For those who haven't been paying attention: Red Hat has sent out a reminder that the end of an era is
approaching. After April 30, Red Hat will no longer produce security
updates for Red Hat Linux 9, the last product in the Red Hat Linux
line. If you have systems running Red Hat Linux, you should be well into
the execution of your migration plan. We have been getting enough mail
asking for articles about Red Hat Linux alternatives, however, that we
suspect many sites have not yet figured out what they are going to do.
For those still in the planning process, here is a quick summary of
alternatives to letting your Red Hat Linux systems go unpatched:
Get Red Hat Linux security updates from elsewhere. The Fedora Legacy Project has been
issuing updates for Red Hat Linux 7.2, 7.3, and 8; updates for Red Hat
Linux 9 should start coming out once Red Hat ceases support.
Fedora Legacy updates are free and, so far, have been reliable, but
its users are depending on a volunteer project for updates into the
future.
A commercial alternative is the Progeny Transition Service
which, for a small monthly fee, will provide updates through at least
the end of 2005.
Switch to a Red Hat Enterprise product. These products offer
high-quality support for years into the future, but the price tag is
relatively steep. See the Red Hat Enterprise
Linux page for more information.
Switch to an RHEL knockoff distribution. Distributions like White Box Enterprise Linux
and cAos Linux use the RHEL
packages and do their best to provide the RHEL feel and support.
These distributions are small and unproven, however, and, to some
people, they push the "free rider" approach a little too far.
Switch to Fedora. Fedora
Core is the successor to Red Hat Linux, and will be familiar to
Red Hat administrators. It is also Red Hat's testing and development
ground for features intended for eventual inclusion in RHEL. Fedora
Core 1 was a reasonably solid release; Fedora Core 2 may be
somewhat more challenging. Note that Fedora has a different security
update policy than Red Hat Linux did: affected packages are updated to the latest
version, rather than having the specific fix backported. Updates for
specific Fedora Core releases should be available for extended periods
of time through the Fedora Legacy Project.
Switch to another distribution entirely. SUSE or Mandrake
Linux would be the most obvious (least disruptive) choices for Red Hat
Linux refugees, but many other distributions are available.
The one option we don't recommend is "do nothing and hope for the best."
Many Red Hat Linux users will find this transition inconvenient and
annoying. But this whole episode demonstrates one of the great strengths
of free software: Red Hat Linux users have several entirely viable
alternatives available to them. Users of proprietary operating systems
tend not to be so lucky.
Debian, Mandrake, Red Hat, and SUSE have joined together to give a common
statement about the Forrester report entitled "Is Linux more Secure than
Windows?". "Despite the report's claim to incorporate a
qualitative assessment of vendor reactions to serious vulnerabilities, it
treats all vulnerabilities as equal, regardless of their risk to users.
As a result, the conclusions drawn by Forrester have extremely limited
real-world value for customers assessing the practical issue of how
quickly serious vulnerabilities get fixed."
Steve Kemp and Jaguar discovered a number of buffer overflow
vulnerabilities in vfte, a version of the fte editor which runs on the
Linux console, found in the package fte-console. This program is
setuid root in order to perform certain types of low-level operations
on the console.
According to a security
advisory from the heimdal project: All releases prior to 0.6.1 and
0.5.3 have a cross-realm vulnerability allowing someone with control over a
realm to impersonate anyone in the cross-realm trust path.
A vulnerability was discovered recently in Interchange, an e-commerce
and general HTTP database display system. This vulnerability can be
exploited by an attacker to expose the content of arbitrary variables.
An attacker may learn SQL access information for your Interchange
application and use this information to read and manipulate sensitive
data.
Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
The shar utility (as found in the sharutils package through version 4.2.1) suffers from a stack-based buffer overflow vulnerability; see this advisory for details.
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Remote buffer overflow vulnerabilities have been found in Courier-IMAP
and Courier MTA. These exploits may allow the execution of arbitrary
code, allowing unauthorized access to a vulnerable system.
