Date: Mon, 12 Jun 2000 02:10:23 -0400 (EDT)
From: newsletter-admins@linuxsecurity.com
To: newsletter@linuxsecurity.com
Subject: Linux Security Week June 12, 2000

+---------------------------------------------------------------------+
|  LinuxSecurity.com                         Weekly Newsletter        |
|    June 12, 2000                           Volume 1, Number 7       |
|                                                                     |
|  Editorial Team:  Dave Wreski             dave@linuxsecurity.com    |
|                   Benjamin Thomas         ben@linuxsecurity.com     |
+---------------------------------------------------------------------+

Thank you for reading LinuxSecurity.com's weekly security newsletter. The 
purpose of this document is to provide our readers with a quick summary of 
each week's most relevant Linux security headlines and system advisories. 

A very serious Linux kernel security bug was recently discovered that 
allows local users to gain root access. The problem lies in the Linux 
kernel capability model and affects all 2.2.x kernels. To ensure that 
this vulnerability cannot be exploited by programs running on Linux, users 
are advised to update to kernel version 2.2.16 immediately.

Security updates for KDE, inn, mailx and qpop were all issued by many
vendors. Some vendors also reported a flaw in the SSL transaction
handling of Netscape. Keep in mind that if another vendor has released
an update and your vendor has not, that does not mean your system is
not vulnerable.

Recently added to the site is the WebTrends Security Analyzer. The 
WebTrends Security Analyzer has the most vulnerability tests for Red Hat & 
VA Linux. Using advanced agent-based technology, you can scan your Linux 
servers from your Windows NT/2000 console and protect them against 
potential threats. Now with over 1,000 tests available.

http://www.webtrends.com/redirect/linuxsecurity1.htm

--------------------------------------
Linux Security Week Index: 

Advisories:
June 10th, 2000 - Conectiva: Security problems with capabilities 
June 9th, 2000 - Caldera: Netscape SSL vulnerability 
June 9th, 2000 - SuSE 6.x: qpop vulnerability 
June 8th, 2000 - Caldera: serious bug in setuid() 
June 8th, 2000 - Linux Kernel 2.2.x: Local users obtain root 
June 8th, 2000 - Conectiva: gpm Remote buffer overflow 
June 8th, 2000 - BRU: local root exploit vulnerability 
June 8th, 2000 - FreeBSD: ssh port listens 
June 8th, 2000 - FreeBSD: apsfilter 
June 8th, 2000 - Linux Kernel Security Bug Discovered 
June 8th, 2000 - Solar Designer's OpenWall Kernel Patch 
June 8th, 2000 - BSD Based Operating Systems: IPCS 
June 7th, 2000 - Conectiva: cdrecord buffer overflow 
June 7th, 2000 - Caldera: buffer overflow in inn 
June 7th, 2000 - RedHat 6.x: kdelibs vulnerability 
June 6th, 2000 - Conectiva: INN Vulnerability 
June 6th, 2000 - Caldera: kdelibs vulnerability 
June 5th, 2000 - Debian: mailx local exploit

Firewall News: 
June 8th, 2000 - Dialup firewalling with FreeBSD

Linux Host Security:
June 8th, 2000 - Delegating superuser tasks with sudo 
June 8th, 2000 - Linux security classes 
June 7th, 2000 - How To Eliminate The Ten Most Critical Threats 
June 7th, 2000 - A Capabilities Based Operating System

Linux Server Security:
June 9th, 2000 - The Soothingly Seamless Setup of Apache, SSL 
June 8th, 2000 - Linux 101: Basic network security 
June 7th, 2000 - Security scare as outsiders get access passwords 
June 7th, 2000 - Bastille Linux: A Walkthrough 
June 7th, 2000 - Is Linux a net security risk? 
June 6th, 2000 - Hardening Linux Machines For Web Services

Cryptography: 
June 8th, 2000 - OpenSSH 2.2.1 Released
June 6th, 2000 - U.S. To Follow EU Crypto Lead 
June 6th, 2000 - Encryption: Where Next? 
June 5th, 2000 - Cryptography and Security

