Restarting free SourceForge development
Back when VA Linux Systems (now VA Software) launched
SourceForge, the company put the
underlying source code out under the GPL. VA was, at that time, very much
an open source company, so releasing the code was a natural thing to do.
Since then, VA has transformed itself from an open source hardware company
to a proprietary software company based on SourceForge. So it is not all
that surprising that VA's enthusiasm for free SourceForge code releases has
waned; the last such release (from the "
alexandria-dev"
project) is dated November 4, 2001. Since then, VA has limited itself
to proprietary releases.
The free SourceForge releases are just that, however: free. And since they
are free software, there is no need to wait for VA to make new releases.
So it should come as no surprise that a number of SourceForge fork projects
have appeared. Most of these are the basis for other SourceForge-like
development sites:
- Berlios is, perhaps, the
earliest SourceForge fork still operating; this site headed off with
something like version 1.5 of the code.
- The GNU Project's Savannah site
is based on version 2.0 of the SourceForge code.
- Debian-sf, a packaging
of the code for Debian systems, uses version 2.5 - the last official
release from VA.
All of these projects have provided useful resources for the free software
community. They all have, however, gone off in their own directions to
attain their specific goals; in none of these cases has the general
development of the SourceForge code been one of those goals. (This is not
a criticism - realistic projects can only take on so much).
Thanks to a note from Rick
Moen (which is also the source for the version information above), we
have been clued in to the GForge Project,
which is trying to get development of the SourceForge code back on track.
GForge is headed up by Tim Perdue, who certainly has the right credentials
for the job: he was the original author of a good chunk of the original
SourceForge system.
GForge has started with the most recent code from the SourceForge.net CVS
server, which has been deemed version 2.61. It has since been enhanced
with Jabber support, an improved interface, a new forum system, and easier
installation. Quite
a bit of effort has also gone into cleaning up the code; optimizations for
hundreds of thousands of users have been deemed unnecessary, and "foundries
and related nonsense" have been excised from the code base. And, of
course, the whole thing is licensed under the GPL.
GForge should become the new focal point for development of the
SourceForge code. The Debian-sf project is already working with GForge;
Debian users can, with a suitable configuration file entry, install GForge
with an apt-get command. One can only hope that GForge will lead
to a new set of free software development sites popping up on the net, and
further diversification away from the "official" SourceForge site.
SourceForge remains a very expensive form of advertising for a company
which has lost interest in free software; relying on its continued
existence forever would be foolhardy.
As LWN has said before, VA has done the free software a great service by
running SourceForge for the last three years. In the long run, however, it
may turn out that the greater service was releasing the SourceForge code
under the GPL. That release has allowed the community to continue to use
and develop the SourceForge code after VA's business needs drew its
attention elsewhere. We will reap the benefits of that gift long after
SourceForge.net has shut down.
Comments (1 posted)
Linux and the total cost of ownership
We have seen, in recent days, a flurry of reports and analyst proclamations
to the effect that, while costing more up front, Windows ends up being
cheaper than Linux when the "total cost of ownership" (TCO) is figured.
This cost includes things like staff time, training costs, etc. Certainly
it makes sense to take a broad view of what a particular computing system
really costs to operate. And, certainly, the analyst reports are
objective; they would never, ever, after all, bias their reports in favor
of the large corporation that has paid for the work.
Even so, some questions come to mind.
Your editor, who, in a previous life, managed a medium-size system
administration group, observed that a single Linux or Unix system
administrator could handle about twice as many systems as a single Windows
administrator. As Windows systems replaced Unix systems on desktops, the
administration staff had to grow. Many others have publicly noted a
similar pattern. The observations of people actually running
system management groups do not carry the weight of a scientific analyst
report printed on Very Heavy Paper, but one might still ask: how is it that
Windows is cheaper to run when more people are required to do the job?
Windows systems have well-known virus problems. Large scale virus attacks
have led to direct costs for companies estimated in billions of dollars.
