 - RU.LINUX ---------------------------------------------------------------------
 From : Sergey Lentsov                       2:4615/71.10   15 Feb 2001  18:24:23
 To : All
 Subject : URL: http://lwn.net/2001/0215/security.php3
 -------------------------------------------------------------------------------- 
 
    See also: [13]last week's Security page.
    
 Security
 
 News and Editorials
 
    SSH Communications opens SSH trademark issue. This week, Tatu Ylonen
    opened up a trademark issue involving the terms "ssh" and "secure shell".
    He sent notes out to two public mailing lists, including [14]this
    note, posted to the openssh-unix-dev@mindrot.org development list, and
    [15]this note to BugTraq. In them, he requests that the [16]OpenSSH
    and [17]ScanSSH projects cease to use the string "SSH" as part of
    their product names.
    
    You'll find additional coverage and reader postings on this issue on
    both [18]Slashdot and [19]LinuxToday. In addition, you'll find letters
    to the editor on the topic already in this week's [20]Letters to the
    Editor section.
    
    Two opposed viewpoints are represented in these community exchanges.
    On one hand, many people consider Tatu's notes to have been politely
    worded and are sympathetic with confusion caused by multiple products
    containing the word "SSH". They feel his request for name changes is
    reasonable and have already moved forward to suggesting alternatives
    (SHH, FRESH, ESH, Secure Telnet, ...)
    
    On the other hand, many people don't consider the name change request
    reasonable, regardless of the wording (and the politeness of the
    wording can be argued if you look at statements like, "OpenSSH is
    doing a disservice to the whole Internet security community by
    lengthening the life cycle of the fundamentally broken SSH1 protocols",
    which is not particularly polite, nor necessarily accurate). The
    arguments on their side include:
    
     1. The word SSH is used both to refer to the protocol SSH as well as
        to products from SSH Communications. Trademarking the name of a
        standard is a tricky business; it can be viewed as an attempt to
        monopolize a standard, a bit of a contradiction in terms.
     2. SSH Communications has waited a long time before coming forward to
        enforce their trademark. Their registration of "SSH" dates back to
        1996, yet products such as TGssh, [21]authored in 1997, were never
        asked not to use the name.
     3. The license for [22]ssh 1.2.12, upon which OpenSSH is based,
        states, "Any derived versions of this software must be clearly
        marked as such, and if the derived work is incompatible with the
        protocol description in the RFC file, it must be called by a name
        other than 'ssh' or 'Secure Shell'". OpenSSH is compatible with
        the protocol descriptions, therefore this license can be read to
        have granted them the right to use the terms 'ssh' and 'Secure
        Shell'.
        
    So which is it? A reasonable request that ought to be granted to
    prevent legal wrangles? Or an unreasonable attempt to punish
    well-founded competing projects by restricting them from using the
    name of the protocol that they implement in their products?
    
    For the good of the community, we, of course, would rather see some
    compromise between these two positions that would result in all of us
    ceasing to wrangle about it and getting a chance to move on with
    developing better software and improving security. The search for such
    a compromise is difficult, though, given the strong emotional
    reactions that are cropping up on both sides, at least initially.
    
    So let's look at a couple of possible scenarios and their long-term
    impact.
    
