ru.linux - RU.LINUX
From: Sergey Lentsov 2:4615/71.10, 08 Mar 2001 18:11:23
To: All
Subject: URL: http://lwn.net/2001/0308/security.php3

[1]LWN.net Security page, March 8, 2001. See also: [14]last week's Security page.

Security News and Editorials

Strong ES vs Weak ES in TCP/IP implementations. This week the most [15]prolific discussion on BugTraq focused on the implementation of [16]RFC 1122 (Requirements for Internet Hosts: Communication Layers), which covers the link, IP and transport layers. In the portion that discusses how a multi-homed host should handle datagrams for its several addresses (and, in the thread, how the loopback interface fits in), the RFC is somewhat ambiguous, offering two possible models without recommending between them. This week [17]a note was posted pointing out the security implications of one of those two models. Elias Levy posted [18]an excerpt of the portion of the RFC that applies.

The two models are called the "Strong ES Model" and the "Weak ES Model" (ES is the RFC's term for an end system, that is, a host). Under the Strong ES model, a host accepts an incoming datagram only if its destination address is the address assigned to the interface on which it arrived. Under the Weak ES model, a host accepts a datagram addressed to any of its own addresses, whichever interface it arrives on. Note that this is a question of local delivery, not of IP forwarding: forwarding governs whether packets destined for other hosts are passed from one interface to another, and it can be disabled under either model. The Weak ES model is the one that has some people concerned.

Why would this be a problem? Take a common setup: a host with two Ethernet cards, one connected to an external network and the other connected to an internal network.

If IP forwarding is disabled, an administrator might assume that a network service which listens only on the internal interface's address cannot be reached by attackers probing from the external interface. Under the Weak ES model that assumption is wrong. A packet that arrives on the external interface but carries the internal interface's address as its destination (an attacker on the external side need only get it onto that interface, for example by adding a route for the internal address via the host's external address) is accepted as the host's own and delivered to the service listening there, unless a firewall rule on the host drops it first. Turning forwarding off makes no difference, because nothing is being forwarded.

So which model does Linux use? Following the BugTraq thread, we did not get a consistent answer. The original post claims that Red Hat 6.2 is not affected; other posts claim that Linux 2.2 follows the Weak ES model while 2.4 does not; still others claim to have tested Linux 2.2.16 and found it not vulnerable, while tests of Linux 2.4 show that it is. At this point we can only sum it up by saying "we don't know" (but we'll ask our resident kernel expert to look into it).

Two camps emerge from the discussion. One camp feels strongly that, because the Strong ES model is slanted toward providing more security, it should be the default model, if not the only one. It is true that we all advocate moving Linux toward security by default; would the Strong ES model be a good fit as a result? The other camp quickly pointed out functionality currently in use that depends on the Weak ES model, including load balancers such as the [19]Linux Virtual Server project, on which Red Hat Piranha is based. There was also a strong feeling that any security issue associated with the Weak ES model can be fixed by a properly configured local firewall: a rule that drops packets arriving on the external interface whose destination is one of the host's internal or loopback addresses restores Strong ES behaviour for exactly the traffic that matters.

In the end, the ability to choose between the Strong ES and Weak ES models seems highly desirable. Which model is the default can be left to the Linux distribution, possibly eventually defaulting to the Strong ES model, as long as changing the configuration is a simple matter.
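To make the distinction between the two models concrete, here is a small model of the local-delivery decision a multi-homed host makes under each, together with the host-firewall rule that closes the gap under the Weak ES model. This is an added example, not code from the LWN page, the BugTraq thread or any kernel. The Host class, its deliver() method, the harden() and iptables_rules() helpers, and the interface names and addresses (eth0 = 203.0.113.10 external, eth1 = 192.168.1.1 internal) are all constructed for illustration.

```python
# Strong vs weak end-system (ES) model, RFC 1122 section 3.3.4.2, as a
# local-delivery decision on a multi-homed host. Added illustration: the
# Host class, the interface names and the addresses are constructed, not
# taken from any kernel or from the BugTraq thread.
from dataclasses import dataclass, field

STRONG = "strong"   # accept only if dst is the address of the arriving interface
WEAK = "weak"       # accept if dst is any address of this host


@dataclass
class Host:
    ifaces: dict                       # interface name -> IPv4 address (constructed)
    model: str = WEAK
    forwarding: bool = False           # the ip_forward switch, off by default
    drop_rules: list = field(default_factory=list)  # (in_iface, dst) pairs dropped by the host firewall

    def local_addresses(self):
        return set(self.ifaces.values())

    def deliver(self, in_iface, dst):
        """Decide what happens to a datagram with destination dst arriving on in_iface.

        Returns "local" (delivered to a socket on this host), "forward"
        (passed on toward another host) or "drop".
        """
        if in_iface not in self.ifaces:
            raise ValueError("unknown interface %r" % in_iface)
        # A host firewall (the INPUT chain) is consulted before local delivery.
        for rule_iface, rule_dst in self.drop_rules:
            if rule_iface == in_iface and rule_dst == dst:
                return "drop"
        if dst in self.local_addresses():
            if self.model == STRONG and self.ifaces[in_iface] != dst:
                # Strong ES: an address belongs to one interface; packets for it
                # arriving on another interface are not accepted.
                return "drop"
            return "local"          # Weak ES: any of our addresses will do
        # Not addressed to us: this, and only this, is where ip_forward matters.
        return "forward" if self.forwarding else "drop"


def protected_addresses(host, external_iface):
    """Addresses an attacker on external_iface must not reach: everything except the external address."""
    return sorted(a for name, a in host.ifaces.items() if name != external_iface)


def harden(host, external_iface):
    """Add firewall rules dropping packets that arrive on external_iface for any
    non-external address of the host. Returns the rules added."""
    rules = [(external_iface, a) for a in protected_addresses(host, external_iface)]
    host.drop_rules.extend(rules)
    return rules


def iptables_rules(host, external_iface):
    """The same policy as harden(), written as iptables (Linux 2.4 netfilter) commands."""
    return ["iptables -A INPUT -i %s -d %s -j DROP" % (external_iface, a)
            for a in protected_addresses(host, external_iface)]


if __name__ == "__main__":
    # Constructed sample: dual-homed host, a service bound to the internal address,
    # and an attacker on the external side who has routed 192.168.1.1 toward eth0.
    host = Host(ifaces={"lo": "127.0.0.1", "eth0": "203.0.113.10", "eth1": "192.168.1.1"})
    for model in (WEAK, STRONG):
        host.model = model
        print("%-6s model: packet to 192.168.1.1 arriving on eth0 -> %s"
              % (model, host.deliver("eth0", "192.168.1.1")))
    host.model = WEAK
    harden(host, "eth0")
    print("weak model + host firewall: -> %s" % host.deliver("eth0", "192.168.1.1"))
    print("\n".join(iptables_rules(host, "eth0")))
```

Under the weak model the packet for 192.168.1.1 arriving on eth0 is delivered locally; under the strong model it is dropped; under the weak model with the two generated INPUT rules in place it is dropped as well, while traffic to the external address and traffic arriving on eth1 are unaffected. The ipchains equivalent for a 2.2 kernel differs only in syntax.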
Whether any of that gets done is, of course, a decision for the kernel developers. Meanwhile, one clear problem has been identified: our current HOWTOs fail to document which model is in use and what its security implications are. Right now, system administrators do not have the information they need to make the right configuration choices.

Uncovering the secrets of SE Linux: Part 1 (IBM developerWorks). Author Larry Loeb looks at [20]the SE Linux code, the open-sourced, security-enhanced version of the Linux 2.2 kernel released by the National Security Agency. "If you haven't been following the cryptography area lately, let me assure you that this action by the NSA was the crypto equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fishes, and then inviting everyone to come over to his place to watch the soccer game and have a few beers."

A review of Intrusion Detection Systems. Back in [21]January we briefly discussed free software intrusion detection systems. This month Dragos Ruiu has posted an [22]in-depth evaluation of Snort alongside several commercial IDS systems; it is a worthwhile read for anyone interested in deploying an intrusion detection system. "IDS is a relatively new technology, but it is increasing in popularity, driven by the number of people starting to entrust valuable or mission-critical data to computer systems that they feel a need to install good risk management for. Along with this popularity comes a large number of commercial entrants, and new products, all with varying marketing claims - making purchase and evaluation difficult, particularly as the operation of these early-generation systems is still an enormously technical task, requiring a fairly deep and broad knowledge of networking protocols and technology."
The review reflects a great deal of time and research; we look forward to the promised updated versions over time.

Turbolinux issues updated public key. Turbolinux has a [23]new public key. Turbolinux users will want to download the new key in order to properly check the signatures on new Turbolinux security updates.

Security Reports

Apache directory listing error. In some circumstances Apache 1.3.18 and earlier can be made to display a directory listing instead of an error message by requesting an artificially long path containing many slashes. A fix can be found in the recently released [24]Apache 1.3.19. See this [25]SecurityPortal posting for details.

/bin/mail buffer overflow. A [26]buffer overflow in /bin/mail was reported by SosPiro to the vuln-dev mailing list on February 28th, 2001. Note that the overflow is not exploitable unless the binary is installed setuid or setgid, a configuration choice that differs between distributions. A quick check of the permissions on your local system is recommended, especially since they may no longer match the distribution's installation defaults.
This week's updates:
 * [27]Caldera

PHP-Nuke 4.4.1a saveuser vulnerability. Security reports for PHP-Nuke continue to come in fast and furiously. This week [28]PHP-Nuke 4.4.1a was reported vulnerable via its saveuser function, which does not check its input rigorously enough and, as a result, can be used to change another user's email address or obtain their password. saveuser was singled out only as a demonstration; apparently other PHP-Nuke functions can be exploited in the same manner. No patch or response from the PHP-Nuke team has been seen yet.

PHP 4.0.4 IMAP fix repercussions. A security fix for IMAP in PHP 4.0.4 can unfortunately break under some circumstances, causing the IMAP module to fail. [29]PHP 4.0.4pl1 appears to contain a fix for the problem. Alternatively, [30]a patch is available that closes the original buffer overflow but otherwise reverts IMAP behaviour to match 4.0.3.

Mailman potential privacy hole. A potential privacy hole in Mailman has been fixed in the latest release, [31]Mailman 2.0.2. The hole could allow list administrators to obtain subscribers' passwords. Directly, those passwords would be of little use to an administrator, but since many people reuse the same password in multiple places the privacy violation is a concern. This is a recommended upgrade, if not for the privacy concern then for the other "important" bug fixes in the release.

ePerl buffer overflows. Fumitoshi Ukai and Denis Barbier found and reported buffer overflows in ePerl which can be exploited if ePerl is installed setuid root. ePerl is used to expand Perl statements embedded in text files; when installed setuid root it can switch to the UID/GID of the script's owner. As a result, even where it is not setuid root by default, some sites may have changed the permissions to get this functionality.
This week's updates:
 * [32]Debian

man2html denial-of-service vulnerability. man2html, a program that converts man pages to HTML so they can be read in a web browser, has been reported to contain a denial-of-service vulnerability. Details are currently lacking, since so far we have seen the problem only via the Debian advisory below.
This week's updates:
 * [33]Debian

mc binary execution vulnerability. Again we have few details, since this has not been reported on BugTraq but was first seen (by us) in the Debian advisory below, which describes the problem in general terms without technical specifics. It seems that one local user can use Midnight Commander to trick another user into executing an arbitrary program under the uid of the person running Midnight Commander. Andrew V. Samoilov provided a fix for the problem.
This week's updates:
 * [34]Debian
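Both the /bin/mail and the ePerl reports above hinge on the same local condition: the overflow matters only if the binary carries the setuid or setgid bit, and that bit may have been changed since installation. The following check is an added example, not code from LWN, Caldera or Debian. It reports those bits for a list of candidate paths and can also walk a directory tree the way find -perm -4000 -o -perm -2000 would; the candidate paths are assumptions about where the two binaries commonly live, so adjust them for your system.

```python
# Check whether binaries such as /bin/mail and eperl carry the setuid/setgid
# bits that turn a local buffer overflow into a privilege escalation. Added
# example; the candidate paths are assumed common locations, not a list
# taken from any distribution.
import os
import stat

# Assumed common install locations for the two binaries discussed above.
CANDIDATES = [
    "/bin/mail", "/usr/bin/mail", "/usr/bin/mailx", "/usr/bin/Mail",
    "/usr/bin/eperl", "/usr/local/bin/eperl",
]


def privileged_bits(path):
    """Describe the setuid/setgid state of path (following symlinks).

    Returns None when the path does not exist or cannot be stat()ed."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    mode = st.st_mode
    return {
        "path": path,
        "mode": "%04o" % stat.S_IMODE(mode),
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def is_risky(info):
    """True for a file that is setuid or setgid: an overflow in it is exploitable locally."""
    return info is not None and (info["setuid"] or info["setgid"])


def check_candidates(paths=CANDIDATES):
    """Return info for every candidate path that exists and is setuid/setgid."""
    return [info for info in map(privileged_bits, paths) if is_risky(info)]


def _on_device(path, dev):
    try:
        return os.lstat(path).st_dev == dev
    except OSError:
        return False


def walk_privileged(root):
    """Yield info for every setuid/setgid regular file under root.

    Stays on the filesystem root lives on (so /proc, NFS mounts and the like
    are not entered) and does not follow symlinks."""
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if _on_device(os.path.join(dirpath, d), root_dev)]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield privileged_bits(full)


if __name__ == "__main__":
    found = check_candidates()
    if not found:
        print("none of the candidate binaries is setuid/setgid")
    for info in found:
        flags = "".join(f for f, on in (("u", info["setuid"]), ("g", info["setgid"])) if on)
        print("%s mode %s uid %d gid %d set%sid" % (info["path"], info["mode"],
                                                   info["uid"], info["gid"], flags))
```

Run it as is to check the candidate list, or call walk_privileged("/usr") for a full inventory of privileged binaries; any setuid/setgid entry for a program with a known overflow is the case the two advisories above describe.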
Web scripts. The following web scripts were reported to contain vulnerabilities:
 * [35]Infopop Ultimate Bulletin Board 5.0.x beta has been reported to contain a vulnerability that can be exploited to retrieve user cookies. An upgrade to Infopop Ultimate Bulletin Board 6.0 Beta should fix the problem.
 * [36]Simple Server, a Java-based HTTP server, has been reported vulnerable to a directory traversal problem. No patch or vendor response has been seen so far.
 * [37]post-query, a CGI script generally provided as sample CGI code, contains a remotely exploitable buffer overflow. It is recommended that the script be removed from your system if it is present.

Commercial products. The following commercial products were reported to contain vulnerabilities:
 * [38]SurgeFTP, an FTP server from [39]NetWin that runs on Unix/Linux/Windows, is vulnerable to a local denial-of-service attack. The vendor has issued Build v1.1h of SurgeFTP, which fixes the issue.
 * [40]Cisco IOS has been reported to contain a vulnerability that allows successful prediction of TCP Initial Sequence Numbers. This only affects TCP connections originating or terminating on the Cisco device itself, not traffic passing through it. Free software upgrades are offered to fix the problem.

Updates

Zope security update. Digital Creations released [41]a security update to Zope (all versions up to 2.3b1) the week of [42]March 1st, fixing a vulnerability in how ZClasses are handled. An upgrade is recommended.
This week's updates:
 * [43]Conectiva
Previous updates:
 * [44]Red Hat (March 1st)
 * [45]Linux-Mandrake (March 1st)

joe file handling vulnerability. Check the [46]March 1st LWN Security Summary for the initial report.
This week's updates:
 * [47]Red Hat
 * [48]Immunix
 * [49]Linux-Mandrake

CUPS buffer overflow and temporary file creation problems. Check the [50]March 1st LWN Security Summary for the initial report.
This week's updates:
 * [51]SuSE
Previous updates:
 * [52]Linux-Mandrake (March 1st)

sudo buffer overflow.
Check the [53]March 1st LWN Security Summary for the original report.
This week's updates:
 * [54]Debian
Previous updates:
 * [55]Slackware (March 1st)
 * [56]Trustix (March 1st)
 * [57]Conectiva (March 1st)
 * [58]Linux-Mandrake (March 1st)
 * [59]Debian (March 1st)
 * [60]Immunix (March 1st)

Analog buffer overflow. An exploitable buffer overflow in analog was reported in the [61]February 22nd LWN Security Summary. Version 4.16 contains a fix for the problem, which affects all earlier versions.
This week's updates:
 * [62]Debian
Previous updates:
 * [63]Red Hat (March 1st)

LICQ/GnomeICU denial-of-service vulnerability. Check the [64]February 15th LWN Security Summary for the original report, which also noted a similar problem in kicq. This week [65]Bill Soudan noted that the CVS code for kicq has been corrected, with thanks to Bernhard Rosenkraenzer at Red Hat.

Multiple vulnerabilities in ProFTPD. Check the [66]February 8th, 2001 LWN Security Summary for details. ProFTPD 1.2.0rc3 contains fixes for all of the problems described there.
This week's updates:
 * [67]Debian, updated advisory, Motorola 680x0 packages added
 * [68]Debian, updated advisory, this one also fixes two Debian-specific configuration errors
Previous updates:
 * [69]Cobalt, unofficial package updates (February 8th)
 * [70]Conectiva (February 15th)
 * [71]Linux-Mandrake (February 15th)
 * [72]Debian (February 15th)
 * [73]Trustix (February 15th)

mgetty tmp file race problem. mgetty was one of twelve packages reported in January to contain tmp file race problems. Check the [74]January 11th LWN Security Summary for the initial report.
This week's updates:
 * [75]Debian, updated advisory, Motorola 680x0 and PowerPC added
Previous updates:
 * [76]Immunix (January 11th)
 * [77]Debian (January 11th)
 * [78]Linux-Mandrake (January 18th)
 * [79]Caldera (January 18th)

Events

RAID 2001 - Call for Papers.
The Fourth International Symposium on Recent Advances in Intrusion Detection, better known as RAID 2001, will take place October 10th through 12th, 2001, in Davis, CA, USA. The deadline for its [80]Call for Papers is coming up soon: March 30th, 2001.

Upcoming security events.

 Date                     Event                                                        Location
 March 26-29, 2001        [81]Distributed Object Computing Security Workshop           Annapolis, Maryland, USA
 March 27-28, 2001        [82]eSecurity                                                Boston, MA, USA
 March 28-30, 2001        [83]CanSecWest/core01 Network Security Training Conference   Vancouver, British Columbia, Canada
 March 29, 2001           [84]Security of e-Finance and e-Commerce Forum Series         Manhattan, New York, USA
 March 30-April 1, 2001   [85]@LANta.CON                                               Doraville, GA, USA
 April 6-8, 2001          [86]Rubi Con 2001                                            Detroit, MI, USA
 April 8-12, 2001         [87]RSA Conference 2001                                      San Francisco, CA, USA
 April 20-22, 2001        [88]First annual iC0N security conference                    Cleveland, Ohio, USA
 April 22-25, 2001        [89]Techno-Security 2001                                     Myrtle Beach, SC, USA

For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' [90]calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to [91]lwn@lwn.net.
Section Editor: [92]Liz Coolbaugh, March 8, 2001

Secure Linux Projects: [94]Bastille Linux, [95]Immunix, [96]Nexus, [97]SLinux, [98]NSA Security-Enhanced, [99]Trustix
Security List Archives: [100]Bugtraq Archive, [101]Firewall Wizards Archive, [102]ISN Archive
Distribution-specific links: [103]Caldera Advisories, [104]Conectiva Updates, [105]Debian Alerts, [106]Kondara Advisories, [107]Esware Alerts, [108]LinuxPPC Security Updates, [109]Mandrake Updates, [110]Red Hat Errata, [111]SuSE Announcements, [112]Yellow Dog Errata
BSD-specific links: [113]BSDi, [114]FreeBSD, [115]NetBSD, [116]OpenBSD
Security mailing lists: [117]Caldera, [118]Cobalt, [119]Conectiva, [120]Debian, [121]Esware, [122]FreeBSD, [123]Kondara, [124]LASER5, [125]Linux From Scratch, [126]Linux-Mandrake, [127]NetBSD, [128]OpenBSD, [129]Red Hat, [130]Slackware, [131]Stampede, [132]SuSE, [133]Trustix, [134]turboLinux, [135]Yellow Dog
Security Software Archives: [136]munitions, [137]ZedZ.net (formerly replay.com)
Miscellaneous Resources: [138]CERT, [139]CIAC, [140]Comp Sec News Daily, [141]Crypto-GRAM, [142]LinuxLock.org, [143]Linux Security Audit Project, [144]LinuxSecurity.com, [145]OpenSSH, [146]OpenSEC, [147]Security Focus, [148]SecurityPortal

[150]Eklektix, Inc. Copyright © 2001 [151]Eklektix, Inc., all rights reserved. Linux (R) is a registered trademark of Linus Torvalds.

References
1. http://lwn.net/
2. http://ads.tucows.com/click.ng/pageid=001-012-132-000-000-002-000-000-012
3. http://lwn.net/2001/0308/
4. http://lwn.net/2001/0308/kernel.php3
5. http://lwn.net/2001/0308/dists.php3
6. http://lwn.net/2001/0308/desktop.php3
7. http://lwn.net/2001/0308/devel.php3
8. http://lwn.net/2001/0308/commerce.php3
9. http://lwn.net/2001/0308/press.php3
10. http://lwn.net/2001/0308/announce.php3
11. http://lwn.net/2001/0308/history.php3
12. http://lwn.net/2001/0308/letters.php3
13. http://lwn.net/2001/0308/bigpage.php3
14. http://lwn.net/2001/0301/security.php3
15. http://securityfocus.com/frames/?content=/templates/archive.pike%3Ffromthread%3D0%26list%3D1%26end%3D2001-03-10%26tid%3D167052%26threads%3D1%26start%3D2001-03-04%26
16. http://linux.sabah.net.my/doc/RFC/rfc1122.htm
17. http://lwn.net/2001/0308/a/loopback.php3
18. http://lwn.net/2001/0308/a/excerpt.php3
19. http://www.linuxvirtualserver.org/
20. http://www-106.ibm.com/developerworks/library/s-selinux/?dwzone=security?open&l=252,t=gr,p=selnx
21. http://lwn.net/2001/0111/security.php3
22. http://securityportal.com/articles/idsintroduction20010226.html
23. http://lwn.net/2001/0308/a/tl-publickey.php3
24. http://freshmeat.net/releases/42191/
25. http://lwn.net/2001/0308/a/sec-apache.php3
26. http://securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D82%26threads%3D1%26end%3D2001-03-03%26tid%3D166333%26fromthread%3D0%26start%3D2001-02-25%26
27. http://lwn.net/2001/0308/a/caldera-mail.php3
28. http://lwn.net/2001/0308/a/phpnuke-saveuser.php3
29. http://freshmeat.net/releases/25629/
30. http://lwn.net/2001/0308/a/phpimapfix.php3
31. http://lwn.net/2001/0308/a/mailman.php3
32. http://lwn.net/2001/0308/a/deb-eperl.php3
33. http://lwn.net/2001/0308/a/man2html.php3
34. http://lwn.net/2001/0308/a/deb-mc.php3
35. http://www.securityfocus.com/bid/2408
36. http://www.securityfocus.com/bid/2415
37. http://lwn.net/2001/0308/a/post-query.php3
38. http://lwn.net/2001/0308/a/surgeftp.php3
39. http://www.netwinsite.com/
40. http://lwn.net/2001/0308/a/cisco-tcpinit.php3
41. http://lwn.net/2001/0308/a/zope-zclasses.php3
42. http://lwn.net/2001/0301/security.php3#zope
43. http://lwn.net/2001/0308/a/con-zope.php3
44. http://lwn.net/2001/0301/a/rh-2001-021-06.php3
45. http://lwn.net/2001/0301/a/lm-zope.php3
46. http://lwn.net/2001/0301/security.php3#joe2
47. http://lwn.net/2001/0308/a/rh-joe.php3
48. http://lwn.net/2001/0308/a/imm-joe.php3
49. http://lwn.net/2001/0308/a/lm-joe.php3
50. http://lwn.net/2001/0301/security.php3#cups
51. http://lwn.net/2001/0308/a/suse-cups.php3
52. http://lwn.net/2001/0301/a/lm-MDKSA-2001-023.php3
53. http://lwn.net/2001/0301/security.php3#sudo
54. http://lwn.net/2001/0308/a/deb-sudo.php3
55. http://lwn.net/2001/0301/a/sl-sudo.php3
56. http://lwn.net/2001/0301/a/trustix-sudo.php3
57. http://lwn.net/2001/0301/a/conectiva-sudo.php3
58. http://lwn.net/2001/0301/a/lm-sudo.php3
59. http://lwn.net/2001/0301/a/debian-sudo.php3
60. http://lwn.net/2001/0301/a/immunix-sudo.php3
61. http://lwn.net/2001/0222/security.php3#web
62. http://lwn.net/2001/0308/a/deb-analog.php3
63. http://lwn.net/2001/0301/a/rh-analog.php3
64. http://lwn.net/2001/0215/security.php3#licq/kicq
65. http://lwn.net/2001/0308/a/kicq.php3
66. http://lwn.net/2001/0208/security.php3#proftpd
67. http://lwn.net/2001/0308/a/deb-proftpd-20010306.php3
68. http://lwn.net/2001/0308/a/deb-proftpd-20010307.php3
69. http://lwn.net/2001/0208/a/cb-proftpd.php3
70. http://lwn.net/2001/0215/a/con-proftpd.php3
71. http://lwn.net/2001/0215/a/lm-proftpd.php3
72. http://lwn.net/2001/0215/a/deb-proftpd.php3
73. http://lwn.net/2001/0215/a/tr-kernelproftpd.php3
74. http://lwn.net/2001/0111/security.php3#tmprace
75. http://lwn.net/2001/0308/a/deb-mgetty-20010306.php3
76. http://lwn.net/2001/0111/a/sec-immunix-tmprace.php3
77. http://lwn.net/2001/0111/a/sec-debian-mgetty.php3
78. http://lwn.net/2001/0118/a/lm-mgetty-2001009.php3
79. http://lwn.net/2001/0118/a/caldera-mgetty.php3
80. http://lwn.net/2001/0308/a/RAIDcfp.php3
81. http://www.omg.org/news/meetings/docsec2001/
82. http://www.intmedgrp.com/security/sec01bs/overview.html
83. http://www.dursec.com/conference.html
84. http://www.ists.dartmouth.edu/iria/events/ebizforum.html
85. http://www.atlantacon.org/
86. http://www.rubi-con.org/
87. http://www.rsasecurity.com/conference/rsa2001/index2.html
88. http://lwn.net/2001/0208/a/iC0N.php3
89. http://www.techsec.com/html/Conferences.html
90. http://securityfocus.com/calendar
91. mailto:lwn@lwn.net
92. mailto:lwn@lwn.net
93. http://ads.tucows.com/click.ng/buttonpos=lwnbuttonsecurity
94. http://bastille-linux.sourceforge.net/
95. http://www.immunix.org/
96. http://Nexus-Project.net/
97. http://www.slinux.org/
98. http://www.nsa.gov/selinux/
99. http://www.trustix.com/
100. http://www.securityfocus.com/bugtraq/archive/
101. http://www.nfr.net/firewall-wizards/
102. http://www.jammed.com/Lists/ISN/
103. http://www.calderasystems.com/support/security/
104. http://www.conectiva.com.br/atualizacoes/
105. http://www.debian.org/security/
106. http://www.kondara.org/errata/k12-security.html
107. http://www.esware.com/actualizaciones.html
108. http://linuxppc.org/security/advisories/
109. http://www.linux-mandrake.com/en/fupdates.php3
110. http://www.redhat.com/support/errata/index.html
111. http://www.suse.de/security/index.html
112. http://www.yellowdoglinux.com/resources/errata.shtml
113. http://www.BSDI.COM/services/support/patches/
114. http://www.freebsd.org/security/security.html
115. http://www.NetBSD.ORG/Security/
116. http://www.openbsd.org/security.html
117. http://www.calderasystems.com/support/forums/announce.html
118. http://www.cobalt.com/support/resources/usergroups.html
119. http://distro.conectiva.com.br/atualizacoes/
120. http://www.debian.org/MailingLists/subscribe
121. http://www.esware.com/lista_correo.html
122. http://www.freebsd.org/handbook/eresources.html#ERESOURCES-MAIL
123. http://www.kondara.org/mailinglist.html.en
124. http://l5web.laser5.co.jp/ml/ml.html
125. http://www.linuxfromscratch.org/services/mailinglistinfo.php
126. http://www.linux-mandrake.com/en/flists.php3
127. http://www.netbsd.org/MailingLists/
128. http://www.openbsd.org/mail.html
129. http://www.redhat.com/mailing-lists/
130. http://www.slackware.com/lists/
131. http://www.stampede.org/mailinglists.php3
132. http://www.suse.com/en/support/mailinglists/index.html
133. http://www.trustix.net/support/
134. http://www.turbolinux.com/mailman/listinfo/tl-security-announce
135. http://lists.yellowdoglinux.com/ydl_updates.shtml
136. http://munitions.vipul.net/
137. http://www.zedz.net/
138. http://www.cert.org/nav/alerts.html
139. http://ciac.llnl.gov/ciac/
140. http://www.MountainWave.com/
141. http://www.counterpane.com/crypto-gram.html
142. http://linuxlock.org/
143. http://lsap.org/
144. http://linuxsecurity.com/
145. http://www.openssh.com/
146. http://www.opensec.net/
147. http://www.securityfocus.com/
148. http://www.securityportal.com/
149. http://lwn.net/2001/0308/kernel.php3
150. http://www.eklektix.com/
151. http://www.eklektix.com/

--- ifmail v.2.14.os7-aks1
 * Origin: Unknown (2:4615/71.10@fidonet)