A look at a Linux kernel rejection
The Halloween deadline for submission of new features for the 2.5 kernel
has passed. Linus has not made final decisions on everything on
the wishlist, but most of the new features
which will be in the next stable kernel series are in the development
kernel now. And some developments clearly are not going to be in that next
stable kernel. Negative results are often the most interesting - they
expose interesting information on how the system works. So we'll look at
why a seemingly sensible feature did not get into the 2.5 kernel.
The project in question is the Linux
Kernel Crash Dump (LKCD) subsystem. LKCD comes into play if a Linux
kernel panics; it uses the swap area to create an image of the dying
system. That dump can then used to figure out just what went wrong.
Commercial operating systems have had crash dump capabilities for decades;
crash dumps make life much easier for vendors facing angry customers who
want their systems fixed immediately. Given the increasing interest in
"enterprise" deployments and high-quality support, one would think that a
crash dump capability would be a high priority for inclusion. One would
also think that it would not be controversial, since crash dump support
does not slow down or adversely affect users in any way. So why did it
fail to go in?
Certainly, there were some technical concerns about LKCD. A kernel which
is crashing is, by definition, not functioning properly; do you
really want that kernel to write massive amounts of data to disk as
its last act? Some developers fear that LKCD has not taken sufficient care
to avoid overwriting files as it saves its dump to disk. There is no real
history of people having their systems trashed by LKCD, but the worry
remains.
LKCD has not played the kernel political game all that well. In some
cases, it is enough to write code and ask that it be merged. But, as a
general rule, you have to convince Linus that the development really
belongs in his kernel. In practice, that means turning one or more of the
top-tier developers into an advocate for your work. The LKCD developers
have not done that; instead, they have tried putting pressure on Linus
directly. Linus responded by digging in his heels and stating: "...right now I won't touch LKCD
with a ten-foot pole, if only because I've been mail-bombed by people who
argue for it when I have better things to do than to explain myself over
and over again."
But neither of those reasons are the real reason why LKCD got left out in
the cold. As Linus has been saying for a few years, his real job anymore
is saying "no" to people. He says "no" to anything that, in his opinion,
does not really have to be in his kernel. It is a hard job; it requires
enough backbone (and ego) to stand up against great pressure at times. But
it is also a crucial role that must be played well if the kernel code is to
remain maintainable over the long term.
Linus said "no" to LKCD because he did see any real advantage to having it
in his kernel. LKCD, says Linus, is a "vendor-driven" development. Since
LKCD is vendor driven, the vendors that are interested can merge it into
their trees. That is what free software is all about, of course.
This attitude may seem a little harsh, but it makes sense when you consider
a couple of points:
- Vendors, with very rare exception, do not ship Linus's kernels as
he distributes them. Most vendor kernels are heavily patched, with
dozens (or even hundreds) of changes and added features. The spec file for the 2.4.18 kernel shipped
with Red Hat Linux 8.0 lists a full 200 patches; Red Hat has
added User-mode Linux, TUX, the O(1) scheduler, the low-latency patch,
NAPI, netdump (a network-based crash dumper), etc. LKCD would
be a small addition to the list of patches already applied by
distributors. The fact that few vendors have included LKCD suggests
that they, who are the main market for such a feature, are not yet
interested in it.
- It is hard to imagine any vendor being interested in a crash dump
that comes from anything other than one of their own stock
kernels. Linux empowers any user to obtain and build any kernel they
want, but those users cannot, in general, expect their vendors to
chase bugs in "roll your own" kernels.
So, by suggesting that interested vendors patch in LKCD themselves, Linus
is getting that code to the places where it is useful without having to put
it into his tree. A certain amount of kernel source bloat is avoided, the
way is left open for other potential crash dump implementations, and LKCD
is still easily deployed in the situations where it is needed. All told,
it is not an entirely unreasonable decision. The
kernel process is often hard on developers, but it important that Linus
continues to say "no" if we want to have a kernel which does not eventually
collapse under its own weight.
(See also: Linus's explanation of why LKCD
didn't go in, and of how to get patches into the kernel in general, and
this week's Kernel page, which looks at the
next steps for the (non-merged) EVMS project).