     1. First, imagine that the community reaction against trademarking
        the name of a standard protocol is strong enough that SSH
        Communications decides to drop their request and not to pursue
        legal action. In this case, the status quo continues. SSH
        Communications continues to, in their belief, potentially lose
        customers due to the confusion between the OpenSSH and SSH
        Communications products.
        Unfortunately, we don't actually believe that SSH Communications
        is losing customers due to the confusion between the two products
        but instead due to the well-understood differences between the
        products. From what we have seen, the people who choose to use
        OpenSSH instead of SSH Communications SSH do so because it is Free
        Software. The license for SSH Communications SSH makes it free to
        use and distribute on BSD and Linux platforms, and for
        non-commercial use on other platforms, but restricts commercial
        usage on other platforms. That makes it "not-free" and people have
        a right to vote against such a license by using an alternative.
        In addition, the [23]history of licensing changes to SSH
        Communications SSH should be enough to give pause to any company
        that is considering using it. The license has been opened, closed,
        and opened again over the years. Do you want to bet your company
        on a product whose license might change again next year? With the
        release of SSH Communications SSH 3.X?
     2. Second, imagine, instead, that OpenSSH and ScanSSH and all the
        other existing programs decide to accede to this request and
        change their names. How will you find these programs under their
        new names? Can they use the term "SSH" as a keyword? Can they
        describe their products as compatible with the "SSH" protocol?
        What, indeed, will the impact be on the standardization process
        for the SSH protocol? It must be considered important for SSH
        Communications for the SSH protocol to be adopted as a standard.
        Providing products based on an acknowledged standard is an
        important part of their company's worth and reputation. The SSH
        protocol is currently under review by the [24]Internet
        Engineering Task Force. We spoke with Bill Sommerfeld, currently
        the working group chair. In [25]this note, he provides links to
        information about the IETF standards process and touches carefully
        on the impact of the SSH trademark issue. "In practice, IETF
        working groups tend to "engineer around" troublesome IPR
        [Intellectual Property] issues; for instance, the SSH version 2
        protocol was changed to use DSS instead of RSA to avoid the (now
        expired) RSA patent. I can't predict how the working group will
        react to this -- I only know that it will slow things down.
        Needless to say, added delay in the standards process does not
        help the end user."
        The trademark dispute is potentially impairing the standards
        process, which should be of critical importance to SSH
        Communications.
     3. If neither side backs down, this situation is likely to end up in
        the hands of lawyers. That is actually the worst situation of all.
        OpenSSH is an open source product that brings in no revenue for
        OpenBSD. Embroiling them in an expensive legal wrangle will not
        reflect well on SSH Communications' public image, whether they win
        or lose. They may well lose, due to the length of time they've
        taken to start enforcing their trademark.
        Most important, all of us lose, due to the wasted time and energy.
        
    Looking at all the options above, we would most like to see a fourth
    option created, that would recognize the concerns voiced by Tatu
    Ylonen, without trade-marking the name of an Internet standard,
    particularly one as important to all of us as the SSH protocol
    standard is.
    
    Standards are developed in order to produce interoperability and
    foster competition. Trade-marking the name of the standard is simply
    incompatible with those goals.
    
    Fixes for XFree86 vulnerabilities show up from Debian.
    XFree86 security issues were a common theme throughout the year 2000.
    Unfortunately, distribution updates fixing such problems had a
    tendency to show up late, if ever. For example, in [26]October, 2000,
    we discussed a list of XFree86 security issues, many of them reported
    by Chris Evans. Between then and now, we've only reported one
    distribution update in response to that extensive report. It was
    [27]from Conectiva and only addressed one of the security problems.
    
    This week, Debian has come out with their [28]XFree86 security update.
    It addresses twelve XFree86 security issues in XFree86 3.3.6 reported
    by "Chris Evans, Joseph S. Myers, Michal Zalewski, Alan Cox, and
    others". The fixes are also authored by a numerous and well-known
    group, "including Aaron Campbell, Paulo Cesar Pereira de Andrade,
    Keith Packard, David Dawes, Matthieu Herrb, Trevor Johnson, Colin
    Phipps, and Branden Robinson".
    
    The massive size of this set of fixes gives some glimpse into the
    question as to why distributions have been so slow in getting updates
    out. Nonetheless, with the release of the Debian updates, it is to be
    hoped that updates from other distributions will follow much more
    quickly.
    
    This week's updates:
      * [29]Debian (all architectures except m68000)
      * [30]Debian (m68000)
    
 Security Reports
 
    ssh daemon remotely-exploitable integer overflow.
    A remotely-exploitable integer overflow was reported this week in ssh
    daemons that include deattack.c. This includes SSH Communications' ssh
    1.2.24 and later (but not their ssh 2.X products) and versions of
    OpenSSH prior to 2.3.0. This vulnerability can lead to a remote
    attacker executing arbitrary code locally under the uid of the ssh
    daemon (usually root). OpenSSH users are encouraged to upgrade
    immediately to 2.3.0. Users of SSH Communications' ssh daemon are
    encouraged to upgrade to SSH Communications SSH 2.4 (with ssh1 support
    disabled).
    
    This week's updates:
      * [31]Debian, OpenSSH
      * [32]LinuxPPC, OpenSSH
      * [33]FreeBSD, OpenSSH and SSH1
        
    Multiple Linux kernel 2.2 and 2.4 vulnerabilities.
    Caldera Systems [34]issued an advisory this week reporting two
    security problems affecting both the Linux 2.2 and 2.4 kernel trees.
    The first vulnerability allows large parts of Linux kernel memory to
    be read by passing a negative offset to sysctl. The second
    vulnerability is a race condition where ptrace is attached to a setuid
    program and used to modify that program.
    
