Linux and the desktop
Last January, we made a number of
predictions about what the year held for the Linux community. One of those
read as follows:
Desktop Linux will be taken far more seriously by the end of the
year.... At that point, the Linux desktop will have almost
everything needed by a large number of desktop users. More
specialized applications will take years to fill in, but the basics
are coming into place.
Normally we don't say much about our past predictions, in the hope that our
readers will forget them as soon as possible. We may not do any worse than
those analyst groups that sell their predictions printed on heavy paper,
but we still find ourselves embarrassed by the things we say at times. In
this case, however, we just might have gotten it right.
The latest development on the Linux desktop front is SuSE's announcement of the "SuSE Linux Office
Desktop," a new version of its distribution which is due out in January.
This distribution is, of course, aimed at the desktop market; it features
(relatively) easy administration, a full set of office productivity tools
(based on StarOffice), and CrossOver Office for those proprietary
applications that simply cannot be done without.
SuSE, of course, is not alone in its new emphasis on the desktop. Red Hat
Linux 8.0 includes a reworked, friendlier desktop. Distributions like
Lycoris and Xandros are aimed at desktop users; Mandrake Linux, of course,
has always had this emphasis. There is a Debian Desktop
Project out there. Linux systems can even be purchased at outlets like
Wal-Mart.
Not too long ago, even the strongest Linux
advocates mostly agreed that Linux was only suited to
server-oriented tasks. Now, more and more people think that Linux is ready for
desktop tasks, and, perhaps more to the point, that there is money to be
made in desktop Linux.
One might well wonder why desktop Linux is coming into its own now. There
are several possible reasons:
- The set of free desktop applications is maturing. Tools like
OpenOffice, AbiWord, Gnumeric, Mozilla, Konqueror, etc. have reached a
point where they are good enough for most users. The feature lists
may still fall short of the proprietary competition in some cases, but
most of the truly important features are there.
- The Wine project, in the form of products like CrossOver Office,
has, after many years, reached a point where it can run the
proprietary applications desktop users rely on. The availability of
these applications makes the Linux desktop that much more valuable.
- The difficult economy and Microsoft's licensing schemes have made
companies more interested in ways of saving money.
- People are finally beginning to notice that Linux users don't
have to spend their time fighting the virus of the week.
- Linux has clearly survived the dotcom crash - a fact which still
surprises many people. Fears that Linux will vanish like so many
other highly-hyped technologies are fading away.
The theory of "disruptive technologies" states that a new technology does
not have to be better than the one it replaces - at least, not in every
way. It is enough to offer advantages, financial and otherwise, that are
sufficiently compelling to get people to make a change. Linux (and free
software in general) have a lot to offer in cost savings, security, rapid
and open development, freedom from vendor lock-in, etc. Increasingly,
Linux also has applications that perform widely useful functions, and which
are becoming easier to use. Many of these applications are on their way
toward becoming the best available, free or otherwise. We are, it seems,
reaching that point where the balance begins to tip. This may truly be the
beginning of the era of the free desktop.
We should not lose track of the fact that a great deal remains to be done
before free desktops can truly achieve World Domination, however. Linux
administration is getting easier, but remains difficult. Linux
applications still lack features that many users want. A visit to any
computer store will show that there is a whole range of applications that
are still absent on Linux: where are the children's games, menu planners,
language courses, tax return preparers,
home remodel designers, and makeover assistants for
Linux? When your Linux system will help you look like the Cosmo Girl,
we'll know we have truly arrived. But that day will remain distant until
Linux becomes a more friendly platform for proprietary applications.
It is also worth noting that development on the Linux kernel has emphasized
performance on very large systems just as it looks like the Linux desktop
is going to take off. Performance on smaller systems is supposed to be
addressed during the stabilization period. Testing by desktop users will
be an important part of that process; as more people test out the
development kernel in the coming months, it becomes increasingly likely
that the next stable kernel release will meet the needs of desktop users.
The true triumph of the free desktop is still probably some years away. A
great deal of hard work remains to be done. But the results of years of
effort by thousands of developers determined to improve the Linux desktop
experience are beginning to be felt in a serious way. It is going to be
fun to watch where things go from here.
Comments (11 posted)
Study: free software in the U.S. Department of Defense
The MITRE corporation has just released the results of a study it performed
on the use of free and open source software (which it calls "FOSS") within
the U.S. Department of Defense. It is an interesting look at how the DoD
uses free software, and what would happen if an anti-free-software policy
were to be adopted. The full study is available as
a 160-page PDF file; here
you'll find a rather shorter summary of what it says.
The question that this study was meant to answer seems to be "should the
military ban the use of free software?" The conclusion they came to is
clear:
Neither the survey nor the analysis supports the premise that
banning or seriously restricting FOSS would benefit DoD security or
defensive capabilities. To the contrary, the combination of an
ambiguous status and largely ungrounded fears that it cannot be
used with other types of software are keeping FOSS from reaching
optimal levels of use.
Looking at one area in particular, the report continues:
The main conclusion of the analysis was that FOSS software plays a
more critical role in the DoD than has generally been
recognized... One unexpected result was the degree to which
security depends on FOSS... Taken together, these factors imply
that banning FOSS would have immediate, broad, and strongly
negative impacts on the ability of many sensitive and
security-focused DoD groups to defend against cyberattacks.
The report looks at free software licenses in considerable detail in a
deliberate attempt to address a number of institutional fears about those
licenses. Worries about licensing, say the authors, have led to a
suboptimal level of free software usage. It is a reasonably
straightforward and accurate study; for added fun, they look at the EULA
for Microsoft's "Mobile Internet Toolkit" and compare its terms with those
of free licenses. "However, unlike the Microsoft MIT EULA, the GPL
places no constraints on software simply running on the same system, and
actually goes out of its way not to intrude on other licenses outside of
that context."
The report includes a survey of how free software is used within the DoD
now. They break that usage down into four categories:
- Infrastructure, using tools like sendmail and apache.
- Software development, especially with gcc and Perl.
- Security, including intrusion detection systems, security
analysis tools (e.g. SARA and Snort), and secured operating systems
like OpenBSD. "Yet another important way in which FOSS
contributes to security is by making it possible to change and fix
security holes quickly in the face of new modes of cyberattack. This
ability, which allows rapid response to new or innovative forms of
cyberattack, is intrinsic to the FOSS approach and generally
impractical in closed source products."
- Research, which benefits from Linux clusters and the general
culture of free software.
The report authors looked at costs, of course:
More often than not, the strongest deciding factors for choosing
FOSS products were capability and reliability, with cost being an
important but secondary factor.
They note one other important factor regarding free software and costs:
Without the constant pressure of low-cost, high-quality FOSS
products competing with the closed-source products, the
closed-source vendors could more easily fall into a cycle in which
their support costs balloon and costs are passed on to their
locked-in customers.
The report concludes with three recommendations that, they say, would help the
DoD make optimal use of free software. They are:
- Create a "generally recognized as safe" list of free software. 115
free applications found by the survey would be the starting point for
this list. Suggested "applications" include, however, Linux, OpenBSD,
NetBSD, and FreeBSD, so this list would be pretty general.
- Develop generic infrastructure, development, security, and research
policies. These policies would promote the use of free software in
situations where it is deemed appropriate.
- Encourage use of FOSS to promote product diversity.
"Acquisition diversity reduces the cost and security risks of
being fully dependent on a single software product, while
architectural diversity lowers the risk of catastrophic cyber attacks
based on automated exploitation of specific features or flaws of very
widely deployed products."
Finally, a set of appendices provides lists of free software applications
in use within the DoD, and the full text of a large number of free software
licenses.
If the DoD was seriously considering banning free software, one can only
hope that this report will put an end to such thoughts. Through a great
deal of detailed research, the report's authors have demonstrated that the
Department of Defense is already heavily dependent on free software, and
would be badly hurt if the use of such software were forbidden. Increasingly,
free software is a crucial part of the systems we all use, and that, of
course, is a good thing.
Comments (7 posted)
LWN meta-news
It's time for our weekly report to our readers. Read on for the latest
subscription counts and a few bits of site news.
As of this writing, we are getting close to 2200 subscribers. That still
leaves us far short of our medium-term goal of 4000.
Things are headed in the right direction,
however; with continued support from our readers, we hope that we will get
to where we need to be before too long.
We are also encouraged by a small increase in the rate of corporate
subscriptions. They still fall short of our hopes, but there are signs
that the bureaucratic wheels are beginning to turn. If you work for a
company that could benefit from a subscription, please consider talking to
them about setting one up.
This week we were also able to announce a
group subscription for the Debian project, which has been funded by HP.
Debian developers are encouraged to read the announcement for information
on how to get access to this subscription.
For those of you who have been requesting the ability to pay with American
Express: we have finally managed to get that set up. Progress on setting
up a Euro-zone bank account has been slower; it looks like that will not be
a viable option anytime soon. The best approach for
accepting funds from Europeans without credit cards may turn out to be to
simply have
those people send us checks. We're still working on that one, though.
There has been a small stream of requests for a stable URL for the latest
free version of the Weekly Edition. That has now been implemented; the
current free weekly can be found at:
Of course, lwn.net/current continues to refer to the
most recent (subscription) Weekly Edition.
We have been having some trouble with sites blocking mail from the LWN server
(things like the various LWN mailing lists and subscription notices). That
mail originates from our production server, which is donated to us by
Rackspace. Some people, evidently, have received a lot of spam from
Rackspace-hosted systems, and have simply blocked the entire Rackspace network.
Rackspace tells us that they shut down spammers as soon as they know of
them, but it's an ongoing battle. Meanwhile, we are looking into other ways of
generating and routing mail so that this problem, hopefully, will be behind
us soon.
For those of you making your holiday shopping lists: LWN gift certificates
will be available shortly. The work is mostly done, but won't be completed
at this point until after the weekly publication cycle. Stay tuned for the
announcement.
That is the LWN news for this week. Thanks, as always, for your support.
Comments (19 posted)
No letters to the editor
For the second week in a row, we have no "letters to the editor" page,
since nobody sent us any letters. The reduction in readership caused by
the subscription gate probably has a lot to do with that. Still, we would
like to hear from you; if you have comments you would like to see
published, please feel free to send them to
letters@lwn.net.
Comments (5 posted)
Page editor: Jonathan Corbet
Security
Security news
Protecting the domain name system
Worth a read: this article by ICANN board member Karl Auerbach on how to
protect the domain name system against denial of service attacks. Mr.
Auerbach's fundamental point is simple: the DNS is a uniquely vulnerable
component of the Internet because it is centralized. The net as a whole has
no center, but the DNS depends heavily on its root servers. Most of the
suggestions for improving the security of DNS thus involve spreading things
out, and making them diverse and redundant.
The suggestions are:
- Make copies of the root DNS zone files available, and disperse them
everywhere.
- Create multiple roots for the DNS system.
- Create an early warning system which raises the alarm when it detects
the beginning of a denial of service attack.
- Create a set of canned router filters which can be quickly applied to
protect the root DNS servers in case of an attack.
- Have a plan for moving a root server elsewhere on the Internet should
that server come under attack.
- Create alternative DNS server software, so that not everybody is
running bind.
All of these suggestions make sense, of course, in many contexts other than
the domain name system. It is important to replicate crucial data, spread
your vital resources out, have fallback plans, and to have a diverse
software base. We will see whether these ideas are actually heard by the
DNS Powers That Be, however.
Comments (1 posted)
New vulnerabilities
inn: format string and insecure open vulnerabilities
| Package(s): | inn |
| CVE #(s): | |
| Created: | October 30, 2002 |
| Updated: | October 30, 2002 |
| Description: |
There are several format string coding bugs as well as insecure open()
calls in the inn program. |
| Alerts: | |
Comments (none posted)
krb5: Buffer Overflow in Kerberos Administration Daemon
| Package(s): | krb5, heimdal |
| CVE #(s): | CAN-2002-1235 |
| Created: | October 29, 2002 |
| Updated: | January 14, 2003 |
| Description: |
CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon
Systems Affected
- MIT Kerberos version 4 and version 5 up to and including krb5-1.2.6
- KTH eBones prior to version 1.2.1 and KTH Heimdal prior to version 0.5.1
- Other Kerberos implementations derived from vulnerable MIT or KTH code
Overview
Multiple Kerberos distributions contain a remotely exploitable buffer
overflow in the Kerberos administration daemon. A remote attacker
could exploit this vulnerability to gain root privileges on a
vulnerable system.
The CERT/CC has received reports that indicate that this vulnerability
is being exploited. In addition, MIT advisory MITKRB5-SA-2002-002
notes that an exploit is circulating.
We strongly encourage sites that use vulnerable Kerberos distributions
to verify the integrity of their systems and apply patches or upgrade
as appropriate. |
| Alerts: | |
Comments (none posted)
zope: Insecure XML-RPC exception handling
| Package(s): | zope |
| CVE #(s): | |
| Created: | October 30, 2002 |
| Updated: | October 30, 2002 |
| Description: |
Zope will reveal the complete physical location where the server and its
components are installed if it receives "incorrect" XML-RPC requests.
In some cases it will also reveal information about the servers in the
protected LAN (10.x.x.x for example).
More information is available at:
http://collector.zope.org/Zope/359 |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
LPRng accepts jobs from any host.
| Package(s): | LPRng |
| CVE #(s): | CAN-2002-0378 |
| Created: | June 12, 2002 |
| Updated: | October 31, 2002 |
| Description: |
Matthew Caron pointed out that LPRng's default configuration accepts job
submissions from any host. This could be an especially annoying
vulnerability for administrators with systems exposed to the general
public. |
| Alerts: | |
Comments (none posted)
Buffer overflow vulnerabilities in PostgreSQL
| Package(s): | PostgreSQL |
| CVE #(s): | |
| Created: | August 21, 2002 |
| Updated: | January 27, 2003 |
| Description: |
PostgreSQL 7.2.2 has been released in response to a number of buffer
overrun vulnerabilities which have been identified recently. "...it
should be noted that these vulnerabilities are only critical on 'open' or
'shared' systems, as they require the ability to be able to connect to the
database before they can be exploited."
Buffer overflow vulnerabilities fixed include those reported by
"Sir Mordred The Traitor" in the cash_words, repeat, lpad and rpad
functions. |
| Alerts: | |
Comments (none posted)
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
| CVE #(s): | CAN-2002-1323 |
| Created: | October 9, 2002 |
| Updated: | February 20, 2004 |
| Description: |
The use Perl; site has a description of a vulnerability in the Safe.pm
Perl module. It seems that if a Safe compartment is used more than once,
it ceases to be safe. The problem is fixed in Safe 2.08. |
| Alerts: | |
Comments (none posted)
Apache shared memory scoreboard vulnerabilities
| Package(s): | apache |
| CVE #(s): | CAN-2002-0839 |
| Created: | October 9, 2002 |
| Updated: | December 18, 2002 |
| Description: |
Versions of Apache prior to 1.3.27 contain a couple of scoreboard-related
vulnerabilities which can be exploited by local users running under the
Apache user ID. In-server scripting languages, such as PHP, are the most
likely means of carrying out the attacks. One vulnerability causes the
server to fork off new processes, leading to denial of service scenarios;
the other allows an attacker to send SIGUSR1 to any process as root,
probably killing that process. See this iDEFENSE advisory for the
details. |
| Alerts: | |
Comments (3 posted)
Heap corruption vulnerability in at
| Package(s): | at, sudo, xchat |
| CVE #(s): | CAN-2002-0004 |
| Created: | May 21, 2002 |
| Updated: | May 15, 2003 |
| Description: |
The at command has a potentially exploitable heap corruption bug.
(First LWN report: January 17th). |
| Alerts: | |
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
| CVE #(s): | CAN-2002-0651, CAN-2002-0684 |
| Created: | July 8, 2002 |
| Updated: | October 1, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunately that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX
functions. These functions are described in the SuSE alert as "used by
very few applications only, such as ifconfig and ifuser, which makes
exploits less likely."
CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver
Libraries (CAN-2002-0651, CAN-2002-0684) |
| Alerts: | |
Comments (1 posted)
bzip2: file creation and symbolic link vulnerabilities
| Package(s): | bzip2 |
| CVE #(s): | CAN-2002-0759, CAN-2002-0760, CAN-2002-0761 |
| Created: | October 29, 2002 |
| Updated: | October 30, 2002 |
| Description: |
bzip2 does not use the O_EXCL flag to create files during
decompression and does not warn the user if an existing file
would be overwritten, which could allow attackers to overwrite
files via a bzip2 archive.
bzip2 decompresses files with world-readable permissions
before setting the permissions to what is specified in the
bzip2 archive, which could allow local users to read the files
as they are being decompressed.
bzip2 uses the permissions of symbolic links instead of the
actual files when creating an archive, which could cause the
files to be extracted with less restrictive permissions than
intended. |
| Alerts: | |
Comments (none posted)
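The three bzip2 problems above (no O_EXCL, world-readable output before the archive's mode is applied, a symlink's permissions recorded instead of the target's) are file-handling rules a decompressor can check for itself. The C program below is an added example, not bzip2's code; the helper names, the private temporary directory it uses and the choice to refuse symlinks outright when recording permissions are this example's assumptions.

```c
/* Added example, not bzip2's code: the three file-handling rules from the
   bzip2 advisory, written as a small, self-checking decompressor back end.
   Names and the refuse-symlinks policy are assumptions of this example. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Rule 1: O_EXCL, so an existing file, or a symlink someone pre-planted at
   the output name, is never overwritten or followed (open fails with EEXIST).
   Rule 2, first half: create the file owner-only; the archive's mode comes later. */
int open_new_output(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Rule 2, second half: write while the file is still private, then apply the
   archive's permissions with fchmod() on the descriptor rather than chmod() on
   the path, so the name cannot be swapped underneath us in between. */
int write_and_finalize(int fd, const void *buf, size_t len, mode_t archive_mode)
{
    const char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            close(fd);
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    if (fchmod(fd, archive_mode & 07777) != 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Rule 3: when recording an input file's mode for an archive, lstat() it and
   refuse symlinks, so a link's own (typically 0777) bits are never stored as
   the permissions of the file it points to. */
int input_mode(const char *path, mode_t *out)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    if (S_ISLNK(st.st_mode)) { errno = ELOOP; return -1; }
    if (!S_ISREG(st.st_mode)) { errno = EINVAL; return -1; }
    *out = st.st_mode & 07777;
    return 0;
}

/* Exercises the rules in a private temporary directory. Returns 0 when every
   check holds, otherwise a code naming the step that failed. */
int demo_safe_extract(void)
{
    char dir[] = "/tmp/bzsafeXXXXXX";
    char planted[64], fresh[64];
    const char payload[] = "constructed decompressed data\n";
    struct stat st;
    mode_t m;
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL) return 1;
    snprintf(planted, sizeof planted, "%s/planted", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);

    /* Constructed precondition: a dangling symlink already occupies the output name. */
    if (symlink("/nonexistent/target", planted) != 0) { rc = 2; goto out; }
    fd = open_new_output(planted);
    if (fd != -1 || errno != EEXIST) { if (fd >= 0) close(fd); rc = 3; goto out; }

    /* Normal case: nothing exists at the output name; file is private until finalized. */
    fd = open_new_output(fresh);
    if (fd < 0) { rc = 4; goto out; }
    if (fstat(fd, &st) != 0 || (st.st_mode & 077) != 0) { close(fd); rc = 5; goto out; }
    if (write_and_finalize(fd, payload, sizeof payload - 1, 0644) != 0) { rc = 6; goto out; }
    if (stat(fresh, &st) != 0 || (st.st_mode & 07777) != 0644) { rc = 7; goto out; }

    /* Permission recording: the symlink is refused, the regular file reports 0644. */
    if (input_mode(planted, &m) != -1) { rc = 8; goto out; }
    if (input_mode(fresh, &m) != 0 || m != 0644) { rc = 9; goto out; }

out:
    unlink(planted);
    unlink(fresh);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_safe_extract();
    printf("demo_safe_extract: %s (code %d)\n", rc == 0 ? "all checks held" : "FAILED", rc);
    return rc;
}
```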
Potential unauthorized root access vulnerability in dietlibc
| Package(s): | dietlibc |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 14, 2002 |
| Updated: | December 5, 2002 |
| Description: |
Felix von Leitner discovered a potential division by zero bug in
code derived from the SunRPC library which is used in
dietlibc, a libc optimized for small size.
The bug could be exploited to gain unauthorized root
access to software linking to dietlibc.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream |
| Alerts: | |
Comments (none posted)
dvips: command execution vulnerability
| Package(s): | dvips |
| CVE #(s): | CAN-2002-0836 |
| Created: | October 16, 2002 |
| Updated: | June 10, 2003 |
| Description: |
The dvips utility uses the system() function improperly when managing
fonts. An attacker who can craft the right sort of print job can use this
vulnerability to execute commands under the UID used by the print system. |
| Alerts: | |
Comments (none posted)
Ethereal buffer overflow, infinite loop and memory management vulnerabilities
| Package(s): | ethereal |
| CVE #(s): | CAN-2002-0012, CAN-2002-0013, CAN-2002-0353, CAN-2002-0401, CAN-2002-0402, CAN-2002-0403, CAN-2002-0404 |
| Created: | June 12, 2002 |
| Updated: | October 27, 2002 |
| Description: |
Ethereal 0.9.4 was released on May 19, 2002, fixing four potential
security issues in Ethereal 0.9.3:
- The SMB dissector could potentially dereference a NULL pointer in two cases.
- The X11 dissector could potentially overflow a buffer while parsing keysyms.
- The DNS dissector could go into an infinite loop while reading a malformed packet.
- The GIOP dissector could potentially allocate large amounts of memory.
No known exploits exist "in the wild" at the present time for any of these issues.
Ethereal 0.9.2 has several packet handling vulnerabilities
that are best avoided by upgrading to 0.9.4.
The PROTOS test suite found some flaws in SNMP and LDAP protocols support.
Malformed packets could also crash ethereal 0.9.2 due to an
ASN.1 zero-length g_malloc problem.
The zlib "double free" vulnerability was addressed by the updates for
that bug from many distributors. |
| Alerts: | |
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes
and lets interested applications know when something happens. This package
has a flaw in its group handling that blocks some legitimate operations
while, at the same time, exposing the names of files that should otherwise
be invisible. |
| Alerts: | |
Comments (none posted)
Another set of fetchmail buffer overflows
| Package(s): | fetchmail fetchmail-ssl |
| CVE #(s): | |
| Created: | October 1, 2002 |
| Updated: | December 17, 2002 |
| Description: |
e-matters GmbH has issued an advisory
warning of a new set of buffer overflows in the fetchmail header parsing
code. The vulnerabilities have been fixed in fetchmail 6.1.0. |
| Alerts: | |
Comments (none posted)
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
| CVE #(s): | CAN-2002-0435 |
| Created: | May 21, 2002 |
| Updated: | May 16, 2003 |
| Description: |
A race condition in rm may cause the root user to delete the whole
filesystem. The problem exists in the version of rm in fileutils 4.1
stable and 4.1.6 development version. A patch is available.
(First LWN report: May 2). |
| Alerts: | |
Comments (none posted)
Potential remote root exploit in glibc
| Package(s): | glibc |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 14, 2002 |
| Updated: | June 29, 2003 |
| Description: |
Felix von Leitner discovered a potential division by zero bug in
code derived from the SunRPC library which is used in glibc. This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a
variety of applications, this defect may lead to a number of differing
security problems. Exploiting this vulnerability will lead to denial of
service, execution of arbitrary code, or the disclosure of sensitive
information.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream |
| Alerts: | |
Comments (none posted)
Buffer overflow in groff
| Package(s): | groff |
| CVE #(s): | CAN-2002-0003 |
| Created: | May 21, 2002 |
| Updated: | December 9, 2002 |
| Description: |
The groff package has a buffer overflow
vulnerability; if it is used with the print system, it is conceivably
exploitable remotely. |
| Alerts: | |
Comments (none posted)
Buffer overflow in gv
| Package(s): | gv |
| CVE #(s): | CAN-2002-0838 |
| Created: | October 1, 2002 |
| Updated: | November 25, 2002 |
| Description: |
gv, a graphical front end to ghostscript, has a buffer overflow
vulnerability which can be exploited by a properly crafted PostScript or
PDF file. If a user can be tricked into viewing such a file, arbitrary
code can be executed with that user's privileges. See this iDEFENSE
advisory for the details. |
| Alerts: | |
Comments (none posted)
heartbeat: remotely exploitable buffer overflow
| Package(s): | heartbeat |
| CVE #(s): | |
| Created: | October 16, 2002 |
| Updated: | November 6, 2002 |
| Description: |
The heartbeat failover system has a remotely exploitable buffer overflow
vulnerability; versions prior to 0.4.9e and 0.4.9.2 are affected. Any
system that is worth running heartbeat on is worth upgrading. See the
advisory for the details. |
| Alerts: | |
Comments (none posted)
UW imapd remotely exploitable buffer overflow
| Package(s): | imap |
| CVE #(s): | CAN-2002-0379 |
| Created: | June 5, 2002 |
| Updated: | December 20, 2002 |
| Description: |
UW imapd versions 2000c and prior allow remote authenticated users to
execute code via a buffer overflow. A malicious user can craft
a request to run commands on the server under their UID and GID.
(First LWN report: May 23). |
| Alerts: | |
Comments (2 posted)
Cross-site scripting vulnerability in Konqueror for KDE 3.0.3
| Package(s): | kdelibs |
| CVE #(s): | |
| Created: | September 17, 2002 |
| Updated: | November 18, 2002 |
| Description: |
Konqueror for KDE 3.0.3, and earlier versions, is subject to this
cross-site scripting vulnerability.
Since the problem is in kdelibs, any other application which
uses the KHTML renderer is also vulnerable.
Javascript code running in one frame can
access other frames which should be inaccessible. The problem is
fixed in kdelibs 3.0.3a. |
| Alerts: | |
Comments (2 posted)
kernel: several security issues fixed
| Package(s): | kernel |
| CVE #(s): | |
| Created: | October 22, 2002 |
| Updated: | November 22, 2002 |
| Description: |
A number of security fixes have gone out for the 2.2 and 2.4 kernels.
There are no known exploits at this time, but upgrading will make sense
anyway. As always with kernel updates, read the distributor instructions
carefully; there is usually more involved than just installing a new
package. |
| Alerts: | |
Comments (none posted)
Kerberos 5 unauthorized root access to KDC host vulnerability
| Package(s): | krb5 |
| CVE #(s): | |
| Created: | August 14, 2002 |
| Updated: | October 29, 2002 |
| Description: |
A bug in the Kerberos 5 remote administration service, "kadmind", could be
exploited to gain unauthorized root access to a KDC host.
It is believed that the attacker needs to be able to
authenticate to the kadmin daemon for this attack to be successful.
Felix von Leitner discovered this potential division by zero bug in
code derived from the SunRPC library which is used
in many places, including the Kerberos 5 administration system.
Updating now is recommended.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream |
| Alerts: | |
Comments (none posted)
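The xdr_array() integer overflow behind VU#192995, cited in the dietlibc, glibc and kadmind entries above, comes down to trusting an element count read from the wire when computing an allocation size. The C program below is an added example, not code from glibc, dietlibc or MIT Kerberos; the XDR layout (4-byte big-endian count, then 4-byte big-endian elements) is the standard one, while the 1 MiB cap, the function names and the sample streams are this example's assumptions.

```c
/* Added example, not glibc's, dietlibc's or MIT Kerberos' code: the size check a
   hardened xdr_array()-style decoder needs before allocating count * elsize bytes.
   The 1 MiB cap, helper names and sample streams are assumptions of this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define XDR_UNIT 4u                  /* every XDR primitive occupies 4 bytes */
#define MAX_ARRAY_BYTES (1u << 20)   /* assumed policy: refuse arrays over 1 MiB */

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 1 and sets *bytes when count elements of elsize bytes fit under limit
   without the multiplication wrapping. The division form cannot overflow itself,
   so it is safe to evaluate on any untrusted count. */
int xdr_array_size_ok(uint32_t count, size_t elsize, size_t limit, size_t *bytes)
{
    if (elsize == 0 || count > limit / elsize) return 0;
    *bytes = (size_t)count * elsize;
    return 1;
}

/* Decodes a uint32 array. Returns the element count and sets *out (caller frees),
   or -1 when the declared count is unsafe or the stream is shorter than it claims. */
long decode_u32_array(const uint8_t *buf, size_t len, uint32_t **out)
{
    size_t bytes, i;
    uint32_t count, *arr;

    *out = NULL;
    if (len < XDR_UNIT) return -1;
    count = rd_be32(buf);
    /* Check before multiplying: with a 32-bit size_t, a count of 0x40000001 makes
       count * 4 wrap to 4, so a tiny buffer would be allocated and then overrun by
       the element loop. That is the VU#192995 pattern. */
    if (!xdr_array_size_ok(count, XDR_UNIT, MAX_ARRAY_BYTES, &bytes)) return -1;
    if (bytes > len - XDR_UNIT) return -1;   /* the stream must carry every element */
    arr = malloc(bytes ? bytes : 1);
    if (arr == NULL) return -1;
    for (i = 0; i < count; i++)
        arr[i] = rd_be32(buf + XDR_UNIT + i * XDR_UNIT);
    *out = arr;
    return (long)count;
}

/* Constructed sample streams. */
static const uint8_t GOOD[] = {
    0, 0, 0, 3,                                   /* count = 3 */
    0, 0, 0, 1,  0, 0, 0, 2,  0xDE, 0xAD, 0xBE, 0xEF
};
static const uint8_t HOSTILE[] = { 0x40, 0, 0, 1,  0, 0, 0, 0 };  /* count = 0x40000001 */
static const uint8_t SHORT[]   = { 0, 0, 0, 5,  0, 0, 0, 1 };      /* claims 5, carries 1 */

/* Runs the three streams plus the raw size check; 0 means every expectation held. */
int demo_xdr(void)
{
    uint32_t *arr = NULL;
    size_t bytes = 0;
    int rc = 0;

    if (decode_u32_array(GOOD, sizeof GOOD, &arr) != 3 || arr[2] != 0xDEADBEEFu) rc |= 1;
    free(arr);
    if (decode_u32_array(HOSTILE, sizeof HOSTILE, &arr) != -1 || arr != NULL) rc |= 2;
    if (decode_u32_array(SHORT, sizeof SHORT, &arr) != -1 || arr != NULL) rc |= 4;
    /* Simulate a 32-bit size_t by using UINT32_MAX as the limit. */
    if (xdr_array_size_ok(0x40000001u, 4, UINT32_MAX, &bytes) != 0) rc |= 8;
    if (xdr_array_size_ok(0x3FFFFFFFu, 4, UINT32_MAX, &bytes) != 1 || bytes != 0xFFFFFFFCu) rc |= 16;
    return rc;
}

int main(void)
{
    int rc = demo_xdr();
    printf("demo_xdr: %s (code %d)\n", rc == 0 ? "all checks held" : "FAILED", rc);
    return rc;
}
```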
Cross-site scripting vulnerability in mhonarc
| Package(s): | mhonarc |
| CVE #(s): | CAN-2002-0738, CAN-2002-1307, CAN-2002-1388 |
| Created: | September 11, 2002 |
| Updated: | January 3, 2003 |
| Description: |
Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to
cross-site scripting problems when presented with maliciously crafted
messages. This problem is fixed in mhonarc version 2.5.3, but it is not
clear that all possible vulnerabilities have been fixed. See the Debian
advisory below for information on how to disable text/html attachment
support in mhonarc, which may be a more secure solution. |
| Alerts: | |
Comments (none posted)
PHP Remote Compromise/DOS Vulnerability
| Package(s): | mod_php4 |
| CVE #(s): | |
| Created: | July 22, 2002 |
| Updated: | February 18, 2003 |
| Description: |
PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which
can lead to the corruption of memory, and the usual bad consequences.
According to this alert, the vulnerability can only be used for denial of
service on x86 systems - there is no way to get it to run exploit code.
SPARC/Solaris systems are apparently vulnerable to full remote compromise.
According to the CERT Advisory, almost every Linux distributor, it seems,
ships older (and thus not vulnerable) versions of PHP.
Note that, sometimes, systems thought to be safe from remote compromise
turn out to be vulnerable to a modified attack, so x86 users should not
relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1
installed, is to upgrade to PHP 4.2.2.
For more information see the alert from the discoverer of the
vulnerability, Stefan Esser of e-matters GmbH, or the security advisory
from the php team.
CERT Advisory: CA-2002-21 Vulnerability in PHP |
| Alerts: | |
Comments (1 posted)
mod_ssl: cross site scripting problem
| Package(s): | mod_ssl, libapache-mod-ssl |
| CVE #(s): | CAN-2002-1157 |
| Created: | October 22, 2002 |
| Updated: | December 12, 2002 |
| Description: |
Joe Orton discovered a cross site scripting problem in mod_ssl, an
Apache module that adds strong cryptography (i.e. HTTPS support) to
the webserver. The module will return the server name unescaped in
the response to an HTTP request on an SSL port.
Like the other recent Apache XSS bugs, this only affects servers using
a combination of "UseCanonicalName off" and wildcard DNS. This is very
unlikely to happen, though. Apache 2.0/mod_ssl is not vulnerable since it
already escapes this HTML. |
| Alerts: | |
Comments (none posted)
ypserv: NIS information leak
| Package(s): | nis, ypserv |
| CVE #(s): | CAN-2002-1232 |
| Created: | October 21, 2002 |
| Updated: | December 5, 2002 |
| Description: |
Thorsten Kukuck discovered a problem in the ypserv program which is
part of the Network Information Services (NIS). A memory leak in all
versions of ypserv prior to 2.5 is remotely exploitable. When a
malicious user requests a non-existent map, the server leaks
parts of an old domainname and mapname. |
| Alerts: | |
Comments (none posted)
Buffer overflow in nss_ldap
| Package(s): | nss_ldap |
| CVE #(s): | CAN-2002-0825, CAN-2002-0374 |
| Created: | October 9, 2002 |
| Updated: | December 11, 2002 |
| Description: |
The nss_ldap package has a buffer overflow which can be triggered when the
module configures itself from information in DNS (the mode in which the
LDAP server is located through DNS SRV records rather than named in the
configuration file), so an attacker who can forge DNS replies can reach it. The problem is fixed in
nss_ldap-199 and later. |
| Alerts: |
|
Comments (none posted)
Format string bug in pam_ldap logging
| Package(s): | nss_ldap |
| CVE #(s): | CAN-2002-0374 |
| Created: | June 5, 2002 |
| Updated: | October 29, 2002 |
| Description: |
The nss_ldap package includes the pam_ldap module for
authenticating a user against an LDAP database.
pam_ldap versions prior to 144 have a format string
bug in the logging mechanism. |
| Alerts: |
|
Comments (none posted)
PAM: password validation error
| Package(s): | pam |
| CVE #(s): | |
| Created: | October 23, 2002 |
| Updated: | October 23, 2002 |
| Description: |
Paul Aurich and Samuele Giovanni Tonon discovered a serious security
hole in PAM. Disabled passwords (i.e. those with '*' in the
password field) are treated as if they were empty, and access to such
accounts is granted through the regular login paths (getty,
telnet, ssh). This works for every such account whose shell field in
the password file does not refer to /bin/false. Only version 0.76 of
PAM seems to be affected by this problem. |
| Alerts: |
|
Comments (none posted)
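A check a practitioner would want for the PAM problem above, as an added example (the editor's code, not PAM's or any distribution's): given passwd and shadow contents, list the accounts that meet both conditions in the description, a password field of '*' and a shell other than /bin/false, and rewrite the shell of such accounts to /bin/false as the interim mitigation the description implies. The sample account data is constructed for the demonstration and the hash is a placeholder string.

```python
# Constructed sample /etc/passwd and /etc/shadow contents for the demonstration
# (not real accounts; the hash is a placeholder string).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """\
root:$1$saltsalt$placeholderhashplaceholder:12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
backup:*:12345:0:99999:7:::
nobody:*:12345:0:99999:7:::
alice:!:12345:0:99999:7:::
"""


def parse_colon_file(text):
    """Map user name -> list of colon-separated fields."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def effective_password_field(user, passwd_fields, shadow):
    """The password field PAM sees: /etc/shadow's when passwd holds 'x'."""
    pw = passwd_fields[1]
    if pw == "x" and user in shadow:
        pw = shadow[user][1]
    return pw


def exposed_accounts(passwd_text, shadow_text):
    """Accounts the PAM 0.76 bug would let in with an empty password:
    password field is exactly '*' and the shell is not /bin/false.
    Accounts locked with '!' are not mentioned by the advisory and are
    deliberately not flagged here."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    exposed = []
    for user, fields in passwd.items():
        if len(fields) < 7:
            continue  # malformed line; not this check's concern
        if effective_password_field(user, fields, shadow) == "*" and fields[6] != "/bin/false":
            exposed.append(user)
    return sorted(exposed)


def harden_shells(passwd_text, shadow_text):
    """Interim mitigation that follows from the description: give every
    account with a '*' password a /bin/false shell.  Returns the rewritten
    passwd text; other accounts are left exactly as they were."""
    shadow = parse_colon_file(shadow_text)
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and effective_password_field(fields[0], fields, shadow) == "*":
            fields[6] = "/bin/false"
        out.append(":".join(fields))
    return "\n".join(out) + "\n"
```

Run exposed_accounts over the real files before and after upgrading PAM; an empty list after harden_shells is the state the description says is unaffected.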
Remotely exploitable vulnerability in pine
| Package(s): | pine |
| CVE #(s): | CAN-2002-0014 |
| Created: | May 21, 2002 |
| Updated: | November 27, 2002 |
| Description: |
Pine has an unpleasant vulnerability in its URL handling which can lead to
command execution by remote attackers
(first LWN report: January 17th).
Since it is remotely exploitable, updating is a good idea.
Note: if an update isn't yet available for your distribution,
setting enable-msg-view-urls to "off" in Pine's setup will
avoid the vulnerability. (Thanks to Greg Herlein.)
|
| Alerts: |
|
Comments (none posted)
PXE server denial of service vulnerability
| Package(s): | pxe |
| CVE #(s): | CAN-2002-0835 |
| Created: | September 4, 2002 |
| Updated: | November 11, 2002 |
| Description: |
The PXE server can be crashed by the DHCP packets sent by
some Voice over IP (VoIP) phones. Maliciously formed
DHCP packets could likewise be used by a remote attacker to mount a
denial of service attack.
The PXE package contains the PXE (Preboot eXecution Environment)
server and the code needed for Linux to boot from a boot disk image on a
Linux PXE server.
|
| Alerts: |
|
Comments (none posted)
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
| CVE #(s): | CAN-2002-1119 |
| Created: | August 28, 2002 |
| Updated: | October 1, 2003 |
| Description: |
Zack Weinberg discovered that
os._execvpe in os.py uses a predictable temporary file name, which a
local attacker could exploit to run arbitrary code. According to the Debian
advisory, the problem
was present in Python versions 1.5, 2.1 and 2.2.
(CAN-2002-1119) |
| Alerts: |
|
Comments (none posted)
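How a predictable name turns into code execution, as an added example (the editor's demonstration, not the affected os.py and not Python's fix): a "victim" runs a guessed, supposedly non-existent path just to learn the not-found errno, and a local attacker who can compute the same name plants an executable there first. The '@pid.counter' scheme is modeled on what the old tempfile.mktemp() produced and the probe-for-errno pattern is, to the editor's knowledge, what os._execvpe did; both are assumptions here, and subprocess stands in for execv so the demonstrating process survives. The shared scratch directory models a world-writable /tmp.

```python
import errno
import os
import subprocess
import tempfile


def predictable_tmp_name(tmpdir, pid, counter):
    """Name scheme modeled on the old tempfile.mktemp(): '@<pid>.<counter>'
    in the temp directory.  An approximation for the demonstration, not code
    copied from the affected Python."""
    return os.path.join(tmpdir, "@%d.%d" % (pid, counter))


def attacker_plants(path):
    """A local attacker who can guess the name drops an executable there first
    (constructed payload: a shell script that just announces itself)."""
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho PLANTED\n")
    os.chmod(path, 0o755)


def probe_unsafe(tmpdir, pid, counter):
    """The vulnerable pattern: exec a guessed 'surely nonexistent' path to learn
    the not-found errno.  subprocess stands in for execv so this process survives.
    Returns ('errno', number) if the path was absent, ('executed', output) if not."""
    path = predictable_tmp_name(tmpdir, pid, counter)
    try:
        done = subprocess.run([path], capture_output=True, text=True, check=False)
    except OSError as e:
        return ("errno", e.errno)
    return ("executed", done.stdout.strip())


def probe_safe():
    """The fix: do not probe at all; the not-found errno is a known constant."""
    return errno.ENOENT


def race_demo():
    """Attacker computes the same pid/counter the victim will use and wins."""
    with tempfile.TemporaryDirectory() as d:
        pid, counter = os.getpid(), 0
        attacker_plants(predictable_tmp_name(d, pid, counter))
        return probe_unsafe(d, pid, counter)


def no_race_demo():
    """Same probe in a directory nobody pre-populated: just the errno."""
    with tempfile.TemporaryDirectory() as d:
        return probe_unsafe(d, os.getpid(), 0)
```

The lesson generalises past this bug: a name an unprivileged user can predict, in a directory that user can write, must never be executed or opened without O_EXCL, and a constant should not be discovered by probing the filesystem at all.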
sendmail smrsh bypass vulnerability
| Package(s): | sendmail |
| CVE #(s): | CAN-2002-1165 |
| Created: | October 2, 2002 |
| Updated: | November 29, 2002 |
| Description: |
iDEFENSE has posted an advisory warning of a
couple of ways of bypassing the restrictions imposed by the sendmail
"smrsh" utility. smrsh limits which programs a user may run from
a .forward file; this vulnerability could give a local user
access to programs on the mail server that smrsh is supposed to deny. A patch has
been made available from sendmail.org which closes the vulnerability. |
| Alerts: |
|
Comments (none posted)
Sharutils potential privilege escalation using uudecode
| Package(s): | sharutils |
| CVE #(s): | CAN-2002-0178 |
| Created: | May 21, 2002 |
| Updated: | October 30, 2002 |
| Description: |
According to the CVE entry,
"uudecode, as available in the sharutils package before 4.2.1, does not
check whether the filename of the uudecoded file is a pipe or symbolic
link, which could allow attackers to overwrite files or execute commands."
(First LWN report: May 16.)
|
| Alerts: |
|
Comments (none posted)
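The missing check from the uudecode entry above, as an added example (the editor's code, not sharutils'): open the output name without following a symlink at the final component, without blocking on or writing into a FIFO, and confirm with fstat that the thing opened is a regular file before truncating it, while still overwriting an ordinary existing file as uudecode does. The scenarios (a plain name, a symlink to another file, a FIFO) are constructed in a scratch directory; the errno chosen for the refusal is the editor's.

```python
import errno
import os
import stat
import tempfile


def open_output_safely(path, mode=0o644):
    """Open 'path' for writing with the checks the affected uudecode lacked:
    never follow a symlink at the final component (O_NOFOLLOW), never block on
    a FIFO (O_NONBLOCK, so a reader-less pipe fails instead of hanging), and
    confirm via fstat that what was opened is a regular file before truncating.
    Existing regular files are still overwritten, matching uudecode's semantics."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | os.O_NONBLOCK
    fd = os.open(path, flags, mode)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(errno.EINVAL, "refusing to write to non-regular file", path)
        os.ftruncate(fd, 0)
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "wb")


def write_decoded(path, data):
    """Stand-in for the 'write the decoded bytes' step."""
    with open_output_safely(path) as f:
        f.write(data)


def attempt(path, data=b"decoded payload\n"):
    """'written', or the errno name of the refusal."""
    try:
        write_decoded(path, data)
        return "written"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))


def demo_scenarios():
    """Constructed scenarios in a scratch directory: a plain name, a name that
    is a symlink to another file, and a name that is a FIFO.  Returns the
    outcome of each plus whether the symlink's target was left untouched."""
    with tempfile.TemporaryDirectory() as d:
        plain = os.path.join(d, "plain.out")
        target = os.path.join(d, "victim.txt")
        with open(target, "wb") as f:
            f.write(b"original\n")
        link = os.path.join(d, "link.out")
        os.symlink(target, link)
        fifo = os.path.join(d, "fifo.out")
        os.mkfifo(fifo)
        results = {
            "plain": attempt(plain),
            "symlink": attempt(link),
            "fifo": attempt(fifo),
        }
        with open(target, "rb") as f:
            results["target_untouched"] = f.read() == b"original\n"
        return results
```

On Linux the symlink case fails with ELOOP from O_NOFOLLOW and the reader-less FIFO with ENXIO from O_NONBLOCK; a FIFO that does have a reader opens successfully and is caught by the fstat check instead, which is why both layers are there.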
Multiple vulnerabilities fixed in Squid-2.4.STABLE7
| Package(s): | squid |
| CVE #(s): | |
| Created: | July 8, 2002 |
| Updated: | November 15, 2002 |
| Description: |
Here is the security advisory for the Squid proxy server reporting several vulnerabilities in versions prior to 2.4.STABLE7.
Several of the bugs are believed to allow remote code execution.
The security advisory lists the following
changes:
- Several bugfixes and cleanup of the Gopher client, both
to correct some security issues and to make Squid properly
render certain Gopher menus.
- Security fixes in how Squid parses FTP directory listings into
HTML.
- FTP data channels are now sanity checked to match the address
of the requested FTP server, to prevent theft or injection
of data. See the new ftp_sanitycheck directive if this sanity
check is not desired.
- The MSNT auth helper has been updated to v2.0.3+fixes for
buffer overflow security issues found in this helper.
- A security issue in how Squid forwards proxy authentication
credentials has been fixed.
|
| Alerts: |
|
Comments (none posted)
squirrelmail: cross-site scripting vulnerability
| Package(s): | squirrelmail |
| CVE #(s): | CAN-2002-1131, CAN-2002-1132 |
| Created: | October 16, 2002 |
| Updated: | January 2, 2003 |
| Description: |
The SquirrelMail web mail package has a cross-site scripting vulnerability; versions 1.2.7 and prior are affected. See the advisory for details. |
| Alerts: |
|
Comments (none posted)
syslog-ng: buffer overflow vulnerability
| Package(s): | syslog-ng |
| CVE #(s): | |
| Created: | October 16, 2002 |
| Updated: | November 14, 2002 |
| Description: |
Versions 1.4.15 and 1.5.20 (and prior) of the syslog-ng system logging package have a remotely exploitable buffer overflow vulnerability; see this advisory for the details. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar, unzip |
| CVE #(s): | CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399 |
| Created: | October 1, 2002 |
| Updated: | April 9, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
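The filtering the tar entry above says was missing, as an added example (the editor's code, not GNU tar's or unzip's): every member name is rejected if it is absolute or still contains a ".." component after normalisation, symlink and hardlink members are rejected if their target would land outside the extraction directory, and the final resolved path is checked to stay under the destination. The hostile archive is constructed in memory for the demonstration and mixes one harmless file with the escape tricks described; it is not a real-world sample. The same name checks apply to zip members, which the example does not repeat.

```python
import io
import os
import posixpath
import tarfile
import tempfile


def is_safe_name(name):
    """Relative, and no '..' component left after normalisation."""
    if not name or name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return False
    return ".." not in posixpath.normpath(name).split("/")


def member_is_safe(member):
    """Apply is_safe_name to the entry name and, for links, to where the link
    would point once created, so a link cannot be used to escape either."""
    if not is_safe_name(member.name):
        return False
    if member.issym():
        where = posixpath.join(posixpath.dirname(member.name), member.linkname)
        return not member.linkname.startswith("/") and is_safe_name(where)
    if member.islnk():
        return is_safe_name(member.linkname)
    return True


def safe_extract(tar_bytes, dest):
    """Extract only members that pass member_is_safe and whose final path stays
    under dest.  Returns the sorted names of rejected members."""
    dest = os.path.realpath(dest)
    rejected = []
    # Python 3.12+ also offers tarfile's own 'data' filter; use it when present.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for m in tf.getmembers():
            target = os.path.realpath(os.path.join(dest, m.name))
            if not member_is_safe(m) or os.path.commonpath([dest, target]) != dest:
                rejected.append(m.name)
                continue
            tf.extract(m, path=dest, **kwargs)
    return sorted(rejected)


def build_hostile_tar():
    """Constructed archive (not a real-world sample) mixing one harmless file
    with the escape tricks the text describes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        add_file("good.txt", b"harmless\n")
        add_file("../evil.txt", b"overwrites a file above dest\n")
        add_file("/tmp/abs.txt", b"absolute path\n")
        add_file("sub/../../evil2.txt", b"escapes after normalisation\n")
        link = tarfile.TarInfo("link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tf.addfile(link)
    return buf.getvalue()


def demo():
    """Unpack the hostile archive into a scratch 'out' directory and report
    (rejected members, files created in out, anything that escaped to its parent)."""
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "out")
        os.mkdir(dest)
        rejected = safe_extract(build_hostile_tar(), dest)
        created = sorted(os.listdir(dest))
        escaped = sorted(n for n in os.listdir(d) if n != "out")
        return rejected, created, escaped
```

Checking the name alone is not enough, which is why the link targets and the resolved final path are checked too: a symlink member pointing above the destination followed by a file member written through it is the classic way to get past a filter that only looks for "../".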
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
| CVE #(s): | |
| Created: | May 21, 2002 |
| Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
Tomcat 4.x JSP source code exposure vulnerability
| Package(s): | tomcat |
| CVE #(s): | |
| Created: | September 25, 2002 |
| Updated: | January 29, 2003 |
| Description: |
Rossen Raykov reports that Tomcat 4.0.5 and 4.1.12 fix a JSP source code exposure vulnerability
in "Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also)".
The current version of Tomcat is available here.
|
| Alerts: |
|
Comments (none posted)
Local root vulnerability in chfn
| Package(s): | util-linux |
| CVE #(s): | CAN-2002-0638 |
| Created: | July 29, 2002 |
| Updated: | October 30, 2002 |
| Description: |
chfn (change finger information) is one of the utilities in
the util-linux package.
The BindView RAZOR Team has discovered a local root vulnerability
in chfn which is described in the BindView advisory:
under certain conditions, "a
carefully crafted attack sequence can be performed to exploit a
complex file locking and modification race present in this utility,
and, as a result, alter /etc/passwd to escalate privileges in the
system." The conditions include a password file, /etc/passwd, larger than 4 kilobytes, with the attacker's account record located in any
but the last 4 kB chunk of the file.
CERT/CC Vulnerability Note VU#405955: util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility |
| Alerts: |
|
Comments (none posted)
webalizer: reverse DNS buffer overflow vulnerability
| Package(s): | webalizer |
| CVE #(s): | |
| Created: | May 21, 2002 |
| Updated: | January 27, 2003 |
| Description: |
This one sounds nasty. The cause is a buffer overflow bug:
if reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victim's DNS may spoof responses, thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002.)
|
| Alerts: |
|
Comments (none posted)
Webmin/Usermin vulnerabilities
| Package(s): | webmin |
| CVE #(s): | |
| Created: | May 21, 2002 |
| Updated: | January 10, 2003 |
| Description: |
Webmin is a web-based system administration interface for Unix.
Webmin has cross-site scripting and
session ID spoofing vulnerabilities
which are fixed in the May 6, 2002 release of version 0.970
(first LWN report: May 9).
This one is scary: the session ID
spoofing vulnerability allows the "possibility that arbitrary
commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum, avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
|
| Alerts: |
|
Comments (1 posted)
Multiple vulnerabilities in wordtrans
| Package(s): | wordtrans |
| CVE #(s): | CAN-2002-0837 |
| Created: | September 11, 2002 |
| Updated: | February 4, 2003 |
| Description: |
The "wordtrans" interface to multilingual dictionaries suffers from input validation and cross-site scripting vulnerabilities; versions through 1.1pre8 are vulnerable. See this Guardent advisory for details. |
| Alerts: |
|
Comments (none posted)
Problems with libgtop_daemon
| Package(s): | wuftpd libgtop |
| CVE #(s): | |
| Created: | May 21, 2002 |
| Updated: | May 7, 2003 |
| Description: |
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th, the recommendation was to disable the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
|
|