Security Portal: Weekly Linux Security Roundup – 2000/05/22 to 2000/05/28

“Busy week, with many issues. Time to go upgrading again.
Some more exploits for Kerberos released, it’s high time to upgrade
if you haven’t already. Also a nasty bug on X, and in Netscape

(universal applications at the desktop level as far as I know, time
to update and plug those holes too). Note: having multiple layers
of security will either stop or slow down the exploitation of many
of these problems. Firewalling at the desktop machine incurs very
little penalty for performance, and increases a system’s
survivability in the event of an attack. I’m playing around with
the format of the bulletin a bit, comments are welcome
(seifried@securityportal.com). Warning, this advisory is rather on
the huge side.”

Yes kerberos has holes, vendors have been releasing updates but if
you are in a hurry you can do it yourself… The patches previously
posted for fixing the krb4 buffer overruns had some whitespace
issues resulting from untabifying. … These fixed patches have
tabs repaired and also have pathnames in the diff headers fixed to
include directory names so that they may be applied from the top of
a source tree.”

Netscape version prior to 4.73 have a nasty bug in certificate
handling, upgrade immediately. Version 4.73 also has a bad exploit,
similar to but unrelated to previous problems. Basically it gives
attackers the ability to spoof legitimate sites using fake SSL
certificates easily, so unless you are watching out you can easily
be fooled into giving up information to a site that is not the one
you think it is.”

“X Nasty little denial of service attack in X, send a malformed
packet to it (port 6000) and it freezes up for a while (does 4
billion iterations of a loop before unsticking). As always you
should firewall X…”


Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis