ru.linux - RU.LINUX
---------------------------------------------------------------------
From    : Sergey Lentsov  2:4615/71.10   28 Jan 2002 20:54:26
To      : All
Subject : URL: http://www.lwn.net/2002/0124/security.php3
--------------------------------------------------------------------------------

[1]LWN.net - Security

See also: [12]last week's Security page.

Security News and Editorials

Qualys Detects and Provides Analysis of Newly-Discovered Linux Trojan. Qualys has put out [13]a press release on how its tools can detect and remove the "new and potentially dangerous Remote Shell Trojan, referenced as RST.b, with backdoor and self-replicating functionality." If anybody out there has actually encountered this beast, we would be interested in hearing about it.

MS' highest priority must be security - Billg (Register). The Register has [14]Bill Gates's memo stating that Microsoft will now focus on security. Plus, of course, some commentary of their own. "Hello? Earth to Bill -- it took years of grinding public humiliation for MS to make a simple modification preventing malicious executables from launching automatically in Outlook. If this is Gates' idea of a security job well done, then all we have here is another PR smokescreen."

Security Reports

Mozilla Cookie Exploit. According to [15]this Bugtraq post from Marc Slemko, a bug in versions prior to Netscape 6.2.1 or Mozilla 0.9.7 allows "...an attacker to, if he can convince the user's browser to load a given URL, steal their cookies for any given domain. It does not require that active scripting is enabled in the browser, and can be done with something as simple as an image tag." Since many sites use cookies for authentication, an attacker may be able to impersonate a user by using cookies stolen in this manner.
Red Hat security update to uucp. Red Hat has [16]updated its uucp package to fix a vulnerability in the uuxqt utility. It seems that uuxqt does not check its options very well, allowing an attacker to execute commands as the uucp user. If you have uucp installed on your system (even if you're not actually using it), you may want to apply this update. But, this subsequent [17]Bugtraq posting states that the Red Hat update does not fix the whole problem.

Security update to enscript. Enscript has a temporary file handling bug. Updates fixing the problem were released by [18]Debian and [19]Red Hat.

Red Hat security update to OpenLDAP. Red Hat has issued [20]a security update to OpenLDAP fixing an access control problem in that package.

Conectiva security update to MySQL. Conectiva has issued [21]a security update to MySQL. It seems that they set up MySQL to do some pretty thorough logging in a world-readable manner, which could expose sensitive information to unwanted parties. This problem is specific to Conectiva.

Mandrake security update to jmcce. MandrakeSoft has issued [22]a security update to jmcce (a Chinese text display tool) fixing a temporary file vulnerability in that program.

Web scripts. The following web scripts were reported to contain vulnerabilities:

  * Chuid allows non-webserver owned PHP scripts to accept uploads regardless of the PHP "safe mode" setting. This [23]Bugtraq post strongly encourages upgrading to chuid 1.3 to avoid vulnerabilities that could allow a user to change the uid of files outside of the designated upload directory (even those owned by root).

Updates

Heap corruption vulnerability in at. The at command has a potentially exploitable heap corruption bug. (First LWN report: [24]January 17th). This week's updates:

  * [25]Debian (January 18, 2002) (first update did not fix the problem).
  * [26]Mandrake (January 18, 2002)
  * [27]Red Hat (January 22, 2002) Red Hat Linux 7.2 is not vulnerable; earlier releases are.
  * [28]Slackware (January 22, 2002)

Previous updates:

  * [29]Debian (January 16, 2002)
  * [30]SuSE (January 16, 2001)

exim remotely exploitable vulnerability. It seems that, for certain exim configurations, a properly crafted mail message may cause an arbitrary command to be executed. Not good; upgrades are recommended. (First LWN report: [31]January 17th). Red Hat only offers exim in the Powertools package. It is not vulnerable in the default Powertools configuration. This week's updates:

  * [32]Conectiva (January 18, 2002)

Previous updates:

  * [33]Debian (January 3, 2002)
  * [34]Red Hat (January 7, 2002)

Format string vulnerability in groff. A format string problem exists in groff; apparently it could be remotely exploited when it is configured to be used with the lpd printing system. (First LWN report: [35]August 16, 2001). The stable release of Debian [36]is not vulnerable. New updates:

  * [37]Trustix (January 18, 2002)

Previous updates:

  * [38]Red Hat (January 14, 2002)
  * [39]Conectiva (October 2, 2001)
  * [40]Debian (August 10, 2001)
  * [41]Progeny (August 16, 2001)

ProFTPD remotely exploitable vulnerabilities. This is a security update with fixes for a couple of remotely exploitable vulnerabilities. (First LWN report: [42]January 10th). This week's updates:

  * [43]Mandrake (January 17, 2002)

Previous updates:

  * [44]Conectiva (January 9, 2002)

Remotely exploitable vulnerability in pine. Pine has an unpleasant vulnerability in URL handling which can lead to command execution by remote attackers. (First LWN report: [45]January 17th). This vulnerability is remotely exploitable; updating is a good idea. Note: if an update isn't yet available for your distribution, setting enable-msg-view-urls to "off" in pine's setup will avoid the vulnerability. (Thanks to Greg Herlein). No new updates this week. Previous updates:

  * [46]Slackware (January 13, 2002)
  * [47]EnGarde (January 14, 2002)
  * [48]Red Hat (January 14, 2002)

Format string bug in stunnel.
Stunnel has a format string bug described in detail [49]here. Versions prior to 3.15 [50]are not vulnerable. LWN first reported the problem on [51]January 3rd. This week's updates:

  * [52]Mandrake (January 16, 2002)

Previous updates:

  * [53]Trustix (January 7, 2002)
  * [54]Red Hat (January 3, 2002)
  * [55]EnGarde (December 27, 2001)

Nasty security hole in sudo. The sudo package, used to provide limited administrator access to systems, has an unpleasant vulnerability which makes it relatively easy for a local attacker to obtain root access. If you have sudo on a system with untrusted users, you probably want to disable it until you can get a fix installed. (First LWN report: [56]January 17th). This week's updates:

  * [57]Slackware (January 22, 2002)

Previous updates:

  * [58]Conectiva (January 15, 2002)
  * [59]Debian (January 14, 2002)
  * [60]EnGarde (January 14, 2002)
  * [61]Mandrake (January 15, 2002)
  * [62]Red Hat (January 15, 2002)
  * [63]Red Hat (January 14, 2002) (Powertools)
  * [64]SuSE (January 14, 2002)

XChat session hijacking vulnerability. The XChat IRC client has a vulnerability that allows an attacker to take over the user's IRC session. (First LWN report: [65]January 17th). This week's updates:

  * [66]Conectiva (January 18, 2002)
  * [67]Slackware (January 22, 2002)

Previous updates:

  * [68]Debian (January 12, 2002)
  * [69]Red Hat (January 14, 2002)

Resources

Security-Enhanced Linux update. The [70]SELinux web site was updated with new stable (2.4) and development (2.5) SELinux prototypes. "The stable (2.4) LSM-based SELinux prototype was updated to kernel 2.4.17 and was updated to include a number of bug fixes and minor enhancements made since the previous release. A new development (2.5) LSM-based SELinux prototype based on kernel 2.5.2 was also added to the site."

William Stearns and Michal Zalewski released [71]p0f version 1.8. "p0f is the passive OS fingerprinting utility that can identify a remote machine from just the syn packet of an incoming connection."
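To make concrete what a passive fingerprinter looks at in that single SYN, here is an added example; it is not from the LWN page and is not p0f's own code. It parses the IPv4 and TCP headers of a constructed SYN packet and extracts the fields passive OS fingerprinting is generally keyed on: TTL, the DF bit, window size, packet size, MSS, window scale and the order of the TCP options. The packet bytes, the build_syn helper and the field names are assumptions made for this demonstration; p0f's actual signature database and matching rules are not reproduced.

```python
import struct

# Added example, not from the LWN page and not p0f's own code. It parses one
# IPv4/TCP SYN and pulls out the header fields passive OS fingerprinting is
# generally keyed on. The sample packet below is constructed for this demo.

TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_ipv4_header(data):
    """Return (ttl, df, protocol, payload) from a raw IPv4 packet."""
    (ver_ihl, _tos, _total_len, _ident, flags_frag,
     ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    df = bool(flags_frag & 0x4000)      # Don't Fragment bit
    return ttl, df, proto, data[ihl:]


def parse_tcp_options(opts):
    """Walk the TCP option TLVs and return (name, value) pairs in wire order."""
    parsed = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # End of option list
            parsed.append(("eol", None))
            break
        if kind == 1:                    # No-operation (padding)
            parsed.append(("nop", None))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            parsed.append(("mss", struct.unpack("!H", body)[0]))
        elif kind == 3 and len(body) == 1:
            parsed.append(("wscale", body[0]))
        elif kind == 4:
            parsed.append(("sackOK", None))
        elif kind == 8 and len(body) == 8:
            parsed.append(("ts", struct.unpack("!II", body)))
        else:
            parsed.append(("kind%d" % kind, body))
        i += length
    return parsed


def syn_fingerprint(packet):
    """Return the fingerprint fields of a SYN, or None if it is not a bare SYN."""
    ttl, df, proto, tcp = parse_ipv4_header(packet)
    if proto != 6:                       # not TCP
        return None
    (_sport, _dport, _seq, _ack, off_flags,
     window, _csum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4     # TCP header length incl. options
    flags = off_flags & 0x01FF
    if not flags & TCP_SYN or flags & TCP_ACK:
        return None                      # only the client's initial SYN
    options = parse_tcp_options(tcp[20:data_off])
    return {
        "ttl": ttl,
        "df": df,
        "window": window,
        "packet_size": len(packet),
        "mss": next((v for k, v in options if k == "mss"), None),
        "wscale": next((v for k, v in options if k == "wscale"), None),
        "options": [k for k, _ in options],   # option order is part of the signature
    }


def build_syn(ttl, df, window, options_bytes):
    """Hypothetical helper: construct an IPv4+TCP SYN (checksums left at zero)."""
    if len(options_bytes) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    tcp_len = 20 + len(options_bytes)
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, flags_frag,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    off_flags = (tcp_len // 4) << 12 | TCP_SYN
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, window, 0, 0)
    return ip + tcp + options_bytes


# Constructed option block: MSS 1460, SACK permitted, timestamps, NOP, wscale 7.
SAMPLE_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02"
                  + b"\x08\x0a" + b"\x00\x00\x00\x01\x00\x00\x00\x00"
                  + b"\x01" + b"\x03\x03\x07")
SAMPLE_SYN = build_syn(ttl=64, df=True, window=5840, options_bytes=SAMPLE_OPTIONS)

if __name__ == "__main__":
    print(syn_fingerprint(SAMPLE_SYN))
```

Every field in the returned dict is set by the sender's TCP/IP stack before any application data flows, which is why a listener can form an opinion about the remote OS from the SYN alone; a real tool compares the tuple against a signature database, and mismatches in option order or window/MSS ratio are what separate similar stacks.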
Events

Upcoming Security Events. Register for CodeCon 2002 by February 1st and get [72]a ten dollar discount. "CodeCon is the premier event in 2002 for the P2P, cypherpunk, and network/security application developer community." CodeCon 2002 will be held at DNA lounge in San Francisco, February 15th to 17th.

Date                            Event                                                                    Location
January 30 - February 2, 2002   [73]Second Annual Privacy and Data Protection Summit                     Washington D.C., USA
February 15 - 17, 2002          [74]CODECON 2002                                                         San Francisco, California, USA
February 18 - 22, 2002          [75]RSA Conference 2002                                                  San Jose, CA., USA
March 11 - 14, 2002             [76]Financial Cryptography 2002                                          Southampton, Bermuda
March 18 - 21, 2002             [77]Sixth Annual Distributed Objects and Components Security Workshop    Baltimore, Maryland, USA (Pier 5 Hotel at the Inner Harbor)

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' [78]calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to [79]lwn@lwn.net.
Section Editor: [80]Dennis Tenney

January 24, 2002

Copyright © 2002 [143]Eklektix, Inc., all rights reserved
Linux (R) is a registered trademark of Linus Torvalds

References

1. http://lwn.net/
2. http://lwn.net/2002/0124/
3. http://lwn.net/2002/0124/kernel.php3
4. http://lwn.net/2002/0124/dists.php3
5. http://lwn.net/2002/0124/devel.php3
6. http://lwn.net/2002/0124/commerce.php3
7. http://lwn.net/2002/0124/press.php3
8. http://lwn.net/2002/0124/announce.php3
9. http://lwn.net/2002/0124/history.php3
10. http://lwn.net/2002/0124/letters.php3
11. http://lwn.net/2002/0124/bigpage.php3
12. http://lwn.net/2002/0117/security.php3
13. http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/01-09-2002/0001644984&EDATE=
14. http://www.theregister.co.uk/content/4/23715.html
15. http://lwn.net/2002/0124/a/mozillacookie.php3
16. http://lwn.net/alerts/RedHat/RHSA-2001:165-08.php3
17. http://lwn.net/2002/0124/a/uucp-not-yet.php3
18. http://lwn.net/alerts/Debian/DSA-105-1.php3
19. http://lwn.net/alerts/RedHat/RHSA-2002:012-06.php3
20. http://lwn.net/alerts/RedHat/RHSA-2002:014-07.php3
21. http://lwn.net/alerts/Conectiva/CLA-2002:455.php3
22. http://lwn.net/alerts/Mandrake/MDKSA-2002:008.php3
23. http://lwn.net/2002/0124/a/chuid.php3
24. http://lwn.net/2002/0117/security.php3#at
25. http://lwn.net/alerts/Debian/DSA-102-2.php3
26. http://lwn.net/alerts/Mandrake/MDKSA-2002:007.php3
27. http://lwn.net/alerts/RedHat/RHSA-2002:015-13.php3
28. http://lwn.net/alerts/Slackware/sl-1011706104.php3
29. http://lwn.net/alerts/Debian/DSA-102-1.php3
30. http://lwn.net/alerts/SuSE/SuSE-SA:2002:003.php3
31. http://lwn.net/2002/0110/security.php3#exim
32. http://lwn.net/alerts/Conectiva/CLA-2002:454.php3
33. http://lwn.net/alerts/Debian/DSA-097-1.php3
34. http://lwn.net/alerts/RedHat/RHSA-2001:176-05.php3
35. http://lwn.net/2001/0816/security.php3#groff
36. http://lwn.net/2002/0117/a/debiangroffok.php3
37. http://lwn.net/alerts/Trustix/2002-0020.php3
38. http://lwn.net/alerts/RedHat/RHSA-2002:004-06.php3
39. http://lwn.net/alerts/Conectiva/CLA-2001:428.php3
40. http://lwn.net/alerts/Debian/DSA-072-1.php3
41. http://lwn.net/alerts/Progeny/PROGENY-SA-2001-33.php3
42. http://lwn.net/2002/0110/security.php3#proftpd
43. http://lwn.net/alerts/Mandrake/MDKSA-2002:005.php3
44. http://lwn.net/alerts/Conectiva/CLA-2002:450.php3
45. http://lwn.net/2002/0117/security.php3#pine
46. http://lwn.net/alerts/Slackware/sl-1010936849.php3
47. http://lwn.net/alerts/EnGarde/ESA-20020114-002.php3
48. http://lwn.net/alerts/RedHat/RHSA-2002:009-06.php3
49. http://lwn.net/2002/0103/a/stunnelformatstringbug.php3
50. http://lwn.net/2002/0110/a/stunnelupdate.php3
51. http://lwn.net/2002/0103/security.php3#stunnel
52. http://lwn.net/alerts/Mandrake/MDKSA-2002:004.php3
53. http://lwn.net/2002/0110/a/trustixstunnelbugfix.php3
54. http://lwn.net/alerts/RedHat/RHSA-2002:002-10.php3
55. http://lwn.net/alerts/EnGarde/ESA-20011227-01.php3
56. http://lwn.net/2002/0117/security.php3#sudo
57. http://lwn.net/alerts/Slackware/sl-1011706104.php3
58. http://lwn.net/alerts/Conectiva/CLA-2002:451.php3
59. http://lwn.net/alerts/Debian/DSA-101-1.php3
60. http://lwn.net/alerts/EnGarde/ESA-20020114-001.php3
61. http://lwn.net/alerts/Mandrake/MDKSA-2002:003.php3
62. http://lwn.net/alerts/RedHat/RHSA-2002:011-06.php3
63. http://lwn.net/alerts/RedHat/RHSA-2002:013-03.php3
64. http://lwn.net/alerts/SuSE/SuSE-SA:2002:002.php3
65. http://lwn.net/2002/0117/security.php3#xchat
66. http://lwn.net/alerts/Conectiva/CLA-2002:453.php3
67. http://lwn.net/alerts/Slackware/sl-1011706104.php3
68. http://lwn.net/alerts/Debian/DSA-099-1.php3
69. http://lwn.net/alerts/RedHat/RHSA-2002:005-09.php3
70. http://www.nsa.gov/selinux/news.html
71. http://lwn.net/2002/0124/a/p0f.php3
72. http://lwn.net/2002/0124/a/codecondiscount.php3
73. http://www.privacyassociation.org/html/conferences.html
74. http://www.codecon.org/
75. http://www.rsaconference.com/
76. http://www.fc02.ai/
77. http://www.omg.org/news/meetings/docsec2002/call.htm
78. http://securityfocus.com/calendar
79. mailto:lwn@lwn.net
80. mailto:lwn@lwn.net
81. http://lwn.net/alerts/
82. http://www.astaro.com/products/index.html
83. http://bluelinux.sourceforge.net/
84. http://castle.altlinux.ru/
85. http://www.engardelinux.org/
86. http://www.immunix.org/
87. http://www.kaladix.org/
88. http://www.nsa.gov/selinux/
89. http://www.openwall.com/Owl/
90. http://www.trustix.com/
91. http://www.bastille-linux.org/
92. http://lsap.org/
93. http://lsm.immunix.org/
94. http://www.openssh.com/
95. http://www.securityfocus.com/archive/1
96. http://www.nfr.net/firewall-wizards/
97. http://www.jammed.com/Lists/ISN/
98. http://www.calderasystems.com/support/security/
99. http://www.conectiva.com.br/atualizacoes/
100. http://www.debian.org/security/
101. http://www.kondara.org/errata/k12-security.html
102. http://www.esware.com/actualizaciones.html
103. http://linuxppc.org/security/advisories/
104. http://www.linux-mandrake.com/en/fupdates.php3
105. http://www.redhat.com/support/errata/index.html
106. http://www.suse.de/security/index.html
107. http://www.yellowdoglinux.com/resources/
108. http://www.BSDI.COM/services/support/patches/
109. http://www.freebsd.org/security/security.html
110. http://www.NetBSD.ORG/Security/
111. http://www.openbsd.org/security.html
112. http://www.calderasystems.com/support/forums/announce.html
113. http://www.cobalt.com/support/resources/usergroups.html
114. http://distro.conectiva.com.br/atualizacoes/
115. http://www.debian.org/MailingLists/subscribe
116. http://www.esware.com/lista_correo.html
117. http://www.freebsd.org/handbook/eresources.html#ERESOURCES-MAIL
118. http://www.kondara.org/mailinglist.html.en
119. http://l5web.laser5.co.jp/ml/ml.html
120. http://www.linuxfromscratch.org/services/mailinglistinfo.php
121. http://www.linux-mandrake.com/en/flists.php3
122. http://www.netbsd.org/MailingLists/
123. http://www.openbsd.org/mail.html
124. http://www.redhat.com/mailing-lists/
125. http://www.slackware.com/lists/
126. http://www.stampede.org/mailinglists.php3
127. http://www.suse.com/en/support/mailinglists/index.html
128. http://www.trustix.net/support/
129. http://www.turbolinux.com/mailman/listinfo/tl-security-announce
130. http://lists.yellowdoglinux.com/ydl_updates.shtml
131. http://munitions.vipul.net/
132. http://www.zedz.net/
133. http://www.cert.org/nav/alerts.html
134. http://ciac.llnl.gov/ciac/
135. http://www.MountainWave.com/
136. http://www.counterpane.com/crypto-gram.html
137. http://linuxlock.org/
138. http://linuxsecurity.com/
139. http://www.securityfocus.com/
140. http://www.securityportal.com/
141. http://lwn.net/2002/0124/kernel.php3
142. http://www.eklektix.com/
143. http://www.eklektix.com/

--- ifmail v.2.14.os7-aks1
 * Origin: Unknown (2:4615/71.10@fidonet)