Vendors/Products/Tools:
June 9th, 2000 - WetStone Technologies Releases SMART Watch 
June 9th, 2000 - Linux Kernel Auditing Project 
June 8th, 2000 - OpenSSH v2.2.1 Released 
June 6th, 2000 - SSH Version 2.2 Released 
June 5th, 2000 - Secure open source Web server debuts at Linux expo 

Community News:
June 9th, 2000 - Linux Kernel Auditing Project
June 7th, 2000 - Infosec Outlook June 2000 
June 7th, 2000 - The Arash Baratloo 
June 7th, 2000 - Security is Important, and so is OS 
June 6th, 2000 - Biometrics: More than a helping hand 
June 6th, 2000 - Security Firm to List Additional Threats 
June 5th, 2000 - A Data Sanctuary Is Born 


Advisories this Week: 

June 10th, 2000
Conectiva: Security problems with capabilities
The 2.2.x series of the Linux kernel implements capabilities. Capabilities 
can be used to restrict what the root user can do. Many privileged 
programs, such as SUID programs, drop root privileges before taking 
certain actions, such as executing a user-supplied program.

http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-480.html

June 9th, 2000
Caldera: Netscape SSL vulnerability
There are some flaws in the SSL transaction handling of Netscape Version 
4.72 which could compromise encrypted SSL sessions.

http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-479.html

June 9th, 2000
SuSE 6.x: qpop vulnerability
An attacker could send a mail with a maliciously formatted mail header to a 
person who receives mail via qpop 2.53, to execute code with the 
privileges of user 'mail' at the qpop server.

http://www.linuxsecurity.com/advisories/advisory_documents/suse_advisory-478.html

June 8th, 2000
Caldera: serious bug in setuid()
There is a serious vulnerability in the Linux kernel that allows local 
users to obtain root privilege by exploiting certain setuid root 
applications.

http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-477.html

June 8th, 2000
Linux Kernel 2.2.x: Local users can obtain root privileges
A bug in the kernel capability model allows local users to obtain root 
privileges. All users should upgrade to kernel 2.2.16. Vendor kernel 
releases will be coming out shortly.

http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-476.html

June 8th, 2000
Conectiva: gpm Remote buffer overflow
The gdm program is one of the graphical login choices available for 
Conectiva Linux users. A serious vulnerability has been found in this 
program during the XDMCP protocol processing that could lead to remote 
root compromise.

http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-475.html

June 8th, 2000
BRU: local root exploit vulnerability
To prevent BRU from being exploited and offering root privileges, the 
binary file's privileges should be changed to 0550.

http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-484.html 

June 8th, 2000
FreeBSD: ssh port listens
A patch added to the FreeBSD SSH port on 2000-01-14 incorrectly configured 
the SSH daemon to listen on an additional network port, 722, in addition 
to the usual port 22. This change was made as part of a patch to allow the 
SSH server to listen on multiple ports, but the option was incorrectly 
enabled by default.

http://www.linuxsecurity.com/advisories/advisory_documents/freebsd_advisory-474.html

June 8th, 2000
FreeBSD: apsfilter 
The apsfilter port, versions 5.4.1 and below, contains a vulnerability 
which allows local users to execute arbitrary commands as the user running 
lpd, user root in a default FreeBSD installation. The apsfilter software 
allows users to specify their own filter configurations, which are read in 
an insecure manner and may be used to elevate privileges.

http://www.linuxsecurity.com/advisories/advisory_documents/freebsd_advisory-473.html

June 8th, 2000
Linux Kernel Security Bug Discovered
A serious bug has been discovered in the Linux kernel that can be used by 
local users to gain root access. The problem, a vulnerability in the Linux 
kernel capability model, exists in kernel versions up to and including 
version 2.2.15. According to Alan Cox, a key member of the Linux developer 
community, "It will affect programs that drop setuid state and rely on 
losing saved setuid, even those that check that the setuid call 
succeeded."

