RU.LINUX
From: Sergey Lentsov 2:4615/71.10, 03 Mar 2002 15:39:33
To: All
Subject: URL: http://www.lwn.net/2002/0221/security.php3
See also: [11]last week's Security page.
Security
News and Editorials
Defining a reasonable disclosure process. Steve Christey and Chris
Wysopal have [12]released a draft document titled "Reasonable
Disclosure Process," which is in the process of becoming an IETF
standard. The document attempts to lay out the responsibilities of
everyone who has to deal with security vulnerabilities. Since it
touches on the controversial topic of disclosure, there is likely to
be some disagreement over what it says.
As might be expected, the draft tries to balance the interests of
vendors, customers, and those who discover security holes. It lays out
a detailed and formal sequence of events that are supposed to happen:
1. Avoidance of vulnerabilities in the first place.
2. Discovery of the problem.
3. Vendor notification.
4. Acknowledgement of the notification from the vendor (within seven
days).
5. Verification of the problem by the vendor.
6. Resolution of the problem (within 30 days).
7. General release of information on the problem.
8. Follow-up.
In general, people who discover vulnerabilities are not supposed to
announce them publicly until the release stage has been reached. The
vendor is supposed to provide a status update to the reporter every
seven days, and the reporter should keep silent as long as the vendor
appears to be making a good-faith effort toward a solution. This
process could drag on for some time:
The Reporter SHOULD recognize that it may be difficult for a Vendor
to resolve a vulnerability within 30 days if (1) the problem is
related to insecure design, (2) the Vendor has a diverse set of
hardware, operating systems, and/or product versions to support, or
(3) the Vendor is not skilled in security.
What happens if the vendor is not serious? The draft calls for a
"coordinator" role; the coordinator should arbitrate between the
reporter and the vendor, and help decide if a disclosure of the
vulnerability is called for.
Who are these coordinators? The draft is vague:
A Coordinator is an individual or organization who works with the
Reporter and the Vendor to analyze and address the vulnerability.
Coordinators are often well-known third parties. Coordinators may
have resources, credibility, or working relationships that exceed
those of the reporter or vendors. Coordinators may serve as proxies
for reporters, help to verify the reporter's claims, resolve
conflicts, and work with all parties to resolve the vulnerability
in a satisfactory manner.
A role which is so vaguely defined seems unlikely to be filled in a
manner that is satisfactory to all parties.
Even when a security vulnerability is released, the draft allows a
vendor to sit on the details of the problem for 30 additional days.
The idea, of course, is to allow time for patches to be applied before
more detailed information becomes available. Such a delay may be
useful for closed-source code; it won't help much for free software,
however.
There is currently an open comment period on this draft; see [13]the
announcement for information on how to send in your suggestions.
CRYPTO-GRAM Newsletter. Here's [14]Bruce Schneier's CRYPTO-GRAM
Newsletter for February. The main topics covered are Microsoft's
security PR and Oracle's not-so-unbreakable system. "In addition to
making its protocols and interfaces public, we suggest that Microsoft
consider making its entire source code public. We're not advocating
that Microsoft make its products open source, but if they really want
to impress everyone about their newfound security religion, they will
make their code available for inspection."
Security Reports
Debian security updates to hanterm, ncurses. The Debian Project has
issued security updates to [15]hanterm (fixing a set of buffer
overflow problems) and [16]ncurses (also fixing a buffer overflow).
Buffer overflow in exim. Ehud Tenenbaum has [17]reported a buffer
overflow in the exim mailer, versions 3.34 and prior. No known
exploits exist at this time.
Web scripts. The following web scripts were reported to contain vulnerabilities:
* The "slash" weblog package [18]has a cross-site scripting
vulnerability affecting versions prior to 2.2.5. Sites running
older versions should upgrade to 2.2.5, which has been out for a
couple of weeks.
Updates
Buffer overflow in CUPS. Versions of the Common Unix Print System
prior to 1.1.14 have a buffer overflow vulnerability. (First LWN
report: [19]February 14).
This week's updates:
* [20]SuSE (February 27, 2002)
* [21]SuSE (February 23, 2002) (Later [22]withdrawn due to the
introduction of an unrelated bug).