Comments (3 posted)
The Microsoft settlement
Tempting as it may be to pass over the final judgement in the Microsoft
case as not being of interest to Linux users, the truth of the matter is
that there are a couple of things worth saying. Even though this
settlement looks an awful lot like "business as usual."
Free software advocates had hoped, for a while, that the settlement would
at least require the opening of formats and protocols. Imagine the great
things the Samba team could do if it had to spend less time reverse
engineering everything. In the end, the final settlement offers nothing of
value in this regard. Consider:
- Microsoft is required to license its protocols under RAND
terms. These terms involve license fees, of course, and are thus
quite discriminatory against free software.
- Microsoft does not have to license to companies which have a
"history of software counterfeiting or piracy or willful
violation of intellectual property rights." Potential
licensees also have to convince Microsoft of the "authenticity and
viability" of their business, and submit their code to Microsoft for
verification.
The most interesting provision with regard to licensing, though, may well
be this one:
No provision of this Final Judgment shall... Require Microsoft to
document, disclose or license to third parties: (a) portions of
APIs or Documentation or portions or layers of Communications
Protocols the disclosure of which would compromise the security of
a particular installation or group of installations of anti-piracy,
anti-virus, software licensing, digital rights management,
encryption or authentication systems, including without limitation,
keys, authorization tokens or enforcement criteria; or (b) any API,
interface or other information related to any Microsoft product if
lawfully directed not to do so by a governmental agency of
competent jurisdiction.
As has been pointed out by others, the "security" argument could be used to
lock up just about anything that Microsoft does not want to release. And
why, exactly, does the U.S. government reserve to itself the right to
suppress the release of API and protocol information? One assumes that
somebody has something in mind here.
After five years, the entire settlement goes away.
The bottom line is that this decree is not going to help the free software
community to any great extent. But, then, it never really was going to.
Attacking Microsoft is not a useful goal for the free software community;
our purpose is to create and distribute the best free software we can.
And, for those who wish to
see Microsoft in discomfort, it is worth noting that free software has
already caused the company much worry. Microsoft's planned takeover of the
server space has been thwarted, and the company's grip on other computing
markets, while still firm, just does not look as invulnerable as it once
did. Editors, compilers, and the free software development process may yet
prove to be the most effective weapon against software monopolies.
(See also: yet
another leaked Microsoft memo, duly marked up by Eric Raymond. This
one is a survey of opinions toward Linux. "Closing, those who are
familiar with OSS and Linux are favorably predisposed towards them. Linking
this work with other on-point research, we can assume that in the majority
of cases this reported 'favorability' is more emotional than it is
rational.")
Comments (6 posted)
Your weekly report from LWN
It's time for the weekly "report from LWN" column. Read on for the latest
subscription information, the new search engine, gift certificates, and
more.
As of this writing, there are just under 2300 individual LWN subscribers.
In recent times, that number has been growing by about 100 per week - not
quite what we might really like, but enough to keep us reasonably happy if
it continues. Making it continue could prove challenging, however. A
number of subscribers signed up for only one or two months, and those
subscriptions are beginning to expire. Unless those subscriptions get
renewed (hint, hint...), we could conceivably start going backwards.
Here's to hoping that doesn't happen.
One way to help keep that from happening would be to shower your friends
with LWN gift
certificates. It's a great way to support LWN and, simultaneously,
deal with your holiday shopping problems.
We have sold about twenty group subscriptions, including a couple of
reasonably large ones. Next week, perhaps, we'll publicly thank the
companies which wish to be acknowledged in this way.
Meanwhile, LWN once again has a search engine. It
has the basic features one would expect, including the ability to filter on
category and content type. It is indexed as content is generated, so
search results always include the newest content.
For now, only the new site (i.e. content back to last June) is covered; we're
still figuring out what the best solution is for all of our older content.
We may, as one reader suggested, simply put in a link to Google...
That's pretty much it for this week. Thanks to all of you, again, for
supporting LWN.net.
