The Grumpy Editor's guide to RSS aggregators
Your editor reads a lot of web sites. Quite a lot of web sites. This
reading has generally been a process of stepping through the bookmark list,
checking to see what is new on each of many interesting sites. Actually
going to sites to check for new news has
been an obsolete mode of operation for some time, but your editor can be a
little slow to come around, sometimes. Nonetheless, the nagging feeling
that there had to be a better way eventually got strong enough to inspire
an inquiry into the state of the art in RSS aggregators.
Most sites with news-oriented content export one or more files with
information about the most recently-posted articles; LWN's is over here. An RSS aggregator will grab the
headline files from sites of interest and present them, in some unified
format, to the reader. The result is a single interface to new postings
from a multitude of sites, and an end to the tedious business of plowing
through a long list of bookmarks.
There is a huge variety of RSS aggregators out there. To narrow things
down, your editor concentrated on standalone utilities with graphical
interfaces. There are some console-based aggregators available, and quite
a few web-based sites and systems. Your editor, believing (hoping) that an
interface designed specifically for the aggregation task will work best,
has chosen to pass over the other approaches for now.
When looking at RSS aggregators, there are a few issues to think about:
- How hard is it to get sites into the tool? Most, but not all,
aggregators can have an RSS feed URL dropped into them, making the
task easy. Just about every aggregator can import a feed list in the
OPML format, which makes switching between them easy.
- Which feed formats are supported? All aggregators can handle most
varieties of RSS; the newer Atom format is not yet as widely
supported.
- How does the tool help with organizing feeds? As the list of feeds
grows long, it is natural to want to organize them into categories.
After all, it does not do to mix those serious, work-oriented sites
with the more frivolous fare (LWN, say).
- Does the tool make it easy to keep up with a large number of feeds? A
tool which makes it easy to pass through a mixed presentation of all
new articles (perhaps limited to a specific category) will be faster
than one which required each site to be explicitly "opened."
- How does the tool handle updates? LWN's RSS feed accounts for a huge
part of our total traffic, and the situation is probably the same for
other sites. If your aggregator is pulling the feed every ten
minutes, you are helping to create a great deal of wasted traffic.
The defaults for polling intervals should be conservative, and, when
available, the aggregator should use the update time suggestions found
in the feed itself. There is no point in polling the "cute puppy of
the day" site several times each hour.
Various other factors come into play as well, as will be seen in the
discussions of the individual tools, below.
Akregator
Akregator is a KDE-based
tool with a reasonably long history. It is able to handle both RSS and
Atom feeds.
Akregator provides a file manager-like navigation pane on the left,
allowing the user to file feeds in a hierarchical system of folders. Each
entry includes the number of unread articles for that feed - a nice feature
that is not provided by all aggregators. Clicking on a folder will display
a mixture of articles from all feeds in that folder. A prominent button
allows the user to mark all articles as being read.
It is also possible to mark articles as being "important." The display can
be filtered (by way of a pulldown menu) so that only important, new, or
unread articles are shown. A search bar at the top can be used to further
limit the results to those matching a given string.
Of the tools reviewed, Akregator is probably the most flexible in how
it can be told to select articles for display.
While most aggregators hand off the task of displaying web pages to a
browser, akregator will, by default, display selected pages internally,
using a tabbed interface. This behavior can be changed, of course, and a
middle-click sends the URL to an external browser in any case.
For some reason, it is not possible to drag a feed URL from firefox and
drop it into an akregator window. So firefox users have to copy-and-paste
the URL into the "new feed" dialog. Dropping a URL from konqueror does
work, however. Feeds can be configured with their own archiving and update
interval preferences; akregator does not appear to use update intervals
supplied with the feeds themselves. If desired, akregator can generate
notifications when new articles are found.
Overall, akregator feels like a quick, flexible, and solid tool; definitely
one of the better aggregators out there.
Blam
Blam is a GNOME-based, C#/Mono application; it would appear to lack a web
site of its own. It is one of the simpler applications, lacking features
found in some of the other aggregators.
The blam left pane is a simple, alphabetical list of feeds; there is no
ability to rearrange or group them. A total count of unread articles is
given, but there is no user-visible per-feed count. (Actually, there is -
but the default width of the left pane hides it). There is no ability to
mix articles from multiple feeds into a single stream. Marking a feed
as read requires accessing a pulldown menu. Unlike almost every other
aggregator, blam sorts articles (by default) from the oldest to the newest.
Formatting of RSS items is done with gecko, with visually pleasing
results. Clicking on a URL displays the page in firefox; there does not
appear to be an option to make blam work with other browsers.
Blam does not automatically poll feeds by default; an explicit user action
is required. If automatic polling is turned on, the default interval is
fifteen minutes, which is rather short. Blam can handle Atom feeds, but
appears unable to work with feeds requiring authentication.
Blam does not appear to be able to
perform notifications, though it does put an icon into the GNOME
notification area.
Overall, your editor's opinion is that blam has some potential and a solid
base for the creation of a powerful tool. But the current version, despite
its 1.8.2 number, is not ready for widespread use.
