LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in Business
Linux in the news
Announcements
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Security news
Here we go again
vnunet has posted another one of its Linux security articles with the same sort of theme:
X-Force, the US-based monitoring group of security software firm
Internet Security Systems, has been tracking the number of security
holes in software. Last year the centre found 149 bugs in
Microsoft software compared to 309 for Linux. This year the
situation was worse, with 485 Linux bugs this year compared to
Microsoft's 202.
Nobody would try to argue that Linux is free of security holes - anybody who thinks so need only read the rest of this page to learn otherwise. But the above comparison is absolutely meaningless for a number of reasons:
- Each distribution is counted independently. The same vulnerability in
five distributions will count as five separate vulnerabilities. This
practice, of course, inflates the number of reported Linux problems.
- Linux vulnerabilities include those in applications (i.e. PostgreSQL)
which are not part of a standard Windows system.
- Most Linux vulnerabilities are found through code audits and similar efforts; they are patched and reported before any exploits happen. Any Windows bugs found through similar audits are fixed silently and do not appear in these counts.
Articles like this one try to make it appear that Linux has worse security problems than other operating systems. If you look, however, at the amount of actual security pain suffered by Linux administrators, the story is different. Linux security is nowhere near as good as it really should be, but it's not as bad as some people would like to make it out to be.
Red Hat and Dell host open source security summit
Red Hat and Dell have announced that an "open source security summit" will be held on October 29 in Washington, DC. "The Security Summit will provide an open forum to discuss and explore how open source technologies, methodologies, tools, and support processes meet the challenges of securing networks and computer systems."
New vulnerabilities
Apache 2.0 cross-site scripting vulnerability
| Package(s): | apache | CVE #(s): | CAN-2002-0840 |
| Created: | October 2, 2002 | Updated: | October 2, 2002 |
| Description: | Versions of Apache 2.0 prior to 2.0.43 have a cross-site scripting vulnerability in the error page handling code. If you are running Apache 2.0, this one is worth fixing. | ||
| Alerts: | (No alerts in the database for this vulnerability) | ||
Multiple vulnerabilities in bugzilla
| Package(s): | bugzilla | CVE #(s): | ||||
| Created: | October 2, 2002 | Updated: | October 9, 2002 | |||
| Description: | The Bugzilla bug tracking system (versions prior to 2.14.4 or 2.16.1) suffers from a number of vulnerablities, including one which could result in remote command and SQL injection. An upgrade to 2.16.1 is recommended, since the 2.14 branch will be unmaintained after the end of the year. See the Bugzilla advisory for details. | |||||
| Alerts: |
| |||||
Another set of fetchmail buffer overflows
| Package(s): | fetchmail fetchmail-ssl | CVE #(s): | ||||||||||||||||||||||||||||
| Created: | October 1, 2002 | Updated: | December 17, 2002 | |||||||||||||||||||||||||||
| Description: | e-matters GmbH has issued an advisory warning of a new set of buffer overflows in the fetchmail header parsing code. The vulnerabilities have been fixed in fetchmail 6.1.0. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
Buffer overflow in gv
| Package(s): | gv | CVE #(s): | CAN-2002-0838 | ||||||||||||||||||||||||
| Created: | October 1, 2002 | Updated: | November 25, 2002 | ||||||||||||||||||||||||
| Description: | gv, a graphical front end to ghostscript, has a buffer overflow vulnerability which can be exploited by a properly crafted PostScript or PDF file. If a user can be tricked into viewing such a file, arbitrary code can be executed with that user's privileges. See this iDEFENSE advisory for the details. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
Buffer overflows in heimdal
| Package(s): | heimdal | CVE #(s): | |||||||
| Created: | October 1, 2002 | Updated: | October 17, 2002 | ||||||
| Description: | A SuSE security team audit of the heimdal Kerberos implementation turned up sever buffer overflow vulnerabilities. No exploits are known as of this writing, but these vulnerabilities are almost certainly possible for a remote attacker to exploit; if you are running heimdal, you should upgrade at the first opportunity. | ||||||||
| Alerts: |
| ||||||||
sendmail smrsh bypass vulnerability
| Package(s): | sendmail | CVE #(s): | CAN-2002-1165 | ||||||||||||
| Created: | October 2, 2002 | Updated: | November 29, 2002 | ||||||||||||
| Description: | iDEFENSE has posted an advisory warning of a couple of ways of bypassing the restrictions imposed by the sendmail "smrsh" utility. smrsh puts limits on which programs a user may run out of a .forward file; this vulnerability could give a local user undesired access to the mail server system. A patch has been made available from sendmail.org which closes the vulnerability. | ||||||||||||||
| Alerts: |
| ||||||||||||||
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip | CVE #(s): | CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399 | |||||||||||||||||||||||||||
| Created: | October 1, 2002 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
Updated vulnerabilities
LPRng accepts jobs from any host.