Comments (19 posted)
Page editor: Jonathan Corbet
Security
Security news
Keeping older Debian distributions secure
The Debian Project has
sent out a
survey in an attempt to figure out how many users are still using the
"Potato" distribution. The project's goal is clear: they want to figure
out when they can stop providing security updates for that version of the
distribution. Pulling the plug on Potato may seem a bit premature, given
that Woody was only released back in July. But, for Debian, this move is
already late; remember that support for Debian 2.1 ("Slink") was
withdrawn
just one month after the
Potato release.
Debian is different from most distributions, of course, in that its users
are expected to upgrade quickly. Given the ease of the process, there is
generally little reason to wait. But the simple fact is that people do not
like to upgrade working systems. If a computer is happily doing the tasks
assigned to it, why thrash up the operating system and break things?
Commercial distributors understand this inertia, and most of them go out of
their way to support old distributions for at least a couple of years. As
a volunteer-driven distributor, the Debian Project has had the freedom to
cut off support sooner (because it does not have paying customers), and the
need to do that, because it does not have paid developers who can be sent
off to patch holes in ancient packages.
The fact that the Debian Project is asking for input this time, rather than
simply cutting off support after one month, shows a new sensitivity toward
the needs of users beyond the Debian developer community. This is a good
thing, of course, but Debian, by its nature, will still be limited in the
amount of support it can provide for older versions of its distribution.
This is an area where companies that ship commercial versions of Debian
could contribute back to the project. By paying somebody to fix security
problems in older versions of Debian GNU/Linux, these distributors can
enhance the value of their own products while supporting the project that
supports them.
So far, no vendor of Debian-based distributions has stepped up to this
plate. Indeed, Debian-based distributors tend not to bother with security
updates at all, since the Debian Project itself does such a good job with
them. If these companies are serious about using Debian as a base for a
commercial product, however, they are going to have to get a bit more
serious about long-term support. Otherwise, they are likely to find their
customers going elsewhere.
Comments (2 posted)
CodeWeavers adds KLEZ immunity
CodeWeavers has
announced
a new version (1.3.1) of its CrossOver Office product which features
immunity to the KLEZ virus.
"
Whenever KLEZ attempts to run its
.EXE file from the TMP directory, CrossOver Office 1.3.1 spawns a message to
the user warning them that they may launching an application that could
potentially harm their computer." Bringing Windows applications to
Linux is a good thing for many users, but great care must be taken to not
port Windows problems as well...
Comments (none posted)
New vulnerabilities
linuxconf: bad sendmail configuration file creation
| Package(s): | linuxconf |
CVE #(s): | |
| Created: | November 6, 2002 |
Updated: | November 6, 2002 |
| Description: |
The linuxconf "mailconf" module can create sendmail configurations which allow the server to run as an open relay, instantly turning your site into a spammer's tool and getting you onto blacklists. |
| Alerts: |
|
Comments (1 posted)
log2mail: buffer overflow
| Package(s): | log2mail |
CVE #(s): | |
| Created: | November 6, 2002 |
Updated: | November 6, 2002 |
| Description: |
Enrico Zini discovered a buffer overflow in log2mail, a daemon for watching
logfiles and sending lines with matching patterns via mail. The log2mail
daemon is started upon system boot and runs as root. A specially crafted
(remote) log message could overflow a static buffer, potentially leaving
log2mail to execute arbitrary code as root. |
| Alerts: |
|
Comments (none posted)
luxman: pathname vulnerability
| Package(s): | luxman |
CVE #(s): | CAN-2002-1245
|
| Created: | November 6, 2002 |
Updated: | November 6, 2002 |
| Description: |
LuxMan is a maze game which, one would think, would not be much of a threat. It has, however, a pathname vulnerability that can be turned into a local root exploit. Versions through 0.41 are vulnerable. |
| Alerts: |
|
Comments (none posted)
Mozilla: Privacy leak and other vulnerabilities
| Package(s): | mozilla |
CVE #(s): | CAN-2002-1126
CAN-2002-1091
|
| Created: | November 1, 2002 |
Updated: | February 13, 2003 |
| Description: |
Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape and
Galeon, set the document referrer too quickly in certain situations when a
new page is being loaded, which allows web pages to determine the next page
that is being visited, including manually entered URLs.