Most large networks require constantly-updated virus scanning systems,
active mail filtering, and regular "don't open that attachment" user
cluestick sessions. All this is expensive; have these costs been figured
into the TCO calculations?
Amazon.com claims to have saved $17 million by switching to Linux.
E*Trade, too, saved a lot of money by going to Linux. The City of Largo,
Florida, claims to save at least $1 million each year from its switch
to Linux desktop systems. Why didn't they switch to Windows, if it is so
much cheaper? (As an aside, this
NewsForge followup on Largo is well worth a read).
Linux-based systems can often run on the same hardware, without upgrades,
for longer. There is far less pressure for constant system upgrades - and
no EULAs requiring such upgrades. Have the costs of the additional hardware
and software upgrades required by Windows been taken into account?
Software license management is expensive. Companies must track the license
for every application installed on every system on their networks, and they
must cope with occasional annoyances like BSA audits and raids. Tracking
thousands of licenses on thousands of systems is not a part-time job; have
licensing compliance costs been figured into the TCO studies?
And so on. The real point is this: we should not give up the TCO argument
easily. Linux systems are, beyond doubt, overly difficult to administer -
especially for certain kinds of environments. There is a lot that can be
done to reduce ownership costs for Linux systems. But, even so, the
"Windows is cheaper" argument has not been made in any sort of convincing
way.
Comments (7 posted)
Three important trials
This has been a busy week for courts worldwide; important issues have been
heard on three different continents. For those who have not been following
them all...
In the U.S., the ElcomSoft trial was finally held this week after having
been delayed when the defendants were not allowed to enter the country.
The defense has stressed constitutional issues and fair use, but the judge has not
been interested. For example, ElcomSoft was not allowed to discuss
legitimate uses of ElcomSoft's eBook reading software. As
predicted, this case is
working with a very tight reading of the DMCA, and it seems unlikely to go
in ElcomSoft's favor. The trial will determine only whether ElcomSoft was
in violation of the DMCA as it is written; any constitutional challenges to
the DMCA will have to wait for the appeal. As of this writing, the
arguments were complete, but the case had not yet gone to the jury for a
verdict.
In Norway, Jon Johansen is standing trial for his role in the creation and
distribution of the DeCSS software. The prosecution is trying to prove
that DeCSS's purpose is to help DVD piracy; this despite the fact that real
pirates have no need for such a tool. Attempts have been made to discredit
Jon's defense by pointing out that he developed the code on Windows. This
trial is still underway as of this writing. (See also: this account of the first day of testimony).
Meanwhile, in Australia, the country's high court has ruled that Dow Jones
can be sued for libel in Victoria over an article published on its web
site (in the U.S.). An increasing number of countries seem to believe that
their laws
apply to Internet activity anywhere in the world. If people can be hauled
across oceans to face libel claims, they certainly can be made to face
other sorts of charges - patent infringement or circumvention of copy
protection, for example. This
article in The Economist suggests that, in the future, publishers will
block access to their material from countries with hostile libel laws. It
would be a shame if distribution of free software had to be restricted in
similar ways.
Comments (15 posted)
Page editor: Jonathan Corbet
Security
Security news
The Ptech Incident
[Editor's note: this article was contributed by LWN reader Tom Owen.]
Federal and state agents who visited
Quincy, Mass. software house Ptech
last week were probably mostly looking for financial links to al-Qaeda.
So perhaps it's just an unfortunate co-incidence that by Wednesday morning the
Ptech customer list had been removed from their web site. It was still cached
at Google,
though, and the names on it are a testament to the lure of the product and
efficiency of the Ptech sales team. How happy the US Air Force, NATO, Mitre
and the FBI are to discover that their knowledge management software comes
from a firm under such detailed investigation has yet to emerge, but officials
for the White House and the US Attorney in Boston have certainly been quick to
say that the software presents no obvious risk. Which raises the question: how
do they know?
