

News and Editorials

Come meet the SuSE Linux Security Team. The SuSE Linux Security Team has added some new members in the past couple of weeks. A series of mail exchanges with SuSE gave us some background on the new members and their planned activity, but also the opportunity to find out more about the entire team. So here, with only a bit of fanfare, is the SuSE Linux Security Team, in chronological order of the date they joined the team.

  • Marc Heuse. About two years ago, Marc became the first member of the SuSE Linux Security Team. He joined SuSE from Deutsche Bank, where he held responsibility for network security. His background includes work in a cryptographic company (SecuDE) and other Unix systems administration work.

    Marc continues to work part-time as part of the SuSE security team, but about a year and a half ago, he also took a full-time job working for KPMG's Information Risk Management Department. You'll find him there doing e-commerce security reviews of organizations such as SAP's mySAP, more German banks, Internet home banking solutions, and more.

  • Thomas Biege. Thomas is currently studying computer science in Dortmund. He has been interested in Unix and Internet security since 1996. Before he started working for SuSE, about a year and a half ago, increasing the team at that time to two, he "played around" with security in his spare time on his Linux machine, releasing bug reports both to BugTraq and to SuSE. Thomas works only part-time for SuSE. With the rest of his time, he works free-lance security jobs, securing systems, setting up firewalls, performing penetration tests, source code reviews and more.

  • Roman Drahtmueller. Roman is the first of two recent hires, taking on a full-time position with the SuSE Security Team. He is the important link between the other part-time security staff and the actual maintainers of various pieces of the code. He answers customer questions on the suse-security@suse.de mailing list, writes and releases the security announcements, keeps the work of the maintainers and security people in sync, maintains security packages and is responsible for SuSE internal security. In the past, Roman studied physics in Freiburg, Germany and Connecticut, USA. He has also worked as a security administrator and as a free-lance Security Consultant, building firewalls and such.

  • Sebastian Krahmer. Sebastian, the second of two recent hires, is a computer-science student from Potsdam, Germany. He is well-known for his bug reports to BugTraq, such as the suidperl+mail bug. He is a part-time member of the SuSE security team, with his work focusing on source code auditing, bug fixes and maintaining security packages.

Marc, Sebastian and Thomas handle the source code auditing, development of security-related bug fixes and customer assistance with security-related problems. They also write security papers and develop new security tools. For their work, they monitor and interact with both public and private security mailing lists.

When a team member finds a bug report or exploit that affects SuSE Linux, they notify the rest of the team and then take over responsibility for working on that particular bug. Once a fix is developed, it is sent on to the SuSE maintainers, for integration with the main development trees, and to Roman, who will write up the security advisory and release it once new RPMs are built. Big patches are also sent back to the author of the program involved. Other Linux vendors are informed via a private mailing list.

In addition to this reactive work, the team works pro-actively to audit source code, write and maintain security tools and papers, look around for new tools and generally improve the overall security of SuSE Linux.

Unix, Linux computers vulnerable to damaging new attacks (News.com). News.com reports on "format string" vulnerabilities. "Fans of Unix and its close relative, Linux, pride themselves on the general security of their operating systems compared with Microsoft Windows, which has been plagued with security problems. But the format string issue highlights the fact that weaknesses can lurk for years within software, and that it's hard to track them down among hundreds of thousands of lines of programming code."

Primed and ready (Upside). Upside looks at the expiration of the RSA patent. "Perhaps hoping to stifle any Mozilla-type celebration within the anti-software patent community, RSA Security (RSAS), official administrators of the RSA public key encryption patent, dumped their crown jewel into the public domain on Wednesday, two weeks ahead of schedule."

Security Reports

Horde/IMP format string vulnerability. A format string vulnerability in the Horde library 1.2 and earlier was reported to BugTraq and is remotely exploitable. The Horde library comes from the Horde Project, which develops a set of Web-based productivity, messaging, and project-management applications, under the GPL. The Horde library itself is released under the LGPL. The format vulnerability in the Horde library has been shown to impact IMP, a PHP-based Internet Messaging Program from the Horde Project. In addition, it may impact other, not-yet-reported, applications that use the Horde library. An upgrade to Horde 1.2.1 and IMP 2.2.1 should fix the problem and is strongly recommended.

This week's updates:

pam_smb remotely-exploitable stack buffer overflow. A remotely-exploitable stack buffer overflow has been reported in the pam_smb pluggable authentication module. This is a severe vulnerability, which could lead to a remote root compromise. All versions of pam_smb prior to 1.1.6 are affected. If you are using Samba and pam_smb, an immediate upgrade is strongly urged.

This week's updates:

Linux-Mandrake security update for mod_perl. Linux-Mandrake has issued a security advisory and updated packages to fix a configuration-based security problem in mod_perl.

XMail remotely exploitable buffer overflow. Davide Libenzi's XMail is an Internet and intranet mail server, currently at release 0.59. Aviram Jenik reported a remotely exploitable buffer overflow in all versions of XMail prior to 0.59. Anyone using this software is strongly urged to upgrade to the latest version.

SuSE security update to Apache. SuSE issued an advisory reporting configuration-based security problems with Apache, as shipped with SuSE 6.0 through SuSE 7.0. The misconfigurations could allow CGI source code to be made visible and allow files on the web-server to be modified, if WebDAV has been installed. These problems appear to be specific to SuSE. SuSE users are strongly urged to upgrade their Apache packages, or correct their configurations, immediately.

@stake, Inc. originated the discovery of these problems. They sent advisories for the Apache and WebDAV problems to BugTraq, after SuSE had a chance to make updated packages available.

Mailman writable variable. The external archiving mechanism in all versions of Mailman prior to 1.2beta uses an internal variable %(listname), which can be exploited to run arbitrary code. Check this BugTraq posting from Christopher Lindsey, which includes a patch, or BugTraq ID 1667 for more details. An upgrade to Mailman 1.2beta or later is recommended.

tmpwatch fork bomb denial-of-service. tmpwatch, a binary provided with Red Hat 6.1 for use in cleaning up unused files in temporary directories, is vulnerable to a denial-of-service attack. Nested directories can be used to cause a "fork bomb", where the process recursively generates more and more sub-processes. The problem was reported to Red Hat's BugZilla, but no vendor response has been seen as of yet. Subsequent postings pointed out that a system could be defended from such problems either by setting process resource limits or by using stmpclean, another, similar program.

Format string vulnerability in muh. muh is an IRC-bouncing tool. Multiple format string vulnerabilities exist in muh 2.05 (and potentially earlier versions). These can be used to crash muh and possibly to execute arbitrary code as the muh user. Here is the original report from Maxime Henrion, and a followup, including an unofficial patch, from Kris Kennaway. The author recommends disabling logging until the program has been patched. An official patch is not yet available.
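The format string bug class behind the Horde/IMP and muh reports above (and the News.com item) comes down to one pattern: data from a user or the network is handed to a printf-family function as the format argument instead of as an argument to a fixed format. The following is an added example, not code from muh, Horde or any project on this page; the function names are hypothetical. It shows the unsafe and the hardened form side by side and a small audit helper that flags conversion directives in data that is about to reach such a function.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical log formatter written the way the advisories describe:
   the caller's text becomes the FORMAT string, so every '%' directive
   in it is interpreted by snprintf() instead of being copied. */
int log_line_unsafe(char *out, size_t outlen, const char *user_text)
{
    return snprintf(out, outlen, user_text);   /* BUG: untrusted format */
}

/* Hardened form: the format is a constant and the user text is consumed
   only as a "%s" argument, so it is copied verbatim, '%' and all. */
int log_line_safe(char *out, size_t outlen, const char *user_text)
{
    return snprintf(out, outlen, "%s", user_text);
}

/* Audit helper: count conversion directives in a string. A non-zero count
   for text that came from a user or the network, combined with a call
   like log_line_unsafe(), is exactly the condition reported this week.
   "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample input: a harmless "%%" is enough to show the
       difference; the unsafe path rewrites it, the safe path keeps it. */
    const char *sample = "upload 50%% done";
    char buf[64];
    log_line_unsafe(buf, sizeof buf, sample);
    printf("unsafe: %s\n", buf);
    log_line_safe(buf, sizeof buf, sample);
    printf("safe:   %s\n", buf);
    printf("directives in \"user %%s from %%x\": %d\n",
           count_format_directives("user %s from %x"));
    return 0;
}
```

The unsafe path prints "upload 50% done" while the safe path prints the input unchanged, which is the difference an auditor looks for when reviewing logging and message code.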

YaBB.pl input check vulnerabilities. YaBB (formerly www.yabb.org) is a web-based bulletin board system written in Perl. It has been reported that the YaBB.pl perl script fails to apply security checks to input in several places. As a result, arbitrary files on the system can be read. YaBB 9.11.2000 has been released as a result and should fix these problems. Check BugTraq ID 1668 for more details.

Cgi-bin script vulnerabilities. The following cgi-bin scripts have been reported to contain vulnerabilities:

  • phpPhotoAlbum v0.9.9 and earlier versions, can be used to view any directory or file on the web-server. No vendor update.
  • IBM's Net.Data: the db2www component contains a remotely-exploitable buffer overflow that can be used to execute arbitrary code or crash the web-server.

Commercial products. The following commercial products were reported to contain vulnerabilities:

Updates

glibc vulnerabilities. Check last week's Security Summary for more details. The updates below take care of both the ld.so environment variable vulnerability and the locale format string vulnerability. If you do not see an update for your distribution, you may want to check last week's summary for updates that fix at least the ld.so problem.

In addition, for those of you who are reluctant to upgrade your glibc library at this point, this BugTraq posting from Lionel Cons at CERN describes the methods they are using to protect against the recently-reported glibc bugs without upgrading the glibc package. Note that an upgrade is still strongly recommended as your first choice.

This week's updates:

Previous updates:

xpdf symlink race condition. Check the August 31st Security Summary for the original report.

This week's updates:

Previous updates:

screen setuid root vulnerability. A vulnerability in screen 3.9.5 and earlier that can be exploited by a local user to gain root was reported last week. Note that screen must be installed setuid root in order to be exploited.

This week's updates:

Previous updates:
  • Debian (September 7th)
  • Linux-Mandrake (not vulnerable) (September 7th)
  • Red Hat, unofficially reported not vulnerable (September 7th)
  • FreeBSD (September 7th)
  • Conectiva (not vulnerable) (September 7th)
  • NetBSD (September 7th)

mgetty temporary link vulnerability. Check the August 31st Security Summary for details. An upgrade to mgetty 1.2.22 should fix the problem.

This week's updates:

Older updates:

PHP upload vulnerability. Check last week's Security Summary for more details.

This week, the PHP Group provided an official advisory for this problem, with programming recommendations and links to updated PHP packages (4.0.3RC1 and 3.0.17RC1) that contain functionality to help avoid insecure programming practices with PHP.

mopd updates for Linux. Last week, we mentioned a mopd advisory for FreeBSD. If you are using mopd under Linux, you might want to note that the Linux/VAX project recommends the use of this mopd-linux port, which is based on the OpenBSD sources and includes the latest security fixes. [Thanks to Andy Phillips].

xchat URL handler bug. Versions of xchat from 1.3.9 through and including 1.4.2 can allow commands to be passed from IRC to a shell. Check BugTraq ID 1601 for more details.

This week's updates:

  • Slackware current upgraded to xchat 1.5.7 (see Changelogs)

Older updates:

Resources

scanssh. Just announced this week, scanssh is a network scanner that probes for running SSH servers and determines their version numbers. "scanssh supports random selection of IP addresses from large network ranges and is useful for gathering statistics on the deployment of SSH servers in a company or the Internet as a whole".

Librnet, Library for Raw Networking. To assist those who wish to develop their own `low-level' network-related software, Gigi Sullivan has released the Librnet library. This is the initial release; note the author's comment: "As stated above, Librnet is far from being complete and stable."

Events

September/October security events.
Date | Event | Location
September 19-21, 2000 | New Security Paradigms Workshop 2000 | Cork, Ireland
September 26-28, 2000 | CERT Conference 2000 | Omaha, Nebraska, USA
October 2-4, 2000 | Third International Workshop on the Recent Advances in Intrusion Detection (RAID 2000) | Toulouse, France
October 4-6, 2000 | 6th European Symposium on Research in Computer Security (ESORICS 2000) | Toulouse, France
October 4-6, 2000 | Elliptic Curve Cryptography (ECC 2000) | University of Essen, Essen, Germany
October 11, 2000 | The Internet Security Forum | Edinburgh, Scotland
October 14-21, 2000 | SANS Network Security 2000 | Monterey, CA, USA
October 16-19, 2000 | 23rd National Information Systems Security Conference | Baltimore, MD, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Liz Coolbaugh


September 14, 2000


Copyright © 2000 Eklektix, Inc., all rights reserved