
Security

A selective look at response times

It is often said that, while free software suffers from security flaws just like the proprietary variety does, fixes for those flaws come out much more quickly. For most users, however, security patches do not arrive until packaged by their distributor. So, every now and then, it is worthwhile to take a look at how quickly various distributors manage to get the fixes out. The following table lists a subset of recent vulnerabilities and the number of days required for each distributor to issue an update. For the purposes of this table, the clock starts when a vulnerability is disclosed, or when the first distributor alert is issued, whichever comes first.

Vulnerability     Debian  Fedora  Gentoo  Red Hat  SUSE  Ubuntu
Apache mod_ssl    --      --      --      11       --    12
clamav            22      --      3       n/a      --    --
evolution         --      1       13      19       --    --
fetchmail         22      0       4       4        --    5
PCRE              13      4       14      --       16    3
PHP XML-RPC       9       4       5       6        7     4
PHP XML-RPC 2     18      10      9       4        15    5
ProFTPd           35      --      4       n/a      --    n/a
vim modeline      --      16      --      28       --    1

The above table lists a subset of relatively important vulnerabilities disclosed since July, 2005. Distributions marked "n/a" do not ship the vulnerable package; a marking of "--" means that the update has not yet been released. A missing update can mean one of two things: (1) the distributor simply has not gotten around to releasing an update yet, or (2) the relevant package is of the second-class-citizen variety, such as those found in Fedora Extras or Ubuntu's Universe.

Even though the set of vulnerabilities above is relatively small, some patterns emerge. Some distributors (Fedora, Gentoo, Debian, Red Hat) have managed to close most of the listed vulnerabilities. A couple of others have fallen seriously behind, however, leaving users running vulnerable software. Some distributors tend to be quite fast in getting updates out; others are slower. Perhaps the biggest surprise is the current lag time on Debian's updates; Debian used to be one of the faster distributions to get updates out.

It is worth noting, as well, that the increasingly popular "non-core" package repositories can be a hazard for administrators who are not paying attention. Clamav is used as a virus filter on many sites, and the recent vulnerability is real and exploitable. An administrator who relies upon a distribution's update mechanism may not have noticed that, when she used yum or apt-get to install clamav, it came from Fedora Extras or Ubuntu Universe. As a second-class-citizen package, clamav will not be updated by the distributor and will remain vulnerable for an unknown period of time. Any security-conscious site which uses such packages should have a mechanism in place to note and respond to security problems in those packages.
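The lag figures in the table above come from a simple rule: find each distributor's first advisory and count the days from the clock start. The script below is an added example (not LWN's own tooling) that applies that rule to the squid alert list appearing further down this page. The disclosure date for squid is not given on the page, so it is an optional argument; when it is omitted the first distributor alert starts the clock, which is what the article's "whichever comes first" rule reduces to in that case. The numbers it produces are for the squid entry only and are not the table's figures.

```python
"""Per-distributor update lag, computed the way the article's table defines it.

Added example, not LWN's own tooling. The alert lines are copied from the
squid entry on this page; the disclosure date is not on the page, so it is an
optional argument (None means the first alert starts the clock).
"""
from datetime import date

# Distributor names as they appear in this page's alert lists (hyphenated
# names first so "Debian-Testing" is never read as "Debian").
DISTRIBUTORS = ("Debian-Testing", "Fedora-Legacy", "Debian", "Fedora", "Gentoo",
                "Mandriva", "OpenPKG", "Red Hat", "Slackware", "SuSE", "Trustix", "Ubuntu")

# Constructed input: the squid alert list from this page, "Distributor ID package date".
SQUID_ALERTS = """\
Debian DSA-809-3 squid 2005-11-07
Debian DSA-809-2 squid 2005-09-30
SuSE SUSE-SA:2005:053 squid 2005-09-16
Red Hat RHSA-2005:766-01 Squid 2005-09-15
Ubuntu USN-183-1 squid 2005-09-13
Mandriva MDKSA-2005:162 squid 2005-09-12
Debian DSA-809-1 squid 2005-09-13
OpenPKG OpenPKG-SA-2005.021 squid 2005-09-10
Gentoo 200509-06 squid 2005-09-07
Fedora FEDORA-2005-852 squid 2005-09-06
Fedora FEDORA-2005-851 squid 2005-09-06
"""


def parse_alert(line):
    """Split one alert line into (distributor, advisory id, package, date)."""
    for distro in DISTRIBUTORS:
        if line.startswith(distro + " "):
            rest = line[len(distro) + 1:].split()
            # The advisory id is the first token and the ISO date the last;
            # whatever lies between is the package list (it may contain spaces).
            return distro, rest[0], " ".join(rest[1:-1]), date.fromisoformat(rest[-1])
    raise ValueError(f"unknown distributor in alert line: {line!r}")


def first_updates(alert_text):
    """Earliest alert date per distributor; re-issued advisories do not reset the clock."""
    first = {}
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        distro, _advisory, _package, when = parse_alert(line)
        if distro not in first or when < first[distro]:
            first[distro] = when
    return first


def update_lags(alert_text, disclosed=None, columns=None):
    """Days from clock start to each distributor's first update, "--" if none was issued.

    The clock starts at the earlier of the disclosure date (ISO string or date,
    optional) and the first alert from any distributor, as the article defines it.
    """
    if isinstance(disclosed, str):
        disclosed = date.fromisoformat(disclosed)
    first = first_updates(alert_text)
    clock_start = min(first.values())
    if disclosed is not None and disclosed < clock_start:
        clock_start = disclosed
    columns = columns or sorted(first)
    return {d: (first[d] - clock_start).days if d in first else "--" for d in columns}


def format_row(name, lags):
    """One table row in the article's layout."""
    return name.ljust(16) + "".join(str(v).rjust(9) for v in lags.values())


if __name__ == "__main__":
    cols = ["Debian", "Fedora", "Gentoo", "Red Hat", "SuSE", "Ubuntu"]
    print("Vulnerability".ljust(16) + "".join(c.rjust(9) for c in cols))
    print(format_row("squid", update_lags(SQUID_ALERTS, columns=cols)))
```

Two details of the rule matter in practice: only the earliest advisory per distributor counts (Debian's DSA-809-2 and -3 re-issues do not move its number), and a disclosure date later than the first alert is ignored, since the clock already started with that alert.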

Comments (12 posted)

New vulnerabilities

affix: remote command execution

Package(s): affix    CVE #(s): CAN-2005-2716
Created: September 2, 2005    Updated: September 6, 2005
Description: Kevin Finisterre reports that affix, a package used to manage Bluetooth sessions under Linux, uses the popen call in an unsafe fashion. A remote attacker can exploit this vulnerability to execute arbitrary commands on a vulnerable system.
Alerts:
Debian DSA-796-1 affix 2005-09-01
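The advisory says only that affix hands data to popen() unsafely. The snippet below is an added example, not affix's code, showing the general class of bug in Python terms: a remotely supplied string (an assumed device name, constructed for the demo) interpolated into a command line that popen() passes to the shell, next to the hardened form that runs the program with an argument list and no shell at all. The program being run is stood in for by the Python interpreter so the demo needs no other tools.

```python
"""Shell command built from untrusted input versus argument-list execution.

Added example, not affix's code. The "device name" is a constructed,
assumed-to-be-remote string; the command run is a stand-in for whatever
external program the real package invokes.
"""
import os
import shlex
import subprocess
import sys


def build_shell_command(device_name):
    # Vulnerable pattern: the untrusted string becomes part of a shell command
    # line, so any shell metacharacters in it are interpreted by /bin/sh.
    return f"echo Connected to {device_name}"


def run_unsafe(device_name):
    # popen(3) / os.popen() hand the whole string to "sh -c".
    return os.popen(build_shell_command(device_name)).read().strip()


def build_quoted_command(device_name):
    # If a shell really is needed, quote the untrusted piece so it is one word.
    return f"echo Connected to {shlex.quote(device_name)}"


def run_safe(device_name):
    # Hardened form: an argv list with no shell; the name is a single opaque
    # argument, whatever characters it contains. The interpreter stands in for
    # the external program here.
    argv = [sys.executable, "-c", "import sys; print('Connected to', sys.argv[1])", device_name]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout.strip()


if __name__ == "__main__":
    # A name carrying a shell metacharacter: the unsafe path runs a second
    # command, the safe path just prints the name verbatim.
    name = "headset; echo INJECTED"
    print("unsafe:", repr(run_unsafe(name)))
    print("safe:  ", repr(run_safe(name)))
```

The argument-list form is the fix to prefer; quoting with shlex.quote is the fallback when a shell pipeline is unavoidable, and it must be applied to every untrusted fragment, not just the one that happened to be noticed.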

Comments (none posted)

apache information disclosure if modssl=yes

Package(s): apache    CVE #(s): CAN-2005-2700
Created: September 2, 2005    Updated: November 10, 2005
Description: An information disclosure vulnerability was discovered in mod_ssl, the SSL/TLS module of the Apache webserver. When "SSLVerifyClient optional" was configured in the global virtual host configuration, an "SSLVerifyClient require" in per-location context was not enforced.
Alerts:
Fedora-Legacy FLSA:166941 httpd 2005-11-09
Gentoo 200509-12 mod_ssl 2005-09-19
SuSE SUSE-SA:2005:052 apache2 2005-09-12
Red Hat RHSA-2005:773-01 mod_ssl 2005-09-15
Slackware SSA:2005-251-03 multi 2005-09-14
Debian DSA-807-1 libapache-mod-ssl 2005-09-12
Slackware SSA:2005-251-02 mod_ssl 2005-09-09
Fedora FEDORA-2005-849 httpd 2005-09-07
Mandriva MDKSA-2005:161 apache2 2005-09-08
Fedora FEDORA-2005-848 httpd 2005-09-07
Debian DSA-805-1 apache2 2005-09-08
Ubuntu USN-177-1 apache2, libapache-mod-ssl 2005-09-07
Red Hat RHSA-2005:608-01 httpd 2005-09-06
OpenPKG OpenPKG-SA-2005.017 apache/modssl (apache::with_mod_ssl=yes only) 2005-09-02

Comments (none posted)

courier: missing input sanitizing

Package(s): courier    CVE #(s): CAN-2005-2724
Created: September 1, 2005    Updated: September 6, 2005
Description: The courier sqwebmail application has an input sanitizing vulnerability that a remote attacker can exploit to carry out a script insertion attack.
Alerts:
Debian DSA-793-1 courier 2005-09-01

Comments (none posted)

kdebase: local root vulnerability

Package(s): kdebase    CVE #(s): CAN-2005-2494
Created: September 7, 2005    Updated: August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Red Hat RHSA-2006:0582-01 kdebase 2006-08-10
Debian DSA-815-1 kdebase 2005-09-16
Slackware SSA:2005-251-01 kdebase 2005-09-09
Ubuntu USN-176-1 kdebase 2005-09-07
Mandriva MDKSA-2005:160 kdebase 2005-09-06

Comments (none posted)

mplayer: heap overflow

Package(s): mplayer    CVE #(s): CAN-2005-2718
Created: September 1, 2005    Updated: September 7, 2005
Description: mplayer's ad_pcm.c code has a heap overflow vulnerability in the code that handles the strf chunk of PCM audio streams. A maliciously crafted audio or video file could exploit it to execute code with the privileges of the user running mplayer.
Alerts:
Mandriva MDKSA-2005:158 mplayer 2005-09-06
Gentoo 200509-01 mplayer 2005-09-01

Comments (none posted)

net-SNMP: packaging flaw

Package(s): net-snmp    CVE #(s):
Created: September 6, 2005    Updated: September 6, 2005
Description: James Cloos reported that Perl modules from the Net-SNMP package look for libraries in an untrusted location. This is due to a flaw in the Gentoo package, and not the Net-SNMP suite.
Alerts:
Gentoo 200509-05 net-snmp 2005-09-06

Comments (none posted)

openssh: privilege escalation

Package(s): openssh    CVE #(s):
Created: September 6, 2005    Updated: September 6, 2005
Description: A security bug introduced in OpenSSH version 4.0 caused gateway ports (SSH client command line option "-o 'GatewayPorts yes'") to be accidentally activated for dynamic port forwardings (SSH client command line option "-D [address:]port") when the listen address was not explicitly specified. As a result, the SSH client performed a wildcard bind for the listening socket on the SSH client machine instead of a bind to just "localhost". The dynamic port forwardings could therefore also be accessed from outside the SSH client machine.
Alerts:
OpenPKG OpenPKG-SA-2005.019 openssh 2005-09-06
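The failure described in this entry is visible from the client machine itself: a forwarding listener that should sit on loopback is bound to a wildcard address. The check below is an added example, not part of the OpenPKG advisory or of OpenSSH. It parses output in the layout of `ss -ltn` (the sample is constructed) and reports listening sockets on the given ports that are not on a loopback address; the last helper builds the `-D [address:]port` form quoted in the entry with the address named explicitly, so the client's default bind address is not relied upon.

```python
"""Find forwarding listeners that are reachable from other hosts.

Added example, not part of the advisory or of OpenSSH. The sample output is
constructed in the layout of `ss -ltn`; the port numbers are arbitrary.
"""

# Constructed sample: a SOCKS listener on 1080 correctly on loopback, one on
# 1081 on the IPv4 wildcard, an IPv6 loopback listener on 8080, a "*" wildcard
# listener on 8081, and an unrelated sshd listener on 22.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:1080       0.0.0.0:*
LISTEN  0       128     0.0.0.0:1081         0.0.0.0:*
LISTEN  0       128     [::1]:8080           [::]:*
LISTEN  0       128     *:8081               *:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

# Address forms that mean "every interface" in ss/netstat output.
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}


def split_local_address(field):
    """'[::1]:8080' -> ('::1', 8080); '0.0.0.0:1081' -> ('0.0.0.0', 1081); '*:8081' -> ('*', 8081)."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    return host == "::1" or host.startswith("127.")


def exposed_listeners(ss_output, ports=None):
    """(host, port) of LISTEN sockets not bound to loopback; restricted to `ports` if given.

    A socket on a specific non-loopback interface address is reported too,
    since it is just as reachable from the network as a wildcard bind.
    """
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening state
        host, port = split_local_address(fields[3])
        if ports is not None and port not in ports:
            continue
        if host in WILDCARD_HOSTS or not is_loopback(host):
            findings.append((host, port))
    return findings


def dynamic_forward_args(port, bind_address="localhost"):
    """ssh arguments for a dynamic forwarding with the listen address spelled out.

    Naming the address uses the "-D [address:]port" form from the advisory and
    sidesteps whatever the client's default bind happens to be.
    """
    return ["-D", f"{bind_address}:{port}"]


if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS_OUTPUT, ports={1080, 1081, 8080, 8081}):
        print(f"forwarding port {port} is bound to {host}: reachable from other hosts")
    print("use:", " ".join(["ssh", *dynamic_forward_args(1081), "gateway.example"]))
```

On a real machine the input would be the output of `ss -ltn` (or `netstat -ltn`) and the port set the ports you asked ssh to forward; anything the check reports is a listener that other hosts on the network can connect to.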

Comments (none posted)

openssh: GSSAPI credential disclosure

Package(s): openssh    CVE #(s): CAN-2005-2798
Created: September 7, 2005    Updated: February 3, 2006
Description: OpenSSH prior to version 4.2 will allow GSSAPI credentials to be delegated to users who are not using GSSAPI authentication, possibly leading to the unwanted disclosure of those credentials. OpenSSH 4.2 has the fix.
Alerts:
SuSE SUSE-SR:2006:003 openssh gd mediawiki bogofilter 2006-02-03
Ubuntu USN-209-1 openssh 2005-10-17
Mandriva MDKSA-2005:172 openssh 2005-10-06
Red Hat RHSA-2005:527-01 openssh 2005-10-05
Fedora FEDORA-2005-860 openssh 2005-09-12
Trustix TSLSA-2005-0047 apache openssh squid 2005-09-09
Fedora FEDORA-2005-858 openssh 2005-09-07

Comments (none posted)

OpenTTD: remote execution of arbitrary code

Package(s): OpenTTD    CVE #(s): CAN-2005-2763
Created: September 5, 2005    Updated: September 6, 2005
Description: Alexey Dobriyan discovered several format string vulnerabilities in OpenTTD. A remote attacker could exploit these vulnerabilities to crash the OpenTTD server or client and possibly execute arbitrary code with the rights of the user running OpenTTD.
Alerts:
Gentoo 200509-03 OpenTTD 2005-09-05

Comments (none posted)

polygen: denial of service

Package(s): polygen    CVE #(s): CAN-2005-2656
Created: September 1, 2005    Updated: September 6, 2005
Description: polygen has a vulnerability in which precompiled grammar objects are created with world write permissions. A local attacker can use this to fill up a local filesystem and cause a denial of service.
Alerts:
Debian DSA-794-1 polygen 2005-09-01

Comments (none posted)

smb4k: temporary file vulnerability

Package(s): smb4k    CVE #(s): CVE-2005-2851
Created: September 7, 2005    Updated: December 7, 2005
Description: Smb4K has a temporary file vulnerability which can allow an unprivileged user to read certain files which would otherwise be inaccessible.
Alerts:
Debian-Testing DTSA-25-1 smb4k 2005-12-05
Gentoo 200511-15 smb4k 2005-11-18
Mandriva MDKSA-2005:157 smb4k 2005-09-06

Comments (none posted)

squid: DoS issues

Package(s): squid    CVE #(s): CAN-2005-2794 CAN-2005-2796
Created: September 6, 2005    Updated: November 7, 2005
Description: Squid-2.5.10-r2 and earlier have three denial-of-service issues.
Alerts:
Debian DSA-809-3 squid 2005-11-07
Debian DSA-809-2 squid 2005-09-30
SuSE SUSE-SA:2005:053 squid 2005-09-16
Red Hat RHSA-2005:766-01 Squid 2005-09-15
Ubuntu USN-183-1 squid 2005-09-13
Mandriva MDKSA-2005:162 squid 2005-09-12
Debian DSA-809-1 squid 2005-09-13
OpenPKG OpenPKG-SA-2005.021 squid 2005-09-10
Gentoo 200509-06 squid 2005-09-07
Fedora FEDORA-2005-852 squid 2005-09-06
Fedora FEDORA-2005-851 squid 2005-09-06

Comments (none posted)

Page editor: Jonathan Corbet


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds