Archive for January 27th, 2003

Imported from MozDawg without title

Fresh off the press (27JAN03): from LinuxWorld, “Larry McVoy on BitKeeper, kernel development, Linux Torvalds [sic] & Bruce Perens”. (This followup to “Meet the Perens” part 1 and part 2 was initiated by McVoy’s request for corrections; from the intro: “[t]hinking that a story on BitKeeper — the controversial proprietary source management tool currently in use by Linus and others for Linux kernel development — that also carried McVoy’s corrections would be more interesting to our readers …”)


Imported from MozDawg without title

Addenda to the M$ $QL 1434 attack:
* Distributed Intrusion Detection System presents a very informative homepage.
* netsys.com hosts “Full Disclosure“, a security oriented list.
* CERT/CC and the Electronic Industries Alliance have joined to form the Internet Security Alliance.
* from SecurityFocus 7JAN03: “Closing the Floodgates: DDoS Mitigation Techniques“. “To be on the receiving end of a distributed denial of service (DDoS) attack is a nightmare scenario […] It begins instantly, without warning, and continues relentlessly […] An effective, immediate response is often difficult and may depend on third parties, such as ISPs.” (The “related articles” on this page include items such as “Characterizing and Tracing Packet Floods Using Cisco Routers” [PDF])
* by UW’s David Dittrich (an armload of forensic links here), the mother of all DDoS pages: DDoS Attacks / Tools
* Bill Wall’s list of computer hacker incidents (thanks to DaD for this)
* at itworld.com, the Unix Security Newsletter; “Unix is lauded for its flexibility and openness. However, vulnerabilities in standard configurations can make Unix systems susceptible to security threats.” (This is the archives, stopping at SEP02 … the list is defunct? Security Strategies is up to date.)


Imported from MozDawg without title

Tuck in your CVS Server!
Running CVS 1.11.4 or earlier? Well … don’t do that.

According to CERT Advisory CA-2003-02 – Double-Free Bug: “The CVS server component contains a “double-free” vulnerability[…] an error-checking routine may attempt to free() the same memory reference more than once. Deallocating the already freed memory leads to heap corruption, which an attacker could leverage to execute arbitrary code […] The CVS server process is typically started by the Internet services daemon (inetd) […] Arbitrary code inserted by an attacker would therefore run with root privileges.” (Common Vulnerabilities and Exposures also issued a report.)

On 20JAN03 CVS posted notice that 1.11.5 was available.

The exploit was first reported, apparently, *sigh* by Stefan Esser at e-matters. His report/advisory includes a timeline on the fix *!OpenSource rawks!* and ends with a suggestion: “You should also consider running your CVS server chrooted over SSH instead of using the :pserver: method.” It also points to a tutorial on this: Chrooted SSH CVS server how-to.
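
A quick host check for the two conditions the advisory names, written here as an added example (not code from CERT, e-matters or the CVS project): a CVS version older than 1.11.5, and a pserver entry that inetd starts as root. The function names, the sample inetd.conf lines and paths, and the version string passed in are all constructed for illustration.

```sh
# Added example: constructed audit helper, not from CERT or the CVS project.

# version_lt A B: succeed when dotted version A sorts strictly before B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# pserver_users FILE: print the user of each active (uncommented)
# inetd.conf entry whose argument list contains "pserver".
pserver_users() {
    awk '/^[ \t]*#/ || NF < 7 { next }
         { for (i = 7; i <= NF; i++) if ($i == "pserver") {
               u = $5; sub(/[.:].*/, "", u); print u; break } }' "$1"
}

# audit_cvs VERSION INETD_CONF: print findings; return 1 if any were found.
audit_cvs() {
    rc=0
    if version_lt "$1" "1.11.5"; then
        echo "FINDING: CVS $1 predates 1.11.5 (CERT CA-2003-02 double-free)"
        rc=1
    fi
    for u in $(pserver_users "$2"); do
        [ "$u" = "root" ] || continue
        echo "FINDING: inetd starts pserver as root"
        rc=1
    done
    return "$rc"
}

# Constructed sample inetd.conf (field 5 is the user the server runs as).
sample_inetd_conf() {
    cat <<'EOF'
ftp        stream tcp nowait root /usr/sbin/in.ftpd in.ftpd -l
cvspserver stream tcp nowait root /usr/bin/cvs cvs -f --allow-root=/var/cvs pserver
#cvspserver stream tcp nowait cvs /usr/bin/cvs cvs -f --allow-root=/var/cvs pserver
EOF
}

tmp=$(mktemp) && sample_inetd_conf > "$tmp"
audit_cvs "1.11.4" "$tmp" || true   # version string here is a constructed input
rm -f "$tmp"
```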