To ensure that this vulnerability cannot be exploited by programs running 
on Linux, Linux users are advised to update to kernel version 2.2.16 
immediately. Information on "capabilities" is discussed in the 
Capabilities FAQ. We also recently ran a story on a capabilities-based 
operating system that is worth reading.

http://www.linuxsecurity.com/articles/server_security_article-831.html
ftp://ftp.guardian.no/pub/free/linux/capabilities/capfaq.txt

June 8th, 2000
Solar Designer's OpenWall Kernel Patch
Solar's kernel security enhancement patch is now available for the 
recently-released 2.2.16 Linux kernel. "This patch is a collection of 
security-related features for the Linux kernel, all configurable via the 
new 'Security options' configuration section. In addition to the new 
features, some versions of the patch contain various security fixes. The 
number of such fixes changes from version to version, as some are becoming 
obsolete (such as because of the same problem getting fixed with a new 
kernel release), while other security issues are discovered."

http://www.linuxsecurity.com/articles/projects_article-839.html

June 8th, 2000
BSD Based Operating Systems: IPCS Vulnerability
This advisory is for all 386BSD-derived OSes, including all versions of 
FreeBSD, NetBSD and OpenBSD. "An unprivileged local user can cause every 
process on the system to hang during exiting. In other words, after the 
system call is issued, no process on the system will be able to exit 
completely until another user issues the "unblock" call or the system is 
rebooted. This is a denial-of-service attack."

http://www.linuxsecurity.com/articles/server_security_article-832.html

June 7th, 2000
Conectiva: cdrecord buffer overflow
The cdrecord program has a buffer overflow problem in the processing of 
the command-line argument "dev=". By exploiting this vulnerability, a local 
user could make the program execute arbitrary commands. Conectiva Linux 
doesn't ship this binary with the SUID or SGID bits turned on. So, the 
vulnerability's extent is greatly reduced, not having the effect of 
granting higher user privileges.

http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-472.html

June 7th, 2000
Caldera: buffer overflow in inn
There is a buffer overflow in the handling of control articles in some 
configurations of the InterNet News package (INN). This lets malicious 
attackers tailor control messages that might give them access to the local 
'news' account.

http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-471.html

June 7th, 2000
RedHat 6.x: kdelibs vulnerability
In kdelibs 1.1.2, there are security issues with the way some applications 
perform when they are run suid root. The only application vulnerable is 
kwintv from Powertools. With our PAM configuration, the suid bit for 
kwintv is not necessary.

http://www.linuxsecurity.com/advisories/advisory_documents/redhat_advisory-470.html

June 6th, 2000
Conectiva: INN Vulnerability
An update to the INN package has been released for the Conectiva 
distribution that fixes a buffer overflow.

http://www.linuxsecurity.com/advisories/advisory_documents/other_advisory-469.html

June 6th, 2000
Caldera: kdelibs vulnerability
There is a very serious vulnerability in the way KDE starts applications 
that allows local users to take over any file in the system by exploiting 
a setuid root KDE application.

http://www.linuxsecurity.com/advisories/advisory_documents/caldera_advisory-468.html

June 5th, 2000
Debian: mailx local exploit
The version of mailx distributed in Debian GNU/Linux 2.1 (a.k.a. slink), 
as well as in the frozen (potato) and unstable (woody) distributions is 
vulnerable to a local buffer overflow while sending messages. This could 
be exploited to give a shell running with group "mail".

http://www.linuxsecurity.com/advisories/advisory_documents/debian_advisory-467.html


Firewall News:

June 8th, 2000
Dialup firewalling with FreeBSD
This article documents how to set up a firewall using a PPP dialup with 
FreeBSD and IPFW, and specifically with firewalling over a dialup with a 
dynamically assigned IP address. It does not cover how to set up a standard 
PPP connection. 

http://www.linuxsecurity.com/articles/firewalls_article-840.html


Linux Host Security:

June 8th, 2000
Delegating superuser tasks with sudo
"Instead of just handing out your root password to various users or 
beginning sys-admins or changing numerous programs as set uid root (to run 
as root), you can use sudo (which stands for "superuser do") to allow them 
to run certain commands as the super user (or as another user). Using sudo 
is also an idea for running scripts as another user since setting the suid 
bit for scripts does not work." 

http://www.linuxsecurity.com/articles/host_security_article-842.html

June 8th, 2000
Linux security classes
This article discusses a bit of history of security company ISS, its 
founder, and the new Linux security classes they are offering. "Internet 
Security Systems will offer classes in Linux security. Take a look at the 
founder's background in network security and at the company's origins." 

http://www.linuxsecurity.com/articles/forums_article-834.html 

June 7th, 2000
How To Eliminate The Ten Most Critical Internet Security Threats
This SANS document takes their list of the top ten vulnerabilities one 
step further by actually providing steps and advice on eliminating the 
threats. "Here is the experts list of the Ten Most Often Exploited 
Internet Security Flaws along with the actions needed to rid your systems 
of these vulnerabilities."

http://www.linuxsecurity.com/articles/security_sources_article-824.html 

June 7th, 2000
A Capabilities Based Operating System 
In this article, Kurt Seifried discusses various insecurities that are 
common in operating systems and the applications that accompany them. 
"There's been a lot of security advisories in the last few weeks, with 
some pretty major problems. There were even some nasty kernel level 
problems in several operating systems, allowing users to do all sorts of 
bad things (like hang any program on the system once it exits, or execute 
a local denial of service by slamming the ports). Even if you managed to 
squish every bug you could find, you would still not have a bug free 
system (because you are not going to find all the bugs). A good example of 
this is OpenBSD."

http://www.linuxsecurity.com/articles/host_security_article-821.html


Linux Server Security: 

June 9th, 2000
The Soothingly Seamless Setup of Apache, SSL, MySQL, and PHP
This article discusses the use of mod_ssl, OpenSSL, RSARef, MySQL and PHP 
to develop a secure web server. "Our objective is to install a web server 
that will allow us to host sites, that would be secure for e-commerce 
solutions, and that could be driven via scripts to connect to a database 
server and extract its data." 

http://www.linuxsecurity.com/articles/server_security_article-850.html

June 8th, 2000
Linux 101: Basic network security
Here is a nice little article that can help you get started in security. 
"Linux security can be as simple or as advanced as you want. A Linux 
system can be locked down (relatively speaking) with a simple one-two 
punch of /etc/hosts.deny and /etc/hosts.allow, or you can go as far as 
running a strong ipchain-style firewall ruleset and PortSentry."

http://www.linuxsecurity.com/articles/network_security_article-841.html

June 7th, 2000
Security scare as outsiders get access to NetBSD software password
Developers of the NetBSD open source operating system say a recent 
security breach did not compromise the software's source code. NetBSD 
developer and project spokesman Charles Hannum has confirmed that a key 
developer's password was "discovered" by outsiders. The password would 
have given hackers the opportunity to impersonate Paul Vixie, a leading 
developer with the right to make changes to the source code for the 
software, although not directly.

http://www.linuxsecurity.com/articles/server_security_article-830.html

June 7th, 2000
Bastille Linux: A Walkthrough
This article presents a walkthrough of Bastille Linux, a popular hardening 
program for Red Hat and Mandrake, available for free from Jon Lasser, Pete 
Watkins, myself, and the rest of the Bastille Linux project. This 
walkthrough won't be the kind of "paranoid" setup that I enjoy most, as 
that could remove too much functionality for the average reader. Don't 
worry - I'll explain what we'll break in each setting, how we'll break it, 
and how you can fix it. But first, a shameless plug: I'll let you know 
about the cool features in the newest Bastille version, which we've just 
released. 

http://www.linuxsecurity.com/articles/projects_article-827.html 

June 7th, 2000
Is Linux a net security risk?
A SANS Institute of America report has named Linux and Unix operated sites 
as more vulnerable to internet attacks than Windows and Mac powered sites. 
Compiled by US industry, government, and academics, the June 1 paper, 
titled How to Eliminate the Ten Most Critical Internet Security Threats: 
The Experts' Consensus, names versions of Unix and Linux systems in nine 
out of a "top ten" list of security vulnerabilities for operating systems 
that engineers "need to eliminate". Dean Stockwell, director of sales and 
support, Network Associates Asia-Pacific, dismissed SANS's report as 
"skewed". 

