News and editorials

A Secure and Open Society (ComputerWorld Canada). An interview with OpenBSD developer and recognized security guru Theo de Raadt, entitled A Secure and Open Society, takes a look at what OpenBSD has done differently to make itself possibly the most secure operating system available today. "The secret is straightforward. de Raadt and his peers assume that every single bug found in the code occurs elsewhere. de Raadt admits it sounds simple, but just rooting security bugs out of the entire source tree took 10 full-time developers one and a half years to complete."

A simple concept, but one that requires a tremendous amount of effort to implement. Another view of the effort required came from this interaction on BugTraq. First, H D Moore complained that buffer overflows in applications shipped with SuSE Linux had been previously reported but continued to persist. Note that these applications were not installed with enhanced privileges, but could potentially be run by a more privileged process. Marc Heuse responded, bringing to light the problem caused when such bugs are fixed but the fixes are not incorporated into the developer's tree, due to lack of time or interest on the part of the developer/maintainer. The bugfixes produced by OpenBSD, for example, are all made available, but do not generally get incorporated into the developer's tree, leaving versions of the software for other free operating systems vulnerable.

So blame the developers? Bad policy. Encourage the developers. Pay the developers. After all, without them the software wouldn't exist at all. Best of all, educate the developers, just as much as the end user, the system administrator and the distributor, to care about security, even when the immediate risk level seems small. We are all only as safe as the weakest link in this chain.

Security Reports

Linux kernel-related vulnerabilities. The latest stable kernel prepatch, 2.2.15pre16, contains two security fixes that will make the update to 2.2.15, once released, more imperative. In addition, if a fix comes out quickly enough for the reported UDP masquerading vulnerability, that will be included in 2.2.15 before it is released as well.

gpm-root improper permissions handling. Egmont Koblinger posted a report of improper permissions handling in gpm-root, a tool included in the gpm package. He followed up with a patch when it was pointed out that gpm is now a package looking for a new maintainer. Alessandro Rubini, author of gpm-root, also followed up, promising that a fix for the problem will be included with gpm 1.19.1, which should be released in a few days. That will presumably be the last version of gpm released, unless a new maintainer steps up to the plate.

SuSE: IMAP vulnerability. SuSE has published an advisory for a vulnerability in the IMAP server that could allow an attacker to create or delete mail folders. Few details are included, but a fix has been made available.

Subtle data corruption of TCP streams. Wietse Venema posted an analysis of a problem with data corruption of TCP streams when TCP-level options are turned on. Eventually, the problem was traced to an unnamed bandwidth management system.


mh/nmh. See discussion in the March 9th, 2000 LWN Security Summary.

usermode. See discussion in the January 6th, 2000 LWN Security Summary.

Section Editor: Liz Coolbaugh

March 30, 2000

