Security Portal: Weekly Linux Security Digest 2000/12/11 to 2000/12/17
Dec 18, 2000, 07:58
(Other stories by Kurt Seifried)
"Vendors are mostly playing catch-up. A few problems have been fixed up by various vendors, although this seems to be slowing down - perhaps the holidays are to blame? Several nasty problems found in Pine (again) and Kerberos (again). In both cases they are pretty elemental programming mistakes: creating /tmp files unsafely and honoring system environment variables - which usually means trusting user-supplied data, never a smart thing to do."
"It's a bit scary when you rely on programs like Kerberos to secure parts of your network infrastructure, and they contain serious exploitable flaws. I've also seen a resurgence in the number of lame bugs, like creating files world-writable and improper /tmp files (I don't think we can mention this one enough). Will people ever learn?"
"We lead off with general advisories and exploit code, then move to vendor advisories. Most items appear in alphabetical order. If we're missing a Linux vendor's advisory, please tell us - ditto for any Linux-related security alerts. The long strings of hex in front of package names are MD5 signatures."
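The digest's two recurring complaints, temporary files created unsafely in /tmp and programs honoring environment variables that an untrusted user controls, are easiest to see side by side. The C below is an added example written for this page; it is not code from the digest, from Pine or from Kerberos, and the function and file names (`create_tmp_unsafe`, `create_tmp_safe`, `tmpfile_is_private`, the `app.` prefix) are illustrative. It shows the flawed pattern (predictable name, `O_CREAT` without `O_EXCL`, mode 0666, directory taken from `TMPDIR`) next to the corrected one (`mkstemp` with a caller-fixed directory), plus a small `fstat`-based check a reviewer can use to confirm the resulting file is private.

```c
/* Added example (not code from the digest, Pine or Kerberos): the unsafe
 * /tmp pattern beside the safe one. Names are illustrative. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: the name is predictable (derived from the PID), the file
 * is created with O_CREAT but no O_EXCL, the mode is 0666, and the directory
 * comes from TMPDIR, i.e. from user-supplied data. If something already
 * exists at that path, open() silently follows it. Returns fd or -1. */
int create_tmp_unsafe(char *path, size_t pathlen) {
    const char *dir = getenv("TMPDIR");          /* trusting an env var */
    if (dir == NULL) dir = "/tmp";
    snprintf(path, pathlen, "%s/app.%d", dir, (int)getpid());
    return open(path, O_WRONLY | O_CREAT, 0666); /* no O_EXCL, wide mode */
}

/* Safe pattern: the directory is fixed by the caller, the name is chosen by
 * the C library from the XXXXXX template, and mkstemp() creates the file
 * atomically with O_CREAT|O_EXCL and mode 0600. Returns fd or -1. */
int create_tmp_safe(const char *dir, char *path, size_t pathlen) {
    if (snprintf(path, pathlen, "%s/app.XXXXXX", dir) >= (int)pathlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    mode_t old = umask(077);  /* defensive; mkstemp already uses 0600 */
    int fd = mkstemp(path);   /* fills in the XXXXXX part */
    umask(old);
    return fd;
}

/* Review check: the fd must be a regular file, with no group/other
 * permission bits and a single hard link. Returns 1 if so, else 0. */
int tmpfile_is_private(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 077) == 0 && st.st_nlink == 1;
}

/* Create a temp file the safe way under dir, run the check, clean up.
 * Returns the check result (1 expected). */
int demo_safe_tmpfile(const char *dir) {
    char path[4096];
    int fd = create_tmp_safe(dir, path, sizeof path);
    if (fd < 0) return 0;
    int ok = tmpfile_is_private(fd);
    close(fd);
    unlink(path);
    return ok;
}

/* Create a temp file the unsafe way with a conventional umask of 022,
 * run the check, clean up. Returns the check result (0 expected, because
 * the file ends up mode 0644 and is readable by every local user). */
int demo_unsafe_tmpfile(void) {
    char path[4096];
    mode_t old = umask(022);
    int fd = create_tmp_unsafe(path, sizeof path);
    umask(old);
    if (fd < 0) return 0;
    int ok = tmpfile_is_private(fd);
    close(fd);
    unlink(path);
    return ok;
}

int main(void) {
    printf("safe pattern private: %d\n", demo_safe_tmpfile("/tmp"));
    printf("unsafe pattern private: %d\n", demo_unsafe_tmpfile());
    return 0;
}
```

The mode check is the quick audit a maintainer can run on any temp file a program creates; the deeper problem with the unsafe variant, that `open()` without `O_EXCL` will follow whatever already sits at a predictable path, is only fixed by the atomic create-exclusive that `mkstemp()` performs.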