Sponsored link
Serve your customers, not your servers, with VERIO Linux VPS. Full-access test-drive here.
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
LWN.net Weekly Edition for September 26, 2002
A new era for LWN
When the plans for LWN.net were being laid, back toward the end of 1997, we (Liz Coolbaugh and Jonathan Corbet) set out to create a high-quality news source that would allow the Linux community to keep up with the incredible pace of its development. Plus, of course, we wanted to draw attention to an ill-advised support operation that we were launching at the same time. The support offerings are long since forgotten, but LWN has grown with the community it reports on. LWN, now approaching its fifth anniversary, processes a great deal of news and requires several people for its production. As readers of these pages have been told too many times, advertising does not cover even a fraction of the costs of producing LWN, and similar types of revenue, such as corporate sponsorships, are mostly unavailable.Back in July, we had come to the conclusion that LWN was not a sustainable operation, and that it was time for us to move on to other endeavors. The result was an amazing and unexpected show of support from our readers, in the form of donations, that caused us to rethink things. An unexpected show of, well, something else from our (former) credit card processor slowed that rethink greatly, but the time has now come. LWN is now at a definitive, and possibly final, crossroads.
We will now try to transition LWN into a subscription-based publication, supported by the readers that benefit from it. If LWN is valuable enough to its readers to earn that support, we will continue to produce it - and try to make it better. If not, well, then we will search for some other way to use our skills in the free software community.
Here's the deal: a basic LWN subscription will cost $5/month, with options for those wanting to pay a little less or a little more. Starting October 3, the LWN Weekly Edition will be available only to subscribers for the week following its publication; thereafter it will be freely available to all. Some other features, such as the ability to receive news via email, will be available to subscribers only. Other new features which we may introduce in the future will also be restricted to subscribers, at least initially. The LWN front page and the news items posted there will remain free, as will our security database, kernel patch page, and various other features of the site.
What this means is that all news posted to LWN will continue to be freely available - if you are sufficiently patient. But we strongly hope that most of our regular readers will consider becoming subscribers in order to have immediate access to our content, and, most importantly, to help keep LWN operating.
Those of you working in the software field may want to consider asking your employers to fund an LWN subscription as a useful tool for your job. Or, even better, have them talk to us about group subscriptions, which can provide access to LWN's subscription content for an entire group, company, or university at substantial savings in cost.
We have a lot of ideas for where we would like to take LWN. We would like to cover many important development projects the way we cover Linux kernel development now. We would like to have Linux in Business coverage that is more than a pile of press releases. It would be great to be able to pay for occasional articles by well-known authors. We will release our site code as free software as soon as we find the time to do it. It would be nice, even, to have a search engine that truly works well for the first time ever.
But first we have to stabilize LWN and turn it into a sustainable operation, and an important part of that process is now in the hands of our readers. With sufficient support from you, we can take LWN forward and make it better than ever: a reader-supported community news resource which need not worry about keeping big advertisers happy. If LWN is worthwhile to you, now is the time to act; please consider signing up for a subscription today.
The Native POSIX Thread Library
Readers of the LWN Kernel Page have been aware of the intensive effort to improve threading performance on Linux - at least from the kernel point of view. Now, with the announcement of version 0.1 of the Native POSIX Thread Library (NPTL), the user-space side of this project has come into view. This article will take a look at the technical and performance aspects of NPTL; the next will wander briefly into the political issues.Threads, of course, are processes (or something that looks like processes) that share an address space and various other resources. Multi-threaded applications can be tricky to write (they end up presenting the same sorts of problems with race conditions that operating system programmers have to deal with), but they can be a good solution to a number of programming challenges. Your web browser, for example, likely keeps one thread around to respond quickly to user events (mouse clicks and such) while another thread downloads a web page and yet another one renders it onto the screen. Java programs also tend to be highly threaded. Some applications can create many thousands of threads; obviously, such applications can only be reasonably run on systems with top-quality thread support.
Threading can be implemented entirely in user space, in kernel space, or a combination of both. User-space threads are traditionally lighter weight, since they do not require system calls and do not run in independent processes. They can be tricky to make work in all situations, however, and a pure user-space implementation can not make good use of multiprocessor systems, since all threads run within a single process. So most operating systems provide some degree of kernel support for threading. Linux has long had this support via the flexible clone() system call, which allows a great deal of control over which resources are to be shared with the new thread, and which are to be private.
