Obviously incorrect 2003 predictions
It's that time of year again. Traditionally the first LWN Weekly Edition
of the year includes some predictions of what may happen in the near
future. It is worthwhile, occasionally, to step back and think about what
may be on the horizon, even though the real thing will, as always, include
surprises that we are not able to anticipate.
Besides, real news tends to be scarce about now.
So, without further ado, here are a few Obviously Incorrect Predictions for
the next year.
- Use of Linux in government will increase, especially outside
of the U.S. Officials are increasingly concerned about
security, long-term public access to records, costs, and the health of
the local software industry. Free software offers help in all of
those areas. Governments move slowly, but there will be significant
steps toward governmental adoption of free software in the coming
year.
- There will be high-profile desktop deployments, inside and
outside of government. Linux as a desktop system is good enough for
many users now, and is only getting better. As the number of success
stories grows, more organizations will take the plunge and switch over
to free software.
- There will be a direct patent challenge to one or more
free software products. Thus far, there has been a great deal of
nervousness about software patents, and people have occasionally had
to code their way around patent issues. But there has been a distinct
lack of actual infringement suits. Suing a free software user for
patent infringement will be a powerful way of creating uncertainty
throughout the community, however; 2003 may well be the year that this
weapon gets used.
- It will be a watershed year in intellectual property law, but
we are not foolish enough to try to predict which way it will go. It
could be that, in 2003, copyright extension is struck down, the DMCA
is revised and defanged, and the entertainment industry figures out
that it needs to go after pirates instead of harassing its customers.
Or the courts could be hostile, the CBDTPA could be passed, new
encryption restrictions could surface, and
"trusted computing systems" could come closer to reality.
The first scenario is not out of the question. The copyright
extension and ElcomSoft cases have done a lot to raise awareness of
the excesses of American (and, increasingly, worldwide) intellectual
property law. The costs (and vulnerabilities) of copy protection
systems are increasingly apparent to all. We won the encryption
battle, and we could well win this one too. But the forces behind the
attempted intellectual property takeover will not give up easily. One
way or the other, 2003 will be interesting.
- The 2.6 kernel will be released, but probably not until well
into the second half of the year. Chances are the 2.7 development
series will not open in 2003. Of course, all bets are off if Linus
starts accepting new developments in 2.5, but chances are that will
not happen.
- There will be a SourceForge crisis in 2003. SourceForge
is operated by a company which is still bleeding cash, and which no
longer has any real interest in free software. VA Software's
investors and board are bound to question the value of the free
SourceForge service. That service may well be cut back - or start
demanding some sort of payment - in the coming year.
- UnitedLinux will not be enough to save all four of its
participants; at least one of them will probably exit the distribution
business by the end of the year. MandrakeSoft, which is in a cash
crunch as of this writing, will pull through with support from its
users and emerge as a viable (if smaller) company.
Those are our guesses for what this year holds for Linux and free
software. These predictions are offered in the hope that they will be
useful, but they come with NO WARRANTY regarding their fitness for any
particular purpose or relation to any sort of reality.
Distribution support: how long is long enough?
[This article was contributed by LWN reader Joe 'Zonker' Brockmeier]
Red Hat's recently announced errata policy has drawn some fire from the
Linux community for being too stingy. The new policy guarantees that
releases will be
for being too stingy. The new policy guarantees that releases will be
supported for "at least 12 months from the date of initial release." To
look at it another way, it paves the way for Red Hat to end support for
products only one year after release. Red Hat's 8.0 release, officially
released on September 30 of last year, is slated for retirement on
December 31, 2003. Fourteen months is a fairly short life cycle for an
operating system, particularly since most companies and users won't be
switching to a new release immediately.
An end of life policy isn't new to Linux vendors, though such a short life
span is. SuSE announced last year that the company would be retiring
releases after two years. Caldera and
Mandrake also end support for their products after a few years, though they
seem to have no posted policy stating a specific shelf life for the products.
Some have noted that Red Hat may be trying to move users to its
"Advanced Server" product. While the latest "consumer" release of Red
Hat is being retired at the end of this year, Advanced Server won't be
put out to pasture until 2005. Naturally, Red Hat charges much more for
the Advanced Server product.
When a company like Microsoft decides to end support for a product, it
puts its customers in a fairly unpleasant situation: be stranded with an
unsupported platform that will no longer receive bugfixes and support
for new hardware, or pony up the money for upgrades, possibly breaking
support for older applications and forcing hardware upgrades. Red Hat's
customers are in a different position, however, since they possess the full
source to their operating system; there's nothing that says that someone
else can't maintain a release past Red Hat's expiration date.
Companies that specialize in Linux support (e.g. Tummy.com, others)
could provide longer-term support for companies (and
individuals who happen to have the cash) for a fee. For that matter,
there's no reason a savvy admin couldn't continue to patch a system on
their own without official errata from Red Hat. If demand is great
enough, Red Hat users might even form a community effort to release
errata for older releases, though that might be more effort than simply
upgrading to new releases or switching distributions. It will be some
time before we see just how well, or how badly, Red Hat's policy change
goes over with the Linux community. It's likely that it will draw little
attention until the expiration dates start to approach.
While many Linux users may complain about having to upgrade or scrounge
for patches on their own, there is some justification for Red Hat and
other vendors to stop supporting older releases. The Open Source
development model moves very quickly, making it difficult for a vendor
to continue support for a wide variety of packages that may put out many
releases a year. Not only does the vendor need to provide updates for
each package, they must ensure that the updates don't conflict with or
break other packages that may depend on them. For a company struggling
to be profitable while still giving away its software, it may make a
large difference in the bottom line.
On the licensing of software patents
Unless it is changed before adoption, the proposed W3C royalty-free patent
policy will allow "field of use" provisions. Patented technologies which are
included in a W3C standard must be licensed for royalty-free use - but only
for implementations of the standard itself. Owners of patents can still
require license payments for any other use of the technology.
What this means, of course, is that, if a W3C standard contains patented
technology with "field of use" restrictions, no implementation of that
standard may be distributed under the GPL. The GPL does not allow that
sort of restriction. Free implementations of such standards can be
distributed under BSD-style licenses, so it remains possible to implement
the standard in free software. But the range of that freedom has been
restricted somewhat.
These terms make an interesting contrast with another form of royalty-free
patent licensing. Companies like Red Hat and FSMLabs have licensed their
patents for use in free software - but only for software licensed under the
GPL. BSD-licensed implementations are not covered by these patent
licenses.
If these trends continue, the proliferation of software patents is going to
bring about a partial partitioning of the free software ecosystem. The two
types of patent licensing are, essentially, allergic to each other, and can
not be mixed. This is not a new situation - mixing free software with
different licenses can be problematic even without the additional
complication of patent issues. But adding in incompatible patent licensing
creates new and dangerous problems.
Software patents may well turn out to be one of the more potent weapons
against free software in general. Patent infringement lawsuits can be
filed against any user of the allegedly infringing software, not
just its developers or distributors. A couple of high-profile examples of
companies being dragged into court for using a free program would serve to
create a great deal of fear, uncertainty, and doubt among all free software
users - even if the patent suits are eventually tossed out. The free
software community will have to step carefully when implementing algorithms
covered by patents - and that may well not be enough.
Quick LWN update
The LWN staff has survived the holidays in reasonably good form. Hopefully
the same is true for all of you; we wish you all the best for the new year.
Quite a few LWN subscriptions have expired over the holidays - many people,
it seems, signed up at the beginning for a three-month subscription, and
that has run out. If you are one of those folks, please consider renewing
your subscription so you can have access to LWN's premium content and
features and stay on top of what's happening in the Linux and free software
community.
The final version of the LWN 2002 Linux Timeline is now available.
Enjoy the first LWN Weekly Edition of 2003, and thanks, as always, for
supporting LWN.net.
Page editor: Jonathan Corbet
Security
Security news
Postfix 2.0.0
[This article was contributed by LWN reader Tom Owen]
Wietse Venema released Postfix 2.0.0 on December 23. Originally created as
the IBM "Secure Mailer" and released under the IBM Public License at the
beginning of 1998, Postfix is a drop-in sendmail replacement designed from
the ground up to be secure. Venema has a long history in the secure software
area; his TCP Wrappers package has been going into Linux distributions
unchanged for five years now. So a new major release of one of his packages
is worth a look.
The Postfix 2.0.0 release notes list dozens of new features, changes and
fixes, mostly consolidations of patch releases accumulated over the last
year. The reason for the major version change seems to be to flag some of
the changes listed as incompatibilities with 1.1.0.
Few of these will cause problems at most sites but virtual domain admins and
those receiving mail for users listed in a table (i.e. not in the local
/etc/passwd file) will need to read the upgrade notes with special
care.
Postfix's strong spam control gets a substantial upgrade with extra control
over DNS checks and a rewrite of the real-time blackhole list (RBL)
handling code with new configuration directives.
Content filtering based on regular expression matching in headers and body is
improved with finer granularity, faster processing, better handling for MIME
and other attachments, a more expressive regular expression language and more
options to deal with the messages that match.
The many improvements to MIME handling
allow better control over the processing of messages with attachments.
Meanwhile, only mail mavens and frustrated crackers will care about the
subtle semantic changes in fancier address formats and headers.
Sysadmins will mostly be pleased with performance improvements and better
logging for Postcript and RBL actions.
Features like MacOS X support and the better LDAP client have a narrower appeal.
And of course there are occasional items on the way out:
Sendmail-style virtual domains are no longer documented.
This part of Postfix was too confusing.
Postfix administrators will be pleased by 2.0.0.
They've seen most of it already in the patch releases,
and for such a central piece of infrastructure, that's the way it should be.
Postfix is still the same straightforward, rather easy to configure mail
server, with excellent compatibility as a sendmail replacement and out of the
box security.
And that may be the most important lesson from Postfix:
not the secure, flexible, multi-process, untrusting design,
not the reduction in the mailer monoculture,
not even the lucid and closely documented code.
Just that security and ease of use are, sometimes, compatible.
Secure Programming for Linux and Unix HOWTO updated
David A. Wheeler has announced the availability of an updated version of
his "Secure Programming for Linux and Unix HOWTO." "...this version
adds new text on handling tmp files where there are tmp cleaners running
(true on most real systems - this causes particular problems with
mktemp(1)), notes on avoiding buffer overflow in FD_SET/FD_CLR(), and
a long discussion on a new attack against web-based systems: session
fixation. I also added text about protecting secrets in memory."
New vulnerabilities
bugzilla - cross site scripting
Package(s): bugzilla
CVE #(s): (none)
Created: December 30, 2002
Updated: January 1, 2003
Description:
A cross site scripting vulnerability has been reported for Bugzilla, a
web-based bug tracking system. Bugzilla does not properly sanitize
certain user-submitted input. As a result, it is possible for a
remote attacker to create a malicious link containing script code
which will be executed in the browser of a legitimate user, in the
context of the website running Bugzilla. This issue may be exploited
to steal cookie-based authentication credentials from legitimate users
of the website running the vulnerable software.
This vulnerability only affects users who have the 'quips' feature
enabled and who upgraded from version 2.10.
cups - multiple vulnerabilities
cyrus-imapd - Remote command execution vulnerability
Package(s): cyrus-imapd
CVE #(s): (none)
Created: December 29, 2002
Updated: January 1, 2003
Description:
The Cyrus IMAP Server is an e-mail application that uses the Internet
Message Access Protocol (IMAP). It allows a user to perform certain mail
functions on a remote server rather than on a local computer.
Timo Sirainen discovered [1] a remotely exploitable pre-login buffer
overflow in cyrus imapd. The problem resides in the way memory is managed:
an integer overflow can cause less memory than needed to be allocated.
This vulnerability [2] may be exploited prior to authentication to the IMAP
server and could allow a remote attacker to read other users' mail and to
execute arbitrary code with the privileges of the user running the IMAP
server (Conectiva Linux has a special unprivileged user called 'cyrus'
responsible for that).
References:
1. http://online.securityfocus.com/archive/1/301864
2. http://www.kb.cert.org/vuls/id/740169
cyrus-sasl - buffer overflows
Package(s): cyrus-sasl
CVE #(s): CAN-2002-1347
Created: December 27, 2002
Updated: January 7, 2003
Description:
"Insufficient buffer length checking in user name canonicalization
may allow attacker to execute arbitrary code on servers using Cyrus
SASL library. Client side library also has the bug but since the user
name is asked from the local user, there's probably not many
applications that care about it, except maybe webmails and the like.
This overflow only happens if default realm is set."
"LDAP authentication with saslauthd doesn't allocate enough memory
when it needs to escape characters '*', '(', ')', '\' and '\0' in
username and realm. This should be easily exploited with glibc's
malloc implementation."
"Log writer might not have allocated memory for the trailing \0 in
message. Probably hard to exploit, although you can affect the
logging data with at least anonymous authentication."
Read the full advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=103946297703402&w=2
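The saslauthd item above is a length-accounting bug rather than a classic unchecked copy: the five bytes that must be escaped in an LDAP filter each grow from one byte to three on output, so a buffer sized from the input length is short whenever the name contains one of them. The following is an added example, not the Cyrus SASL or saslauthd code; the filter shape "(uid=...)" is an assumption for illustration. It computes the escaped length first, allocates exactly that much, and treats the name as a length-delimited byte string so an embedded NUL is escaped rather than truncating the name.

```c
/* Added example; this is not the Cyrus SASL or saslauthd code.
 * Escaping a user name for an LDAP search filter (RFC 2254 style).
 * The bug described above is a length miscount: each of the five special
 * bytes ('*', '(', ')', '\' and NUL) grows from one byte to three on output,
 * so a buffer sized from the input length is too small whenever the name
 * contains one of them.  Here the escaped length is computed first and the
 * buffer is allocated to exactly that size. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The five bytes RFC 2254 requires to be escaped inside a filter value. */
static int ldap_needs_escape(unsigned char c)
{
    return c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0';
}

/* Exact escaped length of the first len bytes of in, not counting the
 * terminating NUL that ldap_filter_escape() appends. */
size_t ldap_escaped_len(const char *in, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++)
        out += ldap_needs_escape((unsigned char)in[i]) ? 3 : 1;
    return out;
}

/* Returns a malloc'd, NUL-terminated escaped copy, or NULL if malloc fails.
 * Taking an explicit length means an embedded NUL is escaped as \00 rather
 * than silently truncating the name. */
char *ldap_filter_escape(const char *in, size_t len)
{
    static const char hex[] = "0123456789abcdef";
    size_t outlen = ldap_escaped_len(in, len);
    char *out = malloc(outlen + 1);
    if (out == NULL)
        return NULL;
    size_t j = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (ldap_needs_escape(c)) {
            out[j++] = '\\';
            out[j++] = hex[c >> 4];
            out[j++] = hex[c & 0x0f];
        } else {
            out[j++] = (char)c;
        }
    }
    out[j] = '\0';
    return out;
}

/* Builds the "(uid=<name>)" filter an authentication back end would send.
 * The attribute name is assumed for the example; saslauthd's is configurable. */
char *ldap_uid_filter(const char *user, size_t userlen)
{
    char *escaped = ldap_filter_escape(user, userlen);
    if (escaped == NULL)
        return NULL;
    size_t n = strlen("(uid=") + strlen(escaped) + 2;   /* ')' plus NUL */
    char *filter = malloc(n);
    if (filter != NULL)
        snprintf(filter, n, "(uid=%s)", escaped);
    free(escaped);
    return filter;
}

int main(void)
{
    /* Constructed input: a name that both injects filter syntax and would
     * overflow a buffer sized from its 10-byte input length. */
    const char user[] = "ad*)(uid=*";
    char *filter = ldap_uid_filter(user, strlen(user));
    printf("%s\n", filter);
    free(filter);
    return 0;
}
```

The same two-pass shape (measure, allocate, fill) is the fix for the log-writer item as well: the trailing NUL has to be counted before the buffer is sized, not discovered when the copy runs off the end.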
Helix Server - buffer overflows
Package(s): Helix Universal Server
CVE #(s): (none)
Created: January 1, 2003
Updated: January 1, 2003
Description:
According to this NGSSoftware advisory, the Helix Universal Server (version
9.0 and earlier) has several buffer overflow vulnerabilities. A patch has
been made available by RealNetworks.
Alerts: (No alerts in the database for this vulnerability)
libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description:
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer.
KDE - command parameter quoting problems
Package(s): kde
CVE #(s): CAN-2002-1393
Created: December 23, 2002
Updated: February 21, 2003
Description:
In some instances, KDE (versions 2 and 3) fails to properly quote parameters
of instructions passed to a command shell for execution. These parameters
may incorporate data such as URLs, filenames and e-mail addresses, and this
data may be provided remotely to a victim in an e-mail, a webpage or files
on a network filesystem or other untrusted source. By carefully crafting
such data an attacker might be able to execute arbitrary commands on a
vulnerable system using the victim's account and privileges.
See this announcement for more details.
typespeed: buffer overflow
Package(s): typespeed
CVE #(s): (none)
Created: January 1, 2003
Updated: June 17, 2003
Description:
A problem has been discovered in typespeed, a game that lets you
measure your typematic speed. By overflowing a buffer a local
attacker could execute arbitrary commands under the group id games.
Updated vulnerabilities
Heap corruption vulnerability in at
Package(s): at, sudo, xchat
CVE #(s): CAN-2002-0004
Created: May 20, 2002
Updated: May 15, 2003
Description:
The at command has a potentially exploitable heap corruption bug.
(First LWN report: January 17th).
BIND8: Multiple vulnerabilities
bind buffer overflow vulnerability in DNS resolver libraries
Package(s): bind, glibc
CVE #(s): CAN-2002-0651, CAN-2002-0684
Created: July 8, 2002
Updated: September 30, 2003
Description:
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc-related vulnerability which does not
affect Linux. Updates from the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunately, that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX
functions. These functions are described in the SuSE alert as "used by
very few applications only, such as ifconfig and ifuser, which makes
exploits less likely."
CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
CAN-2002-0651
CAN-2002-0684
Canna server: exploitable buffer overrun
Package(s): canna
CVE #(s): CAN-2002-1158, CAN-2002-1159
Created: December 10, 2002
Updated: September 30, 2003
Description:
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt
CAN-2002-1158
CAN-2002-1159
dhcpcd: Character expansion vulnerability
Package(s): dhcpcd
CVE #(s): (none)
Created: November 19, 2002
Updated: January 10, 2003
Description:
dhcpcd is an RFC2131 and RFC1541 compliant DHCP client daemon.
dhcpcd has the ability to execute an external script named
/sbin/dhcpcd-<interface>.exe when assigning a new IP address to a network
interface. This script sources a file named
/var/lib/dhcpcd/dhcpcd-<interface>.info that contains several shell
variables and assignments with DHCP information.
Simon Kelley pointed out a vulnerability in the way quotes inside these
assignments are treated. By exploiting this, a malicious DHCP server (or
attackers able to spoof DHCP responses) can execute arbitrary shell
commands on the DHCP client (which is run by root).
dvips: command execution vulnerability
Package(s): dvips
CVE #(s): CAN-2002-0836
Created: October 16, 2002
Updated: June 10, 2003
Description:
The dvips utility uses the system() function improperly when managing
fonts. An attacker who can craft the right sort of print job can use this
vulnerability to execute commands under the UID used by the print system.
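The KDE quoting problem, the dhcpcd .info file and this dvips item are one bug class: attacker-influenced data (a URL, a file name, a DHCP option, a font name) is pasted into a string that /bin/sh will parse. The following is an added example, not code from KDE, dhcpcd or dvips; the helper name and the payload are constructed for illustration. It shows the one quoting rule that makes a string safe for system() (single quotes, with any embedded quote rewritten as '\'') and, preferably, the fork()/execvp() route that never consults a shell.

```c
/* Added example; not KDE, dhcpcd or dvips code.  Two ways to hand
 * attacker-influenced data (a URL, a file name, a DHCP option) to a helper
 * program.  system() passes one string to /bin/sh, so every byte of the data
 * is shell syntax unless it is quoted exactly; fork()/execvp() passes an argv
 * array and never consults a shell at all. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Wrap s in single quotes so /bin/sh sees one literal word.  The only byte
 * that is special inside single quotes is the quote itself; it becomes '\''
 * (close the quotes, a backslash-escaped quote, reopen).  Returns a malloc'd
 * string, or NULL on allocation failure. */
char *shell_single_quote(const char *s)
{
    size_t n = strlen(s), extra = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\'')
            extra += 3;                    /* one byte in, four bytes out */
    char *out = malloc(n + extra + 3);     /* two quotes plus the NUL */
    if (out == NULL)
        return NULL;
    size_t j = 0;
    out[j++] = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'') {
            memcpy(out + j, "'\\''", 4);
            j += 4;
        } else {
            out[j++] = s[i];
        }
    }
    out[j++] = '\'';
    out[j] = '\0';
    return out;
}

/* The pattern the advisories describe: interpolate the data into a command
 * line destined for system().  With the quoting above the data stays one
 * argument; pasted in raw, "x'; rm -rf ~; echo '" would end the command and
 * run the embedded one.  Returns the command line (caller frees) or NULL. */
char *build_command_line(const char *helper, const char *untrusted)
{
    char *quoted = shell_single_quote(untrusted);
    if (quoted == NULL)
        return NULL;
    size_t len = strlen(helper) + 1 + strlen(quoted) + 1;
    char *cmd = malloc(len);
    if (cmd != NULL)
        snprintf(cmd, len, "%s %s", helper, quoted);
    free(quoted);
    return cmd;
}

/* The better route: no shell.  helper receives the data as a single argv
 * element, whatever it contains.  Returns the child's exit status or -1. */
int run_without_shell(const char *helper, const char *untrusted)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)untrusted, NULL };
        execvp(helper, argv);
        _exit(127);                        /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed payload of the kind a crafted URL or file name carries. */
    const char *payload = "x'; rm -rf ~; echo '";
    char *cmd = build_command_line("helper", payload);
    printf("%s\n", cmd);
    free(cmd);
    return run_without_shell("/bin/echo", payload) == 0 ? 0 : 1;
}
```

Note that quoting only protects the boundary with the shell; if the helper itself re-parses its argument (as a sourced shell file or a mailx session does), the data has to be validated for that second interpreter as well, which is exactly where the dhcpcd .info file goes wrong.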
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description:
"fam" (file alteration monitor) watches files and directories for changes
and lets interested applications know when something happens. This package
has a flaw in its group handling that blocks some legitimate operations
while, at the same time, exposing the names of files that should otherwise
be invisible.
fetchmail: buffer overflow
Package(s): fetchmail
CVE #(s): CAN-2002-1365
Created: December 17, 2002
Updated: October 20, 2003
Description:
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow
vulnerability which can be exploited remotely via a suitably crafted
message. See this advisory for details.
GNU fileutils race condition
Package(s): fileutils, ucdsnmp
CVE #(s): CAN-2002-0435
Created: May 20, 2002
Updated: May 16, 2003
Description:
A race condition in rm may cause the root user to delete the whole
filesystem. The problem exists in the version of rm in fileutils 4.1
stable and the 4.1.6 development version. A patch is available.
(First LWN report: May 2).
Potential remote root exploit in glibc
Package(s): glibc
CVE #(s): CAN-2002-0391
Created: August 14, 2002
Updated: June 29, 2003
Description:
Felix von Leitner discovered a potential division by zero bug in code
derived from the SunRPC library which is used in glibc. This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a
variety of applications, this defect may lead to a number of differing
security problems. Exploiting this vulnerability may lead to denial of
service, execution of arbitrary code, or the disclosure of sensitive
information.
CERT/CC Vulnerability Note VU#192995: Integer overflow in xdr_array()
function when deserializing the XDR stream
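The xdr_array() note and the cyrus-imapd item earlier on this page describe the same arithmetic: an element count taken from the wire is multiplied by the element size, the product wraps, and malloc() hands back a buffer far smaller than the copy loop expects. The following is an added example, not Cyrus or glibc code; the 32-bit arithmetic, the element limit and the stream layout are assumptions chosen to make the wrap visible on any host. It shows the unchecked size computation next to one that rejects the overflow before any memory is touched.

```c
/* Added example; not Cyrus or glibc code.  The arithmetic behind the
 * cyrus-imapd and xdr_array() reports: an attacker-chosen element count
 * is multiplied by the element size, the product wraps on a 32-bit size_t,
 * malloc() succeeds with a tiny buffer, and the loop that still trusts the
 * original count writes past it. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The vulnerable computation, done in 32 bits so the wrap shows even on a
 * 64-bit host.  Returns the byte count that would be handed to malloc(). */
uint32_t naive_array_bytes(uint32_t count, uint32_t elsize)
{
    return count * elsize;                 /* wraps modulo 2^32 */
}

/* Assumed protocol limit for the example; the real daemons cap differently. */
#define MAX_ELEMENTS 65536u

/* Hardened computation: reject a zero element size, an implausible count, and
 * any product that would not fit in 32 bits.  Returns 1 and sets *out on
 * success, 0 otherwise. */
int checked_array_bytes(uint32_t count, uint32_t elsize, uint32_t *out)
{
    if (elsize == 0 || count > MAX_ELEMENTS)
        return 0;
    if (count > UINT32_MAX / elsize)       /* count * elsize would overflow */
        return 0;
    *out = count * elsize;
    return 1;
}

/* Parse a constructed stream in the xdr_array() shape: word 0 is the element
 * count, followed by that many 32-bit elements.  Returns a malloc'd copy of
 * the elements (caller frees) and sets *count_out, or NULL if the count is
 * unsafe or the stream is shorter than it claims. */
uint32_t *deserialize_checked(const uint32_t *stream, size_t nwords,
                              uint32_t *count_out)
{
    uint32_t bytes;
    if (nwords < 1)
        return NULL;
    uint32_t count = stream[0];
    if (!checked_array_bytes(count, sizeof(uint32_t), &bytes))
        return NULL;
    if (count > nwords - 1)                /* claims more than was received */
        return NULL;
    uint32_t *elems = malloc(bytes ? bytes : 1);
    if (elems == NULL)
        return NULL;
    memcpy(elems, stream + 1, bytes);
    *count_out = count;
    return elems;
}

int main(void)
{
    /* Constructed hostile header: 0x40000001 elements of 4 bytes each. */
    uint32_t count = 0x40000001u;
    uint32_t bytes;
    printf("naive size for %u x 4 bytes: %u\n",
           (unsigned)count, (unsigned)naive_array_bytes(count, 4));
    printf("checked: %s\n",
           checked_array_bytes(count, 4, &bytes) ? "accepted" : "rejected");
    return 0;
}
```

The second check in deserialize_checked(), that the count does not exceed what was actually received, is the one most often forgotten after the multiplication is fixed: a count that passes the overflow test can still be larger than the message.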
glibc: DNS stub resolvers contain buffer overflow vulnerability
Package(s): glibc
CVE #(s): CAN-2002-1146
Created: November 7, 2002
Updated: February 5, 2004
Description:
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note VU#738331.)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
IM: creates temporary files insecurely
Package(s): im
CVE #(s): CAN-2002-1395
Created: December 3, 2002
Updated: March 6, 2003
Description:
Tatsuya Kinoshita discovered that IM, which contains interface
commands and Perl libraries for E-mail and NetNews, creates temporary
files insecurely.
- The impwagent program creates a temporary directory in an insecure
manner in /tmp using predictable directory names without checking
the return code of mkdir, so it's possible to seize a permission
of the temporary directory by local access as another user.
- The immknmz program creates a temporary file in an insecure manner
in /tmp using a predictable filename, so an attacker with local
access can easily create and overwrite files as another user.
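Both IM problems, and the tmp-cleaner discussion in the updated Wheeler HOWTO mentioned above, come down to the same two rules: let the system choose an unpredictable name, and never ignore the result of the create call. The following is an added example in C rather than IM's Perl, and not IM code; the name prefixes are borrowed from the two programs only as labels. It creates a private scratch directory and a scratch file with mkdtemp() and mkstemp(), and shows the minimum fix for a fixed name, which is simply to honour mkdir()'s return value.

```c
/* Added example; not IM code.  Creating a private scratch directory and a
 * scratch file without the two mistakes listed above: a predictable name and
 * an unchecked mkdir().  mkdtemp() and mkstemp() choose the suffix, create
 * the object exclusively (mode 0700 / 0600) and fail instead of reusing
 * something another user planted first. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Makes a fresh 0700 directory under dir and copies its path into out.
 * Returns 0, or -1 if dir is too long or creation fails (errno is set). */
int make_private_dir(const char *dir, char *out, size_t outsz)
{
    char tmpl[4096];
    int n = snprintf(tmpl, sizeof tmpl, "%s/impwagent.XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof tmpl)
        return -1;
    if (mkdtemp(tmpl) == NULL)             /* EEXIST on every try, EACCES, ... */
        return -1;
    if (strlen(tmpl) + 1 > outsz) {
        rmdir(tmpl);
        return -1;
    }
    strcpy(out, tmpl);
    return 0;
}

/* Makes a fresh 0600 file under dir and copies its path into out.
 * Returns an open descriptor, or -1 on failure.  The descriptor, not the
 * path, is what the caller should keep using: a later open() by name could
 * be redirected by a symlink planted between the two calls. */
int make_private_file(const char *dir, char *out, size_t outsz)
{
    char tmpl[4096];
    int n = snprintf(tmpl, sizeof tmpl, "%s/immknmz.XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof tmpl)
        return -1;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    if (strlen(tmpl) + 1 > outsz) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    strcpy(out, tmpl);
    return fd;
}

/* For a fixed, non-random name (the impwagent case) the minimum fix is to
 * honour mkdir()'s result: EEXIST means someone else owns that path now. */
int make_fixed_dir_checked(const char *path)
{
    if (mkdir(path, 0700) != 0)            /* includes EEXIST */
        return -1;
    return 0;
}

int main(void)
{
    char path[4096];
    if (make_private_dir("/tmp", path, sizeof path) == 0) {
        printf("directory: %s\n", path);
        rmdir(path);
    }
    int fd = make_private_file("/tmp", path, sizeof path);
    if (fd >= 0) {
        printf("file: %s\n", path);
        close(fd);
        unlink(path);
    }
    return 0;
}
```

A tmp cleaner can still remove the directory or file while the program runs; keeping the file open (as make_private_file() does) survives that, while anything addressed by path afterwards does not.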
kdelibs: Vulnerabilities in KIO subsystem support
Package(s): kdelibs
CVE #(s): CAN-2002-1281, CAN-2002-1282
Created: November 22, 2002
Updated: March 14, 2003
Description:
Vulnerabilities were discovered in the KIO subsystem support for various
network protocols. The implementation of the rlogin protocol affects all
KDE versions from 2.1 up to 3.0.4, while the flawed implementation of the
telnet protocol only affects KDE 2.x. They allow a carefully crafted URL
in an HTML page, HTML email, or other KIO-enabled application to execute
arbitrary commands as the victim with their privilege.
The KDE team provided a patch for KDE3 which has been applied in these
packages. No patch was provided for KDE2, however the KDE team recommends
disabling both the rlogin and telnet KIO protocols. This can be
accomplished by removing, as root, the following files:
/usr/share/services/telnet.protocol and
/usr/share/services/rlogin.protocol.
If either file also exists in a user's ~/.kde/share/services directory,
they should likewise be removed.
See also: http://www.kde.org/info/security/advisory-20021111-1.txt
kernel: local denial of service vulnerability
Package(s): kernel
CVE #(s): (none)
Created: November 19, 2002
Updated: February 5, 2003
Description:
All versions of the Linux kernel from (at least) 2.2.x through 2.4.19 and
2.5.47 contain a vulnerability which allows any local user to crash the
system. This LWN article describes how the exploit works in detail. The
vulnerability affects only x86 systems.
krb5: Buffer Overflow in Kerberos Administration Daemon
Package(s): krb5, heimdal
CVE #(s): CAN-2002-1235
Created: October 29, 2002
Updated: January 14, 2003
Description:
CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon
Systems Affected
- MIT Kerberos version 4 and version 5 up to and including krb5-1.2.6
- KTH eBones prior to version 1.2.1 and KTH Heimdal prior to version 0.5.1
- Other Kerberos implementations derived from vulnerable MIT or KTH code
Overview
Multiple Kerberos distributions contain a remotely exploitable buffer
overflow in the Kerberos administration daemon. A remote attacker
could exploit this vulnerability to gain root privileges on a
vulnerable system.
The CERT/CC has received reports that indicate that this vulnerability
is being exploited. In addition, MIT advisory MITKRB5-SA-2002-002
notes that an exploit is circulating.
We strongly encourage sites that use vulnerable Kerberos distributions
to verify the integrity of their systems and apply patches or upgrade
as appropriate.
lynx: CRLF injection vulnerability
Package(s): lynx
CVE #(s): CAN-2002-1405
Created: November 19, 2002
Updated: September 30, 2003
Description:
If lynx is given a URL with some special characters on the command line, it
will include faked headers in the HTTP query. This feature can be used to
force scripts (that use Lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.
CAN-2002-1405
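The "special characters" in the lynx item are carriage return and line feed: once a URL component carrying them is decoded and pasted into the request, everything after the break is a header line of the attacker's choosing, and a second Host: line is enough to steer a name-based virtual host server to the wrong site. The following is an added example, not lynx code; the host names are constructed. It puts the unchecked request builder beside one that refuses header breaks, and counts the header lines a server would actually see in each case.

```c
/* Added example; not lynx code.  A request builder that refuses header
 * breaks in caller-supplied pieces.  The advisory's trick is a URL whose
 * host or path contains CR/LF; once decoded and pasted into the request
 * line, the bytes after the break become a second Host: header, and a
 * name-based virtual host server answers for the wrong site. */
#include <stdio.h>
#include <string.h>

/* 1 if s contains a byte that would terminate or split a header line. */
int has_header_break(const char *s)
{
    return strpbrk(s, "\r\n") != NULL;
}

/* The unchecked form: whatever is in host and path lands in the request.
 * Returns the request length, or -1 if buf is too small. */
int build_get_request_naive(char *buf, size_t bufsz,
                            const char *host, const char *path)
{
    int n = snprintf(buf, bufsz, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n",
                     path, host);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : n;
}

/* The checked form: same output, but -1 if either piece carries CR or LF. */
int build_get_request(char *buf, size_t bufsz,
                      const char *host, const char *path)
{
    if (has_header_break(host) || has_header_break(path))
        return -1;
    return build_get_request_naive(buf, bufsz, host, path);
}

/* What a server sees: the number of CRLF-terminated lines before the blank
 * line that ends the header block (request line included). */
int count_header_lines(const char *req)
{
    int lines = 0;
    const char *p = req;
    for (;;) {
        const char *end = strstr(p, "\r\n");
        if (end == NULL || end == p)        /* no more lines, or the blank line */
            break;
        lines++;
        p = end + 2;
    }
    return lines;
}

int main(void)
{
    char buf[512];
    /* Constructed hostile host component, already URL-decoded. */
    const char *host = "www.example.com\r\nHost: other.example";
    if (build_get_request_naive(buf, sizeof buf, host, "/") > 0)
        printf("naive request carries %d header lines\n",
               count_header_lines(buf));
    printf("checked builder: %s\n",
           build_get_request(buf, sizeof buf, host, "/") < 0
               ? "rejected" : "accepted");
    return 0;
}
```

Rejecting is the right response rather than stripping: a client that silently deletes the CR/LF still sends a request the caller did not intend, just a different one.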
perl-MailTools: remote command execution
Package(s): MailTools
CVE #(s): CAN-2002-1271
Created: November 5, 2002
Updated: September 19, 2003
Description:
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected
by this vulnerability; in particular, SpamAssassin is vulnerable if you use
the -r or -w flags.
Cross-site scripting vulnerability in mhonarc
Package(s): mhonarc
CVE #(s): CAN-2002-0738, CAN-2002-1307, CAN-2002-1388
Created: September 11, 2002
Updated: January 3, 2003
Description:
Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to
cross-site scripting problems when presented with maliciously crafted
messages. This problem is fixed in mhonarc version 2.5.3, but it is not
clear that all possible vulnerabilities have been fixed. See the Debian
advisory for information on how to disable text/html attachment support in
mhonarc, which may be a more secure solution.
micq: Denial of service
Package(s): micq
CVE #(s): (none)
Created: December 13, 2002
Updated: April 24, 2003
Description:
Rüdiger Kuhlmann, upstream developer of mICQ, a text based ICQ client,
discovered a problem in mICQ. Receiving certain ICQ message types
that do not contain the required 0xFE separator causes all versions to
crash.
PHP Remote Compromise/DOS Vulnerability
| Package(s): | mod_php4 |
CVE #(s): | |
| Created: | July 22, 2002 |
Updated: | February 18, 2003 |
| Description: |
PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which
can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.
According to the CERT Advisory,
almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP.
Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP
4.2.0 or 4.2.1 installed,
is to upgrade to PHP 4.2.2.
For more information see the alert from
the discoverer of the vulnerability, Stefan Esser of e-matters GmbH,
or the security
advisory from the PHP team.
CERT Advisory: CA-2002-21 Vulnerability in PHP |
| Alerts: |
|
Comments (1 posted)
Mozilla: Privacy leak and other vulnerabilities
| Package(s): | mozilla |
CVE #(s): | CAN-2002-1126
CAN-2002-1091
|
| Created: | November 1, 2002 |
Updated: | February 13, 2003 |
| Description: |
Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape and
Galeon, set the document referrer too quickly in certain situations when a
new page is being loaded, which allows web pages to determine the next page
that is being visited, including manually entered URLs.
Netscape 6.2.3 and earlier, and Mozilla 1.0.1, allow remote attackers to
corrupt heap memory and execute arbitrary code via a GIF image with a zero
width.
See also Mozilla's
Recently fixed security issues page.
All users are encouraged to upgrade to the latest stable 1.0.x release of
Mozilla. |
| Alerts: |
|
Comments (none posted)
MySQL: multiple vulnerabilities
| Package(s): | mysql |
CVE #(s): | |
| Created: | December 13, 2002 |
Updated: | April 10, 2003 |
| Description: |
The MySQL database server has several buffer overflow and integer bounds-checking vulnerabilities which can lead to denial of service attacks and, possibly, remote code execution. See this e-matters advisory for details. Version 3.23.54 fixes the problems. |
| Alerts: |
|
Comments (none posted)
net-snmp: denial of service vulnerability
| Package(s): | net-snmp |
CVE #(s): | CAN-2002-1170
|
| Created: | December 17, 2002 |
Updated: | November 7, 2003 |
| Description: |
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet. |
| Alerts: |
|
Comments (none posted)
OpenLDAP2: remote command execution
| Package(s): | OpenLDAP2 |
CVE #(s): | CAN-2002-1378
CAN-2002-1379
|
| Created: | December 6, 2002 |
Updated: | February 21, 2003 |
| Description: |
OpenLDAP is the Open Source implementation of the Lightweight Directory
Access Protocol (LDAP) and is used in network environments for distributing
certain information such as X.509 certificates or login information.
The SuSE Security Team reviewed critical parts of that package and found
several buffer overflows and other bugs remote attackers could exploit to
gain access on systems running vulnerable LDAP servers. In addition to
these bugs, various local exploitable bugs within the OpenLDAP2 libraries
(openldap2-devel package) have been fixed.
Since there is no workaround possible except shutting down the LDAP server,
an update is strongly recommended. |
| Alerts: |
|
Comments (1 posted)
PHP: vulnerability in mail function
| Package(s): | php |
CVE #(s): | CAN-2002-0985
CAN-2002-0986
|
| Created: | November 13, 2002 |
Updated: | September 30, 2003 |
| Description: |
Two vulnerabilities exist in the PHP mail() function. The first allows
the execution of any program or script, bypassing safe_mode restrictions; the
second can turn a script into an open mail relay if the mail() function is not
used carefully in PHP scripts. See this Bugtraq
report for more details. Note that this is a different vulnerability from the previous PHP mail() problem, which affected versions through 4.1.0. |
| Alerts: |
|
Comments (none posted)
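The "open relay" half of the mail() problem comes from the same mistake in any language: text the remote user controls is pasted into the header block of an outgoing message, and a line break in that text starts a new header such as Bcc:. The following is an added example in Python, not code from PHP or from the Bugtraq report; the form field names, addresses and the injected string are constructed for the illustration, and the hardened version simply refuses any header value containing CR or LF.

```python
import re
from email import message_from_string

CRLF = re.compile(r"[\r\n]")


def build_message_unsafe(to_addr: str, subject: str, reply_to: str, body: str) -> str:
    """The pattern the advisory warns about: caller-controlled text is pasted
    straight into the header block.  PHP's mail() takes an 'additional
    headers' string built the same way; this is a Python stand-in for it."""
    headers = "To: %s\r\nSubject: %s\r\nReply-To: %s" % (to_addr, subject, reply_to)
    return headers + "\r\n\r\n" + body


def header_value_ok(value: str) -> bool:
    """A single header value must not contain CR or LF: a line break ends the
    header, and whatever follows is parsed as further headers."""
    return CRLF.search(value) is None


def build_message_safe(to_addr: str, subject: str, reply_to: str, body: str) -> str:
    """Same message, but every user-supplied header value is checked first."""
    for name, value in (("To", to_addr), ("Subject", subject), ("Reply-To", reply_to)):
        if not header_value_ok(value):
            raise ValueError("line break in %s header value: %r" % (name, value))
    return build_message_unsafe(to_addr, subject, reply_to, body)


def recipients(raw_message: str) -> list:
    """The set of addresses an MTA would actually deliver this message to."""
    msg = message_from_string(raw_message)
    out = []
    for header in ("To", "Cc", "Bcc"):
        for value in msg.get_all(header, []):
            out.extend(addr.strip() for addr in value.split(","))
    return out


# Constructed attacker input for the reply-to field of a "contact us" form.
INJECTED_REPLY_TO = (
    "alice@example.net\r\n"
    "Bcc: spam-target-1@example.org, spam-target-2@example.org"
)


def run_demo() -> dict:
    """Send the same form submission through both builders and compare."""
    unsafe = build_message_unsafe("support@example.com", "hello", INJECTED_REPLY_TO, "hi")
    try:
        build_message_safe("support@example.com", "hello", INJECTED_REPLY_TO, "hi")
        safe_refused = False
    except ValueError:
        safe_refused = True
    return {"unsafe_recipients": recipients(unsafe), "safe_refused": safe_refused}


if __name__ == "__main__":
    print(run_demo())
```

The unsafe builder yields a message with three recipients, two of which the site operator never intended to mail; the safe builder raises before anything is handed to the MTA. Rejecting line breaks is the minimum; a real form handler should also restrict the reply-to field to a single parsed address.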
pine: buffer overflow parsing "From:" addresses
| Package(s): | pine |
CVE #(s): | CAN-2002-1320
|
| Created: | November 27, 2002 |
Updated: | January 3, 2003 |
| Description: |
A malicious user could send a message with a specially crafted "From:"
address and cause a segmentation fault on the client. Pine 4.50 fixes this
vulnerability (CAN-2002-1320) and several others. Read the full advisory
here. |
| Alerts: |
|
Comments (none posted)
Buffer overflow vulnerabilities in PostgreSQL
| Package(s): | PostgreSQL |
CVE #(s): | |
| Created: | August 21, 2002 |
Updated: | January 27, 2003 |
| Description: |
PostgreSQL 7.2.2 has been released in response to a number of buffer
overrun vulnerabilities which have been identified recently. "...it
should be noted that these vulnerabilities are only critical on 'open' or
'shared' systems, as they require the ability to be able to connect to the
database before they can be exploited."
Buffer overflow vulnerabilities fixed include those reported by
"Sir Mordred The Traitor" in the cash_words,
repeat, and lpad
and rpad functions. |
| Alerts: |
|
Comments (none posted)
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
CVE #(s): | CAN-2002-1119
|
| Created: | August 28, 2002 |
Updated: | September 30, 2003 |
| Description: |
Zack Weinberg discovered that
os._execvpe from os.py uses a temporary file with a predictable name, which could lead
to execution of arbitrary code. According to the Debian
advisory, the problem
was present in Python versions 1.5, 2.1 and 2.2. |
| Alerts: |
|
Comments (none posted)
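The entry says only that a predictable name leads to code execution. The following is an added example, not Python's own os.py code, that assumes the pattern is a probe which executes a guessable path expecting it not to exist; it shows how a local attacker who can compute the name first gets code run with the victim's privileges, and that the probe is unnecessary in the first place. The name format, the pid and the planted script are constructed for the illustration.

```python
import errno
import os
import subprocess
import tempfile


def guessable_probe_name(tmpdir: str, pid: int) -> str:
    """A name built only from public information (a directory every user can
    write to plus the victim's pid) is one an attacker can compute first.
    The format is constructed for this example."""
    return os.path.join(tmpdir, "@%d.0" % pid)


def vulnerable_learn_enoent(probe: str):
    """The dangerous pattern: execute a path that is assumed not to exist, in
    order to observe which errno 'not found' produces.  If something does
    exist there it runs with the caller's privileges, and None is returned."""
    try:
        subprocess.run([probe], check=False)
    except OSError as exc:
        return exc.errno
    return None


def fixed_learn_enoent() -> int:
    """No probe is needed: the errno module already has the answer, so no
    guessable path is ever executed."""
    return errno.ENOENT


def run_demo() -> dict:
    """Stage the attack in a private directory: the attacker plants an
    executable at the name the victim is going to probe, then the victim
    probes it."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "attacker-was-here")
        pid = 4242  # constructed; a real attacker reads it from the process table
        probe = guessable_probe_name(tmp, pid)

        # attacker: plant a script at the predicted name (constructed payload)
        with open(probe, "w") as f:
            f.write("#!/bin/sh\necho owned > '%s'\n" % marker)
        os.chmod(probe, 0o755)

        # victim: probe the "nonexistent" name, which runs the attacker's script
        probe_errno = vulnerable_learn_enoent(probe)
        attacker_ran = os.path.exists(marker)

        # the same probe on a genuinely absent name is what the code expected
        clean_errno = vulnerable_learn_enoent(os.path.join(tmp, "really-absent"))

    return {"attacker_ran": attacker_ran, "probe_errno": probe_errno,
            "clean_errno": clean_errno, "fixed_errno": fixed_learn_enoent()}


if __name__ == "__main__":
    print(run_demo())
```

The general lesson is the one behind every predictable-temporary-name bug: a path in a shared directory that another user can create first must never be trusted to be absent, whether the code then executes it, writes to it or reads from it.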
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
CVE #(s): | CAN-2002-1323
|
| Created: | October 9, 2002 |
Updated: | February 20, 2004 |
| Description: |
The use Perl; site has a
description of a vulnerability in the Safe.pm Perl module. It seems
that if a Safe compartment is used more than once, it ceases to be safe.
The problem is fixed in Safe 2.08. |
| Alerts: |
|
Comments (none posted)
squirrelmail: cross-site scripting vulnerability
| Package(s): | squirrelmail |
CVE #(s): | CAN-2002-1131
CAN-2002-1132
|
| Created: | October 16, 2002 |
Updated: | January 2, 2003 |
| Description: |
The Squirrelmail web mail package has a cross-site scripting vulnerability; versions 1.2.7 and prior are affected. See the advisory for details. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 9, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
Tomcat 4.x JSP source code exposure vulnerability
| Package(s): | tomcat |
CVE #(s): | |
| Created: | September 25, 2002 |
Updated: | January 29, 2003 |
| Description: |
Rossen Raykov reports that Tomcat 4.0.5 and 4.1.12 fix a JSP source code exposure vulnerability
in "Tomcat 4.0.4 and 4.1.10 (probably all other earlier versions also)."
The current version of Tomcat is available here.
|
| Alerts: |
|
Comments (none posted)
traceroute-nanog: buffer overflow and root exploit
| Package(s): | traceroute-nanog/nkitb |
CVE #(s): | |
| Created: | November 12, 2002 |
Updated: | February 27, 2003 |
| Description: |
Traceroute is a tool that can be used to track packets in a TCP/IP network
to determine their route or to find routers that are not working.
Traceroute-nanog requires root privilege to open a raw socket. It does not
relinquish these privileges after doing so. This allows a malicious user to
gain root access by exploiting a buffer overflow at a later point. |
| Alerts: |
|
Comments (none posted)
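The step traceroute-nanog skipped is the one that would have turned its later buffer overflow from a root exploit into a crash in an unprivileged process: open the raw socket, then drop root before any untrusted input is touched, and verify that the drop actually took. The following is an added example in Python, not traceroute-nanog's code; the fallback to uid/gid 65534 when the demo happens to run as root is a constructed choice, and a real tool would use a dedicated account.

```python
import os
import socket


def open_raw_socket():
    """Open the raw ICMP socket a traceroute needs.  This is the only step
    that requires root; it returns None when run unprivileged so the rest of
    the example can still be exercised."""
    try:
        return socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    except PermissionError:
        return None


def drop_privileges(uid: int, gid: int) -> None:
    """Give up root for good, immediately after the privileged resource exists.

    Order matters: supplementary groups, then gid, then uid; setuid goes last
    because once it succeeds the process can no longer change the others.
    setres* set the real, effective and saved ids together so root cannot be
    regained through the saved id; plain setgid/setuid are the fallback on
    platforms without setres*."""
    if os.geteuid() == 0:
        os.setgroups([])
    if hasattr(os, "setresgid"):
        os.setresgid(gid, gid, gid)
        os.setresuid(uid, uid, uid)
    else:
        os.setgid(gid)
        os.setuid(uid)


def privileges_dropped() -> bool:
    """Verify the drop took: effective uid is not 0, all three uids agree,
    and an attempt to become root again is refused by the kernel."""
    if os.geteuid() == 0:
        return False
    if hasattr(os, "getresuid"):
        ruid, euid, suid = os.getresuid()
        if not (ruid == euid == suid):
            return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False


def unprivileged_ids():
    """Target ids for the demo: the caller's own ids, or 65534 (nobody) when
    the caller is root.  Constructed choice for the example only."""
    uid = os.getuid() if os.getuid() != 0 else 65534
    gid = os.getgid() if os.getgid() != 0 else 65534
    return uid, gid


def traceroute_setup():
    """The sequence the advisory implies was missing: socket, drop, verify."""
    sock = open_raw_socket()
    uid, gid = unprivileged_ids()
    drop_privileges(uid, gid)
    if not privileges_dropped():
        if sock is not None:
            sock.close()
        raise RuntimeError("privilege drop failed; refusing to continue as root")
    return sock


def run_demo() -> dict:
    """Run the setup and report whether the socket opened and root is gone."""
    sock = traceroute_setup()
    result = {"raw_socket_opened": sock is not None, "dropped": privileges_dropped()}
    if sock is not None:
        sock.close()
    return result


if __name__ == "__main__":
    print(run_demo())
```

Run as root, raw_socket_opened is True and the process is nobody by the time any packet is parsed; run as an ordinary user, the socket cannot be opened but the verification still passes, which is the point of checking rather than assuming.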
webalizer: reverse DNS buffer overflow vulnerability
| Package(s): | webalizer |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | January 27, 2003 |
| Description: |
The cause is a buffer overflow bug.
This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victims DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
|
| Alerts: |
|
Comments (none posted)
Webmin/Usermin vulnerabilities
| Package(s): | webmin |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | January 10, 2003 |
| Description: |
Webmin is a web-based interface for
system administration for Unix.
Webmin has cross-site scripting and
session ID spoofing vulnerabilities
which are fixed in the May 6, 2002 release of version 0.970.
(First LWN
report: May 9).
This one is scary. The session ID
spoofing vulnerability allows the "possibility that arbitrary
commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
|
| Alerts: |
|
Comments (1 posted)
wget:directory traversal bug
| Package(s): | wget |
CVE #(s): | CAN-2002-1344
|
| Created: | December 10, 2002 |
Updated: | September 30, 2003 |
| Description: |
Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious
FTP server to create or overwrite files anywhere on the local file system.
FTP clients must check to see if an FTP server's response to the NLST
command includes any directory information along with the list of filenames
required by the FTP protocol (RFC 959, section 4.1.3).
If the FTP client fails to do so, a malicious FTP server can send filenames
beginning with '/' or containing '/../' which can be used to direct a
vulnerable FTP client to write files (such as .forward, .rhosts, .shosts,
etc.) that can then be used for later attacks against the client machine.
See also
this Bugtraq article from 1997. |
| Alerts: |
|
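The tar/unzip entry and this wget entry describe the same defect from two directions: a name chosen by the other side (an archive member name, or a line of an FTP NLST reply) is joined to a local destination without checking for absolute paths or ".." components. The following is an added example, not code from wget, GNU tar or unzip, showing one check that covers both cases, exercised on a constructed hostile archive and a constructed NLST reply. The file names and payloads are made up for the illustration.

```python
import io
import os
import posixpath
import tarfile
import tempfile


def is_safe_relative_name(name: str) -> bool:
    """True only if joining `name` to a destination directory cannot escape it.

    Rejects empty names, absolute paths and any '..' component.  The name is
    normalised first so that something like 'a/./../../x' is judged by its
    resulting components rather than by a substring search for '../'."""
    if not name or name.startswith(("/", "\\")):
        return False
    norm = posixpath.normpath(name)
    return norm != "." and ".." not in norm.split("/")


def resolve_under(dest: str, name: str) -> str:
    """Second, filesystem-level line of defence: the final real path must lie
    under the real path of dest (catches escapes through a symlinked
    directory that an earlier member may have created)."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError("refusing to write outside %s: %r" % (dest_real, name))
    return target


def safe_extract(archive: bytes, dest: str):
    """Extract only regular-file members whose names pass both checks.
    Returns (written, rejected) lists of member names."""
    written, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isreg() or not is_safe_relative_name(member.name):
                rejected.append(member.name)
                continue
            target = resolve_under(dest, member.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                out.write(src.read())
            written.append(member.name)
    return written, rejected


def filter_nlst(listing: str):
    """Apply the same rule to an FTP NLST reply.  RFC 959 says NLST returns
    bare file names, so any name containing '/' is rejected outright."""
    accepted, rejected = [], []
    for line in listing.splitlines():
        name = line.strip()
        if not name:
            continue
        if "/" in name or not is_safe_relative_name(name):
            rejected.append(name)
        else:
            accepted.append(name)
    return accepted, rejected


def build_hostile_tar() -> bytes:
    """Constructed sample archive: one harmless member and two of the kind
    the advisory warns about."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (
            ("docs/README", b"harmless\n"),
            ("../../.ssh/authorized_keys", b"ssh-rsa AAAA attacker\n"),
            ("/etc/passwd", b"root::0:0::/:/bin/sh\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


HOSTILE_NLST = "index.html\r\n/etc/passwd\r\n../.rhosts\r\n..\r\n"  # constructed reply


def run_demo() -> dict:
    """Extract the hostile archive into a private directory and filter the
    hostile listing; report what was accepted and what was refused."""
    with tempfile.TemporaryDirectory() as dest:
        written, rejected = safe_extract(build_hostile_tar(), dest)
        with open(os.path.join(dest, "docs", "README"), "rb") as f:
            readme = f.read()
    ok, bad = filter_nlst(HOSTILE_NLST)
    return {"written": written, "rejected": rejected, "readme": readme,
            "nlst_ok": ok, "nlst_bad": bad}


if __name__ == "__main__":
    print(run_demo())
```

Both checks are deliberately applied: the name check rejects the obvious traversal, and the realpath check is what still protects the destination when an earlier, innocent-looking member has planted a symlink that a later member's path would pass through.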