Security Linux News for Jul 27, 2000

VNU Net: Microsoft hit by further Outlook bug (Jul 27, 2000, 23:12)
"When exploited, this vulnerability allows an attacker to store
an HTML file in an area that is not protected by the policies of
the 'Internet Zone'. This file may then be used to open arbitrary
files on [a] machine and send the contents back to the

excite/ZDNet: Silence the best security policy (Jul 27, 2000, 21:41)
"Well-meaning hackers are creating an army of 'script kiddies'
by making security holes public, says a speaker at the Black Hat

LinuxSecurity.com Interviews Secure Computing (Jul 27, 2000, 21:22)
"If a user manages to mount an HTTP overrun attack, or a stack
overrun attack of any sort, they can't use that to break out of the
application they're in and get down into the operating system to
gain root access to take over the entire system. We've absolutely

Conectiva Linux Security Announcement: Package: pam (Jul 27, 2000, 20:33)
"This module incorrectly identifies remote X logins for displays
other than :0 (:1, :2, etc.) as local ones, thus giving the console
to this user. Having the console, the remote user could issue
commands like reboot to remotely reboot the system (after providing
his or her password)."

Conectiva Linux Security Announcement: Package: nfs-utils (Jul 27, 2000, 20:28)
"There is a problem in the nfs-utils package that could lead to
a remote root exploit."

Conectiva Linux Security Announcement: Package: MAN (Jul 27, 2000, 20:23)
"The man package has a script called makewhatis that is run
weekly by the cron daemon as root. This script creates a directory
in /tmp and some files under it with predictable names, thus making
it possible for a local attacker to alter any file in the system
via symlink attacks."

Red Hat Security Advisory: gpm security flaws have been addressed (Jul 27, 2000, 20:17)
"gpm as shipped in Red Hat Linux 5.2 and 6.x contains a number
of security problems. Additionally, a denial of service attack via
/dev/gpmctl is possible."

LinuxWorld: Linux's lack of compliance with the Common Criteria may prohibit government acceptance (Jul 27, 2000, 19:40)
"The biggest threat to Linux becoming the software of choice in
government circles is that there is no third-party verification,
certification or evaluation of it."

LinuxSecurity.com: LinuxSecurity.com Releases the Linux Security Quick Reference Card (Jul 27, 2000, 01:19)
"This Quick Reference Card is intended to provide a starting
point for improving the security of your system. Contained within
include references to security resources around the net, tips on
securing your Linux box, and general security information. It is
intended to be printed on 8x11" US paper in Landscape."