SecurityFocus, 2001-11-28

Red Hat accidentally pre-releases information on a devastating Linux security hole, sends other vendors scrambling

On the surface, it was just another turn of the endless cycle of software release, hole discovery, and patching: operating system vendor Red Hat issued an advisory Tuesday warning the world about a serious security hole in a file transfer program that comes with Linux, and urged customers to download a patch.
There was just one problem: Red Hat's advisory jumped the gun on what was intended to be a simultaneous multi-vendor release, carefully coordinated by the government-funded Computer Emergency Response Team (CERT), and scheduled for December 3rd. Caught off guard, other Linux vendors were rushing Wednesday to finalize their own patches for the hole, a memory-allocation bug in the ubiquitous Washington University WU-FTPd program.
"The vendors agreed on releasing the information about the flaw... on December 3rd," wrote Roman Drahtmüller, of Linux vendor S.u.S.E., in an email interview. "This timeline was set up for vendors to build and test their packages, which can be a very time-consuming process... If this timeline is broken, distributors... run into a difficult situation, since their users can't download the update packages."
To exploit the bug, attackers must first log in to a host's FTP server. But on many systems, limited 'anonymous' FTP access is enabled by default.
The hole affects thousands of users of virtually every Linux release. Because of the wide implications, Core, working with CERT, and, at one point, SecurityFocus' "Vulnerability Help" team, arranged a coordinated release with Caldera, S.u.S.E., TurboLinux, Debian, Red Hat, and other Linux vendors, so that patches would be available for every distribution simultaneously. December 3rd was picked for the release.
That plan went out the window Tuesday, when Red Hat unilaterally issued its own advisory.
"Everybody else, they look like jerks, and they have to scramble to get fixes," said an irate Ivan Arce, CTO of Core Security Technologies. "The only fixes now out publicly are Red Hat's."
Red Hat apologized to other vendors Tuesday night.
"It was a big mistake," says Mark Cox, Red Hat's senior director of engineering. "The package was ready to go live, and we were holding off until the date this was going to hit." Instead, a Red Hat administrator accidentally swept up the advisory with other, unrelated updates sent out Tuesday.
The company has changed its release process to store a 'not-before date' with its pending releases, says Cox. "It's not going to be possible to release something before that date, so we make sure this doesn't happen again. It's not a very good thing."
Despite the snafu, Cox says coordinated releases have worked well for the Linux community in the past. "I don't think it shows any sort of inherent problems in that process."
The FBI's National Infrastructure Protection Center (NIPC) issued an