The emil mail filter utility has buffer overflow and format string
vulnerabilities that can be exploited locally and remotely,
It may be possible to craft an email that exploits the vulnerability
and executes arbitrary code.
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
KDE has issued a security advisory for all
versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4
inclusive. A carefully crafted .VCF file potentially enables local
attackers to compromise the privacy of a victim's data or execute arbitrary
commands with the victim's privileges. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to
this issue.
A vulnerability was discovered in the Linux kernel versions 2.4.22 and
previous. A flaw in bounds checking in the do_brk() function can allow a
local attacker to gain root privileges. This vulnerability is known to be
exploitable.
The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
Matthew Galgoci of Red Hat discovered a Denial of Service (DoS)
vulnerability in versions of Mailman prior to 2.1. An attacker could send
a carefully-crafted message causing mailman to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0991 to this issue.
A vulnerability was discovered in Midnight Commander, a file manager,
whereby a malicious archive (such as a .tar file) could cause arbitrary
code to be executed if opened by Midnight Commander.
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability, however, because the
vulnerability has not been fully fixed, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability.
Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer
into executing arbitrary code upon parsing that header. Read the full advisory
for details.
Some some vulnerabilities exsist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information.
netpbm is graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
A remotely-exploitable overflow exists in versions of oftpd 0.3.6 and
earlier, allowing an attacker to crash the oftpd daemon. Issuing a port
command with a number higher than 255 causes the server to crash. The port
command may be issued before any authentication takes place, meaning the
attacker does not need to know a valid username and password in order to
exploit this vulnerability.
Versions of the OpenLDAP server through 2.1.12 suffer from a remotely exploitable denial of service vulnerability; some more information can be found in the OpenLDAP bug tracker.
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Primoz Bratanic discovered a bug in libpam-psgl, a PAM module to
authenticate using a PostgreSQL database. The library does not escape all
user-supplied data that are sent to the database. An attacker could
exploit this bug to insert SQL statements.
Paul Szabo discovered a number of bugs in suidperl, a helper
program to run perl scripts with setuid privileges. By exploiting
these bugs, an attacker could abuse suidperl to discover information
about files (such as testing for their existence and some of their
permissions) that should not be accessible to unprivileged users.
The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
PWLib is a cross-platform class library designed to support the OpenH323
project. OpenH323 provides an implementation of the ITU H.323
teleconferencing protocol, used by packages such as Gnome Meeting.
A test suite for the H.225 protocol (part of the H.323 family) provided by
the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker
could trigger these bugs by sending carefully crafted messages to an
application. The effects of such an attack can vary depending on the
application, but would usually result in a Denial of Service. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0097 to this issue.
Samba, a LanManager-like file and printer server for Unix, was found
to contain a vulnerability whereby a local user could use the "smbmnt"
utility, which is setuid root, to mount a file share from a remote
server which contained setuid programs under the control of the user.
These programs could then be executed to gain privileges on the local
system.
A bug was found in the processing of %-encoded characters in a URL in
versions of Squid 2.5.STABLE4 and earlier. If a Squid configuration uses
Access Control Lists (ACLs), a remote attacker could create URLs that would
not be correctly tested against Squid's ACLs, potentially allowing clients
to access prohibited URLs.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump
versions prior to 3.8.1. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.
Jonathan Heusser discovered two additional flaws in the ISAKMP decoding
routines of tcpdump versions up to and including 3.8.1. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0057 to this issue.
Jonathan Heusser discovered a flaw in the print_attr_string function in the
RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0055 to this issue.
Remote attackers could potentially exploit these issues by sending
carefully-crafted packets to a victim. If the victim uses tcpdump, these
packets could result in a denial of service, or possibly execute arbitrary
code as the 'pcap' user.
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet
display functions for the ISAKMP protocol. Upon receiving specially
crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the
packet capture buffer and crash. More information is available in this Rapid7 advisory.
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
