See also: last week's Security page.
News and Editorials
Netscape flaw exposes hard drives (ZDNet). ZDNet is covering the XMLHttpRequest security bug in Mozilla-based browsers. "The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms, and in Netscape versions 6.1 and higher. The flaw doesn't affect Mozilla 1.0 release candidate 1 because XMLHttpRequest appears to be broken in that release, according to Mozilla developers." (Thanks to Manfred Scheible)
John Villalovos wrote to tell us that the fix for this bug will be in the next Mozilla release.
A world without secrets (ZDNet). ZDNet takes a look at Richard Hunter and his book "World Without Secrets: Business, Crime and Privacy in the Age of Ubiquitous Computing". "His poster child for the evil network army is the infamous Al Qaeda, and the good exemplified by the Open Source movement."
sudo local root exploit. Sudo 1.6.5p2 and earlier can be tricked into allocating less memory than it should when used with the password prompt parameter (-p). A local attacker may use the flaw to gain root privileges. The problem is fixed in sudo 1.6.6.
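The sudo problem above is a size-miscalculation bug: the buffer allocated for the expanded password prompt is smaller than the expansion that gets written into it. As an added illustration (not sudo's own code), here is a prompt expander in C that measures the expansion first, allocates exactly that much, and refuses to emit a result if the writer and the measurer ever disagree. The escape set (%u for the user name, %h for the host name, %% for a literal percent sign) is an assumption made for the example; only the sizing discipline is the point.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count the bytes the expanded prompt will need, excluding the NUL.
 * Escapes (assumed for this example): %u -> user, %h -> host, %% -> "%".
 * Anything else, including a lone trailing '%', is copied literally. */
static size_t expanded_len(const char *fmt, const char *user, const char *host)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p == '%' && p[1] == 'u')      { n += strlen(user); p++; }
        else if (*p == '%' && p[1] == 'h') { n += strlen(host); p++; }
        else if (*p == '%' && p[1] == '%') { n += 1;            p++; }
        else                               { n += 1; }
    }
    return n;
}

/* Expand fmt into a freshly malloc'd string. The buffer is sized from
 * expanded_len() before any byte is written, so the expansion cannot outgrow
 * it; as a belt-and-braces check the function fails closed if the number of
 * bytes written differs from the number measured. Returns NULL on failure. */
char *expand_prompt(const char *fmt, const char *user, const char *host)
{
    size_t need = expanded_len(fmt, user, host);
    char *out = malloc(need + 1);
    if (!out) return NULL;

    char *o = out;
    for (const char *p = fmt; *p; p++) {
        const char *rep = NULL;
        if (*p == '%' && p[1] == 'u')      { rep = user; p++; }
        else if (*p == '%' && p[1] == 'h') { rep = host; p++; }
        else if (*p == '%' && p[1] == '%') { rep = "%";  p++; }
        if (rep) {
            size_t l = strlen(rep);
            memcpy(o, rep, l);
            o += l;
        } else {
            *o++ = *p;
        }
    }
    *o = '\0';

    /* The measuring pass and the writing pass must agree exactly. */
    if ((size_t)(o - out) != need) { free(out); return NULL; }
    return out;
}

/* Returns 1 if fmt expands to exactly `expected`, 0 otherwise. */
int expand_matches(const char *fmt, const char *user, const char *host,
                   const char *expected)
{
    char *s = expand_prompt(fmt, user, host);
    int ok = (s != NULL && strcmp(s, expected) == 0);
    free(s);
    return ok;
}

int main(void)
{
    /* Constructed sample: the kind of prompt passed with -p. */
    char *p = expand_prompt("[sudo] %u@%h, password: ", "alice", "box");
    if (!p) return 1;
    puts(p);
    free(p);
    return 0;
}
```

The two-pass structure is what the original defect lacked: when the allocation size is derived from a different calculation than the copy loop, any escape the sizing pass undercounts becomes a heap overflow. Keeping one table of escapes that both passes consult (here, the same three comparisons) is the simplest way to keep them in step.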
Updates are available from:
The OpenSSH advisory reported last week has been revised. "Buffer overflow in OpenSSH's sshd if AFS has been configured on the system or if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled by default."
Trustix issued what appears to be the first openssh update from a distributor that fixes the problem.
Squid DNS answer message vulnerability. Squid-2.X releases up to and including 2.4.STABLE4 do not check some error and boundary conditions when handling compressed DNS answer messages in the internal DNS. A malicious DNS server could craft a DNS reply that causes Squid to exit with a SIGSEGV.
Updates which fix the problem were released this week by:
Ethereal packet handling vulnerabilities. Ethereal 0.9.3, released by the Ethereal team on March 30th, fixed three packet handling vulnerabilities present in 0.9.2. The PROTOS test suite found some flaws in the SNMP and LDAP protocol support. Malformed packets could also crash Ethereal 0.9.2 due to an ASN.1 zero-length g_malloc problem. The zlib "double free" vulnerability was addressed by the updates for that bug from many distributors.
Conectiva has issued an Ethereal security update that addresses the ASN.1 zero-length g_malloc and SNMP and LDAP protocol support vulnerabilities. The zlib "double free" vulnerability was addressed by an earlier zlib update from Conectiva.
Multiple vulnerabilities in icecast. Icecast is a streaming audio broadcasting system. Version 1.3.12 was released on April 10th. "This release is a security update and all users are highly encouraged to upgrade immediately or apply the relevant patches to their own versions. Remember, never run icecast as a privileged user, especially not as root."
Security updates to icecast 1.3.12 have been released by:
Red Hat advisory for docbook. Here is a Red Hat security update for the docbook package.
Caldera Security advisory - fileutils. A race condition in various utilities from the GNU fileutils package may cause a root user to delete the whole filesystem.
PHProjekt multiple vulnerabilities. PHProjekt is an open source groupware suite. Ulf Harnhammar has reported multiple vulnerabilities in PHProjekt organized into five categories.
Web scripts. The following web scripts were reported to contain vulnerabilities:
Proprietary products. The following proprietary products were reported to contain vulnerabilities:
Updates
Two denial of service vulnerabilities in Cistron RADIUS versions 1.6.5 and prior are described in this CERT advisory for RADIUS. "They are remotely exploitable, and on most systems result in a denial of service." (First LWN report: March 7th, 2002).
This week's updates:
Problem loading untrusted images in imlib. Versions of imlib prior to 1.9.13 used the NetPBM package in ways which "make it possible for attackers to create image files such that when loaded via software which uses Imlib, could crash the program or potentially allow arbitrary code to be executed." (First LWN report: March 28).
This week's updates:
Both PHP3 and PHP4 have vulnerabilities in their file upload code which can lead to remote command execution. This one could be ugly; sites using PHP should apply updates at the first opportunity. If an update isn't available for your distribution, users of PHP 4.0.3 and later are encouraged to consider disabling file upload support by adding this directive to php.ini:
file_uploads = Off
Developers using the 4.2.0 branch are not vulnerable because file upload support was completely rewritten for that branch.
This week's updates:
Update: Despite some concern expressed in an earlier report by LWN, these updates do, in fact, fix the problem. The original update from the php team fixes the security hole but introduces a "rare segfault condition" that is not a security problem.
Webalizer DNS server based attack vulnerability. The cause is a buffer overflow bug. This one sounds nasty. If reverse DNS lookups are enabled in webalizer, "an attacker with control over the victim's DNS may spoof responses thus triggering a buffer overflow, potentially leading to a root compromise." Webalizer 2.01-10 "fixes this and a few other buglets that have been discovered in the last month or so". (First LWN report: April 18th, 2002).
This week's updates:
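The Squid item (a crafted compressed DNS answer that crashes the internal resolver) and the Webalizer item (a spoofed reverse-DNS response overflowing a buffer) share a root cause: length and offset fields in a DNS reply were trusted. As an added example written for this page, not code from Squid or Webalizer, here is a C decoder for the RFC 1035 compressed-name format that bounds-checks every read, only follows compression pointers that point backwards (which rules out pointer loops), caps the hop count as a second line of defence, and holds the result to both the 255-byte wire limit and the caller's output buffer. The sample message and the hop limit of 16 are constructed for the example, not taken from any real capture or implementation.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define DNS_MAX_NAME  255  /* RFC 1035 limit on a name's wire length */
#define DNS_MAX_LABEL 63   /* RFC 1035 limit on one label */
#define DNS_MAX_HOPS  16   /* constructed cap on compression-pointer hops */

/* Decode the domain name at msg[off] into `out` as dotted text.
 * Every read is checked against len; a compression pointer must point
 * strictly backwards (so loops are impossible), and hops are capped anyway;
 * the wire length is held to DNS_MAX_NAME and the text to outlen.
 * A reply with a truncated label, a pointer past the end of the message,
 * a self-referencing pointer or an oversized name is rejected instead of
 * being read out of bounds.  Returns the offset of the field that follows
 * the name, or 0 if the name is malformed. */
size_t dns_decode_name(const uint8_t *msg, size_t len, size_t off,
                       char *out, size_t outlen)
{
    size_t outpos = 0, wirelen = 0, next = 0;
    int hops = 0;

    if (outlen == 0) return 0;
    for (;;) {
        if (off >= len) return 0;
        uint8_t c = msg[off];
        if ((c & 0xC0) == 0xC0) {                 /* 11xxxxxx: pointer */
            if (off + 1 >= len) return 0;
            size_t ptr = ((size_t)(c & 0x3F) << 8) | msg[off + 1];
            if (ptr >= off) return 0;             /* forward or self: reject */
            if (++hops > DNS_MAX_HOPS) return 0;
            if (next == 0) next = off + 2;        /* field ends after 1st ptr */
            off = ptr;
            continue;
        }
        if (c & 0xC0) return 0;                   /* 01/10 prefixes: reserved */
        off++;
        if (c == 0) {                             /* root label: finished */
            out[outpos] = '\0';
            return next ? next : off;
        }
        if (c > DNS_MAX_LABEL || off + c > len) return 0;
        wirelen += c + 1;
        if (wirelen + 1 > DNS_MAX_NAME) return 0; /* +1 for the root byte */
        if (outpos + c + 2 > outlen) return 0;    /* '.' + label + NUL */
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, msg + off, c);
        outpos += c;
        off += c;
    }
}

/* Constructed sample message (not a capture): a zeroed 12-byte header, then
 * "www.example.com" at offset 12, "mail" plus a pointer to "example.com"
 * (offset 16) at offset 29, a self-referencing pointer at offset 36, and a
 * label claiming 16 bytes with only one present at offset 38. */
static const uint8_t sample_msg[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    4, 'm', 'a', 'i', 'l', 0xC0, 16,
    0xC0, 36,
    0x10, 'a'
};

/* 1 if the name at `off` decodes to exactly `expected`, else 0. */
int dns_name_is(const uint8_t *msg, size_t len, size_t off, const char *expected)
{
    char buf[256];
    return dns_decode_name(msg, len, off, buf, sizeof buf) != 0 &&
           strcmp(buf, expected) == 0;
}

/* Offset following the name at `off`, or 0 if it is malformed. */
size_t dns_name_end(const uint8_t *msg, size_t len, size_t off)
{
    char buf[256];
    return dns_decode_name(msg, len, off, buf, sizeof buf);
}

int main(void)
{
    static const size_t offsets[] = { 12, 29, 36, 38 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        char buf[256];
        size_t end = dns_decode_name(sample_msg, sizeof sample_msg, offsets[i],
                                     buf, sizeof buf);
        if (end) printf("offset %zu: \"%s\" (next field at %zu)\n", offsets[i], buf, end);
        else     printf("offset %zu: rejected as malformed\n", offsets[i]);
    }
    return 0;
}
```

The outlen check is the part that speaks to the Webalizer case: a decoder that returns a hostname into a caller-supplied buffer must fail when the name will not fit, rather than assuming hostnames are short. The backwards-only rule for pointers is stricter than the RFC strictly requires, but it is what makes the loop check redundant rather than load-bearing.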
Building a secure kiosk with Embedded Linux. LinuxDevices features an article on building a Linux based information kiosk. "In this informative and entertaining technical article, embedded developer Patrick Glennon relates his experiences in creating a small Linux-based system for a client that required robust, easy-to-use, low-cost kiosks for conducting surveys at hotels."
Linux security week. The Linux Security Week publication from LinuxSecurity.com is available.
Upcoming Security Events.
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to email@example.com.
Section Editor: Dennis Tenney
May 2, 2002