Netscape 6.2.3 and earlier, and Mozilla 1.0.1, allow remote attackers to
corrupt heap memory and execute arbitrary code via a GIF image with a zero
width.
See also Mozilla's
Recently fixed security issues page.
All users are encouraged to upgrade to this latest stable 1.0.x release of
Mozilla. |
| Alerts: |
|
Comments (none posted)
perl-MailTools: remote command execution
| Package(s): | MailTools |
CVE #(s): | CAN-2002-1271
|
| Created: | November 5, 2002 |
Updated: | September 19, 2003 |
| Description: |
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.
|
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
Apache shared memory scoreboard vulnerabilities
| Package(s): | apache |
CVE #(s): | CAN-2002-0839
|
| Created: | October 9, 2002 |
Updated: | December 18, 2002 |
| Description: |
Versions of Apache prior to 1.3.27 contain a couple of scoreboard-related
vulnerabilities which can be exploited by local users running under the
Apache user ID. In-server scripting languages, such as PHP, are the most
likely means of carrying out the attacks. One vulnerability causes the
server to fork off new processes, leading to denial of service scenarios;
the other allows an attacker to send SIGUSR1 to any process as root,
probably killing that process. See this
iDEFENSE advisory for the details. |
| Alerts: |
|
Comments (3 posted)
Heap corruption vulnerability in at
| Package(s): | at at, sudo, xchat |
CVE #(s): | CAN-2002-0004
|
| Created: | May 20, 2002 |
Updated: | May 15, 2003 |
| Description: |
The at command has a
potentially exploitable heap corruption bug.
(First LWN report: January 17th).
|
| Alerts: |
|
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
CVE #(s): | CAN-2002-0651
CAN-2002-0684
|
| Created: | July 8, 2002 |
Updated: | September 30, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Firch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"
used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
CAN-2002-0651
CAN-2002-0684 |
| Alerts: |
|
Comments (1 posted)
bzip2: file creation and symbolic link vulnerabilities
| Package(s): | bzip2 |
CVE #(s): | CAN-2002-0759
CAN-2002-0760
CAN-2002-0761
|
| Created: | October 29, 2002 |
Updated: | October 30, 2002 |
| Description: |
bzip2 does not use the O_EXCL flag to create files during
decompression and does not warn the user if an existing file
would be overwritten, which could allow attackers to overwrite
files via a bzip2 archive.
bzip2 decompresses files with world-readable permissions
before setting the permissions to what is specified in the
bzip2 archive, which could allow local users to read the files
as they are being decompressed.
bzip2 uses the permissions of symbolic links instead of the
actual files when creating an archive, which could cause the
files to be extracted with less restrictive permissions than
intended. |
| Alerts: |
|
Comments (none posted)
Potential unauthorized root access vulnerability in dietlibc
| Package(s): | dietlibc |
CVE #(s): | CAN-2002-0391
|
| Created: | August 14, 2002 |
Updated: | December 5, 2002 |
| Description: |
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library with is used in
dietlibc, a libc optimized for small size.
The bug could be exploited to gain unauthorized root
access to software linking to dietlibc.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream |
| Alerts: |
|
Comments (none posted)
dvips: command execution vulnerability
| Package(s): | dvips |
CVE #(s): | CAN-2002-0836
|
| Created: | October 16, 2002 |
Updated: | June 10, 2003 |
| Description: |
The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system. |
| Alerts: |
|
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
Another set of fetchmail buffer overflows
| Package(s): | fetchmail fetchmail-ssl |
CVE #(s): | |
| Created: | October 1, 2002 |
Updated: | December 17, 2002 |
| Description: |
e-matters GmbH has issued an advisory
warning of a new set of buffer overflows in the fetchmail header parsing
code. The vulnerabilities have been fixed in fetchmail 6.1.0. |
| Alerts: |
|
Comments (none posted)
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
CVE #(s): | CAN-2002-0435
|
| Created: | May 20, 2002 |
Updated: | May 16, 2003 |
| Description: |
A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
|
| Alerts: |
|
Comments (none posted)
Potential remote root exploit in glibc
| Package(s): | glibc |
CVE #(s): | CAN-2002-0391
|
| Created: | August 14, 2002 |
Updated: | June 29, 2003 |
| Description: |
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
|
| Alerts: |
|
Comments (none posted)
Buffer overflow in groff
| Package(s): | groff |
CVE #(s): | CAN-2002-0003
|
| Created: | May 20, 2002 |
Updated: | December 9, 2002 |
| Description: |
The groff package has a buffer overflow
vulnerability; if it is used with the print system, it is conceivably
exploitable remotely.
