LWN.net Logo

LWN.net Weekly Edition for July 21, 2005

Debconf5: Structural Evolution

Debconf5 sign Debconf5, the sixth annual Debian Conference, recently descended upon the Helsinki University of Technology (HUT) in Espoo, Finland. LWN reporter Rebecca Sobol was privileged to attend this year's event.

Hundreds of Debian developers, maintainers, translators, users and fans joined together for an overflowing week's worth of talks, BOFs, hacking and partying. Debian GNU/Linux is the largest distribution project in many ways; lots of developers (around 200 Debian Developers plus scores of package maintainers, documentation authors and translators), support for more architectures, lots of packages (nearly 15,000 binary packages are available), more derived distributions using it as a base, and soon even a choice between Linux and Hurd kernels. The Debian community is massive and scattered around the globe.

Debconf5 group During the year these people keep in touch through a variety of mailing lists and IRC channels, but the annual Debconf provides people with a chance to meet face to face to talk about their favorite operating system. Each year Debconf meets in a different part of the world to make it more accessible to some portion of its global community. This year's conference in Finland brought out over ninety Finns, followed by a full gross of people from Germany, the United Kingdom, the United States, Sweden, Spain and Norway. It was also accessible to a handful of people from the Russian Federation and other parts of Eastern Europe. A few traveled greater distances to come from South America, New Zealand and Fiji. All told, there were people from over thirty countries at this year's event.

Debian is large, and it is all volunteer. A few people have found or created jobs for themselves where they can be paid to work on Debian, at least part of the time, but they are in the minority. The organization is guided by a social contract and maintains a strong commitment to software freedom.

Bdale Garbee, long time Debian developer and former Debian Project Leader gave a talk on Debian's Structural Evolution, subtitled Musings on Debian, Today and Tomorrow. He has serious concerns that Debian has grown too large for its infrastructure. For example, each year Debian developers elect a Project Leader. For nine weeks each year a few prominent Debian developers cease working as a team to compete for a job that has grown too complex for a single person. Only Debian developers are allowed to vote, leaving hundreds, or more likely thousands of Debian volunteers and users with no say whatsoever.

Some of Debian's infrastructure is ably provided by Software in the Public Interest (SPI). However too few Debian developers are involved in SPI, which oversees many other projects. Also it not in SPI's mandate to provide technical guidance, that is the role of the Technical Committee. Bdale finds the committee, as currently defined, is not particularly satisfying. The committee could use a periodic review and refresh, which is currently not happening.

The current DPL, Branden Robinson started Project SCUD as an attempt to address some of these issues while working within the constraints of the Debian constitution. However Bdale (a member of SCUD) finds that the relationship between the DPL and the project is not clear. The team is self-selected and does not include a representative sampling of Debian project participants.

Perhaps it is time to replace the DPL and Technical Committee with an elected leadership board. Candidates would be motivated to campaign on their teamwork skills and more people would be willing to be involved in Debian's leadership. Perhaps a way could be found to allow the greater Debian community a voice in this process. Perhaps this would make Debian even stronger.

Comments (10 posted)

Delays in security updates

July 20, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

There are a number of reasons that users choose Linux, but security is one of the most often-cited reasons. While Linux distributions certainly see their fair share of security issues, updates are usually issued in a timely fashion.

However, there are times when the process gets bogged down. Security updates for Debian, for example, were not going out in a timely fashion for some time. As reported in Branden Robinson's Debian Project Leader Report for July, security updates were interrupted for some time. This has also been reported in the mainstream press, though members of the Debian team take issue with the actual reporting.

Looking at the security advisories for 2005, one thing that is clear is that no security updates were issued through most of June. There are no updates from June 4 through June 29. Updates resumed on June 30, and there have been a steady stream of updates since then. We e-mailed Martin Schulze about the Debian security delays, and he confirmed the time period.

That is quite a delay for some of the updates. For example, the sudo vulnerability, for example, was addressed in Debian on July 1 for Woody and Sarge. The Fedora Core team released an update for this vulnerability for Fedora Core 3 and Fedora Core 4 on June 21, and Ubuntu released an update on June 21st for Hoary (5.04) and Warty (4.10). Updates for Gaim's recent vulnerabilities were issued on June 16 for FC3 and FC4, and June 10 and June 15 by the Ubuntu team, respectively -- but not for Debian until July 5.

In an e-mail, Schulze said that he didn't know all of the details of the problems that delayed updates, but explained way the process is supposed to work:

When a new release happens the old release, formerly known as "stable", becomes "oldstable" and "testing" becomes "stable."

This change needs to be done on the ftp-master, on the security host and on the wanna-build database (the database behind the buildd network).

In addition to that, on all buildd hosts that are supposed to build packages for "oldstable" as well (not all buildds do), the old "stable" build chroot needs to be renamed to "oldstable" and "oldstable" needs to be enabled in the configuration.

Additionally, on all buildd hosts the "stable" build chroot needs to be updated to the current "stable," or the old "testing" chroot renamed. These are used by the security builds as well.

All this should be done synchronously, but wasn't. On July 7th I wrote in my logbook that the buildd network seems to be finally fixed. Actually it was fixed two days before that article. Before that, one part or another was missing or not fixed totally.