Pure kernel-based threads are often perceived as being slow, however, since the kernel scheduler must be invoked to switch between threads. So conventional wisdom has often said that the best way to get good thread performance is with the "M:N model." M:N is a hybrid approach, where M user space threads run on each of N kernel threads. The multiple kernel threads allow the application to use all processors on the system, while keeping the performance benefits of doing (most) switching between user-space threads. Many people have said that the key to fixing the (not great) performance of Linux threads is adopting the M:N approach.
So it is interesting to note that NPTL has, instead, stayed with the 1:1 pure kernel thread model. NPTL authors Ulrich Drepper and Ingo Molnar took a close look at the problem, and came to the conclusion that 1:1 was, in the end, the more promising approach. Their reasoning can be found in the NPTL white paper (available in PDF format); the main points are:
- The kernel problems which slow down thread performance can be
eliminated; that has been the focus of Ingo Molnar's work.
- An M:N threading implementation requires two schedulers: the usual
kernel scheduler, and a user-space implementation. Getting the two to
work together for best performance is difficult - especially if you do
not want to impact performance for the system as a whole. Rather than
duplicate the scheduling function, the NPTL implementers felt it was
better to use the (highly optimized) kernel scheduler exclusively.
- Signal handling is the bane of many threading implementations, and
M:N implementations have an even harder time of it. The 1:1 model
leaves signal handling in the kernel.
- User-space threading implementations have to go to great length to ensure that one thread, when it performs a blocking operation, does not block all threads running under that process; this can be a complex task. Kernel-based threads naturally schedule (and block) independently of each other.
Finally, the 1:1 implementation is generally simpler, since user space need not duplicate functionality already found in the kernel.
Of course, all of that means little if the 1:1 model is unable to perform
up to expectations. The benchmarking process has just begun, but the
initial signs are encouraging. Ingo ran one
![[Benchmark results]](http://old.lwn.net/images/ns/thread-chart-sm.jpg)
test where he started up and ran 100,000 concurrent threads - in less
than two seconds. This test would have taken about 15 minutes before
the threading improvements went into the kernel.
Ulrich Drepper has posted some other benchmarks which mostly measure thread creation and shutdown time; some of his results can be seen in the chart to the right.. Such a test should naturally favor the M:N model, since user-space thread creation and destruction can be performed without any system calls. And, in fact, the M:N Next Generation POSIX Threading (NGPT) implementation beat standard Linux threads by at least a factor of two in these tests. The NPTL library, however, beat NGPT by about a factor of four. So the initial indications are that NPTL can deliver the goods. And this is only the 0.1 release.
On the NPTL process
At the first encounter, the Native POSIX Thread Library looks like ideal grist for the Red Hat basher's mill. The library appears to have sprung fully formed from the head of glibc maintainer (and Red Hat employee) Ulrich Drepper, who has made his plans clear:
Installing this library is not easy, since it requires some fairly bleeding-edge software: a 2.5.36 kernel, gcc 3.2, and a current glibc 2.3 snapshot. In fact, the "only environment known to date which works" is an updated version of the "(Null)" Red Hat beta. And, of course, this development has seemingly ignored the longstanding efforts of the Next Generation POSIX Threading project, which is at release 2.0.2.
A certain (relatively small) amount of grumbling along these lines has been seen on the net. But it's uncalled for.
NPTL was developed independently from NGPT for a straightforward reason: the NPTL developers wanted to try a very different approach. NGPT is designed around the M:N model, which, as noted above, NPTL avoids. There was no way to integrate the NPTL approach into NGPT without massive changes. The NPTL developers did, however, work with the NGPT hackers with regard to the kernel changes; those enhancements will benefit both projects in the end.
A new library at version 0.1 can probably be forgiven for using bleeding-edge tools; it is a bleeding-edge tool, after all. By the time NPTL has stabilized, the environments available to users will have caught up substantially. Ingo Molnar, author of the kernel side of the NPTL work, tells us that he intends to backport the kernel changes to the 2.4 kernel once things have stabilized in 2.5. (Whether 2.4 maintainer Marcelo Tosatti will accept them is a separate issue, of course).
And, in the end, this development has been going on for less than two months - it is a very new initiative.
This development shows some of the best aspects of the free software model. Two hackers with some good ideas have proved those ideas in the way the community accepts best: with code. We will all benefit from this work.