Liferea
Liferea (the "Linux feed
reader") is a GNOME-based tool with a number of capabilities. It
can handle Atom feeds, and can also handle feeds with enclosures (the sort
normally used with podcasts). Update intervals provided with feeds are
respected (though they can be overridden by the user). Liferea can do
notifications if so desired.
Despite its GNOME origins, Liferea has a large number of configuration
options; only akregator compares on that score. It can be set up to
automatically download enclosures into a user-specified directory, so
those who follow podcasts can find new files waiting for them without having to
explicitly grab them. Liferea can be quickly configured to work with a
large variety of external browsers. Unfortunately, the switch controlling whether
already-read articles are displayed is hidden inside the configuration
dialogs; that adds up to a fair amount of clicking if the user wants to
change the display mode often.
Liferea has a plugin mechanism which can be used to load filters for feeds
of interest. There is a
respectable list of filters, many of which generate specialized RSS
feeds from web sites.
In general, Liferea is a pleasant and powerful tool - arguably the most
advanced of the GNOME-based aggregators.
RSSOwl
RSSOwl is a feed reader written in
Java. Your editor, it must be admitted, felt some trepidation when
yum wanted to download over 120MB of packages to install this
thing, but the investigative spirit cannot balk at such obstacles. So down it
came, along with its vast Java life support system. It's not every RSS
aggregator which requires eclipse just to install.
A quote on the RSSOwl site reads "Simply the best RSS reader. Fast,
lightweight and cross platform." Your editor begs to differ on the
"fast, lightweight" portion of that claim. Not only was RSSOwl not fast,
but, while it was running, nothing on the system was fast. It may
be that, on a different Java platform, things might be different. But, on
your editor's 1GB-memory system, RSSOwl managed to put everything into
full-scale thrash mode.
When first started, RSSOwl maximizes its window, a behavior which your
editor finds to be flat-out rude. Once it gets itself established (and has
been politely told how much screen space it may use), it is a reasonably
capable aggregator. It comes with a long list of built-in feeds, and it
has a search capability for finding more. Your editor, however, needed his
system back and was not able to allow a search to run to completion.
RSSOwl does not, by default, render HTML in article descriptions. This
behavior can be changed, though doing so drags the gecko engine into the mix. Feeds are
grouped hierarchically in the left pane, but it is not possible to mix
articles from multiple feeds. Opening a feed requires a double-click -
RSSOwl is the only aggregator reviewed which requires extra clicks in this
way. Each feed opens in its own tab. The search feature is more capable than
most, with the ability to work with boolean expressions.
For whatever reason, RSSOwl is able to export an RSS feed to a PDF file.
That must be useful to somebody, somewhere.
RSSOwl handles Atom feeds, and it can deal with feeds requiring
authentication. There is also an interface to AmphetaRate, which
can be used to generate recommendations for other sites of interest.
RSSOwl is certainly a capable tool, and it has some unique features. At
its current level of performance, however, it is not particularly usable -
at least on the Fedora platform.
Straw
Straw is a GNOME-based
aggregator written in Python. Its 0.26 version number suggests a young
project, but the first Straw release happened back in 2002. Straw is a
reasonably capable feed reader, but it has a couple of quirks.
One of those is that there is no hierarchical ordering of RSS feeds.
Instead, each feed may be assigned one or more keywords, and the view of
feeds can be restricted to a specific keyword. For added fun, the set of
legal keywords must be managed in a separate dialog; until a keyword has
been officially created in this manner, Straw will not acknowledge its
existence. Once the keywords have been established, the left-pane view can
be restricted to any one keyword.
Browsing through feeds is reasonably quick, once one gets the hang of
Straw's keyboard bindings, which use a lot of upper-case characters. If
one types lower-case keystrokes at the Straw
window, the reward is an unlabeled text entry field which materializes
toward the bottom of the screen; experimentation shows that this field can
be used to move directly to a feed by typing its name. There is no way to
mix articles from multiple feeds.
Straw does allow the configuration of per-feed update intervals, though it
does not appear to use feed-supplied intervals. There is a reasonable
search capability, but the resulting window behaves a bit strangely.
Articles from multiple feeds will appear there, but the normal keyboard
commands will not step through them - it is necessary to use the mouse.
Despite its relatively long history, Straw feels unfinished to your
editor. There are enough questionable user interface decisions to make
Straw relatively difficult to use - though somebody, clearly, likes it that
way.
Sage
There are a few RSS aggregators which have been implemented as Firefox
extensions, but the most advanced of those appears to be Sage. This aggregator is well
integrated into the browser, which does present certain advantages.
The Sage screen has three panes. The left column contains a hierarchical
list of subscribed feeds above a window containing a list of headlines from
the currently-selected feed. The bulk of the window, however, contains a
"newspaper style" rendering of the feed text in a somewhat strange
two-column layout with a fair amount of empty space. Clicking on a title
will pull up the full page. Sage allows the organization of this window to
be changed by way of style sheets; predictably, a fair number of
customized style sheets are available.
Sage's feed discovery feature is nice: bring up a site of interest and
click on the little magnifying glass icon. The Sage code will dig through
the page and present any feeds it finds, allowing the user to subscribe to
any or all of them. No more time spent looking for that little "XML" icon.
