[1411] in linux-security and linux-alert archive
[linux-security] Re: evidence/timelines that show linux is "more secure"
daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Wed Jan 29 18:00:53 1997
Date: Wed, 29 Jan 1997 17:12:09 -0500
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: linux-security@redhat.com
CC: marc@redhat.com
In-Reply-To: Your message of Wed, January 29, 1997 15:22:57 -0500
Reply-To: juphoff@nrao.edu
Resent-From: linux-security@redhat.com
"ME" == Marc Ewing <marc@schroeder.redhat.com> writes:
ME> I'm looking for some evidence, backup up with dates and references,
ME> that shows that the Linux community responds to security problems
ME> more quickly than other OS vendors, and thus might be considered
ME> "more secure". A number of fairly high profile corporations are
ME> starting to look for such information as they consider Linux as an
ME> alternative solution to other UNIXes.
ME> Does anyone have any pointers, or information I can use to assemble
ME> data like this? I'll be happy to summarize any data I get and send
ME> it to the list.
Well, a good starting point would be ftp.cert.org:/pub/cert_advisories.
Looking there, for relatively recent entries ('96 & '97--I may continue
looking back through '94 and '95 if/when I have the time)--some of which
mention Linux and some of which don't--I've found:
96.01, UDP Port Denial-of-Service Attack
N/A
96.02, BIND Version 4.9.3
N/A; Linux not mentioned by CERT.
96.03, Vulnerability in Kerberos 4 Key Server
N/A
96.04, Corrupt Information from Network Servers
N/A; Linux not mentioned by CERT.
96.05, Java Implementations Can Allow Connections to an Arbitrary Host
N/A
96.06, Vulnerability in NCSA/Apache CGI example code
N/A
96.07, Weaknesses in Java Bytecode Verifier
N/A
96.08, Vulnerabilities in PCNFSD
N/A; Linux not mentioned by CERT.
96.09, Vulnerability in rpc.statd
N/A
96.10, NIS+ Configuration Vulnerability
N/A
96.11, Interpreters in CGI bin Directories
N/A
96.12, Vulnerability in suidperl
Sort of N/A; this is third-party for most vendors. Linux is
mentioned.
96.13, Vulnerability in the dip program
N/A; Linux-specific vulnerability.
96.14, Vulnerability in rdist
IBM Corporation
===============
AIX is vulnerable to this problem. Fixes are in process but
are not yet available.
Linux
=====
[Not vulnerable as distributed.]
The Santa Cruz Operation
========================
The following releases of SCO Software are known to contain
a version of rdist that is vulnerable:
SCO OpenServer 5.0.2, 5.0.0
SCO Internet FastStart 1.0
SCO Open Server Enterprise/Network System 2.0, 3.0
SCO Open Desktop 2.0, 3.0
SCO Open Desktop Lite 3.0
SCO UnixWare 2.0, 2.1
SCO TCP/IP 1.2.0, 1.2.1
Patches are being developed for the following releases:
SCO OpenServer 5.0.2, 5.0.0
SCO Internet FastStart 1.0
SCO UnixWare 2.1
96.15, Vulnerability in Solaris 2.5 KCMS programs
N/A
96.16, Vulnerability in Solaris admintool
N/A
96.17, Vulnerability in Solaris vold
N/A
96.18, Vulnerability in fm_fls
N/A
96.19, Vulnerability in expreserve
N/A; Linux not mentioned by CERT.
96.20, Sendmail Vulnerabilities
Digital Equipment Corporation
=============================
[About the resource starvation problem]
Source:
Software Security Response Team Copyright (c) Digital
Equipment Corporation 1996. All rights reserved.
08.SEP.1996
At the time of writing this document, patches (binary kits)
for Digital's UNIX related operating systems are being
developed.
FreeBSD
=======
All currently released FreeBSD distributions have this
vulnerability, as we distribute sendmail 8.7.x as part of our
operating system. However, our -current and -stable source
distributions were updated on 18 Sep 1996 to sendmail 8.7.6.
Users tracking -current or -stable are advised to upgrade and
recompile sendmail at their earliest convinience.
Hewlett-Packard Company
=======================
[About the both the resource starvation and the buffer overflow problem]
HP-UX is vulnerable, and patches are in progress.
IBM Corporation
================
The following APARs are being developed and will be available shortly.
Linux
=====
[For the resource starvation problem:]
Debian Linux: not vulnerable (uses smail)
Red Hat and derivatives:
ftp://ftp.redhat.com/pub/redhat-3.0.3/i386/updates/RPMS/sendmail*
The Santa Cruz Operation
========================
Any SCO operating system running a version of sendmail
provided by SCO is vulnerable to this problem. SCO is
providing Support Level Supplement (SLS) oss443a for the
following releases to address this issue:
SCO Internet FastStart release 1.0.0
SCO OpenServer releases 5.0.0 and 5.0.2
This SLS provides a pre-release version of sendmail release
8.7.6 for these platforms. SCO hopes to have a final version
of sendmail 8.7.6 available to address both issues mentioned
in this advisory in the near future.
Silicon Graphics, Inc.
======================
We are analyzing the vulnerability, and will provide
additional information as it becomes available.
Sun Microsystems, Inc.
======================
Sun is working on a patch which will fix both problems, and
we expect to have it out by the end of the month. Also, we
will send out a Sun bulletin on this subject at about the
same time.
96.21, TCP SYN Flooding and IP Spoofing Attacks
N/A; Linux not mentioned by CERT.
96.22, Vulnerabilities in bash
Silicon Graphics, Inc.
======================
SGI has distributed bash (version 1.14.6) as part of the
Freeware 1.0 CDROM. This collection of software has been
compiled for IRIX as a service to our customers, but is
furnished without formal SGI support.
The problem identified by IBM in bash is present in the version
of bash on the Freeware 1.0 CDROM. This CDROM included both the
source code for bash an compiled versions of it.
SGI urges customers to recompile bash after making the changes
in parse.y suggested by IBM.
As a service similar to that of the original Freeware 1.0 CDROM,
SGI intends to make available a compiled version of bash and its
source in the near future. This action does not necessarily
imply a commitment to any future support actions for the
programs found on the Freeware 1.0 CDROM.
Linux
=====
Patches for the following Linux versions are available.
[SuSE 4.2, Red Hat 3.0.3, Yggdrasil, WGS Linux Pro, Caldera all
had patches out.]
96.23, Vulnerability in WorkMan
Sort of N/A; this is third-party for most vendors. Linux is
mentioned in a general sense, as is Sun.
96.24, Sendmail Daemon Mode Vulnerability
Digital Equipment Corporation
=============================
DIGITAL Engineering is aware of these reported problems and
testing is currently underway to determine the impact against
all currently supported releases of DIGITAL UNIX and ULTRIX.
Patches will be developed (as necessary) and made available via
your normal DIGITAL Support channel.
FreeBSD
=======
All currently shipping releases of FreeBSD are affected,
including the just released 2.1.6. An update for 2.1.6 will be
available shortly. This problem has been corrected in the
-current sources. In the mean time, FreeBSD users should follow
the instructions in the CERT advisory. Sendmail will compile and
operate "out of the box" on FreeBSD systems.
Hewlett-Packard Company
=======================
Sendmail daemon problem:
Not Vulnerable HP-UX 9.X, 10.00, 10.01, 10.10
Vulnerable HP-UX 10.2 even with PHNE_8702 Patches in process
IBM Corporation
===============
See the appropriate release below to determine your action.
AIX 3.2
-------
No fix required. AIX 3.2 sendmail is not vulnerable.
AIX 4.1
-------
No fix required. AIX 4.1 sendmail is not vulnerable.
AIX 4.2
-------
AIX 4.2 sendmail is vulnerable.
APAR IX63068 will be available shortly.
Linux
=====
Linux has provided these URLs for S.u.S.E. Linux:
ftp://ftp.suse.de/suse_update/S.u.S.E.-4.3/sendmail
ftp://ftp.gwdg.de/pub/linux/suse/suse_update/S.u.S.E.-4.3/sendmail
Checksums for the files in these directories:
6279df0597c972bff65623da5898d5dc sendmail.tgz
0c0d20eecb1019ab4e629b103cac485c sendmail-8.8.3.dif
0cb58caae93a19ac69ddd40660e01646 sendmail-8.8.3.tar.gz
- -----
Caldera OpenLinux has released a security advisory, available from
http://www.caldera.com/tech-ref/cnd-1.0/security/SA-96.06.html
- -----
Red Hat has patched sendmail 8.7.6. The fixes are available from
Red Hat Linux/Intel:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/i386/sendmail-8.7.6-5.i386.rpm
Red Hat Linux/Alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/axp/sendmail-8.7.6-5.axp.rpm
NeXT Software, Inc.
===================
NeXT is not vulnerable to the problem described in Section IV.A.
NeXT is vulnerable to the problem described in Section IV.B, and
it will be fixed in release 4.2 of OpenStep/Mach.
The Santa Cruz Operation, Inc. (SCO)
====================================
SCO is investigating the problem and will have more information
in the near future.
96.25, Sendmail Group Permissions Vulnerability
Linux not mentioned by CERT. "Lagging" vendors were:
Digital Equipment Corporation
=============================
This problem is currently under review by engineering to
determine if it impacts DIGITAL UNIX and DIGITAL ULTRIX
sendmail implementations.
Hewlett-Packard Company
=======================
Vulnerabilities
---------------
1. Sendmail Group Permissions Vulnerability
2. Denial of Service Attack using the sendmail configuration variable
TryNullM\XList.
Vulnerable releases
--------------------
9.x
pre-10.2 10.x
10.2
The 9.x, pre-10.2 10.x sendmail is vulnerable with respect to
the "Sendmail Group Permissions Vulnerability".
The 10.2 sendmail is vulnerable with respect to both the
reported security holes.
Patches for these vulnerabilities are in progress.
IBM Corporation
===============
The version of sendmail that ships with AIX is vulnerable to
the conditions listed in this advisory. A fix is in progress
and the APAR numbers will be available soon.
NEC Corporation
===============
Checking out the vulnerability. Contacts for further
information by e-mail:UX48-security-support@nec.co.jp.
The Santa Cruz Operation, Inc. (SCO)
====================================
Any SCO operating system running a version of sendmail
provided by SCO is vulnerable to this problem. SCO will soon
be providing a Support Level Supplement, (SLS), to address
this issue for the following releases of SCO software:
SCO Internet FastStart release 1.0.0, 1.1.0
SCO OpenServer releases 5.0.0 and 5.0.2
Sun Microsystems, Inc.
======================
All Sun sendmails are susceptible to both vulnerabilities. We
will produce and announce patches for all supported versions
of SunOS. We expect the patches to be available later this
month.
96.26, Denial-of-Service Attack via ping
Digital Equipment Corporation
=============================
[...lots of yadda yadda deleted...]
SOLUTION:
Digital has reacted promptly to this reported problem and a
complete set of patch kits are being prepared for all
currently supported platforms.
Linux Systems
=============
We recommend that you upgrade your Linux 1.3.x and 2.0.x
kernels to Linux 2.0.27. This is available from all the main
archive sites such as
ftp://ftp.cs.helsinki.fi/pub/Software/Linux
Users wishing to remain with an earlier kernel version may
download a patch from http://www.uk.linux.org/big-ping-patch.
This patch will work with 2.0.x kernel revisions but is
untested with 1.3.x kernel revisions.
Red Hat Linux has chosen to issue a 2.0.18 based release with
the fix. Red Hat users should obtain this from
ftp://ftp.redhat.com/[...]
Sun Microsystems, Inc.
======================
We are looking into this problem.
96.27, Vulnerability in HP Software Installation Programs
N/A
97.01, Multi-platform Unix FLEXlm Vulnerabilities
N/A
97.02, HP-UX newgrp Buffer Overrun Vulnerability
N/A
97.03, Vulnerability in IRIX csetup
N/A
97.04, talkd Vulnerability
IBM Corporation
===============
The version of talkd shipped with AIX is vulnerable to the
conditions described in this advisory. The APARs listed
below will be available shortly.
Linux
======
This bug was fixed in Linux NetKit 0.08 which is shipped with
all reasonably up to date Linux distributions.
NEC Corporation
===============
UX/4800 Vulnerable for all versions.
EWS-UX/V(Rel4.2MP) Vulnerable for all versions.
EWS-UX/V(Rel4.2) Vulnerable for all versions.
UP-UX/V(Rel4.2MP) Vulnerable for all versions.
Patches for these vulnerabilities are in progress.
The Santa Cruz Operation, Inc. (SCO)
====================================
SCO is investigating the problem with talkd and will
provide updated information for this advisory as it becomes
available. At this time SCO recommends disabling talkd on
your SCO system as described herein.
Silicon Graphics Inc. (SGI)
===========================
We are investigating.
Solbourne (Grumman System Support)
==================================
We have examined the Solbourne implementation and found that
it is vulnerable. Solbourne distributed the Sun application
under license. We will distribute a Solbourne patch based on
the Sun patch when it becomes available.
Sun Microsystems, Inc.
======================
The talkd buffer overflow vulnerability appears to affect at
least some supported versions of SunOS. Sun therefore expects
to release patches for all affected versions of SunOS within
the next few weeks.
97.05, MIME Conversion Buffer Overflow in Sendmail Versions 8.8.3 and 8.8.4
Sort of N/A; this is third-party for most vendors. Caldera is
mentioned:
Caldera OpenLinux
=================
An upgrade for Caldera OpenLinux Base 1.0 can be found at:
...
--
Jeff Uphoff - Scientific Programming Analyst | juphoff@nrao.edu
National Radio Astronomy Observatory | juphoff@bofh.org.uk
Charlottesville, VA, USA | jeff.uphoff@linux.org
PGP key available at: http://www.cv.nrao.edu/~juphoff/