Security
Welcome to the new LWN.net Security Page
Our first site code upgrade in nearly four years introduces an integrated security alert and vulnerability database. Our archive of security alerts dating back to July, 2001 now lives in a PostgreSQL relational database. Vulnerabilities and alerts are actually linked to each other. Recent alerts and vulnerabilities use Common Vulnerabilities and Exposures (CVE) numbers to uniquely identify each vulnerability.
Today you can browse alerts and vulnerabilities using the links at the top of each page. When viewing an alert, you can view the corresponding vulnerability description with a mouse click.
In the future expect, and please continue to suggest, ways for us to better provide you with the security information you seek.
US TurboLinux Security Severely Out of Date (iDEFENSE Labs)
iDEFENSE Labs has issued a security advisory for the US TurboLinux distribution.
LWN has pointed out in the past that Turbolinux has not been serious about security updates. With luck this advisory - or, perhaps, the UnitedLinux effort - will help get this distributor back on track.
Brief items
Unique Preventative IDS for Linux
Scott Wimer, Chief Technology Officer of Cylant, discusses preventive security in this paper.
Biometric Access Protection Devices and their Programs Put to the Test (c't)
c't has published a study of eleven biometric access controls intended to prevent unauthorized access. "In our attempts at outfoxing the protective programs and devices we have concentrated on the first method: direct attempts at deceiving the systems with the aid of obvious procedures (such as the reactivation of latent images) and obvious feature forgeries (photographs, videos, silicon fingerprints)."
Also see Bruce Schneier's previously published CRYPTO-GRAM newsletter for May for a look at a technique for fooling fingerprint scanners with fake fingers made of gelatin.
Security reports
Download Sites Hacked, Source Code Backdoored (Security Focus)
Brian McWilliams reports on the recent contamination of Fragroute with a backdoor. "According to program developer Dug Song, the source code to the Dsniff, Fragroute, and Fragrouter security tools was contaminated on May 17th after an attacker gained unauthorized access to his site, Monkey.org."
Note: Copies of Dsniff, Fragroute or Fragrouter downloaded from Monkey.org between May 17th and May 24th are contaminated and require replacement. For more details, see Dug Song's post to bugtraq about the incident.
OpenSSH 3.2.3 released
Following on the heels of the last release, OpenSSH version 3.2.3 has been announced. This version fixes a few bugs that showed up in version 3.2.2.
Ethereal 0.9.4 released
Ethereal 0.9.4 was released on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
- The SMB dissector could potentially dereference a NULL pointer in two cases.
- The X11 dissector could potentially overflow a buffer while parsing keysyms.
- The DNS dissector could go into an infinite loop while reading a malformed packet.
- The GIOP dissector could potentially allocate large amounts of memory.
No known exploits exist "in the wild" at the present time for any of these issues.
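The four items above are the classic dissector failure modes: a missing NULL check on an optional field, a length field trusted past the captured bytes, a record that never advances the parse cursor, and an allocation sized by whatever the packet claims. As an added illustration (not Ethereal's code, and not from the original page), the toy TLV dissector below shows the checks that close off each class. The record layout, the type numbers, the two caps and the sample captures are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy TLV dissector, constructed for this example; it is not Ethereal's code.
 * Record layout (hypothetical): type (1 byte), total record length including
 * this 3-byte header (2 bytes, big-endian), then the value. Type 1 carries a
 * list of 16-bit symbol codes, type 2 an optional name. */

#define MAX_SYMBOLS 64         /* fixed symbol table; hypothetical cap */
#define MAX_NAME_ALLOC 256     /* cap on one packet's name allocation; hypothetical */

enum dissect_status {
    DISSECT_OK = 0,
    DISSECT_TRUNCATED,         /* a length field runs past the captured bytes */
    DISSECT_NO_PROGRESS,       /* a record whose length would never advance the cursor */
    DISSECT_TOO_MANY,          /* more symbols than the table can hold */
    DISSECT_ALLOC_TOO_BIG      /* the packet asks for more memory than we allow */
};

struct dissected {
    uint16_t symbols[MAX_SYMBOLS];
    size_t nsymbols;
    char *name;                /* NULL when the packet carries no name record */
};

static void dissected_free(struct dissected *d) { free(d->name); d->name = NULL; }

static enum dissect_status dissect(const uint8_t *pkt, size_t len, struct dissected *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < 3) return DISSECT_TRUNCATED;          /* header itself is cut off */
        uint8_t type = pkt[off];
        size_t reclen = ((size_t)pkt[off + 1] << 8) | pkt[off + 2];
        if (reclen < 3) return DISSECT_NO_PROGRESS;            /* would loop forever on this record */
        if (reclen > len - off) return DISSECT_TRUNCATED;      /* value runs past the buffer */
        const uint8_t *val = pkt + off + 3;
        size_t vlen = reclen - 3;
        switch (type) {
        case 1: {                                              /* symbol list: 2 bytes each */
            size_t count = vlen / 2;
            if (count > MAX_SYMBOLS - out->nsymbols) return DISSECT_TOO_MANY;
            for (size_t i = 0; i < count; i++)
                out->symbols[out->nsymbols++] = (uint16_t)((val[2 * i] << 8) | val[2 * i + 1]);
            break;
        }
        case 2: {                                              /* name: cap before malloc */
            if (vlen > MAX_NAME_ALLOC) return DISSECT_ALLOC_TOO_BIG;
            char *name = malloc(vlen + 1);
            if (!name) return DISSECT_ALLOC_TOO_BIG;
            memcpy(name, val, vlen);
            name[vlen] = '\0';
            free(out->name);
            out->name = name;
            break;
        }
        default: break;                                        /* unknown type: skip it */
        }
        off += reclen;
    }
    return DISSECT_OK;
}

/* The name is optional, so every consumer checks for NULL instead of dereferencing. */
static size_t dissected_name_len(const struct dissected *d) { return d->name ? strlen(d->name) : 0; }

/* Dissect a buffer, release anything allocated, and return only the status. */
static int dissect_result(const uint8_t *pkt, size_t len)
{
    struct dissected d;
    enum dissect_status s = dissect(pkt, len, &d);
    dissected_free(&d);
    return (int)s;
}

/* Constructed sample captures. */
static const uint8_t good_pkt[] = { 0x01, 0x00, 0x07, 0x00, 0x41, 0x00, 0x42,   /* two symbols */
                                    0x02, 0x00, 0x06, 'e', 't', 'h' };          /* name "eth" */
static const uint8_t no_progress_pkt[] = { 0x01, 0x00, 0x00 };           /* length 0: must not spin */
static const uint8_t truncated_pkt[] = { 0x01, 0x00, 0x09, 0x00, 0x41 }; /* claims 9 bytes, has 5 */

static int good_packet_check(void)
{
    struct dissected d;
    int ok = dissect(good_pkt, sizeof good_pkt, &d) == DISSECT_OK && d.nsymbols == 2
          && d.symbols[0] == 0x41 && d.symbols[1] == 0x42 && d.name && strcmp(d.name, "eth") == 0;
    dissected_free(&d);
    return ok;
}

/* Build one record of the given type with payload_len value bytes and return the status. */
static int status_for_record(uint8_t type, size_t payload_len)
{
    size_t reclen = 3 + payload_len;
    uint8_t *buf = calloc(reclen, 1);
    if (!buf) return -1;
    buf[0] = type; buf[1] = (uint8_t)(reclen >> 8); buf[2] = (uint8_t)reclen;
    int s = dissect_result(buf, reclen);
    free(buf);
    return s;
}

static size_t empty_capture_name_len(void)
{
    struct dissected d;
    dissect(NULL, 0, &d);                   /* zero-length capture: no records, no name */
    size_t n = dissected_name_len(&d);
    dissected_free(&d);
    return n;
}

int main(void)
{
    printf("good=%d no_progress=%d truncated=%d\n", good_packet_check(),
           dissect_result(no_progress_pkt, sizeof no_progress_pkt),
           dissect_result(truncated_pkt, sizeof truncated_pkt));
    printf("65 symbols=%d 257-byte name=%d\n", status_for_record(1, 2 * 65), status_for_record(2, 257));
    return 0;
}
```

The ordering of the checks is the point: the header is confirmed present before it is read, the record length is checked for progress and against the bytes actually captured before the value is touched, and the allocation cap is applied before malloc rather than after.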
Information Disclosure Vulnerability in IDS 0.8x
IDS is a CGI script that generates a multi-gallery photo album for a website on the fly. IDS 0.8x is reported to have a directory disclosure vulnerability.
CGIscript.net - csPassword.cgi has multiple vulnerabilities
Steve Gustin has reported multiple vulnerabilities in the csPassword.cgi script from CGIscript.net: "Make sure you only allow trusted users to use the csPassword application and make sure your web server is configured to deny requests for .ht* and *.tmp files."
Caldera Security Advisory - Volution Manager
Volution Manager stores the unencrypted Directory Administrator's password in the /etc/ldap/slapd.conf file. This vulnerability will be corrected in the next release of Volution Manager.
(Proprietary product) Informix SE-7.25 Local Vulnerability
A buffer overflow vulnerability was reported in Informix SE-7.25 if the INFORMIXDIR environment variable is defined with a size greater than 2023 bytes.
New vulnerabilities
Denial of service vulnerability in version 9 of BIND
| Package(s): | bind | CVE #(s): | CAN-2002-0400 |
|---|---|---|---|
| Created: | June 5, 2002 | Updated: | August 19, 2002 |
| Description: | Here is an advisory from the Computer Emergency Response Team (CERT) regarding the denial of service vulnerability in version 9 of the BIND nameserver, up to 9.2.1. An attacker can send a properly crafted packet which triggers a check within BIND and causes it to shut down. The vulnerability can not be exploited for any purpose beyond denial of service, but that is bad enough; if you are running BIND 9, an upgrade is probably a good idea. Note that many or most systems out there will still be running BIND 8, and thus will not be vulnerable. News articles on the vulnerability appear in the Register and Network World Fusion News. | | |
Ghostscript arbitrary command execution vulnerability
| Package(s): | ghostscript | CVE #(s): | CAN-2002-0363 |
|---|---|---|---|
| Created: | June 5, 2002 | Updated: | June 12, 2002 |
| Description: | Ghostscript may be used to execute arbitrary commands with a maliciously formed PostScript file. Since ghostscript is frequently used while printing documents, updating is strongly recommended. The vulnerability has been fixed in the 6.53 source release of GNU Ghostscript. | | |
Mailman 2.0.11 fixes two cross-site scripting vulnerabilities
| Package(s): | mailman | CVE #(s): | CAN-2002-0388 |
|---|---|---|---|
| Created: | June 5, 2002 | Updated: | August 28, 2002 |
| Description: | Barry A. Warsaw announced the release of Mailman 2.0.11 "which fixes two cross-site scripting exploits, one reported by "office" in the admin login page, and another reported by Tristan Roddis in the Pipermail index summaries. It is recommended that all sites upgrade their 2.0.x systems to this version." | | |
String format bug in pam_ldap logging
| Package(s): | nss_ldap | CVE #(s): | CAN-2002-0374 |
|---|---|---|---|
| Created: | June 5, 2002 | Updated: | October 29, 2002 |
| Description: | The nss_ldap package includes the pam_ldap module for authenticating a user with an LDAP database. pam_ldap versions prior to 144 have a string format bug in the logging mechanism. | | |
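A format string bug in a logging path means caller-supplied text (here, the name a user typed at login) ends up as the format argument of a printf-family call. As an added illustration (not pam_ldap's code, and not from the original page), the snippet below shows the fixed form of such a logger beside a comment naming the unsafe one, a check that probe strings are logged literally, and a small counter for conversion directives that is handy on the detection side when grepping authentication logs. The log line layout, the reason text and the sample usernames are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative example of the format-string bug class; not pam_ldap's code.
 * The log line layout, reason text and usernames are constructed. */

/* Fixed logger: the format string is a literal chosen by the program, and the
 * caller-supplied username is only ever a %s argument. The bug class being
 * avoided is the one-argument form   snprintf(out, outlen, user);   in which
 * any '%' in 'user' is interpreted as a conversion and consumes whatever
 * happens to be on the stack (or, with %n, writes to it).
 * Returns the number of bytes written, or -1 when the line would not fit. */
static int log_auth_failure(char *out, size_t outlen, const char *user, const char *reason)
{
    int n = snprintf(out, outlen, "pam_ldap: authentication failed for '%s': %s", user, reason);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Returns 1 when the logged line carries 'user' byte-for-byte, i.e. any '%'
 * sequences in it survived as plain text rather than being interpreted. */
static int logs_literally(const char *user)
{
    char line[256];
    if (log_auth_failure(line, sizeof line, user, "invalid credentials") < 0)
        return 0;
    return strstr(line, user) != NULL;
}

/* Count printf conversion directives in a string ('%%' is a literal percent).
 * A username containing directives in an auth log is a strong sign that
 * someone is probing for exactly this class of bug. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        n++;
    }
    return n;
}

/* A name longer than the buffer must be refused, not truncated silently. */
static int oversized_is_rejected(void)
{
    char big[300], line[256];
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return log_auth_failure(line, sizeof line, big, "invalid credentials") == -1;
}

int main(void)
{
    /* Constructed sample names: one ordinary, three that would steer an unsafe logger. */
    const char *probes[] = { "alice", "%s%s%s%s", "%n%n%n", "100%% done" };
    char line[256];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        log_auth_failure(line, sizeof line, probes[i], "invalid credentials");
        printf("%s  [directives: %d]\n", line, count_format_directives(probes[i]));
    }
    return 0;
}
```

Compilers flag the unsafe form (GCC's -Wformat-security warns when the format is not a literal), so enabling that warning across a PAM module's build is the cheapest way to catch the pattern before it ships.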
Malformed NFS packet buffer overflow vulnerability in tcpdump
| Package(s): | tcpdump | CVE #(s): | CAN-2002-0380 |
|---|---|---|---|
| Created: | June 5, 2002 | Updated: | October 9, 2002 |
| Description: | A buffer overflow in tcpdump can be triggered by a bad NFS packet when tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable. | | |
Uucp authentication agent, in.uucpd, bad string termination
| Package(s): | uucp | CVE #(s): | |
|---|---|---|---|
| Created: | June 5, 2002 | Updated: | June 5, 2002 |
| Description: | The in.uucpd authentication agent in the uucp package does not properly terminate some long input strings. | | |
xchat IRC server based dns query vulnerability
| Package(s): | xchat | CVE #(s): | CAN-2002-0382 |
|---|---|---|---|
| Created: | June 5, 2002 | Updated: | September 24, 2002 |
| Description: | A malicious IRC server may return a response to a /dns query that executes arbitrary commands with the privileges of the user running XChat. Versions of XChat prior to 1.8.9 are vulnerable. | | |
Updated vulnerabilities
Ethereal packet handling vulnerabilities
| Package(s): | ethereal | CVE #(s): | CAN-2002-0353 |
|---|---|---|---|
| Created: | June 5, 2002 | Updated: | June 12, 2002 |
| Description: | Ethereal 0.9.3 fixed three packet handling vulnerabilities present in 0.9.2 when it was released by the Ethereal team on March 30th. The PROTOS test suite found some flaws in SNMP and LDAP protocol support. Malformed packets could also crash Ethereal 0.9.2 due to an ASN.1 zero-length g_malloc problem. The zlib "double free" vulnerability was addressed by the updates for that bug from many distributors. (First LWN report: May 2). Update: The May 19, 2002 release of Ethereal 0.9.4 fixes four potential security issues in Ethereal 0.9.3. Please see the new vulnerability for more information. | | |
Remotely-exploitable buffer overflow vulnerability in fetchmail
| Package(s): | fetchmail | CVE #(s): | CAN-2002-0146 |
|---|---|---|---|
| Created: | June 5, 2002 | Updated: | June 18, 2002 |
| Description: | Fetchmail versions prior to 5.9.10 have a buffer overflow vulnerability that may be exploited by a malicious IMAP server. The fetchmail client allocated memory to store the sizes of the messages it is attempting to retrieve based on a message count provided by the IMAP server. A malicious IMAP server could provide an artificially large message count to force the fetchmail process to write data outside of the allocated memory. (First LWN report: May 9). | | |
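The fetchmail entry describes a pattern worth seeing in code: the server announces how many messages exist, the client sizes a table from that number, and later writes into the table are indexed by message numbers the same server supplies. As an added illustration (not fetchmail's code, and not from the original page), the snippet below parses a constructed IMAP "* <n> EXISTS" response, caps the claimed count before allocating, and checks every write against what was actually allocated rather than what was claimed. MAX_MESSAGES and the sample responses are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Illustrative reconstruction of the bug class, not fetchmail's code. An IMAP
 * server announces mailbox size with an untagged "* <n> EXISTS" response; a
 * client that sizes a per-message table from <n> must not let the server
 * decide how large the table is or which slots get written. MAX_MESSAGES and
 * the responses in main() are constructed for this example. */

#define MAX_MESSAGES 4096UL   /* hypothetical cap on messages handled per session */

struct msgsizes {
    size_t capacity;          /* slots actually allocated */
    size_t *sizes;
};

/* Parse "* <n> EXISTS". Returns 0 and stores n, or -1 for anything malformed. */
static int parse_exists(const char *line, unsigned long *count)
{
    if (strncmp(line, "* ", 2) != 0)
        return -1;
    char *end;
    errno = 0;
    unsigned long n = strtoul(line + 2, &end, 10);
    if (errno != 0 || end == line + 2 || strcmp(end, " EXISTS") != 0)
        return -1;
    *count = n;
    return 0;
}

/* The server-claimed count is validated against a cap before it drives an
 * allocation. The bug class is allocating 'claimed' slots with no upper bound
 * and then indexing by the server's message numbers without checking them. */
static int alloc_sizes(unsigned long claimed, struct msgsizes *ms)
{
    if (claimed == 0 || claimed > MAX_MESSAGES)
        return -1;
    ms->sizes = calloc(claimed, sizeof *ms->sizes);
    if (!ms->sizes)
        return -1;
    ms->capacity = claimed;
    return 0;
}

/* Record the size the server reports for message 'num' (1-based, as in IMAP).
 * Every write is checked against what was allocated, not what was claimed. */
static int record_size(struct msgsizes *ms, unsigned long num, size_t size)
{
    if (num == 0 || num > ms->capacity)
        return -1;
    ms->sizes[num - 1] = size;
    return 0;
}

/* Run one session against a constructed EXISTS line, then try to record a
 * size for message 'msgnum'. Returns 0 on success, -1 if the count was
 * rejected, -2 if the message number lies outside the table. */
static int session_demo(const char *exists_line, unsigned long msgnum)
{
    unsigned long claimed;
    struct msgsizes ms = { 0, NULL };
    if (parse_exists(exists_line, &claimed) != 0 || alloc_sizes(claimed, &ms) != 0)
        return -1;
    int rc = record_size(&ms, msgnum, 1024) == 0 ? 0 : -2;
    free(ms.sizes);
    return rc;
}

int main(void)
{
    printf("honest server, msg 3:      %d\n", session_demo("* 3 EXISTS", 3));
    printf("honest count, msg 4:       %d\n", session_demo("* 3 EXISTS", 4));
    printf("server claims 4294967295:  %d\n", session_demo("* 4294967295 EXISTS", 1));
    printf("malformed response:        %d\n", session_demo("* lots EXISTS", 1));
    return 0;
}
```

The second case in main() is the one that the cap alone does not catch: the count was plausible, but a later response referred to a message number beyond it, so the write has to be checked against the table's real capacity.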
UW imapd remotely exploitable buffer overflow
| Package(s): | imap | CVE #(s): | CAN-2002-0379 |
|---|---|---|---|
| Created: | June 5, 2002 | Updated: | December 20, 2002 |
| Description: | UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft a request to run commands on the server under their UID and GID. (First LWN report: May 23). | | |
OpenSSH 3.2.2 fixes multiple vulnerabilities
| Package(s): | openssh | CVE #(s): | |
|---|---|---|---|
| Created: | June 5, 2002 | Updated: | June 5, 2002 |
| Description: | The OpenSSH developers have released OpenSSH 3.2.2. Security fixes in this release are: "- fixed buffer overflow in Kerberos/AFS token passing - fixed overflow in Kerberos client code - sshd no longer auto-enables Kerberos/AFS - experimental support for privilege separation [...] - only accept RSA keys of size SSH_RSA_MINIMUM_MODULUS_SIZE (768) or larger" (First LWN report: May 23). | | |
UTF8 interaction bug in the perl-Digest-MD5 module
| Package(s): | perl-Digest-MD5 | CVE #(s): | |
|---|---|---|---|
| Created: | June 5, 2002 | Updated: | June 5, 2002 |
| Description: | Versions prior to 2.20 of the perl-Digest-MD5 module have a bug in the UTF8 interaction with perl that produces UTF8 strings with improper MD5 digests. (First LWN report: May 16). | | |
Resources
CERT Summary CS-2002-02
The CERT Coordination Center (CERT/CC) issued their CERT quarterly summary "to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information."
Announcing Fenris 0.06
Fenris 0.06 has been released by Michal Zalewski. "This release brings you much improved debugging capabilities, from a console-based debugging GUI [...], to core functionality fixes, anti-debugger techniques detection, better performance, or an updated write-up on debugging burneye-protected code."
Linux Security Week and Advisory Watch
The June 3 Linux Security Week from LinuxSecurity.com is available, as are the Linux Advisory Watch Newsletters from May 24 and May 31.
Book Review: SSH, The Secure Shell - The Definitive Guide
Danny Yee has reviewed SSH, The Secure Shell - The Definitive Guide published by O'Reilly & Associates in 2001.
Events
Upcoming Security Events
| Date | Event | Location |
|---|---|---|
| June 6 - 7, 2002 | Qualys Security Conference | Hotel Nikko, San Francisco, CA |
| June 17 - 19, 2002 | NetSec 2002 | San Francisco, California, USA |
| June 24 - 28, 2002 | 14th Annual Computer Security Incident Handling Conference | Hilton Waikoloa Village, Hawaii |
| June 24 - 26, 2002 | 15th IEEE Computer Security Foundations Workshop | Keltic Lodge, Cape Breton, Nova Scotia, Canada |
| June 28 - 29, 2002 | Edinburgh Financial Cryptography Engineering 2002 | Edinburgh, Scotland |
| July 31 - August 1, 2002 | Black Hat Briefings 2002 | Caesars Palace Hotel and Resort, Las Vegas, NV, USA |
| August 2 - 4, 2002 | Defcon | Alexis Park Hotel and Resort, Las Vegas, Nevada |
| August 5 - 9, 2002 | 11th USENIX Security Symposium | San Francisco, CA, USA |
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.
Page editor: Dennis Tenney