[lug] FW: InformationWeek Daily 4/25/00 (fwd)
Charles Morrison
cmorrison at info2000.net
Tue Apr 25 08:49:54 MDT 2000
So, are you or your organization running clusters with Piranha? It shouldn't be
an issue otherwise, except of course as a PR issue. I'm not sure why this is
huge news, except that it is a way for MS backers to say "see, Linux has
backdoors too...". I suppose that might have some merit if RedHat == Linux. It
doesn't however.
My understanding is that Piranha is a RedHat redo of LVS. To my knowledge, this
is a RedHat only issue, and is not in the official LVS, nor in the TurboLinux
LVS spinoff.
Chuck
On Tue, 25 Apr 2000, you wrote:
> This was forwarded to me from the sysadmin here at work.
>
> Chip
>
> FYI -
>
> GOOD MORNING! Today is April 25,
> and this is....InformationWeek Daily!
> -TOP STORIES-
>
> - Linux Security Flaw Detailed
>
> Internet Security Systems Inc. is warning Linux users of a back-
> door security flaw that carries ISS's highest danger rating. The
> company's vulnerability-assessment team, or "X-Force," as it is
> known, says a back-door vulnerability exists for any user running
> a full version of Red Hat Linux Piranha, which contains Linux
> Virtual Server software, a Web-based graphical user interface, as
> well as monitoring and failover applications. ISS and Red Hat Inc.
> are providing a fix for the problem.
>
> According to ISS, an undocumented back-door password exists in the
> GUI portion of Piranha that may allow remote users to execute
> commands on the server from a remote location and may provide
> access to other systems. This security flaw has been given a "5"
> rating, on a scale from 1 to 5, because of the flaw's inherent
> ability to provide damaging access to attackers. The flaw is
> present in version 0.4.12 of the Piranha GUI, which is part of the
> latest Red Hat Linux 6.2 distribution. Early versions of Red Hat
> are not vulnerable.
>
> A security breach is possible even if Linux Virtual Server is not
> used on the system. The system is vulnerable if the affected
> Piranha-GUI package is installed and the administrator has not
> changed the password. Chris Rouland, director of X-Force for ISS
> in Atlanta, does not believe that the back door was installed with
> malicious intent, but the vulnerability does reinvigorate the
> debate between open-source and closed-source software.
>
> "I think it was just an engineering mistake," says Rouland. Open-
> source software doesn't have "an engineering organization whose
> role or job it is to provide quality assurance to commercial
> software. The upside of open source is that everyone can see it,
> so if there are glaring holes, you have peer review." Red Hat has
> provided updated Piranha, Piranha-doc, and Piranha-GUI packages
> 0.4.13-1, and recommends that administrators be sure that a new
> password is installed following the installation.
> - Matthew G. Nelson
>
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
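A quick way to act on the forwarded advisory is to check which Piranha packages on a Red Hat 6.2 box are older than the fixed build. The script below is an added example, not part of the original post or of Red Hat's or ISS's tooling: it parses `rpm -qa` style `name-version-release` lines, compares versions with a simplified rpmvercmp, and flags the piranha, piranha-doc and piranha-gui packages below 0.4.13-1 (the fixed version the advisory names). The sample package list is constructed; the assumption that all three packages share one version string is mine.

```python
import re
from typing import List, Optional, Tuple

# Versions quoted in the forwarded advisory: 0.4.12 of the Piranha GUI is
# affected and Red Hat shipped 0.4.13-1 as the fix. The three package names
# are the ones the advisory lists; assuming they carry the same version.
AFFECTED_PACKAGES = ("piranha", "piranha-doc", "piranha-gui")
FIXED_VERSION = "0.4.13"
FIXED_RELEASE = "1"

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b.

    Splits on non-alphanumerics; numeric segments compare as integers,
    alphabetic segments lexically, and a numeric segment outranks an
    alphabetic one, as rpm itself does.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_rpm_qa_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split an `rpm -qa` line (name-version-release) into its three parts.

    Names may themselves contain hyphens (piranha-gui), so split from the right.
    """
    parts = line.strip().rsplit("-", 2)
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def is_fixed(version: str, release: str) -> bool:
    """True if version-release is at or above the fixed 0.4.13-1 build."""
    c = rpm_vercmp(version, FIXED_VERSION)
    if c != 0:
        return c > 0
    return rpm_vercmp(release, FIXED_RELEASE) >= 0


def vulnerable_packages(rpm_qa_output: str) -> List[str]:
    """Return the installed Piranha packages older than the fixed build."""
    found = []
    for line in rpm_qa_output.splitlines():
        parsed = parse_rpm_qa_line(line)
        if parsed is None:
            continue
        name, version, release = parsed
        if name in AFFECTED_PACKAGES and not is_fixed(version, release):
            found.append(line.strip())
    return found


# Constructed sample of `rpm -qa` output; not taken from a real system.
SAMPLE_RPM_QA = """\
bash-1.14.7-23
piranha-0.4.12-1
piranha-gui-0.4.12-1
ipvsadm-1.9-3
"""

if __name__ == "__main__":
    for pkg in vulnerable_packages(SAMPLE_RPM_QA):
        print("update needed:", pkg)
```

On a live box you would feed it the real output (`rpm -qa | python3 check.py`, with `sys.stdin.read()` in place of the sample). Note that, as the advisory says, the version check is only half the fix: the system stays exposed while the Piranha-GUI package is installed with the shipped password, so a new password still has to be set after the 0.4.13-1 update.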