LWN.net Logo

Security

SPF on vger

June 14, 2006

This article was contributed by Jake Edge.

A recent announcement about adding Sender Policy Framework (SPF) capabilities to the machine hosting the linux-kernel mailing list (lkml) has sparked a lively debate. The first step, it seems, is to add an SPF record for vger.kernel.org and later this summer to enable SPF checking on incoming email. Both steps are controversial and the majority of posters seem to be against the change, but Matti Aarnio, one of the postmasters for vger, plans to go ahead with the changes.

SPF is a technique that allows a domain to specify which hosts are allowed to send email that have an envelope sender (i.e. SMTP MAIL FROM) using that domain. A domain administrator adds a TXT record to the DNS entry for the domain that describes all hosts allowed to send mail. This allows receiving Mail Transfer Agents (MTAs) to look up the SPF record and determine whether the domain in the envelope has been forged -- at least in theory.

Unfortunately, there are a number of problems with this scheme, most having to do with email forwarding. Consider the case where a user has a yahoo.com email account that they are forwarding to their ISP. When yahoo forwards email that it receives, it uses the original envelope sender, but that domain has almost certainly not listed yahoo.com as an authorized sender. The same issue occurs if a user is trying to use their yahoo.com email as the sender, but are required to use their ISP's SMTP server. In that case, Yahoo will rightly not have the ISP listed as a legitimate sender for their domain.

The SPF folks have suggested solutions for these problems, but many of them require fundamental changes in how MTAs operate. The Sender Rewriting Scheme (SRS) proposal in particular breaks longstanding email tradition by having forwarding MTAs change the envelope sender as they forward email. Opponents of SPF not only argue that changing this tradition is a bad idea, but also that it is very unlikely to be widely implemented any time soon. Additionally, Mail User Agents (MUAs) would need to learn about SRS encoding in order to parse sender addresses for filtering email at the user end.

SPF does provide a way to definitively determine that an email is coming from an authorized host, but failing the SPF check does not in any way imply that the email is invalid, as the mail could have been forwarded by a non-SRS compliant MTA. The main benefit for domains that publish SPF records may be a reduction in the blowback from a 'joe job' (a spammer uses a victim domain as the sender on a large amount of spam, some of which bounces, leaving the victim to deal with all the bounce messages).

Opponents point out that because of the forwarding problems, publishing an SPF record for your domain essentially asks other MTAs to mark perfectly valid mail as suspicious at best and forged at worst. Worse yet, some mail administrators are configuring their MTAs to reject mail that fails SPF checking.

For the lkml, the immediate impact will be minimal, but still annoying to some. People who have subscribed using addresses that are forwarded to SPF-checking ISPs may no longer receive emails from the list. Some list archiving software may also be affected. Once SPF checking is enabled, some users may find their mail getting rejected depending on how strictly the SPF policy is enforced. Expect another hue and cry on the lkml when and if that happens.

Comments (20 posted)

New vulnerabilities

courier: denial of service

Package(s):courier CVE #(s):CVE-2006-2659
Created:June 9, 2006 Updated:August 4, 2006
Description: A denial of service vulnerability has been found in the function for encoding email addresses. Addresses containing a '=' before the '@' character caused the Courier to hang in an endless loop, rendering the service unusable.
Alerts:
Gentoo 200608-06 2006-08-04
Debian DSA-1101-1 2006-06-23
Ubuntu USN-294-1 2006-06-09

Comments (none posted)

dhcdbd: denial of service

Package(s):dhcdbd CVE #(s):
Created:June 14, 2006 Updated:June 14, 2006
Description: The dhcbcd daemon can be made to crash by invalid DHCP responses, causing NetworkManager to fail to work.
Alerts:
Ubuntu USN-299-1 2006-06-13

Comments (none posted)

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:October 10, 2007
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

gdm: privilege escalation

Package(s):gdm CVE #(s):CVE-2006-2452
Created:June 8, 2006 Updated:June 14, 2006
Description: gdm has a privilege escalation vulnerability that is tied to the face browser feature. If face browser is enabled, arbitrary users can access the gdm configuration screen, a feature that is normally accessible only to root. Other user accounts, and possibly the root account can then be subverted.
Alerts:
Mandriva MDKSA-2006:100 2006-06-13
Gentoo 200606-14 2006-06-12
Fedora FEDORA-2006-692 2006-06-09
SuSE SUSE-SR:2006:013 2006-06-09
Ubuntu USN-293-1 2006-06-09
rPath rPSA-2006-0098-1 2006-06-08

