“A lot of new problems found — people are still creating
files in /tmp insecurely, and trusting user-supplied data more then
they should. One vendor, Cobalt, lags behind the rest. Cobalt
makes these nifty little servers in 1U form factors or a small blue
cube – all the software you need is bundled in, etc. Unfortunately,
they are very slow on updates. If you haven’t already, go to
ftp://ftp.cobaltnet.com/pub/products/, find the appropriate
directory for your product, and download and install the updates.
This week’s award is the “We’d update our software, but we just
don’t really care,” and goes to Cobalt. (The existing problems are
one remote root exploit that has been known of for months, and the
Linux kernel bug, also a month old now – also, a very old version
of ProFTPD with known problems). I find Cobalt especially guilty
since their products are aimed at people with minimal
administrative knowledge, so unless you tell them explicitly that
there is a problem and how to fix it, they won’t do so (and
obviously, if you don’t tell them, chances are miniscule that they
will find and fix it on their own).”
“We lead off with general advisories and exploit code, and then
move to vendor ad. Most items appear in alphabetical order. If
we’re missing a Linux vendor’s advisory, please tell us – ditto for
any Linux-related security alerts. The long strings of hex in front
of package names are MD5 signatures. Exploits are housed in
/research/exploits/linux/.”