ru.linux - RU.LINUX
From: Sergey Lentsov 2:4615/71.10, 18 Oct 2001 16:14:03
To: All
Subject: URL: http://www.lwn.net/2001/1018/security.php3
See also: [13]last week's Security page.
Security
News and Editorials
Bugtraq gets a new moderator. After six years of running the Bugtraq
mailing list, Elias Levy (also known as Aleph1) has [14]announced that
he is moving on. "I'd like to think I did not do a half-bad job, but
you are the judge of that." From LWN's point of view, Aleph1 has done
a great job; Bugtraq is and remains the premier, required-reading list
for anybody interested in computer and network security. He'll be
missed, but we'll expect new and interesting things to come from his
direction as he moves on to new challenges.
We wish the new moderator, David Ahmad, the best of luck as he takes
over this responsibility.
October CRYPTO-GRAM newsletter. Bruce Schneier's [15]CRYPTO-GRAM
newsletter for October is out. Covered topics include cyberterrorism
vs. "cyberhooliganism," the Nimda worm, the SANS top 20
vulnerabilities, and the SSSCA.
I have long argued that the entertainment industry doesn't want
people to have computers. Computers give users too much capability,
too much flexibility, too much freedom. The entertainment industry
wants users to sit back and consume things. They are trying to turn
a computer into an Internet Entertainment Platform, along the lines
of a television or VCR. This bill is a large step in that
direction.
Worth a read, as always.
Microsoft doesn't like disclosure. Microsoft has [16]fingered the
culprit for all those worms which have been feeding on its products:
disclosure of security vulnerabilities, otherwise known as
"information anarchy." The company is starting a new push to try to
get security experts to clamp down on vulnerability information. In
the words of Scott Culp, the manager of Microsoft's Security Response
Center:
But regardless of whether the remediation takes the form of a patch
or a workaround, an administrator doesn't need to know how a
vulnerability works in order to understand how to protect against
it, any more than a person needs to know how to cause a headache in
order to take an aspirin.
In other words, "trust us, we'll tell you what to do."
There are signs that some parts of Microsoft, at least, are taking
security a bit more seriously. The company would be well advised to
put its efforts into supporting those groups, rather than trying to
keep information on its vulnerabilities as proprietary as its
software.
Security Reports
Login vulnerability in PostNuke. The PostNuke web portal system (up to
version 0.64) [17]has a vulnerability which can allow an attacker to
log into other users' accounts. A fix is included in the report. It
appears that PhpNuke is also vulnerable to this attack. (We also still
have not seen a new PhpNuke release fixing the severe,
widely-exploited vulnerability in version 5.2.)
Buffer overflow vulnerability in snes9x. [18]Snes9x is a Super
Nintendo emulator which runs on Linux; it is occasionally installed
setuid root (though most Linux distributions do not ship it this way).
There is [19]a buffer overflow vulnerability in version 1.37 which may
be exploited by a local attacker to get root access on the system. A
new version is available from [20]the snes9x web site which fixes the
problem.
Improper credentials from login. A problem with the login program (in
the util-linux package) can, in some situations, cause a user to be
given the credentials of another user at login. Use of the pam_limits
module, in particular, can bring about this problem. In general,
distributions using the default PAM configuration are not vulnerable;
an upgrade is probably a good idea anyway.
Updates seen so far:
* [21]Red Hat (October 16, 2001)
* [22]Trustix (October 17, 2001)
Updates
Configuration file vulnerability in ht://Dig. The ht://Dig search
engine contains a vulnerability which allows a remote user to specify
an alternate configuration file. If that user is able to place a
suitable file in a location where ht://Dig can read it, the system may
be compromised. See [23]the original report from the ht://Dig project
for details. This vulnerability first appeared in [24]the October 11
LWN security page.
This week's updates:
* [25]Conectiva (October 10, 2001)
* [26]Debian (October 17, 2001)
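The ht://Dig report above turns on one thing: a request parameter that selects which configuration file the search program reads. The following is an added example, not ht://Dig's own code, showing the risky pattern beside a hardened one; the parameter name `config`, the directory `/etc/htdig` and the allowlist of names are assumptions made for the illustration.

```python
"""Added example (not ht://Dig's code): a user-chosen configuration
name must never become an arbitrary file path."""
import os
import re

CONFIG_DIR = "/etc/htdig"            # assumed directory holding *.conf files
ALLOWED_CONFIGS = {"htdig", "docs"}  # constructed allowlist of config names
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def unsafe_config_path(name: str) -> str:
    """The risky pattern: trust the request parameter and build a path from it.
    A relative name with '..' or an absolute name escapes CONFIG_DIR, so any
    file the process can read (including one the requester planted) can be
    loaded as the configuration."""
    return os.path.join(CONFIG_DIR, name + ".conf")


def safe_config_path(name: str) -> str:
    """Hardened version: accept only a known name made of safe characters,
    then confirm the resolved path still lies inside CONFIG_DIR."""
    if not _NAME_RE.match(name):
        raise ValueError("config name has disallowed characters")
    if name not in ALLOWED_CONFIGS:
        raise ValueError("config name not in allowlist")
    path = os.path.realpath(os.path.join(CONFIG_DIR, name + ".conf"))
    # A symlink inside CONFIG_DIR could still redirect the name elsewhere,
    # so check the fully resolved path, not the one we constructed.
    root = os.path.realpath(CONFIG_DIR) + os.sep
    if not path.startswith(root):
        raise ValueError("config path escapes the configuration directory")
    return path


def config_is_accepted(name: str) -> bool:
    """True if the hardened check lets this name through."""
    try:
        safe_config_path(name)
        return True
    except ValueError:
        return False


def config_for_request(query: dict) -> str:
    """Pick the configuration for a request; a missing parameter falls back
    to the default 'htdig' name rather than to whatever the client sends."""
    return safe_config_path(query.get("config", "htdig"))
```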
OpenSSH restricted host vulnerability. Versions of OpenSSH prior to
2.9.9 have a vulnerability that can allow logins from hosts which have
been explicitly denied access. The fix is to upgrade to [27]OpenSSH
2.9.9. This problem first appeared in [28]the October 4 LWN security
page.
This week's updates:
* [29]Mandrake (October 16, 2001)
* [30]Red Hat (October 9, 2001)
* [31]Trustix (October 17, 2001)
DTML scripting vulnerability in Zope. Versions 2.2.0 through 2.4.1 of
Zope have a vulnerability that can allow a suitably clever attacker to
circumvent the normal Zope access control mechanism. [32]A fix from
Zope Corp. is available which closes the hole. This vulnerability was
first reported in [33]the October 4 LWN security page.
This week's updates:
* [34]Mandrake (October 15, 2001)
* [35]Red Hat (October 9, 2001)
Events
Upcoming Security Events.
Date, event and location:
* November 5 - 8, 2001: [36]8th ACM Conference on Computer and Communication Security (CCS-8), Philadelphia, PA, USA
* November 13 - 15, 2001: [37]International Conference on Information and Communications Security (ICICS 2001), Xian, China
* November 19 - 22, 2001: [38]Black Hat Briefings, Amsterdam
* November 21 - 23, 2001: [39]International Information Warfare Symposium, AAL, Lucerne, Switzerland
* November 24 - 30, 2001: [40]Computer Security Mexico, Mexico City
* November 29 - 30, 2001: [41]International Cryptography Institute, Washington, DC
* December 2 - 7, 2001: [42]LISA 2001, 15th Systems Administration Conference, San Diego, CA
* December 5 - 6, 2001: [43]InfoSecurity Conference & Exhibition, Jacob K. Javits Center, New York, NY
* December 10 - 14, 2001: [44]Annual Computer Security Applications Conference, New Orleans, LA
For additional security-related events, including training courses
(which we don't list above) and events further in the future, check
out Security Focus' [45]calendar, one of the primary resources we use
for building the above list. To submit an event directly to us, please
send a plain-text message to [46]lwn@lwn.net.
Section Editor: [47]Jonathan Corbet
October 18, 2001
[111]Eklektix, Inc. Linux powered! Copyright © 2001 [112]Eklektix, Inc., all rights reserved
Linux (R) is a registered trademark of Linus Torvalds
References
1. http://lwn.net/
2. http://ads.tucows.com/click.ng/pageid=001-012-132-000-000-002-000-000-012
3. http://lwn.net/2001/1018/
4. http://lwn.net/2001/1018/kernel.php3
5. http://lwn.net/2001/1018/dists.php3
6. http://lwn.net/2001/1018/devel.php3
7. http://lwn.net/2001/1018/commerce.php3
8. http://lwn.net/2001/1018/press.php3
9. http://lwn.net/2001/1018/announce.php3
10. http://lwn.net/2001/1018/history.php3
11. http://lwn.net/2001/1018/letters.php3
12. http://lwn.net/2001/1018/bigpage.php3
13. http://lwn.net/2001/1011/security.php3
14. http://lwn.net/2001/1018/a/so-long.php3
15. http://lwn.net/2001/1018/a/crypto-gram.php3
16. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/noarch.asp
17. http://lwn.net/2001/1018/a/postnuke.php3
18. http://www.snes9x.com/
19. http://lwn.net/2001/1018/a/snes9x.php3
20. http://www.snes9x.com/
21. http://lwn.net/alerts/RedHat/RHSA-2001:132-03.php3
22. http://lwn.net/alerts/Trustix/2001-0025.php3
23. http://lwn.net/2001/1011/a/htdig.php3
24. http://lwn.net/2001/1011/security.php3#htdig
25. http://lwn.net/alerts/Conectiva/CLA-2001:429.php3
26. http://lwn.net/alerts/Debian/DSA-080-1.php3
27. http://lwn.net/2001/1004/a/openssh.php3
28. http://lwn.net/2001/1004/security.php3#openssh
29. http://lwn.net/alerts/Mandrake/MDKSA-2001:081.php3
30. http://lwn.net/alerts/RedHat/RHSA-2001:114-04.php3
31. http://lwn.net/alerts/Trustix/2001-0023.php3
32. http://lwn.net/2001/1004/a/zope-dtml-fmt.php3
33. http://lwn.net/2001/1004/security.php3#zope
34. http://lwn.net/alerts/Mandrake/MDKSA-2001:080.php3
35. http://lwn.net/alerts/RedHat/RHSA-2001:115-05.php3
36. http://www.bell-labs.com/user/reiter/ccs8/
37. http://homex.coolconnect.com/member2/icisa/icics2001.html
38. http://www.blackhat.com/
39. http://www.sympinfowarfare.ch/
40. http://www.seguridad2001.unam.mx/
41. http://www.nipli.org/isse/events/2001/cryptography
42. http://www.usenix.org/events/lisa2001/
43. http://www.infosecurityevent.com/mainmenu.asp
44. http://www.acsac.org/
45. http://securityfocus.com/calendar
46. mailto:lwn@lwn.net
47. mailto:lwn@lwn.net
48. http://ads.tucows.com/click.ng/buttonpos=lwnbuttonsecurity
49. http://lwn.net/alerts/
50. http://www.astaro.com/products/index.html
51. http://bluelinux.sourceforge.net/
52. http://castle.altlinux.ru/
53. http://www.engardelinux.org/
54. http://www.immunix.org/
55. http://www.kaladix.org/
56. http://www.nsa.gov/selinux/
57. http://www.openwall.com/Owl/
58. http://www.trustix.com/
59. http://www.bastille-linux.org/
60. http://lsap.org/
61. http://lsm.immunix.org/
62. http://www.openssh.com/
63. http://www.securityfocus.com/bugtraq/archive/
64. http://www.nfr.net/firewall-wizards/
65. http://www.jammed.com/Lists/ISN/
66. http://www.calderasystems.com/support/security/
67. http://www.conectiva.com.br/atualizacoes/
68. http://www.debian.org/security/
69. http://www.kondara.org/errata/k12-security.html
70. http://www.esware.com/actualizaciones.html
71. http://linuxppc.org/security/advisories/
72. http://www.linux-mandrake.com/en/fupdates.php3
73. http://www.redhat.com/support/errata/index.html
74. http://www.suse.de/security/index.html
75. http://www.yellowdoglinux.com/resources/errata.shtml
76. http://www.BSDI.COM/services/support/patches/
77. http://www.freebsd.org/security/security.html
78. http://www.NetBSD.ORG/Security/
79. http://www.openbsd.org/security.html
80. http://www.calderasystems.com/support/forums/announce.html
81. http://www.cobalt.com/support/resources/usergroups.html
82. http://distro.conectiva.com.br/atualizacoes/
83. http://www.debian.org/MailingLists/subscribe
84. http://www.esware.com/lista_correo.html
85. http://www.freebsd.org/handbook/eresources.html#ERESOURCES-MAIL
86. http://www.kondara.org/mailinglist.html.en
87. http://l5web.laser5.co.jp/ml/ml.html
88. http://www.linuxfromscratch.org/services/mailinglistinfo.php
89. http://www.linux-mandrake.com/en/flists.php3
90. http://www.netbsd.org/MailingLists/
91. http://www.openbsd.org/mail.html
92. http://www.redhat.com/mailing-lists/
93. http://www.slackware.com/lists/
94. http://www.stampede.org/mailinglists.php3
95. http://www.suse.com/en/support/mailinglists/index.html
96. http://www.trustix.net/support/
97. http://www.turbolinux.com/mailman/listinfo/tl-security-announce
98. http://lists.yellowdoglinux.com/ydl_updates.shtml
99. http://munitions.vipul.net/
100. http://www.zedz.net/
101. http://www.cert.org/nav/alerts.html
102. http://ciac.llnl.gov/ciac/
103. http://www.MountainWave.com/
104. http://www.counterpane.com/crypto-gram.html
105. http://linuxlock.org/
106. http://linuxsecurity.com/
107. http://www.opensec.net/
108. http://www.securityfocus.com/
109. http://www.securityportal.com/
110. http://lwn.net/2001/1018/kernel.php3
111. http://www.eklektix.com/
112. http://www.eklektix.com/
--- ifmail v.2.14.os7-aks1
* Origin: Unknown (2:4615/71.10@fidonet)