Looking the OpenSSL gift horse in the mouth
Sun's announcement of its donation of an elliptic curve encryption implementation to the OpenSSL project was generally well received. After all, the donation of more open source code has got to be a good thing. As it turns out, however, some people are looking at this gift and wondering how free it really is.If you look at the OpenSSL LICENSE file in the current snapshot, nothing has changed; it's a fairly straightforward BSD-style license. But the Sun-contributed code contains its own license text which differs from the OpenSSL license. In particular, it contains this rather impenetrable language:
One would that Sun, by virtue of having released the code under a free license, would have given up the right to sue people for using that code. This clause, however, seems to put a string on it: Sun explicitly says it won't sue, but only if you don't sue them either. The limitation seems to only apply to suits over the elliptical curve code itself, but it's hard to say for sure; the language is not all that clear.
For those who object to this language, the distinction does not matter. If you start attaching strings to free code, they say, it is no longer free. The most vocal of the dissenters is, of course, OpenBSD hacker Theo de Raadt, who states:
Theo has gone as far as suggesting a fork in the OpenSSL project as a way of maintaining a version that is, to his eyes, truly free.
Whether or not this particular bit of language bothers people, there is an issue here: companies often have a hard time resisting the temptation to attach their own language to free software licenses. The tendency toward custom licenses for each company and project has subsided somewhat, but it is not completely gone. It will always be necessary to scrutinize software licenses carefully, whether they are presented as free or not.
The Lulu Tech Circus
For those of you who are curious about what Bob Young has been up to since he left Red Hat: the Lulu Tech Circus is happening in Raleigh, NC starting September 27. It has the look of a fun event for people who like to play with free software, and with cool technology in general. Wish we could be there...
Page editor: Jonathan Corbet
Security
Thanks for reading
This is my last week as LWN.net's Security Page Editor. I've opted to pass the Security Page duties on to an excellent editor so I can focus my time for LWN.net on administrivia and infrastructure issues."Thank You" to everyone who has read the security page this year. I'll miss the pleasure of providing you with our weekly security summary.
Safe Travels,
Dennis Tenney, LWN.net Dude
Security news
OpenSSL worm in the news
The OpenSSL worm, has been referred to in various reports as Apache/mod_ssl worm, linux.slapper.worm, bugtraq.c worm and Modap worm. Please check out last week's security page for more information.This week CNET continued their coverage with a report that the worm "has reached a plateau after infecting about 7,000 servers and turning the hosts into a peer-to-peer network that could be used to attack other computers."
Personal Computer World covers the recent Slapper C varient "which, has infected 1,500 servers already and is spreading, although a source point has not been identified at this time."
Open-source group gets Sun security gift (CNET News.com)
CNET covers the recent donation by Sun of their "elliptic curve" cryptography technology to the open source community. "Elliptic curve cryptography will enable secure communications with devices that don't have as much calculating power as most desktop computers, said Whitfield Diffie, Sun's chief security officer and a pioneer of the Diffie-Hellman "public key" cryptography method used today in SSL and other encryption systems."
London man charged with making virus (Reuters)
Reuters News Agency reports the arrest of the suspected author of "the malicious "T0rn" virus that attacked Linux computer systems". The suspect was assested at his home in Surbiton, southwest of London, England.
Security reports
phpWebSite 0.8.3 fixes PHP source injection vulnerability
Tim Vandermeersch reports a PHP source injection vulnerabilty in phpWebSite which is fixed in version 0.8.3. Upgrading is recommended; the vulnerability allows remote execution of arbitrary PHP code by an attacker.
Xoops RC3 script injection vulnerability
David Suzanne reports a script injection vulnerability in Xoops RC3; the current version.
JAWmail cross-site scripting vulnerabilities
Ulf Harnhammar reports cross-site scripting vulnerabilities in JAWmail 1.0-rc1. Versions 2.0-rc1 and later are not vulnerable.
Squirrel Mail 1.2.8 fixes cross site scripting vulnerabilities
SquirrelMail 1.2.8 fixes all of the cross site scripting vulnerabilities described in this post.
New vulnerabilities
Multiple vulnerabilities in Zope 2.5.1
| Package(s): | zope | CVE #(s): | CAN-2002-0170 CAN-2002-0687 CAN-2002-0688 | |||
| Created: | September 25, 2002 | Updated: | September 25, 2002 | |||
| Description: | Three security hotfixes are available to fix vulnerabilities in
Zope 2.5.1:
| |||||
| Alerts: |
| |||||
Tomcat 4.x JSP source code exposure vulnerability
| Package(s): | tomcat | CVE #(s): | ||||||||||||||||
| Created: | September 25, 2002 | Updated: | January 29, 2003 | |||||||||||||||
| Description: | Rossen Raykov reports that Tomcat 4.0.5 and 4.1.12 fix a JSP source code exposure vulnerability
in "Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also).".
