Vyatta –
Linux & Open Source
Alternative to Cisco –
Advanced Routing,
Firewall, VPN, QoS..
Free Download ->
|
|
| |
|
| |
Security
Two years of RHEL4 risk
April 25, 2007
This article was contributed by Jake Edge.
A recently released
report
on the security track record of Red Hat Enterprise Linux 4 (RHEL4) sets out
to quantify the risks that an administrator would have faced when using
the distribution. It takes a comprehensive look at all of the vulnerabilities
that were classified as 'critical' in the two years since RHEL4 was released.
A measure of pride is evident in the recognition that there were only three
critical vulnerabilities in the default server install, a rather
nice accomplishment; the study itself is an even better result and it
should set the bar for other similar studies in the future.
In stark contrast to almost daily studies that purport to 'prove' that
Redmond's latest offering is vastly superior to Linux in the security arena,
the RHEL study simply looks at the reported vulnerabilities
in that distribution and leaves any comparisons for others. The study mainly
focuses on the critical vulnerabilities, but it does look at the
'Vulnerability Workload Index' for a server install with all available packages.
This index is meant to give a rough measure of the amount of work an
administrator would need to do to keep a system free from all vulnerabilities.
The most interesting conclusion that can be drawn from the graph is that
the overall workload is pretty flat, there are certainly peaks, but it
is neither increasing nor decreasing over time. Because the software released
with RHEL4 is, of course, getting older and the upstream projects are likely
to be releasing newer versions, a case could be made either way regarding
increasing stability vs. more security issues found over time and it
would appear that the two roughly balance each other.
Flaws that get the 'critical' designation are those that can lead to a system
compromise in an automatic way without any user action. These are the kinds
of bugs that could be exploited by worms to invade and propagate. The
critical designation has been stretched to cover web browser bugs that
are exploited when a user visits a site with malicious code. The vast
majority of critical bugs fall into the latter category and that difference
leads to 60 flaws in a system with all packages installed, 50 of which
can be traced to Mozilla products or the HelixPlayer plugin.
The study goes into the 60 critical flaws in some depth, categorizing them by
type and reporting on the so-called 'days of risk' (number of days after
a vulnerability report before a fix is available). All critical flaws were
fixed within two calendar days and 60% were fixed on the same day. The
riskiest packages are also listed using a weighted score based on
the number and severity of bugs in that package with various Mozilla projects
coming out on top. Interestingly, the kernel dropped from #1 last year to #4
in the current report.
The risk to a system is not only a function of the vulnerabilities in the
packages it has installed; exploits 'in the wild' also factor into it.
The report looks in detail at exploits for
37 vulnerabilities, many of which are, unsurprisingly, either browser
or 'user complicit' exploits. Triggering a user complicit exploit requires
convincing a user to perform some action with a malicious file; because
administrators should be wary of such things or even of running a browser
from a privileged account, the impact of those exploits are limited.
The seven kernel and six server exploits represent a more dangerous class,
with system compromise a distinct possibility. None of the kernel exploits
were remote and all were either denial of service or privilege escalation
bugs. Each of the server application exploits could lead to compromise
of the non-root user that runs the service.
It is interesting to note that
SELinux and
Exec-Shield
are specifically
mentioned as either eliminating or reducing the impact of eleven of these
exploits. Both of these security tools are installed by default with RHEL4
and are targeted at stopping or reducing the effectiveness of just these
kinds of attacks. Exec-Shield uses address space randomization and
protection against executing code from the stack to avoid executing
arbitrary code in the presence of a buffer overflow or similar flaw.
The SELinux policy that ships with RHEL4 restricts users and processes
to only that set of resources they need for their normal function and that
can reduce the kinds of problems an exploited process can cause.
While they are no substitute for correctly written code, these technologies
are clearly helpful to reduce security threats; with luck other techniques
will come along that continue this kind of work.