In the Project Leader Report, Robinson points out that there was a failure in infrastructure and communication:

I suspect, given what I know from conversation with some of the principals close to the infrastructure involved in getting our stable security updates out, that that's what we're dealing with. There have been technical failures and communication failures, with the former greatly exacerbated by the latter.

I have asked Andreas Barth to look into this situation and establish as clear a factual record as he can. Using this report, we should be able to attack the areas of weakness. One thing I'd like to see is better documentation of the internal workings of the security update process, perhaps in the Debian Developers' Reference. With a broader understanding of security workflow, I'm hopeful that people will be less likely to draw erroneous inferences about what the causes of problems are, and more likely to make offers of assistance that prove fruitful.

Robinson has also proposed making the security team DPL delegates, and points out that now would be a good time to add new members to the security team roster. Whether that has happened or not, however, remains up in the air. Schulze said that adding new members would be "discussed inside the security team." Robinson has not replied to e-mails asking about the security delays.

Schulze also said that the backlog of security updates that built up through June should be cleared out by now.

Around the same time, the Fedora Legacy project's security updates also seem to have been bottled up. The Fedora Legacy project has a gap for updates between June 5 and July 9, for all Red Hat and Fedora distributions supported by the Fedora Legacy project, Red Hat 7.3 and 9.0, and Fedora Core 1 and Fedora Core 2.

Some of the updates that were released in July by Fedora Legacy were rather tardy indeed. For example the GNU Mailman advisory (CAN-2005-0202), was fixed by other distributions back in February. The PHP advisory on July 10 from Fedora Legacy was addressed back in April by Gentoo, Mandriva and others. (Debian's fix for this bug came out in May.) This post on the Fedora Legacy mailing list from Jesse Keating acknowledges that the legacy project has longer lead times on security updates.

It would seem that Debian's infrastructure problems have been solved, at least for now. However, the gap in updates is somewhat alarming. As a rule, Debian has often been one of the first distributions to issue security updates and advisories, and has developed a well-deserved reputation for being quick to respond to security issues. We hope that the delay in updates while the project was transitioning from Woody to Sarge is a one-time issue, and that the transition from Sarge to Etch, whenever that happens, will happen more smoothly.

The importance of speedy security releases can't be emphasized enough. Aside from the obvious PR problems when a distribution is behind in updates, Linux users need to be able to depend on updates as soon as they can be made available so that they are not subject to exploits any longer than is absolutely necessary.

Comments (2 posted)

Page editor: Rebecca Sobol

Security

Security news

Debconf5: Securing the Testing Distribution

This part of our Debconf5 coverage was inspired by a talk titled Securing the Testing Distribution given by Joey Hess. Debconf5 sign

Debian has several branches, including two currently supported stable branches, Woody and Sarge and the unstable branch, also known as sid. Though usually fairly stable, sid is in constant flux and provides a faster paced target for those who like run the latest and greatest software. The testing branch, on the other hand, provides a look at the next stable version still in development, in this case etch. Testing was first used when woody was in development. Once Woody was released as Debian 3.0 testing became synonymous with sarge. So now that Sarge has been released as Debian 3.1, testing has become etch which will someday to be the next stable version.

The supported stable version(s) (support for Woody will end before we will see an etch release) have a security team providing security updates. Often security fixes are backported to the stable packages. Packages in sid are usually upgraded to a new version of the package in which the problem has been fixed. Up to now there has been no mechanism to provide security updates for testing.

Some of the security issues in stable will have already been fixed in testing's newer packages, but for the most part security fixes have lagged behind stable and unstable. Packages fixed in unstable can automatically migrate to testing, if certain criteria are met, but that comes with a built-in delay. Unrelated release critical bugs in unstable packages could block the security updates from reaching testing. Ironically, those very users most interested in the shape of the next stable version are also those likely to be put off by the lack of security updates.

Those days have come to end. Now there is a security team for testing, with five to six team members and twice that on the mailing list. Some team members are Debian Developers (DDs), but that's not required. The team now proactively looks for holes, checking Debian testing packages against CVE entrys, bugs in the Bug Tracking System (BTS), and watching other security lists.

DDs and package maintainers were asked to document all security issues, including the CVE number in open bug reports. Change log entries and closed bugs should include a CVE number and indicate when security issues are fixed. Tracking and fixing security bugs in etch will make it far more appealing to potential testers, and may even help Debian achieve a more predictable release cycle.