Sensitive government and defense agencies probably won't load their
operational information on to a knowledge management system without some sort
of scrutiny of the software. There's no need for an Open Source license -- any
client with sufficient clout can cut a deal for source access. The trouble is
that a $1000 per day security consultant, faced with half a million lines of
Visual Basic and a non-disclosure agreement, is going to need extraordinary
powers to find twenty lines buried in, say, user management, which phone home
with a document index. Source access or not, it still comes down to trust, of
the company and each individual developer.
A true open source project is a very different matter. It's not possible to
fool the whole developer community -- a secret like that just won't keep. It
might be possible to corrupt individuals, and it's certainly possible for
terrorists to join and contribute code. But the bent code is there for all to
see, and the folks reading it are developers intimately familiar with the
purpose and structure of the system. A trapdoor or a leak is still possible,
but it's much more likely to be spotted.
Wired quotes
Michael Wendy of the Initiative for Software Choice:
"It's important to note that a development model is only a process,"
Wendy said. "It does not guarantee, in and of itself, that a product
produced under one type of model will be any better than another product
produced under a different model. In other words, no single development
mode inherently produces safer, more secure software."
It's not bad for a first try, but the ISC will have to do better than that.
Comments (6 posted)
Understanding the Windows EAL4 rating
Microsoft has made a fair amount of noise about the "Common Criteria EAL4"
rating recently awarded to Windows 2000. For those of you who are curious
about what that actually means,
this article by Jonathan
Shapiro is well worth reading.
EAL4 means that the design documents were reviewed using
non-challenging criteria. This is sort of like having an accounting
audit where the auditor checks that all of your paperwork is there
and your business practice standards are appropriate, but never
actually checks that any of your numbers are correct. An EAL4
evaluation is not required to examine the software at all.
In other words, this certification does not mean a whole lot. People who
are interested in the security of their systems still need to look at the
systems themselves and draw their own conclusions; there is no magic rating
that will take the brain work out of the process.
Comments (1 posted)
New vulnerabilities
Canna server: exploitable buffer overrun
| Package(s): | canna |
CVE #(s): | CAN-2002-1158
CAN-2002-1159
|
| Created: | December 10, 2002 |
Updated: | September 30, 2003 |
| Description: |
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also
http://canna.sourceforge.jp/sec/Canna-2002-01.txt
CAN-2002-1158
CAN-2002-1159 |
| Alerts: |
|
Comments (none posted)
OpenLDAP2: remote command execution
| Package(s): | OpenLDAP2 |
CVE #(s): | CAN-2002-1378
CAN-2002-1379
|
| Created: | December 6, 2002 |
Updated: | February 21, 2003 |
| Description: |
OpenLDAP is the Open Source implementation of the Lightweight Directory
Access Protocol (LDAP) and is used in network environments for distributing
certain information such as X.509 certificates or login information.
The SuSE Security Team reviewed critical parts of that package and found
several buffer overflows and other bugs remote attackers could exploit to
gain access on systems running vulnerable LDAP servers. In addition to
these bugs, various local exploitable bugs within the OpenLDAP2 libraries
(openldap2-devel package) have been fixed.
Since there is no workaround possible except shutting down the LDAP server,
an update is strongly recommended. |
| Alerts: |
|
Comments (1 posted)
smb2www: arbitrary command execution
| Package(s): | smb2www |
CVE #(s): | |
| Created: | December 5, 2002 |
Updated: | December 11, 2002 |
| Description: |
Robert Luberda found a security problem in smb2www, a Windows Network
client that is accessible through a web browser. This could lead a remote
attacker to execute arbitrary programs under the user id www-data on the
host where smb2www is running. |
| Alerts: |
|
Comments (none posted)
wget:directory traversal bug
| Package(s): | wget |
CVE #(s): | CAN-2002-1344
|
| Created: | December 10, 2002 |
Updated: | September 30, 2003 |
| Description: |
Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious
FTP server to create or overwrite files anywhere on the local file system.
FTP clients must check to see if an FTP server's response to the NLST
command includes any directory information along with the list of filenames
required by the FTP protocol (RFC 959, section 4.1.3).