Comments (2 posted)

gforge: cross-site scripting

Package(s):gforge CVE #(s):CVE-2005-2430
Created:June 9, 2006 Updated:June 14, 2006
Description: Joxean Koret discovered several cross-site scripting vulnerabilities in Gforge, an online collaboration suite for software development, which allow injection of web script code.
Alerts:
Debian DSA-1094-1 2006-06-08

Comments (none posted)

libgd2: denial of service

Package(s):libgd2 CVE #(s):CVE-2006-2906
Created:June 14, 2006 Updated:January 16, 2007
Description: Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications.
Alerts:
rPath rPSA-2007-0008-1 2007-01-15
Debian DSA-1117-1 2006-07-21
Mandriva MDKSA-2006:113 2006-06-27
Mandriva MDKSA-2006:112 2006-06-27
Ubuntu USN-298-1 2006-06-13

Comments (none posted)

libjpeg: Denial of Service

Package(s):jpeg libjpeg CVE #(s):
Created:June 12, 2006 Updated:June 14, 2006
Description: Tavis Ormandy of the Gentoo Linux Auditing Team discovered that the vulnerable JPEG library ebuilds compile JPEG without the --maxmem feature which is not recommended. By enticing a user to load a specially crafted JPEG image file an attacker could cause a denial of service, due to memory exhaustion.
Alerts:
Gentoo 200606-11 2006-06-11

Comments (none posted)

openldap: stack-based buffer overflow

Package(s):openldap CVE #(s):CVE-2006-2754
Created:June 8, 2006 Updated:June 27, 2006
Description: OpenLDAP is vulnerable to a stack-based buffer overflow in the st.c file from slurpd. Attackers may be able to use a long hostname to execute arbitrary code.
Alerts:
Ubuntu USN-305-1 2006-06-27
Gentoo 200606-17 2006-06-15
rPath rPSA-2006-0099-1 2006-06-09
Mandriva MDKSA-2006:096 2006-06-07

Comments (none posted)

squirrelmail: file inclusion vulnerability

Package(s):squirrelmail CVE #(s):CVE-2006-2842
Created:June 8, 2006 Updated:July 11, 2006
Description: Squirrelmail, a PHP-based webmail package, has a file inclusion vulnerability.
Alerts:
Fedora FEDORA-2006-788 2006-07-10
Red Hat RHSA-2006:0547-01 2006-07-03
Mandriva MDKSA-2006:101 2006-06-14
Fedora FEDORA-2006-680 2006-06-07
Fedora FEDORA-2006-668 2006-06-07

Comments (none posted)

tor: multiple vulnerabilities

Package(s):tor CVE #(s):CVE-2006-0414
Created:June 8, 2006 Updated:June 14, 2006
Description: Tor, an anonymizing communication service implementation, has multiple vulnerabilities including a buffer overflow, a denial of service vulnerability and an information leak problem.
Alerts:
Gentoo 200606-04 2006-06-07

Comments (none posted)

webcalendar: uninitialized variable

Package(s):webcalendar CVE #(s):CVE-2006-2762
Created:June 13, 2006 Updated:June 14, 2006
Description: A vulnerability has been discovered in webcalendar, a PHP-based multi-user calendar, that allows a remote attacker to execute arbitrary PHP code when register_globals is turned on.
Alerts:
Debian DSA-1096-1 2006-06-13

Comments (none posted)

wordpress: arbitrary command execution

Package(s):wordpress CVE #(s):CVE-2006-2667 CVE-2006-2702
Created:June 12, 2006 Updated:June 14, 2006
Description: WordPress insufficiently checks the format of cached username data. An attacker could exploit this vulnerability to execute arbitrary commands by sending a specially crafted username. As of Wordpress 2.0.2 the user data cache is disabled as the default.
Alerts:
Gentoo 200606-08 2006-06-09

Comments (none posted)

xine-lib: buffer overflow

Package(s):xine-lib CVE #(s):CVE-2006-2802
Created:June 9, 2006 Updated:September 29, 2006
Description: Federico L. Bossi Bonin discovered a buffer overflow in the HTTP input module. By tricking an user into opening a malicious remote media location, a remote attacker could exploit this to crash Xine library frontends (like totem-xine, gxine, or xine-ui) and possibly even execute arbitrary code with the user's privileges.
Alerts:
Mandriva MDKSA-2006:176 2006-09-28
Mandriva MDKSA-2006:175 2006-09-28
Mandriva MDKSA-2006:174 2006-09-28
Mandriva MDKSA-2006:173 2006-09-28
Gentoo 200609-08 2006-09-13
Slackware SSA:2006-207-04 2006-07-27
Debian DSA-1105-1 2006-07-07
Mandriva MDKSA-2006:108 2006-06-20
Ubuntu USN-295-1 2006-06-09