http://www.linuxsecurity.com/articles/network_security_article-826.html

June 6th, 2000
Hardening Linux Machines For Web Services
This is an introductory article on securing your Linux server. It starts 
with physical security then briefly discusses network security. "Your 
objective is to add as many rings or layers as possible, making the 
potential cracker take more time to get in (and increasing the chance of 
you noticing and stopping him before he roots you.)" 

http://www.linuxsecurity.com/articles/server_security_article-816.html


Cryptography: 

June 8th, 2000
OpenSSH v2.2.1 Released
A new version of OpenSSH has been released. Version 2.2.1 fixes a few 
usability bugs and a security feature not enabled by default. OpenSSH is a 
freely-available implementation of Secure Shell, a telnet/ftp/rlogin 
replacement that provides strong authentication and encryption. 

http://www.linuxsecurity.com/articles/cryptography_article-837.html

June 6th, 2000
U.S. To Follow EU Crypto Lead
When the EU meets on June 13th, crypto in the US could be a different 
story shortly thereafter. "If the European Union votes next week to relax 
encryption regulations, the United States says it will take similar steps. 
Commerce Department Undersecretary William Reinsch said Monday that any 
change, designed to make sure American high-tech companies aren't 
disadvantaged, will have to wait until the Europeans reach a decision." 

http://www.linuxsecurity.com/articles/cryptography_article-817.html

June 6th, 2000
Encryption: Where Next?
This SC Mag article discusses the history of crypto, the current 
controversy over exportation, info on the new crypto standard emerging, 
and "Crystal Ball" predictions. "The business arguments (for e-business) 
are important and irresistible. The challenge is for the business world to 
find the way to use the technology more safely than they can right now." 
"Cryptography devices will be embedded in modems, cable modems, cellular 
phones and more, when applied to lower-value transactions, he adds. 
Higher-value dealings will warrant stronger protection, negating the 
possibility of software solutions and their inherent limitations. Simply 
put, he explains further, business transactions need new, stronger 
algorithms." 

http://www.linuxsecurity.com/articles/cryptography_article-815.html

June 5th, 2000
Cryptography and Security
Here is a good paper that gives readers a basic understanding of 
cryptography. "Cryptography addresses one specific security-related 
requirement, and does so superbly: protecting a message or a file from 
being read by an eavesdropper who has no other means of access to either 
the original text of what is protected, or the key with which it is 
encrypted. At one time, cryptography wasn't as effective as this: during 
World War II, only a few systems, other than one-time pads, remained 
unbroken, primarily the top-level systems used by the Allies. But today, 
personal computers have made it trivial to use very elaborate methods of 
encryption: whether or not major governments can break them, it is easy 
enough to be sure that hackers cannot." 

http://www.linuxsecurity.com/articles/cryptography_article-805.html


Tools/Vendors/Products: 

June 9th, 2000
WetStone Technologies Releases SMART Watch Version 3.0 
SMART Watch, a Preemptive Hacker Defense Tool and host based intrusion 
detection system detects when key "Watched" Files or Directories have been 
maliciously or accidentally altered. SMART Watch can automatically & 
immediately restore the damage to system resources upon detection, thus 
providing uninterrupted system operation.

http://www.linuxsecurity.com/articles/vendors_products_article-847.html

June 8th, 2000
SecureNet PRO v3.0.7 Released
Version 3.0.7 of the SecureNet PRO Network Intrusion Detection and 
Monitoring suite is now available! SecureNet PRO is an enterprise-scalable 
security platform offering advanced custom protocol decoding, real-time 
monitoring and intrusion response features not found in other product 
offerings. 

http://www.linuxsecurity.com/articles/vendors_products_article-836.html

June 6th, 2000
SSH Version 2.2 Released
"SSH Secure Shell is the recognized de-facto standard for secure remote 
administration and secure file transfers over the Internet."