The current version of Tomcat is available here.
Tomcat is the servlet container that is used in the official
Reference Implementation for the
Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by Sun
under the Java
Community Process.
| |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Updated vulnerabilities
LPRng accepts jobs from any host.
| Package(s): | LPRng | CVE #(s): | CAN-2002-0378 | |||||||||
| Created: | June 12, 2002 | Updated: | October 31, 2002 | |||||||||
| Description: | Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host.
This could be an especially annoying vulnerability for adminstrators with systems exposed to the general public. | |||||||||||
| Alerts: |
| |||||||||||
OpenSSL remotely-exploitable buffer overflow vulnerabilities
| Package(s): | OpenSSL | CVE #(s): | CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 30, 2002 | Updated: | September 24, 2002 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Four remotely-exploitable buffer overflows were found in OpenSSL versions 0.9.7 and 0.9.6d and earlier by a DARPA sponsored security audit.
Both client and server applications are affected.
The vulnerabilities are described in this security alert from the OpenSSL team.
A nasty exploit for one of the vulnerabilities is described in CERT Advisory CA-2002-27 Apache/mod_ssl Worm.
Compromise by the Apache/mod_ssl worm indicates that a remote attacker
can execute arbitrary code as the apache user on the victim system. It
may be possible for an attacker to subsequently leverage a local
privilege escalation exploit in order to gain root access to the
victim system. Furthermore, the DDoS capabilities included in the
Apache/mod_ssl worm allow victim systems to be used as platforms to
attack other systems.
If you haven't already, applying an update is a very good thing to do today. Mitel Networks has an update available which closes this vulnerabilty for their SME Server software. CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Safemode vulnerability in PHP
| Package(s): | PHP | CVE #(s): | CAN-2001-1246 | ||||||||||||
| Created: | August 20, 2002 | Updated: | October 9, 2002 | ||||||||||||
| Description: | PHP versions 4.0.5 through 4.1.0 fail to properly cleanse a parameter to the mail() function, allowing arbitrary command execution by local and (possibly) remote attackers. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Buffer overflow vulnerabilities in PostgreSQL
| Package(s): | PostgreSQL | CVE #(s): | ||||||||||||||||||||||||||||
| Created: | August 21, 2002 | Updated: | January 27, 2003 | |||||||||||||||||||||||||||
| Description: | PostgreSQL 7.2.2 has been released in response to a number of buffer
overrun vulnerabilities which have been identified recently. "...it
should be noted that these vulnerabilities are only critical on 'open' or
'shared' systems, as they require the ability to be able to connect to the
database before they can be exploited."
Buffer overflow vulnerabilities fixed include those reported by "Sir Mordred The Traitor" in the cash_words, repeat, and lpad and rpad functions. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
Heap corruption vulnerability in at
| Package(s): | at at, sudo, xchat | CVE #(s): | CAN-2002-0004 | |||||||||||||||||||||||||||
| Created: | May 21, 2002 | Updated: | May 15, 2003 | |||||||||||||||||||||||||||
| Description: | The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th). | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc | CVE #(s): | CAN-2002-0651 CAN-2002-0684 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 8, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely." CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
Potential unauthorized root access vulnerability in dietlibc
| Package(s): | dietlibc | CVE #(s): | CAN-2002-0391 | |||||||||
| Created: | August 14, 2002 | Updated: | December 5, 2002 | |||||||||
| Description: | Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library with is used in
dietlibc, a libc optimized for small size.
The bug could be exploited to gain unauthorized root
access to software linking to dietlibc.
CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream | |||||||||||
| Alerts: |
| |||||||||||
Ethereal buffer overflow, infinite loop and memory management vulnerabilities
| Package(s): | ethereal | CVE #(s): | CAN-2002-0012 CAN-2002-0013 CAN-2002-0353 CAN-2002-0401 CAN-2002-0402 CAN-2002-0403 CAN-2002-0404 | |||||||||||||||
| Created: | June 12, 2002 | Updated: | October 27, 2002 | |||||||||||||||
| Description: | Ethereal 0.9.4
was released
on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
No known exploits exist "in the wild" at the present time for any of these issues. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Filename disclosure vulnerability in fam
| Package(s): | fam | CVE #(s): | CAN-2002-0875 | ||||||
| Created: | August 19, 2002 | Updated: | January 5, 2005 | ||||||
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. | ||||||||
| Alerts: |
| ||||||||
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp | CVE #(s): | CAN-2002-0435 | ||||||||||||||||||
| Created: | May 21, 2002 | Updated: | May 16, 2003 | ||||||||||||||||||
| Description: | A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2). | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Potential remote root exploit in glibc
| Package(s): | glibc | CVE #(s): | CAN-2002-0391 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | August 14, 2002 | Updated: | June 29, 2003 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
Buffer overflow in groff
| Package(s): | groff | CVE #(s): | CAN-2002-0003 | ||||||||||||||||||
| Created: | May 21, 2002 | Updated: | December 9, 2002 | ||||||||||||||||||
| Description: | The groff package has a buffer overflow vulnerability; if it is used with the print system, it is conceivably exploitable remotely. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
HylaFAX 4.1.3 fixes multiple vulnerabilities
| Package(s): | hylafax | CVE #(s): | CAN-2001-1034 | |||||||||
| Created: | July 30, 2002 | Updated: | October 9, 2002 | |||||||||
| Description: | The HylaFAX team has
released version 4.1.3 fixing
denial of service, elevated system privilege and possible
remote code execution vulnerabilities.
HylaFAX is a mature (est. 1991) enterprise-class open-source software
package for sending and receiving facsimiles as well as for sending
alpha-numeric pages. It runs on a wide variety of UNIX-like platforms
including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX,
AIX, and HP-UX.
| |||||||||||
| Alerts: |
| |||||||||||
UW imapd remotely exploitable buffer overflow
| Package(s): | imap | CVE #(s): | CAN-2002-0379 | |||||||||||||||||||||||||||
| Created: | June 5, 2002 | Updated: | December 20, 2002 | |||||||||||||||||||||||||||
| Description: | UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft a request to run commands on the server under their UID and GID. (First LWN report: May 23). | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
Cross-site scripting vulnerability in Konqueror for KDE 3.0.3
| Package(s): | kdelibs | CVE #(s): | |||||||||||||
| Created: | September 17, 2002 | Updated: | November 18, 2002 | ||||||||||||
| Description: | Konqueror for KDE 3.0.3, and earlier versions, is subject to this cross-site scripting vulnerability. Since the problem is in kdelibs, any other application which uses the KHTML renderer is also vulnerable. Javascript code running in one frame can access other frames which should be inaccessible. The problem is fixed in kdelibs 3.0.3a. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Kerberos 5 unauthorized root access to KDC host vulnerability
| Package(s): | krb5 | CVE #(s): | ||||||||||
| Created: | August 14, 2002 | Updated: | October 29, 2002 | |||||||||
| Description: | A bug in the Kerberos 5 remote
administration service, "kadmind", could be
exploited to gain unauthorized root access to a KDC host.
It is believed that the attacker needs to be able to
authenticate to the kadmin daemon for this attack to be successful.
Felix von Leitner, discovered this potential division by zero bug in code derived from the SunRPC library which is used in many places, including the Kerberos 5 administration system. Updating now is recommended. CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream | |||||||||||
| Alerts: |
| |||||||||||
Cross-site scripting vulnerability in mhonarc
| Package(s): | mhonarc | CVE #(s): | CAN-2002-0738 CAN-2002-1307 CAN-2002-1388 | |||||||||
| Created: | September 11, 2002 | Updated: | January 3, 2003 | |||||||||
| Description: | Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to cross-site scripting problems when presented with maliciously crafted messages. This problem is fixed in mhonarc version 2.5.3, but it is not clear that all possible vulnerabilities have been fixed. See the Debian advisory below for information on how to disable text/html attachment support in mhonarc, which may be a more secure solution. | |||||||||||
| Alerts: |
| |||||||||||
PHP Remote Compromise/DOS Vulnerability
| Package(s): | mod_php4 | CVE #(s): | ||||
| Created: | July 22, 2002 | Updated: | February 18, 2003 | |||
| Description: | PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which
can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.
