Security
Brief items
Security through obsolescence (Register)
Robin Miller considers the virtues of mature software.
An interesting read.
The New Debian Security Build Infrastructure
Woody release manager Anthony Towns shares some information about the new security infrastructure. This new infrastructure is a critical component of the woody release.
Super-Secure Linux, Inch by Inch (Wired)
Wired News covers the National Security Agency's Security-Enhanced Linux (SELinux). "NSA's Wagner says that SELinux's adoption rate 'has exceeded our original expectations. This release has also caused developers of non-Linux systems to consider incorporating similar controls based upon our earlier prototypes.'"
If you haven't seen it already, this week's LWN.net leading item is about SELinux and patents.
Complex Linux virus warning (vnunet)
Vnunet covers cross-platform viruses, which might be able to infect Linux systems. "Although the virus was not the first of its kind to infect both Windows and Linux machines, it apparently moved virus-writing techniques 'yet another step up the scale of complexity'."
New viruses aim to cross multi platforms (ZDNet)
Robert Lemos worries that although the Simile.D cross-platform virus isn't much of a threat, the techniques it uses may be bad news. Simile.D is one of the few viruses, so far, with the "ability to jump from Windows to Linux and back again."
Support discontinued for SuSE 6.4
After Monday, June 17 2002, SuSE will not provide security fixes for SuSE Linux 6.4 any more. With SuSE 8.0 in release, the announcement isn't a surprise.
Security reports
Security Advisory For Versions of Bugzilla 2.14 Prior To 2.14.2, 2.16 Prior To 2.16rc2
The Bugzilla team has issued a security advisory encouraging all Bugzilla installations to upgrade to the latest versions of Bugzilla released Jun 8th, 2002, 2.14.2 and 2.16rc2. "Various security issues of varying importance have been fixed in Bugzilla 2.14.2. Most of these were fixed already in 2.16rc1, a few were not."
Remote vulnerability in Mozilla 1.0
Tom Vogt has reported a frustrating problem with Mozilla 1.0 and earlier. A maliciously crafted stylesheet can cause the X server to crash or consume memory until stopped with a kill -9. Either way, it takes the desktop with it when it goes.
CBMS: XSS and SQL Injection holes
Ulf Harnhammar reports that CBMS "is littered with XSS (Cross-site Scripting) and SQL Injection holes."
CGIscript.net - csNews.cgi has multiple vulnerabilities
Steve Gustin has reported multiple vulnerabilities in the csNews.cgi script from CGIscript.net. "Contact vendor for updated version, only allow completely trusted users to access the application, disable access to .style and *db files through Apache .htaccess files."
AlienForm2 CGI script arbitrary file read/write vulnerability
Nick Cleaton reports that the AlienForm2 form-to-email gateway has a flaw which, subject to file permissions, allows an attacker to read and modify "any file on the server." A suggested fix is included.
Format string vulnerabilities in mmmail and mmftpd
Guillaume Pelat has reported format string vulnerabilities in mmmail 0.0.13 and mmftpd 0.0.7. Updated versions which fix both problems are available. Mmmail supplies SMTP and POP3 daemons using MySQL and other features. Mmftpd is a secure FTP server.
New vulnerabilities
Ethereal buffer overflow, infinite loop and memory management vulnerabilities
| Package(s): | ethereal | CVE #(s): | CAN-2002-0012 CAN-2002-0013 CAN-2002-0353 CAN-2002-0401 CAN-2002-0402 CAN-2002-0403 CAN-2002-0404 |
|---|---|---|---|
| Created: | June 12, 2002 | Updated: | October 27, 2002 |
| Description: | Ethereal 0.9.4 was released on May 19, 2002, fixing four potential security issues in Ethereal 0.9.3. No known exploits exist "in the wild" at the present time for any of these issues. | | |
| Alerts: | | | |
LPRng accepts jobs from any host.
| Package(s): | LPRng | CVE #(s): | CAN-2002-0378 |
|---|---|---|---|
| Created: | June 12, 2002 | Updated: | October 31, 2002 |
| Description: | Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host. This could be an especially annoying vulnerability for administrators with systems exposed to the general public. | | |
| Alerts: | | | |
Resources
Using tcpserver with Mandrake Linux (MandrakeSecure.net )
Tcpserver is a secure replacement for inetd. This article is of interest to anyone who wants to use tcpserver on Linux, although it is, of course, specific to Mandrake Linux.
Linux Security Week and Advisory Watch
The June 10th Linux Security Week and June 7th Linux Advisory Watch Newsletters from LinuxSecurity.com are available.
Pine 4.44 privacy patch
A patch is available for Pine 4.44 that closes user name and id leaks due to automatic header line insertion. The patch is intended for use by "help desks and other role accounts."
Next Generation Secure Remote Log Servers over TCP (LinuxSecurity.com)
Eric "Loki" Hines has written a "Comprehensive Guide to Building Encrypted, Secure Remote Syslog-ng Servers with the Snort Intrusion Detection System."
Events
HiverCon 2002 Announcement
HiverCon 2002 is scheduled for 26 and 27 November, 2002 in Dublin, Ireland. The call for papers closes 6 September 2002.
Black Hat 2002 Speakers Announced
The event is being held 31 July through 1 August 2002 in Las Vegas, Nevada, USA. "Richard Clarke, Special Advisor to President Bush for Cyberspace Security, will be one of the keynotes headlining the event."
Upcoming Security Events
| Date | Event | Location |
|---|---|---|
| June 17 - 19, 2002 | NetSec 2002 | San Francisco, California, USA |
| June 17 - 19, 2002 | 3rd Annual Information Assurance Workshop | United States Military Academy, West Point, New York |
| June 24 - 28, 2002 | 14th Annual Computer Security Incident Handling Conference | Hilton Waikoloa Village, Hawaii |
| June 24 - 26, 2002 | 15th IEEE Computer Security Foundations Workshop | Keltic Lodge, Cape Breton, Nova Scotia, Canada |
| June 28 - 29, 2002 | Edinburgh Financial Cryptography Engineering 2002 | Edinburgh, Scotland |
| July 31 - August 1, 2002 | Black Hat Briefings 2002 | Caesars Palace Hotel and Resort, Las Vegas, NV, USA |
| August 2 - 4, 2002 | Defcon | Alexis Park Hotel and Resort, Las Vegas, Nevada |
| August 5 - 9, 2002 | 11th USENIX Security Symposium | San Francisco, CA, USA |
| August 6 - 9, 2002 | CERT Conference 2002 | Omaha, Nebraska, USA |
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.
Page editor: Dennis Tenney