http://www.linuxsecurity.com/articles/vendors_products_article-813.html

June 5th, 2000
Secure open source Web server debuts at Linux expo
Computer security firm C2Net announced the release of the new open source 
Stronghold Secure Web server at the European Linux Expo in London, Friday. 
The product from this US-based company is based on the open source Apache 
Web server and features 128-bit encryption. Open Source software enabling 
secure Web transactions contradicts the assumption that access to source 
code weakens security. 

http://www.linuxsecurity.com/articles/vendors_products_article-804.html


Community News: 

June 9th, 2000
Linux Kernel Auditing Project
Brian Paxton writes, "It's an attempt to audit the linux kernel for any 
security vulnerabilities and/or holes and/or possible vulnerabilities 
and/or possible holes, and of course without adding more bugs or drawbacks 
to the existing kernels. The suggested kernels to be audited are 2.0.x 
kernel series, 2.2.x kernel series, and the 2.3.x/2.4.x kernel series. 
The group and its work shall be dealt and worked with via a mailing 
list."

http://www.linuxsecurity.com/articles/projects_article-844.html 

June 7th, 2000
Infosec Outlook June 2000
This CERT article talks about current trends and concerns in computer 
security today. Included are topics on liability for attacks, 
Internet-focused insurance policies, comments on virus prevention, "Safe 
computing tips" and more. "Intrusions are going to happen; it's 
inevitable. Administrators, their managers, and senior executives all need 
to know what they're up against so that they are better equipped to deal 
with attacks and be aware of what intruders are doing. Because attack 
techniques and tools are constantly changing, we must maintain constant 
vigilance." 

http://www.linuxsecurity.com/articles/security_sources_article-825.html

June 7th, 2000
The Arash Baratloo 
Here is an interview with the authors of Libsafe..."Arash Baratloo and 
Navjot Singh two of the primary developers for Libsafe, a free software 
library that protects against security exploits based on buffer overflow 
vulnerabilities. They work as members of the Network Software Research 
Department at Bell Labs, the R&D arm of Lucent Technologies."

http://www.linuxsecurity.com/articles/projects_article-823.html 

June 7th, 2000
Security is Important, and so is Open Source
This article questions open source security and the "security" reputation 
that it has earned. "Is this reputation deserved? And more to the point 
can it be maintained? However, some people wonder just how secure these 
and other "open" systems really are. How can a product whose source code 
is freely available to anyone who wants it, including people up to no 
good, be as secure as a product developed in a traditional and highly 
secret environment? How can secure development take place in an 
environment where no one is accountable, where the ruling ethos is that 
"many eyes" are more accountable than a proprietary enterprise? " 

http://www.linuxsecurity.com/articles/forums_article-822.html 

June 6th, 2000
Biometrics: More than a helping hand
An increasing number of agencies and departments are turning to biometrics 
to achieve a higher level of security. Biometric devices measure a person's 
physical or behavioral characteristics, such as iris patterns, hand 
measurements, voice patterns and fingerprints, to ensure that the person 
accessing a device or location is who he or she claims to be. Biometric 
traits, unlike passwords and personal identification numbers (PINs), 
cannot be lost, stolen or easily duplicated. 

http://www.linuxsecurity.com/articles/general_article-811.html

June 6th, 2000
Security Firm to List Additional Threats
The threats listed in the document are just the "tip on the iceberg," 
Nowland said, warning network administrators not to feel safe simply 
because they address the 10 concerns outlined by SANS. NETSEC intends next 
week to release its own supplemented list of Internet security threats 
identified by its in-house team of hackers, Nowland said. 

http://www.linuxsecurity.com/articles/network_security_article-810.html

June 5th, 2000
A Data Sanctuary Is Born
Here's a "safe haven" to store info safe from gov't prying eyes... "A 
windswept gun tower anchored six miles off the stormy coast of England is 
about to become the first Internet data haven. ... It's for "companies 
that want to have email servers in a location in which they can consider 
their email private and not open to scrutiny by anyone capable of filing a 
lawsuit," says Sean Hastings, the 32-year-old chief executive of HavenCo." 

http://www.linuxsecurity.com/articles/general_article-808.html 


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
------------------------------------------------------------------------