Comments (2 posted)

New vulnerabilities

affix: two remote vulnerabilities

Package(s):affix CVE #(s):CAN-2005-2250 CAN-2005-2277
Created:July 19, 2005 Updated:September 2, 2005
Description: A buffer overflow in the Bluetooth FTP client (BTFTP) in Nokia Affix 2.1.2 and 3.2.0 allows remote attackers to execute arbitrary code via a long filename in an OBEX file share. Also remote attackers may execute arbitrary commands via shell metacharacters in the filename argument of a PUT command.
Alerts:
Debian DSA-762-1 2005-07-19

Comments (none posted)

bugzilla: information disclosure

Package(s):bugzilla CVE #(s):CAN-2005-2173 CAN-2005-2174
Created:July 14, 2005 Updated:July 19, 2005
Description: Bugzilla has a vulnerability that may allow a remote attacker to modify flags of arbitrary bugs, triggering a return email to the attacker as well as a race condition.
Alerts:
Gentoo 200507-12 2005-07-13

Comments (none posted)

ekg: multiple vulnerabilities

Package(s):ekg CVE #(s):CAN-2005-1850 CAN-2005-1851 CAN-2005-1916
Created:July 18, 2005 Updated:August 8, 2005
Description: Several vulnerabilities have been discovered in the ekg contributed scripts. These include an insecure temporary file creation problem, a potential shell command injection problem, and an arbitrary command execution problem.
Alerts:
Ubuntu USN-162-1 2005-08-08
Debian DSA-760-1 2005-07-18

Comments (none posted)

heartbeat: insecure temporary files

Package(s):heartbeat CVE #(s):CAN-2005-2231
Created:July 19, 2005 Updated:August 15, 2005
Description: Eric Romang discovered several insecure temporary file creations in the High Availability Linux Project Heartbeat 1.2.3.
Alerts:
Debian DSA-761-2 2005-08-15
Ubuntu USN-165-1 2005-08-11
Mandriva MDKSA-2005:132 2005-08-09
Gentoo 200508-05 2005-08-07
Debian DSA-761-1 2005-07-19

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:November 27, 2006
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (none posted)

mediawiki: JavaScript code injection

Package(s):mediawiki CVE #(s):
Created:July 20, 2005 Updated:July 20, 2005
Description: MediaWiki has a vulnerability caused by failing to correctly escape a parameter in the page move template. Remote attackers can use this to inject and execute JavaScript code with the permission of the user's browser session.
Alerts:
Gentoo 200507-18 2005-07-20

Comments (none posted)

mozilla-firefox: multiple vulnerabilities

Package(s):mozilla-firefox CVE #(s):
Created:July 14, 2005 Updated:July 22, 2005
Description: A dozen security vulnerabilities that have been fixed in Firefox 1.0.5 and Mozilla 1.7.9 have been back-ported to older versions.
Alerts:
Gentoo 200507-14 2005-07-15
Mandriva MDKSA-2005:120 2005-07-13

Comments (none posted)

mysql: low-impact security fix

Package(s):mysql CVE #(s):CAN-2005-1636
Created:July 20, 2005 Updated:February 22, 2006
Description: An update to MySQL version 4.1.12 fixes a low-impact security problem (bz#158689).
Alerts:
Mandriva MDKSA-2006:045 2006-02-21
Red Hat RHSA-2005:685-01 2005-10-05
Debian DSA-783-1 2005-08-24
Fedora FEDORA-2005-557 2005-07-20

Comments (1 posted)

pam_ldap: plain text authentication leak

Package(s):pam_ldap CVE #(s):CAN-2005-2069
Created:July 14, 2005 Updated:October 17, 2005
Description: pam_ldap and nss_ldap ignore the "ssl start_tls" ldap.conf setting, allowing an attacker to sniff unencrypted passwords and other information.
Alerts:
Red Hat RHSA-2005:767-01 2005-10-17
Red Hat RHSA-2005:751-01 2005-10-17
SuSE SUSE-SR:2005:020 2005-09-12
Ubuntu USN-152-1 2005-07-21
Mandriva MDKSA-2005:121 2005-07-18
Gentoo 200507-13 2005-07-14

Comments (none posted)

phppgadmin: directory traversal vulnerability

Package(s):phppgadmin CVE #(s):CAN-2005-2256
Created:July 18, 2005 Updated:July 19, 2005
Description: A missing input sanitization vulnerability has been discovered in the phppgadmin PHP scripts, sensitive information may be disclosed.
Alerts:
Debian DSA-759-1 2005-07-18

Comments (none posted)

thunderbird mozilla firefox: multiple vulnerabilities

Package(s):thunderbird firefox mozilla CVE #(s):CAN-2005-0989 CAN-2005-1159 CAN-2005-1160 CAN-2005-1532 CAN-2005-2261 CAN-2005-2265 CAN-2005-2266 CAN-2005-2269 CAN-2005-2270
Created:July 20, 2005 Updated:September 1, 2005
Description: Multiple vulnerabilities have been found in the Mozilla Thunderbird email client, as well as the Mozilla Suite and Firefox and Mozilla based other browsers. Bugs include an anonymous function handling bug, a JavaScript validation problem, privileged UI code handling DOM nodes, a JavaScript privilege escalation, a problem with Javascript in XBL controls, improper handling of child frames, a DOM name code execution vulnerability, and a base object clone problem.
Alerts:
Debian DSA-779-2 2005-09-01
Mandriva MDKSA-2005:127-1 2005-08-26
Debian DSA-781-1 2005-08-23
Debian DSA-779-1 2005-08-20
SuSE SUSE-SA:2005:045 2005-08-11
Ubuntu USN-157-2 2005-08-02
Ubuntu USN-157-1 2005-08-01
Mandriva MDKSA-2005:127 2005-07-28
Ubuntu USN-149-3 2005-07-28
Ubuntu USN-155-1 2005-07-26
Gentoo 200507-24 2005-07-26
Ubuntu USN-149-2 2005-07-25
Mandriva MDKSA-2005:120-1 2005-07-22
Slackware SSA:2005-203-01 2005-07-22
Red Hat RHSA-2005:587-01 2005-07-22
Fedora FEDORA-2005-622 2005-07-22
Fedora FEDORA-2005-621 2005-07-22
Fedora FEDORA-2005-618 2005-07-22
Fedora FEDORA-2005-620 2005-07-22
Fedora FEDORA-2005-617 2005-07-22
Fedora FEDORA-2005-619 2005-07-22
Fedora FEDORA-2005-616 2005-07-22
Red Hat RHSA-2005:601-01 2005-07-21
Red Hat RHSA-2005:586-01 2005-07-21
Ubuntu USN-149-1 2005-07-21
Fedora FEDORA-2005-606 2005-07-20
Fedora FEDORA-2005-604 2005-07-20
Fedora FEDORA-2005-605 2005-07-20
Fedora FEDORA-2005-603 2005-07-20