| Package(s): | LPRng | CVE #(s): | CAN-2002-0378 | |||||||||
| Created: | June 12, 2002 | Updated: | October 31, 2002 | |||||||||
| Description: | Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host.
This could be an especially annoying vulnerability for adminstrators with systems exposed to the general public. | |||||||||||
| Alerts: |
| |||||||||||
Safemode vulnerability in PHP
| Package(s): | PHP | CVE #(s): | CAN-2001-1246 | ||||||||||||
| Created: | August 20, 2002 | Updated: | October 9, 2002 | ||||||||||||
| Description: | PHP versions 4.0.5 through 4.1.0 fail to properly cleanse a parameter to the mail() function, allowing arbitrary command execution by local and (possibly) remote attackers. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Buffer overflow vulnerabilities in PostgreSQL
| Package(s): | PostgreSQL | CVE #(s): | ||||||||||||||||||||||||||||
| Created: | August 21, 2002 | Updated: | January 27, 2003 | |||||||||||||||||||||||||||
| Description: | PostgreSQL 7.2.2 has been released in response to a number of buffer
overrun vulnerabilities which have been identified recently. "...it
should be noted that these vulnerabilities are only critical on 'open' or
'shared' systems, as they require the ability to be able to connect to the
database before they can be exploited."
Buffer overflow vulnerabilities fixed include those reported by "Sir Mordred The Traitor" in the cash_words, repeat, and lpad and rpad functions. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
Heap corruption vulnerability in at
| Package(s): | at at, sudo, xchat | CVE #(s): | CAN-2002-0004 | |||||||||||||||||||||||||||
| Created: | May 21, 2002 | Updated: | May 15, 2003 | |||||||||||||||||||||||||||
| Description: | The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th). | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc | CVE #(s): | CAN-2002-0651 CAN-2002-0684 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 8, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely." CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
Potential unauthorized root access vulnerability in dietlibc
| Package(s): | dietlibc | CVE #(s): | CAN-2002-0391 | |||||||||
| Created: | August 14, 2002 | Updated: | December 5, 2002 | |||||||||
| Description: | Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library with is used in
dietlibc, a libc optimized for small size.
The bug could be exploited to gain unauthorized root
access to software linking to dietlibc.
CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream | |||||||||||
| Alerts: |
| |||||||||||
Ethereal buffer overflow, infinite loop and memory management vulnerabilities
| Package(s): | ethereal | CVE #(s): | CAN-2002-0012 CAN-2002-0013 CAN-2002-0353 CAN-2002-0401 CAN-2002-0402 CAN-2002-0403 CAN-2002-0404 | |||||||||||||||
| Created: | June 12, 2002 | Updated: | October 27, 2002 | |||||||||||||||
| Description: | Ethereal 0.9.4
was released
on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
No known exploits exist "in the wild" at the present time for any of these issues. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Filename disclosure vulnerability in fam
| Package(s): | fam | CVE #(s): | CAN-2002-0875 | ||||||
| Created: | August 19, 2002 | Updated: | January 5, 2005 | ||||||
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. | ||||||||
| Alerts: |
| ||||||||
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp | CVE #(s): | CAN-2002-0435 | ||||||||||||||||||
| Created: | May 21, 2002 | Updated: | May 16, 2003 | ||||||||||||||||||
| Description: | A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2). | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Potential remote root exploit in glibc
| Package(s): | glibc | CVE #(s): | CAN-2002-0391 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | August 14, 2002 | Updated: | June 29, 2003 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
Buffer overflow in groff
| Package(s): | groff | CVE #(s): | CAN-2002-0003 | ||||||||||||||||||
| Created: | May 21, 2002 | Updated: | December 9, 2002 | ||||||||||||||||||
| Description: | The groff package has a buffer overflow vulnerability; if it is used with the print system, it is conceivably exploitable remotely. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
HylaFAX 4.1.3 fixes multiple vulnerabilities
| Package(s): | hylafax | CVE #(s): | CAN-2001-1034 | |||||||||
| Created: | July 30, 2002 | Updated: | October 9, 2002 | |||||||||
| Description: | The HylaFAX team has
released version 4.1.3 fixing
denial of service, elevated system privilege and possible
remote code execution vulnerabilities.
