ru.linux- RU.LINUX --------------------------------------------------------------------- From : Sergey Lentsov 2:4615/71.10 25 Oct 2001 16:45:25 To : All Subject : URL: http://www.lwn.net/2001/1025/security.php3 --------------------------------------------------------------------------------
See also: [13]last week's Security page.
Security
News and Editorials
A couple of responses to Scott Culp. As might be expected, the
[14]"information anarchy" essay by Microsoft's Scott Culp drew some
responses. We'll pass on a couple of them. Here's [15]Eric Raymond's
response, written in Eric's typical style.
Cryptographers and security experts have known for years that peer
review of open source code is the only reliable way to verify the
effectiveness of encryption systems and other security software. So
Microsoft's closed-source mode of development guarantees that
customers will continue getting cracked and Microsoft will continue
pointing the finger of blame everywhere except where it actually
belongs.
Elias Levy, meanwhile, responded in [16]this SecurityFocus article.
A successful attacker requires three things: the opportunity to
launch an attack, the capacity to successfully execute the attack,
and the motivation to attack. An opportunity to launch an attack
requires a vulnerable system and an access path to the system. The
capability to successfully execute the attack requires knowledge of
the vulnerability and the tools to exploit it. Proponents of the
information dictatorship argument are targeting the second
requirement of a successful attacker: his capability to launch an
attack. This approach to the problem of computer security is
flawed, and can only fail.
Overall, there has been a distinct lack of people rushing out to back
up Microsoft's view on security disclosure. Even people who are
uncomfortable with those who circulate exploit tools have remained
quiet.
Make sure your ssh is current. Here's [17]a NewsBytes article on a new
ssh exploit going around.
In its February advisory, Bindview stated that it was aware of no
working exploits for the overflow flaw in the SSH daemon. But last
week, rumors spread in the hacker underground that scripts were
available to gain "root" or system-level access to vulnerable
systems. And in recent days, system operators have posted reports
on security mailing lists saying they are receiving remote scans
from attackers attempting to locate vulnerable systems running SSH.
There has been little in the way of confirmation of this exploit from
any other source. Nonetheless, now would be a good time to check
ssh/OpenSSH installations and make sure they are current; the flaw in
question is the overflow in the CRC32 compensation attack detector that
Bindview reported in February, so any sshd old enough to carry it should
be upgraded whether or not this particular exploit turns out to be real.
A remote root exploit based on ssh is the sort of thing of which extreme
nastiness (i.e., horrific Linux-based worms) is made.
Security Reports
Two kernel security bugs explained. Here is [18]Rafal Wojtczuk's
explanation (from Bugtraq) of the two security bugs found in recent
Linux kernels. They are:
* Through the use of properly constructed chains of symbolic links,
a local attacker can make the kernel spend a very long time resolving
a single path, locking it up and thus creating a denial of service.
* With the proper use of a setuid binary, the ptrace() system call
can be fooled into tracing another setuid program, and thus into
executing arbitrary code as root.
The second attack can be defeated on many Linux systems by getting rid
of the newgrp binary (or at least its setuid bit), which is normally of
little use anyway; that is a workaround, not a fix. The real fix is to
run the 2.4.12 (or later) kernel.
Note that there are, apparently, some other kernel security issues out
there that have not, yet, been explained publicly.
Updates seen so far:
* [19]Caldera (October 18, 2001)
* [20]EnGarde (October 19, 2001)
* [21]Immunix (October 19, 2001)
* [22]Openwall Linux (October 18, 2001).
* [23]Red Hat (October 18, 2001)
* [24]Trustix (October 19, 2001)
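A host check for the two bugs above, written for this page as an added example (it is not Rafal Wojtczuk's code and not anything from the kernel tree): it compares the running kernel's version against 2.4.12, the fixed release named above, and lists setuid-root binaries so that newgrp can be found and neutralised in the meantime. The version parsing, the directories scanned and the wording of the report are this example's own assumptions.

```python
"""Check a host for the two 2.4 kernel bugs described above (added example).

Assumed, not from the page: the kernel version comes from platform.release()
(the same string as `uname -r`), and setuid binaries are looked for under the
usual system directories. 2.4.12 is the fixed release named on the page.
"""
import os
import platform
import re
import stat

FIXED_KERNEL = (2, 4, 12)
DEFAULT_DIRS = ('/bin', '/sbin', '/usr/bin', '/usr/sbin')


def parse_version(release):
    """'2.4.10-ac12' -> (2, 4, 10); anything after the numeric part is ignored."""
    m = re.match(r'(\d+)\.(\d+)(?:\.(\d+))?', release)
    if not m:
        raise ValueError(f'unrecognised kernel version: {release!r}')
    return tuple(int(x or 0) for x in m.groups())


def kernel_needs_update(release, fixed=FIXED_KERNEL):
    """True when the running kernel predates the fixed release."""
    return parse_version(release) < fixed


def find_setuid(dirs, uid=None):
    """Sorted paths of regular files with the setuid bit set under `dirs`.

    uid=0 restricts the result to root-owned binaries, the ones that matter
    for the ptrace bug; uid=None lists every setuid file found.
    """
    found = []
    for top in dirs:
        for dirpath, _subdirs, filenames in os.walk(top):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: never follow symlinks here
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                    continue
                if uid is None or st.st_uid == uid:
                    found.append(path)
    return sorted(found)


def report(dirs=DEFAULT_DIRS, release=None):
    """Findings as a list of lines (returned, not printed, so callers can test them)."""
    release = release or platform.release()
    fixed = '.'.join(str(n) for n in FIXED_KERNEL)
    vulnerable = kernel_needs_update(release)
    lines = []
    if vulnerable:
        lines.append(f'kernel {release} is older than {fixed}: symlink DoS and ptrace bugs are present')
    else:
        lines.append(f'kernel {release} is {fixed} or later')
    suid_root = find_setuid(dirs, uid=0)
    newgrp = [p for p in suid_root if os.path.basename(p) == 'newgrp']
    if vulnerable and newgrp:
        lines.append('newgrp is setuid root (' + ', '.join(newgrp)
                     + '): remove it or chmod u-s it until the kernel is upgraded')
    lines.append(f'{len(suid_root)} setuid-root binaries under {", ".join(dirs)}')
    return lines


if __name__ == '__main__':
    print('\n'.join(report()))
```

Run it as root on a 2.4 box to get the real list; the setuid scan is the useful part even after the upgrade, since every setuid-root binary is a candidate for the next bug of this shape.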
Two bugs with apache. Apache 1.3.22 fixes a couple of minor issues
with the apache web server. The "split-logfile" program can be used to
overwrite any file that is writable by the web server account, and
which ends in ".log". That script tends not to be shipped with most
Linux distributions. The other vulnerability could lead to the
delivery of undesired directory listings in some situations.
Updates seen so far:
* [25]Conectiva (October 18, 2001)
* [26]EnGarde (October 19, 2001)
Debian security update to nvi. The Debian Project has released [27]a
security update to nvi fixing "a very stupid format string
vulnerability" in that package. "Even if we don't believe that this
could lead to somebody gaining access to another user's account if he
hasn't lost his brain, we recommend that you upgrade your nvi packages."
gftp can expose passwords. The Debian Project has put out [28]an
update to gftp fixing a problem in that package: it displays login
passwords in plain text. In the interest of thwarting shoulder
surfers, applying the update is probably a good idea.
A pile of Debian security alerts. Here's another set of alerts which
have come out of Debian in the last week:
* [29]w3m, buffer overflow problem, with a possible remote exploit.
(Update: it seems that [30]there is no PowerPC version of this
patch available; PowerPC users are advised to avoid w3m.)
* [31]xvt, locally-exploitable buffer overflow.
* [32]procmail, signal handling problem with possible local exploit.
The project has also [33]appointed two security secretaries, Matt
Zimmerman and Noah Meyerhans, to help coordinate security response.
Denial of service in 6tunnel. The 6tunnel utility, used for IPv6
tunneling, [34]has a denial of service vulnerability that allows an
attacker to cause the 6tunnel server to crash. Affected users should
upgrade to version 0.09 or later.
Proprietary products.
The following proprietary products were reported to contain
vulnerabilities:
* A [35]set of three vulnerabilities has been reported with Oracle,
including one which can be exploited to overwrite files.
Updates
Configuration file vulnerability in ht://Dig. The ht://Dig search
engine contains a vulnerability which allows a remote user to specify
an alternate configuration file. If that user is able to place a
suitable file in a location where ht://Dig can read it, the system may
be compromised. See [36]the original report from the ht://Dig project
for details. This vulnerability first appeared in [37]the October 11
LWN security page.
This week's updates:
* [38]SuSE (October 24, 2001)
Previous updates:
* [39]Conectiva (October 10, 2001)
* [40]Debian (October 17, 2001)
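The split-logfile bug above and this ht://Dig one have the same shape: a string the client controls (the virtual-host field of a log line; a request parameter naming a configuration file) is turned into a file name. The page describes neither program's parsing nor the fix each adopted, so the following is an added example written for this page, not code from Apache or ht://Dig: one confinement check that accepts only a hostname-like token and proves the resulting path stays inside the intended directory, used once as a log splitter and once as a config lookup. The log lines are constructed.

```python
"""Confining a client-supplied name to one directory and one suffix (added example).

Not from the page: the regex, the normpath containment check and the two
small callers are this example's own. Sample log lines are constructed.
"""
import posixpath
import re

# A virtual host is a DNS name: dot-separated labels of [A-Za-z0-9-].
_LABEL = r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
_HOSTNAME = re.compile(r'^(?:%s\.)*%s$' % (_LABEL, _LABEL))


class UnsafeName(ValueError):
    pass


def confine(base_dir, name, suffix):
    """Return base_dir/name+suffix, or raise UnsafeName.

    The whitelist regex already excludes '/', '\\', '..', NUL, spaces and
    '%' escapes; the containment check is a second line of defence in case
    the regex is ever loosened.
    """
    if not name or not _HOSTNAME.match(name):
        raise UnsafeName('rejected name %r' % name)
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, name + suffix))
    if posixpath.dirname(target) != base:
        raise UnsafeName('%r escapes %r' % (target, base))
    return target


def is_safe(base_dir, name, suffix):
    """Boolean form of confine() for callers that only want a verdict."""
    try:
        confine(base_dir, name, suffix)
        return True
    except UnsafeName:
        return False


def split_log(lines, log_dir):
    """split-logfile shape: group vhost-prefixed lines by output file.

    Returns (targets, rejected): targets maps each output path to its
    lines; rejected lists every vhost field that was refused.
    """
    targets, rejected = {}, []
    for line in lines:
        vhost, _sep, rest = line.partition(' ')
        try:
            path = confine(log_dir, vhost.lower(), '.log')
        except UnsafeName:
            rejected.append(vhost)
            continue
        targets.setdefault(path, []).append(rest)
    return targets, rejected


def config_path(conf_dir, requested):
    """ht://Dig shape: map a request parameter to a config file, or raise."""
    return confine(conf_dir, requested, '.conf')


SAMPLE = [  # constructed for this example, not real traffic
    'www.example.com 192.0.2.10 - - [25/Oct/2001:16:45:25 +0000] "GET / HTTP/1.0" 200 1234',
    'www.example.com 192.0.2.11 - - [25/Oct/2001:16:45:26 +0000] "GET /a HTTP/1.0" 404 0',
    '../../../../tmp/evil 198.51.100.7 - - [25/Oct/2001:16:45:27 +0000] "GET / HTTP/1.0" 200 0',
    'shop.example.org 192.0.2.12 - - [25/Oct/2001:16:45:28 +0000] "GET /x HTTP/1.0" 200 99',
]

if __name__ == '__main__':
    targets, rejected = split_log(SAMPLE, '/var/log/apache/vhosts')
    for path, entries in sorted(targets.items()):
        print(path, len(entries))
    print('rejected:', rejected)
```

When the target is then opened for writing, open it with O_NOFOLLOW (or check that it is not a symlink) as well: name confinement stops traversal, but a symlink planted inside the log directory by the web server account is a separate way to reach another file.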
OpenSSH restricted host vulnerability. Versions of OpenSSH prior to
2.9.9 have a vulnerability that can allow logins from hosts which have
been explicitly denied access. The fix is to upgrade to [41]OpenSSH
2.9.9. This problem first appeared in [42]the October 4 LWN security
page.
This week's updates:
* [43]Immunix (October 17, 2001)
* [44]Red Hat (October 19, 2001) (Adds support for version 7.2).
Previous updates:
* [45]Mandrake (October 16, 2001)
* [46]Red Hat (October 9, 2001)
* [47]Trustix (October 17, 2001)
SQL injection vulnerabilities in Apache authentication modules.
Several Apache authentication modules have vulnerabilities that could
allow an attacker to feed arbitrary SQL code to the underlying
database, resulting in a compromise of database integrity and
unauthorized access to the server. See [48]the September 6 security
page for more information.
New updates:
* [49]Red Hat (October 23, 2001) (mod_auth_pgsql)
Previous updates:
* [50]Conectiva (September 28, 2001) (mod_auth_pgsql)
* [51]Conectiva (September 6, 2001) (mod_auth_mysql)
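The advisories do not show the modules' queries, so here is the pattern in miniature, as an added example written for this page rather than code from mod_auth_mysql or mod_auth_pgsql: the same lookup built by pasting the request's username into SQL text, and built with bound parameters. The table, the hashing and the two injected usernames are this example's own; sqlite3 stands in for the real database because the point is the query construction, not the server.

```python
"""Authentication query by string pasting vs. bound parameters (added example).

Not from the page: the schema, the sha256 stand-in for the modules' password
hashing, and the sample users are constructed for this demonstration.
"""
import hashlib
import sqlite3


def _hash(pw):
    # The real modules compare crypt()/MD5 hashes; any one-way hash shows the shape.
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db():
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)')
    db.executemany('INSERT INTO users VALUES (?, ?)',
                   [('alice', _hash('correct horse')), ('admin', _hash('s3cret'))])
    return db


def auth_vulnerable(db, user, password):
    """User data becomes part of the SQL text: this is the injection point."""
    sql = "SELECT name FROM users WHERE name = '%s' AND pw_hash = '%s'" % (user, _hash(password))
    return db.execute(sql).fetchone() is not None


def auth_fixed(db, user, password):
    """Same query; user data travels as bound parameters and is never parsed as SQL."""
    sql = 'SELECT name FROM users WHERE name = ? AND pw_hash = ?'
    return db.execute(sql, (user, _hash(password))).fetchone() is not None


def demo():
    """(username, vulnerable verdict, fixed verdict) for four constructed logins."""
    db = make_db()
    cases = [
        ('alice', 'correct horse'),   # legitimate login
        ('alice', 'wrong'),           # wrong password
        ("admin' --", 'anything'),    # '--' comments out the password check
        ("' OR 1=1 --", 'anything'),  # always-true predicate, password check gone
    ]
    return [(u, auth_vulnerable(db, u, p), auth_fixed(db, u, p)) for u, p in cases]


if __name__ == '__main__':
    for user, vuln, fixed in demo():
        print('%-16r vulnerable=%-5s fixed=%s' % (user, vuln, fixed))
```

Note that hashing the password does nothing for the username field: the attacker never needs to know a password once the predicate that checks it can be commented out.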
Squid httpd acceleration ACL vulnerability. This vulnerability could
result in unauthorized access to the squid server. See the [52]July 26
Security page for details.
This week's updates:
* [53]Red Hat (October 16, 2001) (adds an updated package for 7.2).
Previous updates:
* [54]Yellow Dog (July 25, 2001)
* [55]Caldera (August 9)
* [56]Linux-Mandrake (August 2)
* [57]Immunix (July 26)
* [58]Trustix (July 26)
* [59]Red Hat (July 26)
Improper credentials from login. A problem with the login program (in
the util-linux package) can, in some situations, cause a user to be
given the credentials of another user at login. Use of the pam_limits
module, in particular, can bring about this problem. In general,
distributions using the default PAM configuration are not vulnerable;
an upgrade is probably a good idea anyway. This problem was first
reported in [60]the October 18 LWN security page.
This week's updates:
* [61]Red Hat (October 16, 2001) (Adds an update for version 7.2).
* [62]SuSE (October 23, 2001) (Doesn't use util-linux login, but
vulnerable anyway).
Previous updates:
* [63]Red Hat (October 16, 2001)
* [64]Trustix (October 17, 2001)
Security audit of xinetd and resulting fixes. Solar Designer has
performed an extensive audit of xinetd, looking for certain types of
security vulnerabilities. So many problems were found in the code that
the resulting patch weighed in at over 100KB. This patch was only
fully merged as of xinetd 2.3.3. See [65]the September 6, 2001 LWN
security page for the initial report.
This week's updates:
* [66]EnGarde (October 19, 2001)
Previous updates:
* [67]Immunix (August 29, 2001)
* [68]Mandrake (August 31, 2001)
* [69]Red Hat (September 7, 2001)
Resources
LinuxSecurity.com has put out its [70]Linux Advisory Watch and
[71]Linux Security Week postings, as usual.
Events
Upcoming Security Events.
November 5 - 8, 2001: [72]8th ACM Conference on Computer and Communication Security (CCS-8), Philadelphia, PA, USA
November 13 - 15, 2001: [73]International Conference on Information and Communications Security (ICICS 2001), Xian, China
November 19 - 22, 2001: [74]Black Hat Briefings, Amsterdam
November 21 - 23, 2001: [75]International Information Warfare Symposium, AAL, Lucerne, Switzerland
November 24 - 30, 2001: [76]Computer Security Mexico, Mexico City
November 29 - 30, 2001: [77]International Cryptography Institute, Washington, DC
December 2 - 7, 2001: [78]LISA 2001, 15th Systems Administration Conference, San Diego, CA
December 5 - 6, 2001: [79]InfoSecurity Conference & Exhibition, Jacob K. Javits Center, New York, NY
December 10 - 14, 2001: [80]Annual Computer Security Applications Conference, New Orleans, LA
For additional security-related events, including training courses
(which we don't list above) and events further in the future, check
out Security Focus' [81]calendar, one of the primary resources we use
for building the above list. To submit an event directly to us, please
send a plain-text message to [82]lwn@lwn.net.
Section Editor: [83]Jonathan Corbet
October 25, 2001
[146]Eklektix, Inc. Linux powered! Copyright © 2001 [147]Eklektix, Inc., all rights reserved
Linux (R) is a registered trademark of Linus Torvalds
References
1. http://lwn.net/
2. http://ads.tucows.com/click.ng/pageid=001-012-132-000-000-002-000-000-012
3. http://lwn.net/2001/1025/
4. http://lwn.net/2001/1025/kernel.php3
5. http://lwn.net/2001/1025/dists.php3
6. http://lwn.net/2001/1025/devel.php3
7. http://lwn.net/2001/1025/commerce.php3
8. http://lwn.net/2001/1025/press.php3
9. http://lwn.net/2001/1025/announce.php3
10. http://lwn.net/2001/1025/history.php3
11. http://lwn.net/2001/1025/letters.php3
12. http://lwn.net/2001/1025/bigpage.php3
13. http://lwn.net/2001/1018/security.php3
14. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/noarch.asp
15. http://lwn.net/2001/1025/a/esr-culp.php3
16. http://www.securityfocus.com/news/270
17. http://www.newsalert.com/bin/story?StoryId=Co85tWc4bmdaWmZC
18. http://lwn.net/2001/1025/a/kernel-sec-bugs.php3
19. http://lwn.net/alerts/Caldera/CSSA-2001-036.0.php3
20. http://lwn.net/alerts/EnGarde/ESA-20011019-02.php3
21. http://lwn.net/alerts/Immunix/IMNX-2001-70-035-01.php3
22. http://lwn.net/2001/1025/a/owl-kernel.php3
23. http://lwn.net/alerts/RedHat/RHSA-2001:129-05.php3
24. http://lwn.net/alerts/Trustix/2001-0028.php3
25. http://lwn.net/alerts/Conectiva/CLA-2001:430.php3
26. http://lwn.net/alerts/EnGarde/ESA-20011019-01.php3
27. http://lwn.net/alerts/Debian/DSA-085-1.php3
28. http://lwn.net/alerts/Debian/DSA-084-1.php3
29. http://lwn.net/alerts/Debian/DSA-081-1.php3
30. http://lwn.net/alerts/Debian/DSA-081-2.php3
31. http://lwn.net/alerts/Debian/DSA-082-1.php3
32. http://lwn.net/alerts/Debian/DSA-083-1.php3
33. http://lwn.net/2001/1025/a/debian-sec-sec.php3
34. http://lwn.net/2001/1025/a/6tunnel.php3
35. http://lwn.net/2001/1025/a/oracle.php3
36. http://lwn.net/2001/1011/a/htdig.php3
37. http://lwn.net/2001/1011/security.php3#htdig
38. http://lwn.net/alerts/SuSE/SuSE-SA:2001:035.php3
39. http://lwn.net/alerts/Conectiva/CLA-2001:429.php3
40. http://lwn.net/alerts/Debian/DSA-080-1.php3
41. http://lwn.net/2001/1004/a/openssh.php3
42. http://lwn.net/2001/1004/security.php3#openssh
43. http://lwn.net/alerts/Immunix/IMNX-2001-70-034-01.php3
44. http://lwn.net/alerts/RedHat/RHSA-2001:114-05.php3
45. http://lwn.net/alerts/Mandrake/MDKSA-2001:081.php3
46. http://lwn.net/alerts/RedHat/RHSA-2001:114-04.php3
47. http://lwn.net/alerts/Trustix/2001-0023.php3
48. http://lwn.net/2001/0906/security.php3
49. http://lwn.net/alerts/RedHat/RHSA-2001:124-04.php3
50. http://lwn.net/alerts/Conectiva/CLA-2001:427.php3
51. http://lwn.net/alerts/Conectiva/CLA-2001:421.php3
52. http://lwn.net/2001/0726/security.php3#squid
53. http://lwn.net/alerts/RedHat/RHSA-2001:113-03.php3
54. http://lwn.net/alerts/YellowDog/YDU-20010725-14.php3
55. http://lwn.net/2001/0809/a/caldera-squid.php3
56. http://lwn.net/2001/0802/a/lm-squid.php3
57. http://lwn.net/2001/0726/a/imm-squid.php3
58. http://lwn.net/2001/0726/a/trustix-squid.php3
59. http://lwn.net/2001/0726/a/rh-squid.php3
60. http://lwn.net/2001/1018/security.php3#pam
61. http://lwn.net/alerts/RedHat/RHSA-2001:132-04.php3
62. http://lwn.net/alerts/SuSE/SuSE-SA:2001:034.php3
63. http://lwn.net/alerts/RedHat/RHSA-2001:132-03.php3
64. http://lwn.net/alerts/Trustix/2001-0025.php3
65. http://lwn.net/2001/0906/security.php3#xinetd
66. http://lwn.net/alerts/EnGarde/ESA-20011019-03.php3
67. http://lwn.net/alerts/Immunix/IMNX-2001-70-033-01.php3
68. http://lwn.net/alerts/Mandrake/MDKSA-2001:076.php3
69. http://lwn.net/alerts/RedHat/RHSA-2001:109-05.php3
70. http://lwn.net/2001/1025/a/advisory-watch.php3
71. http://lwn.net/2001/1025/a/security-week.php3
72. http://www.bell-labs.com/user/reiter/ccs8/
73. http://homex.coolconnect.com/member2/icisa/icics2001.html
74. http://www.blackhat.com/
75. http://www.sympinfowarfare.ch/
76. http://www.seguridad2001.unam.mx/
77. http://www.nipli.org/isse/events/2001/cryptography
78. http://www.usenix.org/events/lisa2001/
79. http://www.infosecurityevent.com/
80. http://www.acsac.org/
81. http://securityfocus.com/calendar
82. mailto:lwn@lwn.net
83. mailto:lwn@lwn.net
84. http://ads.tucows.com/click.ng/buttonpos=lwnbuttonsecurity
85. http://lwn.net/alerts/
86. http://www.astaro.com/products/index.html
87. http://bluelinux.sourceforge.net/
88. http://castle.altlinux.ru/
89. http://www.engardelinux.org/
90. http://www.immunix.org/
91. http://www.kaladix.org/
92. http://www.nsa.gov/selinux/
93. http://www.openwall.com/Owl/
94. http://www.trustix.com/
95. http://www.bastille-linux.org/
96. http://lsap.org/
97. http://lsm.immunix.org/
98. http://www.openssh.com/
99. http://www.securityfocus.com/bugtraq/archive/
100. http://www.nfr.net/firewall-wizards/
101. http://www.jammed.com/Lists/ISN/
102. http://www.calderasystems.com/support/security/
103. http://www.conectiva.com.br/atualizacoes/
104. http://www.debian.org/security/
105. http://www.kondara.org/errata/k12-security.html
106. http://www.esware.com/actualizaciones.html
107. http://linuxppc.org/security/advisories/
108. http://www.linux-mandrake.com/en/fupdates.php3
109. http://www.redhat.com/support/errata/index.html
110. http://www.suse.de/security/index.html
111. http://www.yellowdoglinux.com/resources/errata.shtml
112. http://www.BSDI.COM/services/support/patches/
113. http://www.freebsd.org/security/security.html
114. http://www.NetBSD.ORG/Security/
115. http://www.openbsd.org/security.html
116. http://www.calderasystems.com/support/forums/announce.html
117. http://www.cobalt.com/support/resources/usergroups.html
118. http://distro.conectiva.com.br/atualizacoes/
119. http://www.debian.org/MailingLists/subscribe
120. http://www.esware.com/lista_correo.html
121. http://www.freebsd.org/handbook/eresources.html#ERESOURCES-MAIL
122. http://www.kondara.org/mailinglist.html.en
123. http://l5web.laser5.co.jp/ml/ml.html
124. http://www.linuxfromscratch.org/services/mailinglistinfo.php
125. http://www.linux-mandrake.com/en/flists.php3
126. http://www.netbsd.org/MailingLists/
127. http://www.openbsd.org/mail.html
128. http://www.redhat.com/mailing-lists/
129. http://www.slackware.com/lists/
130. http://www.stampede.org/mailinglists.php3
131. http://www.suse.com/en/support/mailinglists/index.html
132. http://www.trustix.net/support/
133. http://www.turbolinux.com/mailman/listinfo/tl-security-announce
134. http://lists.yellowdoglinux.com/ydl_updates.shtml
135. http://munitions.vipul.net/
136. http://www.zedz.net/
137. http://www.cert.org/nav/alerts.html
138. http://ciac.llnl.gov/ciac/
139. http://www.MountainWave.com/
140. http://www.counterpane.com/crypto-gram.html
141. http://linuxlock.org/
142. http://linuxsecurity.com/
143. http://www.securityfocus.com/
144. http://www.securityportal.com/
145. http://lwn.net/2001/1025/kernel.php3
146. http://www.eklektix.com/
147. http://www.eklektix.com/
--- ifmail v.2.14.os7-aks1
* Origin: Unknown (2:4615/71.10@fidonet)