Comments (none posted)

Updated vulnerabilities

CUPS: multiple vulnerabilities

Package(s):CUPS CVE #(s):CAN-2004-2154
Created:July 14, 2005 Updated:September 20, 2005
Description: The CUPS printing system has a problem with queue name case-sensitivity matching that can cause a security policy override. An unauthorized user can use this to gain print to a protected queue.
Alerts:
Mandriva MDKSA-2005:165 2005-09-15
Ubuntu USN-185-1 2005-09-20
Fedora-Legacy FLSA:163274 2005-09-14
Red Hat RHSA-2005:571-01 2005-07-14

Comments (none posted)

cvs: multiple vulnerabilities

Package(s):cvs CVE #(s):CAN-2004-1342 CAN-2004-1343
Created:July 19, 2005 Updated:July 19, 2005
Description: The cvs pserver access method in connection with the Debian repouid can allow an attacker to bypass the password authentication and gain unauthorized access to the repository. Also, a problem with the cvs-repouids file can allow a remote user to crash the cvs server and cause a denial of service.
Alerts:
Debian DSA-715-1 2005-04-27

Comments (none posted)

a2ps: input validation error

Package(s):a2ps CVE #(s):CAN-2004-1170 CAN-2004-1377
Created:November 26, 2004 Updated:December 19, 2005
Description: The GNU a2ps utility fails to properly sanitize filenames, which can be abused by a malicious user to execute arbitrary commands with the privileges of the user running the vulnerable application. More information at Security Focus.
Alerts:
Fedora-Legacy FLSA:152870 2005-12-17
Mandriva MDKSA-2005:097 2005-06-07
OpenPKG OpenPKG-SA-2005.003 2005-01-17
Gentoo 200501-02 2005-01-04
Debian DSA-612-1 2004-12-20
Mandrake MDKSA-2004:140 2004-11-25

Comments (none posted)

acroread: arbitrary code execution

Package(s):acroread CVE #(s):CAN-2005-1625 CAN-2005-1841
Created:July 8, 2005 Updated:July 14, 2005
Description: Adobe Acrobat Reader (acroread) has a buffer overflow vulnerability. If a user is tricked into opening a specially crafted PDF file, arbitrary code can be executed.
Alerts:
SuSE SUSE-SA:2005:042 2005-07-14
Gentoo 200507-09 2005-07-11
Red Hat RHSA-2005:575-01 2005-07-08

Comments (none posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

cacti: SQL injection and PHP file inclusion

Package(s):cacti CVE #(s):
Created:June 22, 2005 Updated:July 21, 2005
Description: Cacti (prior to version 0.8.6e) suffers from vulnerabilities which can lead to SQL injection and (on some systems) execution of arbitrary PHP files.
Alerts:
Debian DSA-764-1 2005-07-21
Gentoo GLSA 200506-20:02 2005-06-22
Gentoo GLSA 200506-20:02 2005-06-22
Gentoo 200506-20:02 2005-06-22
Gentoo 200506-20 2005-06-22

Comments (none posted)

centericq: temporary file vulnerability

Package(s):centericq CVE #(s):CAN-2005-1914
Created:July 13, 2005 Updated:July 13, 2005
Description: The centericq messaging client suffers from a classic temporary file vulnerability which could, conceivably, be exploited by a local user to overwrite files.
Alerts:
Debian DSA-754-1 2005-07-13

Comments (none posted)

cpio - file permissions error

Package(s):cpio CVE #(s):CAN-1999-1572
Created:February 2, 2005 Updated:July 19, 2005
Description: Some versions of cpio contain an ancient vulnerability where files created by that utility have overly generous access permissions.
Alerts:
Fedora-Legacy FLSA:152891 2005-07-15
Red Hat RHSA-2005:080-01 2005-02-18
Red Hat RHSA-2005:073-01 2005-02-15
Mandrake MDKSA-2005:032-1 2005-02-11
Mandrake MDKSA-2005:032 2005-02-10
Ubuntu USN-75-1 2005-02-04
Debian DSA-664-1 2005-02-02