If the FTP client fails to do so, a malicious FTP server can send filenames
beginning with '/' or containing '/../' which can be used to direct a
vulnerable FTP client to write files (such as .forward, .rhosts, .shosts,
etc.) that can then be used for later attacks against the client machine.
See also
this Bugtraq article from 1997.
CAN-2002-1344 |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
Apache shared memory scoreboard vulnerabilities
| Package(s): | apache |
CVE #(s): | CAN-2002-0839
|
| Created: | October 9, 2002 |
Updated: | December 18, 2002 |
| Description: |
Versions of Apache prior to 1.3.27 contain a couple of scoreboard-related
vulnerabilities which can be exploited by local users running under the
Apache user ID. In-server scripting languages, such as PHP, are the most
likely means of carrying out the attacks. One vulnerability causes the
server to fork off new processes, leading to denial of service scenarios;
the other allows an attacker to send SIGUSR1 to any process as root,
probably killing that process. See this
iDEFENSE advisory for the details. |
| Alerts: |
|
Comments (3 posted)
Heap corruption vulnerability in at
| Package(s): | at at, sudo, xchat |
CVE #(s): | CAN-2002-0004
|
| Created: | May 20, 2002 |
Updated: | May 15, 2003 |
| Description: |
The at command has a
potentially exploitable heap corruption bug.
(First LWN report: January 17th).
|
| Alerts: |
|
Comments (none posted)
BIND8: Multiple vulnerabilities
Comments (1 posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
CVE #(s): | CAN-2002-0651
CAN-2002-0684
|
| Created: | July 8, 2002 |
Updated: | September 30, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Firch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"
used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
CAN-2002-0651
CAN-2002-0684 |
| Alerts: |
|
Comments (1 posted)
dhcpcd: Character expansion vulnerability
| Package(s): | dhcpcd |
CVE #(s): | |
| Created: | November 19, 2002 |
Updated: | January 10, 2003 |
| Description: |
dhcpcd is an RFC2131 and RFC1541 compliant DHCP client daemon.
dhcpcd has the ability to execute an external script named
/sbin/dhcpcd-<interface>.exe when assigning a new IP address to a network
interface. This script sources a file named
/var/lib/dhcpcd/dhcpcd-<interface>.info that contains several shell
variables and assigments with DHCP information.
Simon Kelley pointed out a vulnerability in the way quotes inside these
assignments are treated. By exploiting this, a malicious DHCP server (or
attackers able to spoof DHCP responses) can execute arbitrary shell
commands on the DHCP client (which is run by root). |
| Alerts: |
|
Comments (none posted)
Potential unauthorized root access vulnerability in dietlibc
| Package(s): | dietlibc |
CVE #(s): | CAN-2002-0391
|
| Created: | August 14, 2002 |
Updated: | December 5, 2002 |
| Description: |
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library with is used in
dietlibc, a libc optimized for small size.
The bug could be exploited to gain unauthorized root
access to software linking to dietlibc.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream |
| Alerts: |
|
Comments (none posted)
dvips: command execution vulnerability
| Package(s): | dvips |
CVE #(s): | CAN-2002-0836
|
| Created: | October 16, 2002 |
Updated: | June 10, 2003 |
| Description: |
The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system. |
| Alerts: |
|
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
Another set of fetchmail buffer overflows
| Package(s): | fetchmail fetchmail-ssl |
CVE #(s): | |
| Created: | October 1, 2002 |
Updated: | December 17, 2002 |
| Description: |
e-matters GmbH has issued an advisory
warning of a new set of buffer overflows in the fetchmail header parsing
code. The vulnerabilities have been fixed in fetchmail 6.1.0. |
| Alerts: |
|
Comments (none posted)
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
CVE #(s): | CAN-2002-0435
|
| Created: | May 20, 2002 |
Updated: | May 16, 2003 |
| Description: |
A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
|
| Alerts: |
|
Comments (none posted)
freeswan: Denial of Service
| Package(s): | freeswan |
CVE #(s): | |
| Created: | December 4, 2002 |
Updated: | December 4, 2002 |
| Description: |
Bindview discovered a problem in several IPSEC implementations that do not
properly handle certain very short packets. IPSEC is a set of security
extensions to IP which provide authentication and encryption. Debian's FreeS/WAN package contains this vulnerability, which can lead to kernel crashes. |
| Alerts: |
|
Comments (none posted)
Potential remote root exploit in glibc
| Package(s): | glibc |
CVE #(s): | CAN-2002-0391
|
| Created: | August 14, 2002 |
Updated: | June 29, 2003 |
| Description: |
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
|
| Alerts: |
|
Comments (none posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
CVE #(s): | CAN-2002-1146
|
| Created: | November 7, 2002 |
Updated: | February 5, 2004 |
| Description: |
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
|
| Alerts: |
|
Comments (none posted)
Buffer overflow in groff
| Package(s): | groff |
CVE #(s): | CAN-2002-0003
|
| Created: | May 20, 2002 |
Updated: | December 9, 2002 |
| Description: |
The groff package has a buffer overflow
vulnerability; if it is used with the print system, it is conceivably
exploitable remotely.
|
| Alerts: |
|
Comments (none posted)
gtetrinet: buffer overflows
| Package(s): | gtetrinet |
CVE #(s): | |
| Created: | November 25, 2002 |
Updated: | December 11, 2002 |
| Description: |
Several buffer overflows were found in gtetrinet versions below
0.4.3. According to the authors these could be remotely exploited. |
| Alerts: |
|
Comments (none posted)
html2ps: arbitrary code execution
| Package(s): | html2ps |
CVE #(s): | |
| Created: | November 8, 2002 |
Updated: | December 6, 2002 |
| Description: |
The SuSE Security Team found a vulnerability in html2ps, a HTML to
PostScript converter, that opened files based on unsanitized input
insecurely. This problem can be exploited when html2ps is installed
as filter within lrpng and the attacker has previously gained access
to the lp account. |
| Alerts: |
|
Comments (none posted)
IM: creates temporary files insecurely
| Package(s): | im |
CVE #(s): | CAN-2002-1395
|
| Created: | December 3, 2002 |
Updated: | March 6, 2003 |
| Description: |
Tatsuya Kinoshita discovered that IM, which contains interface
commands and Perl libraries for E-mail and NetNews, creates temporary
files insecurely.
- The impwagent program creates a temporary directory in an insecure
manner in /tmp using predictable directory names without checking
the return code of mkdir, so it's possible to seize a permission
of the temporary directory by local access as another user.
- The immknmz program creates a temporary file in an insecure manner
in /tmp using a predictable filename, so an attacker with local
access can easily create and overwrite files as another user.
|
| Alerts: |
|
Comments (none posted)
UW imapd remotely exploitable buffer overflow
| Package(s): | imap |
CVE #(s): | CAN-2002-0379
|
| Created: | June 5, 2002 |
Updated: | December 20, 2002 |
| Description: |
UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft
a request to run commands on the server under their UID and GID.
(First LWN report: May 23). |
| Alerts: |
|
Comments (2 posted)
kdelibs: Vulnerabilities in KIO subsystem support
| Package(s): | kdelibs |
CVE #(s): | CAN-2002-1281
CAN-2002-1282
|
| Created: | November 22, 2002 |
Updated: | March 14, 2003 |
| Description: |
Vulnerabilities were discovered in the KIO subsystem support for various
network protocols. The implementation of the rlogin protocol affects all
KDE versions from 2.1 up to 3.0.4, while the flawed implementation of the
telnet protocol only affects KDE 2.x. They allow a carefully crafted URL
in an HTML page, HTML email, or other KIO-enabled application to execute
arbitrary commands as the victim with their privilege.
The KDE team provided a patch for KDE3 which has been applied in these
packages. No patch was provided for KDE2, however the KDE team recommends
disabling both the rlogin and telnet KIO protocols. This can be
accomplished by removing, as root, the following files:
/usr/share/services/telnet.protocol and
/usr/share/services/rlogin.protocol.
