I'm looking for some evidence, backed up with dates and references,
that shows that the Linux community responds to security problems
more quickly than other OS vendors, and thus might be considered
"more secure". A number of fairly high profile corporations are
starting to look for such information as they consider Linux as an
alternative solution to other UNIXes.
Something like:
Vulnerability : foo has buffer overrun
Affects : Linux, Solaris, etc
Linux Fix Date : Oct 1, 1996
Other Fix Dates: Solaris: not yet fixed
...
References : http://.......
CERT Advisory XYZ
Does anyone have any pointers, or information I can use to assemble
data like this? I'll be happy to summarize any data I get and send
it to the list.
Thanks,
Marc
David Holland
1997-Jan-29 13:15 UTC
Re: [linux-security] evidence/timelines that show linux is "more secure"
> I'm looking for some evidence, backed up with dates and references,
> that shows that the Linux community responds to security problems
> more quickly than other OS vendors, and thus might be considered
> "more secure".

Unfortunately it's not clear that this is all that true. The turnaround
time on the libc env bugs was on the order of three to four months,
around the same time as most vendors. Mind you, this was nearly a worst
case for Linux. When developers discover holes they get fixed a lot
faster; the talkd bug that came out of CERT this week was fixed in Linux
in July, because I found it while preparing NetKit 0.07 (yeah, I know the
CERT advisory says 0.08, this particular bug was actually fixed in 0.07;
you shouldn't be running anything earlier than 0.09 or a vendor-fixed
0.08 at this point anyway.)

The other problem: define "Linux fix date"? In the libc case, a fixed
developer version of libc was out long before the fixes were complete.
Red Hat got a fixed version out someplace in the middle.

FWIW:

Vulnerability : talkd buffer overrun attackable via DNS
Affects : Linux, NetBSD, FreeBSD, OpenBSD, BSD/OS, Solaris, etc.
Linux Fix Date : July 1996 (check the exact netkit 7 release date)
Other Fix Dates: NetBSD, OpenBSD: July 1996
                 FreeBSD: January 1997
                 BSD/OS: January 1997
                 Solaris: Not yet fixed
References : CERT Advisory CA-97.04

--
- David A. Holland | VINO project home page:
dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino
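An added example, not from anyone in the thread: a small Python parser for the record layout Marc proposed, filled in with the talkd data David gave, that turns fix dates (month-only dates and "not yet fixed" included) into turnaround days relative to the advisory date. The advisory date is an assumption (the post says CA-97.04 "came out this week" and is dated 1997-Jan-29), and the record text itself is constructed from the thread.

```python
"""Parse 'Vulnerability / Affects / Fix Date' records and rank vendor turnaround."""
import re
from datetime import date
from typing import Optional

# Constructed record in the proposed format, filled with the talkd data
# from the thread (layout adapted: one vendor group per ';').
TALKD_RECORD = """\
Vulnerability : talkd buffer overrun attackable via DNS
Affects : Linux, NetBSD, FreeBSD, OpenBSD, BSD/OS, Solaris
Linux Fix Date : July 1996
Other Fix Dates: NetBSD, OpenBSD: July 1996; FreeBSD: January 1997; \
BSD/OS: January 1997; Solaris: Not yet fixed
References : CERT Advisory CA-97.04
"""
# Assumption: the advisory "came out this week" in a post dated 1997-Jan-29,
# so that date stands in for the CERT publication date.
ADVISORY_DATE = date(1997, 1, 29)

MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}

def parse_fix_date(text: str) -> Optional[date]:
    """'Oct 1, 1996' -> 1996-10-01; 'July 1996' -> 1996-07-01 (month-only
    dates snap to the 1st); 'Not yet fixed' or anything else -> None."""
    m = re.match(r"\s*([A-Za-z]+)\.?\s+(?:(\d{1,2}),?\s+)?(\d{4})", text)
    if not m or m.group(1)[:3].lower() not in MONTHS:
        return None
    month = MONTHS[m.group(1)[:3].lower()]
    return date(int(m.group(3)), month, int(m.group(2) or 1))

def parse_record(record: str) -> dict:
    """Split the record into fields and a {vendor: fix date or None} map."""
    fields = {}
    for line in record.splitlines():
        key, _, val = line.partition(":")
        fields[key.strip().lower()] = val.strip()
    fixes = {"Linux": parse_fix_date(fields.get("linux fix date", ""))}
    for chunk in fields.get("other fix dates", "").split(";"):
        vendors, _, when = chunk.rpartition(":")  # 'NetBSD, OpenBSD: July 1996'
        for vendor in vendors.split(","):
            if vendor.strip():
                fixes[vendor.strip()] = parse_fix_date(when)
    return {"vulnerability": fields.get("vulnerability", ""),
            "references": fields.get("references", ""), "fixes": fixes}

def turnaround(record: str, advisory: date) -> list:
    """(vendor, days from advisory to fix), fastest first; negative means
    fixed before the advisory came out, None (unfixed) sorts last."""
    fixes = parse_record(record)["fixes"]
    rows = [(v, (d - advisory).days if d else None) for v, d in fixes.items()]
    return sorted(rows, key=lambda r: (r[1] is None, r[1] or 0, r[0]))
```

Running `turnaround(TALKD_RECORD, ADVISORY_DATE)` ranks Linux, NetBSD and OpenBSD at -212 days, BSD/OS and FreeBSD at -28, and Solaris as unfixed; note that month-only dates make the figures approximate, which is David's "define fix date" point in numbers.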
Benjamin L. Brown
1997-Jan-29 13:31 UTC
Re: [linux-security] evidence/timelines that show linux is
[Mod: Quoted text trimmed. -- alex]
I think that is going to be tough, but the real issue is that
even with "evidence" like this, it does not address the most
important issue to upper management: Who to blame/litigate
when there's a security breach? They want to know who is
responsible for keeping ahead of the system crackers and at
whom to point the finger if (to be read, "when") a
breach is exploited. So even if you were to collect lots of
anecdotal data ("anecdotal", because none of it would stand
up to true scientific investigatory criteria), it wouldn't
convince managers who need to have good feelings about dealing
with a definable, legal, corporate entity. The "Linux Community"
does not fall within this limited thinking.
[Mod: The thing to remember is that to my knowledge none of the vendors of
commercial UNIX operating systems is willing to accept responsibility for
vulnerabilities either. -- alex]
Regards,
B.Brown
----------------------------------------------------------------
These are so obviously my own opinions that no one in the world
would ever even think that they represent those of anyone else.
----------------------------------------------------------------
Jeff Uphoff
1997-Jan-29 14:12 UTC
Re: [linux-security] evidence/timelines that show linux is "more secure"
"ME" == Marc Ewing <marc@schroeder.redhat.com> writes:

ME> I'm looking for some evidence, backed up with dates and references,
ME> that shows that the Linux community responds to security problems
ME> more quickly than other OS vendors, and thus might be considered
ME> "more secure". A number of fairly high profile corporations are
ME> starting to look for such information as they consider Linux as an
ME> alternative solution to other UNIXes.

ME> Does anyone have any pointers, or information I can use to assemble
ME> data like this? I'll be happy to summarize any data I get and send
ME> it to the list.

Well, a good starting point would be ftp.cert.org:/pub/cert_advisories.
Looking there, for relatively recent entries ('96 & '97--I may continue
looking back through '94 and '95 if/when I have the time)--some of which
mention Linux and some of which don't--I've found:
96.01, UDP Port Denial-of-Service Attack
N/A
96.02, BIND Version 4.9.3
N/A; Linux not mentioned by CERT.
96.03, Vulnerability in Kerberos 4 Key Server
N/A
96.04, Corrupt Information from Network Servers
N/A; Linux not mentioned by CERT.
96.05, Java Implementations Can Allow Connections to an Arbitrary Host
N/A
96.06, Vulnerability in NCSA/Apache CGI example code
N/A
96.07, Weaknesses in Java Bytecode Verifier
N/A
96.08, Vulnerabilities in PCNFSD
N/A; Linux not mentioned by CERT.
96.09, Vulnerability in rpc.statd
N/A
96.10, NIS+ Configuration Vulnerability
N/A
96.11, Interpreters in CGI bin Directories
N/A
96.12, Vulnerability in suidperl
Sort of N/A; this is third-party for most vendors. Linux is mentioned.
96.13, Vulnerability in the dip program
N/A; Linux-specific vulnerability.
96.14, Vulnerability in rdist
IBM Corporation
===============
AIX is vulnerable to this problem. Fixes are in process but
are not yet available.
Linux
=====
[Not vulnerable as distributed.]
The Santa Cruz Operation
========================
The following releases of SCO Software are known to contain
a version of rdist that is vulnerable:
SCO OpenServer 5.0.2, 5.0.0
SCO Internet FastStart 1.0
SCO Open Server Enterprise/Network System 2.0, 3.0
SCO Open Desktop 2.0, 3.0
SCO Open Desktop Lite 3.0
SCO UnixWare 2.0, 2.1
SCO TCP/IP 1.2.0, 1.2.1
Patches are being developed for the following releases:
SCO OpenServer 5.0.2, 5.0.0
SCO Internet FastStart 1.0
SCO UnixWare 2.1
96.15, Vulnerability in Solaris 2.5 KCMS programs
N/A
96.16, Vulnerability in Solaris admintool
N/A
96.17, Vulnerability in Solaris vold
N/A
96.18, Vulnerability in fm_fls
N/A
96.19, Vulnerability in expreserve
N/A; Linux not mentioned by CERT.
96.20, Sendmail Vulnerabilities
Digital Equipment Corporation
=============================
[About the resource starvation problem]
Source:
Software Security Response Team Copyright (c) Digital
Equipment Corporation 1996. All rights reserved.
08.SEP.1996
At the time of writing this document, patches (binary kits)
for Digital''s UNIX related operating systems are being
developed.
FreeBSD
=======
All currently released FreeBSD distributions have this
vulnerability, as we distribute sendmail 8.7.x as part of our
operating system. However, our -current and -stable source
distributions were updated on 18 Sep 1996 to sendmail 8.7.6.
Users tracking -current or -stable are advised to upgrade and
recompile sendmail at their earliest convenience.
Hewlett-Packard Company
=======================
[About both the resource starvation and the buffer
overflow problem]
HP-UX is vulnerable, and patches are in progress.
IBM Corporation
===============
The following APARs are being developed and will be available
shortly.
Linux
=====
[For the resource starvation problem:]
Debian Linux: not vulnerable (uses smail)
Red Hat and derivatives:
ftp://ftp.redhat.com/pub/redhat-3.0.3/i386/updates/RPMS/sendmail*
The Santa Cruz Operation
=======================
Any SCO operating system running a version of sendmail
provided by SCO is vulnerable to this problem. SCO is
providing Support Level Supplement (SLS) oss443a for the
following releases to address this issue:
SCO Internet FastStart release 1.0.0
SCO OpenServer releases 5.0.0 and 5.0.2
This SLS provides a pre-release version of sendmail release
8.7.6 for these platforms. SCO hopes to have a final version
of sendmail 8.7.6 available to address both issues mentioned
in this advisory in the near future.
Silicon Graphics, Inc.
======================
We are analyzing the vulnerability, and will provide
additional information as it becomes available.
Sun Microsystems, Inc.
======================
Sun is working on a patch which will fix both problems, and
we expect to have it out by the end of the month. Also, we
will send out a Sun bulletin on this subject at about the
same time.
96.21, TCP SYN Flooding and IP Spoofing Attacks
N/A; Linux not mentioned by CERT.
96.22, Vulnerabilities in bash
Silicon Graphics, Inc.
======================
SGI has distributed bash (version 1.14.6) as part of the
Freeware 1.0 CDROM. This collection of software has been
compiled for IRIX as a service to our customers, but is
furnished without formal SGI support.
The problem identified by IBM in bash is present in the version
of bash on the Freeware 1.0 CDROM. This CDROM included both the
source code for bash and compiled versions of it.
SGI urges customers to recompile bash after making the changes
in parse.y suggested by IBM.
As a service similar to that of the original Freeware 1.0 CDROM,
SGI intends to make available a compiled version of bash and its
source in the near future. This action does not necessarily
imply a commitment to any future support actions for the
programs found on the Freeware 1.0 CDROM.
Linux
=====
Patches for the following Linux versions are available.
[SuSE 4.2, Red Hat 3.0.3, Yggdrasil, WGS Linux Pro, Caldera all
had patches out.]
96.23, Vulnerability in WorkMan
Sort of N/A; this is third-party for most vendors. Linux is mentioned
in a general sense, as is Sun.
96.24, Sendmail Daemon Mode Vulnerability
Digital Equipment Corporation
=============================
DIGITAL Engineering is aware of these reported problems and
testing is currently underway to determine the impact against
all currently supported releases of DIGITAL UNIX and ULTRIX.
Patches will be developed (as necessary) and made available via
your normal DIGITAL Support channel.
FreeBSD
=======
All currently shipping releases of FreeBSD are affected,
including the just released 2.1.6. An update for 2.1.6 will be
available shortly. This problem has been corrected in the
-current sources. In the mean time, FreeBSD users should follow
the instructions in the CERT advisory. Sendmail will compile and
operate "out of the box" on FreeBSD systems.
Hewlett-Packard Company
=======================
Sendmail daemon problem:
Not Vulnerable: HP-UX 9.X, 10.00, 10.01, 10.10
Vulnerable:     HP-UX 10.2 even with PHNE_8702 (patches in process)
IBM Corporation
===============
See the appropriate release below to determine your action.
AIX 3.2
-------
No fix required. AIX 3.2 sendmail is not vulnerable.
AIX 4.1
-------
No fix required. AIX 4.1 sendmail is not vulnerable.
AIX 4.2
-------
AIX 4.2 sendmail is vulnerable.
APAR IX63068 will be available shortly.
Linux
=====
Linux has provided these URLs for S.u.S.E. Linux:
ftp://ftp.suse.de/suse_update/S.u.S.E.-4.3/sendmail
ftp://ftp.gwdg.de/pub/linux/suse/suse_update/S.u.S.E.-4.3/sendmail
Checksums for the files in these directories:
6279df0597c972bff65623da5898d5dc sendmail.tgz
0c0d20eecb1019ab4e629b103cac485c sendmail-8.8.3.dif
0cb58caae93a19ac69ddd40660e01646 sendmail-8.8.3.tar.gz
-----
Caldera OpenLinux has released a security advisory, available from
http://www.caldera.com/tech-ref/cnd-1.0/security/SA-96.06.html
-----
Red Hat has patched sendmail 8.7.6. The fixes are available from
Red Hat Linux/Intel:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/i386/sendmail-8.7.6-5.i386.rpm
Red Hat Linux/Alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.0/axp/sendmail-8.7.6-5.axp.rpm
NeXT Software, Inc.
===================
NeXT is not vulnerable to the problem described in Section IV.A.
NeXT is vulnerable to the problem described in Section IV.B, and
it will be fixed in release 4.2 of OpenStep/Mach.
The Santa Cruz Operation, Inc. (SCO)
====================================
SCO is investigating the problem and will have more information
in the near future.
96.25, Sendmail Group Permissions Vulnerability
Linux not mentioned by CERT. "Lagging" vendors were:
Digital Equipment Corporation
=============================
This problem is currently under review by engineering to
determine if it impacts DIGITAL UNIX and DIGITAL ULTRIX
sendmail implementations.
Hewlett-Packard Company
=======================
Vulnerabilities
---------------
1. Sendmail Group Permissions Vulnerability
2. Denial of Service Attack using the sendmail configuration variable
   TryNullMXList.
Vulnerable releases
--------------------
9.x
pre-10.2 10.x
10.2
The 9.x, pre-10.2 10.x sendmail is vulnerable with respect to
the "Sendmail Group Permissions Vulnerability".
The 10.2 sendmail is vulnerable with respect to both the
reported security holes.
Patches for these vulnerabilities are in progress.
IBM Corporation
===============
The version of sendmail that ships with AIX is vulnerable to
the conditions listed in this advisory. A fix is in progress
and the APAR numbers will be available soon.
NEC Corporation
===============
Checking out the vulnerability. Contacts for further
information by e-mail: UX48-security-support@nec.co.jp.
The Santa Cruz Operation, Inc. (SCO)
====================================
Any SCO operating system running a version of sendmail
provided by SCO is vulnerable to this problem. SCO will soon
be providing a Support Level Supplement, (SLS), to address
this issue for the following releases of SCO software:
SCO Internet FastStart release 1.0.0, 1.1.0
SCO OpenServer releases 5.0.0 and 5.0.2
Sun Microsystems, Inc.
======================
All Sun sendmails are susceptible to both vulnerabilities. We
will produce and announce patches for all supported versions
of SunOS. We expect the patches to be available later this
month.
96.26, Denial-of-Service Attack via ping
Digital Equipment Corporation
============================
[...lots of yadda yadda deleted...]
SOLUTION:
Digital has reacted promptly to this reported problem and a
complete set of patch kits are being prepared for all
currently supported platforms.
Linux Systems
============
We recommend that you upgrade your Linux 1.3.x and 2.0.x
kernels to Linux 2.0.27. This is available from all the main
archive sites such as
ftp://ftp.cs.helsinki.fi/pub/Software/Linux
Users wishing to remain with an earlier kernel version may
download a patch from http://www.uk.linux.org/big-ping-patch.
This patch will work with 2.0.x kernel revisions but is
untested with 1.3.x kernel revisions.
Red Hat Linux has chosen to issue a 2.0.18 based release with
the fix. Red Hat users should obtain this from
ftp://ftp.redhat.com/[...]
Sun Microsystems, Inc.
======================
We are looking into this problem.
96.27, Vulnerability in HP Software Installation Programs
N/A
97.01, Multi-platform Unix FLEXlm Vulnerabilities
N/A
97.02, HP-UX newgrp Buffer Overrun Vulnerability
N/A
97.03, Vulnerability in IRIX csetup
N/A
97.04, talkd Vulnerability
IBM Corporation
===============
The version of talkd shipped with AIX is vulnerable to the
conditions described in this advisory. The APARs listed
below will be available shortly.
Linux
======
This bug was fixed in Linux NetKit 0.08 which is shipped with
all reasonably up to date Linux distributions.
NEC Corporation
===============
UX/4800 Vulnerable for all versions.
EWS-UX/V(Rel4.2MP) Vulnerable for all versions.
EWS-UX/V(Rel4.2) Vulnerable for all versions.
UP-UX/V(Rel4.2MP) Vulnerable for all versions.
Patches for these vulnerabilities are in progress.
The Santa Cruz Operation, Inc. (SCO)
====================================
SCO is investigating the problem with talkd and will
provide updated information for this advisory as it becomes
available. At this time SCO recommends disabling talkd on
your SCO system as described herein.
Silicon Graphics Inc. (SGI)
===========================
We are investigating.
Solbourne (Grumman System Support)
==================================
We have examined the Solbourne implementation and found that
it is vulnerable. Solbourne distributed the Sun application
under license. We will distribute a Solbourne patch based on
the Sun patch when it becomes available.
Sun Microsystems, Inc.
======================
The talkd buffer overflow vulnerability appears to affect at
least some supported versions of SunOS. Sun therefore expects
to release patches for all affected versions of SunOS within
the next few weeks.
97.05, MIME Conversion Buffer Overflow in Sendmail Versions 8.8.3 and 8.8.4
Sort of N/A; this is third-party for most vendors. Caldera is mentioned:
Caldera OpenLinux
=================
An upgrade for Caldera OpenLinux Base 1.0 can be found at:
...
--
Jeff Uphoff - Scientific Programming Analyst | juphoff@nrao.edu
National Radio Astronomy Observatory | juphoff@bofh.org.uk
Charlottesville, VA, USA | jeff.uphoff@linux.org
PGP key available at: http://www.cv.nrao.edu/~juphoff/
Smokey the Murphy
1997-Jan-29 14:12 UTC
Re: [linux-security] evidence/timelines that show linux is "more secure"
[Mod: Quoted text removed -- alex]

However, I do run the Linux Security Web Page that does try to do
something like the above with links to get fixes, patches, the exploits
and where to find more information on a known bug/problem. It may not be
enough to convince a non-technical person, but it does help those who
need to know the bugs and where to get the fixes.

The Linux Security Home Page: http://www.ecst.csuchico.edu/~jtmurphy

--
----------------------------------------------------------------------------
Jason T. Murphy | Finger for PGP Public Key | jtmurphy@ecst.csuchico.edu
The Linux Security Home Page -> http://www.ecst.csuchico.edu/~jtmurphy
The Unix tip of the week for Windows Users: rm -rf /dev/brain; install unix
On Wed, 29 Jan 1997, Smokey the Murphy wrote:

> The Linux Security Home Page: http://www.ecst.csuchico.edu/~jtmurphy

Hey, I've got one too, http://www.reptile.net/linux. Mine's geared more
towards the full-disclosure, test-your-own-system type of security, and
the solutions for most security problems are of the quick-fix type.

BTW, anyone got a talkd exploit to put up on it?

[Mod: It was posted to alt.security a while ago. Also keep in mind that
it does not really work with Linux systems running Netkits after 0.7 --
alex]

Jonathan
-----------------------------------------------------------------------------
The Reptile reptile@interport.net
Reptile's Realm http://www.reptile.net
Reptile's Linux Security Page http://www.reptile.net/linux
-----------------------------------------------------------------------------