Previous updates:
* [23]Debian (February 13, 2002)
* [24]Mandrake (February 15, 2002)
Multiple vulnerabilities in SNMP implementations. Most SNMP
implementations out there have a variety of buffer overflow
vulnerabilities and should be upgraded at first opportunity. See
[25]this CERT advisory for more. (First LWN report: [26]February 14).
This week's updates:
* [27]Eridani Linux (February 22, 2002)
Previous updates:
* [28]Caldera (January 22, 2002)
* [29]Conectiva (February 14, 2002)
* [30]Debian (February 14, 2002)
* [31]Mandrake (February 15, 2002)
* [32]Red Hat (February 12, 2002)
* [33]Yellow Dog (February 11, 2002)
Multiple vendor telnetd vulnerability. This vulnerability, originally
thought to be confined to BSD-derived systems, was first covered in
the [34]July 26th Security Summary. It is now known that Linux telnet
daemons are vulnerable as well.
This week's updates:
* [35]HP (February 12, 2002)
Previous updates:
* [36]Caldera (August 10, 2001)
* [37]Conectiva (August 24, 2001)
* [38]Debian (August 14, 2001) (SSL version)
* [39]Debian (August 14, 2001) (Update for Sparc version)
* [40]Mandrake (August 13, 2001)
* [41]Mandrake (December 17, 2001) (kerberos version)
* [42]Progeny (August 14, 2001)
* [43]Red Hat (February 7, 2002) (Update, for Red Hat 5.2, 6.2, 7.0,
and 7.1, to the [44]original advisory, issued August 9, 2001.)
* [45]Red Hat (August 9, 2001)
* [46]Red Hat (August 9, 2001) (kerberos version)
* [47]Slackware (August 9, 2001)
* [48]SuSE (September 3, 2001)
* [49]Yellow Dog (August 10, 2001)
* [50]Yellow Dog (August 10, 2001) (kerberos version)
Remote command execution vulnerability in uucp. The uuxqt utility in
the uucp package does not properly check its options, allowing an
attacker to run arbitrary commands. (First LWN report: [51]January 24,
2002).
This week's updates:
* [52]Conectiva (February 18, 2002)
Previous updates:
* [53]HP (January 22, 2002)
* [54]Red Hat (January 15, 2002)
* [55]Yellow Dog (January 27, 2002)
Resources
Security: Key Players - HP (IT-Director). IT-Director [56]sees HP as a
growing force in computer security. "HP development in the Linux area
is concentrated on providing secure compartmentalisation. The target
market for this is primarily service providers, who are keen to deploy
high specification servers that can support multiple clients. Plainly,
there must be strong security separating individual clients. Linux is
popular in the service provider market, and there is also interest
from SAP."
Linux security week. The [57]Linux Security Week and [58]Linux
Advisory Watch publications from LinuxSecurity.com are available.
Events
Upcoming Security Events.
Date: Event (Venue), Location
February 20 - 22, 2002: [59]RSA Conference 2002, San Jose, CA, USA
February 25 - March 1, 2002: [60]Secure Trusted OS Consortium Quarterly Meeting (STOS) (Hyperdigm Research), Chantilly, VA, USA
March 11 - 14, 2002: [61]Financial Cryptography 2002, Southampton, Bermuda
March 18 - 21, 2002: [62]Sixth Annual Distributed Objects and Components Security Workshop (Pier 5 Hotel at the Inner Harbor), Baltimore, Maryland, USA
March 18 - 20, 2002: [63]InfoSec World Conference and Expo/2002, Orlando, FL, USA
April 1 - 7, 2002: [64]SANS 2002, Orlando, FL, USA
April 5 - 7, 2002: [65]Rubicon, Detroit, Michigan, USA
April 7 - 10, 2002: [66]Techno-Security 2002 Conference, Myrtle Beach, SC, USA
April 14 - 15, 2002: [67]Workshop on Privacy Enhancing Technologies 2002 (Cathedral Hill Hotel), San Francisco, California, USA
April 16 - 19, 2002: [68]The Twelfth Conference on Computers, Freedom & Privacy (Cathedral Hill Hotel), San Francisco, California, USA
For additional security-related events, including training courses
(which we don't list above) and events further in the future, check
out Security Focus' [69]calendar, one of the primary resources we use
for building the above list. To submit an event directly to us, please
send a plain-text message to [70]lwn@lwn.net.