This is the second report on RHEL4 security; the
first
covers the first year of release. Based on a comment on his original
article, the author is planning a four year retrospective on RHEL3 in
November which should be interesting as well. The comment indicates
only six critical vulnerabilities in the RHEL3 default install in its three
and a half years.
It is
difficult to put a label on the level of 'security risk' that a particular
system has, but RHEL4 would seem to have a fairly low risk overall. If one
keeps up with the patches and is reasonably cognizant of security practices,
the chances for a system compromise are low. This is a real accomplishment
by the Red Hat team and should be a feather in the cap for Linux in
general. No software is perfect and an operating system or distribution
is just a collection of software so vigilance is required. Without examining
our track record, it is difficult to gauge progress and this kind of report is
an excellent way to track that progress; hopefully other distributions will
follow suit.
Comments (1 posted)
New vulnerabilities
3proxy: buffer overflow
| Package(s): | 3proxy |
CVE #(s): | CVE-2007-2031
|
| Created: | April 23, 2007 |
Updated: | April 25, 2007 |
| Description: |
The 3proxy development team reported a buffer overflow in the logurl()
function when processing overly long requests. A remote attacker could
send a specially crafted transparent request to the proxy, resulting in the
execution of arbitrary code with privileges of the user running 3proxy.
This has been fixed in the 3proxy 0.5.3i bugfix
release. |
| Alerts: |
|
Comments (none posted)
aircrack-ng: remote execution of arbitrary code
| Package(s): | aircrack-ng |
CVE #(s): | CVE-2007-2057
|
| Created: | April 23, 2007 |
Updated: | May 23, 2007 |
| Description: |
Jonathan So reported that the airodump-ng module does not correctly
check the size of 802.11 authentication packets before copying them
into a buffer. A remote attacker could trigger a stack-based buffer
overflow by sending a specially crafted 802.11 authentication packet to a
user running airodump-ng with the -w (--write) option. This could lead to
the remote execution of arbitrary code with the permissions of the user
running airodump-ng, which is typically the root user. |
| Alerts: |
|
Comments (none posted)
blender: user-assisted remote execution of arbitrary code
| Package(s): | blender |
CVE #(s): | CVE-2007-1253
|
| Created: | April 24, 2007 |
Updated: | April 25, 2007 |
| Description: |
Stefan Cornelius of Secunia Research discovered an insecure use of the
"eval()" function in kmz_ImportWithMesh.py. A remote attacker could entice
a user to open a specially crafted Blender file (.kmz or .kml), resulting
in the execution of arbitrary Python code with the privileges of the user
running Blender. |
| Alerts: |
|
Comments (1 posted)
clamav: several vulnerabilities
| Package(s): | clamav |
CVE #(s): | CVE-2007-1745
CVE-2007-1997
|
| Created: | April 20, 2007 |
Updated: | May 9, 2007 |
| Description: |
The chm_decompress_stream function in libclamav/chmunpack.c leaks file
descriptors, which has unknown impact and attack vectors involving a
crafted CHM file. (CVE-2007-1745)
Integer signedness error in the (1) cab_unstore and (2) cab_extract
functions in libclamav/cab.c might allow remote attackers to execute
arbitrary code via a crafted CHM file that contains a negative integer,
which passes a signed comparison and leads to a stack-based buffer
overflow. (CVE-2007-1997) |
