Security Linux News for Jan 31, 2001
Wired: MS Exec: Linux Is Going Down (Jan 31, 2001, 16:55)
"These are three key Linux trends to watch for in 2001: a static
growth rate, lessening mainstream interest in the open source
operating system, and a sharp decline in Linux-based companies'
stock value, said Doug Miller, Microsoft's group product manager
for competitive strategies."
SuSE Security Announcement: bind8 (Jan 31, 2001, 06:55)
"bind-8.x in all versions of the SuSE distributions contain a
bug in the transaction signature handling code that can allow to
remotely overflow a buffer and thereby execute arbitrary code as
the user running the nameserver (this is user named by default on
TurboLinux Security Announcement: All packages prior to LPRng-3.6.26 (Jan 31, 2001, 06:47)
"The LPRng port, versions prior to 3.6.26, contains a potential
vulnerability which may allow root compromise from both local and
Conectiva Linux Security Announcement - kde2 (Jan 31, 2001, 06:40)
"There is a vulnerability in kdesu which allows for other users
on the machine to capture that password and thus potentially
compromise the root account."
SuSE Security Announcement: kdesu (Jan 31, 2001, 06:37)
"When enabling the 'keep password' option it tries to send the
password across process boundaries to kdesud via a UNIX socket.
During this it does not verify the identity of the listener on the
other end. This allows attackers to obtain the root password."
Slackware Security Advisory: multiple vulnerabilities in bind 8.x (Jan 31, 2001, 06:29)
"Multiple vulnerabilities exist in the versions of BIND found in
Slackware 7.1 and -current. Users of BIND 8.x are urged to upgrade
to 8.2.3 to fix these problems."
Conectiva Linux Security Announcement - bind (Jan 31, 2001, 06:26)
"COVERT labs and Claudio Musmarra have found several
vulnerabilities in the bind packages. Two of these vulnerabilities
affect the version shipped with Conectiva Linux (8.2.2P7 is the
most current shipped package)."
SuSE Security Announcement: bind8 (Nov 16, 2000, 20:41)
"BIND, the Berkeley Internet Name Daemon, versions before
8.2.2p7, has been found vulnerable to two denial of service
attacks: named may crash after a compressed zone transfer request
(ZXFR) and if an SRV record (defined in RFC2782) is sent to the
Conectiva Linux Security Announcement - bind (Nov 10, 2000, 23:01)
"The bind nameserver has a vulnerability regarding compressed
zone transfers that can be used in a DoS attack. This vulnerability
can only be exploited by authorized zone transfers."