RU.LINUX
---------------------------------------------------------------------
From    : Sergey Lentsov 2:4615/71.10   13 Aug 2001 17:10:34
To      : All
Subject : URL: http://www.lwn.net/2001/0809/security.php3
---------------------------------------------------------------------
See also: [14]last week's Security page.
Security
News and Editorials
McAfee patent for Internet based security services. The war of silly
patents continues, this time invading the realm of security. McAfee
has received a patent that covers [15]securing, managing or optimizing
a personal computer, a fairly broad sounding description with far
reaching implications if it can actually hold up to challenges. The
patent does, in fact, seem to cover any sort of automated system
upgrade facilities such as those found in Ximian's Red Carpet or the
Red Hat Network.
The summary of the patent includes the following blurb:
The user directs the Internet browser to a Internet clinical
services provider web site computer and logs in to the site using
an identifier and a secure password and optionally makes a
selection of the type of servicing desired, wherein an
automatically-executing software package encapsulated within a
markup language communication unit deliverable across the Internet
is delivered, to the user computer, the automatically-executing
software package being adapted to perform security, management, or
optimization functions on the user computer.
As might be expected, The Register [16]took issue with this patent.
ZDNet [17]offered comments from both partners and competitors of
McAfee, including one rather arrogant quote from the patent holder.
"In an interview with the Associated Press, a McAfee representative
indicated that any company that is seen as 'willfully flaunting the
technology' may face legal action."
While the patent may be another shot in the ongoing feud between long
time rivals McAfee and Symantec, the impact of the patent could affect
how personal computers are maintained in the future. The future of
remote service provision, including such environments as .NET, may be
at stake. Fortunately, while prior art may be the saving grace once
again, one detailed step of the patent may prove even more open ended:
[The] transmitting [of] an electronic message in an e-mail format
from the server computer to the remotely located computer
indicating that a new product or a new application is available for
download.
Neither Ximian nor Red Hat nor even Debian requires sending of email
messages for notification of new software. Even further, the patent
explicitly calls for the payment of services which means at a minimum
Debian should be in the clear. And finally, the really silly part
here, the patent explicitly calls for the use of a "web browser," a
term which leaves open the interpretation of methods for accessing any
service on the Internet.
So while McAfee has its shiny new patent, its footing remains
unstable. Automated security updates instigated by the user using
standard web protocols may still be protected. We just have to wait
for challenges to begin.
Flaws found in key wireless protocol (ZDNet). Two researchers in
Israel, including Adi Shamir, one of the original RSA designers, and
another from Cisco have found a serious flaw in the cipher used to
protect messages on 802.11 wireless LANs. The flaw, reported in a
ZDNet article, [18]can expose the key in less than 15 minutes. What's
worse, the problem doesn't get more complex with longer keys.
By default, WEP uses a static 40-bit key, and although that is
often augmented in WLAN implementations, experts say the attack
would work nearly as quickly on longer keys because the complexity
of the attack grows linearly instead of exponentially in relation
to the key length.
In a separate incident reported in the same article, researchers at
AT&T used an inexpensive wireless card and a Linux system to break the
same cipher in WEP. Things are looking bleak for secure wireless
networking right now.
Code Redder. SecurityFocus posted a warning that [19]a new version of
Code Red was on the loose this week. This version, which gains access
in the same way as the original, was noted to be leaving backdoors in
systems.
Sklyarov updates. News of Dmitry Sklyarov's release on bail was
covered on the [20]Front Page this week. The news kept many news
sources busy and, in the interest of complete coverage, we'll
summarize what we've seen.
* Russian programmer Sklyarov freed on $50,000 bail
(SiliconValley.com) SiliconValley.com appeared to be the first to
[21]carry the news that Dmitry Sklyarov has been released on
$50,000 bail.
* Sklyarov: A Huge Sigh of Release (Wired) Here's [22]a Wired News
article on the release of Dmitry Sklyarov. "Paradoxically,
however, if the case against Sklyarov is dropped, the chances for
a constitutional challenge to the DMCA could perhaps be hampered,
some observers said. Sklyarov is thought to be the first criminal
defendant charged under the law, and many who oppose it see his
plight as a kind of Kafkaesque example of why the law needs to be
changed."