| Alerts: |
|
Comments (none posted)
Courier-IMAP: remote execution of arbitrary code
| Package(s): | courier-imap |
CVE #(s): | |
| Created: | April 23, 2007 |
Updated: | April 25, 2007 |
| Description: |
CJ Kucera has discovered that some Courier-IMAP scripts don't properly
handle the XMAILDIR variable, allowing for shell command injection. A
remote attacker could send specially crafted login credentials to a
Courier-IMAP server instance, possibly leading to remote code execution
with root privileges. |
| Alerts: |
|
Comments (2 posted)
opera: several vulnerabilities
Comments (none posted)
postgresql: privilege escalation
| Package(s): | postgresql |
CVE #(s): | CVE-2007-2138
|
| Created: | April 24, 2007 |
Updated: | June 18, 2007 |
| Description: |
PostgreSQL 8.2 and all back versions are vulnerable to a privilege escalation exploit
in SECURITY DEFINER functions. |
| Alerts: |
|
Comments (none posted)
sqlite: buffer overflow
| Package(s): | sqlite |
CVE #(s): | CVE-2007-1888
|
| Created: | April 19, 2007 |
Updated: | April 25, 2007 |
| Description: |
The sqlite lightweight DBMS has a buffer overflow vulnerability that
may be used by context-dependent attackers to execute arbitrary
code by using an empty value for the in parameter. |
| Alerts: |
|
Comments (1 posted)
webcalendar: cross-site scripting
| Package(s): | webcalendar |
CVE #(s): | CVE-2006-6669
|
| Created: | April 23, 2007 |
Updated: | April 25, 2007 |
| Description: |
A cross-site scripting (XSS) vulnerability in export_handler.php in
WebCalendar 1.0.4 and earlier allows remote attackers to inject arbitrary
web script or HTML via the format parameter. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2006-3918
|
| Created: | August 9, 2006 |
Updated: | April 4, 2008 |
| Description: |
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header." |
| Alerts: |
|
Comments (none posted)
Asterisk: two SIP denial of service vulnerabilities
| Package(s): | Asterisk |
CVE #(s): | CVE-2007-1561
CVE-2007-1594
|
| Created: | April 3, 2007 |
Updated: | August 27, 2007 |
| Description: |
The Madynes research team at INRIA has discovered that Asterisk contains a
null pointer dereferencing error in the SIP channel when handling INVITE
messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to
properly handle SIP responses with return code 0. A remote attacker could
cause an Asterisk server listening for SIP messages to crash by sending a
specially crafted SIP message or answering with a 0 return code. |
| Alerts: |
|
Comments (none posted)
bluez-utils: hidd vulnerability
| Package(s): | bluez-utils |
CVE #(s): | CVE-2006-6899
|
| Created: | January 16, 2007 |
Updated: | May 14, 2007 |
| Description: |
hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain
control of the Mouse and Keyboard Human Interface Device (HID) via a
certain configuration of two HID (PSM) endpoints, operating as a server,
aka HidAttack. |
| Alerts: |
|
Comments (none posted)
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
CVE #(s): | CVE-2006-5453
CVE-2006-5454
CVE-2006-5455
|
| Created: | November 10, 2006 |
Updated: | August 28, 2007 |
| Description: |
Bugzilla has the following vulnerabilities:
Input data passed to various fields is not properly sanitized before
being passed back to users.
Users can gain unauthorized access to read attachment
descriptions while using diff mode.
HTTP GET and HTTP POST requests can be used to perform unauthorized
actions due to improper verification.