Comments (none posted)

cpio: directory traversal

Package(s):cpio CVE #(s):CAN-2005-1111
Created:June 20, 2005 Updated:December 26, 2005
Description: There is a vulnerability in cpio (2.6 and previous) that allows a malicious cpio file to extract to an arbitrary directory of the attackers choice. cpio will extract to the path specified in the cpio file, this path can be absolute.
Alerts:
Mandriva MDKSA-2005:237 2005-12-23
Red Hat RHSA-2005:806-01 2005-11-10
Debian DSA-846-1 2005-10-07
Ubuntu USN-189-1 2005-09-29
Red Hat RHSA-2005:378-01 2005-07-21
Mandriva MDKSA-2005:116-1 2005-07-19
Mandriva MDKSA-2005:116 2005-07-11
Trustix TSLSA-2005-0030 2005-06-24
Gentoo 200506-16 2005-06-20

Comments (1 posted)

cURL: buffer overflow

Package(s):curl CVE #(s):CAN-2005-0490
Created:February 28, 2005 Updated:July 19, 2005
Description: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded.
Alerts:
Fedora-Legacy FLSA:152917 2005-07-15
Fedora FEDORA-2005-325 2005-04-20
Red Hat RHSA-2005:340-01 2005-04-05
Conectiva CLA-2005:940 2005-03-21
Gentoo 200503-20 2005-03-16
Mandrake MDKSA-2005:048 2005-03-04
SuSE SUSE-SA:2005:011 2005-02-28
Ubuntu USN-86-1 2005-02-28

Comments (none posted)

cvs: multiple vulnerabilities

Package(s):cvs CVE #(s):CAN-2005-0753
Created:April 18, 2005 Updated:July 13, 2005
Description: CVS (in version prior to 1.11.20) has one or more buffer overflow vulnerabilities, memory leaks, and a NULL pointer dereferencing error. These can be used to launch a remote denial of service or to remotely execute arbitrary code.
Alerts:
Debian DSA-742-1 2005-07-07
Fedora-Legacy FLSA:155508 2005-05-12
Ubuntu USN-117-1 2005-05-04
Red Hat RHSA-2005:387-01 2005-04-25
Gentoo 200504-16:02 2005-04-18
Slackware SSA:2005-111-01 2005-04-22
Trustix TSLSA-2005-0013 2005-04-20
Mandriva MDKSA-2005:073 2005-04-20
Fedora FEDORA-2005-330 2005-04-20
Gentoo 200504-16 2005-04-18
SuSE SUSE-SA:2005:024 2005-04-18

Comments (none posted)

cyrus-imapd: buffer overflows

Package(s):cyrus-imapd CVE #(s):CAN-2005-0546
Created:February 23, 2005 Updated:April 9, 2006
Description: Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system.
Alerts:
Fedora-Legacy FLSA:156290 2006-04-04
Red Hat RHSA-2005:408-01 2005-05-17
Fedora FEDORA-2005-339 2005-04-27
OpenPKG OpenPKG-SA-2005.005 2005-04-05
Conectiva CLA-2005:937 2005-03-17
Mandrake MDKSA-2005:051 2005-03-04
Ubuntu USN-87-1 2005-02-28
SuSE SUSE-SA:2005:009 2005-02-24
Gentoo 200502-29 2005-02-23

Comments (none posted)

dbus: information disclosure

Package(s):dbus CVE #(s):CAN-2005-0201
Created:June 8, 2005 Updated:August 30, 2005
Description: From the Red Hat alert: "Dan Reed discovered that a user can send and listen to messages on another user's per-user session bus if they know the address of the socket." At current usage levels, this vulnerability is not particularly threatening.
Alerts:
Fedora FEDORA-2005-822 2005-08-29
Ubuntu USN-144-1 2005-06-27
Mandriva MDKSA-2005:105 2005-06-24
Red Hat RHSA-2005:102-01 2005-06-08

Comments (none posted)

dhcp: format string vulnerability

Package(s):dhcp CVE #(s):CAN-2004-1006
Created:November 4, 2004 Updated:July 13, 2005
Description: Dhcp has a format string vulnerability in the log functions of dhcp 2.x that may be exploited via a malicious DNS server.
Alerts:
Fedora-Legacy FLSA:152835 2005-07-10
Red Hat RHSA-2005:212-01 2005-04-12
Debian DSA-584-1 2004-11-04

Comments (none posted)

dhcpcd: denial of service

Package(s):dhcpcd CVE #(s):CAN-2005-1848
Created:July 13, 2005 Updated:September 13, 2005
Description: The dhcpcd DHCP client can be tricked into reading past the end of a buffer, causing it to crash.
Alerts:
Slackware SSA:2005-255-01 2005-09-13
Red Hat RHSA-2005:603-01 2005-07-27
Gentoo 200507-16 2005-07-15
Mandriva MDKSA-2005:117 2005-07-12
Debian DSA-750-1 2005-07-11

Comments (none posted)