|
| Alerts: |
|
Comments (none posted)
Buffer overflow in gv
| Package(s): | gv |
CVE #(s): | CAN-2002-0838
|
| Created: | October 1, 2002 |
Updated: | November 25, 2002 |
| Description: |
gv, a graphical front end to ghostscript, has a buffer overflow
vulnerability which can be exploited by a properly crafted PostScript or
PDF file. If a user can be tricked into viewing such a file, arbitrary
code can be executed with that user's privileges. See this iDEFENSE advisory for the details. |
| Alerts: |
|
Comments (none posted)
heartbeat: remotely exploitable buffer overflow
| Package(s): | heartbeat |
CVE #(s): | |
| Created: | October 16, 2002 |
Updated: | November 6, 2002 |
| Description: |
The heartbeat failover system has a remotely exploitable buffer overflow
vulnerability; versions prior to 0.4.9e and 0.4.9.2 are affected. Any
system that is worth running heartbeat on is worth upgrading. See the advisory for the details. |
| Alerts: |
|
Comments (none posted)
UW imapd remotely exploitable buffer overflow
| Package(s): | imap |
CVE #(s): | CAN-2002-0379
|
| Created: | June 5, 2002 |
Updated: | December 20, 2002 |
| Description: |
UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft
a request to run commands on the server under their UID and GID.
(First LWN report: May 23). |
| Alerts: |
|
Comments (2 posted)
inn: format string and insecure open vulnerabilities
| Package(s): | inn |
CVE #(s): | |
| Created: | October 30, 2002 |
Updated: | October 30, 2002 |
| Description: |
There are several format string coding bugs as well as unsecure open()
calls in the inn program. |
| Alerts: |
|
Comments (none posted)
Cross-site scripting vulnerability in Konqueror for KDE 3.0.3
| Package(s): | kdelibs |
CVE #(s): | |
| Created: | September 17, 2002 |
Updated: | November 18, 2002 |
| Description: |
Konqueror for KDE 3.0.3, and earlier versions, is subject to
this cross-site
scripting vulnerability.
Since the problem is in kdelibs, any other application which
uses the KHTML renderer is also vulnerable.
Javascript code running in one frame can
access other frames which should be inaccessible. The problem is
fixed in kdelibs 3.0.3a. |
| Alerts: |
|
Comments (2 posted)
kernel: several security issues fixed
| Package(s): | kernel |
CVE #(s): | |
| Created: | October 22, 2002 |
Updated: | November 22, 2002 |
| Description: |
A number of security fixes have gone out for the 2.2 and 2.4 kernels. There are no known exploits at this time, but upgrading will make sense anyway. As always with kernel updates, read the distributor instructions carefully; there is usually more involved than just installing a new package. |
| Alerts: |
|
Comments (none posted)
krb5: Buffer Overflow in Kerberos Administration Daemon
| Package(s): | krb5, heimdal |
CVE #(s): | CAN-2002-1235
|
| Created: | October 29, 2002 |
Updated: | January 14, 2003 |
| Description: |
CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon
Systems Affected
- MIT Kerberos version 4 and version 5 up to and including
krb5-1.2.6
- KTH eBones prior to version 1.2.1 and KTH Heimdal prior to version
0.5.1
- Other Kerberos implementations derived from vulnerable MIT or KTH
code
Overview
Multiple Kerberos distributions contain a remotely exploitable buffer
overflow in the Kerberos administration daemon. A remote attacker
could exploit this vulnerability to gain root privileges on a
vulnerable system.
The CERT/CC has received reports that indicate that this vulnerability
is being exploited. In addition, MIT advisory MITKRB5-SA-2002-002
notes that an exploit is circulating.