HylaFAX is a mature (est. 1991) enterprise-class open-source software
package for sending and receiving facsimiles as well as for sending
alpha-numeric pages. It runs on a wide variety of UNIX-like platforms
including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX,
AIX, and HP-UX.
| |||||||||||
| Alerts: |
| |||||||||||
UW imapd remotely exploitable buffer overflow
| Package(s): | imap | CVE #(s): | CAN-2002-0379 | |||||||||||||||||||||||||||
| Created: | June 5, 2002 | Updated: | December 20, 2002 | |||||||||||||||||||||||||||
| Description: | UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft a request to run commands on the server under their UID and GID. (First LWN report: May 23). | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
Cross-site scripting vulnerability in Konqueror for KDE 3.0.3
| Package(s): | kdelibs | CVE #(s): | |||||||||||||
| Created: | September 17, 2002 | Updated: | November 18, 2002 | ||||||||||||
| Description: | Konqueror for KDE 3.0.3, and earlier versions, is subject to this cross-site scripting vulnerability. Since the problem is in kdelibs, any other application which uses the KHTML renderer is also vulnerable. Javascript code running in one frame can access other frames which should be inaccessible. The problem is fixed in kdelibs 3.0.3a. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Kerberos 5 unauthorized root access to KDC host vulnerability
| Package(s): | krb5 | CVE #(s): | ||||||||||
| Created: | August 14, 2002 | Updated: | October 29, 2002 | |||||||||
| Description: | A bug in the Kerberos 5 remote
administration service, "kadmind", could be
exploited to gain unauthorized root access to a KDC host.
It is believed that the attacker needs to be able to
authenticate to the kadmin daemon for this attack to be successful.
Felix von Leitner, discovered this potential division by zero bug in code derived from the SunRPC library which is used in many places, including the Kerberos 5 administration system. Updating now is recommended. CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream | |||||||||||
| Alerts: |
| |||||||||||
Cross-site scripting vulnerability in mhonarc
| Package(s): | mhonarc | CVE #(s): | CAN-2002-0738 CAN-2002-1307 CAN-2002-1388 | |||||||||
| Created: | September 11, 2002 | Updated: | January 3, 2003 | |||||||||
| Description: | Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to cross-site scripting problems when presented with maliciously crafted messages. This problem is fixed in mhonarc version 2.5.3, but it is not clear that all possible vulnerabilities have been fixed. See the Debian advisory below for information on how to disable text/html attachment support in mhonarc, which may be a more secure solution. | |||||||||||
| Alerts: |
| |||||||||||
PHP Remote Compromise/DOS Vulnerability
| Package(s): | mod_php4 | CVE #(s): | ||||
| Created: | July 22, 2002 | Updated: | February 18, 2003 | |||
| Description: | PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which
can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.
According to the CERT Advisory, almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP. Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1 installed, is to upgrade to PHP 4.2.2. For more information see the alert from the discover of the vulnerability, Stefan Esser of e-matters GmbH, or the security advisory from the php team. CERT Advisory: CA-2002-21 Vulnerability in PHP | |||||
| Alerts: |
| |||||
Mozilla XMLHttpRequest file disclosure vulnerability
| Package(s): | mozilla | CVE #(s): | CAN-2002-0354 | |||||||||
| Created: | May 21, 2002 | Updated: | October 18, 2002 | |||||||||
| Description: | This XMLHttpRequest security bug impacts all Mozilla-based browsers. "The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms, and in Netscape versions 6.1 and higher." (First LWN report: May 2). | |||||||||||
| Alerts: |
| |||||||||||
String format bug in pam_ldap logging
| Package(s): | nss_ldap | CVE #(s): | CAN-2002-0374 | ||||||||||||
| Created: | June 5, 2002 | Updated: | October 29, 2002 | ||||||||||||
| Description: | The nss_ldap package includes the pam_ldap module for authenticating a user with an LDAP database. Pam_ldap versions prior to 144 have a string format bug in the logging mechanism. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Remotely exploitable vulnerability in pine
| Package(s): | pine | CVE #(s): | CAN-2002-0014 | ||||||||||||||||||
| Created: | May 21, 2002 | Updated: | November 27, 2002 | ||||||||||||||||||
| Description: | Pine has an
unpleasant
vulnerability in URL handling vulnerability which can lead to
command execution by remote attackers.