Dnsmasq: poisoning and DoS

Package(s):dnsmasq CVE #(s):
Created:April 4, 2005 Updated:July 21, 2005
Description: Dnsmasq does not properly detect that DNS replies received do not correspond to any DNS query that was sent. Rob Holland of the Gentoo Linux Security Audit team also discovered two off-by-one buffer overflows that could crash DHCP lease files parsing.
Alerts:
Slackware SSA:2005-201-01 2005-07-21
Gentoo 200504-03 2005-04-04

Comments (none posted)

emacs21: format string vulnerability in "movemail"

Package(s):emacs21 CVE #(s):CAN-2005-0100
Created:February 7, 2005 Updated:May 15, 2006
Description: Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group.
Alerts:
Fedora-Legacy FLSA:152898 2006-05-12
Debian DSA-685-1 2005-02-17
Mandrake MDKSA-2005:038 2005-02-15
Gentoo 200502-20 2005-02-15
Fedora FEDORA-2005-146 2005-02-14
Fedora FEDORA-2005-145 2005-02-14
Red Hat RHSA-2005:133-01 2005-02-15
Red Hat RHSA-2005:110-01 2005-02-15
Red Hat RHSA-2005:134-01 2005-02-10
Red Hat RHSA-2005:112-01 2005-02-10
Fedora FEDORA-2005-116 2005-02-08
Fedora FEDORA-2005-115 2005-02-08
Debian DSA-671-1 2005-02-08
Debian DSA-670-1 2005-02-08
Ubuntu USN-76-1 2005-02-07

Comments (none posted)

enscript: arbitrary code execution

Package(s):enscript CVE #(s):CAN-2004-1184 CAN-2004-1185 CAN-2004-1186
Created:January 21, 2005 Updated:May 27, 2006
Description: Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash.
Alerts:
rPath rPSA-2006-0083-1 2006-05-26
Fedora-Legacy FLSA:152892 2005-12-17
Red Hat RHSA-2005:040-01 2005-02-15
Mandrake MDKSA-2005:033 2005-02-10
Gentoo 200502-03 2005-02-02
Red Hat RHSA-2005:039-01 2005-02-01
Fedora FEDORA-2005-096 2005-01-31
Fedora FEDORA-2005-092 2005-01-28
Fedora FEDORA-2005-091 2005-01-28
Fedora FEDORA-2005-016 2005-01-26
Fedora FEDORA-2005-015 2005-01-26
Ubuntu USN-68-1 2005-01-24
Debian DSA-654-1 2005-01-21

Comments (none posted)

ettercap: format string vulnerability

Package(s):ettercap CVE #(s):CAN-2005-1796
Created:June 13, 2005 Updated:July 13, 2005
Description: The Ettercap suite of networking tools has a format string vulnerability that can be exploited by a remote attacker for the execution of arbitrary code.
Alerts:
Debian DSA-749-1 2005-07-10
Gentoo 200506-07 2005-06-11

Comments (none posted)

evolution: message crash vulnerability

Package(s):evolution CVE #(s):CAN-2005-0806
Created:March 17, 2005 Updated:August 11, 2005
Description: The Evolution mail client can be crashed when reading certain types of messages.
Alerts:
Ubuntu USN-166-1 2005-08-11
Red Hat RHSA-2005:397-01 2005-05-04
Conectiva CLA-2005:950 2005-04-27
Fedora FEDORA-2005-338 2005-04-22
Mandrake MDKSA-2005:059 2005-03-16

Comments (none posted)

Foomatic: Arbitrary command execution in foomatic-rip

Package(s):foomatic CVE #(s):CAN-2004-0801
Created:September 20, 2004 Updated:May 31, 2006
Description: There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler.
Alerts:
SuSE SUSE-SA:2006:026 2006-05-30
Fedora-Legacy FLSA:2076 2004-11-05
Conectiva CLA-2004:880 2004-10-27
Fedora FEDORA-2004-303 2004-09-21
Gentoo 200409-24 2004-09-20

Comments (none posted)

FUSE: information disclosure

Package(s):fuse CVE #(s):CAN-2005-1858
Created:July 13, 2005 Updated:July 13, 2005
Description: The filesystems in user space (FUSE) subsystem (not yet part of the mainline kernel) has an information disclosure vulnerability exploitable by local users.
Alerts:
Debian DSA-744-1 2005-07-08

Comments (none posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gtk-pixbuf, gtk2: denial of service

Package(s):gdk-pixbuf gtk2 CVE #(s):CAN-2005-0891
Created:March 30, 2005 Updated:December 19, 2005
Description: The BMP image processing code in gdk-pixbuf and gtk2 contains a denial of service vulnerability exploitable via a specially crafted image file.
Alerts:
Fedora-Legacy FLSA:155510 2005-12-17
Fedora-Legacy FLSA:154272 2005-07-15
SuSE SUSE-SR:2005:010 2005-04-08
Mandrake MDKSA-2005:069 2005-04-07
Mandrake MDKSA-2005:068 2005-04-07
Ubuntu USN-108-1 2005-04-05
Red Hat RHSA-2005:343-01 2005-04-05
Red Hat RHSA-2005:344-01 2005-04-01
Fedora FEDORA-2005-268 2005-03-30
Fedora FEDORA-2005-267 2005-03-30
Fedora FEDORA-2005-266 2005-03-30
Fedora FEDORA-2005-265 2005-03-30

