ru.linux- RU.LINUX
---------------------------------------------------------------------
From    : Sergey Lentsov   2:4615/71.10   22 Nov 2001 17:11:14
To      : All
Subject : URL: http://www.lwn.net/2001/1122/security.php3
--------------------------------------------------------------------------------

[LWN.net] Security

See also: [13]last week's Security page.

Security News and Editorials

Hal Burgiss Introduces Linux Security Quick-Start Guides. LinuxSecurity.com has published [14]an interview with Hal Burgiss, who has just produced a couple of quick-start Linux security guides (linked from the interview). "While there is a wealth of security related information around, there is not so much addressed to the new user who might be coming from another platform. It's one thing to say 'turn off all unneeded services', but quite another if you don't know what's 'needed' and what's not. Or how to know what services are actually running, and where they are getting started."

OpenSSH 3.0.1 released. OpenSSH 3.0.1 has been [15]released. It includes fixes for a couple of security problems; both appear to be minor and difficult (or impossible) to exploit, but an upgrade is probably a good idea anyway.

Security Reports

Memory exhaustion vulnerability in Postfix. The Postfix mailer [16]has a vulnerability wherein an attacker could run the Postfix daemon out of memory, causing it to crash. A fix is included with the report; no distributor updates have been seen as of this writing.

Trouble with wu-ftpd? A [17]vague message has gone out seeking vendors who ship the wu-ftpd FTP server daemon. It seems there is a remotely exploitable problem in that package, though no details are yet available.

SuSE to discontinue 6.3 support.
SuSE has [18]announced that support for its 6.3 distribution will end on December 10. Thereafter, security updates will no longer be available. SuSE Linux 6.4 is still supported for now, until it, too, reaches its two-year anniversary.

A Mandrake Linux update to gnupg. MandrakeSoft has issued [19]an update to gnupg which removes the setgid root bit from the executable. This bit was unnecessary and, it seems, could be used to overwrite files owned by that group. This one appears to be a Mandrake-specific problem.

Web scripts. The following web scripts were reported to contain vulnerabilities:

 * Cabezon Aurelien has found a couple of vulnerabilities in PhpNuke add-on packages. The [20]Gallery package does not properly check filenames in URLs, allowing arbitrary files readable by the web server to be read. And the [21]Net Tool Add-on does not check for shell metacharacters, making it vulnerable to remote command execution exploits.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

 * The Opera web browser has [22]a set of JavaScript vulnerabilities which could provide undesired access to user information.

Updates

Session hijacking vulnerability in IMP. Versions of the Horde IMP mail system prior to [23]2.2.7 have a session hijacking vulnerability that is well worth fixing. (First LWN report: [24]November 15, 2001.) This week's updates:

 * [25]Conectiva (November 16, 2001)

Procmail race conditions. See [26]the July 26 Security page for the initial report. This week's updates:

 * [27]Mandrake (November 20, 2001)

Previous updates:

 * [28]Conectiva (November 6, 2001)
 * [29]Red Hat (July 26)
 * [30]Yellow Dog (July 25, 2001)

Vulnerabilities in tetex. The tetex package has a temporary file handling vulnerability; this problem was first reported in [31]the July 12, 2001 LWN security page. This week's updates:

 * [32]Mandrake (November 20, 2001) (A [33]mktemp update is also required for 7.x users.)
Previous updates:

 * [34]Immunix (July 12, 2001)
 * [35]Red Hat (October 23, 2001)

Resources

CRYPTO-GRAM Newsletter. Bruce Schneier's [36]CRYPTO-GRAM Newsletter for November 15 is available. The bulk of this issue is an extended version of Bruce's response to Microsoft on full disclosure. "Disclosure does not create security vulnerabilities; programmers create them, and they remain until other programmers find and remove them. Everyone makes mistakes; they are natural events in the sense that they inevitably happen. But that's no excuse for pretending that they are caused by forces out of our control, and mitigated when we get around to it."

Events

The 18th annual Chaos Communication Congress will be held in Berlin, Germany, from December 27 to 29. A [37]call for papers is out for those who would like to participate.

Upcoming Security Events.

 Date                     Event                                                     Location
 November 21 - 23, 2001   [38]International Information Warfare Symposium           AAL, Lucerne, Switzerland
 November 21 - 22, 2001   [39]Black Hat Briefings                                   Amsterdam
 November 24 - 30, 2001   [40]Computer Security Mexico                              Mexico City
 November 29 - 30, 2001   [41]International Cryptography Institute                  Washington, DC
 December 2 - 7, 2001     [42]LISA 2001, 15th Systems Administration Conference     San Diego, CA
 December 5 - 6, 2001     [43]InfoSecurity Conference & Exhibition                  Jacob K. Javits Center, New York, NY
 December 10 - 14, 2001   [44]Annual Computer Security Applications Conference      New Orleans, LA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' [45]calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to [46]lwn@lwn.net.
Section Editor: [47]Jonathan Corbet
November 22, 2001

LWN Resources

[49]Security alerts archive

Secured Distributions: [50]Astaro Security, [51]Blue Linux, [52]Castle, [53]Engarde Secure Linux, [54]Immunix, [55]Kaladix Linux, [56]NSA Security Enhanced, [57]Openwall GNU/Linux, [58]Trustix

Security Projects: [59]Bastille, [60]Linux Security Audit Project, [61]Linux Security Module, [62]OpenSSH

Security List Archives: [63]Bugtraq Archive, [64]Firewall Wizards Archive, [65]ISN Archive

Distribution-specific links: [66]Caldera Advisories, [67]Conectiva Updates, [68]Debian Alerts, [69]Kondara Advisories, [70]Esware Alerts, [71]LinuxPPC Security Updates, [72]Mandrake Updates, [73]Red Hat Errata, [74]SuSE Announcements, [75]Yellow Dog Errata

BSD-specific links: [76]BSDi, [77]FreeBSD, [78]NetBSD, [79]OpenBSD

Security mailing lists: [80]Caldera, [81]Cobalt, [82]Conectiva, [83]Debian, [84]Esware, [85]FreeBSD, [86]Kondara, [87]LASER5, [88]Linux From Scratch, [89]Linux-Mandrake, [90]NetBSD, [91]OpenBSD, [92]Red Hat, [93]Slackware, [94]Stampede, [95]SuSE, [96]Trustix, [97]turboLinux, [98]Yellow Dog

Security Software Archives: [99]munitions, [100]ZedZ.net (formerly replay.com)

Miscellaneous Resources: [101]CERT, [102]CIAC, [103]Comp Sec News Daily, [104]Crypto-GRAM, [105]LinuxLock.org, [106]LinuxSecurity.com, [107]Security Focus, [108]SecurityPortal

Copyright © 2001 [111]Eklektix, Inc., all rights reserved
Linux (R) is a registered trademark of Linus Torvalds

References

  1. http://lwn.net/
  2. http://ads.tucows.com/click.ng/pageid=001-012-132-000-000-002-000-000-012
  3. http://lwn.net/2001/1122/
  4. http://lwn.net/2001/1122/kernel.php3
  5. http://lwn.net/2001/1122/dists.php3
  6. http://lwn.net/2001/1122/devel.php3
  7. http://lwn.net/2001/1122/commerce.php3
  8. http://lwn.net/2001/1122/press.php3
  9. http://lwn.net/2001/1122/announce.php3
 10. http://lwn.net/2001/1122/history.php3
 11. http://lwn.net/2001/1122/letters.php3
 12. http://lwn.net/2001/1122/bigpage.php3
 13. http://lwn.net/2001/1115/security.php3
 14. http://www.linuxsecurity.com/feature_stories/feature_story-93.html
 15. http://lwn.net/2001/1122/a/openssh-3.0.1.php3
 16. http://lwn.net/2001/1122/a/postfix.php3
 17. http://lwn.net/2001/1122/a/wu-ftpd.php3
 18. http://lwn.net/2001/1122/a/suse-disc.php3
 19. http://lwn.net/alerts/Mandrake/MDKSA-2001:053-1.php3
 20. http://lwn.net/2001/1122/a/phpnuke-gallery.php3
 21. http://lwn.net/2001/1122/a/phpnuke-net.php3
 22. http://lwn.net/2001/1122/a/opera.php3
 23. http://lwn.net/2001/1115/a/imp.php3
 24. http://lwn.net/2001/1115/security.php3#imp
 25. http://lwn.net/alerts/Conectiva/CLA-2001:437.php3
 26. http://lwn.net/2001/0726/security.php3#procmail
 27. http://lwn.net/alerts/Mandrake/MDKSA-2001:085.php3
 28. http://lwn.net/alerts/Conectiva/CLA-2001:433.php3
 29. http://lwn.net/2001/0726/a/rh-procmail.php3
 30. http://lwn.net/alerts/YellowDog/YDU-20010725-12.php3
 31. http://lwn.net/2001/0712/security.php3#tetex
 32. http://lwn.net/alerts/Mandrake/MDKSA-2001:086.php3
 33. http://lwn.net/2001/1121/a/lm-mktemp.php3
 34. http://lwn.net/2001/0712/a/imm-tetex.php3
 35. http://lwn.net/alerts/RedHat/RHSA-2001:102-10.php3
 36. http://lwn.net/2001/1122/a/crypto-gram.php3
 37. http://lwn.net/2001/1122/a/ccc.php3
 38. http://www.sympinfowarfare.ch/
 39. http://www.blackhat.com/
 40. http://www.seguridad2001.unam.mx/
 41. http://www.nipli.org/isse/events/2001/cryptography
 42. http://www.usenix.org/events/lisa2001/
 43. http://www.infosecurityevent.com/
 44. http://www.acsac.org/
 45. http://securityfocus.com/calendar
 46. mailto:lwn@lwn.net
 47. mailto:lwn@lwn.net
 48. http://ads.tucows.com/click.ng/buttonpos=lwnbuttonsecurity
 49. http://lwn.net/alerts/
 50. http://www.astaro.com/products/index.html
 51. http://bluelinux.sourceforge.net/
 52. http://castle.altlinux.ru/
 53. http://www.engardelinux.org/
 54. http://www.immunix.org/
 55. http://www.kaladix.org/
 56. http://www.nsa.gov/selinux/
 57. http://www.openwall.com/Owl/
 58. http://www.trustix.com/
 59. http://www.bastille-linux.org/
 60. http://lsap.org/
 61. http://lsm.immunix.org/
 62. http://www.openssh.com/
 63. http://www.securityfocus.com/archive/1
 64. http://www.nfr.net/firewall-wizards/
 65. http://www.jammed.com/Lists/ISN/
 66. http://www.calderasystems.com/support/security/
 67. http://www.conectiva.com.br/atualizacoes/
 68. http://www.debian.org/security/
 69. http://www.kondara.org/errata/k12-security.html
 70. http://www.esware.com/actualizaciones.html
 71. http://linuxppc.org/security/advisories/
 72. http://www.linux-mandrake.com/en/fupdates.php3
 73. http://www.redhat.com/support/errata/index.html
 74. http://www.suse.de/security/index.html
 75. http://www.yellowdoglinux.com/resources/errata.shtml
 76. http://www.BSDI.COM/services/support/patches/
 77. http://www.freebsd.org/security/security.html
 78. http://www.NetBSD.ORG/Security/
 79. http://www.openbsd.org/security.html
 80. http://www.calderasystems.com/support/forums/announce.html
 81. http://www.cobalt.com/support/resources/usergroups.html
 82. http://distro.conectiva.com.br/atualizacoes/
 83. http://www.debian.org/MailingLists/subscribe
 84. http://www.esware.com/lista_correo.html
 85. http://www.freebsd.org/handbook/eresources.html#ERESOURCES-MAIL
 86. http://www.kondara.org/mailinglist.html.en
 87. http://l5web.laser5.co.jp/ml/ml.html
 88. http://www.linuxfromscratch.org/services/mailinglistinfo.php
 89. http://www.linux-mandrake.com/en/flists.php3
 90. http://www.netbsd.org/MailingLists/
 91. http://www.openbsd.org/mail.html
 92. http://www.redhat.com/mailing-lists/
 93. http://www.slackware.com/lists/
 94. http://www.stampede.org/mailinglists.php3
 95. http://www.suse.com/en/support/mailinglists/index.html
 96. http://www.trustix.net/support/
 97. http://www.turbolinux.com/mailman/listinfo/tl-security-announce
 98. http://lists.yellowdoglinux.com/ydl_updates.shtml
 99. http://munitions.vipul.net/
100. http://www.zedz.net/
101. http://www.cert.org/nav/alerts.html
102. http://ciac.llnl.gov/ciac/
103. http://www.MountainWave.com/
104. http://www.counterpane.com/crypto-gram.html
105. http://linuxlock.org/
106. http://linuxsecurity.com/
107. http://www.securityfocus.com/
108. http://www.securityportal.com/
109. http://lwn.net/2001/1122/kernel.php3
110. http://www.eklektix.com/
111. http://www.eklektix.com/

--- ifmail v.2.14.os7-aks1
 * Origin: Unknown (2:4615/71.10@fidonet)
Archived at /ru.linux/198611ddc3e1e.html
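The question Hal Burgiss raises in the interview quoted in the post above, which services are actually running and where each one gets started, is one a new administrator can answer with a short script. The following is an added example in Python, not code from the quick-start guides or from LWN: it parses constructed samples of `netstat -ltnp` output, an `/etc/inetd.conf` fragment and an `rc3.d` directory listing, then joins them into one report. The sample contents, the service names in them and the `started_by` substring heuristic are assumptions made for the illustration.

```python
import re

# Constructed sample of `netstat -ltnp` output (the column layout of netstat on a
# 2001-era Linux host; not captured from any real machine).
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      412/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      598/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      701/sendmail
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      380/inetd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      802/X
"""

# Constructed /etc/inetd.conf fragment; a leading '#' disables the service.
INETD_SAMPLE = """\
#echo    stream  tcp     nowait  root    internal
ftp      stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

# Constructed `ls /etc/rc.d/rc3.d`: S links start a service when entering
# runlevel 3, K links stop one; the two digits give the order.
RC3_SAMPLE = ["K20nfs", "S10network", "S11portmap", "S40inet",
              "S55sshd", "S80sendmail", "S99local"]

LISTEN_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")

WILDCARD_ADDRESSES = ("0.0.0.0", "::", ":::")


def listening_services(netstat_output):
    """(port, bind address, program) for each listening TCP socket, sorted by port."""
    found = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            addr, port, _pid, prog = m.groups()
            found.append((int(port), addr, prog))
    return sorted(found)


def network_reachable(netstat_output):
    """Listeners bound to a wildcard address answer to the whole network;
    those bound to 127.0.0.1 or ::1 answer only to local users."""
    return [(port, prog) for port, addr, prog in listening_services(netstat_output)
            if addr in WILDCARD_ADDRESSES]


def enabled_inetd_services(inetd_conf):
    """Services inetd will still spawn on demand: the uncommented, non-blank lines."""
    names = []
    for line in inetd_conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.append(line.split()[0])
    return names


def rc_start_order(links):
    """Services started in this runlevel, in the order init runs the S links."""
    starts = [(int(link[1:3]), link[3:]) for link in links if link.startswith("S")]
    return [name for _, name in sorted(starts)]


def started_by(program, links):
    """Which rc link starts a program: the first S link whose name contains it.
    Returns None for things started elsewhere (inetd children, X from a display
    manager, cron jobs). Substring matching is a heuristic, not a guarantee."""
    for link in sorted(l for l in links if l.startswith("S")):
        if program in link[3:]:
            return link
    return None


def report(netstat_output=NETSTAT_SAMPLE, inetd_conf=INETD_SAMPLE, links=RC3_SAMPLE):
    """Join the three views: what listens, whether it is network-exposed, and what starts it."""
    rows = []
    for port, addr, prog in listening_services(netstat_output):
        exposed = addr in WILDCARD_ADDRESSES
        if prog == "inetd":
            origin = "inetd.conf: " + ", ".join(enabled_inetd_services(inetd_conf))
        else:
            origin = started_by(prog, links) or "unknown"
        rows.append((port, prog, exposed, origin))
    return rows


if __name__ == "__main__":
    for port, prog, exposed, origin in report():
        print("%5d  %-10s %-8s %s" % (port, prog, "network" if exposed else "local", origin))
```

Against a real host, feed it the output of `netstat -ltnp` run as root (otherwise the PID/Program name column is empty), `/etc/inetd.conf`, and `ls /etc/rc.d/rc3.d` (or `/etc/rc3.d`, depending on the distribution). Anything reported as network-reachable with origin "unknown" deserves a look first: it is listening to the world and nothing in the boot sequence explains it.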
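The two PhpNuke add-on problems reported above are the two classic web-script input bugs: a filename taken from the URL and used as a path (the Gallery package), and a user-supplied value handed to a shell (the Net Tool add-on). The following is an added example in Python rather than PHP, and not code from either add-on; it shows the unchecked pattern beside a hardened lookup for each case. The function and parameter names, the album layout, the image suffix list and the hostname allow-list are assumptions for the illustration.

```python
import os
import re
import shutil
import tempfile

# Assumed policy for the example; the real add-ons' names are not on the page.
ALLOWED_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")
SHELL_METACHARS = set(";|&$`<>()\n\\\"'*?[]{}~!#")
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def gallery_path_vulnerable(root, name):
    """The unchecked pattern: the URL parameter is joined straight onto the album path.
    '../../etc/passwd' walks out of root; an absolute name discards root entirely."""
    return os.path.join(root, name)


def gallery_path_safe(root, name):
    """Resolve symlinks and '..' first, then insist the result lies inside root and
    looks like an image. Embedded NULs are rejected outright: in C-backed runtimes of
    the era they silently truncated the path after the check had passed."""
    if "\x00" in name:
        raise ValueError("NUL byte in filename")
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes gallery root: %r" % name)
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        raise ValueError("not an image: %r" % name)
    return candidate


def shell_metachars(value):
    """Characters in a parameter that a shell would interpret; a non-empty result
    means the value must never be spliced into a command line."""
    return set(value) & SHELL_METACHARS


def ping_command_vulnerable(host):
    """The unchecked pattern: input interpolated into a string that goes to a shell.
    'x; cat /etc/passwd' becomes two commands."""
    return "ping -c 3 " + host


def ping_command_safe(host):
    """Allow-list the hostname and return an argv list for subprocess.run (no shell),
    so no character in host can start a second command or an option."""
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname: %r" % host)
    return ["ping", "-c", "3", host]


def hostname_accepted(host):
    """True if the hardened builder would run a ping for this value."""
    try:
        ping_command_safe(host)
        return True
    except ValueError:
        return False


def demo_traversal():
    """Stand up a throwaway album directory with one image and one file outside it,
    and report what each lookup does with a traversal attempt."""
    base = tempfile.mkdtemp(prefix="gallery-demo-")
    root = os.path.join(base, "albums")
    os.makedirs(os.path.join(root, "trip"))
    image = os.path.join(root, "trip", "pic.jpg")
    with open(image, "w") as f:
        f.write("not really a jpeg")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as f:
        f.write("db password")
    try:
        leaked = os.path.realpath(gallery_path_vulnerable(root, "../secret.txt"))
        results = {
            "vulnerable_reads_secret": leaked == os.path.realpath(secret) and os.path.exists(leaked),
            "safe_allows_image": gallery_path_safe(root, "trip/pic.jpg") == os.path.realpath(image),
        }
        for key, name in (("safe_blocks_traversal", "../secret.txt"),
                          ("safe_blocks_absolute", "/etc/passwd")):
            try:
                gallery_path_safe(root, name)
                results[key] = False
            except ValueError:
                results[key] = True
        return results
    finally:
        shutil.rmtree(base)
```

Two design points worth noting. `realpath` before the containment check means a symlink planted inside the album directory that points at `/etc/passwd` is caught too, which a plain `".." in name` test would miss; the suffix check is a second, independent control. For the command case, validation plus an argv list is the fix; escaping individual metacharacters for a shell is where such scripts historically kept getting it wrong.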
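The procmail race conditions, the tetex temporary file vulnerability and the mktemp update Mandrake ships alongside the tetex fix are all instances of the same pattern: a temporary file opened by a predictable name in a world-writable directory, where a local attacker who plants a symlink at that name first gets the victim's write redirected to a file of the attacker's choosing. The following is an added example in Python, not code from procmail, tetex or mktemp: it plays both sides of the race in a scratch directory and records what happens to the victim's file under three open strategies. The name prefix and the pid are constructed.

```python
import os
import shutil
import tempfile


def predictable_tmp_name(directory, prefix, pid):
    """The pattern behind classic /tmp races: a name anyone can guess from the
    program name and its pid, or simply by watching the directory."""
    return os.path.join(directory, "%s%d" % (prefix, pid))


def write_tmp_unsafe(path, data):
    """Create-or-truncate by name. If someone planted a symlink at path first,
    open() follows it and the write lands on the symlink's target."""
    with open(path, "w") as f:
        f.write(data)
    return path


def write_tmp_safe(path, data):
    """O_CREAT|O_EXCL makes the kernel refuse any existing name, symlink included,
    so a planted link produces FileExistsError instead of a clobbered file.
    O_NOFOLLOW is belt and braces; mode 0o600 keeps the file private."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def write_tmp_best(directory, prefix, data):
    """What mktemp(1)/mkstemp(3) provide: an unguessable name created with O_EXCL
    and mode 0600 in one call, retried by the library on collision."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Run the race in a scratch directory: the attacker plants a symlink at the
    predictable name, then the victim writes with each strategy in turn."""
    directory = tempfile.mkdtemp(prefix="tmprace-demo-")
    try:
        target = os.path.join(directory, "victim-config")
        with open(target, "w") as f:
            f.write("original\n")

        pid = 4242  # constructed; a real attacker guesses or sprays likely pids
        planted = predictable_tmp_name(directory, "texwork", pid)
        os.symlink(target, planted)  # attacker wins the race before the open

        write_tmp_unsafe(planted, "clobbered\n")
        with open(target) as f:
            after_unsafe = f.read()

        try:
            write_tmp_safe(planted, "clobbered again\n")
            safe_outcome = "wrote"
        except FileExistsError:
            safe_outcome = "refused"
        with open(target) as f:
            after_safe = f.read()

        best = write_tmp_best(directory, "texwork", "private\n")
        return {
            "after_unsafe": after_unsafe,
            "safe_outcome": safe_outcome,
            "after_safe": after_safe,
            "mkstemp_mode": os.stat(best).st_mode & 0o777,
            "mkstemp_is_regular_file": os.path.isfile(best) and not os.path.islink(best),
        }
    finally:
        shutil.rmtree(directory)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %r" % (key, value))
```

The O_EXCL refusal is the whole defence: checking for the file's existence and then opening it is still a race, because the attacker can plant the link between the two calls. `write_tmp_best` is the shape the mktemp-based fixes take; the unguessable name only narrows the attacker's window, and it is O_EXCL that closes it.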