Comments (none posted)

xine-ui: format string vulnerabilities

Package(s):xine-ui CVE #(s):CVE-2006-2230
Created:June 9, 2006 Updated:January 24, 2007
Description: Several format string vulnerabilities have been discovered in xine-ui, the user interface of the xine video player, which may cause a denial of service.
Alerts:
Gentoo 200701-18 2007-01-23
Debian DSA-1093-1 2006-06-08

Comments (none posted)

Updated vulnerabilities

awstats: missing input sanitizing

Package(s):awstats CVE #(s):CVE-2006-2237
Created:May 19, 2006 Updated:June 20, 2006
Description: Hendrik Weimer discovered that specially crafted web requests can cause awstats, a powerful and featureful web server log analyzer, to execute arbitrary commands.
Alerts:
SuSE SUSE-SA:2006:033 2006-06-20
Ubuntu USN-290-1 2006-06-08
Gentoo 200606-06 2006-06-07
Debian DSA-1075-1 2006-05-26
Ubuntu USN-285-1 2006-05-23
Debian DSA-1058-1 2006-05-18

Comments (none posted)

binutils: buffer overflow

Package(s):binutils CVE #(s):CVE-2006-2362
Created:May 27, 2006 Updated:August 29, 2006
Description: The GNU Binutils has a buffer overflow vulnerability in libbfd. Maliciously crafted Tektronix Hex Format files with improper length characters can cause a crash and possibly lead to the execution of arbitrary code.
Alerts:
Mandriva MDKSA-2006:153 2006-08-28
Ubuntu USN-292-1 2006-06-09
OpenPKG OpenPKG-SA-2006.009 2006-05-26

Comments (none posted)

blender: integer overflow

Package(s):blender CVE #(s):CVE-2005-4470
Created:January 6, 2006 Updated:June 15, 2006
Description: Damian Put discovered that Blender did not properly validate a 'length' value in .blend files. Negative values led to an insufficiently sized memory allocation. By tricking a user into opening a specially crafted .blend file, this could be exploited to execute arbitrary code with the privileges of the Blender user.
Alerts:
Debian-Testing DTSA-29-1 2006-06-15
Debian DSA-1039-1 2006-04-24
Gentoo 200601-08 2006-01-13
Ubuntu USN-238-2 2006-01-06
Ubuntu USN-238-1 2006-01-06

Comments (none posted)

busybox: insecure password generation

Package(s):busybox CVE #(s):CVE-2006-1058
Created:May 5, 2006 Updated:May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time.
Alerts:
Red Hat RHSA-2007:0244-02 2007-05-01
Fedora FEDORA-2006-511 2006-05-04
Fedora FEDORA-2006-510 2006-05-04

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

ktools: buffer overflow

Package(s):centericq CVE #(s):CVE-2005-3863
Created:December 7, 2005 Updated:August 29, 2006
Description: From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H Research Team discovered a buffer overflow in kkstrtext.h of the ktools library, which is included in (at least) centericq and motor.
Alerts:
Gentoo 200608-27 2006-08-29
Debian DSA-1088-1 2006-06-03
Debian DSA-1083-1 2006-05-31
Gentoo 200512-11 2005-12-20
Debian-Testing DTSA-23-1 2005-12-05

Comments (none posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:May 8, 2007
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with e. g. a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

vixie-cron: privilege escalation

Package(s):cron CVE #(s):CVE-2006-2607
Created:May 31, 2006 Updated:July 13, 2006
Description: The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Alerts:
Red Hat RHSA-2006:0539-01 2006-07-12
Gentoo 200606-07 2006-06-09
SuSE SUSE-SA:2006:027 2006-05-31
rPath rPSA-2006-0082-1 2006-05-25

Comments (1 posted)

cscope: buffer overflows

Package(s):cscope CVE #(s):CVE-2004-2541
Created:May 22, 2006 Updated:June 12, 2006
Description: A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target.
Alerts:
Gentoo 200606-10 2006-06-11
Debian DSA-1064-1 2006-05-19