There does not appear to be any option allowing the configuration of update
intervals. Sage is not able to display a mixture of feeds on a single
screen. There is also no ability to search for strings in feed text
(though the normal Firefox search mechanism can be used in the article
display screen).
Sage is a slick and well-developed product, and there is real value in
integrating the aggregator into the browser. If nothing else, there's one
less window hanging around and cluttering up the screen. Still, the task
of displaying a page is somewhat different from that of finding pages to
look at in the first place. A tool which maintains its focus on the latter
task should be able to provide a better interface than the Swiss army knife
approach of cramming all of the tools into a single package.
Conclusion
On that note, one might well ask: how well do the current tools work at
enabling us to find the articles of interest to us, quickly? The current
readers have some nice features, and your editor favors akregator and
liferea as the ones which are the most productive at this time. If your
purpose is to keep up with the latest from a variety of news sites, either
of those applications will do the job nicely.
Your editor can't help but feel that much of the RSS and aggregation
technology we are seeing now is just a stage in a longer transition, however. The net is
not just about dispatches from news sites. People are using web logs, RSS
feeds, "planet" sites and aggregator software in an attempt to organize,
follow, and participate in conversations. When evaluated for that purpose,
current RSS aggregators have quite a bit of ground to cover. Don Marti has
written some worthwhile comments on this topic.
So there is some ground to be covered, yet. And that, in turn, suggests
that having a number of active development projects in this area is a good
thing. If the developers behind these applications can go beyond mere
aggregation, they stand a good chance of creating a new and powerful interface
to the net and the discussions taking place there. Your editor, while
pleased with the state of these tools as they exist now, is looking forward
to where they will go from here.
Comments (51 posted)
Gutenberg 2.0: the birth of open content
March 29, 2006
This article was contributed by Glyn Moody
A previous LWN.net
feature examined the
parallels between open source and open access, which strives for the free
online availability of the academic knowledge distilled into research
papers. Although it has some particular characteristics of its own, open
access can be considered part of a wider move to gain free online access to
general digital content.
The roots of this open content movement, as it came to be called, go back to
before the Internet existed, and when even computers were relatively rare
beasts. In 1971, the year Richard
Stallman joined the MIT AI Lab, Michael Hart
was given an operator's account on a Xerox
Sigma V mainframe at the
University of Illinois. Since he estimated this computer time had a nominal
worth of $100 million, he felt he had an obligation to repay this generosity
by using it to create something of comparable and lasting value.
His solution was to type in the US Declaration of Independence, roughly 5K
of ASCII, and to attempt to send it to everyone on ARPANET (fortunately,
this trailblazing attempt at spam failed). His insight was that once turned
from analogue to digital form, a book could be reproduced endlessly for
almost zero additional cost – what Hart termed "Replicator Technology". By
converting printed texts into etexts, he was able to create something whose
potential aggregate value far exceeded even the heady figure he put on the
computing time he used to generate it.
Hart chose the name "Project Gutenberg" for this body of etexts, making a
bold claim that they represented the start of something as epoch-making as
the original Gutenberg revolution. Indeed, he goes further: he sees the
original Gutenberg as the well-spring of the Industrial Revolution, and his
own project as the precursor of the next Industrial Revolution, where
Replicator Technology will be applied not just to digital entities – as with
Project Gutenberg – but to analogue ones too.
The Replicator idea is similar to one of the key defining characteristics of
free software: that it can be copied endlessly, at almost no marginal cost.
Hart's motivation for this move – the creation of a huge permanent store of
human knowledge – is very different from Stallman's reason for starting the
GNU project, which is powered by his commitment to spreading freedom. But on
the Project Gutenberg site, there is a discussion about the ambiguity of the
word "free" that could come straight from Stallman: "The word free in the
English language does not distinguish between free of charge and freedom.
.... Fortunately almost all Project Gutenberg ebooks are free of charge and
free as in freedom."
There are other interesting parallels between the two men. After they had
their respective epiphanies, both labored almost entirely alone to begin
with – Hart entering page after page of books into a computer, and Stallman
coding the first few programs of the GNU project. Even 20 years after
Project Gutenberg had begun, Hart had only created 10 ebooks (today, the
figure is 17,000). Given the dedication required, it is no surprise that
both are driven men, sustained by their sense of moral duty and of the
unparalleled possibilities for changing the world that the digital realm
offers.
Both, too, were aided enormously as the Internet grew and spread, since it
allowed the two projects to adopt a distributed approach for their work. In
the case of Project Gutenberg, this was formalized with the foundation of
the Distributed Proofreaders team in
October 2000; since then - and thanks in part to a Slashdotting in November
2002 - hundreds of books are being turned into ebooks every month.
Moreover, just as free software paid back the debt by creating programs that
pushed Internet adoption to even higher levels, so Project Gutenberg
returned the compliment by making key early titles like "Zen and the Art of
the Internet" (June 1992) and "The
Hitchhikers Guide to the Internet"
(September 1992) available to help new Internet users find their way around.
