---

Security Portal: Weekly Linux Security Digest 2000/07/10 to 2000/07/16

“The WuFTPD saga continues (ProFTPD 1.2.0pre10 also has holes —
upgrade to the new 1.2.0rc1), with updates from most vendors.
The other big nasty hole this week is in ISC’s DHCP client.
Whoops, we left a trivial to exploit root hack, silly us (hey,
mistakes happen). If you are using ISC’s DHCP client, then any
attacker managing to compromise the DHCP server, or place one on
your network (using a compromised host) can then very quickly seize
control of many machines.
It’s not 100% clear that the patches
issued by ISC solve the problem, and ISC has not released any
further updates. To quote their Website:”

“Fix two network input buffer overflow problems which could
allow an attacker to pervert the stack.”

“You have to love how they make the sentiment of “an attacker
can remotely get root access to your box with relative ease” sound
so harmless.”

“This week a lot of bad things happened, and a lot of good
things did not happen. Netscape has been found to track what you
are doing when you use the Smart Download feature, and sending the
data back as well as storing it locally (with a good chance that a
remote web page will suck the info down). Moral of the story: don’t
trust anyone (including me!). The Register ran a story here (and
they’re usually pretty accurate). OK, now I’m going to get mean, so
if you are easily offended, skip down to the next section.”
