ru.linux- RU.LINUX ---------------------------------------------------------------------
From : Sergey Lentsov 2:4615/71.10 04 Oct 2001 17:57:04
To : All
Subject : URL: http://www.lwn.net/2001/1004/security.php3
--------------------------------------------------------------------------------

[1]LWN.net: Security
See also: [14]last week's Security page.

Security News and Editorials

The top 20 Internet security vulnerabilities. SANS has posted a list of [15]the 20 most critical security vulnerabilities on the net. The list makes good reading for anybody concerned about the security of their systems, though it is far from a comprehensive list of problems.

The list is broken down into three large sections. The first concerns itself with general, system-independent problems. These include:

* Default installations of operating systems. Many OS installations leave vulnerabilities in place, and install more software than is needed.
* Accounts with nonexistent or weak passwords. Some things haven't changed in decades.
* Bad backups. This, of course, is a general systems administration problem. If a site's backups have not been checked recently for completeness and restorability, there are probably problems.
* Large numbers of open ports. Many systems run services they do not need.
* Lack of address filtering on networks. A properly configured network needs to be sure that both incoming and outgoing packets carry reasonable addresses.
* Insufficient logging. Without complete and secure logs, detection and analysis of intrusions is impossible.
* Vulnerable CGI programs. The net probably has not yet begun to see the degree of mayhem that bad CGI programming can cause.
The middle section lists Windows-specific vulnerabilities; readers interested in those are encouraged to go to the SANS page. The final section goes into Unix-specific problems:

* Buffer overflows in RPC services.
* Sendmail vulnerabilities. After a relatively quiet period, sendmail seems to be turning up more problems again - see below.
* BIND vulnerabilities.
* The rsh, rlogin, and rcp commands, which send passwords in clear text and which enable users to set up uncontrolled webs of trust.
* Vulnerabilities in the lpd subsystem.
* Sadmind and mountd. The former is Solaris-specific, but all systems supporting NFS have mountd.
* Bad SNMP passwords.

A quick look at this list reveals that many of the problems are old, and very few of them are difficult to address. Network security is hard, but, in many cases, even the easy things have not been done.

A survey of PHP vulnerabilities. "Yet Another Hacker Team" has performed an automated audit of a number of PHP-based packages, and has [16]posted the results. The conclusion: much PHP code is vulnerable to remote exploits. Two PHP features are the source of the problems: (1) PHP allows global variables to be set from an HTTP request, and (2) file operations handle URLs transparently. The combination of the two allows a remote attacker to run arbitrary PHP code on the server; this, in turn, gives that attacker shell access.

The survey makes this claim: PHP is not insecure by default, but makes insecure programming very easy. Reasonable people could differ on that point. PHP could be far more secure by simply isolating user-supplied information in a special "request" variable. PHP is great stuff (LWN uses a lot of it), but some aspects of the environment are, indeed, insecure by default.

CRYPTO-GRAM special issue. Bruce Schneier has released [17]a special issue of his CRYPTO-GRAM Newsletter devoted to the events of September 11.
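Back to the PHP survey item above: the following is an added example, not code from Yet Another Hacker Team, LWN or the PHP project, showing the register_globals plus URL-aware include() pattern the survey criticises next to a hardened form that reads the request explicitly and maps it through a fixed table. The "page" parameter name and the pages/*.php files are assumed.

```php
<?php
// Added example (not from the YAHT survey, LWN or the PHP project).
// The request parameter "page" and the pages/*.php targets are constructed.

// --- The pattern the survey criticises ------------------------------------
// With register_globals=On (the PHP 4 default) a request such as
// index.php?page=... creates $page before this script runs, and with
// allow_url_fopen=On include() accepts a URL as readily as a local path.
// Any value the script did not expect therefore chooses what gets executed:
//
//     include $page . '.php';   // $page is never assigned here; it came from the request
//
// --- Hardened form ---------------------------------------------------------
// 1. In php.ini: register_globals = Off and allow_url_fopen = Off.
// 2. Read the request explicitly (PHP >= 4.1: $_GET; older: $HTTP_GET_VARS)
//    and map it through a fixed table instead of using it as a path.

/** Permitted page names and the files that implement them (constructed). */
$PAGES = array(
    'home'  => 'pages/home.php',
    'news'  => 'pages/news.php',
    'about' => 'pages/about.php',
);

/**
 * Resolve a request value to a file path. Only exact keys of $pages are
 * accepted; anything else (missing, unknown, a URL, a "../" path, or a
 * non-string such as page[]=x) falls back to the default page, so the
 * request can only select from a closed set the script controls.
 */
function resolve_page(array $pages, $requested, $default = 'home')
{
    if (is_string($requested) && array_key_exists($requested, $pages)) {
        return $pages[$requested];
    }
    return $pages[$default];
}

$requested = isset($_GET['page']) ? $_GET['page'] : null;
include resolve_page($PAGES, $requested);
```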
"People are willing to give up liberties for vague promises of security because they think they have no choice. What they're not being told is that they can have both. It would require people to say no to the FBI's power grab. It would require us to discard the easy answers in favor of thoughtful answers."

Worth a read.

Conectiva cuts off 4.x. Conectiva has [18]served notice that the 4.x versions of its distribution are no longer supported, and no further updates will be available. Conectiva customers running ancient versions of the distribution are encouraged to upgrade to something more recent.

Security Reports

OpenSSH 2.9.9 released. [19]OpenSSH 2.9.9 has been released; it includes a security fix that will be important for people using source-based access control.

A new set of sendmail vulnerabilities. Michal Zalewski has [20]found a new set of vulnerabilities in sendmail; they may be used by a local attacker to obtain unauthorized access to the mail system. Versions of sendmail through 8.12 are vulnerable; 8.12.1 has been released and contains fixes for all of the problems. We'll pass on distributor updates as we see them.

Zope DTML scripting security update. There is [21]a new Zope security update out there, fixing a vulnerability in DTML scripting. A suitably clueful user could use the vulnerability to obtain unauthorized access. A fix has been provided by Zope Corp.; expect updates shortly from the distributors that ship Zope as well.

Proprietary products. The following proprietary products were reported to contain vulnerabilities:

* The Cisco PIX firewall has [22]a vulnerability in its mailguard facility; the restrictions on SMTP commands can be bypassed by an attacker.

Updates

Format string vulnerability in groff. A format string problem exists in groff; apparently it could be remotely exploited when it is configured to be used with the lpd printing system.

New updates:
* [23]Conectiva (October 2, 2001)

Previous updates:
* [24]Debian (August 10, 2001)
* [25]Progeny (August 16, 2001)

SQL injection vulnerabilities in Apache authentication modules. Several Apache authentication modules have vulnerabilities that could allow an attacker to feed arbitrary SQL code to the underlying database, resulting in a compromise of database integrity and unauthorized access to the server. See [26]the September 6 security page for more information.

New updates:
* [27]Conectiva (September 28, 2001) (mod_auth_pgsql)

Previous updates:
* [28]Conectiva (September 6, 2001) (mod_auth_mysql)

Resources

Linux Security Week from LinuxSecurity.com is [29]available in its October 1 edition. Also available is [30]Linux Advisory Watch for September 28.

CERT has a new PGP key, following the expiration of its previous key at the end of September. See [31]the announcement for the new CERT key information.

Events

The International Cryptography Institute 2001 will be held November 29 and 30 in Washington, DC. Speakers include Dorothy Denning, Whitfield Diffie, Bruce Sterling, and Phil Zimmermann. See [32]the announcement for details.

Upcoming Security Events.

* October 10 - 12, 2001: [33]Fourth International Symposium on Recent Advances in Intrusion Detection (RAID 2001), Davis, CA
* November 5 - 8, 2001: [34]8th ACM Conference on Computer and Communication Security (CCS-8), Philadelphia, PA, USA
* November 13 - 15, 2001: [35]International Conference on Information and Communications Security (ICICS 2001), Xian, China
* November 19 - 22, 2001: [36]Black Hat Briefings, Amsterdam
* November 21 - 23, 2001: [37]International Information Warfare Symposium, AAL, Lucerne, Switzerland
* November 24 - 30, 2001: [38]Computer Security Mexico, Mexico City
* November 29 - 30, 2001: [39]International Cryptography Institute, Washington, DC
* December 2 - 7, 2001: [40]Lisa 2001, 15th Systems Administration Conference, San Diego, CA
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' [41]calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to [42]lwn@lwn.net.

Section Editor: [43]Jonathan Corbet
October 4, 2001

Copyright (c) 2001 [107]Eklektix, Inc., all rights reserved
Linux (R) is a registered trademark of Linus Torvalds

References

1. http://lwn.net/
2. http://ads.tucows.com/click.ng/pageid=001-012-132-000-000-002-000-000-012
3. http://lwn.net/2001/1004/
4. http://lwn.net/2001/1004/kernel.php3
5. http://lwn.net/2001/1004/dists.php3
6. http://lwn.net/2001/1004/desktop.php3
7. http://lwn.net/2001/1004/devel.php3
8. http://lwn.net/2001/1004/commerce.php3
9. http://lwn.net/2001/1004/press.php3
10. http://lwn.net/2001/1004/announce.php3
11. http://lwn.net/2001/1004/history.php3
12. http://lwn.net/2001/1004/letters.php3
13. http://lwn.net/2001/1004/bigpage.php3
14. http://lwn.net/2001/0927/security.php3
15. http://www.sans.org/top20.htm
16. http://lwn.net/2001/1004/a/php-vulnerabilities.php3
17. http://lwn.net/2001/1004/a/cryptogram-special.php3
18. http://lwn.net/2001/1004/a/conectiva-cutoff.php3
19. http://lwn.net/2001/1004/a/openssh.php3
20. http://lwn.net/2001/1004/a/sendmail-vulnerabilities.php3
21. http://lwn.net/2001/1004/a/zope-dtml-fmt.php3
22. http://lwn.net/2001/1004/a/cisco-smtp.php3
23. http://lwn.net/alerts/Conectiva/CLA-2001:428.php3
24. http://lwn.net/alerts/Debian/DSA-072-1.php3
25. http://lwn.net/alerts/Progeny/PROGENY-SA-2001-33.php3
26. http://lwn.net/2001/0906/security.php3
27. http://lwn.net/alerts/Conectiva/CLA-2001:427.php3
28. http://lwn.net/alerts/Conectiva/CLA-2001:421.php3
29. http://lwn.net/2001/1004/a/security-week.php3
30. http://lwn.net/2001/1004/a/advisory-watch.php3
31. http://lwn.net/2001/1004/a/cert-key.php3
32. http://lwn.net/2001/1004/a/ici.php3
33. http://www.raid-symposium.org/Raid2001
34. http://www.bell-labs.com/user/reiter/ccs8/
35. http://homex.coolconnect.com/member2/icisa/icics2001.html
36. http://www.blackhat.com/
37. http://www.sympinfowarfare.ch/
38. http://www.seguridad2001.unam.mx/
39. http://www.nipli.org/isse/events/2001/cryptography
40. http://www.usenix.org/events/lisa2001/
41. http://securityfocus.com/calendar
42. mailto:lwn@lwn.net
43. mailto:lwn@lwn.net
44. http://ads.tucows.com/click.ng/buttonpos=lwnbuttonsecurity
45. http://lwn.net/alerts/
46. http://bluelinux.sourceforge.net/
47. http://castle.altlinux.ru/
48. http://www.engardelinux.org/
49. http://www.immunix.org/
50. http://www.kaladix.org/
51. http://www.nsa.gov/selinux/
52. http://www.openwall.com/Owl/
53. http://www.trustix.com/
54. http://www.bastille-linux.org/
55. http://lsap.org/
56. http://lsm.immunix.org/
57. http://www.openssh.com/
58. http://www.securityfocus.com/bugtraq/archive/
59. http://www.nfr.net/firewall-wizards/
60. http://www.jammed.com/Lists/ISN/
61. http://www.calderasystems.com/support/security/
62. http://www.conectiva.com.br/atualizacoes/
63. http://www.debian.org/security/
64. http://www.kondara.org/errata/k12-security.html
65. http://www.esware.com/actualizaciones.html
66. http://linuxppc.org/security/advisories/
67. http://www.linux-mandrake.com/en/fupdates.php3
68. http://www.redhat.com/support/errata/index.html
69. http://www.suse.de/security/index.html
70. http://www.yellowdoglinux.com/resources/errata.shtml
71. http://www.BSDI.COM/services/support/patches/
72. http://www.freebsd.org/security/security.html
73. http://www.NetBSD.ORG/Security/
74. http://www.openbsd.org/security.html
75. http://www.calderasystems.com/support/forums/announce.html
76. http://www.cobalt.com/support/resources/usergroups.html
77. http://distro.conectiva.com.br/atualizacoes/
78. http://www.debian.org/MailingLists/subscribe
79. http://www.esware.com/lista_correo.html
80. http://www.freebsd.org/handbook/eresources.html#ERESOURCES-MAIL
81. http://www.kondara.org/mailinglist.html.en
82. http://l5web.laser5.co.jp/ml/ml.html
83. http://www.linuxfromscratch.org/services/mailinglistinfo.php
84. http://www.linux-mandrake.com/en/flists.php3
85. http://www.netbsd.org/MailingLists/
86. http://www.openbsd.org/mail.html
87. http://www.redhat.com/mailing-lists/
88. http://www.slackware.com/lists/
89. http://www.stampede.org/mailinglists.php3
90. http://www.suse.com/en/support/mailinglists/index.html
91. http://www.trustix.net/support/
92. http://www.turbolinux.com/mailman/listinfo/tl-security-announce
93. http://lists.yellowdoglinux.com/ydl_updates.shtml
94. http://munitions.vipul.net/
95. http://www.zedz.net/
96. http://www.cert.org/nav/alerts.html
97. http://ciac.llnl.gov/ciac/
98. http://www.MountainWave.com/
99. http://www.counterpane.com/crypto-gram.html
100. http://linuxlock.org/
101. http://linuxsecurity.com/
102. http://www.opensec.net/
103. http://www.securityfocus.com/
104. http://www.securityportal.com/
105. http://lwn.net/2001/1004/kernel.php3
106. http://www.eklektix.com/
107. http://www.eklektix.com/

--- ifmail v.2.14.os7-aks1
 * Origin: Unknown (2:4615/71.10@fidonet)