The Internet was also the perfect low-cost distribution medium for the
digital creations of Hart and Stallman. After starting out at the University
of Illinois, Project Gutenberg was mirrored at the University of North
Carolina, under the auspices of Paul Jones,
one of the pioneers in facilitating free access to all kinds of digital
files. In 1992, SunSITE was launched there, designed as "a central
repository for a collection of public-domain software, shareware and other
electronic material such as research articles and electronic images"
according to the press release of the time. SunSITE became
iBiblio.org in 2000 (after briefly turning
into MetaLab in 1998), and received a $4
million grant from the Center for the Public Domain, set up by Red Hat
co-founders Bob Young and Marc Ewing. Over time, iBiblio became Project
Gutenberg's official host and primary distribution site.
To the collection of open content at SunSITE was soon added an early
GNU/Linux archive, managed
successively by Jonathan Magid, Erik Troan, and Eric Raymond. Given this
close association between SunSITE and GNU/Linux, it was only natural that it
became the host for the Linux Documentation Project (LDP)
when it was founded in 1992 by Matt Welsh, and this soon grew into another
important early collection of free content. The LDP began with the Linux
FAQ, and expanded to include a kernel hackers guide and system administrator
guide when Michael K. Johnson and Lars Wirzenius joined the project. These
texts were originally created in LaTeX, but documentation later appeared in
the then-new HTML. Around the same time, in April 1993, there were
discussions between people like Tim Berners-Lee, Guido van Rossum and Nathan
Torkington about the idea of working with Project Gutenberg to distribute
HTML versions of its etexts, in part, presumably, to use the
well-established Project Gutenberg to help promote the fledgling Web format.
An early concern about the LDP materials was that they might be published
commercially without permission. To avoid this, a fairly restrictive license
was employed, which allowed reproduction in electronic or printed form, but
only non-commercially, and without modifications. This was later relaxed,
and the current license allows derivative
works. This issue of whether to allow changes has been a vexed one from the
earliest days of online content: what were probably the first digital
documents available on a network, the RFCs (which first appeared in 1969,
even before ARPANET), had also forbidden modifications.
Since Project Gutenberg's materials are almost exclusively drawn from the
public domain (a few copyrighted works have been included with the author's
permission), it might be expected that the
license would allow any kind of
use, including modifications. However, it imposes a
number of conditions on those who wish to use the name Project Gutenberg in
the ebooks they distribute; in this case, only verbatim copies are
permitted, and commercial distributors must pay royalties. If all
references to the Project are stripped out, leaving the bare text, the
latter can be used in any way.
One other condition for etexts distributed under the Project Gutenberg name
is worth noting. The license stipulates:
if you provide access to or distribute copies of a Project
Gutenberg work in a format other than "Plain Vanilla ASCII" or
other format used in the official version posted on the official
Project Gutenberg-tm web site (www.gutenberg.net), you must, at no
additional cost, fee or expense to the user, provide a copy, a means
of exporting a copy, or a means of obtaining a copy upon request, of
the work in its original "Plain Vanilla ASCII" or other form.
Just as the GPL does for software, the Project Gutenberg license insists
that the "source code" of etexts distributed in non-ASCII formats be freely
available.
In fact, an explicit connection between Project Gutenberg and free software
is to be found at the top of every page on the Project Gutenberg Web site, which
offers thanks to those who wrote the programs which the site employs –
GNU/Linux, Apache, PostgreSQL, PHP, Perl and Python – and a link to the Free
Software Foundation.
Licensing proved to be the crucial issue for freely-available materials, and
it was only when it was fully resolved that open content really began to
take off. The next feature in this series will look at how that happened,
and what some of the immediate consequences were.
Glyn Moody writes about open source and open content at
opendotdotdot.
Comments (2 posted)
Page editor: Jonathan Corbet
Security
SQL injection attacks
March 24, 2006
This article was contributed by Jake Edge.
One of the more devastating attacks on a web application is also one of the
most common: SQL injection. This technique allows an attacker to gain
access to the database that underlies many web sites and read and potentially
modify data that is not meant to be available to users of that site. This article
provides an overview of how SQL injection works and what can be done to
avoid it.
A classic example of SQL injection starts with a query that looks
something like:
SELECT id FROM users WHERE name='$name' AND pass='$pass';
This query might be used to authenticate users when they log in to a
web site. If it returns a row, the user id returned is considered to
be authenticated and the application proceeds to serve the correct page
for that user. In this case, the $name and $pass variables
would come from a login form that might look something like:
<form method="post" action="login.php">
<input type="text" name="name">
<input type="password" name="pass">
<input type="submit" value="login">
</form>
If the login.php program in this example blindly sets the variables
to the values that come from the user, a malicious user can bypass the
authentication. Consider the following inputs:
$name = "' OR 1=1 ";
$pass = "' OR 1=1 LIMIT 1";
This results in a query that is completely different from what the web
programmer expected:
SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;
This query will always return one row (unless the table is empty), and it
is likely to be the first entry in the table. For many applications, that
entry is the administrative login, the one with the most privileges.
This simple example barely scratches the surface of the kinds of attacks
that can be made using SQL injection. Depending on the DBMS, it may be
possible to do multiple queries via an injection by separating each with a
semicolon:
SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;
which is, of course, a rather destructive injection.