According to the CERT Advisory, almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP. Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1 installed, is to upgrade to PHP 4.2.2. For more information see the alert from the discover of the vulnerability, Stefan Esser of e-matters GmbH, or the security advisory from the php team. CERT Advisory: CA-2002-21 Vulnerability in PHP | |||||
| Alerts: |
| |||||
Mozilla XMLHttpRequest file disclosure vulnerability
| Package(s): | mozilla | CVE #(s): | CAN-2002-0354 | |||||||||
| Created: | May 21, 2002 | Updated: | October 18, 2002 | |||||||||
| Description: | This XMLHttpRequest security bug impacts all Mozilla-based browsers. "The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms, and in Netscape versions 6.1 and higher." (First LWN report: May 2). | |||||||||||
| Alerts: |
| |||||||||||
String format bug in pam_ldap logging
| Package(s): | nss_ldap | CVE #(s): | CAN-2002-0374 | ||||||||||||
| Created: | June 5, 2002 | Updated: | October 29, 2002 | ||||||||||||
| Description: | The nss_ldap package includes the pam_ldap module for authenticating a user with an LDAP database. Pam_ldap versions prior to 144 have a string format bug in the logging mechanism. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Remotely exploitable vulnerability in pine
| Package(s): | pine | CVE #(s): | CAN-2002-0014 | ||||||||||||||||||
| Created: | May 21, 2002 | Updated: | November 27, 2002 | ||||||||||||||||||
| Description: | Pine has an
unpleasant
vulnerability in URL handling vulnerability which can lead to
command execution by remote attackers.
(First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea. Note: If an update isn't yet available for your distribution, setting enable-msg-view-urls to "off" in pine's setup will avoid the vulnerability. (Thanks to Greg Herlein). | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Buffer overflow vulnerabilities in purity
| Package(s): | purity | CVE #(s): | ||||
| Created: | September 17, 2002 | Updated: | September 25, 2002 | |||
| Description: | It seems that the "purity" game isn't entirely pure itself - a couple of buffer overflows have been found which could be exploited to gain access to the "games" group on Debian systems. Rather than face the prospect of people tampering with their nethack scores, the Debian Project released the first upgrade closing the vulnerability. | |||||
| Alerts: |
| |||||
PXE server denial of service vulnerability
| Package(s): | pxe | CVE #(s): | CAN-2002-0835 | |||||||||
| Created: | September 4, 2002 | Updated: | November 11, 2002 | |||||||||
| Description: | The PXE server can be crashed using DHCP packets from
some Voice Over IP (VOIP) phones. Maliciously formed
DHCP packets could be used by a remote attacker to effect a
denial of service attack.
The PXE package contains the PXE (Preboot eXecution Environment)
server and code needed for Linux to boot from a boot disk image on a
Linux PXE server.
| |||||||||||
| Alerts: |
| |||||||||||
Local arbitrary code execution vulnerability in Python
| Package(s): | python | CVE #(s): | CAN-2002-1119 | |||||||||||||||||||||||||||||||||
| Created: | August 28, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||||||||
| Description: | Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
Sharutils potential privilege escalation using uudecode
| Package(s): | sharutils | CVE #(s): | CAN-2002-0178 | ||||||||||||||||||
| Created: | May 21, 2002 | Updated: | October 30, 2002 | ||||||||||||||||||
| Description: | According to the CVE entry, "uudecode, as available in the sharutils package before 4.2.1, does not check whether the filename of the uudecoded file is a pipe or symbolic link, which could allow attackers to overwrite files or execute commands." (First LWN report: May 16). | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Multiple vulnerabilities fixed in Squid-2.4.STABLE7
| Package(s): | squid | CVE #(s): | |||||||||||||||||||
| Created: | July 8, 2002 | Updated: | November 15, 2002 | ||||||||||||||||||
| Description: | Here is the security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE7.
Several of the bugs are believed to allow remote code execution.
The security advisory lists the following changes:
| ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Tcl/Tk local root vulnerability
| Package(s): | tcltk expect | CVE #(s): | CAN-2001-1374 CAN-2001-1375 | |||||||||
| Created: | August 14, 2002 | Updated: | September 24, 2002 | |||||||||
| Description: | Tcl/Tk searches for its libraries in the current working
directory before other directories.
A local user could
execute arbitrary code by inserting a Trojan horse library
in the current working directory.
Versions of the expect application prior to 5.32, search for its libraries in /var/tmp before searching in other directories. A local user could gain root privleges by inserting a Trojan horse library in /var/tmp and then getting the root user to run mkpasswd. | |||||||||||
| Alerts: |
| |||||||||||
Malformed NFS packet buffer overflow vulnerability in tcpdump
| Package(s): | tcpdump | CVE #(s): | CAN-2002-0380 | |||||||||||||||||||||
| Created: | June 5, 2002 | Updated: | October 9, 2002 | |||||||||||||||||||||
| Description: | A buffer overflow in tcpdump can be triggered by a bad NFS packet when tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 | CVE #(s): | |||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 21, 2002 | Updated: | October 5, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Local root vulnerability in chfn
| Package(s): | util-linux | CVE #(s): | CAN-2002-0638 | |||||||||||||||||||||
| Created: | July 29, 2002 | Updated: | October 30, 2002 | |||||||||||||||||||||
| Description: | chfn (change finger information) is one of the utilities in
the util-linux package.
The BindView RAZOR Team has discovered a local root vulnerability
in chfn which is described in the Bindview Advisory.
Under certain conditions, "a carefully crafted attack sequence can be performed to exploit a complex file locking and modification race present in this utility, and, as a result, alter /etc/passwd to escalate privileges in the system." The conditions include a password file, /etc/passwd, over 4 kilobytes and locating the attacker's account record in any but the last 4 kB chunk of the file. CERT/CC Vulnerability Note VU#405955 util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
webalizer: reverse DNS buffer overflow vulnerability
| Package(s): | webalizer | CVE #(s): | ||||||||||||||||
| Created: | May 21, 2002 | Updated: | January 27, 2003 | |||||||||||||||
| Description: | The cause is a buffer overflow bug. This one sounds nasty. If reverse DNS lookups are enabled in webalizer, "an attacker with control over the victims DNS may spoof responses thus triggering a buffer overflow, potentially leading to a root compromise." Webalizer 2.01-10 "fixes this and a few other buglets that have been discovered in the last month or so". (First LWN report: April 18th, 2002). | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Webmin/Usermin vulnerabilities
| Package(s): | webmin | CVE #(s): | ||||||||||
| Created: | May 21, 2002 | Updated: | January 10, 2003 | |||||||||
| Description: | Webmin is a web-based interface for
system administration for Unix.
Webmin has cross-site scripting and
session ID spoofing vulnerabilities
which are fixed in the May 6, 2002 release of version 0.970.
(First LWN
report: May 9).
This one is scary. The session ID spoofing vulnerability allows the "possibility that arbitrary commands may be executed with root privileges." Upgrading is strongly recommended. At a minimum avoid the "preconditions for a successful exploit" by disabling password timeouts under Webmin->Configuration->Authentication. | |||||||||||
| Alerts: |
| |||||||||||
Multiple vulnerabilities in wordtrans
| Package(s): | wordtrans | CVE #(s): | CAN-2002-0837 | |||
| Created: | September 11, 2002 | Updated: | February 4, 2003 | |||
| Description: | The "wordtrans" interface to multilingual dictionaries suffers from input validation and cross-site scripting vulnerabilities; versions through 1.1pre8 are vulnerable. See this Guardent advisory for details. | |||||
| Alerts: |
| |||||
Problems with libgtop_daemon
| Package(s): | wuftpd libgtop | CVE #(s): | |||||||||||||
| Created: | May 21, 2002 | Updated: | May 7, 2003 | ||||||||||||
| Description: |
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run libgtop by default, but applying the update is a good idea anyway. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Wwwoffle remote privilege escalation vulnerability
| Package(s): | wwwoffle | CVE #(s): | CAN-2002-0818 | |||||||||
| Created: | August 14, 2002 | Updated: | October 1, 2003 | |||||||||
| Description: | The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with negative Content Length values. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on." | |||||||||||
| Alerts: |
| |||||||||||
xchat IC server based dns query vulnerability
| Package(s): | xchat | CVE #(s): | CAN-2002-0382 | |||||||||||||||
| Created: | June 5, 2002 | Updated: | September 24, 2002 | |||||||||||||||
| Description: | A malicious IRC server may return a response to a /dns query that executes arbitrary commands with the privileges of the user running XChat. Versions of XChat prior to 1.8.9 are vulnerable. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Local privilege escalation vulnerability in XFree86
| Package(s): | xf86 xfree86 | CVE #(s): | |||||||||||||
| Created: | September 18, 2002 | Updated: | October 27, 2002 | ||||||||||||
| Description: | XFree86 version 4.2.1 fixes a problem in Xlib that made it possible to execute arbitrary code in privileged clients. Other libraries are dynamically loaded by libX11.so as needed. When linking against a setuid program, arbitrary code could be loaded and executed from a pathname controlled by the user. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Denial of service vulnerability in xinetd
| Package(s): | xinetd | CVE #(s): | ||||||||||||||||
| Created: | August 14, 2002 | Updated: | December 3, 2002 | |||||||||||||||
| Description: | A file descriptor leak into services started from xinetd may be used, by programs it stats, to crash xinetd. Xinetd is a replacement for the BSD derived inetd. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Resources
OWASP Guide to Building Secure Web Applications v1.1
The Open Web Application Security Project announces the release of an updated version of the Open Web Application Security Project Guide to Building Secure Web Applications. The guide is available from here in PDF and HTML format.
Linux Security Week and Advisory Watch
The September 23rd Linux Security Week and September 20th Linux Advisory Watch newsletters from LinuxSecurity.com are available.
RATS 2.0 released
The RATS Team announces the release of RATS 2.0.
The Art of Unspoofing
Sean Trifero and Brian Knox have published The Art of Unspoofing, an article on various ways to detect who might be behind a DoS attack. A post of the article garnered this response by Sean Trifero to some pointed comments.
Events
CanSecWest/core03 call for papers
CanSecWest/core03 computer security training conference will be held April 16-18 2003 in Vancouver, British Columbia, Canada.
ToorCon 2002 Conference in San Diego this weekend
The ToorCon 2002 folks sent out a reminder that the conference is this weekend!ToorCon 2002 will be held September 27-29th in San Diego, CA, USA.
A Gathering of Big Crypto Brains (Wired)
Wired reports on the annual COSAC conference held recently in Naas, Ireland.
Upcoming Security Events
| Date | Event | Location |
|---|---|---|
| September 26, 2002 | New Security Paradigms Workshop 2002 | (The Chamberlain Hotel)Hampton, Virginia, USA |
| September 27 - 29, 2002 | ToorCon 2002 | (San Diego Concourse)San Diego, CA, USA |
| October 16 - 18, 2002 | Recent Advances in Intrusion Detection 2002(RAID 2002) | Zurich, Switzerland |
| October 17, 2002 | ShadowCon 2002 | NSWC Dahlgren, VA |
| November 26 - 27, 2002 | HiverCon 2002 | (Burlington Hotel)Dublin, Ireland |
For additional security-related events, included training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.
Page editor: Dennis Tenney
Kernel development
Release status
Kernel release status
The current development kernel is 2.5.38, which was released by Linus on September 21. It contains a bunch of IA-64 updates, more partition handling and filesystem work, a JFS update, some IDE changes, and a few important bug fixes. The long-format changlog is available with the details.Linus released 2.5.37 on September 20. Among other things, this release included a bunch more memory management and performance work from Andrew Morton, James Bottomley's x86 "subarchitecture" work (finally), an ACPI update, more threading performance work, an IrDA update, some IDE and block I/O enhancements, some device model work, various architecture updates, and the removal of Keith Owens from the MAINTAINERS file. Again, see the long-format changelog for the details.
Linus's BitKeeper tree, which will become 2.5.39, contains some preemptible kernel fixes, a temporary disk elevator fix to deal with some performance problems (see below for the likely form of the real fix), some thread fixups, a USB update, more VM and block I/O work, an ISDN update, the removal of the global blk_size array (Al Viro: "it is an ex-parrot"), and various other fixes and updates.
The current stable kernel is 2.4.19; there have been no 2.4.20 prepatches or -ac patches over the last week.
Kernel development news
Some followups from last week
Andrew Morton sent us a note stating that last week's discussion of the new API for putting processes to sleep missed an important objective of that work. The new interface is nice, but what he was really setting out to do was to improve wakeup performance. The new code removes waiting processes from the wait queue immediately at wakeup time, rather than letting the processes remove themselves whenever they get around to it. The result is that subsequent wakeups, if they come quickly, will run faster because they do not need to deal with processes that have already been awakened.We also mentioned, last week, a posting on the leading-edge features used in the TPC benchmark results posted by HP. Lest anybody think that HP was using a highly patched, special-purpose kernel, they have posted a followup stating that a stock Red Hat kernel (from Advanced Server 2.1) was used in the benchmark runs.
Ingo Molnar's new process ID allocator - and the objections to it - were covered last week. Ingo posted a new version of the patch which addressed some of the complaints, and which was to Linus's liking; it was merged in