RU.LINUX
From: Sergey Lentsov 2:4615/71.10, 08 Nov 2001 17:11:12
To: All
Subject: URL: http://www.lwn.net/2001/1108/security.php3
See also: [13]last week's Security page.
Security
News and Editorials
OpenSSH 3.0 released. OpenSSH version 3.0 has been [14]released. It
includes a great many new features, including smartcard support,
improved Kerberos support, dynamic forwarding, and more.
CERT advisory on lpd vulnerabilities. CERT has issued [15]an advisory
regarding several vulnerabilities in the lpd print system. Most of the
problems are old; the purpose of the advisory is to remind people to
apply their upgrades.
Security Reports
Trouble with netfilter and syncookies. Just when you had installed a
new kernel and thought that the security problems were behind you, a
new one turns up. It's an obscure problem, but, in many cases, worth
fixing anyway. Essentially, the "syncookies" mechanism, developed to
defend against SYN flood attacks, lets the kernel complete a TCP
connection on the strength of an incoming ACK alone; a clever attacker
can use that to circumvent netfilter firewall rules that block incoming
connections. Since many firewall setups depend on blocking these
connections, this vulnerability could seriously compromise the
protection of the system or network. A short-term workaround is to
turn off syncookies:
echo 0 > /proc/sys/net/ipv4/tcp_syncookies
This setting does not survive a reboot: syncookies will be re-enabled
when the system restarts unless the command is reapplied (or the
equivalent is set in the boot-time sysctl configuration). The system
will also be more vulnerable to SYN flood (denial of service) attacks
while syncookies are disabled. The real fix, of course, is to apply
another kernel update. Here are the ones we've seen so far:
* [16]Caldera (November 5, 2001)
* [17]Conectiva (November 2, 2001)
* [18]EnGarde (November 6, 2001)
* [19]SuSE (October 26, 2001)
* [20]Red Hat (November 2, 2001)
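The workaround above, as an added example (not code from the LWN page or from any of the listed distributors): a small Python script that reads the tcp_syncookies knob, disables it, and records the setting in a sysctl.conf-style file so it is reapplied at boot. The knob path /proc/sys/net/ipv4/tcp_syncookies is the standard one; that the distribution applies /etc/sysctl.conf at boot is an assumption, as is the file layout the script edits. Paths are parameters so the logic can be exercised against ordinary files without root.

```python
"""Added example, not from the LWN page: apply and verify the syncookies
workaround, and keep it across reboots via a sysctl.conf-style file.

Assumed (not stated on the page): the distribution runs 'sysctl -p' on
/etc/sysctl.conf at boot, so a 'net.ipv4.tcp_syncookies = 0' line there
re-applies the workaround. The proc path is the standard Linux knob.
"""
import os
import re
import sys

PROC_KNOB = "/proc/sys/net/ipv4/tcp_syncookies"
SYSCTL_CONF = "/etc/sysctl.conf"      # assumed location
SYSCTL_KEY = "net.ipv4.tcp_syncookies"


def read_knob(path=PROC_KNOB):
    """Current value (0 or 1), or None when the knob does not exist
    (non-Linux host, or a kernel built without syncookie support)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def disable_now(path=PROC_KNOB):
    """Write 0 to the knob (root needed on a real system) and read it back.
    True only if the kernel now reports syncookies disabled."""
    try:
        with open(path, "w") as fh:
            fh.write("0\n")
    except OSError:
        return False
    return read_knob(path) == 0


def persist(conf=SYSCTL_CONF, value=0):
    """Set SYSCTL_KEY = value in conf. Any existing assignment, commented out
    or not, is replaced rather than duplicated: sysctl -p applies lines in
    order, so a later 'tcp_syncookies = 1' would silently win otherwise."""
    pattern = re.compile(r"^\s*#?\s*" + re.escape(SYSCTL_KEY) + r"\s*=")
    lines = []
    if os.path.exists(conf):
        with open(conf) as fh:
            lines = fh.read().splitlines()
    new_line = "%s = %d" % (SYSCTL_KEY, value)
    out, replaced = [], False
    for line in lines:
        if pattern.match(line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue                   # drop further duplicates
        out.append(line)
    if not replaced:
        out.append(new_line)
    with open(conf, "w") as fh:
        fh.write("\n".join(out) + "\n")
    return new_line


def configured_value(conf=SYSCTL_CONF):
    """Value that sysctl -p would apply from conf (last uncommented
    assignment wins), or None if the key is not set there."""
    if not os.path.exists(conf):
        return None
    value = None
    key_re = re.compile(r"^\s*" + re.escape(SYSCTL_KEY) + r"\s*=\s*(\d+)\s*$")
    with open(conf) as fh:
        for line in fh:
            m = key_re.match(line)
            if m:
                value = int(m.group(1))
    return value


if __name__ == "__main__":
    state = read_knob()
    if state is None:
        print("no tcp_syncookies knob on this host")
        sys.exit(0)
    print("syncookies currently", "enabled" if state else "disabled")
    print("boot-time setting:", configured_value())
    if state and "--disable" in sys.argv[1:]:
        print("disabled now:", disable_now())
        print("persisted:", persist())
```

Run it as root with --disable to apply the workaround; without arguments it only reports the running and boot-time state. The kernel update, not this script, is the real fix; once the updated kernel is installed, remove the sysctl.conf line so SYN flood protection comes back.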
Webalizer tag vulnerability. The "webalizer" logfile analysis program
[21]has a vulnerability which can allow an attacker to place arbitrary
HTML tags into the reports: text that a client sends in its requests is
recorded by the web server and then copied into the HTML report without
being escaped. When the reports are viewed, these tags can be used
toward unpleasant ends, including cross-site scripting attacks against
whoever reads the report. A fix is available which closes the
vulnerability.
Updates seen so far:
* [22]EnGarde (November 1, 2001)
* [23]SuSE (November 6, 2001)
* [24]Red Hat (October 30, 2001)
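To show the class of bug the webalizer report describes, here is an added example in Python (my own code, not the webalizer project's and not from the LWN page). It parses a few constructed lines in Apache's combined log format, tabulates the client-supplied Referer and User-Agent fields, and renders them into an HTML report two ways: verbatim, which is the vulnerable behaviour, and escaped. Which log field webalizer actually mishandled is not stated on the page; the choice of fields here is an assumption.

```python
"""Added example, not webalizer's code: why a log analyser must HTML-escape
everything it prints. Referer and User-Agent are chosen because the client
controls them; the page does not say which field webalizer mishandled."""
import html
import re

# Apache "combined" log format; the quoted fields come straight from the client.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: one ordinary hit, then two hits whose client-supplied
# fields carry markup aimed at whoever later views the report.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Nov/2001:10:00:01 -0700] "GET / HTTP/1.0" 200 1234 '
    '"http://example.org/links.html" "Mozilla/4.0"',
    '10.0.0.9 - - [07/Nov/2001:10:00:07 -0700] "GET / HTTP/1.0" 200 1234 '
    '"<script>document.location=\'http://attacker.invalid/\'</script>" "Mozilla/4.0"',
    '10.0.0.9 - - [07/Nov/2001:10:00:09 -0700] "GET /x HTTP/1.0" 404 0 '
    '"-" "<img src=x onerror=alert(1)>"',
]

# The only tags the report generator emits on its own behalf.
OWN_TAGS = {"table", "/table", "tr", "/tr", "th", "/th", "td", "/td"}


def parse(lines):
    """Parse combined-format lines; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]


def top(entries, field):
    """Count distinct values of a field ('-' means absent), most frequent first."""
    counts = {}
    for e in entries:
        if e[field] != "-":
            counts[e[field]] = counts.get(e[field], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def render(entries, field, escape):
    rows = "".join(
        "<tr><td>%s</td><td>%d</td></tr>" % (escape(value), n)
        for value, n in top(entries, field)
    )
    return "<table><tr><th>%s</th><th>hits</th></tr>%s</table>" % (field, rows)


def report_unsafe(entries):
    """The bug class: log text copied into HTML verbatim."""
    return "".join(render(entries, f, lambda s: s) for f in ("referer", "agent"))


def report_safe(entries):
    """Hardened: every log-derived string is escaped, quotes included, on output."""
    return "".join(render(entries, f, lambda s: html.escape(s, quote=True))
                   for f in ("referer", "agent"))


def foreign_tags(report_html):
    """Tags present in the output that the report did not emit itself."""
    return [t for t in re.findall(r"<\s*(/?[A-Za-z]+)", report_html)
            if t.lower() not in OWN_TAGS]


if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    print("unsafe report smuggles:", foreign_tags(report_unsafe(entries)))
    print("safe report smuggles:", foreign_tags(report_safe(entries)))
```

The escaping belongs at the point of output, not at logging time: the same log is read by other tools, and a field stripped of `<` at log time loses evidence that a forensic reader may want.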
Red Hat updates ghostscript. Red Hat has issued [25]a security update
to ghostscript fixing an interesting problem. When ghostscript is used
as part of the print spooling system (a common configuration), a
clever attacker can use its PostScript file commands to read any file
that is accessible to the print spooler. The update disables those
commands in that context. There is also [26]a more comprehensive
printer update available from Red Hat which includes this fix, a
number of others, and tosses in the IBM Omni printer drivers for good
measure.
Denial of service vulnerability in Tux. The Tux kernel-based web
server has [27]a denial of service vulnerability which can allow a
remote attacker to crash the host system. Most systems do not run Tux;
those which do should apply the [28]Red Hat kernel update for the
syncookie problem; it also fixes this vulnerability.
Caldera security update for libdb. Caldera has released [29]a security
update for the libdb package. The update fixes vulnerabilities arising
from an unsafe internal implementation of snprintf and vsnprintf, which
could be exploited by local or remote attackers.
Format string vulnerability in rwhoisd. The "rwhoisd" whois server
[30]has a format string vulnerability which can be used by a remote
attacker to run arbitrary code. [31]A patch is available and should be
applied promptly by anybody running this server; no distributor
updates have been seen as of this writing.
Updates
Configuration file vulnerability in ht://Dig. The ht://Dig search
engine contains a vulnerability which allows a remote user to specify
an alternate configuration file. If that user is able to place a
suitable file in a location where ht://Dig can read it, the system may
be compromised. See [32]the original report from the ht://Dig project
for details. This vulnerability first appeared in [33]the October 11
LWN security page.
This week's updates:
* [34]Mandrake (November 1, 2001)
Previous updates:
* [35]SuSE (October 24, 2001)
* [36]Conectiva (October 10, 2001)
* [37]Debian (October 17, 2001)
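An added example, in Python, of the check a CGI program should apply before honouring a request that names its configuration file, as ht://Dig's did. This is my own code, not ht://Dig's and not from the LWN page; the parameter name, the directory /etc/htdig and the .conf suffix are assumptions. The rule it enforces: a request may select one of the files the administrator placed in a fixed directory, by name, and may never supply a path.

```python
"""Added example, not ht://Dig's code: validating a request-supplied
configuration name. The directory and suffix are assumptions."""
import os
import re

CONFIG_DIR = "/etc/htdig"   # assumed; the page does not say where the files live
NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


class BadConfigName(ValueError):
    """Raised when a request-supplied config name is refused."""


def config_name_ok(name):
    """A config name is a bare token: no '/', no NUL, no whitespace, and it
    may not start with '.', which rules out '..' and hidden files."""
    return bool(NAME_RE.match(name))


def resolve_config(name, config_dir=CONFIG_DIR, default="htdig"):
    """Map the request parameter to a file under config_dir, or raise.

    1. Empty means the default configuration.
    2. The name must pass config_name_ok(); it is a key, never a path, so a
       file the attacker uploaded elsewhere (e.g. under /tmp) cannot be named.
    3. After symlinks are resolved the file must still be inside config_dir,
       so a link planted there cannot point the program elsewhere.
    4. The file must exist and be a regular file.
    """
    if not name:
        name = default
    if not config_name_ok(name):
        raise BadConfigName("config name rejected: %r" % name)
    base = os.path.realpath(config_dir)
    path = os.path.realpath(os.path.join(base, name + ".conf"))
    if os.path.dirname(path) != base:
        raise BadConfigName("config %r resolves outside %s" % (name, config_dir))
    if not os.path.isfile(path):
        raise BadConfigName("no such config: %r" % name)
    return path


if __name__ == "__main__":
    # Constructed probes a remote user might send in the parameter.
    for probe in ("", "htdig", "../../tmp/evil", "/tmp/evil", ".hidden"):
        try:
            print("%-16r -> %s" % (probe, resolve_config(probe)))
        except BadConfigName as err:
            print("%-16r -> rejected (%s)" % (probe, err))
```

The realpath comparison matters even after the name check: a symlink placed in the config directory by anyone who can write there would otherwise let a perfectly well-formed name point at a file outside it.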
Procmail race conditions. See [38]the July 26 Security page for the
initial report.
This week's updates:
* [39]Conectiva (November 6, 2001)
Previous updates:
* [40]Red Hat (July 26)
* [41]Yellow Dog (July 25, 2001)
Vulnerabilities in tetex. The tetex package has a temporary file
handling vulnerability; this problem was first reported in [42]the
July 12, 2001 LWN security page.
This week's updates:
* [43]Red Hat (October 23, 2001)
Previous updates:
* [44]Immunix (July 12, 2001)
Several vulnerabilities in ucd-snmp. The ucd-snmp package has a number
of vulnerabilities, including buffer overflows, format string
problems, and temporary file races. This problem was first reported in
[45]the August 23 LWN security page.
This week's updates:
* [46]Red Hat (October 31, 2001)
Previous updates:
* [47]Caldera (August 16, 2001)
Improper credentials from login. A problem with the login program (in
the util-linux package) can, in some situations, cause a user to be
given the credentials of another user at login. Use of the pam_limits
module, in particular, can bring about this problem. In general,
distributions using the default PAM configuration are not vulnerable;
an upgrade is probably a good idea anyway. This problem was first
reported in [48]the October 18 LWN security page.
This week's updates:
* [49]Mandrake (November 1, 2001)
Previous updates:
* [50]Red Hat (October 16, 2001) (Adds an update for version 7.2).
* [51]SuSE (October 23, 2001) (Doesn't use util-linux login, but
vulnerable anyway).
* [52]Red Hat (October 16, 2001)
* [53]Trustix (October 17, 2001)
Resources
Linux Security Week for November 5 from LinuxSecurity.com is now
[54]available.
Events
Upcoming Security Events.
* November 8, 2001: [55]8th ACM Conference on Computer and Communications Security (CCS-8), Philadelphia, PA, USA
* November 13 - 15, 2001: [56]International Conference on Information and Communications Security (ICICS 2001), Xian, China
* November 19 - 22, 2001: [57]Black Hat Briefings, Amsterdam
* November 21 - 23, 2001: [58]International Information Warfare Symposium, AAL, Lucerne, Switzerland
* November 24 - 30, 2001: [59]Computer Security Mexico, Mexico City
* November 29 - 30, 2001: [60]International Cryptography Institute, Washington, DC
* December 2 - 7, 2001: [61]LISA 2001, 15th Systems Administration Conference, San Diego, CA
* December 5 - 6, 2001: [62]InfoSecurity Conference & Exhibition, Jacob K. Javits Center, New York, NY
* December 10 - 14, 2001: [63]Annual Computer Security Applications Conference, New Orleans, LA
For additional security-related events, including training courses
(which we don't list above) and events further in the future, check
out Security Focus' [64]calendar, one of the primary resources we use
for building the above list. To submit an event directly to us, please
send a plain-text message to [65]lwn@lwn.net.
Section Editor: [66]Jonathan Corbet
November 8, 2001
LWN Resources
[68]Security alerts archive
Secured Distributions:
[69]Astaro Security
[70]Blue Linux
[71]Castle
[72]Engarde Secure Linux
[73]Immunix
[74]Kaladix Linux
[75]NSA Security Enhanced
[76]Openwall GNU/Linux
[77]Trustix
Security Projects
[78]Bastille
[79]Linux Security Audit Project
[80]Linux Security Module
[81]OpenSSH
Security List Archives
[82]Bugtraq Archive
[83]Firewall Wizards Archive
[84]ISN Archive
Distribution-specific links
[85]Caldera Advisories
[86]Conectiva Updates
[87]Debian Alerts
[88]Kondara Advisories
[89]Esware Alerts
[90]LinuxPPC Security Updates
[91]Mandrake Updates
[92]Red Hat Errata
[93]SuSE Announcements
[94]Yellow Dog Errata
BSD-specific links
[95]BSDi
[96]FreeBSD
[97]NetBSD
[98]OpenBSD
Security mailing lists
[99]Caldera
[100]Cobalt
[101]Conectiva
[102]Debian
[103]Esware
[104]FreeBSD
[105]Kondara
[106]LASER5
[107]Linux From Scratch
[108]Linux-Mandrake
[109]NetBSD
[110]OpenBSD
[111]Red Hat
[112]Slackware
[113]Stampede
[114]SuSE
[115]Trustix
[116]turboLinux
[117]Yellow Dog
Security Software Archives
[118]munitions
[119]ZedZ.net (formerly replay.com)
Miscellaneous Resources
[120]CERT
[121]CIAC
[122]Comp Sec News Daily
[123]Crypto-GRAM
[124]LinuxLock.org
[125]LinuxSecurity.com
[126]Security Focus
[127]SecurityPortal
[129]Eklektix, Inc. Linux powered! Copyright © 2001 [130]Eklektix,
Inc., all rights reserved
Linux (R) is a registered trademark of Linus Torvalds
References
1. http://lwn.net/
2. http://ads.tucows.com/click.ng/pageid=001-012-132-000-000-002-000-000-012
3. http://lwn.net/2001/1108/
4. http://lwn.net/2001/1108/kernel.php3
5. http://lwn.net/2001/1108/dists.php3
6. http://lwn.net/2001/1108/devel.php3
7. http://lwn.net/2001/1108/commerce.php3
8. http://lwn.net/2001/1108/press.php3
9. http://lwn.net/2001/1108/announce.php3
10. http://lwn.net/2001/1108/history.php3
11. http://lwn.net/2001/1108/letters.php3
12. http://lwn.net/2001/1108/bigpage.php3
13. http://lwn.net/2001/1101/security.php3
14. http://lwn.net/2001/1108/a/openssh-3.0.php3
15. http://lwn.net/2001/1108/a/cert-lpd.php3
16. http://lwn.net/alerts/Caldera/CSSA-2001-038.0.php3
17. http://lwn.net/alerts/Conectiva/CLA-2001:432.php3
18. http://lwn.net/alerts/EnGarde/ESA-20011106-01.php3
19. http://lwn.net/alerts/SuSE/SuSE-SA:2001:036,.php3
20. http://lwn.net/alerts/RedHat/RHSA-2001:142-15.php3
21. http://lwn.net/2001/1108/a/webalizer.php3
22. http://lwn.net/alerts/EnGarde/ESA-20011101-01.php3
23. http://lwn.net/alerts/SuSE/SuSE-SA:2001:040.php3
24. http://lwn.net/alerts/RedHat/RHSA-2001:140-05.php3
25. http://lwn.net/alerts/RedHat/RHSA-2001:112-07.php3
26. http://lwn.net/alerts/RedHat/RHSA-2001:138-10.php3
27. http://lwn.net/2001/1108/a/tux-dos.php3
28. http://lwn.net/alerts/RedHat/RHSA-2001:142-15.php3
29. http://lwn.net/alerts/Caldera/CSSA-2001-037.0.php3
30. http://lwn.net/2001/1108/a/rwhoisd.php3
31. http://lwn.net/2001/1108/a/rwhoisd-patch.php3
32. http://lwn.net/2001/1011/a/htdig.php3
33. http://lwn.net/2001/1011/security.php3#htdig
34. http://lwn.net/alerts/Mandrake/MDKSA-2001:083.php3
35. http://lwn.net/alerts/SuSE/SuSE-SA:2001:035.php3
36. http://lwn.net/alerts/Conectiva/CLA-2001:429.php3
37. http://lwn.net/alerts/Debian/DSA-080-1.php3
38. http://lwn.net/2001/0726/security.php3#procmail
39. http://lwn.net/alerts/Conectiva/CLA-2001:433.php3
40. http://lwn.net/2001/0726/a/rh-procmail.php3
41. http://lwn.net/alerts/YellowDog/YDU-20010725-12.php3
42. http://lwn.net/2001/0712/security.php3#tetex
43. http://lwn.net/alerts/RedHat/RHSA-2001:102-10.php3
44. http://lwn.net/2001/0712/a/imm-tetex.php3
45. http://lwn.net/2001/0823/security.php3#snmp
46. http://lwn.net/alerts/RedHat/RHSA-2001:101-07.php3
47. http://lwn.net/alerts/Caldera/CSSA-2001-031.0.php3
48. http://lwn.net/2001/1018/security.php3#pam
49. http://lwn.net/alerts/Mandrake/MDKSA-2001:084.php3
50. http://lwn.net/alerts/RedHat/RHSA-2001:132-04.php3
51. http://lwn.net/alerts/SuSE/SuSE-SA:2001:034.php3
52. http://lwn.net/alerts/RedHat/RHSA-2001:132-03.php3
53. http://lwn.net/alerts/Trustix/2001-0025.php3
54. http://lwn.net/2001/1108/a/security-week.php3
55. http://www.bell-labs.com/user/reiter/ccs8/
56. http://homex.coolconnect.com/member2/icisa/icics2001.html
57. http://www.blackhat.com/
58. http://www.sympinfowarfare.ch/
59. http://www.seguridad2001.unam.mx/
60. http://www.nipli.org/isse/events/2001/cryptography
61. http://www.usenix.org/events/lisa2001/
62. http://www.infosecurityevent.com/
63. http://www.acsac.org/
64. http://securityfocus.com/calendar
65. mailto:lwn@lwn.net
66. mailto:lwn@lwn.net
67. http://ads.tucows.com/click.ng/buttonpos=lwnbuttonsecurity
68. http://lwn.net/alerts/
69. http://www.astaro.com/products/index.html
70. http://bluelinux.sourceforge.net/
71. http://castle.altlinux.ru/
72. http://www.engardelinux.org/
73. http://www.immunix.org/
74. http://www.kaladix.org/
75. http://www.nsa.gov/selinux/
76. http://www.openwall.com/Owl/
77. http://www.trustix.com/
78. http://www.bastille-linux.org/
79. http://lsap.org/
80. http://lsm.immunix.org/
81. http://www.openssh.com/
82. http://www.securityfocus.com/bugtraq/archive/
83. http://www.nfr.net/firewall-wizards/
84. http://www.jammed.com/Lists/ISN/
85. http://www.calderasystems.com/support/security/
86. http://www.conectiva.com.br/atualizacoes/
87. http://www.debian.org/security/
88. http://www.kondara.org/errata/k12-security.html
89. http://www.esware.com/actualizaciones.html
90. http://linuxppc.org/security/advisories/
91. http://www.linux-mandrake.com/en/fupdates.php3
92. http://www.redhat.com/support/errata/index.html
93. http://www.suse.de/security/index.html
94. http://www.yellowdoglinux.com/resources/errata.shtml
95. http://www.BSDI.COM/services/support/patches/
96. http://www.freebsd.org/security/security.html
97. http://www.NetBSD.ORG/Security/
98. http://www.openbsd.org/security.html
99. http://www.calderasystems.com/support/forums/announce.html
100. http://www.cobalt.com/support/resources/usergroups.html
101. http://distro.conectiva.com.br/atualizacoes/
102. http://www.debian.org/MailingLists/subscribe
103. http://www.esware.com/lista_correo.html
104. http://www.freebsd.org/handbook/eresources.html#ERESOURCES-MAIL
105. http://www.kondara.org/mailinglist.html.en
106. http://l5web.laser5.co.jp/ml/ml.html
107. http://www.linuxfromscratch.org/services/mailinglistinfo.php
108. http://www.linux-mandrake.com/en/flists.php3
109. http://www.netbsd.org/MailingLists/
110. http://www.openbsd.org/mail.html
111. http://www.redhat.com/mailing-lists/
112. http://www.slackware.com/lists/
113. http://www.stampede.org/mailinglists.php3
114. http://www.suse.com/en/support/mailinglists/index.html
115. http://www.trustix.net/support/
116. http://www.turbolinux.com/mailman/listinfo/tl-security-announce
117. http://lists.yellowdoglinux.com/ydl_updates.shtml
118. http://munitions.vipul.net/
119. http://www.zedz.net/
120. http://www.cert.org/nav/alerts.html
121. http://ciac.llnl.gov/ciac/
122. http://www.MountainWave.com/
123. http://www.counterpane.com/crypto-gram.html
124. http://linuxlock.org/
125. http://linuxsecurity.com/
126. http://www.securityfocus.com/
127. http://www.securityportal.com/
128. http://lwn.net/2001/1108/kernel.php3
129. http://www.eklektix.com/
130. http://www.eklektix.com/
--- ifmail v.2.14.os7-aks1
* Origin: Unknown (2:4615/71.10@fidonet)