MySQL does not allow multiple queries in a statement, but PostgreSQL is
susceptible to this technique.
Web site and/or database search functions are particularly dangerous because
they display their output; if a malicious user can inject any query they
choose, they can capture the entire contents of the database. The UNION
keyword can turn a query such as:
SELECT city, state FROM users WHERE name LIKE '%$search%';
into:
SELECT city, state FROM users
WHERE name LIKE '%%' UNION
SELECT name, pass FROM users
WHERE name LIKE '%%';
And instead of just printing the city and state of users that match the input
string, we are also printing the username and password of every user in the
system.
A certain amount of guessing column names and types is required if an
attacker does not have access to the database schema, but they are often
not very hard to guess given some understanding of the application.
Some database systems, notably Microsoft SQL Server, seem to deliberately
shoot themselves in the foot by providing the schema for all tables in
a generally accessible database, thereby removing all the guesswork.
Injection also requires a certain amount of imagination to visualize the
kinds of queries that might be going on behind the input boxes of a web
form. It requires quite a bit of trial and error unless one has access
to the source; this is why the majority of reported SQL injections are
in free software or open source web applications.
Note that it is not only web forms using the POST method that are vulnerable;
many web applications that use the GET method are vulnerable to injections
via the URL:
http://vulnerablewebapp.com/login.php?\
name=%27%20OR%201%3D1%20&pass=%27%20OR%201%3D1%20LIMIT%201
Like many other web vulnerabilities, SQL injection stems from insufficient
filtering of user input. Unfortunately, it is sometimes difficult to
determine what kinds of input should be accepted (for example the
password "' OR 1=1" would not necessarily seem illegal) and using
various filtering functions provided
by the language may not actually prevent injections. The PHP
addslashes() function is often used to sanitize user input because
it will put a backslash in front of single quotes which will stop the kinds
of injections described above. Unfortunately, there are techniques
to circumvent this particular 'fix' as well.
Probably the simplest way to protect queries from SQL injection is by
using prepared statements with placeholders. Any reasonable database
interface will provide a way to use this functionality and in many
cases, it is fairly portable between languages and DBM systems.
Instead of directly interpolating string values into query strings, a query
is prepared using '?' as a placeholder for the variables as shown in the
following pseudocode:
$sth = prepare("SELECT id FROM users WHERE name=? AND pass=?");
execute($sth, $name, $pass);
This has a number of advantages: the DBMS library is responsible for properly
quoting the values and because of the way the variables are
bound to the query, they can never be treated as anything other than data
for the particular place they have in the prepared statement. This
effectively turns the injection attempt above into a query like:
SELECT id FROM users WHERE name='\' OR 1=1 ' AND pass='\' OR 1=1 LIMIT 1';
which is unlikely to authenticate.
Another way to defend against injections is by ensuring that all user input
is passed through a database specific quoting function before being used
in a query:
$name = db_quote($name);
$pass = db_quote($pass);
SELECT id FROM users WHERE name=$name AND pass=$pass;
Depending on the language and database API, this method may also be fairly
portable.
The final recommended technique is also the most complicated, but it can
provide an additional level of security if stored procedures are
available for the DBMS.
Stored procedures are queries (and more complicated functions) that are
created by the database administrator and stored with the database. These
procedures are then called by the application code to do any queries that
they require. The equivalent of the prepare functionality is done on
the procedures at the time they are stored and, with proper coding, this
will prevent injections. One of the main advantages is that these procedures
run with the privileges of the user that stored them, instead of the user
invoking them; this allows the application to have a much more limited
set of privileges than it would normally require. The upshot is that the
database can be protected from being read or written even if the application
is subverted in some way.
SQL injections are clearly a serious security problem, but one that can
be thwarted relatively easily once one understands the problem and the
ways to program around it.
Comments (23 posted)
New vulnerabilities
firebird2: buffer overflow
| Package(s): | firebird2 |
| CVE #(s): | CVE-2004-2043 |
| Created: | March 23, 2006 |
| Updated: | March 24, 2006 |
| Description: | The firebird2 database has a buffer overflow vulnerability that can be exploited by remote users to crash the application. |
| Alerts: | |
Comments (none posted)
freeradius: authentication bypass
| Package(s): | freeradius |
| CVE #(s): | CVE-2006-1354 |
| Created: | March 24, 2006 |
| Updated: | June 5, 2006 |
| Description: | An unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module. |
| Alerts: | |
Comments (none posted)
nethack: privilege escalation
| Package(s): | nethack |
| CVE #(s): | |
| Created: | March 24, 2006 |
| Updated: | March 24, 2006 |
| Description: | The rogue-like games NetHack, Slash'EM and Falcon's Eye are vulnerable to local privilege escalation vulnerabilities that could potentially allow the execution of arbitrary code as other users. |
| Alerts: | |
Comments (none posted)
RealPlayer: buffer overflow
| Package(s): | RealPlayer |
| CVE #(s): | CVE-2006-0323 |
| Created: | March 23, 2006 |
| Updated: | March 27, 2006 |
| Description: | RealPlayer has a buffer overflow vulnerability in the Flash Media .swf file processing code. If a user is tricked into playing a maliciously formed Flash Media file, arbitrary code may be executed with the privileges of the user. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
ADOdb: PostgreSQL command injection
| Package(s): | adodb |
| CVE #(s): | CVE-2006-0410 |
| Created: | February 6, 2006 |
| Updated: | April 17, 2006 |
| Description: | Andy Staudacher discovered that ADOdb does not properly sanitize all parameters. By sending specifically crafted requests to an application that uses ADOdb and a PostgreSQL backend, an attacker might exploit the flaw to execute arbitrary SQL queries on the host. |
| Alerts: | |
Comments (none posted)
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2005-3352 |
| Created: | December 14, 2005 |
| Updated: | May 10, 2006 |
| Description: | Versions 1 and 2 of the apache web server suffer from a cross-site scripting vulnerability in the mod_imap module; see this bugzilla entry for details. |
| Alerts: | |
Comments (none posted)
beagle: untrusted search path vulnerability
| Package(s): | beagle |
| CVE #(s): | CVE-2006-1296 |
| Created: | March 21, 2006 |
| Updated: | March 22, 2006 |
| Description: | Untrusted search path vulnerability in Beagle 0.2.2.1 might allow local users to gain privileges via a malicious beagle-info program in the current working directory, or possibly directories specified in the PATH. |
| Alerts: | |
Comments (none posted)
blender: integer overflow
| Package(s): | blender |
| CVE #(s): | CVE-2005-4470 |
| Created: | January 6, 2006 |
| Updated: | June 15, 2006 |
| Description: | Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user. |
| Alerts: | |
Comments (none posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
| Alerts: | |
Comments (2 posted)
cairo: denial of service
| Package(s): | cairo |
| CVE #(s): | CVE-2006-0528 |
| Created: | March 21, 2006 |
| Updated: | March 31, 2006 |
| Description: | The cairo library (libcairo), as used in GNOME Evolution and possibly other products, allows remote attackers to cause a denial of service (persistent client crash) via an attached text file that contains "Content-Disposition: inline" in the header, and a very long line in the body, which causes the client to repeatedly crash until the e-mail message is manually removed, possibly due to a buffer overflow, as demonstrated using an XML attachment. |
| Alerts: | |
Comments (none posted)
ktools: buffer overflow
| Package(s): | centericq |
| CVE #(s): | CVE-2005-3863 |
| Created: | December 7, 2005 |
| Updated: | August 29, 2006 |
| Description: | From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor. |
| Alerts: | |
Comments (none posted)
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | May 8, 2007 |
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e.g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). |
| Alerts: | |
Comments (none posted)
crossfire: buffer overflow
| Package(s): | crossfire |
| CVE #(s): | CVE-2006-1236 |
| Created: | March 20, 2006 |
| Updated: | March 22, 2006 |
| Description: | A buffer overflow has been discovered in the crossfire game which allows remote attackers to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
crossfire: arbitrary code execution
| Package(s): | crossfire |
| CVE #(s): | CVE-2006-1010 |
| Created: | March 14, 2006 |
| Updated: | April 24, 2006 |
| Description: | It was discovered that Crossfire, a multiplayer adventure game, performs insufficient bounds checking on network packets when run in "oldsocketmode", which may possibly lead to the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
curl: heap-based buffer overflow
| Package(s): | curl |
| CVE #(s): | CVE-2006-1061 |
| Created: | March 21, 2006 |
| Updated: | June 28, 2006 |
| Description: | Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path. |
| Alerts: | |
Comments (none posted)
curl: buffer overflow
| Package(s): | curl |
| CVE #(s): | CVE-2005-4077 |
| Created: | December 8, 2005 |
| Updated: | March 27, 2006 |
| Description: | The curl file transfer utility has a buffer overflow vulnerability in the URL authentication code. If an overly long URL is used, a buffer overflow can result, allowing for local unauthorized access. |
| Alerts: | |
Comments (none posted)
cyrus-imapd: buffer overflows
| Package(s): | cyrus-imapd |
| CVE #(s): | CAN-2005-0546 |
| Created: | February 23, 2005 |
| Updated: | April 9, 2006 |
