Security
Brief items
Keeping older Debian distributions secure
The Debian Project has sent out a survey in an attempt to figure out how many users are still using the "Potato" distribution. The project's goal is clear: they want to figure out when they can stop providing security updates for that version of the distribution. Pulling the plug on Potato may seem a bit premature, given that Woody was only released back in July. But, for Debian, this move is already late; remember that support for Debian 2.1 ("Slink") was withdrawn just one month after the Potato release.

Debian is different from most distributions, of course, in that its users are expected to upgrade quickly. Given the ease of the process, there is generally little reason to wait. But the simple fact is that people do not like to upgrade working systems. If a computer is happily doing the tasks assigned to it, why thrash up the operating system and break things? Commercial distributors understand this inertia, and most of them go out of their way to support old distributions for at least a couple of years. As a volunteer-driven distributor, the Debian Project has had the freedom to cut off support sooner (because it does not have paying customers), and the need to do so, because it does not have paid developers who can be sent off to patch holes in ancient packages.
The fact that the Debian Project is asking for input this time, rather than simply cutting off support after one month, shows a new sensitivity toward the needs of users beyond the Debian developer community. This is a good thing, of course, but Debian, by its nature, will still be limited in the amount of support it can provide for older versions of its distribution. This is an area where companies that ship commercial versions of Debian could contribute back to the project. By paying somebody to fix security problems in older versions of Debian GNU/Linux, these distributors can enhance the value of their own products while supporting the project that supports them.
So far, no vendor of Debian-based distributions has stepped up to the plate. Indeed, Debian-based distributors tend not to bother with security updates at all, since the Debian Project itself does such a good job with them. If these companies are serious about using Debian as a base for a commercial product, however, they are going to have to get a bit more serious about long-term support. Otherwise, they are likely to find their customers going elsewhere.
CodeWeavers adds KLEZ immunity
CodeWeavers has announced a new version (1.3.1) of its CrossOver Office product which features immunity to the KLEZ virus. "Whenever KLEZ attempts to run its .EXE file from the TMP directory, CrossOver Office 1.3.1 spawns a message to the user warning them that they may be launching an application that could potentially harm their computer." Bringing Windows applications to Linux is a good thing for many users, but great care must be taken to not port Windows problems as well...
New vulnerabilities
linuxconf: bad sendmail configuration file creation
| Package(s): | linuxconf |
| CVE #(s): | |
| Created: | November 6, 2002 |
| Updated: | November 6, 2002 |
| Description: | The linuxconf "mailconf" module can create sendmail configurations which allow the server to run as an open relay, instantly turning your site into a spammer's tool and getting you onto blacklists. |
| Alerts: | |
log2mail: buffer overflow
| Package(s): | log2mail |
| CVE #(s): | |
| Created: | November 6, 2002 |
| Updated: | November 6, 2002 |
| Description: | Enrico Zini discovered a buffer overflow in log2mail, a daemon for watching logfiles and sending lines with matching patterns via mail. The log2mail daemon is started upon system boot and runs as root. A specially crafted (remote) log message could overflow a static buffer, potentially causing log2mail to execute arbitrary code as root. |
| Alerts: | |
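The bug class behind this advisory is a fixed-size static buffer filled from input whose length the daemon does not control. The following is an added illustration, not log2mail's own source: a toy line matcher in the vulnerable shape (unbounded `strcpy` into a static buffer) next to a hardened shape that measures the line against the buffer first and rejects anything that does not fit. `LINE_BUF`, the function names and the syslog-style sample lines are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not log2mail's source. A log-watching daemon copies each
 * incoming log line into a fixed-size static buffer before pattern matching.
 * LINE_BUF is an assumed size chosen for the demonstration. */
#define LINE_BUF 128

/* Vulnerable shape: the line is copied without a length check. Any line of
 * LINE_BUF bytes or more writes past the end of the static buffer, which is
 * the class of bug described for log2mail. It is only ever called here with
 * a short constructed line, so the overflow is never triggered. */
static char g_line_unsafe[LINE_BUF];
int match_line_unsafe(const char *line, const char *pattern)
{
    strcpy(g_line_unsafe, line);                /* no bound on strlen(line) */
    return strstr(g_line_unsafe, pattern) != NULL;
}

/* Hardened shape: measure the line against the buffer before copying and
 * refuse anything that does not fit together with its terminator. The caller
 * is told the line was rejected instead of silently matching a truncated copy.
 * Returns 1 on match, 0 on no match, -1 if the line was rejected. */
int match_line_safe(const char *line, const char *pattern)
{
    static char buf[LINE_BUF];
    size_t n = 0;

    /* bounded length scan: never reads more than LINE_BUF bytes of input */
    while (n < LINE_BUF && line[n] != '\0')
        n++;
    if (n >= LINE_BUF)
        return -1;                              /* oversized: drop, do not copy */

    memcpy(buf, line, n);
    buf[n] = '\0';
    return strstr(buf, pattern) != NULL ? 1 : 0;
}

/* Demo helper: builds a constructed log line of `len` filler bytes (the kind
 * of input a remote sender controls) and reports whether the hardened matcher
 * rejects it. Returns 1 if rejected, 0 otherwise. */
int long_line_is_rejected(size_t len)
{
    char *line = malloc(len + 1);
    int rejected;
    if (line == NULL)
        return 0;
    memset(line, 'A', len);
    line[len] = '\0';
    rejected = (match_line_safe(line, "Accepted") == -1);
    free(line);
    return rejected;
}

int main(void)
{
    /* constructed sample lines in syslog style */
    const char *ok  = "Nov  6 12:00:01 host sshd[123]: Accepted password for root";
    const char *bad = "Nov  6 12:00:02 host cron[124]: job finished";

    printf("safe, match:    %d\n", match_line_safe(ok, "Accepted"));     /* 1 */
    printf("safe, no match: %d\n", match_line_safe(bad, "Accepted"));    /* 0 */
    printf("safe, too long: %d\n", long_line_is_rejected(4 * LINE_BUF)); /* 1 */
    printf("unsafe, short:  %d\n", match_line_unsafe(bad, "cron"));      /* 1 */
    return 0;
}
```

The hardened matcher returns a distinct value for an oversized line rather than truncating it: truncation would keep the daemon safe from the overflow but could hide the very line a watcher wanted to see, so logging the rejection (and the source that sent it) is the better operational choice.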
luxman: pathname vulnerability
| Package(s): | luxman |
| CVE #(s): | CAN-2002-1245 |
| Created: | November 6, 2002 |
| Updated: | November 6, 2002 |
| Description: | LuxMan is a maze game which, one would think, would not be much of a threat. It has, however, a pathname vulnerability that can be turned into a local root exploit. Versions through 0.41 are vulnerable. |
| Alerts: | |
Mozilla: Privacy leak and other vulnerabilities
| Package(s): | mozilla |
| CVE #(s): | CAN-2002-1126, CAN-2002-1091 |
| Created: | November 1, 2002 |
| Updated: | February 13, 2003 |
| Description: | Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape and Galeon, set the document referrer too quickly in certain situations when a new page is being loaded, which allows web pages to determine the next page that is being visited, including manually entered URLs. Netscape 6.2.3 and earlier, and Mozilla 1.0.1, allow remote attackers to corrupt heap memory and execute arbitrary code via a GIF image with a zero width. See also Mozilla's Recently fixed security issues page. All users are encouraged to upgrade to the latest stable 1.0.x release of Mozilla. |
| Alerts: | |
perl-MailTools: remote command execution
| Package(s): | MailTools |
| CVE #(s): | CAN-2002-1271 |
| Created: | November 5, 2002 |
| Updated: | September 19, 2003 |
| Description: | The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer, which allows commands to be embedded in the mail body. Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags. |
| Alerts: | |
Resources
Linux Security Week
The LinuxSecurity.com Linux Security Week Newsletter for November 4 is available.
Page editor: Jonathan Corbet