Input that is passed to showdependencygraph.cgi is not properly
sanitized before being returned to users. |
| Alerts: |
|
Comments (none posted)
busybox: insecure password generation
| Package(s): | busybox |
CVE #(s): | CVE-2006-1058
|
| Created: | May 5, 2006 |
Updated: | May 2, 2007 |
| Description: |
The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. This would create an instance where a brute force attack could
take very little time. |
| Alerts: |
|
Comments (2 posted)
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | May 8, 2007 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: |
|
Comments (none posted)
cups: denial of service
| Package(s): | cups |
CVE #(s): | CVE-2007-0720
|
| Created: | March 26, 2007 |
Updated: | February 7, 2008 |
| Description: |
Previous versions of the cups package could be forced to hang via a client
"partially negotiating" an ssl connection. In this state, cups would not
allow other connections to be made, a denial of service. |
| Alerts: |
|
Comments (none posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
CVE #(s): | CVE-2006-1721
|
| Created: | April 21, 2006 |
Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate. |
| Alerts: |
|
Comments (none posted)
dokuwiki: cross-site scripting vulnerability
| Package(s): | dokuwiki |
CVE #(s): | CVE-2006-6965
|
| Created: | April 12, 2007 |
Updated: | April 18, 2007 |
| Description: |
DokuWiki has a cross-site scripting vulnerability that is caused by
insufficient user input sanitization of the GET variable 'media' in
the fetch.php file. If a user can be tricked into clicking on a
specially crafted link, CRLF characters can be injected into the variable
allowing arbitrary scripts to be executed with the user's permissions. |
| Alerts: |
|
Comments (none posted)
dovecot: index cache file handling error
| Package(s): | dovecot |
CVE #(s): | CVE-2006-5973
|
| Created: | November 29, 2006 |
Updated: | May 8, 2007 |
| Description: |
The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable. |
| Alerts: |
|
Comments (none posted)
dovecot: information exposure
| Package(s): | dovecot |
CVE #(s): | |
| Created: | April 18, 2007 |
Updated: | April 18, 2007 |
| Description: |
Dovecot is vulnerable to a trivial information exposure in which files
outside the user's mail directory could be opened if the zlib plugin is
used. |
| Alerts: |
|
Comments (2 posted)
evolution: format string error
| Package(s): | evolution |
CVE #(s): | CVE-2007-1002
|
| Created: | March 27, 2007 |
Updated: | February 27, 2008 |
| Description: |
A format string error in the "write_html()" function in calendar/gui/
e-cal-component-memo-preview.c when displaying a memo's categories can
potentially be exploited to execute arbitrary code via a specially crafted
shared memo containing format specifiers. |
| Alerts: |
|
Comments (1 posted)
fail2ban: denial of service
| Package(s): | fail2ban |
CVE #(s): | CVE-2006-6302
|
| Created: | February 16, 2007 |
Updated: | July 30, 2007 |
| Description: |
fail2ban 0.7.4 and earlier does not properly parse sshd logs file, which
allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file
and cause a denial of service by adding arbitrary IP addresses to the sshd
log file, as demonstrated by logging in to ssh using a login name
containing certain strings with an IP address. |
| Alerts: |
|
Comments (3 posted)
ffmpeg: buffer overflows
| Package(s): | ffmpeg |
CVE #(s): | CVE-2006-4799
CVE-2006-4800
|
| Created: | September 14, 2006 |
Updated: | May 28, 2007 |
| Description: |
the AVI processing code in FFmpeg has a number of buffer overflow
vulnerabilities.
If an attacker can trick a user into loading a specially crafted
crafted AVI, arbitrary code can be executed with the user's privileges. |
| Alerts: |
|
Comments (2 posted)
file: denial of service
| Package(s): | file |
CVE #(s): | CVE-2007-2026
|
| Created: | April 18, 2007 |
Updated: | May 25, 2007 |
| Description: |
The gnu regular expression code in file 4.20 allows context-dependent
attackers to cause a denial of service (CPU consumption) via a crafted
document with a large number of line feed characters, which is not well
handled by OS/2 REXX regular expressions that use wildcards, as originally
reported for AMaViS. |
| Alerts: |
|
Comments (none posted)
file: arbitrary code execution
| Package(s): | file |
CVE #(s): | CVE-2007-1536
|
| Created: | March 22, 2007 |
Updated: | May 30, 2007 |
| Description: |
The "file" utility incorrectly checks the allocated heap memory size.
