RU.LINUX
From: Sergey Lentsov 2:4615/71.10, 21 Mar 2002 17:25:29
To: All
Subject: URL: http://www.lwn.net/2002/0321/security.php3
See also: [11]last week's Security page.
Security
News and Editorials
Too much trust in open source? (ZDNet). ZDNet [12]looks at the recent
security vulnerabilities and asks whether free software is really more
secure. Quoting Linus Torvalds: "In the open-source community, the
community has so far been pretty good at policing itself without the
embarrassment. Do bugs happen? Yes, of course. But do they get found
and fixed without a new virus of the week that costs a few billion
dollars of user time? You bet."
Analysts: Security flaws won't undermine Linux (ComputerWorld).
ComputerWorld [13]talks to security analysts about recent security
problems. "Alan Paller, research director at the SANS Institute, a
Bethesda, Md.-based nonprofit security group, said it's not a surprise
that more vulnerabilities are showing up in Linux, since the operating
system is being used more widely in corporate computing. The larger
deployment of the operating system means more problems are likely to
be seen in larger numbers, Paller said." (Thanks to Jay R. Ashworth)
March CRYPTO-GRAM newsletter. [14]Bruce Schneier's CRYPTO-GRAM
Newsletter for March is out. It looks at the SNMP vulnerabilities, the
IETF draft "responsible disclosure" standard, cryptography and
terrorism, and more. "CERT took on the task of coordinating the [SNMP]
fix with the major software vendors, and has said that the reason
publication was delayed so long is that there were so many vendors to
contact. CERT even had problems with vendors not taking the problem
seriously, and had to spend considerable effort to get the right
people to pay attention. Lesson #1: If bugs are secret, many vendors
won't bother patching their systems."
Security Reports
Mandrake Linux update for rsync. Ethan Benson [15]reported that rsyncd
fails to remove supplementary groups (such as root) from the server
process after changing to the specified unprivileged uid and gid.
Mandrake has provided an [16]rsync update which fixes the problem.
"This seems only serious if rsync is called using "rsync --daemon"
from the command line where it will inherit the group of the user
starting the server (usually root)."
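As an added illustration of the rsyncd report above (example code, not rsync's own): the same privilege drop done the incomplete way and the hardened way, plus a check a process can run on itself to see whether gid 0 is still among its supplementary groups. Function names are assumptions.

```c
/* Added example (not rsync's code): privilege dropping as in the rsyncd
 * report, incomplete form beside hardened form. Names are hypothetical. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
/* Pure helper: is gid present in a group list of n entries? */
int gid_in_list(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid)
            return 1;
    return 0;
}

/* Does the calling process still carry gid as a supplementary group?
 * Returns 1 or 0, or -1 on error. Works inside a daemon right after it
 * drops privileges, or as a stand-alone audit of the current process. */
int supplementary_has(gid_t gid)
{
    int n = getgroups(0, NULL);            /* size 0: only count the groups */
    if (n <= 0)
        return n;                          /* no groups, or -1 on error */
    gid_t *list = calloc((size_t)n, sizeof *list);
    if (list == NULL)
        return -1;
    n = getgroups(n, list);
    int found = (n < 0) ? -1 : gid_in_list(list, n, gid);
    free(list);
    return found;
}

/* The incomplete sequence the report describes: uid and gid change, but the
 * supplementary groups inherited from whoever started the daemon (root's,
 * for "rsync --daemon" run from a root shell) stay attached to the process. */
int drop_privs_incomplete(uid_t uid, gid_t gid)
{
    return (setgid(gid) == 0 && setuid(uid) == 0) ? 0 : -1;
}

/* Hardened sequence: replace the supplementary list while still root, then
 * set the gid, then the uid (setgroups/setgid are refused once the uid is
 * unprivileged), and verify the old privileges are really gone. */
int drop_privs(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {            /* "dropping" to root is no drop */
        errno = EINVAL;
        return -1;
    }
    if (setgroups(1, &gid) != 0)           /* needs root (CAP_SETGID on Linux) */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Regaining root must now fail, and gid 0 must not linger. */
    return (setuid(0) != 0 && supplementary_has(0) == 0) ? 0 : -1;
}
```

For a daemon that is already running, the equivalent check on Linux is the Groups: line in /proc/<pid>/status.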
Web scripts.
The following web scripts were reported to contain vulnerabilities:
* [17]ARSC Really Simple Chat v1.0.1 and v1.0 had a system
information path disclosure vulnerability reported by Ahmet Sabri
Alper in this [18]advisory. The problem is fixed in [19]version
1.0.1pl1.
* Ahmet Sabri Alper has also reported cross site scripting
vulnerabilities in [20]News-TNK, [21]BG Guestbook and
[22]Board-TNK which "would allow a remote attacker to send
information to victims from untrusted web servers, and make it
look as if the information came from the legitimate server."
Proprietary products.
The following proprietary products were reported to contain
vulnerabilities:
Updates
Apache mod_ssl buffer overflow vulnerability. According to [23]this
announcement "modssl versions prior to 2.8.7-1.3.23 (Feb 23, 2002)
make use of the underlying OpenSSL routines in a manner which could
overflow a buffer within the implementation. This situation appears
difficult to exploit in a production environment[...]." (First LWN
report: [24]March 7).
This week's updates:
* [25]Red Hat (March 13, 2002) (Red Hat Secure Web Server)
Previous updates:
* [26]Conectiva (March 4, 2002)
* [27]Debian (March 10, 2002)
* [28]EnGarde (March 1, 2002)
* [29]Eridani (March 7, 2002)
* [30]Mandrake (March 7, 2002)
* [31]Red Hat (March 6, 2002) (Red Hat 7, 7.1 & 7.2)
* [32]Trustix (February 28, 2002)
Buffer overflow in CUPS. Versions of the Common Unix Print System
prior to 1.1.14 have a buffer overflow vulnerability. (First LWN
report: [33]February 14).
This week's updates:
* [34]Red Hat (March 13, 2002) (Red Hat Powertools)
Previous updates:
* [35]Debian (February 13, 2002)
* [36]Mandrake (February 15, 2002)
* [37]SuSE (February 27, 2002)
* [38]SuSE (February 23, 2002) ([39]withdrawn due to the
introduction of an unrelated bug)
Remotely exploitable buffer overflow in Ecartis/Listar. Janusz
Niewiadomski and Wojciech Purczynski [40]reported a remotely
exploitable buffer overflow in address_match(). The other
vulnerabilities in their report not addressed by the updates listed
below are "ineffective privilege dropping in listar" and "multiple
local vulnerabilities." Listar is a mailing list manager similar to
Majordomo or Listserv. (First LWN report: [41]March 14).
This week's updates:
* [42]Debian (March 19, 2002)
Both PHP3 and PHP4 [43]have vulnerabilities in their file upload code
which can lead to remote command execution. This one could be ugly;
sites using PHP should apply updates at the first opportunity. If an
update isn't available for your distribution, users of PHP 4.0.3 and
later are encouraged to consider disabling file upload support by
adding this directive to php.ini:
file_uploads = Off
CERT has [44]issued this advisory on the problem. [45]This article in
the Register also talks about the vulnerability. (First LWN report:
[46]March 7).
Developers using the 4.2.0 branch are not vulnerable, because file
upload support was completely rewritten for that branch.
This week's updates:
* [47]Mitel Networks (March 7, 2002) (SME Server)
Previous updates:
* [48]Conectiva (March 8, 2002)
* [49]Debian (March 2, 2002)
* [50]EnGarde (March 1, 2002)
* [51]Eridani (March 5, 2002)
* [52]Mandrake (February 28, 2002)
* [53]OpenPKG (February 28, 2002)
* [54]Red Hat (February 27, 2002)
* [55]Slackware (March 5, 2002)
* [56]SuSE (February 28, 2002)
* [57]Trustix (February 28, 2002)
* [58]Yellow Dog (March 5, 2002)
Update: Despite [59]some concern expressed in an earlier report by
LWN, these updates do, in fact, fix the problem. The original update
from the php team fixes the security hole but introduces a "rare
segfault condition" that is not a security problem.
zlib corrupts malloc data structures via double free. This
vulnerability impacts all major Linux vendors. It may impact every
Linux installation on Earth. Updates are required to zlib and any
packages that were statically built with the zlib code. (First LWN
report: [60]March 14).
LinuxSecurity [61]describes the vulnerability and coordinated
distributor efforts in detail. "Packages including X11, rsync, the
Linux kernel, QT, mozilla, gcc, vnc, and many other programs that have
the ability to use network compression are potentially vulnerable."
Updating is recommended. As always, please proceed with caution when
applying updates to the kernel.
This week's updates:
* [62]Conectiva (March 14, 2002) (zlib and derived packages)
* [63]Mandrake (March 13, 2002) (packages containing zlib)
* [64]Red Hat (March 15, 2002) (kernel for Red Hat 6.2 & 7.0)
* [65]Trustix (March 18, 2002) (zlib and derived packages)
Previous updates:
* [66]Debian (March 11, 2002) (nine packages)
* [67]EnGarde (March 11, 2002) (zlib kernel popt rsync)
* [68]Eridani (March 13, 2002) (libz)
* [69]Eridani (March 13, 2002) (vnc dump cvs rsync kernel)
* [70]Mandrake (March 12, 2002) (zlib)
* [71]Mandrake (March 12, 2002) (twelve packages including kernel)
* [72]OpenPKG (March 12, 2002) (zlib cvs gnupg rrdtool rsync)
* [73]Red Hat (March 11, 2002) (Red Hat Linux; also apply the March
15 kernel update)
* [74]Red Hat (March 11, 2002) (Red Hat Powertools)
* [75]SuSE (March 11, 2002) (libz/zlib)
* [76]SuSE (March 11, 2002) (eight packages including kernel)
* [77]Slackware (March 12, 2002) (zlib)
* [78]Slackware (March 12, 2002) (rsync)
* [79]Slackware (March 12, 2002) (cvs)
See also: articles in [80]ZDNet and [81]The Register about the zlib
vulnerability. And, these reports from [82]ZDNet and [83]Vnunet on
this vulnerability in some of Microsoft's major applications.
Resources
Paranoid Penguin: Hardening Sendmail (Linux Journal). Mick Bauer
[84]shares his secrets of a secure sendmail install. "Well, contrary
to popular belief, sendmail isn't a total loss where security is
concerned, nor does it require learning the arcane syntax of
sendmail.cf (although hardcore sendmail gurus do indeed master it).
This month we examine these and other sendmail security controversies,
using sendmail's handy m4 macros to rapidly build a secure but
functional Simple Mail Transport Protocol (SMTP) gateway to handle
internet mail."
The Linux Virus Writing HOWTO. Alexander Bartolich's [85]Linux Virus
Writing HOWTO describes "how to write parasitic file viruses infecting
ELF executables on Linux/i386. Though it contains a lot of source
code, no actual virus is included."
Linux security week. The [86]Linux Security Week and [87]Linux
Advisory Watch publications from LinuxSecurity.com are available.
Events
Upcoming Security Events.
FOSE SELinux Panel. There is a [88]Security Enhanced Linux (SELinux)
panel at the FOSE conference in Washington D.C. today, Thursday, March
21, 2002.
Date: Event (venue), Location
March 21, 2002: [89]Sixth Annual Distributed Objects and Components Security Workshop (Pier 5 Hotel at the Inner Harbor), Baltimore, Maryland, USA
April 1 - 7, 2002: [90]SANS 2002, Orlando, FL., USA
April 5 - 7, 2002: [91]Rubicon, Detroit, Michigan, USA
April 7 - 10, 2002: [92]Techno-Security 2002 Conference, Myrtle Beach, SC
April 14 - 15, 2002: [93]Workshop on Privacy Enhancing Technologies 2002 (Cathedral Hill Hotel), San Francisco, California, USA
April 16 - 19, 2002: [94]The Twelfth Conference on Computers, Freedom & Privacy (Cathedral Hill Hotel), San Francisco, California, USA
April 23 - 25, 2002: [95]Infosecurity Europe 2002, Olympia, London, UK
May 1 - 3, 2002: [96]cansecwest/core02, Vancouver, Canada
May 4 - 5, 2002: [97]DallasCon, Dallas, TX., USA
May 12 - 15, 2002: [98]2002 IEEE Symposium on Security and Privacy (The Claremont Resort), Oakland, California, USA
May 13 - 14, 2002: [99]3rd International Common Criteria Conference (ICCC), Ottawa, Ont., Canada
May 13 - 17, 2002: 14th Annual Canadian Information Technology Security Symposium (CITSS) (Ottawa Congress Centre), Ottawa, Ontario, Canada
May 27 - 31, 2002: [100]3rd International SANE Conference (SANE 2002), Maastricht, The Netherlands
May 29 - 30, 2002: [101]RSA Conference 2002 Japan (Akasaka Prince Hotel), Tokyo, Japan
For additional security-related events, including training courses
(which we don't list above) and events further in the future, check
out Security Focus' [102]calendar, one of the primary resources we use
for building the above list. To submit an event directly to us, please
send a plain-text message to [103]lwn@lwn.net.
Section Editor: [104]Dennis Tenney
March 21, 2002
[167]Eklektix, Inc. Linux powered! Copyright © 2002 [168]Eklektix,
Inc., all rights reserved
Linux (R) is a registered trademark of Linus Torvalds
References
1. http://lwn.net/
2. http://lwn.net/2002/0321/
3. http://lwn.net/2002/0321/kernel.php3
4. http://lwn.net/2002/0321/dists.php3
5. http://lwn.net/2002/0321/devel.php3
6. http://lwn.net/2002/0321/commerce.php3
7. http://lwn.net/2002/0321/press.php3
8. http://lwn.net/2002/0321/announce.php3
9. http://lwn.net/2002/0321/letters.php3
10. http://lwn.net/2002/0321/bigpage.php3
11. http://lwn.net/2002/0314/security.php3
12. http://zdnet.com.com/2100-1104-864256.html
13. http://computerworld.com/nlt/1%2C3590%2CNAV47_STO69139_NLTAM%2C00.html
14. http://lwn.net/2002/0321/a/crypto-gram.php3
15. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=132272
16. http://lwn.net/alerts/Mandrake/MDKSA-2002:024.php3
17. http://manuel.kiessling.net/projects/software/arsc/
18. http://lwn.net/2002/0321/a/arscreallysimplechat.php3
19. http://manuel.kiessling.net/projects/software/arsc/#download
20. http://lwn.net/2002/0321/a/newstnk.php3
21. http://lwn.net/2002/0321/a/bgguestbook.php3
22. http://lwn.net/2002/0321/a/boardtnk.php3
23. http://online.securityfocus.com/archive/1/258646
24. http://lwn.net/2002/0307/security.php3#apachemodssl
25. http://lwn.net/alerts/RedHat/RHSA-2002:042-12.php3
26. http://lwn.net/alerts/Conectiva/CLA-2002:465.php3
27. http://lwn.net/alerts/Debian/DSA-120-1.php3
28. http://lwn.net/alerts/EnGarde/ESA-20020301-005.php3
29. http://lwn.net/alerts/Eridani/ERISA-2002:006.php3
30. http://lwn.net/alerts/Mandrake/MDKSA-2002:020.php3
31. http://lwn.net/alerts/RedHat/RHSA-2002:041-08.php3
32. http://lwn.net/alerts/Trustix/2002-0034.php3
33. http://lwn.net/2002/0214/security.php3#cups
34. http://lwn.net/alerts/RedHat/RHSA-2002:032-12.php3
35. http://lwn.net/alerts/Debian/DSA-110-1.php3
36. http://lwn.net/alerts/Mandrake/MDKSA-2002:015.php3
37. http://lwn.net/alerts/SuSE/SuSE-SA:2002:006.php3
38. http://lwn.net/alerts/SuSE/SuSE-SA:2002:005.php3
39. http://lwn.net/2002/0228/a/suse-cups.php3
40. http://lwn.net/2002/0314/a/ecartislistar.php3
41. http://lwn.net/2002/0314/security.php3#listar
42. http://lwn.net/alerts/Debian/DSA-123-1.php3
43. http://lwn.net/2002/0307/a/php-upload.php3
44. http://lwn.net/2002/0307/a/cert-php.php3
45. http://www.theregister.co.uk/content/55/24248.html
46. http://lwn.net/2002/0307/security.php3#php
47. http://www.e-smith.org/article.php3?sid=58&mode=threaded&order=0
48. http://lwn.net/alerts/Conectiva/CLA-2002:468.php3
49. http://lwn.net/alerts/Debian/DSA-115-1.php3
50. http://lwn.net/alerts/EnGarde/ESA-20020301-006.php3
51. http://lwn.net/2002/0307/a/el-squid-php.php3
52. http://lwn.net/alerts/Mandrake/MDKSA-2002:017.php3
53. http://www.openpkg.org/security/OpenPKG-SA-2002.001-php.html
54. http://lwn.net/alerts/RedHat/RHSA-2002:035-13.php3
55. http://lwn.net/alerts/Slackware/sl-1015349340.php3
56. http://lwn.net/alerts/SuSE/SuSE-SA:2002:007.php3
57. http://lwn.net/alerts/Trustix/2002-0033.php3
58. http://lwn.net/alerts/YellowDog/YDU-20020305-1.php3
59. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=60523
60. http://lwn.net/2002/0314/security.php3#zlib
61. http://www.linuxsecurity.com/articles/security_sources_article-4582.html
62. http://lwn.net/alerts/Conectiva/CLA-2002:469.php3
63. http://lwn.net/alerts/Mandrake/MDKSA-2002:023-1.php3
64. http://lwn.net/alerts/RedHat/RHSA-2002:026-39.php3
65. http://lwn.net/alerts/Trustix/2002-0040.php3
66. http://lwn.net/alerts/Debian/DSA-122-1.php3
67. http://lwn.net/alerts/EnGarde/ESA-20020311-008.php3
68. http://lwn.net/alerts/Eridani/ERISA-2002:008.php3
69. http://lwn.net/alerts/Eridani/ERISA-2002:009.php3
70. http://lwn.net/alerts/Mandrake/MDKSA-2002:022.php3
71. http://lwn.net/alerts/Mandrake/MDKSA-2002:023.php3
72. http://lwn.net/alerts/OpenPKG/OpenPKG-SA-2002.003.php3
73. http://lwn.net/alerts/RedHat/RHSA-2002:026-35.php3
74. http://lwn.net/alerts/RedHat/RHSA-2002:027-22.php3
75. http://lwn.net/alerts/SuSE/SuSE-SA:2002:010.php3
76. http://lwn.net/alerts/SuSE/SuSE-SA:2002:011.php3
77. http://lwn.net/alerts/Slackware/sl-1015949806.php3
78. http://lwn.net/alerts/Slackware/sl-1015950024.php3
79. http://lwn.net/alerts/Slackware/sl-1015950525.php3
80. http://zdnet.com.com/2100-1104-857031.html
81. http://www.theregister.co.uk/content/5/24387.html
82. http://zdnet.com.com/2100-1104-860428.html
83. http://www.vnunet.com/News/1130151
84. http://linuxjournal.com/article.php?sid=5753
85. http://wildsau.idv.uni-linz.ac.at/~k3032e4/virus-writing-HOWTO/_html/
86. http://lwn.net/2002/0321/a/security-week.php3
87. http://lwn.net/2002/0321/a/advisory-watch.php3
88. http://lwn.net/2002/0321/a/selinuxpanel.php3
89. http://www.omg.org/news/meetings/docsec2002/call.htm
90. http://www.sans.org/SANS2002.php
91. http://www.rubi-con.org/
92. http://www.TECHSEC.com/
93. http://www.pet2002.org/
94. http://www.cfp2002.org/
95. http://www.infosec.co.uk/
96. http://cansecwest.com/
97. http://www.dallascon.com/
98. http://www.ieee-security.org/TC/SP02/sp02index.html
99. http://www.cse-cst.gc.ca/en/iccc/iccc.html
100. http://www.nluug.nl/sane/
101. http://www.rsaconference.net/
102. http://securityfocus.com/calendar
103. mailto:lwn@lwn.net
104. mailto:lwn@lwn.net
105. http://lwn.net/alerts/
106. http://www.astaro.com/products/index.html
107. http://bluelinux.sourceforge.net/
108. http://castle.altlinux.ru/
109. http://www.engardelinux.org/
110. http://www.immunix.org/
111. http://www.kaladix.org/
112. http://www.nsa.gov/selinux/
113. http://www.openwall.com/Owl/
114. http://www.trustix.com/
115. http://www.bastille-linux.org/
116. http://lsap.org/
117. http://lsm.immunix.org/
118. http://www.openssh.com/
119. http://www.securityfocus.com/archive/1
120. http://www.nfr.net/firewall-wizards/
121. http://www.jammed.com/Lists/ISN/
122. http://www.calderasystems.com/support/security/
123. http://www.conectiva.com.br/atualizacoes/
124. http://www.debian.org/security/
125. http://www.kondara.org/errata/k12-security.html
126. http://www.esware.com/actualizaciones.html
127. http://linuxppc.org/security/advisories/
128. http://www.linux-mandrake.com/en/fupdates.php3
129. http://www.redhat.com/support/errata/index.html
130. http://www.suse.de/security/index.html
131. http://www.turbolinux.com/security/
132. http://www.yellowdoglinux.com/resources/
133. http://www.BSDI.COM/services/support/patches/
134. http://www.freebsd.org/security/security.html
135. http://www.NetBSD.ORG/Security/
136. http://www.openbsd.org/security.html
137. http://www.calderasystems.com/support/forums/announce.html
138. http://www.cobalt.com/support/resources/usergroups.html
139. http://distro.conectiva.com.br/atualizacoes/
140. http://www.debian.org/MailingLists/subscribe
141. http://www.esware.com/lista_correo.html
142. http://www.freebsd.org/handbook/eresources.html#ERESOURCES-MAIL
143. http://www.kondara.org/mailinglist.html.en
144. http://l5web.laser5.co.jp/ml/ml.html
145. http://www.linuxfromscratch.org/services/mailinglistinfo.php
146. http://www.linux-mandrake.com/en/flists.php3
147. http://www.netbsd.org/MailingLists/
148. http://www.openbsd.org/mail.html
149. http://www.redhat.com/mailing-lists/
150. http://www.slackware.com/lists/
151. http://www.stampede.org/mailinglists.php3
152. http://www.suse.com/en/support/mailinglists/index.html
153. http://www.trustix.net/support/
154. http://www.turbolinux.com/mailman/listinfo/tl-security-announce
155. http://lists.yellowdoglinux.com/ydl_updates.shtml
156. http://munitions.vipul.net/
157. http://www.zedz.net/
158. http://www.cert.org/nav/alerts.html
159. http://ciac.llnl.gov/ciac/
160. http://www.MountainWave.com/
161. http://www.counterpane.com/crypto-gram.html
162. http://linuxlock.org/
163. http://linuxsecurity.com/
164. http://www.securityfocus.com/
165. http://www.securityportal.com/
166. http://lwn.net/2002/0321/kernel.php3
167. http://www.eklektix.com/
168. http://www.eklektix.com/