---

Security Portal: Weekly Linux Security Roundup – 2000/03/06 to 2000/03/12

“Another messy week for Linux, but more vendor patches /
packages released so that’s good. Most of these problems boil down
to buffer overflows or race conditions, most of which are caused by
bad programming practices/technique. If you write software
please audit it with systems like ITS4, and test it with programs
like fuzz. If you have to run a system you should look into using
various protective measures like the Openwall kernel patch, and
Stackguard.”

“Of general concern is the ability to trick client machines
behind firewalls into establishing connections outside of the
firewall using the FTP command. Many firewalls that proxy
connections or otherwise try to protect systems (by scanning
packets for example) can be fooled into letting this through. You
must of course trick the client machine into trying to connect out,
but this is trivial in most cases (send an email with html embedded
for example). Exploit code at the bottom.”

“We lead off with general advisories, then vendor advisories
(distributions, then any major software ones), then mailing list
related traffic, any interesting tidbits and then the tip of the
week. Most things are in alphabetical order. If we’re missing a
Linux vendor’s advisory please tell us, ditto for any Linux related
security alerts. The long strings of hex in front of package names
are MD5 signatures.”