Comments (none posted)

gettext: Insecure temporary file handling

Package(s):gettext CVE #(s):CAN-2004-0966
Created:October 11, 2004 Updated:March 1, 2006
Description: gettext insecurely creates temporary files in world-writeable directories with predictable names. A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When gettext is called, this would result in file access with the rights of the user running the utility, which could be the root user.
Alerts:
Mandriva MDKSA-2006:051 2006-02-28
Fedora-Legacy FLSA:136323 2006-01-09
Gentoo 200410-10:02 2004-10-10
OpenPKG OpenPKG-SA-2004.055 2004-12-23
Ubuntu USN-5-1 2004-10-27
Gentoo 200410-10 2004-10-10

Comments (1 posted)

gftp: missing input sanitizing

Package(s):gftp CVE #(s):CAN-2005-0372 CAN-2004-1376
Created:February 17, 2005 Updated:July 13, 2005
Description: gftp has a directory traversal vulnerability. A remote server could use specially crafted filenames to overwrite local files.
Alerts:
Fedora-Legacy FLSA:152908 2005-07-10
Red Hat RHSA-2005:410-01 2005-06-13
Fedora FEDORA-2005-310 2005-04-07
Fedora FEDORA-2005-309 2005-04-07
Mandrake MDKSA-2005:050 2005-03-04
Gentoo 200502-27 2005-02-19
SuSE SUSE-SR:2005:005 2005-02-18
Debian DSA-686-1 2005-02-17

Comments (none posted)

ghostscript: symlink vulnerabilities

Package(s):ghostscript CVE #(s):CAN-2004-0967
Created:October 20, 2004 Updated:September 28, 2005
Description: The ghostscript package (prior to version 7.07.1-r7) contains several scripts which are vulnerable to symlink attacks.
Alerts:
Red Hat RHSA-2005:081-01 2005-09-28
Ubuntu USN-3-1 2004-10-27
Gentoo 200410-18 2004-10-20

Comments (none posted)

glibc: tempfile vulnerability in catchsegv script

Package(s):glibc CVE #(s):CAN-2004-0968
Created:October 21, 2004 Updated:November 14, 2005
Description: The catchsegv script in the glibc package has a symlink vulnerability that may allow a local user to overwrite arbitrary files with the permissions of the user that is running the script.
Alerts:
Fedora-Legacy FLSA:152848 2005-11-13
Red Hat RHSA-2005:261-01 2005-04-28
Debian DSA-636-1 2005-01-12
Mandrake MDKSA-2004:159 2004-12-29
Red Hat RHSA-2004:586-01 2004-12-20
Fedora FEDORA-2004-356 2004-11-11
Ubuntu USN-4-1 2004-10-27
Gentoo 200410-19 2004-10-21

Comments (none posted)

gnupg: information leak

Package(s):gnupg CVE #(s):CAN-2005-0366
Created:March 16, 2005 Updated:August 19, 2005
Description: GnuPG (and other PGP-like systems) suffers from an information leak which could, in some situations, be used by an attacker to obtain plain text from an encrypted message. See this message for a detailed explanation of the problem. "We know of no real-world application that is affected by this type of attack. It is an attack that requires the active participation of someone who holds the actual key required to decrypt a message. Thus, it is not something you are likely to see."
Alerts:
Ubuntu USN-170-1 2005-08-19
Gentoo 200503-29 2005-03-24
Mandrake MDKSA-2005:057 2005-03-15

Comments (none posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:September 16, 2005
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

groff: insecure temporary directory

Package(s):groff CVE #(s):CAN-2004-0969
Created:November 1, 2004 Updated:February 9, 2006
Description: Recently, Trustix Secure Linux discovered a vulnerability in the groff package. The utility "groffer" created a temporary directory in an insecure way, which allowed exploitation of a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Mandriva MDKSA-2006:038 2006-02-08
Gentoo 200411-15 2004-11-08
Ubuntu USN-13-1 2004-11-01

Comments (none posted)

gxine: format string vulnerability

Package(s):gxine CVE #(s):CAN-2005-1692
Created:May 26, 2005 Updated:July 23, 2005
Description: The gxine media player has a format string vulnerability in the hostname decoding function. A specially crafted file can be used to cause a user to execute arbitrary code.
Alerts:
Slackware SSA:2005-203-04 2005-07-23
Gentoo 200505-19 2005-05-26

Comments (none posted)

gzip: race condition and directory traversal

Package(s):gzip CVE #(s):CAN-2005-0988 CAN-2005-1228
Created:May 4, 2005 Updated:July 13, 2005
Description: gzip suffers from a race condition which could allow a fast-fingered attacker to change the permissions on files owned by others. There is also a directory traversal vulnerability associated with the -N option.
Alerts:
Debian DSA-752-1 2005-07-11
Red Hat RHSA-2005:357-01 2005-06-13
OpenPKG OpenPKG-SA-2005.010 2005-06-10
OpenPKG OpenPKG-SA-2005.009 2005-06-10
Mandriva MDKSA-2005:092 2005-05-18
Gentoo 200505-05 2005-05-09
Trustix TSLSA-2005-0018 2005-05-06
Ubuntu USN-116-1 2005-05-04

