Linux in the news
All in one big page
See also: last week's Security page.
Olaf Kirch reported that systems running libc5.3.X (libc5) may still be vulnerable to the mountd exploits, even after upgrading to recent NFS packages. This is due to a bug in the older libc which causes a 1 byte overrun, which is sufficient to allow a root compromise. Until an nfs-server update is available (Olaf will be releasing one soon) that checks for this potential problem, you will need libc-5.4 (glibc) or newer to be safe. Even this may not be sufficient if you use directory names greater than 40 characters, due to another bufferrun in the newer libc packages.
Olaf attached a patch for libc to his report for those that wish to close this immediately. The first set of repaired packages have been announced by S.u.S.E.. It specifically mentions both the nfsserver problems and the libc5 hole. Expect to see followups from the other distributions soon.
Dan Brumleve published the existence of yet another Netscape security problem, this one being an exploitable MIME type buffer overflow. It can be used to crash the browser and potentially compromise root, though the latter has not yet been demonstrated.
Fyodor published a list of operating system preferences at major security sites, which he garnered off the net using his latest version of nmap, a utility for port scanning large networks. Of course his choice of what is a major security site is presumably biased, but the results are fun in any case. No surprise to us, Linux was most popular, followed by other Unices. The version of nmap he used won't be released for a while yet.
Sandia Labs has announced what they call the world's smallest combination lock. The device uses microelectromechanical system (MEMS) and contains a series of tiny notched gears "so small that a microscope is required to see them" and is touted as much more reliable than software, since it is less subject to manipulations. (Pointer to the article was found in the ISN mailing list.)
The 1999 Network and Distributed System Security (NDSS) Symposium will be held in February, in San Diego, CA. Tutorials are also offered, in addition to the primary program. See the web site for more information.
October 22, 1998