We strongly encourage sites that use vulnerable Kerberos distributions
to verify the integrity of their systems and apply patches or upgrade
as appropriate. |
| Alerts: |
|
Comments (none posted)
LPRng accepts jobs from any host.
| Package(s): | LPRng |
CVE #(s): | CAN-2002-0378
|
| Created: | June 12, 2002 |
Updated: | October 31, 2002 |
| Description: |
Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host.
This could be an especially annoying vulnerability for adminstrators
with systems exposed to the general public.
|
| Alerts: |
|
Comments (none posted)
Cross-site scripting vulnerability in mhonarc
| Package(s): | mhonarc |
CVE #(s): | CAN-2002-0738
CAN-2002-1307
CAN-2002-1388
|
| Created: | September 11, 2002 |
Updated: | January 3, 2003 |
| Description: |
Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to cross-site scripting problems when presented with maliciously crafted messages. This problem is fixed in mhonarc version 2.5.3, but it is not clear that all possible vulnerabilities have been fixed. See the Debian advisory below for information on how to disable text/html attachment support in mhonarc, which may be a more secure solution. |
| Alerts: |
|
Comments (none posted)
PHP Remote Compromise/DOS Vulnerability
| Package(s): | mod_php4 |
CVE #(s): | |
| Created: | July 22, 2002 |
Updated: | February 18, 2003 |
| Description: |
PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which
can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.
According to the CERT Advisory,
almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP.
Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP
4.2.0 or 4.2.1 installed,
is to upgrade to PHP 4.2.2.
For more information see the alert from
the discover of the vulnerability, Stefan Esser of e-matters GmbH,
or the security
advisory from the php team.
CERT Advisory: CA-2002-21 Vulnerability in PHP |
| Alerts: |
|
Comments (1 posted)
mod_ssl: cross site scripting problem
| Package(s): | mod_ssl, libapache-mod-ssl |
CVE #(s): | CAN-2002-1157
|
| Created: | October 22, 2002 |
Updated: | December 12, 2002 |
| Description: |
Joe Orton discovered a cross site scripting problem in mod_ssl, an
Apache module that adds Strong cryptography (i.e. HTTPS support) to
the webserver. The module will return the server name unescaped in
the response to an HTTP request on an SSL port.
Like the other recent Apache XSS bugs, this only affects servers using
a combination of "UseCanonicalName off" and wildcard DNS. This is very
unlikely to happen, though. Apache 2.0/mod_ssl is not vulnerable since it
already escapes this HTML. |
| Alerts: |
|
Comments (none posted)
ypserv: NIS information leak
| Package(s): | nis, ypserv |
CVE #(s): | CAN-2002-1232
|
| Created: | October 21, 2002 |
Updated: | December 5, 2002 |
| Description: |
Thorsten Kukuck discovered a problem in the ypserv program which is
part of the Network Information Services (NIS). A memory leak in all
versions of ypserv prior to 2.5 is remotely exploitable. When a
malicious user could request a non-existing map the server will leak
parts of an old domainname and mapname. |
| Alerts: |
|
Comments (none posted)
Buffer overflow in nss_ldap
| Package(s): | nss_ldap |
CVE #(s): | CAN-2002-0825
CAN-2002-0374
|
| Created: | October 9, 2002 |
Updated: | December 11, 2002 |
| Description: |
The nss_ldap package has a buffer overflow which can be exploited when the
module configures itself from information in DNS. The problem is fixed in
nss_ldap-199 and later. |
| Alerts: |
|
Comments (none posted)
Remotely exploitable vulnerability in pine
| Package(s): | pine |
CVE #(s): | CAN-2002-0014
|
| Created: | May 20, 2002 |
Updated: | November 27, 2002 |
| Description: |
Pine has an
unpleasant
vulnerability in URL handling vulnerability which can lead to
command execution by remote attackers.
