papers has gone out; see the ICICS 2002 web page for details.
Upcoming Security Events.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to firstname.lastname@example.org.
Section Editor: Jonathan Corbet
February 28, 2002