Linux in the news
All in one big page
See also: last week's Security page.
News and Editorials
Apache 1.3.24 Released. Apache version 1.3.24 has been released. "This version of Apache is principally a security and bug fix release."
Format string exploits in libsafe Libsafe versions prior to 2.0-12 are vulnerable to format string exploits. "Libsafe protection against format string exploits may be easily bypassed using flag characters that are implemented in glibc but are not implemented in libsafe." The current version is libsafe 2.0-13. Steve Beattie pointed out that the Immunix FormatGuard tool is not vulnerable to these kinds of attacks.
Debian Security Advisory - mtr. A buffer overflow problem in mtr may allow an attacker to gain access to the raw socket, which makes IP spoofing and other malicious network activity possible.
Redhat update for imlib. Red Hat has released a security update for imlib that fixes "potential problems loading untrusted images", this vulnerability is exploitablie via the NetPBM package.
Mandrake security alert for kdm. MandrakeSoft has issued a security alert for kdm; it seems that the default configuration allows XDMCP connections from anywhere. The workaround is to make a small configuration file change; see the alert for details.
Webmin local privilege escalation vulnerabilities.
The webmin 0.93 release fixes
local privilege escalation vulnerabilities in the /var/webmin and
web scripts.The following web scripts were reported to contain vulnerabilities:
Proprietary products.The following proprietary products were reported to contain vulnerabilities:
zlib corrupts malloc data structures via double free. This vulnerability impacts all major Linux vendors. It may impact every Linux installation on Earth. Updates are required to zlib and any packages that were statically built with the zlib code. (First LWN report: March 14).
LinuxSecurity describes the vulnerability and coordinated distributor efforts in detail. "Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc, vnc, and many other programs that have the ability to use network compression are potentially vulnerable."
Updating is recommended. As always, please proceed with caution when applying updates to the kernel.
This week's updates:
Both PHP3 and PHP4 have vulnerabilities in their file upload code which can lead to remote command execution. This one could be ugly; sites using PHP should apply updates at the first opportunity. If an update isn't available for your distribution, users of PHP 4.0.3 and later are encouraged to consider disabling file upload support by adding this directive to php.ini:
file_uploads = Off
Developers using the 4.2.0 branch, are not vulnerable because because file upload support was completely rewritten for that branch.
This week's updates:
Update: Despite some concern expressed in an earlier report by LWN, these updates do, in fact, fix the problem. The original update from the php team fixes the security hole but introduces a "rare segfault condition" that is not a security problem.
RAV AntiVirus v8.5 for Linux Review (LinuxLookup). Here is a review of RAV AntiVirus v8.5 for Linux. "RAV AntiVirus v8.5 for Linux Mail Servers, Servers, and Workstations is flexible and scalable, allowing independent configuration of the scanning module, fully independent from the Mail Server. In the configuration file you can customize the actions to be taken by RAV when detecting a virus - clean, move, copy, rename, delete, ignore, reject - and benefit of advanced features, like warning the sender, warning the receiver or warning a third party (the server administrator when detecting an external threat)."
Getting Started with Gnu Privacy Guard (Open for Business). Here is a HOWTO article on using GNU Privacy Guard (GPG). "The idea of signing your key is to create a "web of trust," where if John trusts Jim's identity, and Jim trusts Nancy's identity, then John knows he can trust the identity of Nancy too. Most often, signing is reciprocal, so John and Jim probably signed each other's keys, and Jim and Nancy did the same."
Linux security week. The Linux Security Week publication from LinuxSecurity.com is available.
EventsUniNet announced the 1st Information Security Conference at UniNet, InfoSec 2002, which will run from April 15th to 19th on the UniNet IRC network (irc.uninet.edu) in the channel #infosec.
Upcoming Security Events.
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to firstname.lastname@example.org.
Section Editor: Dennis Tenney
March 28, 2002