Comments (1 posted)

curl: heap-based buffer overflow

Package(s):curl CVE #(s):CVE-2006-1061
Created:March 21, 2006 Updated:June 28, 2006
Description: Heap-based buffer overflow in cURL and libcURL 7.15.0 through 7.15.2 allows remote attackers to execute arbitrary commands via a TFTP URL (tftp://) with a valid hostname and a long path.
Alerts:
OpenPKG OpenPKG-SA-2006.012 2006-06-28
Trustix TSLSA-2006-0016 2006-03-24
Gentoo 200603-19 2006-03-21
Fedora FEDORA-2006-189 2006-03-21

Comments (none posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

dia: format string vulnerabilities

Package(s):dia CVE #(s):CVE-2006-2453 CVE-2006-2480
Created:May 24, 2006 Updated:June 8, 2006
Description: The dia drawing utility suffers from several format string vulnerabilities exploitable via a maliciously crafted dia file - or a file with a well-chosen name.
Alerts:
Gentoo 200606-03 2006-06-07
SuSE SUSE-SR:2006:012 2006-06-02
Red Hat RHSA-2006:0541-02 2006-06-01
Mandriva MDKSA-2006:093 2006-05-30
Fedora FEDORA-2006-580 2006-05-24
Ubuntu USN-286-1 2006-05-24

Comments (none posted)

dovecot: information disclosure

Package(s):dovecot CVE #(s):CVE-2006-2414
Created:May 31, 2006 Updated:June 14, 2006
Description: The Dovecot imap server contains a directory traversal vulnerability which could be exploited by authenticated users to read files other than their mailboxes.
Alerts:
Ubuntu USN-288-4 2006-06-13
Debian DSA-1080-1 2006-05-29

Comments (1 posted)

firefox: multiple vulnerabilities

Package(s):firefox mozilla CVE #(s):CVE-2006-0749 CVE-2006-1724 CVE-2006-1727 CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741 CVE-2006-1742
Created:April 14, 2006 Updated:June 9, 2006
Description: There are multiple vulnerabilities in Firefox and related products including Thunderbird, SeaMonkey and the Mozilla Suite. This CERT Advisory contains additional information.
Alerts:
Ubuntu USN-296-1 2006-06-09
Fedora-Legacy FLSA:189137-2 2006-06-06
Fedora-Legacy FLSA:189137-1 2006-06-06
Gentoo 200605-09 2006-05-08
Slackware SSA:2006-123-02 2006-05-04
Fedora FEDORA-2006-494 2006-05-03
Fedora FEDORA-2006-493 2006-05-03
Fedora FEDORA-2006-491 2006-05-03
Fedora FEDORA-2006-490 2006-05-03
Fedora FEDORA-2006-487 2006-05-03
Fedora FEDORA-2006-495 2006-05-03
Fedora FEDORA-2006-492 2006-05-03
Fedora FEDORA-2006-486 2006-05-03
Fedora FEDORA-2006-489 2006-05-03
Fedora FEDORA-2006-488 2006-05-03
Ubuntu USN-276-1 2006-05-03
Slackware SSA:2006-120-01 2006-05-01
Gentoo 200604-18 2006-04-28
Mandriva MDKSA-2006:078 2006-04-25
Mandriva MDKSA-2006:076 2006-04-25
Debian DSA-1044-1 2006-04-26
SuSE SUSE-SA:2006:022 2006-04-25
Mandriva MDKSA-2006:075 2006-04-24
Slackware SSA:2006-114-01 2006-04-25
Gentoo 200604-12 2006-04-23
Red Hat RHSA-2006:0330-01 2006-04-21
SuSE SUSE-SA:2006:021 2006-04-20
Ubuntu USN-271-1 2006-04-19
Fedora FEDORA-2006-411 2006-04-18
Fedora FEDORA-2006-410 2006-04-18
Red Hat RHSA-2006:0329-01 2006-04-18
Slackware SSA:2006-107-01 2006-04-17
Red Hat RHSA-2006:0328-01 2006-04-14

Comments (1 posted)

gdb: multiple vulnerabilities

Package(s):gdb CVE #(s):CAN-2005-1704 CAN-2005-1705
Created:May 20, 2005 Updated:August 11, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer overflow in the BFD library, resulting in a heap overflow. A review also showed that by default, gdb insecurely sources initialization files from the working directory. Successful exploitation would result in the execution of arbitrary code on loading a specially crafted object file or the execution of arbitrary commands.
Alerts:
Red Hat RHSA-2006:0354-01 2006-08-10
Red Hat RHSA-2006:0368-01 2006-07-20
Mandriva MDKSA-2005:215 2005-11-23
Fedora FEDORA-2005-1033 2005-10-27
Fedora FEDORA-2005-1032 2005-10-27
Red Hat RHSA-2005:801-01 2005-10-18
Red Hat RHSA-2005:763-01 2005-10-11
Red Hat RHSA-2005:709-01 2005-10-05
Red Hat RHSA-2005:673-01 2005-10-05
Red Hat RHSA-2005:659-01 2005-09-28
Fedora FEDORA-2005-498 2005-06-29
Fedora FEDORA-2005-497 2005-06-29
Gentoo 200506-01 2005-06-01
Trustix TSLSA-2005-0025 2005-05-31
Mandriva MDKSA-2005:095 2005-05-30
Ubuntu USN-136-2 2005-05-27
Ubuntu USN-136-1 2005-05-27
Ubuntu USN-135-1 2005-05-27
Gentoo 200505-15 2005-05-20

Comments (5 posted)

gdm: improper file permissions

Package(s):gdm CVE #(s):CVE-2006-1057
Created:April 19, 2006 Updated:May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Red Hat RHSA-2007:0286-02 2007-05-01
Mandriva MDKSA-2006:083 2006-05-09
Ubuntu USN-278-1 2006-05-03
Debian DSA-1040-1 2006-04-24
Fedora FEDORA-2006-338 2006-04-19

Comments (none posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 9, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occurred in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

ImageMagick: heap overflow vulnerability

Package(s):ImageMagick CVE #(s):CVE-2006-2440
Created:May 25, 2006 Updated:September 5, 2006
Description: The ImageMagick DisplayImageCommand has a heap overflow vulnerability. If an maliciously created unexpanded glob is passed to ImageMagick, a heap overflow can result.
Alerts:
Debian DSA-1168-1 2006-09-04
Fedora FEDORA-2006-588 2006-05-24
Fedora FEDORA-2006-587 2006-05-24

Comments (none posted)

ipsec-tools: denial of service

Package(s):ipsec-tools CVE #(s):CVE-2005-3732
Created:December 1, 2005 Updated:June 8, 2006
Description: ipsec-tools has a remote denial of service vulnerability in the racoon daemon. If racoon is running in aggressive mode, it fails to check all peer payloads during When the daemon the IKE negotiation phase, allowing a malicious peer to crash the daemon. One should always be careful around aggressive racoons.
Alerts:
Fedora-Legacy FLSA:190941 2006-06-06
Red Hat RHSA-2006:0267-01 2006-04-25
Debian DSA-965-1 2006-02-06
Mandriva MDKSA-2006:020 2006-01-25
SuSE SUSE-SA:2005:070 2005-12-20
Gentoo 200512-04 2005-12-12
Ubuntu USN-221-1 2005-12-01

Comments (none posted)

kdebase: local root vulnerability

Package(s):kdebase CVE #(s):CAN-2005-2494
Created:September 7, 2005 Updated:August 11, 2006
Description: The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
Alerts:
Red Hat RHSA-2006:0582-01 2006-08-10
Debian DSA-815-1 2005-09-16
Slackware SSA:2005-251-01 2005-09-09
Ubuntu USN-176-1 2005-09-07
Mandriva MDKSA-2005:160 2005-09-06

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:November 27, 2006
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2006-2271 CVE-2006-2272 CVE-2006-2274 CVE-2006-2275 CVE-2006-1864
Created:May 12, 2006 Updated:July 13, 2006
Description: Multiple vulnerabilities in the Linux have been found.
  • An error in the Stream Control Transmission Protocol (SCTP) code that uses incorrect state table entries when certain ECNE chunks are received in CLOSED state, could be exploited by attackers to cause a kernel panic via a specially crafted packet.
  • An error exist when handling incoming IP-fragmented SCTP control chunks, which could be exploited by attackers to cause a kernel panic via a specially crafted packet.
  • Linux SCTP (lksctp) allows remote attackers to cause a denial of service (infinite recursion and crash) via a packet that contains two or more DATA fragments, which causes an skb pointer to refer back to itself when the full message is reassembled, leading to infinite recursion in the sctp_skb_pull function
  • Linux SCTP (lksctp) allows remote attackers to cause a denial of service (deadlock) via a large number of small messages to a receiver application that cannot process the messages quickly enough, which leads to "spillover of the receive buffer."
  • A vulnerability has been identified due to an input validation error when processing arguments containing backslash ("\\") characters passed to certain commands (e.g. "cd"), which could be exploited by authenticated attackers to escape chroot restrictions for a CIFS or SMBFS mounted filesystem.
Alerts:
Red Hat RHSA-2006:0580-01 2006-07-13
Red Hat RHSA-2006:0579-01 2006-07-13
Debian DSA-1103-1 2006-06-27
SuSE SUSE-SA:2006:028 2006-05-31
Red Hat RHSA-2006:0493-01 2006-05-24
Mandriva MDKSA-2006:086 2006-05-18
Trustix TSLSA-2006-0026 2006-05-12

Comments (none posted)

kernel: netfilter memory corruption

Package(s):kernel CVE #(s):CVE-2006-2444
Created:May 25, 2006 Updated:July 5, 2006
Description: The 2.6.12 kernel has a remote memory corruption vulnerability that can be remotely triggered by loading the ip_nat_snmp_basic module and traffic is network-translated on port 161 or 162.
Alerts:
Mandriva MDKSA-2006:116 2006-07-05
Ubuntu USN-302-1 2006-06-15
Trustix TSLSA-2006-0030 2006-05-26
Mandriva MDKSA-2006:087 2006-05-24

Comments (none posted)

kernel: information disclosure

Package(s):kernel CVE #(s):CVE-2006-1343
Created:May 31, 2006 Updated:July 20, 2006
Description: The 2.6 kernel netfilter code contains an information leak; this vulnerability has been fixed in the 2.6.16.19 release.
Alerts:
Red Hat RHSA-2006:0437-01 2006-07-20
Debian DSA-1097-1 2006-06-14
Fedora FEDORA-2006-698 2006-06-11
Fedora FEDORA-2006-697 2006-06-11
Trustix TSLSA-2006-0032 2006-06-05
rPath rPSA-2006-0087-1 2006-05-31

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, console Gadu Gadu client, an instant messaging program) which is included in gaim, a multi-protocol instant messaging client, as well. This can not be exploited on the x86 architecture but on others, e.g. on Sparc and lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: buffer overflows in PNG handling

Package(s):libgd2 CVE #(s):CAN-2004-0990 CAN-2004-0941
Created:October 29, 2004 Updated:June 28, 2006
Description: Several buffer overflows have been discovered in libgd's PNG handling functions.
If an attacker tricked a user into loading a malicious PNG image, they could leverage this into executing arbitrary code in the context of the user opening image. Most importantly, this library is commonly used in PHP. One possible target would be a PHP driven photo website that lets users upload images. Therefore this vulnerability might lead to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function.
Alerts:
Mandriva MDKSA-2006:114 2006-06-27
Red Hat RHSA-2006:0194-01 2006-02-01
Fedora-Legacy FLSA:152838 2005-07-15
Red Hat RHSA-2004:638-01 2004-12-17
Ubuntu USN-33-1 2004-11-29
Debian DSA-602-1 2004-11-29
Debian DSA-601-1 2004-11-29
Mandrake MDKSA-2004:132 2004-11-15
Ubuntu USN-25-1 2004-11-15
Fedora FEDORA-2004-412 2004-11-11
Fedora FEDORA-2004-411 2004-11-11
Ubuntu USN-21-1 2004-11-09
Debian DSA-591-1 2004-11-09
Debian DSA-589-1 2004-11-09
Gentoo 200411-08 2004-11-03
OpenPKG OpenPKG-SA-2004.049 2004-10-30
Ubuntu USN-11-1 2004-10-28

Comments (none posted)

libpam-ldap: authentication bypass

Package(s):libpam-ldap CVE #(s):CAN-2005-2641
Created:August 25, 2005 Updated:October 6, 2006
Description: libpam-ldap, the PAM LDAP interface, has a vulnerability in which it fails to authenticate with an LDAP server which is not configured properly, allowing an authentication bypass.
Alerts:
rPath rPSA-2006-0183-1 2006-10-05
Mandriva MDKSA-2005:190 2005-10-20
Gentoo 200508-22 2005-08-31
Debian DSA-785-1 2005-08-25

Comments (none posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CVE-2006-2656
Created:May 26, 2006 Updated:June 8, 2006
Description: The tiffsplit command has a problem in the way that it handles fixed-size buffers, a stack overflow can result.
Alerts:
Ubuntu USN-289-1 2006-06-08
Debian DSA-1091-1 2006-06-08
Mandriva MDKSA-2006:095 2006-06-05
Fedora FEDORA-2006-592 2006-05-25
Fedora FEDORA-2006-591 2006-05-25