    Following this report, Red Hat issued [35]their advisory, which
    included their fixes for the sysctl and ptrace problems, as well as a
    fix for an unspecified vulnerability specific to the Pentium III
    patch. Note that the Red Hat advisory credits Solar Designer for
    discovering the sysctl bug, but this is incorrect. Solar Designer
    posted a note stating that Chris Evans discovered and [36]reported the
    sysctl bug.
    
    The security fixes for sysctl and ptrace have been integrated into
    [37]2.2.19pre9; the Pentium III bug only affects the 2.2 kernel series
    if the Pentium III patches have been applied.
    
    Linux 2.4 was not vulnerable to the ptrace issue. Fixes for the sysctl
    and Pentium III bugs have been integrated into the -ac development
    tree.
    
    This week's updates:
      * [38]Caldera
      * [39]Red Hat
      * [40]Immunix
      * [41]Trustix
        
    ja-xklock local root compromise. FreeBSD reported a [42]local root
    compromise in ja-xklock, a "localized" xlock clone which is part of
    the FreeBSD ports. ja-xklock does not appear to be popular under
    Linux, but may show up on other BSD systems.
    
    mars_nwe potential remote root compromise. FreeBSD reported a
    [43]potential remote root compromise in their mars_nwe port, due to a
    format string vulnerability. Mars_nwe is a Novell NetWare server
    emulator. This vulnerability is not specific to FreeBSD.
    
    elvis-clone exploitable buffer overflow. A remote root compromise is
    possible due to an [44]exploitable buffer overflow in two elvis-clones
    in FreeBSD, ja-elvis and ko-helvis. The buffer overflow was found in
    the elvrec utility, as a result of an internal audit. This
    vulnerability is not specific to FreeBSD.
    
    dc20ctrl locally-exploitable buffer overflow. dc20ctrl, a program for
    controlling Kodak DC20 digital cameras, contains a [45]buffer overflow
    that can be exploited locally, reports FreeBSD. The overflow can be
    exploited to gain access to the serial port devices on FreeBSD,
    however the program itself is not specific to FreeBSD.
    
    FreeBSD-specific advisories. FreeBSD released the following advisories
    this week for vulnerabilities specific to FreeBSD:
      * [46]ipfw/ip6fw allows bypassing of 'established' keyword (updated
        advisory)
      * [47]inetd ident server remote file read access (updated advisory)
        
    m4 buffer overflow. A [48]buffer overflow in m4 has been reported and
    confirmed on Slackware 7.1.0 and Red Hat 6.1. Oddly enough, there has
    been no follow-up to these reports and no update to m4 has been
    published.
    
    LICQ/GnomeICU denial-of-service vulnerability. Sending an RTF (Rich
    Text Format) file to LICQ or GnomeICU on a target computer will crash
    the application, [49]reports No Strezzz Cazzz. Both are applications
    that support ICQ-based communications. No updates to LICQ have been
    published. GnomeICU 0.95.1 and 0.95.2 have been [50]released, but the
    descriptions of these updates do not indicate whether or not this
    problem has been solved.
    
    Note that a [51]similar problem was reported in kicq and a patch for
    it has been released.
    
    MySQL buffer overrun. [52]MySQL version 3.23.33 was released this week
    and contains a fix for two buffer overruns, one in the libmysqlclient
    library and the other in DROP DATABASE.
    
    Web scripts.
    The following Web scripts were reported to contain vulnerabilities:
      * [53]Phpnuke is reported to be exploitable remotely to read files,
        and, depending on the remote configuration, execute PHP code or
        other arbitrary code on the server. The author is aware of the
        problem and has [54]released a patched version.
      * [55]An additional problem with PHPNuke was reported by rain forest
        puppy. After a long, detailed exploration of the problem,
        amounting to almost a full security audit, he indicates that he
        communicated the problems to the author; PHP-Nuke 4.4 was released
        40 days later, and he does not yet know whether his suggested
        improvements/fixes have been incorporated.
        
    Commercial products.
    The following commercial products were reported to contain
    vulnerabilities:
      * IBM's Net.Commerce package, including IBM Net.Commerce and IBM
        WebSphere Commerce Suite, is reported to contain a [56]remote
        arbitrary command execution vulnerability due to macros that do
        not validate user input properly. Net.Commerce version 3.2 and
        WebSphere Commerce Suite 4.1 contain corrected versions of the
        macros. Note that although IBM WebSphere includes Apache, Apache
        itself is not impacted by this report.
        
 Updates
 
    SSH protocol 1.5 key session recovery vulnerability.
    Check [57]last week's LWN Security Summary for the initial report.
    
    Note that our original coverage contained errors due to our incorrect
    interpretation of the [58]original advisory. We reported that OpenSSH
    2.3.0 and earlier were vulnerable (in addition to ssh1.2.31 and
    earlier), because a patch to correct the problem had been introduced
    into the OpenSSH tree. We received feedback this week from Theo de
    Raadt, Ivan Arce and Markus Friedl correcting that impression. In
    fact, OpenSSH 2.2.0 and later are not exploitable via this
    vulnerability. The maximum number of concurrent unauthenticated
    connections is automatically defaulted to 10 and random early drop can
    also be enabled.
    
    Multiple vulnerabilities in bind 8.2.2 and bind 4.
    Check the [59]February 1st LWN Security Summary for the initial
    reports. Bind 8.2.3 contains fixes for the problems with 8.2.2. Bind 4
    fixes are also available, but an upgrade to bind 8 or even bind 9 is
    generally considered a preferable approach.
    
    This week's updates:
      * [60]NetBSD
        
    Previous updates:
      * [61]Caldera Systems (February 1st)
      * [62]Conectiva (February 1st)
      * [63]Debian (February 1st)
      * [64]Linux-Mandrake (February 1st)
      * [65]Immunix (February 1st)
      * [66]Red Hat (February 1st)
      * [67]Slackware (February 1st)
      * [68]SuSE (February 1st)
      * [69]Trustix (February 1st)
      * [70]Yellow Dog Linux (February 1st)
      * [71]LinuxPPC (February 8th)
      * [72]FreeBSD (February 8th)
      * [73]Cobalt bind 8.2.3 (for the RaQ2 only) (February 8th)
      * [74]Cobalt bind 4 (for the Qube1, RaQ1 and Qube2) (February 8th)
                                       
    Multiple vulnerabilities in ProFTPD.
    Check the [75]February 8th, 2001 LWN Security Summary for details.
    ProFTPD 1.2.0rc3 contains fixes for all the above problems.
    
    This week's updates:
      * [76]Conectiva
      * [77]Linux-Mandrake
      * [78]Debian
      * [79]Trustix
        
    Previous updates:
      * [80]Cobalt, unofficial package updates (February 8th)
        
    man -l format string vulnerability.
    Check the [81]February 8th LWN Security Summary for details. Note that
    only distributions with a man command that supports the "-l" option
    are affected. This would include SuSE, Debian and distributions
    derived from them.
    
    This week's updates:
      * [82]Debian
        
    Secure Locate buffer overflow.
    Check the [83]November 30th, 2000 LWN Security Summary for the
    original report of this problem.
    
    This week's updates:
      * [84]Turbolinux
        
    Previous updates:
      * [85]Debian (December 21st, 2000)
      * [86]Linux-Mandrake (December 21st, 2000)
      * [87]Red Hat (December 21st, 2000)
      * [88]Conectiva (January 11th)
        
    Netscape 4.75 buffer overflow.
    First spotted via [89]this FreeBSD advisory and reported on November
    9th, a buffer overflow in Netscape 4.75 enables a client-side exploit.
    Check the [90]November 9th LWN Security Summary for our original
    report. Netscape 4.76, which was released on October 24th, fixes the
    problem.
    
    This week's updates:
      * [91]Turbolinux
        
    Previous updates:
      * [92]FreeBSD (November 9th, 2000)
      * [93]Red Hat (November 23rd, 2000)
      * [94]Immunix (November 23rd, 2000)
      * [95]Conectiva (November 30th, 2000)
      * [96]Red Hat, Alpha packages added for RH7 (November 30th, 2000)
      * [97]SuSE (December 7th, 2000)
      * [98]Kondara (December 7th, 2000)
      * [99]Linux-Mandrake (December 21st, 2000)
        
 Resources
 
    ScanSSH. Niels Provos has released a protocol scanner, currently named
    [100]ScanSSH, which can be used to help find vulnerable SSH daemons so
    they can be upgraded quickly.
    
    Ramenfind 0.4. A new version of the [101]Ramenfind script was released
    this week. It handles a new Ramen variant that showed up this past
    week. That should also be a reminder to everyone to apply your
    security updates, the best way to protect against the Ramen worm.
    
 Events
 
    Call for Papers: New Security Paradigms Workshop (NSPW). Crispin Cowan
    sent out the [102]Call-For-Papers for this year's [103]New Security
    Paradigms Workshop, which is being held September 11th through the
    14th, 2001, in Cloudcroft, New Mexico, USA. "In order to preserve the
    small, focused nature of the workshop, participation is limited to
    authors of accepted papers and conference organizers. Because we
    expect new paradigms we accept wide-ranging topics in information
    security. Any paper that presents a significant shift in thinking
    about difficult security issues or builds on a previous shift is
    welcomed."
    
    Upcoming security events.
    
    Date                       Event                                    Location
    February 19-22, 2001       [104]Financial Cryptography 2001         Grand Cayman, BWI
    February 19-22, 2001       [105]VPN Con                             San Jose, CA, USA
    February 24-March 1, 2001  [106]InfoSec World 2001                  Orlando, FL, USA
    March 3-6, 2001            [107]EICAR and Anti-Malware Conference   Munich, Germany
    March 27-28, 2001          [108]eSecurity                           Boston, MA, USA
    March 30-April 1, 2001     [109]@LANta.CON                          Doraville, GA, USA
    April 6-8, 2001            [110]Rubi Con 2001                       Detroit, MI, USA
    
    For additional security-related events, including training courses
    (which we don't list above) and events further in the future, check
    out Security Focus' [111]calendar, one of the primary resources we use
    for building the above list. To submit an event directly to us, please
    send a plain-text message to [112]lwn@lwn.net.
    
    Section Editor: [113]Liz Coolbaugh
    February 15, 2001
    
    Copyright © 2001 [172]Eklektix, Inc., all rights reserved
    Linux (R) is a registered trademark of Linus Torvalds
 
 References
 
    1. http://lwn.net/
    2. http://ads.tucows.com/click.ng/pageid=001-012-132-000-000-002-000-000-012
    3. http://lwn.net/2001/0215/
    4. http://lwn.net/2001/0215/kernel.php3
    5. http://lwn.net/2001/0215/dists.php3
    6. http://lwn.net/2001/0215/devel.php3
    7. http://lwn.net/2001/0215/commerce.php3
    8. http://lwn.net/2001/0215/press.php3
    9. http://lwn.net/2001/0215/announce.php3
   10. http://lwn.net/2001/0215/history.php3
   11. http://lwn.net/2001/0215/letters.php3
   12. http://lwn.net/2001/0215/bigpage.php3
   13. http://lwn.net/2001/0208/security.php3
   14. http://lwn.net/2001/0215/a/ssh-tm.php3
   15. http://lwn.net/2001/0215/a/ylo.php3
   16. http://www.openssh.com/
   17. http://www.monkey.org/~provos/scanssh/
   18. http://slashdot.org/articles/01/02/14/1120247.shtml
   19. http://linuxtoday.com/news_story.php3?ltsn=2001-02-14-003-04-NW-SW-BD
   20. http://lwn.net/2001/0215/letters.php3
   21. http://msgs.securepoint.com/cgi-bin/get/openssh-unix-dev-0102/104.html
   22. http://wwwcip.informatik.uni-erlangen.de/~msfriedl/LIC/ssh-1.2.12/COPYING
   23. http://wwwcip.informatik.uni-erlangen.de/~msfriedl/LIC/
   24. http://www.ietf.org/
   25. http://lwn.net/2001/0215/a/ietf.php3
   26. http://lwn.net/2000/1026/security.php3
   27. http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000220
   28. http://lwn.net/2001/0215/a/deb-xfree86.php3
   29. http://lwn.net/2001/0215/a/deb-xfree86.php3
   30. http://lwn.net/2001/0215/a/db-xfree86-m68k.php3
   31. http://lwn.net/2001/0215/a/deb-openssh.php3
   32. http://lwn.net/2001/0215/a/lp-openssh.php3
   33. http://lwn.net/2001/0215/a/fb-openssh.php3
   34. http://lwn.net/2001/0215/a/cald-ptrace.php3
   35. http://lwn.net/2001/0215/a/rh-kernel.php3
   36. http://securityfocus.com/frames/?content=/templates/archive.pike%3Fstart%3D2001-02-11%26tid%3D162260%26list%3D1%26fromthread%3D0%26threads%3D1%26end%3D2001-02-17%26
   37. http://lwn.net/2001/0215/a/2.2.19pre9.php3
   38. http://lwn.net/2001/0215/a/cald-ptrace.php3
   39. http://lwn.net/2001/0215/a/rh-kernel.php3
   40. http://lwn.net/2001/0215/a/im-kernel.php3
   41. http://lwn.net/2001/0215/a/tr-kernelproftpd.php3
   42. http://lwn.net/2001/0215/a/fb-ja-xklock.php3
   43. http://lwn.net/2001/0215/a/fb-mars_nwe.php3
   44. http://lwn.net/2001/0215/a/fb-elvis.php3
   45. http://lwn.net/2001/0215/a/fb-dc20ctrl.php3
   46. http://lwn.net/2001/0215/a/fb-ipfw.php3
   47. http://lwn.net/2001/0215/a/fb-inetd.php3
   48. http://securityfocus.com/frames/?content=/templates/archive.pike%3Fend%3D2001-02-10%26start%3D2001-02-04%26list%3D1%26threads%3D1%26fromthread%3D0%26tid%3D161424%26
   49. http://lwn.net/2001/0215/a/licq.php3
   50. http://freshmeat.net/releases/40800/
   51. http://lwn.net/2001/0215/a/kicq.php3
   52. http://lwn.net/2001/0215/a/mysql.php3
   53. http://lwn.net/2001/0215/a/phpnuke.php3
   54. http://lwn.net/2001/0215/a/phpnuke2.php3
   55. http://lwn.net/2001/0215/a/morephpnuke.php3
   56. http://www.securityfocus.com/bid/2350
   57. http://lwn.net/2001/0208/security.php3#ssh1.5key
   58. http://lwn.net/2001/0208/a/sshprotocol1.5.php3
   59. http://lwn.net/2001/0201/security.php3
   60. http://lwn.net/2001/0215/a/nb-bind.php3
   61. http://lwn.net/2001/0201/a/cald-bind.php3
   62. http://lwn.net/2001/0201/a/con-bind.php3
   63. http://lwn.net/2001/0201/a/deb-bind.php3
   64. http://lwn.net/2001/0201/a/lm-bind.php3
   65. http://lwn.net/2001/0201/a/immunix-bind.php3
   66. http://lwn.net/2001/0201/a/rh-bind.php3
   67. http://lwn.net/2001/0201/a/sl-bind.php3
   68. http://lwn.net/2001/0201/a/su-bind.php3
   69. http://lwn.net/2001/0201/a/trustix-bind.php3
   70. http://lwn.net/2001/0201/a/yd-bind.php3
   71. http://linuxppc.org/security/advisories/LPPCSA-2001-003-1.php3
   72. http://lwn.net/2001/0208/a/fb-bind-01-18.php3
   73. http://lwn.net/2001/0208/a/cbraq-bind.php3
   74. http://lwn.net/2001/0208/a/cbqube-bind.php3
   75. http://lwn.net/2001/0208/security.php3#proftpd
   76. http://lwn.net/2001/0215/a/con-proftpd.php3
   77. http://lwn.net/2001/0215/a/lm-proftpd.php3
   78. http://lwn.net/2001/0215/a/deb-proftpd.php3
   79. http://lwn.net/2001/0215/a/tr-kernelproftpd.php3
   80. http://lwn.net/2001/0208/a/cb-proftpd.php3
   81. http://lwn.net/2001/0208/security.php3#man