(First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution,
setting enable-msg-view-urls to "off" in pine's setup will
avoid the vulnerability. (Thanks to Greg Herlein).
|
| Alerts: |
|
Comments (none posted)
Buffer overflow vulnerabilities in PostgreSQL
| Package(s): | PostgreSQL |
CVE #(s): | |
| Created: | August 21, 2002 |
Updated: | January 27, 2003 |
| Description: |
PostgreSQL 7.2.2 has been released in response to a number of buffer
overrun vulnerabilities which have been identified recently. "...it
should be noted that these vulnerabilities are only critical on 'open' or
'shared' systems, as they require the ability to be able to connect to the
database before they can be exploited."
Buffer overflow vulnerabilities fixed include those reported by
"Sir Mordred The Traitor" in the cash_words,
repeat, and lpad
and rpad functions. |
| Alerts: |
|
Comments (none posted)
PXE server denial of service vulnerability
| Package(s): | pxe |
CVE #(s): | CAN-2002-0835
|
| Created: | September 4, 2002 |
Updated: | November 11, 2002 |
| Description: |
The PXE server can be crashed using DHCP packets from
some Voice Over IP (VOIP) phones. Maliciously formed
DHCP packets could be used by a remote attacker to effect a
denial of service attack.
The PXE package contains the PXE (Preboot eXecution Environment)
server and code needed for Linux to boot from a boot disk image on a
Linux PXE server.
|
| Alerts: |
|
Comments (none posted)
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
CVE #(s): | CAN-2002-1119
|
| Created: | August 28, 2002 |
Updated: | September 30, 2003 |
| Description: |
Zack Weinberg discovered that
os._execvpe from os.py uses a predictable name which could lead
to execution of arbitrary code. According to the Debian
advisory, the problem
was present in Python versions 1.5, 2.1 and 2.2.
CAN-2002-1119 |
| Alerts: |
|
Comments (none posted)
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
CVE #(s): | CAN-2002-1323
|
| Created: | October 9, 2002 |
Updated: | February 20, 2004 |
| Description: |
usePerl has a
description of a vulnerability in the Safe.pm Perl module. It seems
that if a Safe compartment is used more than once, it ceases to be safe.
The problem is fixed in Safe 2.08. |
| Alerts: |
|
Comments (none posted)
sendmail smrsh bypass vulnerability
| Package(s): | sendmail |
CVE #(s): | CAN-2002-1165
|
| Created: | October 2, 2002 |
Updated: | November 29, 2002 |
| Description: |
iDEFENSE has posted an advisory warning of a
couple of ways of bypassing the restrictions imposed by the sendmail
"smrsh" utility. smrsh puts limits on which programs a user may run out of
a .forward file; this vulnerability could give a local user
undesired access to the mail server system. A patch has
been made available from sendmail.org which closes the vulnerability. |
| Alerts: |
|
Comments (none posted)
Sharutils potential privilege escalation using uudecode
| Package(s): | sharutils |
CVE #(s): | CAN-2002-0178
|
| Created: | May 20, 2002 |
Updated: | October 30, 2002 |
| Description: |
According to the CVE entry,
"uudecode, as available in the sharutils package before 4.2.1, does not
check whether the filename of the uudecoded file is a pipe or symbolic
link, which could allow attackers to overwrite files or execute commands."
(First LWN
report: May 16).
|
| Alerts: |
|
Comments (none posted)
Multiple vulnerabilities fixed in Squid-2.4.STABLE7
| Package(s): | squid |
CVE #(s): | |
| Created: | July 8, 2002 |
Updated: | November 15, 2002 |
| Description: |
Here is the security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE7.
Several of the bugs are believed to allow remote code execution.
The security advisory lists the following
changes:
- Several bugfixes and cleanup of the Gopher client, both
to correct some security issues and to make Squid properly
render certain Gopher menus.
- Security fixes in how Squid parses FTP directory listings into
HTML
- FTP data channels are now sanity checked to match the address
of the requested FTP server. This to prevent theft or injection
of data. See the new ftp_sanitycheck directive if this sanity
check is not desired.
- The MSNT auth helper has been updated to v2.0.3+fixes for
buffer overflow security issues found in this helper.