Comments (none posted)

mailman: denial of service

Package(s):mailman CVE #(s):CVE-2006-0052
Created:March 30, 2006 Updated:June 9, 2006
Description: Mailman 2.1.5 and below have a denial of service vulnerability in the Scrubber.py script. If a maliciously created message with a mime multi part format is received, mailman delivery can be stopped.
Alerts:
Red Hat RHSA-2006:0486-01 2006-06-09
SuSE SUSE-SR:2006:008 2006-04-07
Debian DSA-1027-1 2006-04-06
Ubuntu USN-267-1 2006-04-03
Mandriva MDKSA-2006:061 2006-03-29

Comments (none posted)

mozilla products have multiple vulnerabilities

Package(s):mozilla seamonkey firefox thunderbird CVE #(s):CVE-2006-2775 CVE-2006-2776 CVE-2006-2777 CVE-2006-2778 CVE-2006-2779 CVE-2006-2780 CVE-2006-2782 CVE-2006-2783 CVE-2006-2784 CVE-2006-2785 CVE-2006-2786 CVE-2006-2787
Created:June 5, 2006 Updated:August 2, 2006
Description: There are multiple vulnerabilities in products based on Mozilla components, particularly Gecko. This CERT advisory contains details.
Alerts:
Debian DSA-1134-1 2006-08-02
Ubuntu USN-297-3 2006-07-26
Ubuntu USN-323-1 2006-07-25
Ubuntu USN-296-2 2006-07-25
Debian DSA-1120-1 2006-07-23
Debian DSA-1118-1 2006-07-22
Red Hat RHSA-2006:0578-01 2006-07-20
SuSE SUSE-SA:2006:035 2006-06-23
Gentoo 200606-21 2006-06-19
Fedora FEDORA-2006-717 2006-06-15
Fedora FEDORA-2006-715 2006-06-15
Ubuntu USN-297-2 2006-06-15
Ubuntu USN-297-1 2006-06-13
Gentoo 200606-12 2006-06-11
Slackware SSA:2006-155-02 2006-06-05
rPath rPSA-2006-0091-1 2006-06-02

Comments (none posted)

mpg123: buffer overflows

Package(s):mpg123 CVE #(s):CVE-2006-1655
Created:May 24, 2006 Updated:July 3, 2006
Description: mpg123 does not properly validate MPEG 2.0 layer 3 files, leading to a number of buffer overflow vulnerabilities.
Alerts:
Gentoo 200607-01 2006-07-03
Mandriva MDKSA-2006:092 2006-05-26
Debian DSA-1074-1 2006-05-24

Comments (none posted)

mysql: SQL injection vulnerability

Package(s):mysql CVE #(s):CVE-2006-2753
Created:June 2, 2006 Updated:June 16, 2006
Description: This MySQL 4.1.20 release announcement covers an SQL injection vulnerability.
Alerts:
Ubuntu USN-303-1 2006-06-16
Fedora FEDORA-2006-702 2006-06-13
Fedora FEDORA-2006-703 2006-06-13
Gentoo 200606-13 2006-06-11
Red Hat RHSA-2006:0544-01 2006-06-09
Trustix TSLSA-2006-0034 2006-06-09
Mandriva MDKSA-2006:097 2006-06-07
Debian DSA-1092-1 2006-06-08
Slackware SSA:2006-155-01 2006-06-05
rPath rPSA-2006-0089-1 2006-06-01

Comments (none posted)

MySQL: logging bypass

Package(s):mysql CVE #(s):CVE-2006-0903
Created:April 4, 2006 Updated:May 21, 2008
Description: MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Red Hat RHSA-2008:0364-01 2008-05-21
Ubuntu USN-274-2 2006-05-15
Ubuntu USN-274-1 2006-04-27
Mandriva MDKSA-2006:064 2006-04-03

Comments (2 posted)

mysql: information leaks

Package(s):mysql mysql-dfsg CVE #(s):CVE-2006-1516 CVE-2006-1517
Created:May 8, 2006 Updated:June 23, 2006
Description: Stefano Di Paola discovered an information leak in the login packet parser. By sending a specially crafted malformed login packet, a remote attacker could exploit this to read a random piece of memory, which could potentially reveal sensitive data. (CVE-2006-1516)

Stefano Di Paola also found a similar information leak in the parser for the COM_TABLE_DUMP request. (CVE-2006-1517)

