Issues on Linux and Security
Home

Welcome to LinuxSecure

I found some scripts on my workstation that have not been published and may be interesting for some people. Actually, I will not prepare them for publishing, but you can contact me, if you are interested in one or more of them.

  • A tool for the backup of network components. The script runs as a daemon and can be configured via config files. It reads in the config files containing the passwords of the components once, so you can store them in a crypt storage. There exist several templates for ssh, scp, telnet. The intention is to make automated backups from routers, switches, firewalls etc.
  • Postfixanalyser was written for the trendmicro mail virusscanner. You can search for mails and you will get a status for the found mails: when did the system receive it, when was it working with the mail the last time, what's the status of the mail, were there any problems while delivering the mail. The second feature was a simple statistic: bytes and number of mails received and sent, mails by status (received from extern, queued, sent to trend, received from trend, queued, delivered) and mails by problem (deferred and not sent to scanner (scanner rejected), deferred and not sent to scanner (scanner down), sent to trend, but deferred before, deferred and not sent to extern (mta rejected), deferred and not sent to extern (mta down), sent to extern, but deferred before).
  • A logscanner and a scanner for the checkpoint objects file.
  • A tool, that parses the registry of the genugate firewall and produces a more human readable output in html.
  • A ftp-script for the honeynet.
  • Various backupscripts in Perl and Bash.
  • Various iptables scripts.
  • A script called minilinux to create a small linux out of a huge running system.
  • Pigsparty was a small project that was never finished. The idea was to convert snort rule sets into iptables rule sets.
  • A snort admin interface in php.
  • A perlmodule and some programs (e.g. mfl) for the preparation and analysis of longitudinal data with a focus of same domains.


What's New
[2005-02-18] mp3riot version 1.3 released
[2004-10-08] mp3riot version 1.2 is out.
[2004-04-30] Added section Bridging
[2004-01-09] working progress on mp3riot version 1.2
Evan Prodromou, creator of identi.ca and, has put a call out for interested parties to adopt the administration of public microblogging servers, which he is currently funding out of his own pocket. "Almost all of them are on $5/month Digital Ocean droplets, which makes them relatively cheap for a single person to support. If you decide you want to adopt a server, E14N will sell you the domain and all the software and data for $1. But you'll be obligated to keep the server running for at least a year, and if you decide you don't want to run it, you have to sell it back to me." There are currently around 25 servers in the federated network initially started by Prodromou, which does not count other instances. He notes that one important exception is the site, which is significantly larger than the rest, and which he would like to find a trusted non-profit organization to maintain.
Prodromou: Adopt a server

The 4.7.5 and 4.4.22 stable kernel updates are available. These are relatively large updates containing the usual important fixes.
Stable kernel updates 4.7.5 and 4.4.22

At his blog, Kyle E. Mitchell ("who is not your attorney") takes a close, line-by-line reading of the popular MIT software license. The details he points out begin on line one with the license's title: "'The MIT License' is not a single license, but a family of license forms derived from language prepared for releases from the Massachusetts Institute of Technology. It has seen a lot of changes over the years, both for the original projects that used it, and also as a model for other projects. The Fedora Project maintains a kind of cabinet of MIT license curiosities, with insipid variations preserved in plain text like anatomical specimens in formaldehyde, tracing a wayward kind of evolution." Despite the license being only 171 words, Mitchell finds quite a bit to expand on, such as the ambiguities of the phrase "to deal in the Software without restriction": "As a result of this mishmash of legal, industry, general-intellectual-property, and general-use terms, it isn't clear whether The MIT License includes a patent license. The general language 'deal in' and some of the example verbs, especially 'use', point toward a patent license, albeit a very unclear one. The fact that the license comes from the copyright holder, who may or may not have patent rights in inventions in the software, as well as most of the example verbs and the definition of 'the Software' itself, all point strongly toward a copyright license." Nevertheless, Mitchell notes, "despite some crusty verbiage and lawyerly affectation, one hundred and seventy one little words can get a hell of a lot of legal work done."
Mitchell: The MIT License, Line by Line