| Description: | Cyrus-imapd, prior to version 2.2.12, contains several buffer overflows which could be exploited by an (authenticated) attacker to run code on the server system. |
| Alerts: | |
Comments (none posted)
dia: missing input sanitizing
| Package(s): | dia |
| CVE #(s): | CAN-2005-2966 |
| Created: | October 4, 2005 |
| Updated: | April 6, 2006 |
| Description: | Joxean Koret discovered that the SVG import plugin did not properly sanitize data read from an SVG file. By tricking a user into opening a specially crafted SVG file, an attacker could exploit this to execute arbitrary code with the privileges of the user. |
| Alerts: | |
Comments (none posted)
drupal: multiple vulnerabilities
| Package(s): | drupal |
| CVE #(s): | CVE-2006-1225, CVE-2006-1226, CVE-2006-1227, CVE-2006-1228 |
| Created: | March 17, 2006 |
| Updated: | March 22, 2006 |
| Description: | The Drupal Security Team discovered several vulnerabilities in Drupal, a fully-featured content management and discussion engine: |
- Due to missing input sanitizing a remote attacker could inject headers
of outgoing e-mail messages and use Drupal as a spam proxy. (CVE-2006-1225)
- Missing input sanity checks allows attackers to inject arbitrary web
script or HTML. (CVE-2006-1226)
- Menu items created with the menu.module lacked access control, which
might allow remote attackers to access administrator pages. (CVE-2006-1227)
- Markus Petrux discovered a bug in the session fixation which may allow
remote attackers to gain Drupal user privileges. (CVE-2006-1228)
| Alerts: | |
Comments (none posted)
emacs21: format string vulnerability in "movemail"
| Package(s): | emacs21 |
| CVE #(s): | CAN-2005-0100 |
| Created: | February 7, 2005 |
| Updated: | May 15, 2006 |
| Description: | Max Vozeler discovered a format string vulnerability in the "movemail" utility of Emacs. By sending specially crafted packets, a malicious POP3 server could cause a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the user and the "mail" group. |
| Alerts: | |
Comments (none posted)
enscript: arbitrary code execution
| Package(s): | enscript |
| CVE #(s): | CAN-2004-1184, CAN-2004-1185, CAN-2004-1186 |
| Created: | January 21, 2005 |
| Updated: | May 27, 2006 |
| Description: | Erik Sjölund has discovered several security relevant problems in enscript, a program to convert ASCII text into Postscript and other formats. Unsanitized input can cause the execution of arbitrary commands via EPSF pipe support. Due to missing sanitizing of filenames it is possible that a specially crafted filename can cause arbitrary commands to be executed. Multiple buffer overflows can cause the program to crash. |
| Alerts: | |
Comments (none posted)
evolution: format string issues
Comments (2 posted)
fetchmail: multidrop bug
| Package(s): | fetchmail |
| CVE #(s): | CVE-2005-4348 |
| Created: | December 20, 2005 |
| Updated: | May 27, 2006 |
| Description: | Fetchmail contains a bug which allows a malicious mail server to crash the client by sending a message without headers. This occurs when running in multidrop mode. |
| Alerts: | |
Comments (none posted)
flash-plugin: arbitrary code execution
| Package(s): | flash-plugin |
| CVE #(s): | CVE-2006-0024 |
| Created: | March 16, 2006 |
| Updated: | March 22, 2006 |
| Description: | The Macromedia Flash Player plugin has an arbitrary code execution vulnerability that may be triggered by opening a maliciously created Macromedia Flash file. |
| Alerts: | |
Comments (none posted)
flex: buffer overflow
| Package(s): | flex |
| CVE #(s): | CVE-2006-0459 |
| Created: | March 7, 2006 |
| Updated: | March 28, 2006 |
| Description: | Chris Moore discovered a buffer overflow in a particular class of lexicographical scanners generated by flex. This could be exploited to execute arbitrary code by processing specially crafted user-defined input to an application that uses a flex scanner for parsing. |
| Alerts: | |
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
| CVE #(s): | CAN-2004-0801 |
| Created: | September 20, 2004 |
| Updated: | May 31, 2006 |
| Description: | There is a vulnerability in the foomatic-filters package. This vulnerability is due to insufficient checking of command-line parameters and environment variables in the foomatic-rip filter. This vulnerability may allow both local and remote attackers to execute arbitrary commands on the print server with the permissions of the spooler. |
| Alerts: | |
Comments (none posted)
gdb: multiple vulnerabilities
| Package(s): | gdb |
| CVE #(s): | CAN-2005-1704, CAN-2005-1705 |
| Created: | May 20, 2005 |
| Updated: | August 11, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands. |
| Alerts: | |
Comments (5 posted)
gnupg: incorrect signature verification
| Package(s): | gnupg |
| CVE #(s): | CVE-2006-0049 |
| Created: | March 13, 2006 |
| Updated: | May 15, 2006 |
| Description: | Another vulnerability has been found in GnuPG. "Signature verification of non-detached signatures may give a positive result but when extracting the signed data, this data may be prepended or appended with extra data not covered by the signature. Thus it is possible for an attacker to take any signed message and inject extra arbitrary data." |
| Alerts: | |
Comments (none posted)
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 9, 2007 |
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. |
| Alerts: | |
Comments (2 posted)
ilohamail: missing input sanitizing
| Package(s): | ilohamail |
| CVE #(s): | CVE-2005-1120 |
| Created: | March 20, 2006 |
| Updated: | March 22, 2006 |
| Description: | Ulf Härnhammar from the Debian Security Audit Project discovered that ilohamail, a lightweight multilingual web-based IMAP/POP3 client, does not always sanitize input provided by users, which allows remote attackers to inject arbitrary web script or HTML. |
| Alerts: | |
Comments (none posted)
imagemagick: arbitrary command execution
| Package(s): | imagemagick |
| CVE #(s): | CVE-2005-4601, CVE-2006-0082 |
| Created: | January 24, 2006 |
| Updated: | March 24, 2006 |
| Description: | Florian Weimer discovered that the delegate code did not correctly handle file names which embed shell commands (CVE-2005-4601). Daniel Kobras found a format string vulnerability in the SetImageInfo() function (CVE-2006-0082). By tricking a user into processing an image file with a specially crafted file name, these two vulnerabilities could be exploited to execute arbitrary commands with the user's privileges. These vulnerabilities become particularly critical if malicious images are sent as email attachments and the email client uses imagemagick to convert/display the images (e.g. Thunderbird and Gnus). |
| Alerts: | |
Comments (none posted)
imap: buffer overflow in c-client
| Package(s): | imap |
| CVE #(s): | CAN-2003-0297 |
| Created: | February 18, 2005 |
| Updated: | April 9, 2006 |
| Description: | A buffer overflow flaw was found in the c-client IMAP client. An attacker could create a malicious IMAP server that, if connected to by a victim, could execute arbitrary code on the client machine. |
| Alerts: | |
Comments (none posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
| CVE #(s): | CVE-2005-3732 |
| Created: | December 1, 2005 |
| Updated: | June 8, 2006 |
| Description: | ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons. |
| Alerts: | |
Comments (none posted)
kdebase: local root vulnerability
| Package(s): | kdebase |
| CVE #(s): | CAN-2005-2494 |
| Created: | September 7, 2005 |
| Updated: | August 11, 2006 |
| Description: | The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details. |
| Alerts: | |
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | November 27, 2006 |
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: | |
Comments (none posted)
kernel: multiple vulnerabilities
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2006-0741, CVE-2006-0555 |
| Created: | March 2, 2006 |
| Updated: | March 23, 2006 |
| Description: | The Linux kernel has multiple vulnerabilities including a sanity check problem with sys_mbind that can lead to a local denial of service, an ELF vulnerability that can crash Intel EM64T systems and an NFS client panic problem that can be triggered by direct I/O from a local user. |
| Alerts: | |
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2005-3527, CVE-2005-3783, CVE-2005-3784, CVE-2005-3805, CVE-2005-3806, CVE-2005-3808 |
| Created: | January 20, 2006 |
| Updated: | April 18, 2006 |
| Description: | Here's another set of vulnerabilities in the Linux kernel: |
- A race condition in the 2.6 kernel could allow a local user to cause a
DoS by triggering a core dump in one thread while another thread has a
pending SIGSTOP (CVE-2005-3527).
- The ptrace functionality in 2.6 kernels prior to 2.6.14.2, using
CLONE_THREAD, does not use the thread group ID to check whether it is
attaching to itself, which could allow local users to cause a DoS
(CVE-2005-3783).
- The auto-reap child process handling in 2.6 kernels prior to 2.6.15 includes
processes with ptrace attached, which leads to a dangling ptrace
reference and allows local users to cause a crash (CVE-2005-3784).
- A locking problem in the POSIX timer cleanup handling on exit on
kernels 2.6.10 to 2.6.14 when running on SMP systems allows a local
user to cause a deadlock involving process CPU timers (CVE-2005-3805).
- The IPv6 flowlabel handling code in 2.4 and 2.6 kernels prior to
2.4.32 and 2.6.14 modifies the wrong variable in certain circumstances,
which allows local users to corrupt kernel memory or cause a crash by
triggering a free of non-allocated memory (CVE-2005-3806).
- An integer overflow in 2.6.14 and earlier could allow a local user to
cause a hang via 64-bit mmap calls that are not properly handled on a
32-bit system (CVE-2005-3808).
| Alerts: | |
Comments (none posted)
kernel-patch-vserver: missing attribute support
| Package(s): | kernel-patch-vserver util-vserver |
| CVE #(s): | CVE-2005-4347, CVE-2005-4418 |
| Created: | March 21, 2006 |
| Updated: | March 22, 2006 |
| Description: | Several vulnerabilities have been discovered in the Debian vserver support for Linux. Bjørn Steinbrink discovered that the chroot barrier is not set correctly with util-vserver, which may result in unauthorized escapes from a vserver to the host system. (CVE-2005-4347) The default policy of util-vserver is set to trust all unknown capabilities instead of considering them as insecure. (CVE-2005-4418) |
| Alerts: | |
Comments (none posted)
libapreq2: algorithm weakness
| Package(s): | libapreq2-perl apache2 |
| CVE #(s): | CVE-2006-0042 |
| Created: | March 14, 2006 |
| Updated: | April 18, 2006 |
| Description: | An algorithm weakness has been discovered in Apache2::Request, the generic request library for Apache2, which can be exploited remotely and cause a denial of service via CPU consumption. |
| Alerts: | |
Comments (5 posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
| CVE #(s): | CAN-2005-2370 |
| Created: | July 29, 2005 |
| Updated: | June 25, 2007 |
| Description: | Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu client, an instant messaging program), which is included in gaim, a multi-protocol instant messaging client, as well. This cannot be exploited on the x86 architecture, but on others, e.g. Sparc, it can lead to a bus error, in other words a denial of service. |
| Alerts: | |
Comments (none posted)
libgd2: buffer overflows in PNG handling