[LWN Logo]
[LWN.net]

Sections:
 Main page
 Security
 Kernel
 Distributions
 Development
 Commerce
 Linux in the news
 Announcements
 Letters
All in one big page

See also: last week's Security page.

Security


News and Editorials

Flaw weakens Linux security software (News.com). News.com looks at the Netfilter security problem. "Security is a nagging concern for the computer industry, which must juggle new features with the risk that they open up new problems. While the firewall problem the Netfilter programmers discovered is limited to a few versions of Linux, a more serious problem emerged earlier this month affecting numerous operating systems using standard network management software."

Building a Virtual Honeynet (LinuxSecurity). This LinuxSecurity article describes the author's experiences with building a virtual honeynet on his existing Linux box. "A honeynet is only one type of honeypot which is supposed to emulate a real production network, while a honeypot is a single host designed as a lure-and-log system (i.e. a system with a packet sniffer and a keylogger to log all activity on it, and most likely programs that simulate vulnerable services)."

Security Reports

Both PHP3 and PHP4 have vulnerabilities in their file upload code which can lead to remote command execution. This one could be ugly; sites using PHP should apply updates at the first opportunity. If an update isn't available for your distribution, users of PHP 4.0.3 and later are encouraged to consider disabling file upload support by adding this directive to php.ini:

	file_uploads = Off

CERT has issued this advisory on the problem. This article in the Register also talks about the vulnerability.

Developers using the 4.2.0 branch, are not vulnerable because because file upload support was completely rewritten for that branch.

Distributor updates seen so far:

Further complicating the matter, the updates may not fix the problem yet...

Apache mod_ssl buffer overflow vulnerability. According to this announcement "modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002) make use of the underlying OpenSSL routines in a manner which could overflow a buffer within the implementation. This situation appears difficult to exploit in a production environment[...]."

Distributor updates seen so far:

Two denial of service vulnerabilities in Cistron RADIUS versions 1.6.5 and prior are described in this CERT advisory for RADIUS. "They are remotely exploitable, and on most systems result in a denial of service."

Updates are available for:

Security vulnerability in Zope. There is a security fix for Zope available. It seems that the calculation of user privileges is not always done as it should be, and users could, in some situations, get access to things they shouldn't be allowed to touch.

Debian Security Advisory - xsane. Debian has released an update for xsane. Tim Waugh found several insecure uses of temporary files in the xsane program, which is used for scanning. This was fixed for Debian/stable by moving those files into a securely created directory within the /tmp directory.

Debian security update to cfs. Here is this cfs update from Debian fixing a set of buffer overflows there.

Debian Security Advisory for CVS. Updated packages are available to fix an improper variable initialization in the CVS server. This problem has been fixed in version 1.10.7-9 for the stable Debian distribution and in versions newer than 1.11.1p1debian-3 for the testing and unstable distribution of Debian.

DCP-Portal content management system information path disclosure vulnerability. This Bugtraq post describes the vulnerability which may "enable a remote user to reveal the absolute path to the web root and also more information about the system might be revealed."

web scripts. The following web scripts were reported to contain vulnerabilities:

  • Multiple vulnerabilities in the AeroMail Web-based email client (implemented in PHP) are described in this Bugtraq post.

Updates

Cyrus SASL format string vulnerability. A format string bug in the Cyrus SASL authentication API for mail clients and servers may be remotely exploitable. (First LWN report: November 29, 2001).

This week's updates:

Previous updates:

Multiple vulnerabilities in SNMP implementations. Most SNMP implementations out there have a variety of buffer overflow vulnerabilities and should be upgraded at first opportunity. See this CERT advisory for more. (First LWN report: February 14).

This week's updates:

Previous updates:

Multiple security vulnerabilities in squid. Here is a security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE3. At the minimum, the vulnerabilities could facilitate denial of service attacks; the potential for worse also exists. Sites running squid probably should apply the update sooner rather than later. (First LWN report: February 28th).

This week's updates:

Previous updates:

Fixes 8 available from SmoothWall. The SmoothWall Project has released fixes 8, which provides major upgrades to Apache, OpenSSL, OpenSSH and applies counter controls to theoretical exploits which could potentially affect many Linux distributions.

Resources

The CERT Coordination Center (CERT/CC) has issued the quaterly CERT summary "to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information." The last regularly scheduled CERT summary was issued in November 2001.

"Fingerprinting Port 80 Attacks: A look into web server, and web application attack signatures: Part Two." by Zenomorph is available from here. The paper "deals with detecting web application/web server attacks along with figuring out what it may mean" to the "average administrator. and developer."