Comments (none posted)

Heimdal: buffer overflow vulnerabilities

Package(s):heimdal CVE #(s):CAN-2005-2040
Created:June 29, 2005 Updated:July 18, 2005
Description: It has been reported that the "getterminaltype" function of Heimdal's (before 0.6.5) telnetd server is vulnerable to buffer overflows. An attacker could exploit this vulnerability to execute arbitrary code with the permission of the telnetd server program.
Alerts:
Debian DSA-758-1 2005-07-18
SuSE SUSE-SA:2005:040 2005-07-06
Gentoo 200506-24 2005-06-29

Comments (none posted)

ht: arbitrary code execution

Package(s):ht CVE #(s):CAN-2005-1545 CAN-2005-1546
Created:July 8, 2005 Updated:July 13, 2005
Description: The utility ht, an executable file viewer, editor and analyzer, has buffer and integer overflows that can be exploited for the purpose of executing arbitrary code.
Alerts:
Debian DSA-743-1 2005-07-08

Comments (none posted)

htdig: cross site scripting

Package(s):htdig CVE #(s):CAN-2005-0085
Created:February 14, 2005 Updated:January 10, 2006
Description: Michael Krax discovered that ht://Dig fails to validate the 'config' parameter before displaying an error message containing the parameter. This flaw could allow an attacker to conduct cross-site scripting attacks.
Alerts:
Fedora-Legacy FLSA:152907 2006-01-09
Mandrake MDKSA-2005:063 2005-03-31
Red Hat RHSA-2005:090-01 2005-02-15
Debian DSA-680-1 2005-02-14
Gentoo 200502-16 2005-02-13

Comments (none posted)

ImageMagick: xwd coder denial of service

Package(s):ImageMagick CVE #(s):CAN-2005-1739
Created:May 26, 2005 Updated:July 19, 2005
Description: The xwd coder in ImageMagick has a vulnerability that can be accessed by working on a maliciously created image. A denial of service can result.
Alerts:
Fedora-Legacy FLSA:152777 2005-07-12
Mandriva MDKSA-2005:107 2005-06-28
Red Hat RHSA-2005:480-01 2005-06-02
Fedora FEDORA-2005-395 2005-05-26

Comments (none posted)

imap: buffer overflow in c-client

Package(s):imap CVE #(s):CAN-2003-0297
Created:February 18, 2005 Updated:April 9, 2006
Description: A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that if connected to by a victim could execute arbitrary code on the client machine.
Alerts:
Fedora-Legacy FLSA:184074 2006-04-04
Fedora-Legacy FLSA:152912 2005-05-12
Red Hat RHSA-2005:114-01 2005-02-18

Comments (none posted)

imlib2: buffer overflows

Package(s):imlib2 CVE #(s):CAN-2004-0802 CAN-2004-0817
Created:September 8, 2004 Updated:October 26, 2005
Description: The imlib2 library contains buffer overflows in the BMP handling code.
Alerts:
Debian DSA-548-2 2005-10-26
Conectiva CLA-2004:870 2004-09-28
Debian DSA-552-1 2004-09-22
Debian DSA-548-1 2004-09-16
Red Hat RHSA-2004:465-01 2004-09-15
Gentoo 200409-12 2004-09-08
Fedora FEDORA-2004-301 2004-09-09
Fedora FEDORA-2004-300 2004-09-09
Mandrake MDKSA-2004:089 2004-09-07

Comments (none posted)

infozip: privilege escalation, directory-traversal

Package(s):infozip CVE #(s):CAN-2003-0282 CAN-2004-1010 CAN-2005-0602
Created:May 2, 2005 Updated:August 1, 2005
Description: InfoZip reports that Zip 2.3 and (presumably) all previous versions have a buffer-overrun vulnerability relating to deep directory paths that could potentially lead to local privilege escalation (e.g., in the case of automated, Zip-based backups). All versions of UnZip through 5.50 have a number of directory-traversal vulnerabilities.
Alerts:
Ubuntu USN-159-1 2005-08-01
Slackware SSA:2005-121-01 2005-05-02

Comments (1 posted)

junkbuster: heap corruption and settings modification

Package(s):junkbuster CVE #(s):CVE-2005-1108 CVE-2005-1109
Created:April 13, 2005 Updated:November 5, 2005
Description: JunkBuster through version 2.02-r2 contains two vulnerabilities: a heap corruption bug and a possible privacy violation.
Alerts:
Debian DSA-713-1 2005-04-21
Gentoo 200504-11 2005-04-13

Comments (1 posted)

kdelibs: unsanitzied input

Package(s):kdelibs CVE #(s):CAN-2004-1165
Created:January 10, 2005 Updated:July 19, 2005
Description: Thiago Macieira discovered a vulnerability in the kioslave library, which is part of kdelibs, which allows a remote attacker to execute arbitrary FTP commands via an ftp:// URL that contains an URL-encoded newline before the FTP command.
Alerts:
Fedora-Legacy FLSA:152769 2005-07-15
Mandrake