RU.LINUX
From: Sergey Lentsov 2:4615/71.10, 11 Apr 2002 19:37:28
To: All
Subject: URL: http://www.lwn.net/2002/0411/security.php3
See also: [11]last week's Security page.
Security
News and Editorials
Red Hat Unveils CVE Security Compatibility. Red Hat [12]announced that
their security alerts and advisories, including updates issued through
the Red Hat Network, will use Common Vulnerabilities and Exposures
(CVE) standard names. The [13]CVE project has been working since 1999
to create a standard way of talking about security problems. So far,
[14]fifty-one organizations have declared that [15]seventy-six network
security products or services are, or will be, CVE-compatible.
Other Linux distributors who have adopted CVE at some level include
Caldera, Debian, EnGarde Secure Linux and Mandrake Linux. LWN
published a brief introduction to CVE in our [16]February 28th
security section.
New Evans Data Survey Reports Security Breaches Rare in Linux
Environment. An Evans Data Corp. survey [17]looks at Linux security
statistics. "According to CERT, a center for Internet security
expertise operated by Carnegie Mellon University, the total number of
computer attacks has almost doubled every year since 1988. However,
the rarity of security breaches in the Linux environment is
illustrated by the fact that 78% of respondents to the survey have
never experienced an unwanted intrusion and 94% have operated
virus-free."
Open sourcers wear the white hats (ZDNet). Here's an [18]article by
Bruce Perens about the difference in the security of open-source and
proprietary software. "In contrast, open source has a lot of "white
hats" looking at the source. They often do find security bugs while
working on other aspects of the code, and the bugs are reported and
closed. However, open source can still profit from a formal security
review, just as proprietary code can, and there is an accelerating
trend to do formal security reviews in open-source projects."
Security Reports
IMP 2.2.8 released. Version 2.2.8 of IMP [19]has been released; it
fixes some vulnerabilities. "The Horde team announces the availability
of IMP 2.2.6, which fixes three potential security issues. We strongly
recommend that all sites running IMP 2.2.x upgrade to this version."
Red Hat Security Advisory - tcpdump. Updated [20]tcpdump, libpcap, and
arpwatch packages are available for Red Hat Linux 6.2 and 7.x. These
updates close vulnerabilities present in versions of tcpdump up to
3.5.1 and various other bugs.
Red Hat Security Advisory - logwatch. Updated Red Hat Linux 7.2
[21]logwatch packages are available that fix tmp file race conditions
which can cause a local user to gain root privileges. Here's the same
alert for the Red Hat Powertools [22]logwatch.
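The logwatch alert above is a classic temporary-file race: a script that writes to a predictable name under /tmp can be tricked into following a file or symlink that a local user planted there first, and when the script runs as root that write happens as root. The following C program is an added example (not logwatch's code, which is a script) showing the two defensive patterns that close the race: mkstemp() for unpredictable names, and O_CREAT|O_EXCL|O_NOFOLLOW for a fixed name, together with an fstat()-based check of what was actually opened. The directory and the "logwatch." prefix are assumptions made for the illustration.

```c
/* Added example, not logwatch's own code: race-free scratch file creation
 * and a descriptor-based sanity check. Directory and prefix are assumed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Inspect the open descriptor, not the path (the path can change under
 * us): must be a regular file, owned by us, with no group/other bits and
 * exactly one link. Returns 1 if the file is safe to use, 0 otherwise. */
int tempfile_is_safe(int fd)
{
    struct stat st;
    if (fstat(fd, &st) == -1) return 0;
    if (!S_ISREG(st.st_mode)) return 0;      /* a FIFO, device or directory */
    if (st.st_uid != geteuid()) return 0;    /* somebody else's file */
    if ((st.st_mode & 077) != 0) return 0;   /* readable/writable by others */
    if (st.st_nlink != 1) return 0;          /* hard-linked elsewhere */
    return 1;
}

/* Open a fresh temporary file under `dir`. mkstemp() creates it with
 * O_CREAT|O_EXCL and mode 0600, so a planted file or symlink at the same
 * name makes the call fail instead of being followed. On success the path
 * is written to `path_out` and the descriptor is returned; -1 on error. */
int open_private_tempfile(const char *dir, char *path_out, size_t path_sz)
{
    int n = snprintf(path_out, path_sz, "%s/logwatch.XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_sz) return -1;
    int fd = mkstemp(path_out);
    if (fd == -1) return -1;
    if (!tempfile_is_safe(fd)) {             /* belt and braces */
        close(fd);
        unlink(path_out);
        return -1;
    }
    return fd;
}

/* For a fixed, predictable name the old "open with O_TRUNC" idiom is the
 * bug: O_EXCL turns a pre-created file into a hard failure (EEXIST) and
 * O_NOFOLLOW refuses to traverse a symlink planted at that name. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

int main(void)
{
    char path[256];
    int fd = open_private_tempfile("/tmp", path, sizeof path);
    if (fd == -1) { perror("open_private_tempfile"); return 1; }
    printf("created %s (safe=%d)\n", path, tempfile_is_safe(fd));

    /* Simulate the attack: the name already exists when we try to use it. */
    int again = open_exclusive(path);
    printf("open_exclusive on existing name: %d (%s)\n",
           again, again == -1 ? strerror(errno) : "opened");
    if (again != -1) close(again);
    close(fd);
    unlink(path);
    return 0;
}
```

The important design choice is that every decision is made on the descriptor returned by the kernel, never on a path that was checked a moment earlier; the check-then-use window is exactly what a tmp race exploits.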
Web scripts.
The following web scripts were reported to contain vulnerabilities:
* Steve Gustin has [23]reported a remote code execution
vulnerability in csGuestBook, csLiveSupport, csNewsPro and
csChatRBox. Updates that fix the vulnerability are available from
[24]CGIScript.net.
Proprietary products.
The following proprietary products were reported to contain
vulnerabilities:
* [25]Emumail has a reported [26]vulnerability in emumail.cgi which
allows viewing of arbitrary files on the server.
Updates
Apache spoofed information logging vulnerability. Versions of Apache
prior to 1.3.24 sometimes put invalid client hostnames in the log
file. A remote attacker may exploit this behavior to insert spoofed
information into the webserver logs. The fix is to upgrade to the
recent Apache 1.3.24 release. (First LWN report: [27]March 28th).
This week's updates:
* [28]Eridani (April 5, 2002).
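The Apache item above is about a log writer trusting a value the client can influence: the reverse-DNS name of the connecting host. If that string is written verbatim, a name containing a line break or control characters can start a forged record inside the access log. The C program below is an added example, not Apache's code, of the two checks a log writer can apply on its own side: syntactic validation of the hostname (falling back to the client IP when it fails) and escaping of every control byte before the field is written. The common-log-format layout and the function names are assumptions for the illustration.

```c
/* Added example, not Apache's code: keep client-controlled strings from
 * forging access-log records. Layout and names are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Syntactic hostname check: 1-253 bytes, dot-separated labels of 1-63
 * letters, digits or hyphens, no label starting or ending with a hyphen,
 * nothing else (so a newline or space fails immediately). */
int hostname_is_valid(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 253) return 0;
    size_t label = 0;
    for (size_t i = 0; i <= len; i++) {
        char c = name[i];
        if (c == '.' || c == '\0') {
            if (label == 0 || label > 63) return 0;   /* empty or oversized label */
            if (name[i - 1] == '-') return 0;          /* trailing hyphen */
            label = 0;
            continue;
        }
        if (label == 0 && c == '-') return 0;          /* leading hyphen */
        if (!isalnum((unsigned char)c) && c != '-') return 0;
        label++;
    }
    return 1;
}

/* Return a malloc'd copy of `field` in which every control or non-ASCII
 * byte is rewritten as \xHH and backslashes are doubled, so the field
 * can never contain the line break that would start a forged record.
 * The caller frees the result. */
char *escape_log_field(const char *field)
{
    size_t len = strlen(field);
    char *out = malloc(len * 4 + 1);           /* worst case: every byte -> \xHH */
    if (!out) return NULL;
    char *p = out;
    for (const unsigned char *s = (const unsigned char *)field; *s; s++) {
        if (*s < 0x20 || *s >= 0x7f)
            p += sprintf(p, "\\x%02x", *s);
        else if (*s == '\\')
            { *p++ = '\\'; *p++ = '\\'; }
        else
            *p++ = (char)*s;
    }
    *p = '\0';
    return out;
}

/* Build one access-log line. A hostname that fails validation is replaced
 * by the literal client IP, and both fields are escaped before use.
 * Returns the line length, or -1 on error or truncation. */
int format_access_line(char *buf, size_t bufsz, const char *ip,
                       const char *host, const char *request)
{
    const char *who = hostname_is_valid(host) ? host : ip;
    char *esc_who = escape_log_field(who);
    char *esc_req = escape_log_field(request);
    int n = -1;
    if (esc_who && esc_req)
        n = snprintf(buf, bufsz, "%s - - \"%s\"", esc_who, esc_req);
    free(esc_who);
    free(esc_req);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : n;
}

int main(void)
{
    /* Constructed inputs: a benign host and a "host" carrying a fake record. */
    const char *forged = "victim.example\n10.0.0.1 - - \"GET /admin HTTP/1.0\"";
    char line[512];
    format_access_line(line, sizeof line, "192.0.2.1", "www.example.com", "GET / HTTP/1.0");
    puts(line);
    format_access_line(line, sizeof line, "192.0.2.1", forged, "GET /x HTTP/1.0");
    puts(line);                              /* one line, newline rendered as \x0a */
    return 0;
}
```

Validation and escaping are deliberately separate: validation decides whether the resolver result is worth logging at all, while escaping guarantees that whatever is logged stays on one line even if a future field (a request line, a user agent) is not validated.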
rsync supplementary groups vulnerability. Ethan Benson [29]reported
that rsyncd fails to remove supplementary groups (such as root) from
the server process after changing to the specified unprivileged uid
and gid. "This seems only serious if rsync is called using "rsync
--daemon" from the command line where it will inherit the group of the
user starting the server (usually root)." (First LWN report:
[30]March 14th).
This week's updates:
* [31]Caldera (April 3, 2002)
Previous updates:
* [32]Mandrake (March 13, 2002)
* [33]Red Hat (March 21, 2002)
* [34]Slackware (March 12, 2002)
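The rsync report above describes a privilege-drop ordering mistake: the daemon switches to the unprivileged uid and gid but leaves the supplementary group list it inherited from the user who started it, so the server process still carries group root. The C program below is an added example, not rsync's code, of the only order that works (clear supplementary groups, then setgid, then setuid, then verify) and of an audit routine that reports how many supplementary groups other than the expected one a running process still holds. The function names are assumptions for the illustration; drop_privileges() needs root to succeed, while the audit can be run as any user.

```c
/* Added example, not rsync's code: complete privilege drop and an audit of
 * the supplementary group list. Function names are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure helper: how many entries in `groups` are not `keep`? Anything
 * non-zero means a supplementary group leaked into the process. */
int count_leaked_groups(const gid_t *groups, int ngroups, gid_t keep)
{
    int leaked = 0;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] != keep)
            leaked++;
    return leaked;
}

/* Audit the calling process: number of supplementary groups other than
 * `keep` it currently holds, or -1 if getgroups() fails. */
int audit_current_groups(gid_t keep)
{
    int n = getgroups(0, NULL);               /* ask for the count first */
    if (n < 0) return -1;
    if (n == 0) return 0;
    gid_t *groups = malloc((size_t)n * sizeof *groups);
    if (!groups) return -1;
    n = getgroups(n, groups);
    int leaked = (n < 0) ? -1 : count_leaked_groups(groups, n, keep);
    free(groups);
    return leaked;
}

/* Drop to uid/gid in the one order that works. setgroups() must come
 * first because it needs root; once setuid() has run it can no longer be
 * called, which is why skipping it cannot be repaired later. Returns 0 on
 * success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) == -1) return -1;  /* the step the report says was skipped */
    if (setgid(gid) == -1) return -1;
    if (setuid(uid) == -1) return -1;

    /* Verify the drop took effect and cannot be undone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    if (uid != 0 && setuid(0) == 0) {         /* must fail for a real drop */
        errno = EPERM;
        return -1;
    }
    if (audit_current_groups(gid) != 0) {     /* no stray supplementary groups */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Run as any user: report what the supplementary list looks like now. */
    int leaked = audit_current_groups(getegid());
    if (leaked < 0) { perror("getgroups"); return 1; }
    printf("supplementary groups other than egid %u: %d\n",
           (unsigned)getegid(), leaked);
    return leaked != 0;
}
```

The audit is the piece worth keeping around: run it from inside a daemon right after its privilege drop, or from a wrapper that exec()s the daemon, and a leaked group such as root shows up as a non-zero count instead of going unnoticed until someone reads a bug report.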
Multiple vulnerabilities in SNMP implementations. Most SNMP
implementations out there have a variety of buffer overflow
vulnerabilities and should be upgraded at first opportunity. See
[35]this CERT advisory for more. (First LWN report: [36]February 14).
This week's updates:
* [37]SuSE (April 8, 2002) (ucdsnmp)
Previous updates:
* [38]Caldera (January 22, 2002)
* [39]Conectiva (February 14, 2002)
* [40]Debian (February 28, 2002) (first update caused some problems)
* [41]Debian (February 14, 2002)
* [42]Eridani Linux (February 22, 2002)
* [43]Mandrake (February 15, 2002)
* [44]Red Hat (February 12, 2002)
* [45]Yellow Dog (February 11, 2002)
zlib corrupts malloc data structures via double free. This
vulnerability impacts all major Linux vendors. It may impact every
Linux installation on Earth. Updates are required to zlib and any
packages that were statically built with the zlib code. (First LWN
report: [46]March 14).
LinuxSecurity [47]describes the vulnerability and coordinated
distributor efforts in detail. "Packages including X11, rsync, the
Linux kernel, QT, mozilla, gcc, vnc, and many other programs that have
the ability to use network compression are potentially vulnerable."
Updating is recommended. As always, please proceed with caution when
applying updates to the kernel.
This week's updates:
* [48]Caldera (April 4, 2002) (libz and derived packages)
* [49]Caldera (April 3, 2002) (rsync)
Previous updates:
* [50]Conectiva (March 14, 2002) (zlib and derived packages)
* [51]Debian (March 11, 2002) (nine packages)
* [52]EnGarde (March 11, 2002) (zlib kernel popt rsync)
* [53]Eridani (March 22, 2002) (kernel update to [54]March 13 alert)
* [55]Eridani (March 13, 2002) (libz)
* [56]Eridani (March 13, 2002) (vnc dump cvs rsync kernel)
* [57]Mandrake (March 13, 2002) (packages containing zlib)
* [58]Mandrake (March 12, 2002) (zlib)
* [59]Mandrake (March 12, 2002) (twelve packages including kernel)
* [60]OpenPKG (March 12, 2002) (zlib cvs gnupg rrdtool rsync)
* [61]Red Hat (March 21, 2002) (Powertools 6.2 VNC update to
[62]March 11 fix; sparc64 kernel for Red Hat 6.2)
* [63]Red Hat (March 15, 2002) (kernel for Red Hat 6.2 & 7.0)
* [64]Red Hat (March 11, 2002) (Red Hat Linux; also apply the March
15 kernel update)
* [65]Red Hat (March 11, 2002) (Red Hat Powertools)
* [66]SuSE (March 11, 2002) (libz/zlib)
* [67]SuSE (March 11, 2002) (eight packages including kernel)
* [68]Slackware (March 12, 2002) (zlib)
* [69]Slackware (March 12, 2002) (rsync)
* [70]Slackware (March 12, 2002) (cvs)
* [71]Trustix (March 18, 2002) (zlib and derived packages)
See also: articles in [72]ZDNet and [73]The Register about the zlib
vulnerability. And, these reports from [74]ZDNet and [75]Vnunet on
this vulnerability in some of Microsoft's major applications.
Resources
Linux security week. The [76]Linux Security Week and [77]Linux
Advisory Watch publications from LinuxSecurity.com are available.
Network security tips for managers (ZDNet). While not Linux (or Unix)
specific, [78]this article does contain some good security tips. "To
see what may be listening on the computers in your network, you should
use a simple hacker's tool known as a port scanner. Software that is
used across a network listens to network information on a port. There
are a number of ports available on most servers. By using a tool known
as a port scanner, a hacker checks for every possible piece of network
software. If it answers, the hacker tries to find more information
about the computer. The hacker then tries to exploit that port.
However, you can use it just as a list of what's listening on a
computer and check to make sure you don't have unnecessary software
running."
Events
Black Hat Briefings 2002 call for papers. Black Hat has issued this
[79]reminder that the Black Hat 2002 Call for Papers closes May 1st.
The conference is held from July 31-August 1, 2002 at the Caesars
Palace Hotel and Resort in Las Vegas, NV, USA.
Upcoming Security Events (date: event; location).
April 14 - 15, 2002: [80]Workshop on Privacy Enhancing Technologies 2002; Cathedral Hill Hotel, San Francisco, California, USA
April 15 - 19, 2002: [81]InfoSec 2002; UniNet IRC network (irc.uninet.edu), channel #infosec
April 16 - 19, 2002: [82]The Twelfth Conference on Computers, Freedom & Privacy; Cathedral Hill Hotel, San Francisco, California, USA
April 23 - 25, 2002: [83]Infosecurity Europe 2002; Olympia, London, UK
May 1 - 3, 2002: [84]cansecwest/core02; Vancouver, Canada
May 4 - 5, 2002: [85]DallasCon; Dallas, TX, USA
May 12 - 15, 2002: [86]2002 IEEE Symposium on Security and Privacy; The Claremont Resort, Oakland, California, USA
May 13 - 14, 2002: [87]3rd International Common Criteria Conference (ICCC); Ottawa, Ont., Canada
May 13 - 17, 2002: 14th Annual Canadian Information Technology Security Symposium (CITSS); Ottawa Congress Centre, Ottawa, Ontario, Canada
May 27 - 31, 2002: [88]3rd International SANE Conference (SANE 2002); Maastricht, The Netherlands
May 29 - 30, 2002: [89]RSA Conference 2002 Japan; Akasaka Prince Hotel, Tokyo, Japan
For additional security-related events, including training courses
(which we don't list above) and events further in the future, check
out Security Focus' [90]calendar, one of the primary resources we use
for building the above list. To submit an event directly to us, please
send a plain-text message to [91]lwn@lwn.net.
Section Editor: [92]Dennis Tenney
April 11, 2002
LWN Resources
[94]Security alerts archive
Secured Distributions:
[95]Astaro Security
[96]Blue Linux
[97]Castle
[98]Engarde Secure Linux
[99]Immunix
[100]Kaladix Linux
[101]NSA Security Enhanced
[102]Openwall GNU/Linux
[103]Trustix
Security Projects
[104]Bastille
[105]Linux Security Audit Project
[106]Linux Security Module
[107]OpenSSH
Security List Archives
[108]Bugtraq Archive
[109]Firewall Wizards Archive
[110]ISN Archive
Distribution-specific links
[111]Caldera Advisories
[112]Conectiva Updates
[113]Debian Alerts
[114]Kondara Advisories
[115]Esware Alerts
[116]LinuxPPC Security Updates
[117]Mandrake Updates
[118]Red Hat Errata
[119]SuSE Announcements
[120]Turbolinux
[121]Yellow Dog Errata
BSD-specific links
[122]BSDi
[123]FreeBSD
[124]NetBSD
[125]OpenBSD
Security mailing lists
[126]Caldera
[127]Cobalt
[128]Conectiva
[129]Debian
[130]Esware
[131]FreeBSD
[132]Kondara
[133]LASER5
[134]Linux From Scratch
[135]Linux-Mandrake
[136]NetBSD
[137]OpenBSD
[138]Red Hat
[139]Slackware
[140]Stampede
[141]SuSE
[142]Trustix
[143]turboLinux
[144]Yellow Dog
Security Software Archives
[145]munitions
[146]ZedZ.net (formerly replay.com)
Miscellaneous Resources
[147]CERT
[148]CIAC
[149]Comp Sec News Daily
[150]Crypto-GRAM
[151]LinuxLock.org
[152]LinuxSecurity.com
[153]Security Focus
[154]SecurityPortal
[156]Eklektix, Inc. Linux powered! Copyright © 2002 [157]Eklektix,
Inc., all rights reserved
Linux (R) is a registered trademark of Linus Torvalds
References
1. http://lwn.net/
2. http://lwn.net/2002/0411/
3. http://lwn.net/2002/0411/kernel.php3
4. http://lwn.net/2002/0411/dists.php3
5. http://lwn.net/2002/0411/devel.php3
6. http://lwn.net/2002/0411/commerce.php3
7. http://lwn.net/2002/0411/press.php3
8. http://lwn.net/2002/0411/announce.php3
9. http://lwn.net/2002/0411/letters.php3
10. http://lwn.net/2002/0411/bigpage.php3
11. http://lwn.net/2002/0404/security.php3
12. http://www.businesswire.com/cgi-bin/f_headline.cgi?bw.041002/221002075&ticker=RHAT
13. http://cve.mitre.org/
14. http://cve.mitre.org/compatible/
15. http://cve.mitre.org/compatible
16. http://lwn.net/2002/0228/security.php3
17. http://www.businesswire.com/cgi-bin/f_headline.cgi?bw.040802/220982285
18. http://www.zdnet.com/techupdate/stories/main/0,14179,2859555,00.html
19. http://lwn.net/2002/0411/a/imp228.php3
20. http://lwn.net/alerts/RedHat/RHSA-2001:089-08.php3
21. http://lwn.net/alerts/RedHat/RHSA-2002:053-12.php3
22. http://lwn.net/alerts/RedHat/RHSA-2002:054-09.php3
23. http://lwn.net/2002/0411/a/cgiscript.php3
24. http://www.cgiscript.net/
25. http://www.emumail.com/
26. http://lwn.net/2002/0411/a/emumail.php3
27. http://lwn.net/2002/0328/security.php3#apache
28. http://lwn.net/alerts/Eridani/ERISA-2002:012.php3
29. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=132272
30. http://lwn.net/2002/0314/security.php3#rsync
31. http://lwn.net/alerts/Caldera/CSSA-2002-014.0.php3
32. http://lwn.net/alerts/Mandrake/MDKSA-2002:024.php3
33. http://lwn.net/alerts/RedHat/RHSA-2002:026-43.php3
34. http://lwn.net/alerts/Slackware/sl-1015950024.php3
35. http://lwn.net/2002/0214/a/cert-snmp.php3
36. http://lwn.net/2002/0214/security.php3
37. http://lwn.net/alerts/SuSE/SuSE-SA:2002:012.php3
38. http://lwn.net/alerts/Caldera/CSSA-2002-004.0.php3
39. http://lwn.net/alerts/Conectiva/CLA-2002:462.php3
40. http://lwn.net/alerts/Debian/DSA-111-2.php3
41. http://lwn.net/alerts/Debian/DSA-111-1.php3
42. http://lwn.net/2002/0228/a/el-sec.php3
43. http://lwn.net/alerts/Mandrake/MDKSA-2002:014.php3
44. http://lwn.net/alerts/RedHat/RHSA-2001:163-20.php3
45. http://lwn.net/alerts/YellowDog/YDU-20020211-1.php3
46. http://lwn.net/2002/0314/security.php3#zlib
47. http://www.linuxsecurity.com/articles/security_sources_article-4582.html
48. http://lwn.net/alerts/Caldera/CSSA-2002-015.0.php3
49. http://lwn.net/alerts/Caldera/CSSA-2002-014.0.php3
50. http://lwn.net/alerts/Conectiva/CLA-2002:469.php3
51. http://lwn.net/alerts/Debian/DSA-122-1.php3
52. http://lwn.net/alerts/EnGarde/ESA-20020311-008.php3
53. http://vena.lwn.net/alerts/Eridani/ERISA-2002:000.php3
54. http://lwn.net/alerts/Eridani/ERISA-2002:008.php3
55. http://lwn.net/alerts/Eridani/ERISA-2002:008.php3
56. http://lwn.net/alerts/Eridani/ERISA-2002:009.php3
57. http://lwn.net/alerts/Mandrake/MDKSA-2002:023-1.php3
58. http://lwn.net/alerts/Mandrake/MDKSA-2002:022.php3
59. http://lwn.net/alerts/Mandrake/MDKSA-2002:023.php3
60. http://lwn.net/alerts/OpenPKG/OpenPKG-SA-2002.003.php3
61. http://lwn.net/alerts/RedHat/RHSA-2002:026-43.php3
62. http://lwn.net/alerts/RedHat/RHSA-2002:027-22.php3
63. http://lwn.net/alerts/RedHat/RHSA-2002:026-39.php3
64. http://lwn.net/alerts/RedHat/RHSA-2002:026-35.php3
65. http://lwn.net/alerts/RedHat/RHSA-2002:027-22.php3
66. http://lwn.net/alerts/SuSE/SuSE-SA:2002:010.php3
67. http://lwn.net/alerts/SuSE/SuSE-SA:2002:011.php3
68. http://lwn.net/alerts/Slackware/sl-1015949806.php3
69. http://lwn.net/alerts/Slackware/sl-1015950024.php3
70. http://lwn.net/alerts/Slackware/sl-1015950525.php3
71. http://lwn.net/alerts/Trustix/2002-0040.php3
72. http://zdnet.com.com/2100-1104-857031.html
73. http://www.theregister.co.uk/content/5/24387.html
74. http://zdnet.com.com/2100-1104-860428.html
75. http://www.vnunet.com/News/1130151
76. http://lwn.net/2002/0411/a/security-week.php3
77. http://lwn.net/2002/0411/a/advisory-watch.php3
78. http://zdnet.com.com/2100-1107-854265.html
79. http://lwn.net/2002/0411/a/blackhat.php3
80. http://www.pet2002.org/
81. http://infosec.uninet.edu/
82. http://www.cfp2002.org/
83. http://www.infosec.co.uk/
84. http://cansecwest.com/
85. http://www.dallascon.com/
86. http://www.ieee-security.org/TC/SP02/sp02index.html
87. http://www.cse-cst.gc.ca/en/iccc/iccc.html
88. http://www.nluug.nl/sane/
89. http://www.rsaconference.net/
90. http://securityfocus.com/calendar
91. mailto:lwn@lwn.net
92. mailto:lwn@lwn.net
93. http://oasis.lwn.net/oasisc.php?s=4&c=5&cb=476026769&url=http%3A%2F%2Flwn.net%2Fcorp%2Fadvertise%2Ftext%2F
94. http://lwn.net/alerts/
95. http://www.astaro.com/products/index.html
96. http://bluelinux.sourceforge.net/
97. http://castle.altlinux.ru/
98. http://www.engardelinux.org/
99. http://www.immunix.org/
100. http://www.kaladix.org/
101. http://www.nsa.gov/selinux/
102. http://www.openwall.com/Owl/
103. http://www.trustix.com/
104. http://www.bastille-linux.org/
105. http://lsap.org/
106. http://lsm.immunix.org/
107. http://www.openssh.com/
108. http://www.securityfocus.com/archive/1
109. http://www.nfr.net/firewall-wizards/
110. http://www.jammed.com/Lists/ISN/
111. http://www.calderasystems.com/support/security/
112. http://www.conectiva.com.br/atualizacoes/
113. http://www.debian.org/security/
114. http://www.kondara.org/errata/k12-security.html
115. http://www.esware.com/actualizaciones.html
116. http://linuxppc.org/security/advisories/
117. http://www.linux-mandrake.com/en/fupdates.php3
118. http://www.redhat.com/support/errata/index.html
119. http://www.suse.de/security/index.html
120. http://www.turbolinux.com/security/
121. http://www.yellowdoglinux.com/resources/
122. http://www.BSDI.COM/services/support/patches/
123. http://www.freebsd.org/security/security.html
124. http://www.NetBSD.ORG/Security/
125. http://www.openbsd.org/security.html
126. http://www.calderasystems.com/support/forums/announce.html
127. http://www.cobalt.com/support/resources/usergroups.html
128. http://distro.conectiva.com.br/atualizacoes/
129. http://www.debian.org/MailingLists/subscribe
130. http://www.esware.com/lista_correo.html
131. http://www.freebsd.org/handbook/eresources.html#ERESOURCES-MAIL
132. http://www.kondara.org/mailinglist.html.en
133. http://l5web.laser5.co.jp/ml/ml.html
134. http://www.linuxfromscratch.org/services/mailinglistinfo.php
135. http://www.linux-mandrake.com/en/flists.php3
136. http://www.netbsd.org/MailingLists/
137. http://www.openbsd.org/mail.html
138. http://www.redhat.com/mailing-lists/
139. http://www.slackware.com/lists/
140. http://www.stampede.org/mailinglists.php3
141. http://www.suse.com/en/support/mailinglists/index.html
142. http://www.trustix.net/support/
143. http://www.turbolinux.com/mailman/listinfo/tl-security-announce
144. http://lists.yellowdoglinux.com/ydl_updates.shtml
145. http://munitions.vipul.net/
146. http://www.zedz.net/
147. http://www.cert.org/nav/alerts.html
148. http://ciac.llnl.gov/ciac/
149. http://www.MountainWave.com/
150. http://www.counterpane.com/crypto-gram.html
151. http://linuxlock.org/
152. http://linuxsecurity.com/
153. http://www.securityfocus.com/
154. http://www.securityportal.com/
155. http://lwn.net/2002/0411/kernel.php3
156. http://www.eklektix.com/
157. http://www.eklektix.com/
--- ifmail v.2.14.os7-aks1
* Origin: Unknown (2:4615/71.10@fidonet)