ru.linux - RU.LINUX
---------------------------------------------------------------------
From    : Sergey Lentsov 2:4615/71.10        08 Feb 2002 14:32:46
To      : All
Subject : URL: http://www.lwn.net/2002/0207/security.php3
--------------------------------------------------------------------------------
See also: [11]last week's Security page.
Security
News and Editorials
Checking for root kits. After his security tutorial at Linux World,
LWN asked Michael H. Warfield, of [12]Internet Security Systems, if
there was one current security issue our readers should watch. It is
"root kits installed by intruders after they cracked your site to hide
their activities and protect their backdoors." Michael also mentioned,
in his talks, that "common worms have new exploits plus root kits
wrapped up with some crude scripting glue to propagate from system to
system and install backdoors with the rootkits hiding them."
Michael recommends regularly checking exposed systems by running
[13]chkrootkit. This nifty tool locally checks for signs of a rootkit.
Running it regularly and using diff to compare the results to past
runs is one way to look for compromised systems.
The Sardonix security auditing portal. Crispin Cowan has [14]announced
a new security portal designed to encourage auditing of code. "The
whole project is intended to leverage community skepticism of claims
of security, and the community's joyful habit of criticizing the work
of others, and so we call it Sardonix." There will be features to
track the auditing of various packages; it will also be able to audit
the auditors by tracking how many bugs are found after somebody has
declared it clean. The project is in an early stage, and contributors
are being sought. This work is supported by a DARPA grant.
Out of the box, Linux is 'dreadfully insecure' (Register). The
Register [15]reminds us that default installations for most Linux
distributions are insecure. "Jay Beale, the lead developer of Bastille
Linux and an independent security consultant, says it's not the
Unix-based systems with interesting stuff on them that get hacked,
it's the vulnerable ones. And if you're not prepared to tighten up
what you get from the vendor, it's just a matter of time."
Security Reports
Mandrake Linux Security Update - gzip. Mandrake has issued a security
advisory for [16]gzip. This fixes two problems with the gzip archiving
program; the first is a crash when an input file name is over 1020
characters, and the second is a buffer overflow that could be
exploited if gzip is run on a server such as an FTP server.
Net::FTPServer security fix. The Net::FTPServer project released this
[17]security fix to close a potential vulnerability "allowing users to
list directories to which they should not have access. If your
configuration file uses 'list rule', then you need to upgrade to
version 1.034."
PHP Safe Mode Filesystem Circumvention Problem. According to this
[18]post to Bugtraq: "If an attacker has access to a MySQL server
[...], he can use it as a proxy by which to download files residing on
the [PHP] safe_mode-enabled web server".
web scripts.
The following web scripts were reported to contain vulnerabilities:
* [19]Faq-O-Matic has a cross-site scripting vulnerability described
in this [20]Bugtraq post. There is a fix available in CVS
according to this [21]subsequent post.
Proprietary products.
The following proprietary products were reported to contain
vulnerabilities:
* Multiple vulnerabilities in Oracle 9i and 9iAS are described in
Bugtraq posts from NGSSoftware Insight. They are characterized as
potential [22]remote compromise, [23]multiple buffer overflows and
[24]JSP translation file access. Although the vulnerabilities are
described as present on "all operating systems", no mention is made
of verification on Linux.
* texis(CGI) has a path disclosure vulnerability described in
[25]this Bugtraq post.
Updates
Remotely exploitable vulnerability in pine. Pine has an unpleasant
vulnerability in URL handling which can lead to command execution by
remote attackers. (First LWN report: [26] January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution, setting
enable-msg-view-urls to "off" in pine's setup will avoid the
vulnerability. (Thanks to Greg Herlein).
This week's updates:
* [27]Conectiva (January 31, 2002)
Previous updates:
* [28]EnGarde (January 14, 2002)
* [29]Red Hat (January 14, 2002)
* [30]Slackware (January 13, 2002)
* [31]Yellow Dog (January 27, 2002)
A remotely exploitable hole in rsync. A vulnerability has been found in
the rsync server: it seems that the server did not pay enough attention
to the sign of numbers it reads from the client connection. This
oversight allows an attacker to write bytes containing zero almost
anywhere in the stack, with results similar to those caused by buffer
overflows. Sites running rsync in its daemon mode are thus vulnerable to
remote root compromises. Versions of rsync prior to 2.5.2 are
vulnerable. (First LWN report: [32] January 31st).
This week's updates:
* [33]Debian (February 3, 2002) (note: if you applied [34]the original
update, which broke rsync, you need to update again.)
Previous updates:
* [35]Conectiva (January 25, 2002)
* [36]EnGarde (January 25, 2002)
* [37]Mandrake (January 28, 2002)
* [38]Red Hat (January 30, 2002) (note that this alert was updated; if
you applied [39]the original version you should update again.)
* [40]Slackware (January 26, 2002)
* [41]SuSE (January 25, 2002)
* [42]Trustix (January 28, 2002)
* [43]Yellow Dog (January 27, 2002)
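The signedness flaw described above, shown as an added example that is not rsync's code: a 32-bit value supplied by the peer is used as an index into a fixed-size table. The weak check bounds it only from above, so a negative value passes and addresses memory below the table (for a stack buffer, that is other locals and saved control data, which is how a "bounded" write of a zero byte lands where the paragraph says). The hardened check bounds it on both sides and the message handler counts what it rejected so the caller can log it or drop the peer. The five-byte entry format, the table size SLOTS, the sample message and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define SLOTS 16
#define ENTRY_LEN 5   /* constructed format: 4-byte little-endian index + 1 data byte */

/* Decode a 32-bit little-endian value and reinterpret it as the protocol's
 * signed type (two's complement).  The peer controls every bit of it. */
int32_t read_s32(const unsigned char *p)
{
    uint32_t u = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    int32_t s;
    memcpy(&s, &u, sizeof s);
    return s;
}

/* Weak check: guards the upper bound only.  A negative index passes, and
 * slots[idx] then refers to memory below the array. */
bool weak_index_ok(int32_t idx)
{
    return idx < SLOTS;
}

/* Hardened check: reject the negative range as well as the overflow range. */
bool hardened_index_ok(int32_t idx)
{
    return idx >= 0 && idx < SLOTS;
}

/* Apply a message of (index, byte) entries to the slot table, storing only
 * entries that pass the hardened check.  Returns the number of rejected
 * entries so the caller can log the event or close the connection. */
int apply_entries(const unsigned char *msg, size_t len, unsigned char slots[SLOTS])
{
    int rejected = 0;
    for (size_t off = 0; off + ENTRY_LEN <= len; off += ENTRY_LEN) {
        int32_t idx = read_s32(msg + off);
        unsigned char val = msg[off + 4];
        if (!hardened_index_ok(idx)) {
            rejected++;
            continue;
        }
        slots[idx] = val;
    }
    return rejected;
}

/* Constructed sample message (not a captured rsync packet): indices 3, -1, 20, 0. */
const unsigned char sample_msg[] = {
    0x03, 0x00, 0x00, 0x00, 0xAA,   /* idx 3  -> accepted by both checks */
    0xFF, 0xFF, 0xFF, 0xFF, 0x00,   /* idx -1 -> passes the weak check only */
    0x14, 0x00, 0x00, 0x00, 0xBB,   /* idx 20 -> fails both checks */
    0x00, 0x00, 0x00, 0x00, 0xCC,   /* idx 0  -> accepted by both checks */
};

int main(void)
{
    unsigned char slots[SLOTS] = {0};
    int rejected = apply_entries(sample_msg, sizeof sample_msg, slots);
    printf("rejected %d of %zu entries; slots[3]=0x%02X slots[0]=0x%02X\n",
           rejected, sizeof sample_msg / ENTRY_LEN, slots[3], slots[0]);
    printf("weak check accepts index -1: %s\n", weak_index_ok(-1) ? "yes" : "no");
    printf("hardened check accepts index -1: %s\n", hardened_index_ok(-1) ? "yes" : "no");
    return 0;
}
```

The second entry is the instructive one: its index decodes to -1, which is "less than SLOTS" and so passes the weak check, while the hardened check rejects it along with the plainly out-of-range index 20. Comparing as unsigned (`(uint32_t)idx < SLOTS`) is an equivalent way to write the hardened check, since negative values become very large.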
Events
Upcoming Security Events.
The schedule for CodeCon 2002 has [44]been announced. "CodeCon is the
premier event in 2002 for the P2P, cypherpunk, and network/security
application developer community." CodeCon 2002 will be held at DNA
lounge in San Francisco, February 15th to 17th.
Date                      Event                                          Location
February 15 - 17, 2002    [45]CODECON 2002                               San Francisco, California, USA
February 18 - 22, 2002    [46]RSA Conference 2002                        San Jose, CA, USA
March 11 - 14, 2002       [47]Financial Cryptography 2002                Southampton, Bermuda
March 18 - 21, 2002       [48]Sixth Annual Distributed Objects and       Baltimore, Maryland, USA
                          Components Security Workshop                   (Pier 5 Hotel at the Inner Harbor)
April 7 - 10, 2002        [49]Techno-Security 2002 Conference            Myrtle Beach, SC
For additional security-related events, including training courses
(which we don't list above) and events further in the future, check
out Security Focus' [50]calendar, one of the primary resources we use
for building the above list. To submit an event directly to us, please
send a plain-text message to [51]lwn@lwn.net.
Section Editor: [52]Dennis Tenney
February 7, 2002
LWN Resources
[53]Security alerts archive
Secured Distributions:
[54]Astaro Security
[55]Blue Linux
[56]Castle
[57]Engarde Secure Linux
[58]Immunix
[59]Kaladix Linux
[60]NSA Security Enhanced
[61]Openwall GNU/Linux
[62]Trustix
Security Projects
[63]Bastille
[64]Linux Security Audit Project
[65]Linux Security Module
[66]OpenSSH
Security List Archives
[67]Bugtraq Archive
[68]Firewall Wizards Archive
[69]ISN Archive
Distribution-specific links
[70]Caldera Advisories
[71]Conectiva Updates
[72]Debian Alerts
[73]Kondara Advisories
[74]Esware Alerts
[75]LinuxPPC Security Updates
[76]Mandrake Updates
[77]Red Hat Errata
[78]SuSE Announcements
[79]Turbolinux
[80]Yellow Dog Errata
BSD-specific links
[81]BSDi
[82]FreeBSD
[83]NetBSD
[84]OpenBSD
Security mailing lists
[85]Caldera
[86]Cobalt
[87]Conectiva
[88]Debian
[89]Esware
[90]FreeBSD
[91]Kondara
[92]LASER5
[93]Linux From Scratch
[94]Linux-Mandrake
[95]NetBSD
[96]OpenBSD
[97]Red Hat
[98]Slackware
[99]Stampede
[100]SuSE
[101]Trustix
[102]turboLinux
[103]Yellow Dog
Security Software Archives
[104]munitions
[105]ZedZ.net (formerly replay.com)
Miscellaneous Resources
[106]CERT
[107]CIAC
[108]Comp Sec News Daily
[109]Crypto-GRAM
[110]LinuxLock.org
[111]LinuxSecurity.com
[112]Security Focus
[113]SecurityPortal
[115]Eklektix, Inc. Linux powered! Copyright © 2002 [116]Eklektix,
Inc., all rights reserved
Linux (R) is a registered trademark of Linus Torvalds
References
1. http://lwn.net/
2. http://lwn.net/2002/0207/
3. http://lwn.net/2002/0207/kernel.php3
4. http://lwn.net/2002/0207/dists.php3
5. http://lwn.net/2002/0207/devel.php3
6. http://lwn.net/2002/0207/commerce.php3
7. http://lwn.net/2002/0207/press.php3
8. http://lwn.net/2002/0207/announce.php3
9. http://lwn.net/2002/0207/letters.php3
10. http://lwn.net/2002/0207/bigpage.php3
11. http://lwn.net/2002/0131/security.php3
12. http://www.iss.net/
13. http://www.chkrootkit.org/
14. http://lwn.net/2002/0207/a/sardonix.php3
15. http://www.theregister.co.uk/content/55/23901.html
16. http://lwn.net/alerts/Mandrake/MDKSA-2002:011.php3
17. http://lwn.net/2002/0207/a/net-ftpserver.php3
18. http://lwn.net/2002/0207/a/phpsafemode.php3
19. http://faqomatic.sourceforge.net/
20. http://lwn.net/2002/0207/a/faqomatic.php3
21. http://lwn.net/2002/0207/a/faqomatic2.php3
22. http://lwn.net/2002/0207/a/oracle1.php3
23. http://lwn.net/2002/0207/a/oracle2.php3
24. http://lwn.net/2002/0207/a/oracle3.php3
25. http://lwn.net/2002/0207/a/texis.php3
26. http://lwn.net/2002/0117/security.php3#pine
27. http://lwn.net/alerts/Conectiva/CLA-2002:460.php3
28. http://lwn.net/alerts/EnGarde/ESA-20020114-002.php3
29. http://lwn.net/alerts/RedHat/RHSA-2002:009-06.php3
30. http://lwn.net/alerts/Slackware/sl-1010936849.php3
31. http://lwn.net/alerts/YellowDog/YDU-20020127-8.php3
32. http://lwn.net/2002/0131/security.php3#rsync
33. http://lwn.net/alerts/Debian/DSA-106-2.php3
34. http://lwn.net/alerts/Debian/DSA-106-1.php3
35. http://lwn.net/alerts/Conectiva/CLA-2002:458.php3
36. http://lwn.net/alerts/EnGarde/ESA-20020125-004.php3
37. http://lwn.net/alerts/Mandrake/MDKSA-2002:009.php3
38. http://lwn.net/alerts/RedHat/RHSA-2002:018-10.php3
39. http://lwn.net/alerts/RedHat/RHSA-2002:018-05.php3
40. http://lwn.net/alerts/Slackware/sl-1012057608.php3
41. http://lwn.net/alerts/SuSE/SuSE-SA:2002:004.php3
42. http://lwn.net/alerts/Trustix/2002-0025.php3
43. http://lwn.net/alerts/YellowDog/YDU-20020127-3.php3
44. http://lwn.net/2002/0207/a/codeconschedule.php3
45. http://www.codecon.org/
46. http://www.rsaconference.com/
47. http://www.fc02.ai/
48. http://www.omg.org/news/meetings/docsec2002/call.htm
49. http://www.TECHSEC.com/
50. http://securityfocus.com/calendar
51. mailto:lwn@lwn.net
52. mailto:lwn@lwn.net
53. http://lwn.net/alerts/
54. http://www.astaro.com/products/index.html
55. http://bluelinux.sourceforge.net/
56. http://castle.altlinux.ru/
57. http://www.engardelinux.org/
58. http://www.immunix.org/
59. http://www.kaladix.org/
60. http://www.nsa.gov/selinux/
61. http://www.openwall.com/Owl/
62. http://www.trustix.com/
63. http://www.bastille-linux.org/
64. http://lsap.org/
65. http://lsm.immunix.org/
66. http://www.openssh.com/
67. http://www.securityfocus.com/archive/1
68. http://www.nfr.net/firewall-wizards/
69. http://www.jammed.com/Lists/ISN/
70. http://www.calderasystems.com/support/security/
71. http://www.conectiva.com.br/atualizacoes/
72. http://www.debian.org/security/
73. http://www.kondara.org/errata/k12-security.html
74. http://www.esware.com/actualizaciones.html
75. http://linuxppc.org/security/advisories/
76. http://www.linux-mandrake.com/en/fupdates.php3
77. http://www.redhat.com/support/errata/index.html
78. http://www.suse.de/security/index.html
79. http://www.turbolinux.com/security/
80. http://www.yellowdoglinux.com/resources/
81. http://www.BSDI.COM/services/support/patches/
82. http://www.freebsd.org/security/security.html
83. http://www.NetBSD.ORG/Security/
84. http://www.openbsd.org/security.html
85. http://www.calderasystems.com/support/forums/announce.html
86. http://www.cobalt.com/support/resources/usergroups.html
87. http://distro.conectiva.com.br/atualizacoes/
88. http://www.debian.org/MailingLists/subscribe
89. http://www.esware.com/lista_correo.html
90. http://www.freebsd.org/handbook/eresources.html#ERESOURCES-MAIL
91. http://www.kondara.org/mailinglist.html.en
92. http://l5web.laser5.co.jp/ml/ml.html
93. http://www.linuxfromscratch.org/services/mailinglistinfo.php
94. http://www.linux-mandrake.com/en/flists.php3
95. http://www.netbsd.org/MailingLists/
96. http://www.openbsd.org/mail.html
97. http://www.redhat.com/mailing-lists/
98. http://www.slackware.com/lists/
99. http://www.stampede.org/mailinglists.php3
100. http://www.suse.com/en/support/mailinglists/index.html
101. http://www.trustix.net/support/
102. http://www.turbolinux.com/mailman/listinfo/tl-security-announce
103. http://lists.yellowdoglinux.com/ydl_updates.shtml
104. http://munitions.vipul.net/
105. http://www.zedz.net/
106. http://www.cert.org/nav/alerts.html
107. http://ciac.llnl.gov/ciac/
108. http://www.MountainWave.com/
109. http://www.counterpane.com/crypto-gram.html
110. http://linuxlock.org/
111. http://linuxsecurity.com/
112. http://www.securityfocus.com/
113. http://www.securityportal.com/
114. http://lwn.net/2002/0207/kernel.php3
115. http://www.eklektix.com/
116. http://www.eklektix.com/
--- ifmail v.2.14.os7-aks1
* Origin: Unknown (2:4615/71.10@fidonet)