RU.LINUX
From    : Sergey Lentsov 2:4615/71.10    22 Mar 2001 18:11:20
To      : All
Subject : URL: http://lwn.net/2001/0322/security.php3
See also: [14]last week's Security page.
Security
News and Editorials
Honeynet Forensic Challenge results posted. The [15]Honeynet Project
Forensic Challenge was launched on January 15. Its purpose was to let
security investigators show off their forensic skills, to get useful
forensic techniques published, and to show just how difficult and
expensive responding to a security incident really is. Contestants were
given a set of disk images taken from a compromised system; their task
was to work out how the system was broken into, where the attack came
from, and what changes had been made to it. Anybody who has ever had to
go through this process knows how little fun it really is.
The contest is now over, and [16]an announcement has gone out with the
results. Thirteen submissions came in and were judged, and three of
them were considered good enough to win - the winners will get a
T-shirt and a book for their efforts.
That's a pretty small payback, given that the participants spent
34 hours each on this project. That is one of the big points this
challenge was designed to make: recovering from this sort of incident
generally takes a week of a professional's time. Security incidents,
in other words, are expensive, even when the perpetrator does no real
damage.
Recovery is also not a sure thing - nearly every participant in the
challenge found at least one thing that was passed over by the other
teams. Modern computing systems are complicated things; it's not easy
to find every single change made by a hostile intruder. It's hard
enough, after all, to get a handle on what the person in the next
cubicle has done.
Much security-related effort goes into prevention techniques -
passwords, encryption, firewalls, etc. Interest in intrusion detection
technologies is growing as well. Counterpane is pushing insurance
policies (see next item). But recovery from compromises receives a
relatively small amount of attention. We would not like to hazard a
guess as to what percentage of system administrators will be faced
with a recovery task at some point in their careers, but one would
presume it is high. The Honeynet Project is doing a great service by
focusing some attention on that aspect of the problem. After all, many
of us are going to have a mess to clean up, sooner or later.
A bug in PGP? A company called ICZ has [17]put out a press release
claiming that a serious bug has been found in PGP. Essentially, a flaw
in the format PGP uses to store private keys makes it possible, under
some conditions, to decrypt a message without knowing the recipient's
private key.
This sounds scary, but it is a very hard vulnerability to exploit: it
requires that the attacker be able to modify the file containing the
victim's private key (the tampered key then leaks the real private key
through a signature the victim later makes with it). Somebody with that
level of access can probably come up with more straightforward ways to
get at the desired information. Still, it could be a useful technique
for some sorts of "black bag" job perpetrated by well-funded,
inquisitive agencies. So it is worth fixing, but most PGP users need
not panic.
March CRYPTO-GRAM newsletter. Bruce Schneier's [18]CRYPTO-GRAM
newsletter for March is out. It has, if anything, more than the usual
amount of interesting news from the security area, including
discussions of the "security patch treadmill," how network security
will be an insurance company issue in the future, the new crypto
scheme out of Harvard, the TCP/IP sequence number problem, and more.
On insurance:
What will happen when the CFO looks at his premium and realizes
that it will go down 50% if he gets rid of all his insecure Windows
operating systems and replaces them with a secure version of Linux?
The choice of which operating system to use will no longer be 100%
technical. Microsoft, and other companies with shoddy security,
will start losing sales because companies don't want to pay the
insurance premiums.
Those who prefer it can also read this issue [19]on the Counterpane
site. (Thanks to Jose Nazario).
Passive analysis attacks on ssh. Here's a bit of a disturbing item:
Solar Designer has posted [20]a lengthy writeup on a number of
"passive analysis" attacks on the ssh protocols which can make it much
easier to break users' passwords. It's amazing how hard it can be to
get these things right. Most ssh users need not panic at the moment,
but it is good to know that these problems exist. Patches for a number
of the vulnerabilities are included with the report.
XFree86 4.0.3 - time to dump version 3.x. Here's [21]a note from
Andrew van der Stock on XFree86 4.0.3, and, in particular, on the
various security bugs that have been fixed in that release. The list
of fixes is growing, to the point that it is really getting to be time
to upgrade any systems still using XFree86 3.x.
Security Reports
Denial-of-service vulnerability in FTP server implementations. [22]A
report went out this week on a way to tie up a number of FTP servers.
Essentially, it takes nothing more than a line like:
ftp> ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
The server will then go off for a very long time trying to expand this
wildcard pattern: each "*" matches every entry in the directory and
each ".." steps straight back into it, so the number of candidate paths
grows as a power of the directory's size.
FTP servers known to be vulnerable include ProFTPd, NetBSD FTP,
PureFTPd (to some variants on this attack), BeroFTPD, and FreeBSD FTP.
Known not vulnerable are wu-ftpd and publicfile.
This bug was publicly posted with essentially no notice to the
maintainers of the various FTP daemons, which annoyed a number of
people. The poster is also the author of PureFTPd, so it was with some
relish that others [23]pointed out that PureFTPd, too, was vulnerable
to a form of this attack.
[24]An advisory for ProFTPd has gone out. There is not, however, a
patch available at this time; the advisory simply suggests a
configuration change to minimize vulnerability to the problem.
It has been [25]noted that the real problem could be said to lie
elsewhere - simply typing the above "ls" command at a shell prompt
will cause, at best, a long delay and a lot of disk rattling. But the
problem gets worse, of course, when it is made available to anonymous
remote users.
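To make the cost concrete, here is an added example (not code from the report, the advisory or any of the FTP daemons named above) that runs a deliberately naive glob, in the spirit of a libc glob(3) called without a match limit, over a small constructed in-memory directory tree and counts the work the "*/../*/../*" pattern causes. It also shows two mitigations: a per-request expansion budget, the approach the BSD libc glob(3) exposes as its GLOB_LIMIT flag, and a request-time pattern filter in the spirit of the configuration change the ProFTPd advisory suggests. The tree, the budget values and the bound of four wildcards are illustrative assumptions, not values taken from any advisory.

```python
"""Added illustration of the FTP wildcard-expansion denial of service.

A naive glob, in the spirit of a libc glob(3) called without any match
limit, walks an in-memory directory tree: '*' enumerates every entry of
the current directory and '..' steps back up, so every '*/..' pair
multiplies the number of partial matches by the directory's fan-out
without ever leaving that directory.  The tree, the budget values and
the wildcard bound are constructed/assumed for this example.
"""


def make_tree(fanout, depth):
    """Constructed directory tree: each directory holds `fanout`
    subdirectories, nested `depth` levels deep; leaves are empty dirs."""
    if depth == 0:
        return {}
    return {"d%d" % i: make_tree(fanout, depth - 1) for i in range(fanout)}


def _lookup(tree, path):
    node = tree
    for name in path:
        node = node[name]
    return node


class GlobBudgetExceeded(Exception):
    """A pattern examined more directory entries than the server allows."""


def naive_glob(tree, pattern, budget=None):
    """Expand `pattern` against `tree`.

    Returns (matches, work), where `work` is the number of directory
    entries examined.  budget=None behaves like an unlimited glob(3);
    with a budget the request is aborted once it has cost more than its
    share, which is what a GLOB_LIMIT-style flag buys an FTP daemon.
    """
    components = [c for c in pattern.split("/") if c]
    matches, work = [], 0
    pending = [((), 0)]          # (path so far, index of next component)
    while pending:
        path, idx = pending.pop()
        if idx == len(components):
            matches.append("/".join(path) or ".")
            continue
        comp = components[idx]
        if comp == "..":
            pending.append((path[:-1], idx + 1))
        elif comp == "*":
            for name in _lookup(tree, path):
                work += 1
                if budget is not None and work > budget:
                    raise GlobBudgetExceeded(
                        "%r examined more than %d entries" % (pattern, budget))
                pending.append((path + (name,), idx + 1))
        elif comp in _lookup(tree, path):
            pending.append((path + (comp,), idx + 1))
    return matches, work


def within_budget(tree, pattern, budget):
    """True if `pattern` can be fully expanded without exceeding `budget`."""
    try:
        naive_glob(tree, pattern, budget)
        return True
    except GlobBudgetExceeded:
        return False


def cost_of_attack(fanout, repeats):
    """(matches, work) for '*/../' repeated `repeats` times followed by a
    final '*', against a directory holding `fanout` entries.  Matches grow
    as fanout ** (repeats + 1)."""
    tree = make_tree(fanout, 1)
    matches, work = naive_glob(tree, "*/../" * repeats + "*")
    return len(matches), work


MAX_WILDCARDS = 4     # illustrative bound, not a value from any advisory


def pattern_allowed(pattern, max_wildcards=MAX_WILDCARDS):
    """Request-time filter in the spirit of the advisory's configuration
    workaround: refuse, before glob() ever runs, patterns that chain more
    than a few wildcard components or that combine wildcards with '..'."""
    comps = [c for c in pattern.split("/") if c]
    wild = sum(1 for c in comps if any(ch in c for ch in "*?["))
    if wild > max_wildcards:
        return False
    if ".." in comps and wild > 1:
        return False
    return True


if __name__ == "__main__":
    for r in range(1, 5):
        print("%d repeats -> %d matches, %d entries read"
              % ((r,) + cost_of_attack(10, r)))
    print(pattern_allowed("*.tar.gz"), pattern_allowed("*/../*/../*"))
```

With a ten-entry directory, each extra "*/../" multiplies the result by ten, so the 13-wildcard line from the report asks for 10^13 pathnames from a directory of ten files; the budget stops that at whatever the server decides one request is worth, and the pattern filter refuses it without doing any work at all. Note that the filter alone is the weaker fix: a pattern such as "*/*/*/*" inside a deep tree is still expensive, which is why a limit inside the expansion is what the daemons eventually need.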
Format string vulnerability in mutt. The mutt mailer contains a format
string vulnerability which may be remotely exploited by a hostile IMAP
server. Updates seen so far include:
* [26]Conectiva
* [27]Immunix (which provides mutt only in the "unsupported"
directory).
* [28]Linux-Mandrake
* [29]Red Hat
* [30]Trustix
licq URL checking problem. MandrakeSoft has issued [31]a security
update to licq fixing what appears to be a new problem in that
package. It seems that URLs passed to licq are passed on to the web
browser with no sanity checking; the result is that an attacker can
send commands to be executed on the victim's system. This, needless to
say, is not good. Those with licq running on their systems are
encouraged to upgrade.
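The licq item above describes the classic shape of this bug, but not its code; the following is an added example, not licq's own source or its patch, showing the pattern and the fix side by side. The browser command template (an echo stand-in), the constructed payload URL and the scheme allowlist are assumptions for the example. The point it makes is that the repair is to stop handing the URL to a shell at all, not to filter characters: quotes, semicolons and ampersands are all legal in URLs.

```python
"""Added illustration of the licq URL-handling flaw: a URL received from
the network is spliced into a shell command line.  The browser command
template and the sample URL below are assumptions for this example; the
page does not show licq's actual code."""
import subprocess
from urllib.parse import urlsplit

# Stand-in for a "browser 'openURL(%s)'" style template: echo lets the
# demonstration run without a browser and shows what the shell executed.
UNSAFE_TEMPLATE = "echo 'open %s'"

ALLOWED_SCHEMES = {"http", "https", "ftp"}     # assumed policy


def unsafe_open_url(url):
    """The flaw: the untrusted URL goes into a string that /bin/sh parses
    (the system(3)/popen(3) pattern).  A quote in the URL ends the literal
    and anything after ';' runs as a separate command."""
    cmd = UNSAFE_TEMPLATE % url
    return subprocess.run(["sh", "-c", cmd],
                          capture_output=True, text=True).stdout


def url_is_acceptable(url):
    """Scheme allowlist.  This is a policy check, not the fix: shell
    metacharacters such as ' ; & $ are legal URL characters, so filtering
    them cannot make string interpolation safe."""
    parts = urlsplit(url)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def safe_open_url(url, browser="echo"):
    """The fix: validate, then pass the URL as one argv element straight
    to execve(); no shell is involved, so its metacharacters are inert.
    `browser` defaults to echo here so the example runs without one."""
    if not url_is_acceptable(url):
        raise ValueError("refusing to open %r" % url)
    return subprocess.run([browser, url],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    evil = "http://example.com/'; echo INJECTED; echo '"   # constructed payload
    print(unsafe_open_url(evil), end="")   # second line is the injected command
    print(safe_open_url(evil), end="")     # the URL comes out verbatim, as one argument
```

Run it and the unsafe path prints "INJECTED" on its own line: the shell saw three commands. The safe path prints the whole payload back as a single argument, because /bin/echo never parses it. In a C program the same change is the move from system(3) to fork()/execvp() with the URL in argv[].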
RPM building races? Ian Lynagh [32]noticed that a number of RPM "spec"
files use /tmp in an unsafe way. A clever attacker could, conceivably,
make use of this problem to change system files. In this case, the
race is very difficult to exploit; it depends, among other things, on
knowing when somebody will decide to rebuild a package from the RPM
source file.
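Since predictable temporary files turn up three times on this page (the RPM spec files here, and the CUPS and sgml-tools items below), here is one added example of the race itself and of the two usual fixes. It is not code from any of those packages: a private scratch directory stands in for /tmp, a "victim" file stands in for the system file the attacker wants overwritten, and the file names are constructed for the example. The attacker is simply assumed to win the race, since that is the case that matters.

```python
"""Added illustration of the predictable-/tmp race behind the RPM spec
problem (and the CUPS and sgml-tools temporary-file bugs elsewhere on this
page).  A private scratch directory stands in for /tmp and a "victim" file
stands in for the system file the attacker wants overwritten; the file
names are constructed for the example."""
import os
import tempfile


def unsafe_write(predictable_path, data):
    """What a spec file or script does when it writes /tmp/<fixed name>:
    open() with O_CREAT but without O_EXCL follows whatever already sits at
    that name, including a symlink planted in the window before the write."""
    with open(predictable_path, "w") as f:
        f.write(data)


def safe_write(predictable_path, data):
    """Hardened: O_EXCL refuses an existing name and O_NOFOLLOW refuses a
    symlink, so a pre-planted link makes the write fail instead of
    redirecting it to the attacker's target."""
    fd = os.open(predictable_path,
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def unpredictable_write(tmpdir, data):
    """Better still, do not use a guessable name: mkstemp() picks a random
    one and creates it with O_EXCL and mode 0600.  Returns the path."""
    fd, path = tempfile.mkstemp(dir=tmpdir, prefix="build-")
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def race_demo(writer):
    """Constructed scenario in which the attacker wins the race: they plant
    <tmp>/build.log -> <victim> before the build writes its log.
    Returns (victim contents afterwards, name of the error raised or None)."""
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim")
        with open(victim, "w") as f:
            f.write("original\n")
        link = os.path.join(scratch, "build.log")   # the predictable name
        os.symlink(victim, link)                    # attacker moves first
        error = None
        try:
            writer(link, "attacker-controlled\n")
        except OSError as e:
            error = type(e).__name__
        with open(victim) as f:
            return f.read(), error


def unpredictable_demo():
    """Shows mkstemp's result: a prefixed random name with mode 0600."""
    with tempfile.TemporaryDirectory() as scratch:
        path = unpredictable_write(scratch, "log\n")
        return (os.path.basename(path).startswith("build-"),
                os.stat(path).st_mode & 0o777)


if __name__ == "__main__":
    print("open():   ", race_demo(unsafe_write))   # victim clobbered
    print("O_EXCL:   ", race_demo(safe_write))     # FileExistsError, victim intact
    print("mkstemp():", unpredictable_demo())
```

The O_EXCL/O_NOFOLLOW version turns the overwrite into a failed build, which is the right outcome but still lets the attacker deny service by squatting on the name; mkstemp(3) (or, in a spec file, a build directory under %{_builddir} rather than /tmp) removes the guessable name altogether, so there is nothing for the attacker to pre-create.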
Updates
CUPS buffer overflow and temporary file creation problems. Check the
[33]March 1st LWN Security Summary for the initial report.
This week's updates:
* [34]Conectiva
Previous updates:
* [35]Linux-Mandrake (March 1st)
* [36]SuSE (March 8)
Icecast buffer overflows, first covered in the [37]March 15, 2001 LWN.
This week's updates:
* [38]Conectiva
Previous updates:
* [39]FreeBSD (March 15).
imap buffer overflows, as discussed in [40]last week's LWN security
page.
This week's update:
* [41]Conectiva
Previous updates:
* [42]Caldera Systems (March 15).
sgml-tools temporary file vulnerability; see [43]last week's LWN
security page for the initial report.
This week's updates:
* [44]Immunix
* [45]Linux-Mandrake
* [46]Red Hat
Previous updates:
* [47]Debian (March 15)
slrn buffer overflow. (First reported in [48]March 15, 2001 LWN).
This week's updates:
* [49]Conectiva
* [50]Immunix
* [51]Red Hat
Previous updates:
* [52]Debian (March 15)
* [53]Linux-Mandrake (March 15)
Resources
Events
New security paradigms workshop - time is running out. The [54]call
for papers for the [55]New Security Paradigms Workshop has a deadline
of March 30 - in other words, soon. Since attendance requires the
submission of an interesting paper, those who don't get something in
before the deadline won't be at the workshop. If you were thinking of
going, now is the time to get that abstract together.
Upcoming security events.
Date                    Event                                                      Location
March 26-29, 2001       [56]Distributed Object Computing Security Workshop         Annapolis, Maryland, USA
March 27-28, 2001       [57]eSecurity                                              Boston, MA, USA
March 28-30, 2001       [58]CanSecWest/core01 Network Security Training Conference Vancouver, British Columbia, Canada
March 29, 2001          [59]Security of e-Finance and e-Commerce Forum Series      Manhattan, New York, USA
March 30-April 1, 2001  [60]@LANta.CON                                             Doraville, GA, USA
April 6-8, 2001         [61]Rubi Con 2001                                          Detroit, MI, USA
April 8-12, 2001        [62]RSA Conference 2001                                    San Francisco, CA, USA
April 20-22, 2001       [63]First annual iC0N security conference                  Cleveland, Ohio, USA
April 22-25, 2001       [64]Techno-Security 2001                                   Myrtle Beach, SC, USA
April 24-26, 2001       [65]Infosecurity Europe 2001                               London, Britain, UK
May 13-16, 2001         [66]2001 IEEE Symposium on Security                        Oakland, CA, USA
May 13-16, 2001         [67]CHES 2001                                              Paris, France
For additional security-related events, including training courses
(which we don't list above) and events further in the future, check
out Security Focus' [68]calendar, one of the primary resources we use
for building the above list. To submit an event directly to us, please
send a plain-text message to [69]lwn@lwn.net.
Section Editor: [70]Liz Coolbaugh
March 22, 2001
Secure Linux Projects
[72]Bastille Linux
[73]Immunix
[74]Nexus
[75]SLinux
[76]NSA Security-Enhanced
[77]Trustix
Security List Archives
[78]Bugtraq Archive
[79]Firewall Wizards Archive
[80]ISN Archive
Distribution-specific links
[81]Caldera Advisories
[82]Conectiva Updates
[83]Debian Alerts
[84]Kondara Advisories
[85]Esware Alerts
[86]LinuxPPC Security Updates
[87]Mandrake Updates
[88]Red Hat Errata
[89]SuSE Announcements
[90]Yellow Dog Errata
BSD-specific links
[91]BSDi
[92]FreeBSD
[93]NetBSD
[94]OpenBSD
Security mailing lists
[95]Caldera
[96]Cobalt
[97]Conectiva
[98]Debian
[99]Esware
[100]FreeBSD
[101]Kondara
[102]LASER5
[103]Linux From Scratch
[104]Linux-Mandrake
[105]NetBSD
[106]OpenBSD
[107]Red Hat
[108]Slackware
[109]Stampede
[110]SuSE
[111]Trustix
[112]turboLinux
[113]Yellow Dog
Security Software Archives
[114]munitions
[115]ZedZ.net (formerly replay.com)
Miscellaneous Resources
[116]CERT
[117]CIAC
[118]Comp Sec News Daily
[119]Crypto-GRAM
[120]LinuxLock.org
[121]Linux Security Audit Project
[122]LinuxSecurity.com
[123]OpenSSH
[124]OpenSEC
[125]Security Focus
[126]SecurityPortal
[127]Next: Kernel
[128]Eklektix, Inc. Linux powered! Copyright © 2001 [129]Eklektix,
Inc., all rights reserved
Linux (R) is a registered trademark of Linus Torvalds
References
1. http://lwn.net/
2. http://ads.tucows.com/click.ng/pageid=001-012-132-000-000-002-000-000-012
3. http://lwn.net/2001/0322/
4. http://lwn.net/2001/0322/kernel.php3
5. http://lwn.net/2001/0322/dists.php3
6. http://lwn.net/2001/0322/desktop.php3
7. http://lwn.net/2001/0322/devel.php3
8. http://lwn.net/2001/0322/commerce.php3
9. http://lwn.net/2001/0322/press.php3
10. http://lwn.net/2001/0322/announce.php3
11. http://lwn.net/2001/0322/history.php3
12. http://lwn.net/2001/0322/letters.php3
13. http://lwn.net/2001/0322/bigpage.php3
14. http://lwn.net/2001/0315/security.php3
15. http://project.honeynet.org/challenge/results/
16. http://lwn.net/2001/0322/a/honeynet.php3
17. http://www.i.cz/en/onas/tisk4.html
18. http://lwn.net/2001/0322/a/cryptogram.php3
19. http://www.counterpane.com/crypto-gram-0103.html
20. http://lwn.net/2001/0322/a/ssh-analysis.php3
21. http://lwn.net/2001/0322/a/xfree86.php3
22. http://lwn.net/2001/0322/a/ftpd-dos.php3
23. http://lwn.net/2001/0322/a/pureftpd.php3
24. http://lwn.net/2001/0322/a/proftpd-dos.php3
25. http://lwn.net/2001/0322/a/globbing.php3
26. http://lwn.net/2001/0322/a/con-mutt.php3
27. http://lwn.net/2001/0322/a/imm-mutt.php3
28. http://lwn.net/2001/0322/a/lm-mutt.php3
29. http://lwn.net/2001/0322/a/rh-mutt.php3
30. http://lwn.net/2001/0322/a/trustix-mutt.php3
31. http://lwn.net/2001/0322/a/lm-licq.php3
32. http://lwn.net/2001/0322/a/rpm-races.php3
33. http://lwn.net/2001/0301/security.php3#cups
34. http://lwn.net/2001/0322/a/con-cups.php3
35. http://lwn.net/2001/0301/a/lm-MDKSA-2001-023.php3
36. http://lwn.net/2001/0308/a/suse-cups.php3
37. http://lwn.net/2001/0315/security.php3#icecast2
38. http://lwn.net/2001/0322/a/con-icecast.php3
39. http://lwn.net/2001/0315/a/fb-icecast.php3
40. http://lwn.net/2001/0315/security.php3#imap
41. http://lwn.net/2001/0322/a/con-imap.php3
42. http://lwn.net/2001/0315/a/cald-imap.php3
43. http://lwn.net/2001/0315/security.php3#sgml
44. http://lwn.net/2001/0322/a/imm-sgml-tools.php3
45. http://lwn.net/2001/0322/a/lm-sgml-tools.php3
46. http://lwn.net/2001/0322/a/rh-sgmltools.php3
47. http://lwn.net/2001/0315/a/deb-sgml-tools.php3
48. http://lwn.net/2001/0315/security.php3#slrn
49. http://lwn.net/2001/0322/a/con-slrn.php3
50. http://lwn.net/2001/0322/a/imm-slrn.php3
51. http://lwn.net/2001/0322/a/rh-slrn.php3
52. http://lwn.net/2001/0315/a/deb-slrn-20010309.php3
53. http://lwn.net/2001/0315/a/lm-slrn.php3
54. http://lwn.net/2001/0215/a/sec-nspw-cfp.php3
55. http://www.nspw.org/
56. http://www.omg.org/news/meetings/docsec2001/
57. http://www.intmedgrp.com/security/sec01bs/overview.html
58. http://www.dursec.com/conference.html
59. http://www.ists.dartmouth.edu/iria/events/ebizforum.html
60. http://www.atlantacon.org/
61. http://www.rubi-con.org/
62. http://www.rsasecurity.com/conference/rsa2001/index2.html
63. http://lwn.net/2001/0208/a/iC0N.php3
64. http://www.techsec.com/html/Conferences.html
65. http://www.infosec.co.uk/page.cfm
66. http://www.ieee-security.org/TC/sp2001.html
67. http://www.ece.wpi.edu/Research/crypt/ches/start.html
68. http://securityfocus.com/calendar
69. mailto:lwn@lwn.net
70. mailto:lwn@lwn.net
71. http://ads.tucows.com/click.ng/buttonpos=lwnbuttonsecurity
72. http://bastille-linux.sourceforge.net/
73. http://www.immunix.org/
74. http://Nexus-Project.net/
75. http://www.slinux.org/
76. http://www.nsa.gov/selinux/
77. http://www.trustix.com/
78. http://www.securityfocus.com/bugtraq/archive/
79. http://www.nfr.net/firewall-wizards/
80. http://www.jammed.com/Lists/ISN/
81. http://www.calderasystems.com/support/security/
82. http://www.conectiva.com.br/atualizacoes/
83. http://www.debian.org/security/
84. http://www.kondara.org/errata/k12-security.html
85. http://www.esware.com/actualizaciones.html
86. http://linuxppc.org/security/advisories/
87. http://www.linux-mandrake.com/en/fupdates.php3
88. http://www.redhat.com/support/errata/index.html
89. http://www.suse.de/security/index.html
90. http://www.yellowdoglinux.com/resources/errata.shtml
91. http://www.BSDI.COM/services/support/patches/
92. http://www.freebsd.org/security/security.html
93. http://www.NetBSD.ORG/Security/
94. http://www.openbsd.org/security.html
95. http://www.calderasystems.com/support/forums/announce.html
96. http://www.cobalt.com/support/resources/usergroups.html
97. http://distro.conectiva.com.br/atualizacoes/
98. http://www.debian.org/MailingLists/subscribe
99. http://www.esware.com/lista_correo.html
100. http://www.freebsd.org/handbook/eresources.html#ERESOURCES-MAIL
101. http://www.kondara.org/mailinglist.html.en
102. http://l5web.laser5.co.jp/ml/ml.html
103. http://www.linuxfromscratch.org/services/mailinglistinfo.php
104. http://www.linux-mandrake.com/en/flists.php3
105. http://www.netbsd.org/MailingLists/
106. http://www.openbsd.org/mail.html
107. http://www.redhat.com/mailing-lists/
108. http://www.slackware.com/lists/
109. http://www.stampede.org/mailinglists.php3
110. http://www.suse.com/en/support/mailinglists/index.html
111. http://www.trustix.net/support/
112. http://www.turbolinux.com/mailman/listinfo/tl-security-announce
113. http://lists.yellowdoglinux.com/ydl_updates.shtml
114. http://munitions.vipul.net/
115. http://www.zedz.net/
116. http://www.cert.org/nav/alerts.html
117. http://ciac.llnl.gov/ciac/
118. http://www.MountainWave.com/
119. http://www.counterpane.com/crypto-gram.html
120. http://linuxlock.org/
121. http://lsap.org/
122. http://linuxsecurity.com/
123. http://www.openssh.com/
124. http://www.opensec.net/
125. http://www.securityfocus.com/
126. http://www.securityportal.com/
127. http://lwn.net/2001/0322/kernel.php3
128. http://www.eklektix.com/
129. http://www.eklektix.com/
--- ifmail v.2.14.os7-aks1
* Origin: Unknown (2:4615/71.10@fidonet)