Section Editor: [71]Jonathan Corbet
February 21, 2002
[134]Eklektix, Inc. Linux powered! Copyright © 2002 [135]Eklektix,
Inc., all rights reserved
Linux (R) is a registered trademark of Linus Torvalds
References
1. http://lwn.net/
2. http://lwn.net/2002/0221/
3. http://lwn.net/2002/0221/kernel.php3
4. http://lwn.net/2002/0221/dists.php3
5. http://lwn.net/2002/0221/devel.php3
6. http://lwn.net/2002/0221/commerce.php3
7. http://lwn.net/2002/0221/press.php3
8. http://lwn.net/2002/0221/announce.php3
9. http://lwn.net/2002/0221/letters.php3
10. http://lwn.net/2002/0221/bigpage.php3
11. http://lwn.net/2002/0214/security.php3
12. http://lwn.net/2002/0221/a/disclosure-process.php3
13. http://lwn.net/2002/0221/a/disclosure-process.php3
14. http://lwn.net/2002/0221/a/crypto-gram.php3
15. http://lwn.net/alerts/Debian/DSA-112-1.php3
16. http://lwn.net/alerts/Debian/DSA-113-1.php3
17. http://lwn.net/2002/0221/a/exim.php3
18. http://lwn.net/2002/0221/a/slash.php3
19. http://lwn.net/2002/0214/security.php3#cups
20. http://lwn.net/alerts/SuSE/SuSE-SA:2002:006.php3
21. http://lwn.net/alerts/SuSE/SuSE-SA:2002:005.php3
22. http://lwn.net/2002/0221/a/suse-cups.php3
23. http://lwn.net/alerts/Debian/DSA-110-1.php3
24. http://lwn.net/alerts/Mandrake/MDKSA-2002:015.php3
25. http://lwn.net/2002/0214/a/cert-snmp.php3
26. http://lwn.net/2002/0214/security.php3
27. http://lwn.net/2002/0228/a/el-sec.php3
28. http://lwn.net/alerts/Caldera/CSSA-2002-004.0.php3
29. http://lwn.net/alerts/Conectiva/CLA-2002:462.php3
30. http://lwn.net/alerts/Debian/DSA-111-1.php3
31. http://lwn.net/alerts/Mandrake/MDKSA-2002:014.php3
32. http://lwn.net/alerts/RedHat/RHSA-2001:163-20.php3
33. http://lwn.net/alerts/YellowDog/YDU-20020211-1.php3
34. http://lwn.net/2001/0726/security.php3#mtelnetd
35. http://lwn.net/alerts/HP/HPSBTL0202-023.php3
36. http://lwn.net/alerts/Caldera/CSSA-2001-030.0.php3
37. http://lwn.net/alerts/Conectiva/CLA-2001:413.php3
38. http://lwn.net/alerts/Debian/DSA-075-1.php3
39. http://lwn.net/alerts/Debian/DSA-075-2.php3
40. http://lwn.net/alerts/Mandrake/MDKSA-2001:068.php3
41. http://lwn.net/alerts/Mandrake/MDKSA-2001:093.php3
42. http://lwn.net/alerts/Progeny/PROGENY-SA-2001-27.php3
43. http://lwn.net/alerts/RedHat/RHSA-2001:099-09.php3
44. http://lwn.net/alerts/RedHat/RHSA-2001:099-06.php3
45. http://lwn.net/alerts/RedHat/RHSA-2001:099-06.php3
46. http://lwn.net/alerts/RedHat/RHSA-2001:100-02.php3
47. http://lwn.net/alerts/Slackware/sl-997726350.php3
48. http://lwn.net/alerts/SuSE/SuSE-SA:2001:029.php3
49. http://lwn.net/alerts/YellowDog/YDU-20010810-1.php3
50. http://lwn.net/alerts/YellowDog/YDU-20010810-2.php3
51. http://lwn.net/2002/0124/security.php3#uucp
52. http://lwn.net/alerts/Conectiva/CLA-2002:463.php3
53. http://lwn.net/alerts/HP/HPSBTL0201-018.php3
54. http://lwn.net/alerts/RedHat/RHSA-2001:165-08.php3
55. http://lwn.net/alerts/YellowDog/YDU-20020127-10.php3
56. http://www.it-director.com/article.php?id=2616
57. http://lwn.net/2002/0221/a/security-week.php3
58. http://lwn.net/2002/0221/a/advisory-watch.php3
59. http://www.rsaconference.com/
60. http://www.stosdarwin.org/
61. http://www.fc02.ai/
62. http://www.omg.org/news/meetings/docsec2002/call.htm
63. http://www.misti.com/northamerica.asp?page=4&subpage=2&disp=showconf&id=os02&region=1
64. http://www.sans.org/SANS2002.php
65. http://www.rubi-con.org/
66. http://www.TECHSEC.com/
67. http://www.pet2002.org/
68. http://www.cfp2002.org/
69. http://securityfocus.com/calendar
70. mailto:lwn@lwn.net
71. mailto:lwn@lwn.net
72. http://lwn.net/alerts/
73. http://www.astaro.com/products/index.html
74. http://bluelinux.sourceforge.net/
75. http://castle.altlinux.ru/
76. http://www.engardelinux.org/
77. http://www.immunix.org/
78. http://www.kaladix.org/
79. http://www.nsa.gov/selinux/
80. http://www.openwall.com/Owl/
81. http://www.trustix.com/
82. http://www.bastille-linux.org/
83. http://lsap.org/
84. http://lsm.immunix.org/
85. http://www.openssh.com/
86. http://www.securityfocus.com/archive/1
87. http://www.nfr.net/firewall-wizards/
88. http://www.jammed.com/Lists/ISN/
89. http://www.calderasystems.com/support/security/
90. http://www.conectiva.com.br/atualizacoes/
91. http://www.debian.org/security/
92. http://www.kondara.org/errata/k12-security.html
93. http://www.esware.com/actualizaciones.html
94. http://linuxppc.org/security/advisories/
95. http://www.linux-mandrake.com/en/fupdates.php3
96. http://www.redhat.com/support/errata/index.html
97. http://www.suse.de/security/index.html
98. http://www.turbolinux.com/security/
99. http://www.yellowdoglinux.com/resources/
100. http://www.BSDI.COM/services/support/patches/
101. http://www.freebsd.org/security/security.html
102. http://www.NetBSD.ORG/Security/
103. http://www.openbsd.org/security.html
104. http://www.calderasystems.com/support/forums/announce.html
105. http://www.cobalt.com/support/resources/usergroups.html
106. http://distro.conectiva.com.br/atualizacoes/
107. http://www.debian.org/MailingLists/subscribe
108. http://www.esware.com/lista_correo.html
109. http://www.freebsd.org/handbook/eresources.html#ERESOURCES-MAIL
110. http://www.kondara.org/mailinglist.html.en
111. http://l5web.laser5.co.jp/ml/ml.html
112. http://www.linuxfromscratch.org/services/mailinglistinfo.php
113. http://www.linux-mandrake.com/en/flists.php3
114. http://www.netbsd.org/MailingLists/
115. http://www.openbsd.org/mail.html
116. http://www.redhat.com/mailing-lists/
117. http://www.slackware.com/lists/
118. http://www.stampede.org/mailinglists.php3
119. http://www.suse.com/en/support/mailinglists/index.html
120. http://www.trustix.net/support/
121. http://www.turbolinux.com/mailman/listinfo/tl-security-announce
122. http://lists.yellowdoglinux.com/ydl_updates.shtml
123. http://munitions.vipul.net/
124. http://www.zedz.net/
125. http://www.cert.org/nav/alerts.html
126. http://ciac.llnl.gov/ciac/
127. http://www.MountainWave.com/
128. http://www.counterpane.com/crypto-gram.html
129. http://linuxlock.org/
130. http://linuxsecurity.com/
131. http://www.securityfocus.com/
132. http://www.securityportal.com/
133. http://lwn.net/2002/0221/kernel.php3
134. http://www.eklektix.com/
135. http://www.eklektix.com/
--- ifmail v.2.14.os7-aks1
* Origin: Unknown (2:4615/71.10@fidonet)