Security Portal: Weekly Linux Security Digest 2000/08/14 to 2000/08/20 | Linux Today

Security Portal: Weekly Linux Security Digest 2000/08/14 to 2000/08/20

Written By
Web Webster
Web Webster
Aug 21, 2000

Another messy week. Xlock/Xlockmore (a common screen
saver) has a format bug in the processing of a command line option.
This affects Linux and BSD versions. Zope has a flaw that allows
users to gain additional roles while editing DHTML, and vendors are
still releasing updates for problems from last week (rpc, perl,
mailx, etc.). A very bad hole in the Lyris list manager’s Web
interface allows an attacker to trivially gain administrative
access to the list. You’d think people would learn not to pass
variables specifying the level of access back to users where they
can be modified.”

“Also, some vendors have made very basic mistakes. Trustix, for
example, ships their httpsd server world writeable. If you want to
replace it with one that logs credit card numbers, you can. Hint:
check the distribution for world writeable files and directories
before you ship it. Mandrake’s update tool stores files in /tmp
once it downloads them, meaning any user can potentially modify the
files before they are installed. You simply write a program to
watch tmp for specific filenames and then replace them with your
own version (downloading a source rpm and making it include a
setuid bash shell is trivial), and wait for the admin to upgrade.
Hint: do not use /tmp if at all possible.”

“SGI has issued a security advisory for the Linux kernel
capability bug that can be exploited via sendmail – only several
weeks late. Why is it that the larger the vendor, the slower the
security fixes? Xchat has a flaw that allows attackers to implant
commands in URLs which, if clicked on, can do bad things. The good
news is, there is a nice patch for DHCPD to run it as a non-root
user and chrooted. Also, an experimental set of patches for GCC to
help prevent buffer overflows, from some IBM researchers.”

Complete
Story

Web Webster

Web Webster

Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.

Linux Today Logo

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.