Vale Kenny on Tue, 25 Apr 2000 10:29:59 -0400 (EDT)
So what is being stated here is that as soon as it was discovered, a fix was issued? Try that from M$.

reinvigorated my ass.

V

On Tue, 25 Apr 2000 07:36:51 Michael Leone wrote:
> Saw this in my InformationWeek daily newsletter:
>
> - Linux Security Flaw Detailed
> Internet Security Systems Inc. is warning Linux users of a
> back-door security flaw that carries ISS's highest danger rating. The
> company's vulnerability-assessment team, or "X-Force," as it is
> known, says a back-door vulnerability exists for any user running
> a full version of Red Hat Linux Piranha, which contains Linux
> Virtual Server software, a Web-based graphical user interface, as
> well as monitoring and failover applications. ISS and Red Hat Inc.
> are providing a fix for the problem.
>
> According to ISS, an undocumented back-door password exists in the
> GUI portion of Piranha that may allow remote users to execute
> commands on the server from a remote location and may provide
> access to other systems. This security flaw has been given a "5"
> rating, on a scale from 1 to 5, because of the flaw's inherent
> ability to provide damaging access to attackers. The flaw is
> present in version 0.4.12 of the Piranha GUI, which is part of the
> latest Red Hat Linux 6.2 distribution. Early versions of Red Hat
> are not vulnerable.
>
> A security breach is possible even if Linux Virtual Server is not
> used on the system. The system is vulnerable if the affected
> Piranha-GUI package is installed and the administrator has not
> changed the password. Chris Rouland, director of X-Force for ISS
> in Atlanta, does not believe that the back door was installed with
> malicious intent, but the vulnerability does reinvigorate the
> debate between open-source and closed-source software.
> "I think it was just an engineering mistake," says Rouland.
> Open-source software doesn't have "an engineering organization whose
> role or job it is to provide quality assurance to commercial
> software. The upside of open source is that everyone can see it,
> so if there are glaring holes, you have peer review." Red Hat has
> provided updated Piranha, Piranha-doc, and Piranha-GUI packages
> 0.4.13-1, and recommends that administrators be sure that a new
> password is installed following the installation.
>
> ______________________________________________________________________
> Philadelphia Linux Users Group - http://plug.nothinbut.net
> Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
> General Discussion - http://lists.nothinbut.net/mail/listinfo/plug