- A security issue in how Squid forwards proxy authentication
credentials has been fixed
|
| Alerts: |
|
Comments (none posted)
squirrelmail: cross-site scripting vulnerability
| Package(s): | squirrelmail |
CVE #(s): | CAN-2002-1131
CAN-2002-1132
|
| Created: | October 16, 2002 |
Updated: | January 2, 2003 |
| Description: |
The Squirrelmail web mail package has a cross-site scriptinog vulnerability; versions 1.2.7 and prior are affected. See the advisory for details. |
| Alerts: |
|
Comments (none posted)
syslog-ng: buffer overflow vulnerability
| Package(s): | syslog-ng |
CVE #(s): | |
| Created: | October 16, 2002 |
Updated: | November 14, 2002 |
| Description: |
Versions 1.4.15 and 1.5.20 (and prior) of the syslog-ng system logging package have a remotely exploitable buffer overflow vulnerability; see this advisory for the details. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 9, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
Tomcat 4.x JSP source code exposure vulnerability
| Package(s): | tomcat |
CVE #(s): | |
| Created: | September 25, 2002 |
Updated: | January 29, 2003 |
| Description: |
Rossen Raykov reports that Tomcat 4.0.5 and 4.1.12 fix a JSP source code exposure vulnerability
in "Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also).".
The current version of Tomcat is available here.
|
| Alerts: |
|
Comments (none posted)
Local root vulnerability in chfn
| Package(s): | util-linux |
CVE #(s): | CAN-2002-0638
|
| Created: | July 29, 2002 |
Updated: | October 30, 2002 |
| Description: |
chfn (change finger information) is one of the utilities in
the util-linux package.
The BindView RAZOR Team has discovered a local root vulnerability
in chfn which is described in the Bindview Advisory.
Under certain conditions, "a
carefully crafted attack sequence can be performed to exploit a
complex file locking and modification race present in this utility,
and, as a result, alter /etc/passwd to escalate privileges in the
system." The conditions include a password file, /etc/passwd, over 4 kilobytes and locating the attacker's account record in any
but the last 4 kB chunk of the file.
CERT/CC Vulnerability Note VU#405955 util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility |
| Alerts: |
|
Comments (none posted)
webalizer: reverse DNS buffer overflow vulnerability
| Package(s): | webalizer |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | January 27, 2003 |
| Description: |
The cause is a buffer overflow bug.
This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victims DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
|
| Alerts: |
|
Comments (none posted)
Webmin/Usermin vulnerabilities
| Package(s): | webmin |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | January 10, 2003 |
| Description: |
Webmin is a web-based interface for
system administration for Unix.
Webmin has cross-site scripting and
session ID spoofing vulnerabilities
which are fixed in the May 6, 2002 release of version 0.970.
(First LWN
report: May 9).
This one is scary. The session ID
spoofing vulnerability allows the "possibility that arbitrary
commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
|
| Alerts: |
|
Comments (1 posted)
Multiple vulnerabilities in wordtrans
| Package(s): | wordtrans |
CVE #(s): | CAN-2002-0837
|
| Created: | September 11, 2002 |
Updated: | February 4, 2003 |
| Description: |
The "wordtrans" interface to multilingual dictionaries suffers from input validation and cross-site scripting vulnerabilities; versions through 1.1pre8 are vulnerable. See this Guardent advisory for details. |
| Alerts: |
|
Comments (none posted)
Problems with libgtop_daemon
| Package(s): | wuftpd libgtop |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | May 7, 2003 |
| Description: |
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
|
| Alerts: |
|
Comments (1 posted)
Wwwoffle remote privilege escalation vulnerability
| Package(s): | wwwoffle |
CVE #(s): | CAN-2002-0818
|
| Created: | August 14, 2002 |
Updated: | September 30, 2003 |
| Description: |
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content Length values.
"It is believed
that an attacker could exploit this bug to gain remote wwwrun access
to the system wwwoffled is running on."
CAN-2002-0818 |
| Alerts: |
|
Comments (none posted)
Denial of service vulnerability in xinetd
| Package(s): | xinetd |
CVE #(s): | |
| Created: | August 14, 2002 |
Updated: | December 3, 2002 |
| Description: |
A file descriptor leak into services started from xinetd
may be used, by programs it stats, to crash xinetd.
Xinetd is a replacement for the BSD derived inetd. |
| Alerts: |
|