(First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea. Note: If an update isn't yet available for your distribution, setting enable-msg-view-urls to "off" in pine's setup will avoid the vulnerability. (Thanks to Greg Herlein). | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Buffer overflow vulnerabilities in purity
| Package(s): | purity | CVE #(s): | ||||
| Created: | September 17, 2002 | Updated: | September 25, 2002 | |||
| Description: | It seems that the "purity" game isn't entirely pure itself - a couple of buffer overflows have been found which could be exploited to gain access to the "games" group on Debian systems. Rather than face the prospect of people tampering with their nethack scores, the Debian Project released the first upgrade closing the vulnerability. | |||||
| Alerts: |
| |||||
PXE server denial of service vulnerability
| Package(s): | pxe | CVE #(s): | CAN-2002-0835 | |||||||||
| Created: | September 4, 2002 | Updated: | November 11, 2002 | |||||||||
| Description: | The PXE server can be crashed using DHCP packets from
some Voice Over IP (VOIP) phones. Maliciously formed
DHCP packets could be used by a remote attacker to effect a
denial of service attack.
The PXE package contains the PXE (Preboot eXecution Environment)
server and code needed for Linux to boot from a boot disk image on a
Linux PXE server.
| |||||||||||
| Alerts: |
| |||||||||||
Local arbitrary code execution vulnerability in Python
| Package(s): | python | CVE #(s): | CAN-2002-1119 | |||||||||||||||||||||||||||||||||
| Created: | August 28, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||||||||
| Description: | Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
Sharutils potential privilege escalation using uudecode
| Package(s): | sharutils | CVE #(s): | CAN-2002-0178 | ||||||||||||||||||
| Created: | May 21, 2002 | Updated: | October 30, 2002 | ||||||||||||||||||
| Description: | According to the CVE entry, "uudecode, as available in the sharutils package before 4.2.1, does not check whether the filename of the uudecoded file is a pipe or symbolic link, which could allow attackers to overwrite files or execute commands." (First LWN report: May 16). | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Multiple vulnerabilities fixed in Squid-2.4.STABLE7
| Package(s): | squid | CVE #(s): | |||||||||||||||||||
| Created: | July 8, 2002 | Updated: | November 15, 2002 | ||||||||||||||||||
| Description: | Here is the security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE7.
Several of the bugs are believed to allow remote code execution.
The security advisory lists the following changes:
| ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Malformed NFS packet buffer overflow vulnerability in tcpdump
| Package(s): | tcpdump | CVE #(s): | CAN-2002-0380 | |||||||||||||||||||||
| Created: | June 5, 2002 | Updated: | October 9, 2002 | |||||||||||||||||||||
| Description: | A buffer overflow in tcpdump can be triggered by a bad NFS packet when tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 | CVE #(s): | |||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 21, 2002 | Updated: | October 5, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Tomcat 4.x JSP source code exposure vulnerability
| Package(s): | tomcat | CVE #(s): | ||||||||||||||||
| Created: | September 25, 2002 | Updated: | January 29, 2003 | |||||||||||||||
| Description: | Rossen Raykov reports that Tomcat 4.0.5 and 4.1.12 fix a JSP source code exposure vulnerability
in "Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also).".
The current version of Tomcat is available here.
Tomcat is the servlet container that is used in the official
Reference Implementation for the
Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by Sun
under the Java
Community Process.
| |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Local root vulnerability in chfn
| Package(s): | util-linux | CVE #(s): | CAN-2002-0638 | |||||||||||||||||||||
| Created: | July 29, 2002 | Updated: | October 30, 2002 | |||||||||||||||||||||
| Description: | chfn (change finger information) is one of the utilities in
the util-linux package.
The BindView RAZOR Team has discovered a local root vulnerability
in chfn which is described in the Bindview Advisory.