Alerts:
SuSE SUSE-SA:2006:036 2006-06-23
Debian DSA-1079-1 2006-05-29
Debian DSA-1073-1 2006-05-22
Debian DSA-1071-1 2006-05-22
Fedora FEDORA-2006-553 2006-05-17
Fedora FEDORA-2006-554 2006-05-17
Gentoo 200605-13 2006-05-11
Slackware SSA:2006-129-02 2006-05-10
Mandriva MDKSA-2006:084 2006-05-10
Ubuntu USN-283-1 2006-05-08

Comments (1 posted)

ntp: uses wrong gid

Package(s):ntp CVE #(s):CAN-2005-2496
Created:August 26, 2005 Updated:August 11, 2006
Description: When starting xntpd with the -u option and specifying the group by using a string not a numeric gid the daemon uses the gid of the user not the group. This problem is now fixed by this update.
Alerts:
Red Hat RHSA-2006:0393-01 2006-08-10
Mandriva MDKSA-2005:156 2005-09-06
Debian DSA-801-1 2005-09-05
Ubuntu USN-175-1 2005-09-01
Fedora FEDORA-2005-812 2005-08-26

Comments (none posted)

openmotif: buffer overflows

Package(s):openmotif CVE #(s):CVE-2005-3964
Created:December 29, 2005 Updated:July 27, 2006
Description: The libUil component of the OpenMotif toolkit has a pair of buffer overflow vulnerabilities that can possibly be used for the execution of arbitrary code.
Alerts:
Fedora FEDORA-2006-854 2006-07-26
Red Hat RHSA-2006:0272-01 2006-04-04
Gentoo 200512-16 2005-12-28

Comments (none posted)

OpenSSH: double shell expansion

Package(s):openssh CVE #(s):CVE-2006-0225
Created:January 23, 2006 Updated:July 20, 2006
Description: OpenSSH has a double shell expansion vulnerability in local to local and remote to remote copy with scp.
Alerts:
Red Hat RHSA-2006:0298-01 2006-07-20
Red Hat RHSA-2006:0044-01 2006-03-07
Ubuntu USN-255-1 2006-02-21
Gentoo 200602-11 2006-02-20
Fedora-Legacy FLSA:168935 2006-02-18
OpenPKG OpenPKG-SA-2006.003 2006-02-18
Slackware SSA:2006-045-06 2006-02-15
SuSE SUSE-SA:2006:008 2006-02-14
Mandriva MDKSA-2006:034 2006-02-06
Fedora FEDORA-2006-056 2006-01-23

Comments (none posted)

perl: setuid vulnerabilities

Package(s):perl CVE #(s):CAN-2005-0155 CAN-2005-0156
Created:February 2, 2005 Updated:August 11, 2006
Description: There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
Alerts:
Red Hat RHSA-2006:0605-01 2006-08-10
Fedora FEDORA-2005-353 2005-05-02
Red Hat RHSA-2005:103-01 2005-02-15
Gentoo 200502-13 2005-02-11
SuSE SUSE-SR:2005:004 2005-02-11
Mandrake MDKSA-2005:031 2005-02-08
Red Hat RHSA-2005:105-01 2005-02-07
Ubuntu USN-72-1 2005-02-02

Comments (none posted)

php: multiple vulnerabilities

Package(s):php CVE #(s):CVE-2006-1990 CVE-2006-1991 CVE-2006-3017
Created:May 25, 2006 Updated:August 18, 2006
Description: The php wordwrap() function is vulnerable to an integer overflow. Attackers can submit long arguments to cause a heap-based buffer overflow, allowing arbitrary code execution.

PHP 5.x and PHP 4.4.2 have a problem with the substr_compare() function. An attacker can use an out-of-bounds offset argument to cause a memory access violation, causing a denial of service.

A bug in zend_hash_del() allowed attackers to prevent unsetting of some variables

Alerts:
Slackware SSA:2006-217-01 2006-08-07
Gentoo 200605-08:02 2006-05-08
Fedora-Legacy FLSA:175040 2006-07-27
Ubuntu USN-320-2 2006-07-26
Red Hat RHSA-2006:0567-01 2006-07-25
Ubuntu USN-320-1 2006-07-19
Red Hat RHSA-2006:0568-01 2006-07-12
Mandriva MDKSA-2006:122 2006-07-13
SuSE SUSE-SA:2006:034 2006-06-22
SuSE SUSE-SA:2006:031 2006-06-14
Mandriva MDKSA-2006