[1411] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: evidence/timelines that show linux is "more secure"

daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Wed Jan 29 18:00:53 1997

Date: Wed, 29 Jan 1997 17:12:09 -0500
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: linux-security@redhat.com
CC: marc@redhat.com
In-Reply-To: Your message of Wed, January 29, 1997 15:22:57 -0500
Reply-To: juphoff@nrao.edu
Resent-From: linux-security@redhat.com

"ME" == Marc Ewing <marc@schroeder.redhat.com> writes:

ME> I'm looking for some evidence, backup up with dates and references,
ME> that shows that the Linux community responds to security problems
ME> more quickly than other OS vendors, and thus might be considered
ME> "more secure".  A number of fairly high profile corporations are
ME> starting to look for such information as they consider Linux as an
ME> alternative solution to other UNIXes.

ME> Does anyone have any pointers, or information I can use to assemble
ME> data like this?  I'll be happy to summarize any data I get and send
ME> it to the list.

Well, a good starting point would be ftp.cert.org:/pub/cert_advisories.

Looking there, for relatively recent entries ('96 & '97--I may continue
looking back through '94 and '95 if/when I have the time)--some of which
mention Linux and some of which don't--I've found:

96.01, UDP Port Denial-of-Service Attack
	N/A

96.02, BIND Version 4.9.3
	N/A; Linux not mentioned by CERT.

96.03, Vulnerability in Kerberos 4 Key Server
	N/A

96.04, Corrupt Information from Network Servers
	N/A; Linux not mentioned by CERT.

96.05, Java Implementations Can Allow Connections to an Arbitrary Host
	N/A

96.06, Vulnerability in NCSA/Apache CGI example code
	N/A

96.07, Weaknesses in Java Bytecode Verifier
	N/A

96.08, Vulnerabilities in PCNFSD
	N/A; Linux not mentioned by CERT.

96.09, Vulnerability in rpc.statd
	N/A

96.10, NIS+ Configuration Vulnerability
	N/A

96.11, Interpreters in CGI bin Directories
	N/A

96.12, Vulnerability in suidperl
	Sort of N/A; this is third-party for most vendors.  Linux is
	mentioned.

96.13, Vulnerability in the dip program
	N/A; Linux-specific vulnerability.

96.14, Vulnerability in rdist
	IBM Corporation
	===============
	   AIX is vulnerable to this problem. Fixes are in process but
	   are not yet available.

	Linux
	=====
	[Not vulnerable as distributed.]

	The Santa Cruz Operation
	========================
	    The following releases of SCO Software are known to contain
	    a version of rdist that is vulnerable:
	
	    SCO OpenServer 5.0.2, 5.0.0
	    SCO Internet FastStart 1.0
	
	    SCO Open Server Enterprise/Network System 2.0, 3.0
	    SCO Open Desktop 2.0, 3.0
	    SCO Open Desktop Lite 3.0
	
	    SCO UnixWare 2.0, 2.1
	
	    SCO TCP/IP 1.2.0, 1.2.1
	
	    Patches are being developed for the following releases:
	
	    SCO OpenServer 5.0.2, 5.0.0
	    SCO Internet FastStart 1.0
	    SCO UnixWare 2.1

96.15, Vulnerability in Solaris 2.5 KCMS programs
	N/A

96.16, Vulnerability in Solaris admintool
	N/A

96.17, Vulnerability in Solaris vold
	N/A

96.18, Vulnerability in fm_fls
	N/A

96.19, Vulnerability in expreserve
	N/A; Linux not mentioned by CERT.

96.20, Sendmail Vulnerabilities
	Digital Equipment Corporation
	=============================
	[About the resource starvation problem]
	  Source:
	      Software Security Response Team Copyright (c) Digital
	      Equipment Corporation 1996. All rights reserved.
	      08.SEP.1996
	
	   At the time of writing this document, patches (binary kits)
	   for Digital's UNIX related operating systems are being
	   developed.

	FreeBSD
	=======
	   All currently released FreeBSD distributions have this
	   vulnerability, as we distribute sendmail 8.7.x as part of our
	   operating system.  However, our -current and -stable source
	   distributions were updated on 18 Sep 1996 to sendmail 8.7.6.
	   Users tracking -current or -stable are advised to upgrade and
	   recompile sendmail at their earliest convinience.

	Hewlett-Packard Company
	=======================
	[About the both the resource starvation and the buffer overflow problem]
	
	   HP-UX is vulnerable, and patches are in progress.

	IBM Corporation
	================
	  The following APARs are being developed and will be available shortly.

	Linux
	=====
	[For the resource starvation problem:]
	
	   Debian Linux: not vulnerable (uses smail)
	
	   Red Hat and derivatives:
	     ftp://ftp.redhat.com/pub/redhat-3.0.3/i386/updates/RPMS/sendmail*

	The Santa Cruz Operation
	========================
	
	   Any SCO operating system running a version of sendmail
	   provided by SCO is vulnerable to this problem. SCO is
	   providing Support Level Supplement (SLS) oss443a for the
	   following releases to address this issue:
	   SCO Internet FastStart release 1.0.0
	   SCO OpenServer releases 5.0.0 and 5.0.2
	
	   This SLS provides a pre-release version of sendmail release
	   8.7.6 for these platforms. SCO hopes to have a final version
	   of sendmail 8.7.6 available to address both issues mentioned
	   in this advisory in the near future.

	Silicon Graphics, Inc.
	======================
	   We are analyzing the vulnerability, and will provide
	   additional information as it becomes available.
	
	
	Sun Microsystems, Inc.
	======================
	   Sun is working on a patch which will fix both problems, and
	   we expect to have it out by the end of the month. Also, we
	   will send out a Sun bulletin on this subject at about the
	   same time.

96.21, TCP SYN Flooding and IP Spoofing Attacks
	N/A; Linux not mentioned by CERT.

96.22, Vulnerabilities in bash
	Silicon Graphics, Inc.
	======================
	SGI has distributed bash (version 1.14.6) as part of the
	Freeware 1.0 CDROM.  This collection of software has been
	compiled for IRIX as a service to our customers, but is
	furnished without formal SGI support.
	
	The problem identified by IBM in bash is present in the version
	of bash on the Freeware 1.0 CDROM.  This CDROM included both the
	source code for bash an compiled versions of it.
	
	SGI urges customers to recompile bash after making the changes
	in parse.y suggested by IBM.
	
	As a service similar to that of the original Freeware 1.0 CDROM,
	SGI intends to make available a compiled version of bash and its
	source in the near future.  This action does not necessarily
	imply a commitment to any future support actions for the
	programs found on the Freeware 1.0 CDROM.

	Linux
	=====           
	Patches for the following Linux versions are available.

	[SuSE 4.2, Red Hat 3.0.3, Yggdrasil, WGS Linux Pro, Caldera all
	had patches out.]

96.23, Vulnerability in WorkMan
	Sort of N/A; this is third-party for most vendors.  Linux is
	mentioned in a general sense, as is Sun.

96.24, Sendmail Daemon Mode Vulnerability
	Digital Equipment Corporation
	=============================
	DIGITAL Engineering is aware of these reported problems and
	testing is currently underway to determine the impact against
	all currently supported releases of DIGITAL UNIX and ULTRIX.
	Patches will be developed (as necessary) and made available via
	your normal DIGITAL Support channel.

	FreeBSD
	=======
	All currently shipping releases of FreeBSD are affected,
	including the just released 2.1.6. An update for 2.1.6 will be
	available shortly. This problem has been corrected in the
	-current sources. In the mean time, FreeBSD users should follow
	the instructions in the CERT advisory. Sendmail will compile and
	operate "out of the box" on FreeBSD systems.

	Hewlett-Packard Company
	=======================
	Sendmail daemon problem:
	  Not Vulnerable  HP-UX 9.X, 10.00, 10.01, 10.10
	  Vulnerable      HP-UX 10.2  even with PHNE_8702     Patches in process

	IBM Corporation
	===============
	See the appropriate release below to determine your action.
	
	  AIX 3.2
	  -------
	    No fix required. AIX 3.2 sendmail is not vulnerable.
	
	  AIX 4.1
	  -------
	    No fix required. AIX 4.1 sendmail is not vulnerable.
	
	  AIX 4.2
	  -------
	    AIX 4.2 sendmail is vulnerable.
	    APAR IX63068 will be available shortly.

	Linux
	=====
	Linux has provided these URLs for S.u.S.E. Linux:
	
	   ftp://ftp.suse.de/suse_update/S.u.S.E.-4.3/sendmail
	   ftp://ftp.gwdg.de/pub/linux/suse/suse_update/S.u.S.E.-4.3/sendmail
	
	Checksums for the files in these directories:
	
	   6279df0597c972bff65623da5898d5dc  sendmail.tgz
	   0c0d20eecb1019ab4e629b103cac485c  sendmail-8.8.3.dif
	   0cb58caae93a19ac69ddd40660e01646  sendmail-8.8.3.tar.gz
	
	- -----
	Caldera OpenLinux has released a security advisory, available from
	    http://www.caldera.com/tech-ref/cnd-1.0/security/SA-96.06.html
	
	- -----
	Red Hat has patched sendmail 8.7.6. The fixes are available from
	
	Red Hat Linux/Intel:
	rpm -Uvh ftp://ftp.redhat.com/updates/4.0/i386/sendmail-8.7.6-5.i386.rpm
	
	Red Hat Linux/Alpha:
	rpm -Uvh ftp://ftp.redhat.com/updates/4.0/axp/sendmail-8.7.6-5.axp.rpm

	NeXT Software, Inc.
	===================
	NeXT is not vulnerable to the problem described in Section IV.A.
	NeXT is vulnerable to the problem described in Section IV.B, and
	it will be fixed in release 4.2 of OpenStep/Mach.

	The Santa Cruz Operation, Inc. (SCO)
	====================================
	SCO is investigating the problem and will have more information
	in the near future.

96.25, Sendmail Group Permissions Vulnerability
	Linux not mentioned by CERT.  "Lagging" vendors were:

	Digital Equipment Corporation
	=============================
	  This problem is currently under review by engineering to
	  determine if it impacts DIGITAL UNIX and DIGITAL ULTRIX
	  sendmail implementations.

	Hewlett-Packard Company
	=======================
	   Vulnerabilities
	   ---------------
	   1. Sendmail Group Permissions Vulnerability
	   2. Denial of Service Attack using the sendmail configuration variable
	       TryNullM\XList.
	
	   Vulnerable releases
	   --------------------
	   9.x
	   pre-10.2 10.x
	   10.2
	
	   The 9.x, pre-10.2 10.x sendmail is vulnerable with respect to
	   the "Sendmail Group Permissions Vulnerability".
	
	   The 10.2 sendmail is vulnerable with respect to both the
	   reported security holes.
	
	   Patches for these vulnerabilities are in progress.

	IBM Corporation
	===============
	  The version of sendmail that ships with AIX is vulnerable to
	  the conditions listed in this advisory. A fix is in progress
	  and the APAR numbers will be available soon.

	NEC Corporation
	===============
	  Checking out the vulnerability. Contacts for further
	  information by e-mail:UX48-security-support@nec.co.jp.
	
	
	The Santa Cruz Operation, Inc. (SCO)
	====================================
	  Any SCO operating system running a version of sendmail
	  provided by SCO is vulnerable to this problem. SCO will soon
	  be providing a Support Level Supplement, (SLS), to address
	  this issue for the following releases of SCO software:
	
	  SCO Internet FastStart release 1.0.0, 1.1.0
	  SCO OpenServer releases 5.0.0 and 5.0.2

	Sun Microsystems, Inc.
	======================
	  All Sun sendmails are susceptible to both vulnerabilities. We
	  will produce and announce patches for all supported versions
	  of SunOS.  We expect the patches to be available later this
	  month.

96.26, Denial-of-Service Attack via ping
	Digital Equipment Corporation
	=============================

	[...lots of yadda yadda deleted...]

	  SOLUTION:
	
	     Digital has reacted promptly to this reported problem and a
	     complete set of patch kits are being prepared for all
	     currently supported platforms.

	Linux Systems
	=============
	
	  We recommend that you upgrade your Linux 1.3.x and 2.0.x
	  kernels to Linux 2.0.27. This is available from all the main
	  archive sites such as
	
		ftp://ftp.cs.helsinki.fi/pub/Software/Linux
	
	  Users wishing to remain with an earlier kernel version may
	  download a patch from http://www.uk.linux.org/big-ping-patch.
	  This patch will work with 2.0.x kernel revisions but is
	  untested with 1.3.x kernel revisions.
	
	  Red Hat Linux has chosen to issue a 2.0.18 based release with
	  the fix. Red Hat users should obtain this from
	
	ftp://ftp.redhat.com/[...]

	Sun Microsystems, Inc.
	======================
	  We are looking into this problem.

96.27, Vulnerability in HP Software Installation Programs
	N/A

97.01, Multi-platform Unix FLEXlm Vulnerabilities
	N/A

97.02, HP-UX newgrp Buffer Overrun Vulnerability
	N/A

97.03, Vulnerability in IRIX csetup
	N/A

97.04, talkd Vulnerability
	IBM Corporation
	===============
	   The version of talkd shipped with AIX is vulnerable to the
	   conditions described in this advisory.  The APARs listed
	   below will be available shortly.

	Linux				  
	======				  
	   This bug was fixed in Linux NetKit 0.08 which is shipped with
	   all reasonably up to date Linux distributions.

	NEC Corporation   
	===============
		UX/4800             Vulnerable for all versions.
		EWS-UX/V(Rel4.2MP)  Vulnerable for all versions.
		EWS-UX/V(Rel4.2)    Vulnerable for all versions.
		UP-UX/V(Rel4.2MP)   Vulnerable for all versions.
	
	   Patches for these vulnerabilities are in progress.

	The Santa Cruz Operation, Inc. (SCO)
	====================================
	      SCO is investigating the problem with talkd and will
	   provide updated information for this advisory as it becomes
	   available. At this time SCO recommends disabling talkd on
	   your SCO system as described herein.

	Silicon Graphics Inc. (SGI)
	===========================
	   We are investigating.
	
	Solbourne (Grumman System Support)
	==================================
	   We have examined the Solbourne implementation and found that
	   it is vulnerable. Solbourne distributed the Sun application
	   under license. We will distribute a Solbourne patch based on
	   the Sun patch when it becomes available.

	Sun Microsystems, Inc.
	======================
	   The talkd buffer overflow vulnerability appears to affect at
	   least some supported versions of SunOS. Sun therefore expects
	   to release patches for all affected versions of SunOS within
	   the next few weeks.

97.05, MIME Conversion Buffer Overflow in Sendmail Versions 8.8.3 and 8.8.4
	Sort of N/A; this is third-party for most vendors.  Caldera is
	mentioned:

	Caldera OpenLinux
	=================
	   An upgrade for Caldera OpenLinux Base 1.0 can be found at:
	...

-- 
Jeff Uphoff - Scientific Programming Analyst  |  juphoff@nrao.edu
National Radio Astronomy Observatory          |  juphoff@bofh.org.uk
Charlottesville, VA, USA                      |  jeff.uphoff@linux.org
        PGP key available at: http://www.cv.nrao.edu/~juphoff/


home help back first fref pref prev next nref lref last post