Under certain conditions, "a carefully crafted attack sequence can be performed to exploit a complex file locking and modification race present in this utility, and, as a result, alter /etc/passwd to escalate privileges in the system." The conditions include a password file, /etc/passwd, over 4 kilobytes and locating the attacker's account record in any but the last 4 kB chunk of the file. CERT/CC Vulnerability Note VU#405955 util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
webalizer: reverse DNS buffer overflow vulnerability
| Package(s): | webalizer | CVE #(s): | ||||||||||||||||
| Created: | May 21, 2002 | Updated: | January 27, 2003 | |||||||||||||||
| Description: | The cause is a buffer overflow bug. This one sounds nasty. If reverse DNS lookups are enabled in webalizer, "an attacker with control over the victims DNS may spoof responses thus triggering a buffer overflow, potentially leading to a root compromise." Webalizer 2.01-10 "fixes this and a few other buglets that have been discovered in the last month or so". (First LWN report: April 18th, 2002). | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Webmin/Usermin vulnerabilities
| Package(s): | webmin | CVE #(s): | ||||||||||
| Created: | May 21, 2002 | Updated: | January 10, 2003 | |||||||||
| Description: | Webmin is a web-based interface for
system administration for Unix.
Webmin has cross-site scripting and
session ID spoofing vulnerabilities
which are fixed in the May 6, 2002 release of version 0.970.
(First LWN
report: May 9).
This one is scary. The session ID spoofing vulnerability allows the "possibility that arbitrary commands may be executed with root privileges." Upgrading is strongly recommended. At a minimum avoid the "preconditions for a successful exploit" by disabling password timeouts under Webmin->Configuration->Authentication. | |||||||||||
| Alerts: |
| |||||||||||
Multiple vulnerabilities in wordtrans
| Package(s): | wordtrans | CVE #(s): | CAN-2002-0837 | |||
| Created: | September 11, 2002 | Updated: | February 4, 2003 | |||
| Description: | The "wordtrans" interface to multilingual dictionaries suffers from input validation and cross-site scripting vulnerabilities; versions through 1.1pre8 are vulnerable. See this Guardent advisory for details. | |||||
| Alerts: |
| |||||
Problems with libgtop_daemon
| Package(s): | wuftpd libgtop | CVE #(s): | |||||||||||||
| Created: | May 21, 2002 | Updated: | May 7, 2003 | ||||||||||||
| Description: |
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run libgtop by default, but applying the update is a good idea anyway. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Wwwoffle remote privilege escalation vulnerability
| Package(s): | wwwoffle | CVE #(s): | CAN-2002-0818 | |||||||||
| Created: | August 14, 2002 | Updated: | October 1, 2003 | |||||||||
| Description: | The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with negative Content Length values. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on." | |||||||||||
| Alerts: |
| |||||||||||
Local privilege escalation vulnerability in XFree86
| Package(s): | xf86 xfree86 | CVE #(s): | |||||||||||||
| Created: | September 18, 2002 | Updated: | October 27, 2002 | ||||||||||||
| Description: | XFree86 version 4.2.1 fixes a problem in Xlib that made it possible to execute arbitrary code in privileged clients. Other libraries are dynamically loaded by libX11.so as needed. When linking against a setuid program, arbitrary code could be loaded and executed from a pathname controlled by the user. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Denial of service vulnerability in xinetd
| Package(s): | xinetd | CVE #(s): | ||||||||||||||||
| Created: | August 14, 2002 | Updated: | December 3, 2002 | |||||||||||||||
| Description: | A file descriptor leak into services started from xinetd may be used, by programs it stats, to crash xinetd. Xinetd is a replacement for the BSD derived inetd. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Multiple vulnerabilities in Zope 2.5.1
| Package(s): | zope | CVE #(s): | CAN-2002-0170 CAN-2002-0687 CAN-2002-0688 | |||
| Created: | September 25, 2002 | Updated: | September 25, 2002 | |||
| Description: | Three security hotfixes are available to fix vulnerabilities in
Zope 2.5.1:
| |||||
| Alerts: |
| |||||
Resources
Linux Security Week - September 30th 2002
Linux Security Week for September 30 from LinuxSecurity.com is available.
Slapper Worm brought to heel (Register)
The Register covers two recent varients of the Slapper worm, Slapper.B (Cinik) and Slapper.C (Unlock). "Two fresh variants of the Slapper worm, which spreads through Linux machines by exploiting a well-known flaw in OpenSSL libraries, have been sighted this week."
Page editor: Jonathan Corbet
Next page: Kernel development>>