
Security

Brief items

Guest article: Germany sees security in free software

[This article was contributed by LWN reader Burt Janz]

Earlier this month, Schwäbisch Hall began an IBM-hosted initiative to convert hundreds of its city-run computers to Linux. With Sony announcing that it would be dropping Microsoft Office in favor of StarOffice on most consumer systems sold in Europe, the availability of OEM-hosted Open Source desktop applications may be prompting the next step in the adoption of Linux as an alternative to Microsoft - especially in government.

Now, another initiative to convert Germany's government computer operations to Linux has been announced. Joachim Jacobs, the Federal Commissioner for Data Security, apparently feels that Open Source provides a more secure set of network management tools than those available under Windows, and will begin the conversion by moving mail, file services, DHCP and DNS, and other network services to Linux. Additionally, up to 75 desktop systems will also be converted to Linux.

In his announcement, Mr. Jacobs addressed one of the primary issues cited by anti-Linux advocates: training. Herr Jacobs knows that there will be a certain amount of retraining necessary in moving to Linux, but also knows that Linux is sufficiently close to UNIX in most of his required operations so that these retraining costs should be minimal.

However, Mr. Jacobs also attacks the retraining issue in another realm: the desktop. This is the one area where Linux opponents are most vocal, and the place where Microsoft is placing its largest bets. Mr. Jacobs's response to the issue is simple: since he has to retrain people every five years or so, and since he has to have a budget to do it, why not retrain them to use Open Source instead of Windows? This is a compelling argument, and could be used to make the case for "test conversions" to Linux in the corporate world.

(See also: this Heise News article (in German)).

Comments (2 posted)

December CRYPTO-GRAM Newsletter

Bruce Schneier's CRYPTO-GRAM Newsletter for December is out; it looks at counterattacks, the new U.S. Department of Homeland Security, and the Internet's next big thing: "I think the next big Internet security trend is going to be crime. Not the spray-painting cow-tipping annoyance-causing crime we've been seeing over the past few years. Not the viruses and Trojans and DDoS attacks for fun and bragging rights. Not even the epidemics that sweep the Internet in hours and cause millions of dollars of damage. Real crime."

Full Story (comments: none)

CERT advisory on SSH vulnerabilities

CERT has issued an advisory describing a number of SSH vulnerabilities which can lead to remote root exploits. OpenSSH is not affected by these problems; neither is lsh.

Full Story (comments: none)

New vulnerabilities

exim: format string vulnerability

Package(s): exim    CVE #(s):
Created: December 17, 2002    Updated: December 17, 2002
Description: Versions of exim prior to 4.10 have a format string vulnerability which may be used, in certain limited circumstances, for a local root exploit; see this advisory for details.
Alerts:
Gentoo 200212-5 exim 2002-12-16

Comments (none posted)

fetchmail: buffer overflow

Package(s): fetchmail    CVE #(s): CAN-2002-1365
Created: December 17, 2002    Updated: October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Immunix IMNX-2003-7+-023-01 fetchmail, fetchmailconf 2003-10-17
Mandrake MDKSA-2003:011 fetchmail 2003-01-27
EnGarde ESA-20030127-002 fetchmail-ssl 2003-01-27
SCO Group CSSA-2003-001.0 fetchmail 2003-01-09
SuSE SuSE-SA:2003:001 fetchmail 2003-01-02
Debian DSA-216-1 fetchmail 2002-12-24
Red Hat RHSA-2002:293-09 fetchmail 2002-12-17
Conectiva CLA-2002:554 fetchmail 2002-12-16

Comments (3 posted)

micq: Denial of service

Package(s): micq    CVE #(s):
Created: December 13, 2002    Updated: April 24, 2003
Description: Rüdiger Kuhlmann, upstream developer of mICQ, a text-based ICQ client, discovered a problem in mICQ. Receiving certain ICQ message types that do not contain the required 0xFE separator causes all versions to crash.
Alerts:
Red Hat RHSA-2003:118-01 mICQ 2003-04-24
Debian DSA-211-1 micq 2002-12-13

Comments (none posted)

MySQL: multiple vulnerabilities

Package(s): mysql    CVE #(s):
Created: December 13, 2002    Updated: April 10, 2003
Description: The MySQL database server has several buffer overflow and integer bounds checking vulnerabilities which can lead to denial of service attacks and, possibly, remote code execution. See this e-matters advisory for details. Version 3.23.54 fixes the problems.
Alerts:
Immunix IMNX-2003-7+-008-01 mysql 2003-04-08
EnGarde ESA-20030127-001 MySQL 2003-01-27
Red Hat RHSA-2002:288-22 MySQL 2003-01-15
SuSE SuSE-SA:2003:003 mysql 2003-01-02
Trustix 2002-0086 mysql 2002-12-19
Mandrake MDKSA-2002:087 MySQL 2002-12-18
Debian DSA-212-1 mysql 2002-12-17
Conectiva CLA-2002:555 MySQL 2002-12-17
OpenPKG OpenPKG-SA-2002.013 mysql 2002-12-16
Gentoo 200212-2 mysql 2002-12-15
EnGarde ESA-20021213-033 MySQL 2002-12-13

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s): net-snmp    CVE #(s): CAN-2002-1170
Created: December 17, 2002    Updated: November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Conectiva CLA-2003:778 net-snmp 2003-11-07
Red Hat RHSA-2002:228-11 net-snmp 2002-12-17

Comments (none posted)

Resources

Linux Security Week

The December 16 Linux Security Week Newsletter from LinuxSecurity.com is available.

Full Story (comments: none)

Paper: Session Fixation

ACROS Security has published a white paper on a new class of vulnerability that they call "session fixation." Essentially, some web applications allow a form of session "pre-hijacking," where an attacker can create a known session and cause the victim to log in to it.

Full Story (comments: none)
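The "pre-hijacking" sequence the ACROS paper describes, and the usual fix (issue a fresh session id at login), modelled with a constructed in-memory session store. This is an added illustration, not code from the paper or from any real web framework; the class and function names are hypothetical.

```python
import secrets

# Constructed in-memory session store (hypothetical, for illustration only).
class SessionStore:
    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session id -> authenticated user (None = anonymous)

    def begin(self, client_sid=None):
        """Resume the session whose id the client presented (cookie or URL
        parameter), or issue a fresh anonymous one."""
        if client_sid in self.sessions:
            return client_sid
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return sid

    def login(self, sid, user):
        """Authenticate the session and return the id the client should use.
        The fixation-prone variant keeps the pre-authentication id, so anyone
        who already knows that id now holds an authenticated session. The
        hardened variant retires it and issues a new id at the privilege
        boundary, which is the defence the paper's class of bug calls for."""
        if sid not in self.sessions:
            raise KeyError("unknown session")
        if self.regenerate_on_login:
            del self.sessions[sid]
            sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid)


def fixation_succeeds(regenerate_on_login):
    """Replay the scenario from the paper: an attacker obtains a valid anonymous
    session id, gets the victim's browser to use it, the victim logs in, and
    the attacker then presents the same id. Returns True if that id is now
    an authenticated session (i.e. the application is vulnerable)."""
    store = SessionStore(regenerate_on_login)
    planted = store.begin()                        # attacker's anonymous session
    victim_sid = store.begin(client_sid=planted)   # victim arrives with that id
    store.login(victim_sid, "victim")
    return store.user_for(planted) == "victim"
```

Running `fixation_succeeds(False)` shows the known id being promoted to an authenticated session; with `regenerate_on_login=True` the planted id is retired at login and stays anonymous.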

Page editor: Jonathan Corbet


Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds