Security Portal Weekly Newsletter
Weekly Solaris Security Roundup Archive
By Seán Boran, sean AT boran.com, for Security Portal
A quiet week for Sun: no new advisories or weaknesses.
The Yassp tool is making progress; a new release will be ready soon.
05/31/00 CS-2000-02 CERT Summary
Topics in this regularly scheduled CERT Summary include buffer overflows in Kerberos
authenticated services, improper validation of SSL sessions in Netscape Navigator, the
Love Letter Worm, denial-of-service attacks using nameservers, the exploitation of
unprotected Windows shares, and continued reports of machines compromised by exploiting
vulnerabilities in BIND.
Web Security: A discussion kicked off at Sunworld contains some interesting comments on the UNIX vs. Linux vs. Microsoft security debate. Moderated by Carole Fennelly and Brian Martin.
Progress report on Yassp (the Solaris hardening tool):
Work on beta#6 is underway, with lots of activity on the developer list. A new release is
very close.
Updates: some path problems have been corrected in /etc/profile and /etc/default/su, support for Solaris 8 is under test, /opt/local and /usr/local will be supported for tools, /etc/rc.conf and /etc/yassp.conf have been merged, and /etc/syslog.conf is improved.
Programs to be included: ssh (enhanced with SecurID support), tripwire, tcpd (wrapper), rpcbind (with access control), gzip, rcs. The installation script can allow the user to choose packages or have them installed "hands-off" by definition of the PKGLIST variable.
The Intel platform is not yet supported.
There was also some (inconclusive) discussion on adding 'ifstatus' to yassp.
See also:
Yassp site
Hardening Solaris (with Yassp)
Bugtraq vulnerabilities this week - Solaris:
none
Bugtraq vulnerabilities this week - Applications that run on Solaris:
none
Summary of FOCUS-Sun discussions this week:
06/02/00 No secure copy on Solaris 8?
06/02/00 solaris packages
A discussion of alternative methods of installing Solaris applications, such as RPM and NFS hacks.
05/30/00 sun's libkrb and the recent kerb vulns.
No answers so far.
05/29/00 LDAP authentication through nsswitch.conf
No answers so far.
05/25/00 Colliding Password Hashes
Solaris ignores password characters after the maximum 8 characters.
05/26/00 Solaris Backup Verification
Solaris Default Processes and init.d, Part I (SecurityFocus)
The first part of this article explains what each of the running processes is in a typical new Solaris 8 installation.
Sun Security Resources:
Sun Security Coordination Team sunsolve.sun.com/pub-cgi/show.pl?target=security/sec
Sun security bulletins are available at: sunsolve.sun.com/security
General Sun Security www.sun.com/security
Solaris Security Datasheets www.sun.com/software/solaris/ds/ds-security
Java Security java.sun.com/security
Patches
If you have a maintenance contract, log in to sunsolve.sun.com and get both the PatchDiag tool and its reference database. If you don't, use the SecurityFocus Solaris Patch Calculator: www.securityfocus.com/sun/vulncalc
Sun security patches: sunsolve.sun.com/securitypatch
Public patch access: sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access
Patch download tool (wget): sunsite.auc.dk/ftp/pub/infosystems/wget
Web Publications & resources
SecurityFocus, Sun section: www.securityfocus.com/sun
Vulnerability database: www.securityfocus.com/vdb
Security Portal papers:
Hardening Solaris
Review of the Sunscreen EFS3 firewall
All about SSH - Part I
All about SSH - Part II
Sunworld:
Sunwhere index of resources
Sunworld security columns
Solaris Security FAQ
General discussion resources
News /personal interface to Sun resources: www.sun.com/MySun
BigAdmin discussion forum & FAQs: www.sun.com/bigadmin/home/index.html
Newsgroups:
comp.unix.solaris
comp.sys.sun.admin
comp.sys.sun.hardware
alt.solaris.x86
Sun-managers Mailing list: This list has been around for many years and is an invaluable resource to Sun system administrators.
To have your mailing address added to or removed from the mailing list, send a request to "majordomo@sunmanagers.ececs.uc.edu". The request should contain simply one line which says either "subscribe sun-managers" or "unsubscribe sun-managers". You can specify the particular e-mail address to be added after the word "subscribe".
SecurityFocus "FOCUS-Sun" list: see www.securityfocus.com/focus/sun/subscribe.html
Focus-Sun is meant to be a resource for Sun users and administrators looking for that extra little bit of help in securing Sun products, using Sun products in security roles, and getting additional information about the latest in Sun vulnerabilities. Unsure how secure NIS is? Curious as to how to properly use ACLs? Does the latest and greatest Sun RPC bug affect you? Questions like these are all expected and encouraged. The Focus-Sun list is meant to address those questions which are inappropriate or off topic for Bugtraq. In addition, important announcements related to breaking vulnerabilities will be posted, with the details needed to ensure that you have the up-to-the-minute information you need to keep your Suns secure.