Security Portal: Weekly Linux Security Digest 2000/10/30 to 2000/11/05
Nov 06, 2000, 08:36
(Other stories by Kurt Seifried)
"Some ugly problems were found this week in SWAT. Remote attackers can execute a denial of service, or try to brute-force usernames and passwords. However, if you log these attempts, local users on the server can potentially gain root access, or simply look at the log file for the usernames and passwords of users that log in successfully to manage Samba via SWAT. This is why firewalling management services (especially Web-based ones) are so critical. You should also use a program like stunnel to SSL-wrap the connection so that usernames and passwords cannot be sniffed."
"Napster for Linux is apparently full of problems. Other Napster programs for Linux are poor, as Knapster has also been found to have problems. Use them at your own risk. Finally we have Ultraseek, a popular search engine (we use it here at SecurityPortal) - the good news is that it is only a denial of service attack. Tripwire 2.3 is officially out for Linux now, under the GPL license. (If you want to do a lot of machines, though, you'd best buy their commercial management software - or go insane trying to manage it manually.)"
"We lead off with general advisories and exploit code, then move to vendor advisories. Most items appear in alphabetical order. If we're missing a Linux vendor's advisory, please tell us - ditto for any Linux-related security alerts. The long strings of hex in front of package names are MD5 signatures."