   82. http://lwn.net/2001/0215/a/deb-man-db.php3
   83. http://lwn.net/2000/1130/security.php3#slocate
   84. http://lwn.net/2001/0215/a/tl-slocate.php3
   85. http://lwn.net/2000/1221/a/deb-slocate.php3
   86. http://lwn.net/2000/1221/a/sec-lm-slocate.php3
   87. http://lwn.net/2000/1221/a/sec-rh-slocate.php3
   88. http://lwn.net/2001/0111/a/con-slocate.php3
   89. http://lwn.net/2000/1109/a/sec-freebsd-netscape.php3
   90. http://lwn.net/2000/1109/security.php3#netscape
   91. http://lwn.net/2001/0215/a/tl-netscape.php3
   92. http://lwn.net/2000/1109/a/sec-freebsd-netscape.php3
   93. http://lwn.net/2000/1123/a/rh-netscape.php3
   94. http://lwn.net/2000/1123/a/sec-immunix-netscape.php3
   95. http://lwn.net/2000/1130/a/con-netscape.php3
   96. http://lwn.net/2000/1130/a/sec-rh-netscape.php3
   97. http://lwn.net/2000/1207/a/sec-suse-netscape.php3
   98. http://lwn.net/2000/1207/a/sec-kondara-netscape.php3
   99. http://lwn.net/2000/1221/a/sec-lm-netscape.php3
  100. http://lwn.net/2001/0215/a/scanssh.php3
  101. http://lwn.net/2001/0215/a/ramenfind.php3
  102. http://lwn.net/2001/0215/a/sec-nspw-cfp.php3
  103. http://www.nspw.org/
  104. http://fc01.ai/
  105. http://www.vpncon.com/2001events/spring/spring2001index.htm
  106. http://www.misti.com/conference_show.asp?id=OS01
  107. http://conference.eicar.org/
  108. http://www.intmedgrp.com/security/sec01bs/overview.html
  109. http://www.atlantacon.org/
  110. http://www.rubi-con.org/
  111. http://securityfocus.com/calendar
  112. mailto:lwn@lwn.net
  113. mailto:lwn@lwn.net
  114. http://ads.tucows.com/click.ng/buttonpos=lwnbuttonsecurity
  115. http://bastille-linux.sourceforge.net/
  116. http://www.immunix.org/
  117. http://Nexus-Project.net/
  118. http://www.slinux.org/
  119. http://www.nsa.gov/selinux/
  120. http://www.trustix.com/
  121. http://www.securityfocus.com/bugtraq/archive/
  122. http://www.nfr.net/firewall-wizards/
  123. http://www.jammed.com/Lists/ISN/
  124. http://www.calderasystems.com/support/security/
  125. http://www.conectiva.com.br/atualizacoes/
  126. http://www.debian.org/security/
  127. http://www.kondara.org/errata/k12-security.html
  128. http://www.esware.com/actualizaciones.html
  129. http://linuxppc.org/security/advisories/
  130. http://www.linux-mandrake.com/en/fupdates.php3
  131. http://www.redhat.com/support/errata/index.html
  132. http://www.suse.de/security/index.html
  133. http://www.yellowdoglinux.com/resources/errata.shtml
  134. http://www.BSDI.COM/services/support/patches/
  135. http://www.freebsd.org/security/security.html
  136. http://www.NetBSD.ORG/Security/
  137. http://www.openbsd.org/security.html
  138. http://www.calderasystems.com/support/forums/announce.html
  139. http://www.cobalt.com/support/resources/usergroups.html
  140. http://distro.conectiva.com.br/atualizacoes/
  141. http://www.debian.org/MailingLists/subscribe
  142. http://www.esware.com/lista_correo.html
  143. http://www.freebsd.org/handbook/eresources.html#ERESOURCES-MAIL
  144. http://www.kondara.org/mailinglist.html.en
  145. http://l5web.laser5.co.jp/ml/ml.html
  146. http://www.linuxfromscratch.org/services/mailinglistinfo.php
  147. http://www.linux-mandrake.com/en/flists.php3
  148. http://www.netbsd.org/MailingLists/
  149. http://www.openbsd.org/mail.html
  150. http://www.redhat.com/mailing-lists/
  151. http://www.slackware.com/lists/
  152. http://www.stampede.org/mailinglists.php3
  153. http://www.suse.com/en/support/mailinglists/index.html
  154. http://www.trustix.net/support/
  155. http://www.turbolinux.com/mailman/listinfo/tl-security-announce
  156. http://lists.yellowdoglinux.com/ydl_updates.shtml
  157. http://munitions.vipul.net/
  158. http://www.zedz.net/
  159. http://www.cert.org/nav/alerts.html
  160. http://ciac.llnl.gov/ciac/
  161. http://www.MountainWave.com/
  162. http://www.counterpane.com/crypto-gram.html
  163. http://linuxlock.org/
  164. http://lsap.org/
  165. http://linuxsecurity.com/
  166. http://www.openssh.com/
  167. http://www.opensec.net/
  168. http://www.securityfocus.com/
  169. http://www.securityportal.com/
  170. http://lwn.net/2001/0215/kernel.php3
  171. http://www.eklektix.com/
  172. http://www.eklektix.com/
 
 --- ifmail v.2.14.os7-aks1
  * Origin: Unknown (2:4615/71.10@fidonet)
 
 