The draft Guidelines on Securing Public Web Servers is available for public comment from the United States National Institute of Standards and Technology (NIST). NIST is seeking comments and suggestions on this draft. If you are interested, the document is available from NIST.

Open Source Security Testing Methodology Manual 2.0 has been posted for peer-review. More information is available in the announcement. The manual is available for download from here.

Linux security week. The Linux Security Week and Linux Advisory Watch publications from LinuxSecurity.com are available.

IT Security Cookbook Now Available (LinuxSecurity). LinuxSecurity talks with Sean Boran, author of "IT Security Cookbook". "LinuxSecurity.com: Why is it important for IT professionals to read your cookbook?

Sean Boran: Because it starts at the top (policies) and goes all the way down to technical recommendations."

Events

RAID 2002 Last Call for Papers. The Fifth International Symposium on Recent Advances in Intrusion Detection has issued this last call for papers. RAID 2002 will be held in Zurich, Switzerland October 16-18, 2002. It is organized by Swiss Federal Institute of Technology and IBM Research Division. The deadline for submissions is the end of March 2002.

DEF CON TEN Call for Papers. DEF DON TEN has issued this call for papers. "Papers and presentations are now being accepted for DEF CON TEN, the largest 'hacking' convention on the planet. Papers and requests to speak will be received and reviewed from NOW until July 1st."

Upcoming Security Events.
Date Event Location
March 11 - 14, 2002Financial Cryptography 2002Sothhampton, Bermuda
March 18 - 21, 2002Sixth Annual Distributed Objects and Components Security Workshop(Pier 5 Hotel at the Inner Harbor)Baltimore, Maryland, USA
March 18 - 20, 2002InfoSec World Conference and Expo/2002Orlando, FL, USA
April 1 - 7, 2002SANS 2002Orlando, FL., USA
April 5 - 7, 2002RubiconDetroit, Michigan, USA
April 7 - 10, 2002Techno-Security 2002 ConferenceMyrtle Beach, SC
April 14 - 15, 2002Workshop on Privacy Enhancing Technologies 2002(Cathedral Hill Hotel)San Francisco, California, USA
April 16 - 19, 2002The Twelfth Conference on Computers, Freedom & Privacy(Cathedral Hill Hotel)San Francisco, California, USA
April 23 - 25, 2002Infosecurity Europe 2002Olympia, London, UK
May 1 - 3, 2002cansecwest/core02Vancouver, Canada
May 4 - 5, 2002DallasConDallas, TX., USA
May 12 - 15, 20022002 IEEE Symposium on Security and Privacy(The Claremont Resort)Oakland, California, USA
May 13 - 14, 20023rd International Common Criteria Conference(ICCC)Ottawa, Ont., Canada
May 13 - 17, 200214th Annual Canadian Information Technology Security Symposium(CITSS)(Ottawa Congress Centre)Ottawa, Ontario, Canada

For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.

Section Editor: Dennis Tenney


March 7, 2002

LWN Resources
Security alerts archive

Secured Distributions:
Astaro Security
Castle
Engarde Secure Linux
Immunix
Kaladix Linux
NSA Security Enhanced
Openwall GNU/Linux
Trustix

Security Projects
Bastille
Linux Security Audit Project
Linux Security Module
OpenSSH

Security List Archives
Bugtraq Archive
Firewall Wizards Archive
ISN Archive

Distribution-specific links
Caldera Advisories
Conectiva Updates
Debian Alerts
Kondara Advisories
Esware Alerts
LinuxPPC Security Updates
Mandrake Updates
Red Hat Errata
SuSE Announcements
Turbolinux
Yellow Dog Errata

BSD-specific links
BSDi
FreeBSD
NetBSD
OpenBSD

Security mailing lists
Caldera
Cobalt
Conectiva
Debian
Esware
FreeBSD
Kondara
LASER5
Linux From Scratch
Linux-Mandrake
NetBSD
OpenBSD
Red Hat
Slackware
Stampede
SuSE
Trustix
turboLinux
Yellow Dog

Security Software Archives
munitions
ZedZ.net (formerly replay.com)

Miscellaneous Resources
CERT
CIAC
Comp Sec News Daily
Crypto-GRAM
LinuxLock.org
LinuxSecurity.com
Security Focus
SecurityPortal

 

Next: Kernel

 
Eklektix, Inc. Linux powered! Copyright © 2002 Eklektix, Inc., all rights reserved
Linux ® is a registered trademark of Linus Torvalds