If a remote attacker can trick a user into looking at specially crafted
files with file, arbitrary code can be executed with the user's privileges. |
| Alerts: |
|
Comments (1 posted)
firefox: FTP PASV port-scanning
| Package(s): | firefox seamonkey |
CVE #(s): | CVE-2007-1562
|
| Created: | March 23, 2007 |
Updated: | June 4, 2007 |
| Description: |
According to this
advisory, the FTP protocol includes the PASV (passive) command which is
used by Firefox to request an alternate data port. The specification of the
FTP protocol allows the server response to include an alternate server
address as well, although this is rarely used in practice. |
| Alerts: |
|
Comments (1 posted)
freeradius: memory leak
| Package(s): | freeradius |
CVE #(s): | CVE-2007-2028
|
| Created: | April 17, 2007 |
Updated: | May 15, 2007 |
| Description: |
A memory leak in freeRADIUS 1.1.5 and earlier allows remote attackers to
cause a denial of service (memory consumption) via a large number of
EAP-TTLS tunnel connections using malformed Diameter format attributes,
which causes the authentication request to be rejected but does not reclaim
VALUE_PAIR data structures. |
| Alerts: |
|
Comments (none posted)
freeradius: several vulnerabilities
| Package(s): | freeradius |
CVE #(s): | CVE-2005-4745
CVE-2005-4746
|
| Created: | August 8, 2006 |
Updated: | April 24, 2007 |
| Description: |
Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or denial
of service. |
| Alerts: |
|
Comments (none posted)
freetype: integer overflows
| Package(s): | freetype |
CVE #(s): | CVE-2006-0747
CVE-2006-1861
CVE-2006-2493
CVE-2006-2661
CVE-2006-3467
|
| Created: | June 8, 2006 |
Updated: | October 10, 2007 |
| Description: |
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
| Alerts: |
|
Comments (none posted)
gcc: file overwrite vulnerability
| Package(s): | gcc |
CVE #(s): | CVE-2006-3619
|
| Created: | September 6, 2006 |
Updated: | March 14, 2008 |
| Description: |
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
| Alerts: |
|
Comments (none posted)
gd: buffer overflow
| Package(s): | gd |
CVE #(s): | CVE-2007-0455
|
| Created: | February 7, 2007 |
Updated: | February 28, 2008 |
| Description: |
The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable. |
| Alerts: |
|
Comments (2 posted)
gdb: buffer overflow
| Package(s): | gdb |
CVE #(s): | CVE-2006-4146
|
| Created: | September 15, 2006 |
Updated: | June 12, 2007 |
| Description: |
A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU
Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to
execute arbitrary code via a crafted file with a location block
(DW_FORM_block) that contains a large number of operations. |
| Alerts: |
|
Comments (none posted)
gdm: improper file permissions
| Package(s): | gdm |
CVE #(s): | CVE-2006-1057
|
| Created: | April 19, 2006 |
Updated: | May 2, 2007 |
| Description: |
The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: |
|
Comments (none posted)
gzip: multiple vulnerabilities
| Package(s): | gzip |
CVE #(s): | CVE-2006-4334
CVE-2006-4335
CVE-2006-4336
CVE-2006-4337
CVE-2006-4338
|
| Created: | September 19, 2006 |
Updated: | June 1, 2007 |
| Description: |
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code. |
| Alerts: |
|
Comments (1 posted)
horde-kronolith: local file inclusion
| Package(s): | horde-kronolith |
CVE #(s): | CVE-2006-6175
|
| Created: | January 17, 2007 |
Updated: | March 7, 2008 |
| Description: |
Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered
string is used instead of a sanitized string to view local files. An
authenticated attacker could craft an HTTP GET request that uses directory
traversal techniques to execute any file on the web server as PHP code,
which could allow information disclosure or arbitrary code execution with
the rights of the user running the PHP application (usually the webserver
user). |
| Alerts: |
|
Comments (none posted)
ImageMagick: integer overflows
| Package(s): | imagemagick |
CVE #(s): | CVE-2007-1797
|
| Created: | April 4, 2007 |
Updated: | April 17, 2008 |
| Description: |
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote
attackers to execute arbitrary code via (1) a crafted DCM image, which
results in a heap-based overflow in the ReadDCMImage function, or (2) the
(a) colors or (b) comments field in a crafted XWD image, which results in a
heap-based overflow in the ReadXWDImage function, different issues than
CVE-2007-1667. |
| Alerts: |
|
Comments (none posted)
imlib2: arbitrary code execution
| Package(s): | imlib2 |
CVE #(s): | CVE-2006-4806
CVE-2006-4807
CVE-2006-4808
CVE-2006-4809
|
| Created: | November 6, 2006 |
Updated: | August 13, 2007 |
| Description: |
M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the
validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user
were tricked into viewing or processing a specially crafted image with
an application that uses imlib2, the flaws could be exploited to execute
arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
CVE #(s): | CVE-2007-1841
|
| Created: | April 10, 2007 |
Updated: | August 28, 2007 |
| Description: |
A flaw was discovered in the IPSec key exchange server "racoon". Remote
attackers could send a specially crafted packet and disrupt established
IPSec tunnels, leading to a denial of service. |
| Alerts: |
|
Comments (none posted)
java: multiple vulnerabilities
| Package(s): | java |
CVE #(s): | CVE-2006-4339
CVE-2006-4790
CVE-2006-6731
CVE-2006-6736
CVE-2006-6737
CVE-2006-6745
|
| Created: | January 18, 2007 |
Updated: | June 8, 2007 |
| Description: |
java has multiple vulnerabilities, these include:
an RSA exponent padding attack vulnerability, two vulnerabilities
which allow untrusted applets to access data in other applets,
vulnerabilities that involve applets gaining privileges due to
serialization bugs in the JRE and buffer overflows in the java image
handling routines that can give attackers read/write/execute capabilities
for local files. |
| Alerts: |
|
Comments (1 posted)
kdelibs: cross-site scripting
| Package(s): | kdelibs konqeror |
CVE #(s): | CVE-2007-0537
|
| Created: | February 5, 2007 |
Updated: | August 13, 2007 |
| Description: |
Konqueror 3.5.5 does not properly parse HTML comments, which allows remote
attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS
protection schemes by embedding certain HTML tags within a comment, a
related issue to CVE-2007-0478. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2007-1357
|
| Created: | April 16, 2007 |
Updated: | November 14, 2007 |
| Description: |
The atalk_sum_skb function in AppleTalk for Linux kernel 2.6.x before
2.6.21, and possibly 2.4.x, allows remote attackers to cause a denial of
service (crash) via an AppleTalk frame that is shorter than the specified
length, which triggers a BUG_ON call when an attempt is made to perform a
checksum. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2006-5749
CVE-2006-4814
CVE-2006-6106
|
| Created: | January 5, 2007 |
Updated: | May 7, 2008 |
| Description: |
A security issue has been reported in Linux kernel due to an error in
drivers/isdn/i4l/isdn_ppp.c as the "isdn_ppp_ccp_reset_alloc_state()"
function never initializes an event timer before scheduling it with the
"add_timer()" function.
The mincore function in the kernel does not properly lock access to user
space, which has unspecified impact and attack vectors, possibly related to
a deadlock.
Another vulnerability has been reported in Linux kernel caused by a
boundary error within the handling of incoming CAPI messages in
net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain
Kernel data structures. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4623
|
| Created: | October 18, 2006 |
Updated: | November 14, 2007 |
| Description: |
The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2007-0005
CVE-2007-1000
|
| Created: | March 15, 2007 |
Updated: | November 14, 2007 |
| Description: |
The Linux kernel has a boundary error problem with the
Omnikey CardMan 4040 driver read and write functions. This can be used
to cause a buffer overflow and possible execution or arbitrary code with
kernel privileges.
The ipv6_getsockopt_sticky function in
net/ipv6/ipv6_sockglue.c is vulnerable to a NULL pointer dereference.
