The BitKeeper non-compete clause
Certain subjects return to these pages over and over again; one of those,
certainly, is the
BitKeeper source
management system. Despite concerns about its proprietary nature,
BitKeeper has become the tool of choice for many Linux kernel developers.
Those who are concerned about BitKeeper use for kernel development found
new flame fuel in a previously unnoticed clause in
the BitKeeper license, version 1.38, which
reads:
Notwithstanding any other terms in this License, this License is
not available to You if You and/or your employer develop, produce,
sell, and/or resell a product which contains substantially similar
capabilities of the BitKeeper Software, or, in the reasonable
opinion of BitMover, competes with the BitKeeper Software.
The purpose of this clause is to say "you can use BitKeeper free of charge,
but only if you are not using it to develop a competitor to BitKeeper." It
is arguably a reasonable licensing clause; regardless of what one thinks of
BitKeeper or proprietary software in general, BitMover can not be expected
to willingly provide its tools for the purpose of creating new
competition.
And BitMover does fear this competition. Many years of effort went into
the development of BitKeeper and the associated business; the creation of a
suitably capable free replacement could wipe out that investment in a short
time. BitMover founder Larry McVoy believes that the free software
community is not capable of creating from scratch a source management
system of BitKeeper's quality and with BitKeeper's innovations. He does,
however, think it could produce a clone that, while inferior, is good
enough to cost BitMover a lot of business. Coming up with ideas in the
first place is expensive; copying them is far easier. BitMover wants the
space to earn something from its (expensive) efforts to create BitKeeper;
it also wants to be able to develop the product into a far more capable
tool, a task requiring, they think, about four years. They have stated
their intention to fight back with every weapon at their disposal -
including copyright and patents - against anybody who threatens their
ability to carry out that plan.
Is all this a problem for free software and the Linux kernel? It could be,
but probably not on the scale that some people fear. The immediate concern
with the clause quoted above is that a number of free software developers
and companies do deal with other source management systems. In the case of
developers, the situation is fairly clear: if you work on a free source
management system, BitKeeper is not available to you. To emphasize the
point, Larry McVoy publicly told Ben
Collins, a kernel FireWire driver developer (and Subversion hacker) that he could
not use BitKeeper:
And you made it clear that you'd be delighted if Subversion was
made good enough to replace BK and you were working towards that
goal. I can't imagine a better example of someone who we
absolutely do not want to support and do not want using BK. I am
explicitly stating that it is our view that your use of BK is
violation of our license.
Ben's kernel work will not be affected, since he was not using BitKeeper
for that project. Other kernel developers could eventually run afoul of
this rule as well, however. For example, the ReiserFS team has no end of
ambitious plans for its filesystem; some of them, such as version
management, begin to push into BitKeeper's turf. Larry told us that, in
his opinion, it was "very likely" that ReiserFS would eventually cross the
line and become a BitKeeper competitor; at that point its developers would
be unable to use BitKeeper.
That is about as far as it goes, however. The license, says Larry, went
too far by excluding anybody whose employer works on source management
systems. The next "debugging" release of the license will tighten that
term so that it only affects developers working directly on source
management, and, perhaps, those very close to them. Thus, for example, Red
Hat developers will not lose their access to BitKeeper just because Red Hat
puts some patches into CVS. It is also BitMover's position that the Linux
kernel developers as a whole will not lose their BitKeeper access even if
Linus merges a version of ReiserFS which costs the ReiserFS team its access.
In evaluating the whole BitKeeper controversy, it is worth remembering a
few things. One is that BitMover could have avoided all this pain simply
by never giving gratis access to its product. Other vendors of commercial
source management systems do not make their products available for
free-of-charge use, and they are not routinely flamed the way BitMover is.
BitMover, instead, has chosen to make its product freely available to
groups developing free software. Kernel development has benefitted from
this gift in a number of ways:
- The capabilities of BitKeeper are much appreciated by developers who
choose to use it. BitKeeper really does make a lot of things easier,
especially in a distributed, multi-developer environment.
- Linus is merging patches at a tremendous rate, and appears to be far
less stressed than before. Patches still get dropped, but on a much
smaller scale. The process, by all appearances, is working more
smoothly than it has in a long time.
- Anybody who is interested can see the state of Linus's development
tree in near real time. There is no longer any need to wait for
prepatches or full releases. Thanks to BitKeeper, a new development
kernel is released many times a day. As an added bonus, Linus is now
able to post automatic changelogs as well, eliminating the need to
read through each release to see what patches were included.
It is also worth pointing out that nobody has been forced to use
BitKeeper. Many top-tier kernel developers have chosen not to use it, and
they have not had to change their ways of working. Getting repositories
and patches into and out of BitKeeper is easy by design; BitKeeper has a
stated "no lockin" policy. It is not even
necessary to use BitKeeper to keep track of Linus; several sites (like this
one) provide frequent access to the updates in his tree.
In other words, the adoption of BitKeeper has brought good things to
anybody who uses the Linux kernel. This has happened free of charge, with
no visible costs of any significance. Except, perhaps, for the time lost
in flame wars. Access to BitKeeper is a gift that its creator was under no
obligation to make. It is unfortunate that some members of the community
expend so much effort criticising those who have made that gift. It is
hard to see how the free software community would be better off if
BitKeeper were withdrawn.
All this is not to say that there is no reason for vigilance and concern.
The denial of access to some developers is a discriminatory action, to say
the least. If Larry McVoy (or his board of directors) wakes up hung over
one morning and decides to
end free access to BitKeeper, the show is over. Larry is uninclined to do
that - he has maintained free access despite the constant flames because he
wants to support the kernel project. But Larry could have an unfortunate
encounter with a bus (though, as Linus has pointed out, buses are rare in
California), or BitMover could be acquired by another company; in either
case, the new management could make changes to the license. The BitKeeper
binary does not come with source; it could be doing no end of evil things
and it would be difficult for people to know. Currently, BitKeeper makes
it easy to extract all data and metadata from a repository; moving an
entire repository into a different
source management system is an easy task. Linus also uses the BitKeeper
interfaces to export patches and tarballs in the same way he always has.
Future versions of BitKeeper, however,
could quietly shift over to a closed format that is harder to escape
from.
And so on. These are issues that come up with any proprietary package, and
they are certainly no worse than the issues raised by that other
proprietary source management platform which is even more heavily used in
the free software community: SourceForge. In the end, people who use
software should always look at the license, and not use a particular
package if the license is not to their taste. In the case of BitKeeper,
those who chose not to use it are no worse off than they were before, and
an easy path is open should a quick evacuation to another source management
system be required. BitKeeper is worth watching; one never knows where a
company might decide to go tomorrow. But the situation at the moment is
not that bad.
Update on LWN and subscriptions
As of this writing, there are almost 1800 subscribers to LWN.net; we have
also sold a small number of (small) corporate subscriptions. This level of
support is almost sufficient for two full-time staff at minimal salaries - a
huge step in the right direction, but still not enough to keep LWN going in
its current form. While we hope and expect that the number of subscribers
will continue to grow, we will have to take steps to live within our
available means for the near future. It is fully our intent to deliver on
the full term of the one-year subscriptions that many of you have bought;
to do that we will have to be careful now.
So there will be some changes to LWN. We're working on the details now,
and will post another update soon. But it looks like LWN is
here to stay, and that is good news. Let it never be said that the free
software community is unwilling to support the services it finds valuable.
A few other notes:
- We have tracked down and solved the problem that was causing cookie
problems with a number of browsers - especially Internet Explorer. If
you have experienced trouble in the past, please try again; things
should work better.
- There have been some complaints that our initial subscription screens
are not as informative as they could be. We'll be reworking the
subscription information soon to address those concerns. Various
other glitches in the subscription system (i.e. changing between
monthly and fixed-term subscriptions) will also be fixed soon.
- We have, finally, managed to extract the last of the donation money
(from last July!) from our previous credit card processor. Happily,
our new processor seems to be far more, um, together, and has not yet
given us any trouble.
- Occasionally somebody asks what happened to our old donation screen.
That screen has been taken down for a couple of reasons. One is to
keep our new credit card processor happy - donations seem to be a
hot-button issue for those people. The other is that we are trying to
transition into a real business, which offers direct value for the
money received. For people who would like to send more money our way,
we'll work out a new way to take it - no need to worry.
- For those of you who are unwilling or unable to buy a subscription,
we have set up a new mailing list that sends out a daily notification
whenever a subscription article becomes freely available. To receive
these notifications, you can sign up via the "My Account" screen for
your account.
- We're a little behind on some of our subscription-oriented mail. Once
the Weekly Edition is out, we hope to get caught up again.
As always, thank you all for supporting LWN.net.
Page editor: Jonathan Corbet
Security
Security news
Sendmail source hit by a trojan horse
As detailed in
this CERT advisory, the
sendmail source distribution on ftp.sendmail.org was replaced by a version
containing a trojan horse. The modified code stayed on the server from
September 28 through October 6. The trojan was invoked during
the build process; it would fire off a process that would listen for
commands on port 6667. If you downloaded and installed sendmail during
that time period, you need to take a serious look at the integrity of your
systems.
Free software is supposed to be more secure because the source can be
examined for this sort of thing. Yet this particular bit of malware
managed to stay on a high-profile server for over a week. When you
consider that, for example, the Interbase back door went undiscovered for
over a year, one week does not seem all that bad. But one week is plenty
of time to compromise a great many systems.
What is truly surprising is that we have not seen more of this sort of
problem. Trojanized source distributions are scary; a compromised binary
package is truly terrifying. There will be more - and worse -
episodes of this nature in the future.
Of course, we have the tools to defend against most of these attacks. If
you put up software for others to download, you should sign it with a
cryptographic key. If you download software, you should check that
signature. As long as the signing keys are handled carefully
(i.e. not stored on the FTP server!), this bit of hygiene will detect
almost all tampering attacks. Without such checks, administrators are
placing a great deal of trust in the security of every system they download
software from.
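As an added example (not from the LWN article or from sendmail), the following Python checks a downloaded tarball's detached signature the way the paragraph recommends, but goes one step further than "gpg exited 0": it pins the signing key's fingerprint, read from gpg's machine-readable status records. The fingerprint, the `judge_status` and `verify_download` helpers and the sample status streams are constructed for this example.

```python
# Added example (not from the LWN article or from sendmail): accept a downloaded
# tarball only when its detached signature was made by a key whose fingerprint
# was pinned out of band, judged from gpg's machine-readable status records.
import re
import subprocess
from dataclasses import dataclass

# Placeholder fingerprint, constructed for this example.  In practice it is
# obtained from somewhere other than the download server (an HTTPS project
# page, a release announcement, a key-signing party) and committed to config.
PINNED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Status records look like "[GNUPG:] KEYWORD args..." (gpg's doc/DETAILS).
_STATUS = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")
_REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


@dataclass
class Verdict:
    ok: bool
    reason: str


def judge_status(status_output: str, pinned: set) -> Verdict:
    """Decide from `gpg --status-fd` output whether the signature is acceptable.

    Exactly one VALIDSIG record is required and its primary-key fingerprint
    must be pinned.  GOODSIG alone is not enough: it only says that *some* key
    in the local keyring made the signature, and a key fetched from the same
    compromised server as the tarball would satisfy it.
    """
    fingerprints = []
    for line in status_output.splitlines():
        m = _STATUS.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword in _REJECT:
            return Verdict(False, f"gpg reported {keyword}")
        if keyword == "VALIDSIG" and args:
            # VALIDSIG <fpr> <date> <sig-ts> <exp-ts> <ver> <rsv> <pk-algo>
            #          <hash-algo> <class> [<primary-key-fpr>]
            fingerprints.append((args[9] if len(args) > 9 else args[0]).upper())
    if len(fingerprints) != 1:
        return Verdict(False, f"expected one VALIDSIG record, saw {len(fingerprints)}")
    if fingerprints[0] not in {f.upper() for f in pinned}:
        return Verdict(False, f"signature made by unpinned key {fingerprints[0]}")
    return Verdict(True, f"signature from pinned key {fingerprints[0]}")


def verify_download(tarball: str, signature: str, pinned=PINNED_FINGERPRINTS) -> Verdict:
    """Run gpg on a detached signature and judge its status stream.

    The exit status is deliberately ignored: gpg exits 0 for a good signature
    from *any* known key, which is exactly the check that is too weak.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False,
    )
    return judge_status(proc.stdout, pinned)


# Constructed status streams in gpg's format, standing in for real gpg runs.
STATUS_PINNED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key (constructed)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2002-09-28 1033171200 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_OTHER_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Unpinned Key (constructed)
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2002-10-01 1033430400 0 4 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""
STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Key (constructed)\n"
STATUS_NO_KEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG 89ABCDEF01234567 17 2 00 1033171200 9\n"
    "[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n"
)

if __name__ == "__main__":
    for name, stream in [("pinned", STATUS_PINNED_KEY), ("other key", STATUS_OTHER_KEY),
                         ("bad sig", STATUS_BAD), ("no key", STATUS_NO_KEY)]:
        print(f"{name:10s} -> {judge_status(stream, PINNED_FINGERPRINTS)}")
```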
New vulnerabilities
Apache shared memory scoreboard vulnerabilities
| Package(s): | apache |
| CVE #(s): | CAN-2002-0839 |
| Created: | October 9, 2002 |
| Updated: | December 18, 2002 |
| Description: |
Versions of Apache prior to 1.3.27 contain a couple of scoreboard-related
vulnerabilities which can be exploited by local users running under the
Apache user ID. In-server scripting languages, such as PHP, are the most
likely means of carrying out the attacks. One vulnerability causes the
server to fork off new processes, leading to denial of service scenarios;
the other allows an attacker to send SIGUSR1 to any process as root,
probably killing that process. See this iDEFENSE advisory for the details. |
| Alerts: | |
SSL certificate validation vulnerability in evolution
| Package(s): | evolution |
| CVE #(s): | |
| Created: | October 9, 2002 |
| Updated: | October 9, 2002 |
| Description: |
The evolution mail client does not properly check SSL certificates, leaving
it open to man-in-the-middle attacks; see this advisory for details.
Versions 1.0.x are vulnerable; the 1.1 beta branch is not. |
| Alerts: | (No alerts in the database for this vulnerability) |
Buffer overflow in nss_ldap
| Package(s): | nss_ldap |
| CVE #(s): | CAN-2002-0825, CAN-2002-0374 |
| Created: | October 9, 2002 |
| Updated: | December 11, 2002 |
| Description: |
The nss_ldap package has a buffer overflow which can be exploited when the
module configures itself from information in DNS. The problem is fixed in
nss_ldap-199 and later. |
| Alerts: | |
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
| CVE #(s): | CAN-2002-1323 |
| Created: | October 9, 2002 |
| Updated: | February 20, 2004 |
| Description: |
use Perl; has a description of a vulnerability in the Safe.pm Perl module.
It seems that if a Safe compartment is used more than once, it ceases to be
safe. The problem is fixed in Safe 2.08. |
| Alerts: | |
Temporary file vulnerability in tkmail
| Package(s): | tkmail |
| CVE #(s): | |
| Created: | October 9, 2002 |
| Updated: | October 9, 2002 |
| Description: |
The tkmail package has a temporary file vulnerability; a local attacker can
use this hole to overwrite files owned by a local user. |
| Alerts: | |
Updated vulnerabilities
Apache 2.0 cross-site scripting vulnerability
| Package(s): | apache |
| CVE #(s): | CAN-2002-0840 |
| Created: | October 2, 2002 |
| Updated: | October 2, 2002 |
| Description: |
Versions of Apache 2.0 prior to 2.0.43 have a cross-site scripting
vulnerability in the error page handling code. If you are running Apache
2.0, this one is worth fixing. |
| Alerts: | (No alerts in the database for this vulnerability) |
Heap corruption vulnerability in at
| Package(s): | at, sudo, xchat |
| CVE #(s): | CAN-2002-0004 |
| Created: | May 20, 2002 |
| Updated: | May 15, 2003 |
| Description: |
The at command has a potentially exploitable heap corruption bug.
(First LWN report: January 17th). |
| Alerts: | |
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
| CVE #(s): | CAN-2002-0651, CAN-2002-0684 |
| Created: | July 8, 2002 |
| Updated: | September 30, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not affect Linux.
Updates from the Internet Software Consortium (ISC) are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected,
due to Olaf Kirch's fixes for this problem getting into the GNU C library
more than two years ago.
Unfortunately, that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX
functions. These functions are described in the SuSE alert as "used by very
few applications only, such as ifconfig and ifuser, which makes exploits
less likely."
CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries |
| Alerts: | |
Multiple vulnerabilities in bugzilla
| Package(s): | bugzilla |
| CVE #(s): | |
| Created: | October 2, 2002 |
| Updated: | October 9, 2002 |
| Description: |
The Bugzilla bug tracking system (versions prior to 2.14.4 or 2.16.1)
suffers from a number of vulnerabilities, including one which could result
in remote command and SQL injection. An upgrade to 2.16.1 is recommended,
since the 2.14 branch will be unmaintained after the end of the year. See
the Bugzilla advisory for details. |
| Alerts: | |
Potential unauthorized root access vulnerability in dietlibc
| Package(s): | dietlibc |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 14, 2002 |
| Updated: | December 5, 2002 |
| Description: |
Felix von Leitner discovered a potential division by zero bug in code
derived from the SunRPC library which is used in dietlibc, a libc optimized
for small size. The bug could be exploited to gain unauthorized root access
to software linking to dietlibc.
CERT/CC Vulnerability Note VU#192995: Integer overflow in xdr_array()
function when deserializing the XDR stream |
| Alerts: | |
Ethereal buffer overflow, infinite loop and memory management vulnerabilities
| Package(s): | ethereal |
| CVE #(s): | CAN-2002-0012, CAN-2002-0013, CAN-2002-0353, CAN-2002-0401, CAN-2002-0402, CAN-2002-0403, CAN-2002-0404 |
| Created: | June 12, 2002 |
| Updated: | October 27, 2002 |
| Description: |
Ethereal 0.9.4 was released on May 19, 2002 fixing four potential security
issues in Ethereal 0.9.3:
- The SMB dissector could potentially dereference a NULL pointer in two cases.
- The X11 dissector could potentially overflow a buffer while parsing keysyms.
- The DNS dissector could go into an infinite loop while reading a malformed packet.
- The GIOP dissector could potentially allocate large amounts of memory.
No known exploits exist "in the wild" at the present time for any of these issues.
Ethereal 0.9.2 has several packet handling vulnerabilities that are best
avoided by upgrading to 0.9.4. The PROTOS test suite found some flaws in
SNMP and LDAP protocol support. Malformed packets could also crash ethereal
0.9.2 due to an ASN.1 zero-length g_malloc problem. The zlib "double free"
vulnerability was addressed by the updates for that bug from many
distributors. |
| Alerts: | |
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes
and lets interested applications know when something happens. This package
has a flaw in its group handling that blocks some legitimate operations
while, at the same time, exposing the names of files that should otherwise
be invisible. |
| Alerts: | |
Another set of fetchmail buffer overflows
| Package(s): | fetchmail fetchmail-ssl |
| CVE #(s): | |
| Created: | October 1, 2002 |
| Updated: | December 17, 2002 |
| Description: |
e-matters GmbH has issued an advisory warning of a new set of buffer
overflows in the fetchmail header parsing code. The vulnerabilities have
been fixed in fetchmail 6.1.0. |
| Alerts: | |
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
| CVE #(s): | CAN-2002-0435 |
| Created: | May 20, 2002 |
| Updated: | May 16, 2003 |
| Description: |
A race condition in rm may cause the root user to delete the whole
filesystem. The problem exists in the version of rm in fileutils 4.1 stable
and 4.1.6 development version. A patch is available.
(First LWN report: May 2). |
| Alerts: | |
Potential remote root exploit in glibc
| Package(s): | glibc |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 14, 2002 |
| Updated: | June 29, 2003 |
| Description: |
Felix von Leitner discovered a potential division by zero bug in code
derived from the SunRPC library which is used in glibc. This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a
variety of applications, this defect may lead to a number of differing
security problems. Exploiting this vulnerability will lead to denial of
service, execution of arbitrary code, or the disclosure of sensitive
information.
CERT/CC Vulnerability Note VU#192995: Integer overflow in xdr_array()
function when deserializing the XDR stream |
| Alerts: | |
Buffer overflow in groff
| Package(s): | groff |
| CVE #(s): | CAN-2002-0003 |
| Created: | May 20, 2002 |
| Updated: | December 9, 2002 |
| Description: |
The groff package has a buffer overflow vulnerability; if it is used with
the print system, it is conceivably exploitable remotely. |
| Alerts: | |
Buffer overflow in gv
| Package(s): | gv |
| CVE #(s): | CAN-2002-0838 |
| Created: | October 1, 2002 |
| Updated: | November 25, 2002 |
| Description: |
gv, a graphical front end to ghostscript, has a buffer overflow
vulnerability which can be exploited by a properly crafted PostScript or
PDF file. If a user can be tricked into viewing such a file, arbitrary
code can be executed with that user's privileges. See this iDEFENSE
advisory for the details. |
| Alerts: | |
Buffer overflows in heimdal
| Package(s): | heimdal |
| CVE #(s): | |
| Created: | October 1, 2002 |
| Updated: | October 17, 2002 |
| Description: |
A SuSE security team audit of the heimdal Kerberos implementation turned up
several buffer overflow vulnerabilities. No exploits are known as of this
writing, but these vulnerabilities are almost certainly possible for a
remote attacker to exploit; if you are running heimdal, you should upgrade
at the first opportunity. |
| Alerts: | |
HylaFAX 4.1.3 fixes multiple vulnerabilities
| Package(s): | hylafax |
| CVE #(s): | CAN-2001-1034 |
| Created: | July 30, 2002 |
| Updated: | October 9, 2002 |
| Description: |
The HylaFAX team has released version 4.1.3 fixing denial of service,
elevated system privilege and possible remote code execution
vulnerabilities.
HylaFAX is a mature (est. 1991) enterprise-class open-source software
package for sending and receiving facsimiles as well as for sending
alpha-numeric pages. It runs on a wide variety of UNIX-like platforms
including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX,
AIX, and HP-UX. |
| Alerts: | |
UW imapd remotely exploitable buffer overflow
| Package(s): | imap |
| CVE #(s): | CAN-2002-0379 |
| Created: | June 5, 2002 |
| Updated: | December 20, 2002 |
| Description: |
UW imapd versions 2000c and prior allow remote authenticated users to
execute code via a buffer overflow. A malicious user can craft a request to
run commands on the server under their UID and GID.
(First LWN report: May 23). |
| Alerts: | |
Cross-site scripting vulnerability in Konqueror for KDE 3.0.3
| Package(s): | kdelibs |
| CVE #(s): | |
| Created: | September 17, 2002 |
| Updated: | November 18, 2002 |
| Description: |
Konqueror for KDE 3.0.3, and earlier versions, is subject to this
cross-site scripting vulnerability. Since the problem is in kdelibs, any
other application which uses the KHTML renderer is also vulnerable.
JavaScript code running in one frame can access other frames which should
be inaccessible. The problem is fixed in kdelibs 3.0.3a. |
| Alerts: | |
Kerberos 5 unauthorized root access to KDC host vulnerability
| Package(s): | krb5 |
| CVE #(s): | |
| Created: | August 14, 2002 |
| Updated: | October 29, 2002 |
| Description: |
A bug in the Kerberos 5 remote administration service, "kadmind", could be
exploited to gain unauthorized root access to a KDC host. It is believed
that the attacker needs to be able to authenticate to the kadmin daemon for
this attack to be successful.
Felix von Leitner discovered this potential division by zero bug in code
derived from the SunRPC library which is used in many places, including the
Kerberos 5 administration system. Updating now is recommended.
CERT/CC Vulnerability Note VU#192995: Integer overflow in xdr_array()
function when deserializing the XDR stream |
| Alerts: | |
LPRng accepts jobs from any host.
| Package(s): | LPRng |
| CVE #(s): | CAN-2002-0378 |
| Created: | June 12, 2002 |
| Updated: | October 31, 2002 |
| Description: |
Matthew Caron pointed out that LPRng's default configuration accepts job
submissions from any host. This could be an especially annoying
vulnerability for administrators with systems exposed to the general
public. |
| Alerts: | |
Cross-site scripting vulnerability in mhonarc
| Package(s): | mhonarc |
| CVE #(s): | CAN-2002-0738, CAN-2002-1307, CAN-2002-1388 |
| Created: | September 11, 2002 |
| Updated: | January 3, 2003 |
| Description: |
Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to
cross-site scripting problems when presented with maliciously crafted
messages. This problem is fixed in mhonarc version 2.5.3, but it is not
clear that all possible vulnerabilities have been fixed. See the Debian
advisory below for information on how to disable text/html attachment
support in mhonarc, which may be a more secure solution. |
| Alerts: | |
PHP Remote Compromise/DOS Vulnerability
| Package(s): | mod_php4 |
| CVE #(s): | |
| Created: | July 22, 2002 |
| Updated: | February 18, 2003 |
| Description: |
PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which
can lead to the corruption of memory, and the usual bad consequences.
According to this alert, the vulnerability can only be used for denial of
service on x86 systems - there is no way to get it to run exploit code.
SPARC/Solaris systems are apparently vulnerable to full remote compromise.
According to the CERT Advisory, almost every Linux distributor, it seems,
ships older (and thus not vulnerable) versions of PHP.
Note that, sometimes, systems thought to be safe from remote compromise turn
out to be vulnerable to a modified attack, so x86 users should not relax too
much. The solution, for those systems with PHP 4.2.0 or 4.2.1 installed, is
to upgrade to PHP 4.2.2.
For more information see the alert from the discoverer of the
vulnerability, Stefan Esser of e-matters GmbH, or the security advisory
from the php team.
CERT Advisory: CA-2002-21 Vulnerability in PHP |
| Alerts: | |
Mozilla XMLHttpRequest file disclosure vulnerability
| Package(s): | mozilla |
| CVE #(s): | CAN-2002-0354 |
| Created: | May 20, 2002 |
| Updated: | October 18, 2002 |
| Description: |
This XMLHttpRequest security bug impacts all Mozilla-based browsers. "The
bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various
operating system platforms, and in Netscape versions 6.1 and higher."
(First LWN report: May 2). |
| Alerts: | |
String format bug in pam_ldap logging
| Package(s): | nss_ldap |
| CVE #(s): | CAN-2002-0374 |
| Created: | June 5, 2002 |
| Updated: | October 29, 2002 |
| Description: |
The nss_ldap package includes the pam_ldap module for authenticating a user
with an LDAP database. Pam_ldap versions prior to 144 have a string format
bug in the logging mechanism. |
| Alerts: | |
Safemode vulnerability in PHP
| Package(s): | PHP |
| CVE #(s): | CAN-2001-1246 |
| Created: | August 20, 2002 |
| Updated: | October 9, 2002 |
| Description: |
PHP versions 4.0.5 through 4.1.0 fail to properly cleanse a parameter to
the mail() function, allowing arbitrary command execution by local and
(possibly) remote attackers. |
| Alerts: | |
Remotely exploitable vulnerability in pine
| Package(s): | pine |
| CVE #(s): | CAN-2002-0014 |
| Created: | May 20, 2002 |
| Updated: | November 27, 2002 |
| Description: |
Pine has an unpleasant vulnerability in URL handling which can lead to
command execution by remote attackers. (First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution, setting
enable-msg-view-urls to "off" in pine's setup will avoid the vulnerability.
(Thanks to Greg Herlein). |
| Alerts: | |
Buffer overflow vulnerabilities in PostgreSQL
| Package(s): | PostgreSQL |
| CVE #(s): | |
| Created: | August 21, 2002 |
| Updated: | January 27, 2003 |
| Description: |
PostgreSQL 7.2.2 has been released in response to a number of buffer
overrun vulnerabilities which have been identified recently. "...it
should be noted that these vulnerabilities are only critical on 'open' or
'shared' systems, as they require the ability to be able to connect to the
database before they can be exploited."
Buffer overflow vulnerabilities fixed include those reported by
"Sir Mordred The Traitor" in the cash_words, repeat, lpad and rpad
functions. |
| Alerts: | |
PXE server denial of service vulnerability
| Package(s): | pxe |
| CVE #(s): | CAN-2002-0835 |
| Created: | September 4, 2002 |
| Updated: | November 11, 2002 |
| Description: |
The PXE server can be crashed using DHCP packets from some Voice Over IP
(VOIP) phones. Maliciously formed DHCP packets could be used by a remote
attacker to effect a denial of service attack.
The PXE package contains the PXE (Preboot eXecution Environment) server and
code needed for Linux to boot from a boot disk image on a Linux PXE
server. |
| Alerts: | |
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
| CVE #(s): | CAN-2002-1119 |
| Created: | August 28, 2002 |
| Updated: | September 30, 2003 |
| Description: |
Zack Weinberg discovered that os._execvpe from os.py uses a predictable
name which could lead to execution of arbitrary code. According to the
Debian advisory, the problem was present in Python versions 1.5, 2.1 and
2.2. |
| Alerts: | |
sendmail smrsh bypass vulnerability
| Package(s): | sendmail |
| CVE #(s): | CAN-2002-1165 |
| Created: | October 2, 2002 |
| Updated: | November 29, 2002 |
| Description: |
iDEFENSE has posted an advisory warning of a couple of ways of bypassing
the restrictions imposed by the sendmail "smrsh" utility. smrsh puts limits
on which programs a user may run out of a .forward file; this vulnerability
could give a local user undesired access to the mail server system. A patch
has been made available from sendmail.org which closes the vulnerability. |
| Alerts: | |
Sharutils potential privilege escalation using uudecode
Package(s): sharutils
CVE #(s): CAN-2002-0178
Created: May 20, 2002
Updated: October 30, 2002
Description:
According to the CVE entry, "uudecode, as available in the sharutils
package before 4.2.1, does not check whether the filename of the uudecoded
file is a pipe or symbolic link, which could allow attackers to overwrite
files or execute commands." (First LWN report: May 16).
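The check the CVE entry says uudecode lacked, as an added example in Python rather than sharutils' own code: open the output name so that a symlink is refused instead of followed and a FIFO is refused instead of written into, then verify the file type on the opened descriptor itself. The temporary directory and the names in it (victim, link, pipe, plain) are constructed for the demonstration.

```python
import errno
import fcntl
import os
import stat
import tempfile


class UnsafeOutputPath(Exception):
    """The destination name is not a plain file the decoder may write."""


def open_output_safely(path: str, mode: int = 0o644) -> int:
    """Open PATH for writing the way a hardened uudecode should: refuse to
    follow a symlink (O_NOFOLLOW), never block on a FIFO (O_NONBLOCK), and
    confirm on the opened descriptor that it is a regular file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags, mode)
    except OSError as exc:
        # ELOOP: PATH is a symlink.  ENXIO: PATH is a FIFO with no reader.
        if exc.errno in (errno.ELOOP, errno.ENXIO):
            raise UnsafeOutputPath(f"{path}: symlink or pipe refused") from exc
        raise
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise UnsafeOutputPath(f"{path}: not a regular file")
    # The type was verified on the descriptor, not on the name, so a swap
    # between a check and the open cannot fool it; restore blocking writes.
    fcntl.fcntl(fd, fcntl.F_SETFL, fcntl.fcntl(fd, fcntl.F_GETFL) & ~os.O_NONBLOCK)
    return fd


def demo_in_tempdir() -> dict:
    """Constructed scenario in a fresh directory: a plain name, a symlink
    to an existing file, and a FIFO; returns what happened to each."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "victim"), "w") as f:
            f.write("do not clobber\n")
        os.symlink(os.path.join(d, "victim"), os.path.join(d, "link"))
        os.mkfifo(os.path.join(d, "pipe"))
        for name in ("plain", "link", "pipe"):
            try:
                fd = open_output_safely(os.path.join(d, name))
            except UnsafeOutputPath:
                results[name] = "refused"
                continue
            os.write(fd, b"decoded data\n")
            os.close(fd)
            results[name] = "written"
        with open(os.path.join(d, "victim")) as f:
            results["victim_intact"] = f.read() == "do not clobber\n"
    return results
```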
Multiple vulnerabilities fixed in Squid-2.4.STABLE7
Package(s): squid
CVE #(s): (none)
Created: July 8, 2002
Updated: November 15, 2002
Description:
The security advisory for the Squid proxy server reports several
vulnerabilities in versions up to and including 2.4.STABLE7. Several of
the bugs are believed to allow remote code execution. The advisory lists
the following changes:
- Several bugfixes and cleanup of the Gopher client, both to correct some
  security issues and to make Squid properly render certain Gopher menus.
- Security fixes in how Squid parses FTP directory listings into HTML.
- FTP data channels are now sanity checked to match the address of the
  requested FTP server, to prevent theft or injection of data. See the new
  ftp_sanitycheck directive if this sanity check is not desired.
- The MSNT auth helper has been updated to v2.0.3+fixes for buffer
  overflow security issues found in this helper.
- A security issue in how Squid forwards proxy authentication credentials
  has been fixed.
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 9, 2006
Description:
The tar utility does not properly filter file names containing "../",
meaning that a hostile archive can, if unpacked by an unsuspecting user,
overwrite any file that is writable by that user. GNU tar versions 1.13.19
and earlier are vulnerable; unzip through version 5.42 has the same
vulnerability.
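An added example, not code from tar, unzip or the page, of the name filtering the description says those tools lacked: it lists the entries of a tar archive whose path, or whose symlink or hard link target, would land outside the extraction directory, and runs the same name check over a zip archive. It goes a little beyond the "../" case in the text by also catching absolute names and escaping link targets; the sample archives and their entry names are constructed inline.

```python
import io
import posixpath
import tarfile
import zipfile

def is_safe_name(name: str) -> bool:
    """True if NAME cannot leave the extraction directory: not absolute,
    and no '..' component survives normalisation (so 'a/../b' is fine)."""
    if not name or name.startswith("/"):
        return False
    return ".." not in posixpath.normpath(name).split("/")

def unsafe_tar_entries(blob: bytes) -> list:
    """(name, reason) for each member whose path or link target escapes."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        for m in tar.getmembers():
            if not is_safe_name(m.name):
                problems.append((m.name, "path leaves extraction directory"))
            elif m.issym() or m.islnk():
                # Symlink targets resolve relative to the link's directory;
                # hard link targets are relative to the archive root.
                base = "" if m.islnk() else posixpath.dirname(m.name)
                if not is_safe_name(posixpath.join(base, m.linkname)):
                    problems.append((m.name, f"link target {m.linkname!r} escapes"))
    return problems

def unsafe_zip_names(blob: bytes) -> list:
    """The same name check for a zip archive (unzip shared the bug)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [n for n in zf.namelist() if not is_safe_name(n)]

def build_samples() -> tuple:
    """Constructed archives: benign entries, '../' escapes, an absolute symlink."""
    tbuf, zbuf = io.BytesIO(), io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tar:
        for name in ("pkg/README", "../../.bashrc"):
            info = tarfile.TarInfo(name)
            info.size = 6
            tar.addfile(info, io.BytesIO(b"hello\n"))
        link = tarfile.TarInfo("pkg/etc")
        link.type, link.linkname = tarfile.SYMTYPE, "/etc"
        tar.addfile(link)
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("pkg/README", "hello\n")
        zf.writestr("../../.profile", "hello\n")
    return tbuf.getvalue(), zbuf.getvalue()
```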
Malformed NFS packet buffer overflow vulnerability in tcpdump
Package(s): tcpdump
CVE #(s): CAN-2002-0380
Created: June 5, 2002
Updated: October 9, 2002
Description:
A buffer overflow in tcpdump can be triggered by a bad NFS packet when
tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are
vulnerable.
Multiple vendor telnetd vulnerability
Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5
CVE #(s): (none)
Created: May 20, 2002
Updated: October 5, 2004
Description:
This vulnerability, originally thought to be confined to BSD-derived
systems, was first covered in the July 26th Security Summary. It is now
known that Linux telnet daemons are vulnerable as well.
Tomcat 4.x JSP source code exposure vulnerability
Package(s): tomcat
CVE #(s): (none)
Created: September 25, 2002
Updated: January 29, 2003
Description:
Rossen Raykov reports that Tomcat 4.0.5 and 4.1.12 fix a JSP source code
exposure vulnerability in "Tomcat 4.0.4 and 4.1.10 (probably all other
earlier versions also)". The current version of Tomcat is available from
the Apache Tomcat project.
Local root vulnerability in chfn
Package(s): util-linux
CVE #(s): CAN-2002-0638
Created: July 29, 2002
Updated: October 30, 2002
Description:
chfn (change finger information) is one of the utilities in the util-linux
package. The BindView RAZOR Team has discovered a local root vulnerability
in chfn which is described in the BindView advisory. Under certain
conditions, "a carefully crafted attack sequence can be performed to
exploit a complex file locking and modification race present in this
utility, and, as a result, alter /etc/passwd to escalate privileges in the
system." The conditions include a password file, /etc/passwd, larger than
4 kilobytes, with the attacker's account record located in any chunk but
the last 4 kB of the file.
See also CERT/CC Vulnerability Note VU#405955: util-linux package
vulnerable to privilege escalation when "ptmptmp" file is not removed
properly when using "chfn" utility.
webalizer: reverse DNS buffer overflow vulnerability
Package(s): webalizer
CVE #(s): (none)
Created: May 20, 2002
Updated: January 27, 2003
Description:
The cause is a buffer overflow bug. This one sounds nasty. If reverse DNS
lookups are enabled in webalizer, "an attacker with control over the
victim's DNS may spoof responses thus triggering a buffer overflow,
potentially leading to a root compromise." Webalizer 2.01-10 "fixes this
and a few other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
Webmin/Usermin vulnerabilities
Package(s): webmin
CVE #(s): (none)
Created: May 20, 2002
Updated: January 10, 2003
Description:
Webmin is a web-based interface for system administration for Unix. Webmin
has cross-site scripting and session ID spoofing vulnerabilities which are
fixed in the May 6, 2002 release of version 0.970. (First LWN report: May
9). This one is scary. The session ID spoofing vulnerability allows the
"possibility that arbitrary commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum, avoid the "preconditions
for a successful exploit" by disabling password timeouts under
Webmin->Configuration->Authentication.
Multiple vulnerabilities in wordtrans
Package(s): wordtrans
CVE #(s): CAN-2002-0837
Created: September 11, 2002
Updated: February 4, 2003
Description:
The "wordtrans" interface to multilingual dictionaries suffers from input
validation and cross-site scripting vulnerabilities; versions through
1.1pre8 are vulnerable. See the Guardent advisory for details.
Problems with libgtop_daemon
Package(s): wuftpd libgtop
CVE #(s): (none)
Created: May 20, 2002
Updated: May 7, 2003
Description:
The libgtop_daemon package is a GNOME program which makes system
information available remotely. LWN reported the remotely exploitable
format string and buffer overflow vulnerabilities in that package on
December 6th. On November 28th the recommendation was to disable
libgtop_daemon on systems where it is running until an update is
available. Many Linux systems do not run libgtop by default, but applying
the update is a good idea anyway.
Wwwoffle remote privilege escalation vulnerability
Package(s): wwwoffle
CVE #(s): CAN-2002-0818
Created: August 14, 2002
Updated: September 30, 2003
Description:
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content-Length values. "It is believed that an attacker could
exploit this bug to gain remote wwwrun access to the system wwwoffled is
running on."
Local privilege escalation vulnerability in XFree86
Package(s): xf86 xfree86
CVE #(s): (none)
Created: September 18, 2002
Updated: October 27, 2002
Description:
XFree86 version 4.2.1 fixes a problem in Xlib that made it possible to
execute arbitrary code in privileged clients. Other libraries are
dynamically loaded by libX11.so as needed; when libX11.so is linked into a
setuid program, arbitrary code could be loaded and executed from a pathname
controlled by the user.
Denial of service vulnerability in xinetd
Package(s): xinetd
CVE #(s): (none)
Created: August 14, 2002
Updated: December 3, 2002
Description:
A file descriptor leak into services started from xinetd may be used, by
the programs it starts, to crash xinetd. Xinetd is a replacement for the
BSD-derived inetd.
Resources
Linux Security Week
The LinuxSecurity.com "Linux Security Week" newsletter for October 7 is
available.
Sun exec defends open-source security (News.com)
News.com has a report from Whitfield Diffie's talk at the RSA conference.
"Diffie also said that security cannot be delegated, nor can a user rely on
one company for security. 'Openness is essential for trust,' he said,
referring to open-source code, as well as compatibility."
Securing Linux (O'Reilly)
Michael D. Bauer talks about Linux security issues on O'Reilly. "I don't
presume to know in any definitive way whether Linux is more or less
securable than other Unix variants. What I do know is this: Linux is useful,
stable, and securable enough to warrant the time and effort required to
'harden' it against Internet threats. This article explains some of the
reasons I believe it's both possible and worthwhile to secure Linux for use
as an Internet server platform."
Events
Chaos Communication Congress 2002
The 19th annual Chaos Computer Club Congress will be held in Berlin on
December 27 to 29. The Call for Papers has gone out; no deadline for
submissions has been specified. "So, do you dare to speak in front of
people who might have downloaded your script from your computer in advance
and spotted all the logical errors?"
CFP for 2003 CFP conference
The 2003 Computers, Freedom, and Privacy conference will be held April 1 to
4 in New York. The Call for Papers is out, with a deadline of November 15.
Page editor: Jonathan Corbet
Kernel development
Release status
Kernel release status
The current development kernel is 2.5.41, which was
released by Linus on October 7.
"Mucho merges with the 'A-Team' (Alan, Al, Alexey, Andrew, Anton, Arjan,
Arnaldo and Art), but the 'M-Team' (Maksim, Marcel, Martin's and Mike) is a
close runner up." There's a bunch of patches from Alan
Cox, more disk management reworking, more memory management work, some SCSI
work, a big ALSA update, an ISDN update, some kbuild work, a big S390
update, and numerous other fixes. The
long-format changelog has all the details.
Linus's BitKeeper repository, which is destined to become 2.5.42, currently
contains some driver model work (with an emphasis on IDE devices), another
s390 update, the large block device patch (see below), the beginning of the
"asynchronous I/O for networking" merge, the return of IDE tagged command
queueing support, indexed directories for the ext3 filesystem, a number of
NUMA and discontiguous memory enhancements, long lists of small patches via
Dave Jones and Alan Cox, and quite a few other fixes and updates.
The current development prepatch from Alan Cox is 2.5.41-ac2. Since 2.5.41 came out, the -ac
patches have been mostly concerned with compilation fixes and other small
updates.
The latest 2.5 status summary from Guillaume
Boissiere is dated October 9.
The current stable kernel is 2.4.19. Marcelo released 2.4.20-pre10 on October 8. The lists of
patches applied are getting smaller, suggesting that there just might be a
release candidate before too long.
Kernel development news
A new way to watch Linus
The lengthy BitKeeper flame war was not entirely without useful results.
Some developers expressed a wish to have a better view into what patches
were being applied without having to run BitKeeper to extract them; the
response was the creation of a couple of "bk commits" mailing lists on
vger.kernel.org. Every time Linus merges a patch, the "bk-commits-head"
list gets a message containing that patch. A similar list (bk-commits-24)
exists for those who want to track what's up with the 2.4 kernel instead.
Now there's no excuse for not knowing what got merged into 2.5 ten minutes
ago.
See the vger majordomo
page for information on how to subscribe to these lists.
Unexporting the system call table
A linux-kernel reader recently complained that Red Hat had applied a patch
to the kernel in its 8.0 distribution which made the sys_call_table data
structure unavailable to modules. He will not have been pleased with the
2.5.41 kernel release, which did the same thing.
sys_call_table is a special table used to dispatch system calls
within the kernel. It is a simple array, indexed by the system call number
passed in from user space. The reason for wanting this array to be
exported, of course, is to allow modules to add or modify system calls. A
classic example is a module implementing the "streams" interface, which is
unlikely to ever be part of the mainline kernel. Some users need streams,
though; an exported system call table allows them to load a module and have
the streams call work as expected.
So why would this capability be taken away? The stated reason is that
tweaking the system call table is nonportable and unsafe. Each
architecture has a different system call table format, so code which wants
to be portable has to understand how each architecture does things. There
is also no locking mechanism for the