* Free Dmitry! (Salon) Salon has [23]come up with new ways of
applying pressure to get Dmitry Sklyarov out of jail. "2) Threaten
to unleash a virus even more successful than Sircam, and with a
payload so devastating as to threaten civilization itself: The
'Free Dmitry' virus will force any infected computer to play an
unending loop of Richard Stallman's rendition of the 'Free
Software Song.'"
* Dimitry Sklyarov: Enemy or friend? (ZDNet) Bruce Perens
[24]writes about Dmitry Sklyarov on ZDNet. "While publishers fret
over the potential of illegal copies of their books, Sklyarov's
presentation reveals that they could be ripped off in an
unexpected way: by producers of astonishingly inept cryptography
software. Sklyarov is in jail for revealing that secret."
Security Reports
Caldera update for Tomcat. Caldera issued a security advisory for
[25]Jakarta/Tomcat in their OpenLinux Server 3.1 distributions this
week. The update doesn't appear to address vulnerabilities reported
on external security lists but rather closes an internally reported
problem.
Zope security alert. A new [26]Zope security alert has come out. There
is, apparently, a problem in the permission checking code that would
allow a suitably clueful attacker to access objects which should not
be accessible. Zope versions 2.3.3 and the 2.4.0 alpha and beta
releases are all vulnerable. A fix is available from Zope Corp; we
have not yet seen any vendor updates.
SuSE advisory for xmcd. SuSE has posted a security advisory targeting
[27]xmcd, the GUI-based CD player system. The problem stems from
buffer overflows in Cda, a lower-level command line utility which
xmcd calls.
Proprietary products.
The following proprietary products were reported to contain
vulnerabilities:
* [28]Adobe PDF files were reported as being vulnerable to carrying
a computer virus. However, according to one virus writer and a
[29]follow-up posting, the trick still requires PDF readers to
actually open the embedded objects. The standard Acrobat reader
doesn't do that. Interestingly, one post to the BugTraq list asked
if virus scanners have to reach into PDF files now, what do they
do if the [30]PDF file is encrypted?
* Macromedia began warning users of [31]ColdFusion Server that
example applications left on ColdFusion servers can open those
servers to attacks. The advisory posted from ISS listed
[32]multiple platforms as being vulnerable.
Updates
Squid httpd acceleration ACL vulnerability.
Check the [33]July 26th Security Summary for details. Squid 2.3STABLE4
is affected; earlier versions are not. Red Hat 7.0 is reported to be
vulnerable, while earlier and later versions are not. Debian is
reported not vulnerable. A patch to fix the problem is available.
This week's updates:
* [34]Caldera
Previous updates:
* [35]Linux-Mandrake
* [36]Immunix
* [37]Trustix
* [38]Red Hat
Vulnerability in telnetd.
Check the [39]July 26th Security Summary for details. This problem is
actively being exploited on BSD systems.
This week's updates:
* [40]Caldera (official advisory)
Resources
A Net Unprotected (ZDNet). ZDNet talks to a few experts who fear the
worst is yet to come when dealing with [41]polymorphic worms like Code
Red. "A polymorphic buffer overflow morphs part of its code every time
it propagates. So any system designed to stop it can never identify
it, yet the initial buffer overflow attack code remains intact."
Events
Upcoming Security Events.
Date | Event | Location
August 9 - 10, 2001 | [42]CERT Conference 2001 | Omaha, NE, USA
August 10 - 12, 2001 | [43]Hackers at Large 2001 (HAL2001) | Enschede, Netherlands
August 13 - 17, 2001 | [44]10th USENIX Security Symposium 2001 Conference | Washington, D.C.
September 11 - 13, 2001 | [45]New Security Paradigms Workshop 2001 (NSPW) | Cloudcroft, New Mexico, USA
September 28 - 30, 2001 | [46]Canadian Association for Security and Intelligence Studies (CASIS 2001) | (Dalhousie University) Halifax, Nova Scotia, Canada
For additional security-related events, including training courses
(which we don't list above) and events further in the future, check
out Security Focus' [47]calendar, one of the primary resources we use
for building the above list. To submit an event directly to us, please
send a plain-text message to [48]lwn@lwn.net.
