Security Portal: Weekly Linux Security Digest 2000/07/10 to 2000/07/16
Jul 17, 2000, 03:37
(Other stories by Kurt Seifried)
"The WuFTPD saga continues (ProFTPD 1.2.0pre10 also has holes -- upgrade to the new 1.2.0rc1), with updates from most vendors. The other big nasty hole this week is in ISC's DHCP client. Whoops, we left a trivial-to-exploit root hack, silly us (hey, mistakes happen). If you are using ISC's DHCP client, then any attacker managing to compromise the DHCP server, or place one on your network (using a compromised host), can then very quickly seize control of many machines. It's not 100% clear that the patches issued by ISC solve the problem, and ISC has not released any further updates. To quote their website:"
"Fix two network input buffer overflow problems which could allow an attacker to pervert the stack."
"You have to love how they make the sentiment of 'an attacker can remotely get root access to your box with relative ease' sound so harmless."
"This week a lot of bad things happened, and a lot of good things did not happen. Netscape has been found to track what you are doing when you use the Smart Download feature, and to send the data back as well as store it locally (with a good chance that a remote web page will suck the info down). Moral of the story: don't trust anyone (including me!). The Register ran a story here (and they're usually pretty accurate). OK, now I'm going to get mean, so if you are easily offended, skip down to the next section."
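The ISC DHCP client hole above is described only as a "network input buffer overflow". The C below is an added illustration of that bug class, not ISC dhclient code and not a reproduction of the actual 2000 bug: the simulated memory layout, the 32-byte hostname buffer, the option walk and all function names are assumptions. It shows a DHCP option parser that checks the option against the packet length but trusts the server-supplied length byte when copying into a fixed buffer, next to a hardened version that also checks the destination. The adjacent 4-byte field stands in for whatever a real overflow would clobber (saved return address, function pointer, flags), which is how a rogue DHCP server turns a length byte into control of the client.

```c
/* Added illustration of a network-input buffer overflow in a DHCP client.
 * Constructed for this page: NOT ISC dhclient code, does not reproduce the
 * real bug. Layout, buffer size and option handling are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 32                 /* assumed fixed-size hostname buffer */
#define FIELD_OFF    HOSTNAME_MAX       /* unrelated 4-byte field right after it */
#define MEM_SIZE     (HOSTNAME_MAX + 4)
#define OPT_PAD       0                 /* RFC 2132 option codes */
#define OPT_HOST_NAME 12
#define OPT_END       255

/* Simulated client memory: mem[0..31] hostname, mem[32..35] adjacent field.
 * One array keeps the demonstration free of undefined behaviour. */
typedef struct { uint8_t mem[MEM_SIZE]; } client_state_t;

static const uint8_t SENTINEL[4] = { 0xAA, 0xBB, 0xCC, 0xDD };

static void state_init(client_state_t *s) {
    memset(s->mem, 0, sizeof s->mem);
    memcpy(s->mem + FIELD_OFF, SENTINEL, sizeof SENTINEL);
}

/* 1 if the adjacent field still holds its sentinel, 0 if it was clobbered. */
static int adjacent_field_intact(const client_state_t *s) {
    return memcmp(s->mem + FIELD_OFF, SENTINEL, sizeof SENTINEL) == 0;
}

typedef int (*parser_fn)(client_state_t *, const uint8_t *, size_t);

/* VULNERABLE: each option is checked against the packet length, but the
 * server-supplied length is trusted when copying into the fixed buffer. */
static int parse_options_vulnerable(client_state_t *s, const uint8_t *opts, size_t n) {
    size_t i = 0;
    while (i < n) {
        uint8_t code = opts[i];
        if (code == OPT_END) return 0;
        if (code == OPT_PAD) { i++; continue; }
        if (i + 1 >= n) return -1;
        size_t len = opts[i + 1];
        if (i + 2 + len > n) return -1;            /* wire bound is checked... */
        if (code == OPT_HOST_NAME)
            memcpy(s->mem, opts + i + 2, len);     /* ...destination bound is not: BUG */
        i += 2 + len;
    }
    return -1;
}

/* HARDENED: same walk, plus a destination-size check that leaves room for a
 * terminating NUL, and rejection of packets that end without an END option. */
static int parse_options_hardened(client_state_t *s, const uint8_t *opts, size_t n) {
    size_t i = 0;
    while (i < n) {
        uint8_t code = opts[i];
        if (code == OPT_END) return 0;
        if (code == OPT_PAD) { i++; continue; }
        if (i + 1 >= n) return -1;
        size_t len = opts[i + 1];
        if (i + 2 + len > n) return -1;                  /* option runs past the packet */
        if (code == OPT_HOST_NAME) {
            if (len == 0 || len >= HOSTNAME_MAX) return -1; /* would not fit with NUL */
            memcpy(s->mem, opts + i + 2, len);
            s->mem[len] = '\0';
        }
        i += 2 + len;
    }
    return -1;                                           /* truncated: no END option */
}

/* Constructed sample packets. The hostile one declares a 36-byte Host Name:
 * 32 bytes fill the buffer and 4 more land on the adjacent field. */
static const uint8_t BENIGN_OPTS[] = { OPT_HOST_NAME, 7, 'c','l','i','e','n','t','7', OPT_END };

static size_t build_hostile_opts(uint8_t *out, size_t cap) {
    const size_t len = HOSTNAME_MAX + 4;
    if (cap < 2 + len + 1) return 0;
    out[0] = OPT_HOST_NAME;
    out[1] = (uint8_t)len;
    memset(out + 2, 'A', len);          /* payload overwrites the sentinel with 'A's */
    out[2 + len] = OPT_END;
    return 2 + len + 1;
}

/* Feeds the hostile packet to a parser; returns 1 if the adjacent field survived. */
static int survives_hostile(parser_fn parse, int *rc_out) {
    client_state_t s; uint8_t pkt[64];
    size_t n = build_hostile_opts(pkt, sizeof pkt);
    state_init(&s);
    int rc = parse(&s, pkt, n);
    if (rc_out) *rc_out = rc;
    return adjacent_field_intact(&s);
}

int vulnerable_survives_hostile(void) { return survives_hostile(parse_options_vulnerable, NULL); }

int hardened_rejects_hostile(void) {
    int rc; int intact = survives_hostile(parse_options_hardened, &rc);
    return rc == -1 && intact;
}

/* Hardened parser on the benign packet: accepted, hostname "client7", field intact. */
int hardened_accepts_benign(void) {
    client_state_t s; state_init(&s);
    int rc = parse_options_hardened(&s, BENIGN_OPTS, sizeof BENIGN_OPTS);
    return rc == 0 && strcmp((const char *)s.mem, "client7") == 0 && adjacent_field_intact(&s);
}

int main(void) {
    printf("vulnerable parser, hostile packet: adjacent field intact = %d\n", vulnerable_survives_hostile());
    printf("hardened parser,   hostile packet: rejected and intact = %d\n", hardened_rejects_hostile());
    printf("hardened parser,   benign packet:  accepted = %d\n", hardened_accepts_benign());
    return 0;
}
```

The point to take from the pair is that the vulnerable parser is not careless about the packet; it validates that every option lies inside the received bytes. What it never asks is whether the option fits where it is about to be stored, and on a network protocol where the peer chooses that length byte, that single missing comparison is the whole hole.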