Debian has updated firefox-esr (multiple vulnerabilities). Debian-LTS has updated wordpress (multiple vulnerabilities). Fedora has updated distribution-gpg-keys (F23: privilege escalation), mock (F23: privilege escalation), openvas-libraries (F24; F23: multiple vulnerabilities), openvas-scanner (F24; F23: denial of service), and shiro (F24: access control bypass). openSUSE has updated pdns (13.2, Leap 42.1: multiple vulnerabilities). Oracle has updated kernel (4.1.12 O6; O7: multiple vulnerabilities; 3.8.13 O7; O6: multiple vulnerabilities; 2.6.39 O6; O5: multiple vulnerabilities). Slackware has updated openssl (14.0, 14.1, 14.2, -current: multiple vulnerabilities) and pidgin (13.0, 13.1, 13.137, 14.0, 14.1: mysterious vulnerabilities). Ubuntu has updated openssl (12.04, 14.04, 16.04: multiple vulnerabilities).
Friday's security updates

Matthew Garrett looks at the real problem behind the inability of some Lenovo laptops to run Linux. "The real problem here is that Intel do very little to ensure that free operating systems work well on their consumer hardware - we still have no information from Intel on how to configure systems to ensure good power management, we have no support for storage devices in "RAID" mode and we have no indication that this is going to get better in future. If Intel had provided that support, this issue would never have occurred."
Garrett: Microsoft aren't forcing Lenovo to block free operating systems

Arch Linux has updated firefox (multiple vulnerabilities), irssi (code execution), and tomcat7 (proxy injection). CentOS has updated firefox (C5, C6, C7: multiple vulnerabilities). Debian has updated wireshark (LTS: dissector vulnerabilities), irssi (denial of service), and openssl (multiple vulnerabilities). Fedora has updated drupal7-google_analytics (F23, F24: cross-site scripting), drupal7-panels (F23, F24: multiple vulnerabilities), jasper (F23: multiple code-execution vulnerabilities), mod_cluster (F24: "remote exploits"), nodejs-string-dot-prototype-dot-repeat (F23: "update for security reasons"), php-horde-Horde-Mime-Viewer (F23, F24: cross-site scripting), php-horde-Horde-Text-Filter (F23, F24: cross-site scripting), and xen (F23: multiple vulnerabilities). Mageia has updated chromium-browser-stable (29 CVEs), curl (code execution), file-roller (file deletion), flash-player-plugin (26 CVEs), icu (code execution), jsch (path traversal vulnerability), libksba (denial of service), nodejs (remote code execution), slock (lock bypass), and tomcat (traffic redirection). openSUSE has updated opera (multiple vulnerabilities). Oracle has updated firefox (OL5, OL6, OL7: multiple vulnerabilities). Scientific Linux has updated firefox (SL5-7: multiple vulnerabilities). Slackware has updated irssi (denial of service), pidgin (17 CVE numbers), and firefox (multiple vulnerabilities). SUSE has updated java-1_7_1-ibm (SLES12: three CVEs described as "Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 allows local users to affect confidentiality, integrity, and availability via vectors related to Deployment"), and java-1_6-0-ibm (SLES11: one unspecified vulnerability). Ubuntu has updated firefox (multiple vulnerabilities), gdk-pixbuf (code execution), irssi (denial of service), and thunderbird (code execution). Note that there appear to be differences of opinion as to whether the irssi vulnerability can be exploited for code execution.
A pile of security updates for Thursday

The Weekly Edition for September 22, 2016 is available.
[$] Weekly Edition for September 22, 2016

The GNOME Project has announced the release of GNOME 3.22, "Karlsruhe". "This release brings comprehensive Flatpak support. GNOME Software can install and update Flatpaks, GNOME Builder can create them, and the desktop provides portal implementations to enable sandboxed applications. Improvements to core GNOME applications include support for batch renaming in Files, sharing support in GNOME Photos, an updated look for GNOME Software, a redesigned keyboard settings panel, and many more."
GNOME 3.22 released

Congestion-control algorithms are unglamorous bits of code that allow network protocols (usually TCP) to maximize the throughput of any given connection while simultaneously sharing the available bandwidth equitably with other users. New algorithms tend not to generate a great deal of excitement; the addition of TCP New Vegas during the 4.8 merge window drew little fanfare, for example. The BBR (Bottleneck Bandwidth and RTT) algorithm just released by Google, though, is attracting rather more attention; it moves away from the mechanisms traditionally used by these algorithms in an attempt to get better results in a network characterized by wireless links, meddling middleboxes, and bufferbloat.
[$] BBR congestion control

Arch Linux has updated curl (code execution), lib32-curl (code execution), and lib32-jansson (denial of service). Debian has updated wireshark (multiple vulnerabilities). Debian-LTS has updated unadf (two vulnerabilities). Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities). SUSE has updated mysql (SLE11-SP3,4: multiple unspecified vulnerabilities).
Security advisories for Wednesday

The Apache CouchDB database project has announced its 2.0 release. New features include clustering support, a new query language, a new administrative interface, and more. "CouchDB 2.0 is 99% API compatible with the 1.x series and most applications should continue to just work."
CouchDB 2.0 released

The fuzzy notepad blog is carrying a post about the switch statement with just about everything one might want to know about its past, present, and possible future. "As we've seen, the switch statement has had basically the same form for 49 years. The special case labels are based on syntax derived directly from fixed-layout FORTRAN on punchcards in 1957, several months before my father was born. I hate it."
The curious case of the switch statement (fuzzy notepad)

Michael Catanzaro lays down the rules for which GNOME applications distributions should package if they want to claim to provide a "pure GNOME experience." "Selecting the right set of default applications is critical to achieving a quality user experience. Installing redundant or overly technical applications by default can leave users confused and frustrated with the distribution. Historically, distributions have selected wildly different sets of default applications. There's nothing inherently wrong with this, but it's clear that some distributions have done a much better job of this than others."
Catanzaro: GNOME 3.22 core apps

NTP, the Network Time Protocol, quietly and without much fuss performs the critical internet function of knowing the correct time. Using it, a computer with imperfect communications links may join a distributed community of servers, each of which is either directly attached to a reliable clock, or is trying to best synchronize its clock to one or more better-synchronized members of the community. The NTP pool system has arisen as a method of providing such a community to the internet; it works well, but is not without its challenges.
[$] The NTP pool system

Carlos Garcia Campos takes a look at the latest stable release of WebKitGTK+. "[The threaded compositor] is the most important change introduced in WebKitGTK+ 2.14 and what kept us busy for most of this release cycle. The idea is simple, we still render everything in the web process, but the accelerated compositing (all the OpenGL calls) has been moved to a secondary thread, leaving the main thread free to run all other heavy tasks like layout, JavaScript, etc. The result is a smoother experience in general, since the main thread is no longer busy rendering frames, it can process the JavaScript faster improving the responsiveness significantly." This release is also considered feature complete in Wayland.
Garcia: WebKitGTK+ 2.14

Vuln: OpenSSL CVE-2016-6306 Local Denial of Service Vulnerability

Vuln: IBM Rational DOORS Next Generation CVE-2016-5955 Unspecified Cross Site Scripting Vulnerability

Vuln: OpenSSL CVE-2016-6307 Denial of Service Vulnerability

Vuln: OpenSSL CVE-2016-6308 Denial of Service Vulnerability

Bugtraq: OS-S Security Advisory 2016-19: Epson WorkForce multi-function printers do not use signed firmware images and allow unauthorized malicious firmware-updates (CVSS 10)

Bugtraq: [slackware-security] php (SSA:2016-267-01)

Bugtraq: ESA-2016-097: RSA Identity Governance and Lifecycle Information Disclosure Vulnerability

Bugtraq: Recon Europe 2017 Call For Papers - January 27 - 29, 2017 - Brussels, Belgium