Section Editor: [49]Michael Hammel
August 9, 2001
Secured Distributions:
[51]Blue Linux
[52]Engarde Secure Linux
[53]Immunix
[54]Kaladix
[55]NSA Security Enhanced
[56]Openwall GNU/Linux
[57]Trustix
Security Projects
[58]Bastille
[59]Linux Security Audit Project
[60]Linux Security Module
[61]OpenSSH
Security List Archives
[62]Bugtraq Archive
[63]Firewall Wizards Archive
[64]ISN Archive
Distribution-specific links
[65]Caldera Advisories
[66]Conectiva Updates
[67]Debian Alerts
[68]Kondara Advisories
[69]Esware Alerts
[70]LinuxPPC Security Updates
[71]Mandrake Updates
[72]Red Hat Errata
[73]SuSE Announcements
[74]Yellow Dog Errata
BSD-specific links
[75]BSDi
[76]FreeBSD
[77]NetBSD
[78]OpenBSD
Security mailing lists
[79]Caldera
[80]Cobalt
[81]Conectiva
[82]Debian
[83]Esware
[84]FreeBSD
[85]Kondara
[86]LASER5
[87]Linux From Scratch
[88]Linux-Mandrake
[89]NetBSD
[90]OpenBSD
[91]Red Hat
[92]Slackware
[93]Stampede
[94]SuSE
[95]Trustix
[96]turboLinux
[97]Yellow Dog
Security Software Archives
[98]munitions
[99]ZedZ.net (formerly replay.com)
Miscellaneous Resources
[100]CERT
[101]CIAC
[102]Comp Sec News Daily
[103]Crypto-GRAM
[104]LinuxLock.org
[105]LinuxSecurity.com
[106]OpenSEC
[107]Security Focus
[108]SecurityPortal
[110]Eklektix, Inc. Linux powered! Copyright © 2001 [111]Eklektix,
Inc., all rights reserved
Linux (R) is a registered trademark of Linus Torvalds
References
1. http://lwn.net/
2. http://ads.tucows.com/click.ng/pageid=001-012-132-000-000-002-000-000-012
3. http://lwn.net/2001/0809/
4. http://lwn.net/2001/0809/kernel.php3
5. http://lwn.net/2001/0809/dists.php3
6. http://lwn.net/2001/0809/desktop.php3
7. http://lwn.net/2001/0809/devel.php3
8. http://lwn.net/2001/0809/commerce.php3
9. http://lwn.net/2001/0809/press.php3
10. http://lwn.net/2001/0809/announce.php3
11. http://lwn.net/2001/0809/history.php3
12. http://lwn.net/2001/0809/letters.php3
13. http://lwn.net/2001/0809/bigpage.php3
14. http://lwn.net/2001/0802/security.php3
15. http://164.195.100.11/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1='6,266,774'.WKU.&OS=PN/6,266,774&RS=PN/6,266,774
16. http://www.theregister.co.uk/content/56/20872.html
17. http://www.zdnet.com/eweek/stories/general/0,11011,2802506,00.html
18. http://www.zdnet.com/eweek/stories/general/0,11011,2802134,00.html
19. http://lwn.net/2001/0809/a/code-redder.php3
20. http://lwn.net/2001/0809/index.php3#sklyarov-update
21. http://www.siliconvalley.com/docs/news/depth/copyr080701.htm
22. http://wired.com/news/politics/0,1283,45879,00.html
23. http://www.salon.com/tech/log/2001/08/03/dmitry/index.html
24. http://www.zdnet.com/zdnn/stories/comment/0,5859,2800985,00.html
25. http://lwn.net/2001/0809/a/caldera-tomcat.php3
26. http://lwn.net/2001/0809/a/zope-hotfix.php3
27. http://lwn.net/2001/0809/a/suse-xmcd.php3
28. http://lwn.net/2001/0809/a/adobe-pdf-vul.php3
29. http://lwn.net/2001/0809/a/adobe-pdf-followup.php3
30. http://lwn.net/2001/0809/a/pdf-encrypt-q.php3
31. http://www.newsalert.com/bin/story?StoryId=Co3c5qc4bmdaWmtu&Print=1
32. http://lwn.net/2001/0809/a/coldfusion-iss.php3
33. http://lwn.net/2001/0726/security.php3#squid
34. http://lwn.net/2001/0809/a/caldera-squid.php3
35. http://lwn.net/2001/0802/a/lm-squid.php3
36. http://lwn.net/2001/0726/a/imm-squid.php3
37. http://lwn.net/2001/0726/a/trustix-squid.php3
38. http://lwn.net/2001/0726/a/rh-squid.php3
39. http://lwn.net/2001/0726/security.php3#mtelnetd
40. http://lwn.net/2001/0809/a/caldera-telnetd.php3
41. http://www.zdnet.com/intweek/stories/news/0,4164,2801552,00.html
42. http://www.certconf.org/
43. http://www.hal2001.org/hal/01Home/index.html
44. http://www.usenix.org/events/sec2001
45. http://www.nspw.org/
46. http://www.sfu.ca/igs/CASIS/
47. http://securityfocus.com/calendar
48. mailto:lwn@lwn.net
49. mailto:lwn@lwn.net
50. http://ads.tucows.com/click.ng/buttonpos=lwnbuttonsecurity
51. http://bluelinux.sourceforge.net/
52. http://www.engardelinux.org/
53. http://www.immunix.org/
54. http://www.maganation.com/~kaladix/
55. http://www.nsa.gov/selinux/
56. http://www.openwall.com/Owl/
57. http://www.trustix.com/
58. http://www.bastille-linux.org/
59. http://lsap.org/
60. http://lsm.immunix.org/
61. http://www.openssh.com/
62. http://www.securityfocus.com/bugtraq/archive/
63. http://www.nfr.net/firewall-wizards/
64. http://www.jammed.com/Lists/ISN/
65. http://www.calderasystems.com/support/security/
66. http://www.conectiva.com.br/atualizacoes/
67. http://www.debian.org/security/
68. http://www.kondara.org/errata/k12-security.html
69. http://www.esware.com/actualizaciones.html
70. http://linuxppc.org/security/advisories/
71. http://www.linux-mandrake.com/en/fupdates.php3
72. http://www.redhat.com/support/errata/index.html
73. http://www.suse.de/security/index.html
74. http://www.yellowdoglinux.com/resources/errata.shtml
75. http://www.BSDI.COM/services/support/patches/
76. http://www.freebsd.org/security/security.html
77. http://www.NetBSD.ORG/Security/
78. http://www.openbsd.org/security.html
79. http://www.calderasystems.com/support/forums/announce.html
80. http://www.cobalt.com/support/resources/usergroups.html
81. http://distro.conectiva.com.br/atualizacoes/
82. http://www.debian.org/MailingLists/subscribe
83. http://www.esware.com/lista_correo.html
84. http://www.freebsd.org/handbook/eresources.html#ERESOURCES-MAIL
85. http://www.kondara.org/mailinglist.html.en
86. http://l5web.laser5.co.jp/ml/ml.html
87. http://www.linuxfromscratch.org/services/mailinglistinfo.php
88. http://www.linux-mandrake.com/en/flists.php3
89. http://www.netbsd.org/MailingLists/
90. http://www.openbsd.org/mail.html
91. http://www.redhat.com/mailing-lists/
92. http://www.slackware.com/lists/
93. http://www.stampede.org/mailinglists.php3
94. http://www.suse.com/en/support/mailinglists/index.html
95. http://www.trustix.net/support/
96. http://www.turbolinux.com/mailman/listinfo/tl-security-announce
97. http://lists.yellowdoglinux.com/ydl_updates.shtml
98. http://munitions.vipul.net/
99. http://www.zedz.net/
100. http://www.cert.org/nav/alerts.html
101. http://ciac.llnl.gov/ciac/
102. http://www.MountainWave.com/
103. http://www.counterpane.com/crypto-gram.html
104. http://linuxlock.org/
105. http://linuxsecurity.com/
106. http://www.opensec.net/
107. http://www.securityfocus.com/
108. http://www.securityportal.com/
109. http://lwn.net/2001/0809/kernel.php3
110. http://www.eklektix.com/
111. http://www.eklektix.com/
--- ifmail v.2.14.os7-aks1
* Origin: Unknown (2:4615/71.10@fidonet)