If either file also exists in a user's ~/.kde/share/services directory,
they should likewise be removed.
See also:
http://www.kde.org/info/security/advisory-20021111-1.txt |
| Alerts: |
|
Comments (none posted)
kdenetwork: buffer overflow
| Package(s): | kdenetwork |
CVE #(s): | CAN-2002-1247
|
| Created: | November 11, 2002 |
Updated: | December 20, 2002 |
| Description: |
iDEFENSE reports a security vulnerability in the klisa package, that
provides a LAN information service similar to "Network Neighbourhood",
which was discovered by Texonet. It is possible for a local attacker
to exploit a buffer overflow condition in resLISa, a restricted
version of KLISa. The vulnerability exists in the parsing of the
LOGNAME environment variable, an overly long value will overwrite the
instruction pointer thereby allowing an attacker to seize control of
the executable. |
| Alerts: |
|
Comments (none posted)
kernel: local denial of service vulnerability
| Package(s): | kernel |
CVE #(s): | |
| Created: | November 19, 2002 |
Updated: | February 5, 2003 |
| Description: |
All versions of the Linux kernel from (at least) 2.2.x through 2.4.19 and
2.5.47 contain a vulnerability which allows any local user to crash the
system. This LWN article describes how the
exploit works in detail. The vulnerability affects only x86 systems. |
| Alerts: |
|
Comments (none posted)
krb5: Buffer Overflow in Kerberos Administration Daemon
| Package(s): | krb5, heimdal |
CVE #(s): | CAN-2002-1235
|
| Created: | October 29, 2002 |
Updated: | January 14, 2003 |
| Description: |
CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon
Systems Affected
- MIT Kerberos version 4 and version 5 up to and including
krb5-1.2.6
- KTH eBones prior to version 1.2.1 and KTH Heimdal prior to version
0.5.1
- Other Kerberos implementations derived from vulnerable MIT or KTH
code
Overview
Multiple Kerberos distributions contain a remotely exploitable buffer
overflow in the Kerberos administration daemon. A remote attacker
could exploit this vulnerability to gain root privileges on a
vulnerable system.
The CERT/CC has received reports that indicate that this vulnerability
is being exploited. In addition, MIT advisory MITKRB5-SA-2002-002
notes that an exploit is circulating.
We strongly encourage sites that use vulnerable Kerberos distributions
to verify the integrity of their systems and apply patches or upgrade
as appropriate. |
| Alerts: |
|
Comments (none posted)
lynx: CRLF injection vulnerability
| Package(s): | lynx |
CVE #(s): | CAN-2002-1405
|
| Created: | November 19, 2002 |
Updated: | September 30, 2003 |
| Description: |
If lynx is given a url with some special characters on the command line, it
will include faked headers in the HTTP query. This feature can be used to
force scripts (that use Lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.
CAN-2002-1405 |
| Alerts: |
|
Comments (none posted)
perl-MailTools: remote command execution
| Package(s): | MailTools |
CVE #(s): | CAN-2002-1271
|
| Created: | November 5, 2002 |
Updated: | September 19, 2003 |
| Description: |
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.
|
| Alerts: |
|
Comments (none posted)
Cross-site scripting vulnerability in mhonarc
| Package(s): | mhonarc |
CVE #(s): | CAN-2002-0738
CAN-2002-1307
CAN-2002-1388
|
| Created: | September 11, 2002 |
Updated: | January 3, 2003 |
| Description: |
Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to cross-site scripting problems when presented with maliciously crafted messages. This problem is fixed in mhonarc version 2.5.3, but it is not clear that all possible vulnerabilities have been fixed. See the Debian advisory below for information on how to disable text/html attachment support in mhonarc, which may be a more secure solution. |
| Alerts: |
|
Comments (none posted)
PHP Remote Compromise/DOS Vulnerability
| Package(s): | mod_php4 |
CVE #(s): | |
| Created: | July 22, 2002 |
Updated: | February 18, 2003 |
| Description: |
PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which
can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.
According to the CERT Advisory,
almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP.
Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP
4.2.0 or 4.2.1 installed,
is to upgrade to PHP 4.2.2.
For more information see the alert from
the discover of the vulnerability, Stefan Esser of e-matters GmbH,
or the security
advisory from the php team.
CERT Advisory: CA-2002-21 Vulnerability in PHP |
| Alerts: |
|
Comments (1 posted)
mod_ssl: cross site scripting problem
| Package(s): | mod_ssl, libapache-mod-ssl |
CVE #(s): | CAN-2002-1157
|
| Created: | October 22, 2002 |
Updated: | December 12, 2002 |
| Description: |
Joe Orton discovered a cross site scripting problem in mod_ssl, an
Apache module that adds Strong cryptography (i.e. HTTPS support) to
the webserver. The module will return the server name unescaped in
the response to an HTTP request on an SSL port.
Like the other recent Apache XSS bugs, this only affects servers using
a combination of "UseCanonicalName off" and wildcard DNS. This is very
unlikely to happen, though. Apache 2.0/mod_ssl is not vulnerable since it
already escapes this HTML. |
| Alerts: |
|
Comments (none posted)
Mozilla: Privacy leak and other vulnerabilities
| Package(s): | mozilla |
CVE #(s): | CAN-2002-1126
CAN-2002-1091
|
| Created: | November 1, 2002 |
Updated: | February 13, 2003 |
| Description: |
Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape and
Galeon, set the document referrer too quickly in certain situations when a
new page is being loaded, which allows web pages to determine the next page
that is being visited, including manually entered URLs.
Netscape 6.2.3 and earlier, and Mozilla 1.0.1, allow remote attackers to
corrupt heap memory and execute arbitrary code via a GIF image with a zero
width.
See also Mozilla's
Recently fixed security issues page.
All users are encouraged to upgrade to this latest stable 1.0.x release of
Mozilla. |
| Alerts: |
|
Comments (none posted)
ypserv: NIS information leak
| Package(s): | nis, ypserv |
CVE #(s): | CAN-2002-1232
|
| Created: | October 21, 2002 |
Updated: | December 5, 2002 |
| Description: |
Thorsten Kukuck discovered a problem in the ypserv program which is
part of the Network Information Services (NIS). A memory leak in all
versions of ypserv prior to 2.5 is remotely exploitable. When a
malicious user could request a non-existing map the server will leak
parts of an old domainname and mapname. |
| Alerts: |
|
Comments (none posted)
Buffer overflow in nss_ldap
| Package(s): | nss_ldap |
CVE #(s): | CAN-2002-0825
CAN-2002-0374
|
| Created: | October 9, 2002 |
Updated: | December 11, 2002 |
| Description: |
The nss_ldap package has a buffer overflow which can be exploited when the
module configures itself from information in DNS. The problem is fixed in
nss_ldap-199 and later. |
| Alerts: |
|
Comments (none posted)
PHP: vulnerability in mail function
| Package(s): | php |
CVE #(s): | CAN-2002-0985
CAN-2002-0986
|
| Created: | November 13, 2002 |
Updated: | September 30, 2003 |
| Description: |
Two vulnerabilities exists in the mail() PHP function. The first one allows
the execution of any program/script bypassing safe_mode restriction, the
second one may give an open-relay script if the mail() function is not
carefully used in PHP scripts. See this Bugtraq
report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.
CAN-2002-0985
CAN-2002-0986 |
| Alerts: |
|
Comments (none posted)
pine: buffer overflow parsing "From:" addresses
| Package(s): | pine |
CVE #(s): | CAN-2002-1320
|
| Created: | November 27, 2002 |
Updated: | January 3, 2003 |
| Description: |
A malicious user could send a message with a specially crafted "From:"
address and cause a segmentation fault on the client. Pine 4.50 fixes this
vulnerability (CAN-2002-1320) and several others. Read the full advisory
here. |
| Alerts: |
|
Comments (none posted)
Buffer overflow vulnerabilities in PostgreSQL
| Package(s): | PostgreSQL |
CVE #(s): | |
| Created: | August 21, 2002 |
Updated: | January 27, 2003 |
| Description: |
PostgreSQL 7.2.2 has been released in response to a number of buffer
overrun vulnerabilities which have been identified recently. "...it
should be noted that these vulnerabilities are only critical on 'open' or
'shared' systems, as they require the ability to be able to connect to the
database before they can be exploited."
Buffer overflow vulnerabilities fixed include those reported by
"Sir Mordred The Traitor" in the cash_words,
repeat, and lpad
and rpad functions. |
| Alerts: |
|
Comments (none posted)
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
CVE #(s): | CAN-2002-1119
|
| Created: | August 28, 2002 |
Updated: | September 30, 2003 |
| Description: |
Zack Weinberg discovered that
os._execvpe from os.py uses a predictable name which could lead
to execution of arbitrary code. According to the Debian
advisory, the problem
was present in Python versions 1.5, 2.1 and 2.2.
CAN-2002-1119 |
| Alerts: |
|
Comments (none posted)
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
CVE #(s): | CAN-2002-1323
|
| Created: | October 9, 2002 |
Updated: | February 20, 2004 |
| Description: |
usePerl has a
description of a vulnerability in the Safe.pm Perl module. It seems
that if a Safe compartment is used more than once, it ceases to be safe.
The problem is fixed in Safe 2.08. |
| Alerts: |
|
Comments (none posted)
squirrelmail: cross-site scripting vulnerability
| Package(s): | squirrelmail |
CVE #(s): | CAN-2002-1131
CAN-2002-1132
|
| Created: | October 16, 2002 |
Updated: | January 2, 2003 |
| Description: |
The Squirrelmail web mail package has a cross-site scriptinog vulnerability; versions 1.2.7 and prior are affected. See the advisory for details. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 9, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
tcpdump: buffer overflow
| Package(s): | tcpdump |
CVE #(s): | |
| Created: | November 20, 2002 |
Updated: | December 19, 2002 |
| Description: |
A new buffer overflow in the printing of BGP packets could, conceivably, be remotely exploitable. |
| Alerts: |
|
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
Tomcat 4.x JSP source code exposure vulnerability
| Package(s): | tomcat |
CVE #(s): | |
| Created: | September 25, 2002 |
Updated: | January 29, 2003 |
| Description: |
Rossen Raykov reports that Tomcat 4.0.5 and 4.1.12 fix a JSP source code exposure vulnerability
in "Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also).".
The current version of Tomcat is available here.
|
| Alerts: |
|
Comments (none posted)
traceroute-nanog: buffer overflow and root exploit
| Package(s): | traceroute-nanog/nkitb |
CVE #(s): | |
| Created: | November 12, 2002 |
Updated: | February 27, 2003 |
| Description: |
Traceroute is a tool that can be used to track packets in a TCP/IP network
to determine it's route or to find out about not working routers.
Traceroute-nanog requires root privilege to open a raw socket. It does not
relinquish these privileges after doing so. This allows a malicious user to
gain root access by exploiting a buffer overflow at a later point. |
| Alerts: |
|
Comments (none posted)
webalizer: reverse DNS buffer overflow vulnerability
| Package(s): | webalizer |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | January 27, 2003 |
| Description: |
The cause is a buffer overflow bug.
This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victims DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
|
| Alerts: |
|
Comments (none posted)
Webmin/Usermin vulnerabilities
| Package(s): | webmin |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | January 10, 2003 |
| Description: |
Webmin is a web-based interface for
system administration for Unix.
Webmin has cross-site scripting and
session ID spoofing vulnerabilities
which are fixed in the May 6, 2002 release of version 0.970.
(First LWN
report: May 9).
This one is scary. The session ID
spoofing vulnerability allows the "possibility that arbitrary
commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
|
| Alerts: |
|