Local users can use this to crash the kernel or to disclose kernel
memory. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-0007
CVE-2007-0006
|
| Created: | February 15, 2007 |
Updated: | November 14, 2007 |
| Description: |
Linux kernel versions from 2.6.9 to 2.6.20 have a denial of service
vulnerability. A remote attacker can cause the key_alloc_serial
function's key serial number collision avoidance code to have a
null dereference, resulting in a crash. |
| Alerts: |
|
Comments (1 posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4535
CVE-2006-4538
|
| Created: | September 18, 2006 |
Updated: | December 3, 2007 |
| Description: |
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538) |
| Alerts: |
|
Comments (none posted)
kernel: denial of service by memory consumption
| Package(s): | kernel |
CVE #(s): | CVE-2006-2936
|
| Created: | July 17, 2006 |
Updated: | November 14, 2007 |
| Description: |
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2007-0772
|
| Created: | February 23, 2007 |
Updated: | November 14, 2007 |
| Description: |
The Linux kernel before 2.6.20.1 allows remote attackers to cause a denial
of service (oops) via a crafted NFSACL 2 ACCESS request that triggers a free
of an incorrect pointer. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-5757
|
| Created: | November 13, 2006 |
Updated: | November 14, 2007 |
| Description: |
From the MOKB-05-11-2006
advisory: "The ISO9660 filesystem handling code of the Linux
2.6.x kernel fails to properly handle corrupted data structures, leading to
an exploitable denial of service condition. This particular vulnerability
seems to be caused by a race condition and a signedness issue. When
performing a read operation on a corrupted ISO9660 fs stream, the
isofs_get_blocks() function will enter an infinite loop when
__find_get_block_slow() callback from sb_getblk() fails ("due to various
races between file io on the block device and getblk")." |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-2935
CVE-2006-4145
CVE-2006-3745
|
| Created: | September 1, 2006 |
Updated: | July 30, 2008 |
| Description: |
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack. |
| Alerts: |
|
Comments (none posted)
krb5: multiple vulnerabilities
| Package(s): | krb5 |
CVE #(s): | CVE-2007-0956
CVE-2007-0957
CVE-2007-1216
|
| Created: | April 3, 2007 |
Updated: | March 24, 2008 |
| Description: |
A flaw was found in the username handling of the MIT krb5 telnet daemon
(telnetd). A remote attacker who can access the telnet port of a target
machine could log in as root without requiring a password. MIT krb5 Security Advisory 2007-001
Buffer overflows were found which affect the Kerberos KDC and the kadmin
server daemon. A remote attacker who can access the KDC could exploit this
bug to run arbitrary code with the privileges of the KDC or kadmin server
processes. MIT krb5 Security Advisory
2007-002
A double-free flaw was found in the GSSAPI library used by the kadmin
server daemon. MIT krb5 Security Advisory
2007-003 |
| Alerts: |
|
Comments (none posted)
ktorrent: incorrect validation
| Package(s): | ktorrent |
CVE #(s): | CVE-2007-1384
CVE-2007-1385
CVE-2007-1799
|
| Created: | March 13, 2007 |
Updated: | October 24, 2007 |
| Description: |
Bryan Burns of Juniper Networks discovered that KTorrent did not
correctly validate the destination file paths nor the HAVE statements
sent by torrent peers. A malicious remote peer could send specially
crafted messages to overwrite files or execute arbitrary code with user
privileges. |
| Alerts: |
|
Comments (1 posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgtop2: buffer overflow
| Package(s): | libgtop2 |
CVE #(s): | CVE-2007-0235
|
| Created: | January 15, 2007 |
Updated: | August 9, 2007 |
| Description: |
The /proc parsing routines in libgtop are vulnerable to a buffer overflow.
If an attacker can run a process in a specially crafted long
path then trick a user into running gnome-system-monitor,
arbitrary code can be executed with the user's privileges. |
| Alerts: |
| |
|