Episodes from the evolution of Fedora
The Fedora 7 release, due on May 24 (though it
appears that schedule may slip a bit), marks
the beginning of a new era for
this distribution. As that release approaches, a number of issues have
come up which merit some attention. Here's a review of some events in
Fedora land.
One of the core developments in Fedora 7, so to speak, is the merging of
the "Core" and "Extras" distributions. As of the next release, it is all
simply "Fedora." Given the nearness of the release, one would have thought
that this merger would have happened some time ago. As it happens, that
merger is just being finished up now. Much of the ground work was done
over the preceding months, leading up to the actual joining of the
repositories, source management subsystems, and build systems happening
now. As of this writing, the new source archives and build systems are up,
but the flow of packages into the Rawhide distribution has not resumed.
There has been a small amount of concern voiced by a few maintainers of
packages formerly found in Extras. In the good old days, they could post
an updated package at any time and have it go right into the repository. Now
that there is only one repository, the whole thing is currently frozen in
the run-up to the release. How to work in the new, unified environment is
still not entirely clear to all Extras package maintainers. Overall,
though, the number of glitches from the merger appears to be small - so
far. More information can be found in the draft
post-merge FAQ.
Red Hat's distributions have long been known for including software which
is not necessarily completely mature. Over the years, this company has
pushed in bleeding-edge technologies like ELF binaries, glibc2, SELinux,
and more; the end result has often been a combination of user pain and
accelerated development of the code in question. Fedora is in many ways
the true descendant of Red Hat Linux, and it continues the practice of
packaging very new technologies. Some users are beginning to wonder if
that practice has gone just a little too far this time, though.
The software in question is the Nouveau driver. This reverse-engineered
code is an eventual replacement for the binary-only drivers supplied by
NVIDIA. Someday, Nouveau will be the driver of choice for people with
NVIDIA hardware, but today is not that day. The Nouveau driver is still in
heavy development with a lot of problems to solve before it is ready for
production use. But Fedora 7 includes it anyway so that people with
an interest in trying out the new driver can do so.
Fedora 7 does not enable Nouveau for any system unless explicitly told to.
In theory, anybody who turns it on should know what they are getting into;
in practice, at least one user has already been
burned by trying Nouveau in a situation where it did not work. So some
voices have been heard to say that Nouveau has been included ahead of its
time and should be removed. Fedora developers still want to include it, though:

    It is turned off by default just like the new Intel xorg driver in
    FC6. That did help in users providing feedback when they turn it on
    manually. It fits our mission of progressing Free software. This is
    an important project. Anything that we can do to help is worth the
    effort.

Others say that a project as important as Nouveau should not be subjected
to a tide of disappointed users who were lulled into trying the code before
its time by their distributor.
Chances are that Nouveau will remain. There is one remaining issue,
though: Nouveau is currently co-packaged with the stable "nv" driver that
people are actually expected to use. So Nouveau cannot be updated without
pushing out a new nv package. Given that Nouveau can be expected to evolve
considerably over the life of Fedora 7, impediments to the packaging
of updated versions seem like a bad idea. There is talk of splitting
Nouveau into its own package, which seems like a more than reasonable way
of solving this problem.
Finally, there is the issue of Python 2.5. That is the current version of
the language, and the version which will be shipped with Fedora 7.
The only problem is that the Zope content
management system, which serves as the base for Plone (and others), does
not work with this version of Python. So the current plan is for
Fedora 7 to ship without Zope or the packages which depend on
Zope.
Back in the days when Red Hat Linux fit on a single CD, a core component
like Python would not have been updated until everything which depended on
it was ready for the change. In fact, Red Hat Linux was glacially slow to
move to Python 2 for just this reason. Fedora is a much larger
distribution which lacks the same sort of firm central control, so it has
become much harder to delay an update like this. And, unlike Debian,
Fedora is unwilling to delay a distribution release until all such issues
are worked out.
Some Zope users would like to see Fedora ship a "compat-python24" package
so that Zope will continue to work. There is some opposition to this idea, though:

    As the python maintainer, I am *STRONGLY* opposed to a
    compat-python24 package. Because at the end of the day, bug
    reports will get filed against the wrong python package (because
    end-users aren't going to know or care). Security problems are
    still going to end up having to be dealt with and likely through me
    because the CVE will originally get filed against python and no one
    will think about compat-python.

Jeremy Katz, the maintainer quoted above, would like to see a rule allowing
a package maintainer to veto the addition of older "compat" packages so
that they could avoid having to deal with these sorts of problems.
He seems likely to win this particular argument, meaning that there will
probably be no Python 2.4 in Fedora 7. The implication is that
interested people will end up creating a set of Zope and Python 2.4
packages for Fedora 7 and hosting them on a third-party server
somewhere. It will be a small amount of extra hassle for affected users,
but that can be worked around. The issue of security support (crucially
important for a complex, network-facing system like Zope) should be
considered by anybody wanting to run this code, however.
There have been suggestions that the
maintainer of the Zope package should undertake the task of making it work
with the version of Python found in Fedora 7:

    I believe very strongly that it _is_ the package maintainer's job
    to work with upstream code to make it work with Fedora, and this
    kind of thing _is_ a packaging issue.
    There's a reason we have Fedora package maintainers instead of just
    automatically pulling in upstream tarballs and building them with
    rpmbuild -ta. It's because the role of the package maintainer is to
    make the package a _part_ of Fedora -- that's what makes Fedora a
    coherent distribution and not just a semi-random collection of
    packages.

In this view, making Zope work with Fedora's version of Python is much like
making it work with SELinux or Fedora's init scripts setup - just part of
the job of making a package for the distribution. Once again, this role
was probably easier to carry out back in the single-disk days. In any
case, the current Fedora Zope maintainer is not going to port Zope to
Python 2.5 - that is apparently a rather large job.
This, too, will pass, and Fedora 8 may well be able to welcome Zope back
into the fold. In the mean time, though, the Fedora developers are trying
to figure out just how their distribution should react to issues like
this. As Fedora evolves and becomes more open to the community, it will
have to better define its policies and set them down so that developers
know what to expect.
A think tank's view of free software
Back in early March, a company called the Olliance Group held a gathering
of about 100 corporate manager types at a resort in California's wine
country. This "Open Source think tank" has now produced a 16-page
report [PDF]. It is, indeed, an interesting look at how a certain part
of the corporate world views free software - though, perhaps, not entirely
in the ways its authors intended.
When a self-appointed "think tank" gets together to talk about free
software, one is right to be cautious. When one of that event's top-level
sponsors is Microsoft, an extra degree of nervousness seems appropriate.
The other top-level sponsor, naturally, is Novell; the remainder of the
list is NEC, Unisys, Jasper Soft, OpenLogic, and SugarCRM. Not the most
community-oriented bunch one could have come up with.
LWN readers will be glad to know that "Overall, the CIOs unanimously
agreed that open source is viewed as a viable option in software
procurement decisions for their companies." Once they made that
admission, however, this group started to raise its complaints about open
source, many of which could have come from the 1990s. The first was lack
of support - evidently there still is not enough commercial support for
open source software. The report notes that "this is something the
open source industry will have to address to increase adoption by
companies." One would think that if there is truly a need for more
support these companies would see that need as a business opportunity
rather than an obligation.
Another problem, it seems, is interoperability:

    CIOs desire greater interoperability built directly into open
    source products. This is an area where proprietary solutions
    maintain an advantage over open source, as it is far easier to
    integrate and use a suite of proprietary applications that are
    guaranteed to interoperate and that have common interfaces that
    make it easier for end-users to learn and use the suite.

This is a surprising claim, given that free software developers generally
work toward interoperability with everything. The next claim is just as
surprising:

    Open source lacks compliance with many standards when compared with
    proprietary solutions. These standards include universal standards
    such as ISO, and industry-specific standards (financial industry
    standards, health care industry standards, etc.). It was
    acknowledged however, that open source offers some advantages in
    the area of technology standards through its openness and
    transparency and its ability to facilitate the creation of de facto
    standards such as Eclipse and ODF.

The description of OpenDocument
as a "de facto standard" borders on the dishonest. The various reasons why
certain "industry standards" may not be supported as well as others are not
examined.
Think tank attendees bemoaned the fact that monetizing open source remains
challenging. Then, there is this problem:

    Open source generally depends on a corps of motivated volunteer
    developers to develop features. Often, the features that developers
    are interested in working on are different than features that
    customers are requesting. For example, Openoffice customers want
    more Visual Basic macros to ensure interoperability with Microsoft
    Office, but OO developers have not been all that interested in
    building VB macros.

The idea that a company whose business model depends on better VB support
could devote resources to the creation of that support is not mentioned
anywhere in the report.
Licensing is an issue which is mentioned several times in the report:

    Open source licensing is a big source of confusion due to the
    number of open source licenses, and a lack of understanding on how
    licenses impact business, as well as how licenses interact with one
    another. Some licenses require technology to be shared with the
    community, other licenses require attribution, and numerous
    licenses have different ways of dealing with software
    patents. Furthermore, many licenses are incompatible. License
    proliferation, confusion and incompatibility are barriers to the
    continued growth and adoption of open source.

Clearly, we would be better off with the simplicity, compatibility, and
fairness found in proprietary software licenses. Beyond that:

    Think Tank participants bemoaned the lack of a business-friendly
    license that adequately addresses issues such as copyright,
    patents, attribution and indemnification. While nobody was
    suggesting "yet another license" as the solution, the
    dissatisfaction by commercial vendors and customers with the
    existing licenses was clear.

It would be most enlightening to see what this "business-friendly license"
would involve, but the attendees apparently ran out of time before they
could elaborate on that point.
The GPLv3 draft was also discussed, with a generally negative response.
Another problem:

    These issues also point to the need for better governance of open
    source contributions. Currently, projects have many different
    standards governing code contributions - some communities
    vet the code, some require contribution agreements to be signed and
    others have no such requirements. The lack of standards and
    governance on contributions raises concerns on the source and
    legitimacy of code that is incorporated into projects.

This is a claim that needs to be backed up: despite the intense attention
which has been given to the provenance of code in a number of high-profile
projects, the number of real problems has been exceedingly small. If the
attendees of this think tank wish to claim that the code found in free
software projects is less likely to be legitimate than proprietary code,
they need to come up with some evidence to that effect. Sadly, space
constraints appear to have prevented this evidence from being included in
the report.
Other worries include a lack of open source developers - their numbers are
not keeping up with the growth of the industry. The fact that quite a few
developers are coming out of universities is considered to be a good thing,
but not without reservations: "However a concern was expressed that
due to the popularity of open source development at universities, graduates
may be lacking key skills such as sound architecture, defining customer
needs and product management." We also hear that open source "tends
to fragment easily," presenting problems for vendors. "Commercial
open source tends to be less fragmented, while 'pure' open source tends to
be more fragmented."
All is not bad, though. Open source offers "flexibility in procurement"
and "flexibility in deployment" where "companies can mix and match open
source software as they please" - despite all of those interoperability and
standards compliance problems we heard about earlier. Faster product
cycles are seen to be good, as are faster bug fixes. Plus:

    In addition, there is "perceived" value in the ability to fix or
    enhance open source code at the CIO's pleasure even if the vast
    majority of user organizations do not.

This "perceived" value is as close as this report ever gets to any sort of
freedom-related issue.
There is plenty more to look at in this report, but perhaps it is best to
finish with this observation:

    Finally, OSS and proprietary models continue to converge.
    Proprietary companies are taking elements of the open source model,
    including faster development cycles, and free, downloadable trial
    versions. OSS companies are taking elements of the proprietary
    model, by offering support, updates and indemnification.

This report gives no space to the developers of all this software, beyond
complaining that both their numbers and their motivation to implement
Visual Basic macros are insufficient. There is no thought toward
maintaining healthy development and user communities, addressing
problematic legal issues, or contributing back to the community in any
way. These are people who see free software as a well from which they can
draw resources for their businesses, but that software is just a raw
material. They want to repackage and sell that material in as proprietary
a manner as possible.
If this group represents the future of the open source business community,
we could be in real trouble. A look at the list of sponsors given at the
top of this article is cause for comfort, however, as most of the companies
which have found real success with free software chose not to support this
event. So there is reason to believe that this "think tank" is not
representative of the wider business community, that, instead, it's a group
of leaders of businesses who wish they were doing better at
"monetizing" free software.
The Grumpy Editor's next project
LWN readers need not be told that this publication is strongly biased in
favor of free software. So it should come as no surprise that we follow
the path we preach for others. The entire LWN operation is based on free
software, from our desktops to the web servers. We are a free software
success story, just like all those other companies using free software.
Chances are, however, that many of those companies share the one exception
which can be found here at LWN: our business accounting is done using a
well-known, proprietary, small business bookkeeping tool. It has all the
problems associated with such tools: it holds our company data in an
opaque, proprietary format, it does not interoperate with the rest of our
operation, it does not work as reliably as we would like, and it
occasionally forces an expensive upgrade to a new version for no clear
reason. Plus there's that proprietary operating system that the
bookkeeping application depends on.
Various attempts to replace this application have failed to take off. It's
hard to replace a functioning, important business subsystem, and, frankly,
free alternatives in the business accounting area have been slow to reach a
mature state. Your editor has recently become determined to change this
situation, though. Enough is enough.
A new accounting system will have to meet a number of needs. To begin
with, it must be able to import accounts and historical data from the
proprietary application. It should operate in a multi-user,
network-friendly manner. We need all of the usual accounting functions,
from double-entry bookkeeping to easy export of data to our accountant to
the creation of the occasional pie chart. And we would really like the
ability to integrate it with the LWN site code, since so much of our
commerce goes through that code.
There are numerous projects in this space. Your editor's list of
candidates at the moment includes (in no particular order):
- GnuCash: this application is mostly
aimed at personal finance (see this review from 2005), but
it does have some business features built into it as well.
- SQL-Ledger: a longstanding
web-based business accounting system. The code is GPL-licensed (this
week), but its owner (DWS Systems, Inc.) has not always distinguished
itself as a community-oriented operation.
- Ledger-SMB started as a fork
of SQL-Ledger. It has gained significant community support and
diverged significantly in a short period of time.
- Lx-Office is
another SQL-Ledger fork. It appears to be aimed at the needs of
German companies.
- Compiere is an "integrated ERP
& CRM solution" which happens to have an accounting module built
into it. Like SQL-Ledger, Compiere is the product of a single company
which has not always been as open as its user community would like.
- Adempiere is a fork of
Compiere with a stronger community focus.
- TinyERP is billed as "the world's
most advanced open source ERP & CRM." It appears to have an
active community and a fair amount of documentation - as long as one
doesn't mind reading a little French here and there.
- Lazy8 is a general ledger package
written in Java. It appears to be less feature complete than many of
the others.
- OFBiz is an Apache "enterprise
automation software" project with an emphasis on supporting electronic
commerce. It is covered by the Apache license and is used as the base
for a number of other applications, both free and commercial. Free
applications based on OFBiz include Neogia, opentaps, and SourceTap.
- Project Open is a
web-based system with an emphasis on project management.
- ERP5 is "a full featured high end Open
Source / Libre Software solution published under GPL license and used
for mission critical ERP / CRM / MRP / SCM / PDM applications by
industrial organisations and government agencies." The current pace
of development on this project appears to be a little slow, though,
judging from the traffic on its mailing lists.
- Quasar is a formerly
proprietary package which was released under
the GPL at the beginning of 2005. Unfortunately, it appears that
not a whole lot has happened with this package since then.
- Several proprietary accounting packages for Linux exist as well. If
your editor determines that none of the free utilities is yet up to
the task, he will venture into this area. But one can hope that
entrusting a vital business function to another proprietary package
will not be necessary.
As one can see, there is no shortage of alternatives to look at; no doubt
LWN readers will know of a few which your editor missed. Working through
this list will be more than enough to keep an editor busy for some time;
since your editor has no particular passion for accounting, it's also
likely to make him somewhat grumpier than usual. It's clearly not a topic
which can be covered in a single article. So expect a series of
installments as your editor heads into the accounting jungle and tries to
figure out whether it's possible to run a business completely on free
software or not.
Page editor: Jonathan Corbet
Security
Stability v. security fixes
May 9, 2007
This article was contributed by Jake Edge.
A whole pile of security
fixes for Red Hat Enterprise Linux 4 (RHEL4) was released at the beginning
of May; this event might not be noteworthy except that some of the
vulnerabilities were nearly two years old. This stands in contrast to
a recent Red Hat article describing the security track record of RHEL4,
which was covered on this page,
and made no mention of delays of this sort. Digging in a bit deeper to
try and understand why seems logical.
Of the thirteen fixes listed by LWN for that day, eleven are categorized
as having low severity by Red Hat, one is moderate and one is important.
The latter
is a recently reported vulnerability in xscreensaver that was given a
CVE number less than a month ago.
Of the dozen others, eight had CVE numbers from 2006 and four from 2005.
Red Hat classifies security issues based on their analysis of their impact;
both "low" and "moderate" vulnerabilities are unlikely to be exploitable,
with "moderate" vulnerabilities having worse consequences if they are
exploited. Under those definitions, it would certainly seem less important
to get those fixes out, but it would also seem like a headache to keep
track of them. Fedora Core released fixes for these issues ages ago and
those seem to have worked out, so why did Red Hat sit on them for RHEL4 for
so long? Mark Cox, from the Red Hat Security Response Team, explains:
So for example CVE-2005-4268 relies on an attacker giving a victim a
carefully crafted rather large cpio file, and getting the victim to open
it using the cpio command on a 64-bit platform. Even if the attacker
manages that, the ability to lead to code execution is unlikely. So we
defer these issues; customers don't want to go through an update and test
cycle just to fix such an issue. Then, when other issues of a higher
severity come up in the same package, or if we are to release an update
to that package for any other reason, we also pick up any fixes we
previously deferred.
Red Hat Enterprise Linux errata are batched into periodic 'updates'; what
was released this week was Update 5 for Red Hat Enterprise Linux 4.
So, for low and some moderate impact bugs, RHEL4 users must wait for patches
until some other issue with that package requires attention and then await
the next batch of fixes as an update release. An intervening update cycle
is not necessarily enough to push these fixes out as there have been several
update releases to RHEL4 since they were reported. RHEL customers prize
stability, and delayed security updates are part of Red Hat's process for
delivering that stability.
Security issues (and bugs in general) are funny beasts and sometimes their
implications do not become clear for a long time. Something that seems to
have a low impact is suddenly used in an unexpected way by a worm or some
other exploit and the impact needs to be recalculated. By holding back these
fixes for seemingly trivial security issues, Red Hat could be setting itself
up for an unpleasant security surprise someday.
Some customers may also feel that they are more at risk for a particular
issue than Red Hat thinks they are. Perhaps they use cpio
frequently on possibly untrusted data on their 64-bit machines. As things
currently stand, they had no fix available to them (at least via the normal
Red Hat update means) for more than a year; there was no easy way for them to
even know there is a problem. Red Hat tracks these bugs via bugzilla which
is open for anyone to use, but they only put out announcements when they
release a fix. It is hard to argue that customers should be trolling
security lists and/or bugzilla looking for security issues that might affect
them; this is, after all, what they pay Red Hat for.
As with seemingly everything in
the world of computers, there is a trade-off here; very few customers
would want to be upgrading their production systems frequently for low
impact bugs. On the other hand, they may not want to be exposed forever
to those same low impact bugs. Batching these kinds of fixes up into
security updates once or twice a year seems like a reasonable plan, but holding
on to updates for over a year may be just a bit more stability than some
customers were looking for.
New vulnerabilities
dovecot: directory traversal
Package(s): dovecot
CVE #(s): CVE-2007-2231
Created: May 8, 2007
Updated: May 21, 2008
Description:
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot
before 1.0.rc29, when using the zlib plugin, allows remote attackers to
read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot)
sequence in the mailbox name.

elinks: code execution
Package(s): elinks
CVE #(s): CVE-2007-2027
Created: May 7, 2007
Updated: June 7, 2007
Description:
Arnaud Giersch discovered that elinks incorrectly attempted to load
gettext catalogs from a relative path. If a user were tricked into
running elinks from a specific directory, a local attacker could execute
code with user privileges.

gimp: symlink issue
Package(s): gimp
CVE #(s): (none listed)
Created: May 8, 2007
Updated: May 9, 2007
Description:
The GIMP package in Fedora includes a helper script
/usr/sbin/gimp-plugin-mgr for plugins contained in other packages, for
example, xsane-gimp. This script manages symlinks from the GIMP plugin
directory (which may change between upgrades) to the actual location of the
plugins. A bug has been fixed in this erratum of GIMP that was in all
older GIMP packages. The bug concerns the execution order in which the
symlinks are installed and removed, causing the symlinks to vanish when the
GIMP package is updated.

ldap-account-manager: privilege escalation, possible cross-site scripting
Package(s): ldap-account-manager
CVE #(s): CVE-2006-7191, CVE-2007-1840
Created: May 7, 2007
Updated: May 9, 2007
Description:
An untrusted search path vulnerability in lamdaemon.pl in LDAP Account
Manager (LAM) before 1.0.0 allows local users to gain privileges via a
modified PATH that points to a malicious rm program. (CVE-2006-7191)

lib/modules.inc in LDAP Account Manager (LAM) before 1.3.0 does not escape
HTML special characters in LDAP data, which allows remote attackers to have
an unknown impact, probably cross-site scripting (XSS). (CVE-2007-1840)

lftp: shell command execution
Package(s): lftp
CVE #(s): CVE-2007-2348
Created: May 4, 2007
Updated: May 9, 2007
Description:
mirror --script in lftp before 3.5.9 does not properly quote shell
metacharacters, which might allow remote user-assisted attackers to execute
shell commands via a malicious script. NOTE: it is not clear whether this
issue crosses security boundaries, since the script already supports
commands such as "get" which could overwrite executable files.

moin: arbitrary JavaScript execution
Package(s): moin
CVE #(s): CVE-2007-2423
Created: May 8, 2007
Updated: March 10, 2008
Description:
A flaw was discovered in MoinMoin's error reporting when using the
AttachFile action. By tricking a user into viewing a crafted MoinMoin
URL, an attacker could execute arbitrary JavaScript as the current
MoinMoin user, possibly exposing the user's authentication information
for the domain where MoinMoin was hosted.

php: several vulnerabilities
Package(s): php
CVE #(s): CVE-2007-1864, CVE-2007-2509, CVE-2007-2510
Created: May 8, 2007
Updated: July 18, 2007
Description:
A heap buffer overflow flaw was found in the PHP 'xmlrpc' extension. A
PHP script which implements an XML-RPC server using this extension
could allow a remote attacker to execute arbitrary code as the 'apache'
user. Note that this flaw does not affect PHP applications using the
pure-PHP XML_RPC class provided in /usr/share/pear. (CVE-2007-1864)

A flaw was found in the PHP 'ftp' extension. If a PHP script used this
extension to provide access to a private FTP server, and passed untrusted
script input directly to any function provided by this extension, a remote
attacker would be able to send arbitrary FTP commands to the server.
(CVE-2007-2509)

A buffer overflow flaw was found in the PHP 'soap' extension, regarding the
handling of an HTTP redirect response when using the SOAP client provided
by this extension with an untrusted SOAP server. No mechanism to trigger
this flaw remotely is known. (CVE-2007-2510)

pop mail man-in-the-middle attacks
Package(s): evolution thunderbird mutt fetchmail
CVE #(s): CVE-2007-1558
Created: May 8, 2007
Updated: August 7, 2007
Description:
The APOP protocol allows remote attackers to guess the first 3 characters
of a password via man-in-the-middle (MITM) attacks that use crafted message
IDs and MD5 collisions. NOTE: this design-level issue potentially affects
all products that use APOP, including (1) Thunderbird, (2) Evolution, (3)
mutt, and (4) fetchmail.

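The APOP exchange behind the entry above, as an added example (not code from any of the listed mail clients): it computes the RFC 1939 digest and refuses to answer a greeting whose message ID is not a plain ASCII msg-id, a client-side hardening against crafted challenges that does not make MD5 itself any stronger. The function names, the length cap and the crafted sample greeting are assumptions made for this illustration.

```python
import hashlib
import re
from typing import Optional

# Characters allowed in an RFC 5322 dot-atom. Control bytes, 8-bit data,
# whitespace and nested angle brackets all fall outside this set.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = rf"{_ATOM}(?:\.{_ATOM})*"
_CHALLENGE = re.compile(rf"<{_DOT_ATOM}@{_DOT_ATOM}>")

MAX_CHALLENGE_LEN = 128  # assumed cap; genuine challenges are far shorter

# Greeting and shared secret taken from the APOP example in RFC 1939.
RFC1939_GREETING = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>\r\n"
# Constructed greeting: raw non-ASCII bytes embedded in the message ID.
CRAFTED_GREETING = b"+OK POP3 server ready <1896.\x80\x01\xff@dbc.mtview.ca.us>\r\n"


def extract_challenge(greeting: bytes) -> Optional[str]:
    """Return the APOP challenge from a POP3 greeting, or None if unusable."""
    if not greeting.startswith(b"+OK"):
        return None
    start = greeting.find(b"<")
    if start == -1:
        return None  # server does not offer APOP
    end = greeting.find(b">", start)
    if end == -1:
        return None
    raw = greeting[start:end + 1]
    if len(raw) > MAX_CHALLENGE_LEN:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None  # binary data has no place in a message ID
    return text if _CHALLENGE.fullmatch(text) else None


def apop_digest(challenge: str, secret: str) -> str:
    """RFC 1939 digest: hex MD5 of the challenge (brackets included) + secret."""
    return hashlib.md5((challenge + secret).encode("utf-8")).hexdigest()


def apop_command(greeting: bytes, user: str, secret: str) -> Optional[str]:
    """Build the APOP command, or return None when the challenge is rejected.

    On None the caller should not fall back to sending a digest anyway;
    it should abort or authenticate over a TLS-protected channel instead.
    """
    challenge = extract_challenge(greeting)
    if challenge is None:
        return None
    return f"APOP {user} {apop_digest(challenge, secret)}"


if __name__ == "__main__":
    print(apop_command(RFC1939_GREETING, "mrose", "tanstaaf"))
    print(apop_command(CRAFTED_GREETING, "mrose", "tanstaaf"))
```
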
pptpd: denial of service
Package(s): pptpd
CVE #(s): CVE-2007-0244
Created: May 9, 2007
Updated: September 3, 2007
Description:
The PoPToP server daemon contains a bug which allows an attacker to tear down a connection through a malformed GRE packet.

python: information disclosure
Package(s): python
CVE #(s): CVE-2007-2052
Created: May 9, 2007
Updated: July 28, 2008
Description:
Python 2.4 and 2.5 contain a bug in PyLocale_strxfrm() which could enable an attacker to read portions of unrelated memory.

tetex: buffer overflow
Package(s): tetex
CVE #(s): CVE-2007-0650
Created: May 8, 2007
Updated: May 13, 2008
Description:
A buffer overflow in the open_sty function in mkind.c for makeindex 2.14 in
teTeX might allow user-assisted remote attackers to overwrite files and
possibly execute arbitrary code via a long filename. NOTE: other overflows
exist but might not be exploitable, such as a heap-based overflow in the
check_idx function.

Updated vulnerabilities
aircrack-ng: remote execution of arbitrary code
| Package(s): | aircrack-ng |
CVE #(s): | CVE-2007-2057
|
| Created: | April 23, 2007 |
Updated: | May 23, 2007 |
| Description: |
Jonathan So reported that the airodump-ng module does not correctly
check the size of 802.11 authentication packets before copying them
into a buffer. A remote attacker could trigger a stack-based buffer
overflow by sending a specially crafted 802.11 authentication packet to a
user running airodump-ng with the -w (--write) option. This could lead to
the remote execution of arbitrary code with the permissions of the user
running airodump-ng, which is typically the root user. |
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2006-3918
|
| Created: | August 9, 2006 |
Updated: | April 4, 2008 |
| Description: |
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header." |
Asterisk: two SIP denial of service vulnerabilities
| Package(s): | Asterisk |
CVE #(s): | CVE-2007-1561
CVE-2007-1594
|
| Created: | April 3, 2007 |
Updated: | August 27, 2007 |
| Description: |
The Madynes research team at INRIA has discovered that Asterisk contains a
null pointer dereferencing error in the SIP channel when handling INVITE
messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to
properly handle SIP responses with return code 0. A remote attacker could
cause an Asterisk server listening for SIP messages to crash by sending a
specially crafted SIP message or answering with a 0 return code. |
bluez-utils: hidd vulnerability
| Package(s): | bluez-utils |
CVE #(s): | CVE-2006-6899
|
| Created: | January 16, 2007 |
Updated: | May 14, 2007 |
| Description: |
hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain
control of the Mouse and Keyboard Human Interface Device (HID) via a
certain configuration of two HID (PSM) endpoints, operating as a server,
aka HidAttack. |
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
CVE #(s): | CVE-2006-5453
CVE-2006-5454
CVE-2006-5455
|
| Created: | November 10, 2006 |
Updated: | August 28, 2007 |
| Description: |
Bugzilla has the following vulnerabilities:
Input data passed to various fields is not properly sanitized before
being passed back to users.
Users can gain unauthorized access to read attachment
descriptions while using diff mode.
HTTP GET and HTTP POST requests can be used to perform unauthorized
actions due to improper verification.
Input that is passed to showdependencygraph.cgi is not properly
sanitized before being returned to users. |
busybox: insecure password generation
| Package(s): | busybox |
CVE #(s): | CVE-2006-1058
|
| Created: | May 5, 2006 |
Updated: | May 2, 2007 |
| Description: |
The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. As a result, a brute-force attack could
take very little time. |
capi4k-utils: buffer overflow
| Package(s): | capi4k-utils |
CVE #(s): | CVE-2007-1217
|
| Created: | April 30, 2007 |
Updated: | May 2, 2007 |
| Description: |
The bufprint() function in capi4k-utils fails to properly check boundaries
of data coming from CAPI packets. A local attacker could possibly escalate
privileges or cause a Denial of Service by sending a crafted CAPI packet. |
clamav: several vulnerabilities
| Package(s): | clamav |
CVE #(s): | CVE-2007-1745
CVE-2007-1997
|
| Created: | April 20, 2007 |
Updated: | May 9, 2007 |
| Description: |
The chm_decompress_stream function in libclamav/chmunpack.c leaks file
descriptors, which has unknown impact and attack vectors involving a
crafted CHM file. (CVE-2007-1745)
Integer signedness error in the (1) cab_unstore and (2) cab_extract
functions in libclamav/cab.c might allow remote attackers to execute
arbitrary code via a crafted CHM file that contains a negative integer,
which passes a signed comparison and leads to a stack-based buffer
overflow. (CVE-2007-1997) |
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | May 8, 2007 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e.g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
cups: denial of service
| Package(s): | cups |
CVE #(s): | CVE-2007-0720
|
| Created: | March 26, 2007 |
Updated: | February 7, 2008 |
| Description: |
Previous versions of the cups package could be forced to hang via a client
"partially negotiating" an ssl connection. In this state, cups would not
allow other connections to be made, a denial of service. |
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
CVE #(s): | CVE-2006-1721
|
| Created: | April 21, 2006 |
Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending a specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate. |
dovecot: index cache file handling error
| Package(s): | dovecot |
CVE #(s): | CVE-2006-5973
|
| Created: | November 29, 2006 |
Updated: | May 8, 2007 |
| Description: |
The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable. |
evolution: format string error
| Package(s): | evolution |
CVE #(s): | CVE-2007-1002
|
| Created: | March 27, 2007 |
Updated: | February 27, 2008 |
| Description: |
A format string error in the "write_html()" function in calendar/gui/
e-cal-component-memo-preview.c when displaying a memo's categories can
potentially be exploited to execute arbitrary code via a specially crafted
shared memo containing format specifiers. |
fail2ban: denial of service
| Package(s): | fail2ban |
CVE #(s): | CVE-2006-6302
|
| Created: | February 16, 2007 |
Updated: | July 30, 2007 |
| Description: |
fail2ban 0.7.4 and earlier does not properly parse sshd log files, which
allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file
and cause a denial of service by adding arbitrary IP addresses to the sshd
log file, as demonstrated by logging in to ssh using a login name
containing certain strings with an IP address. |
ffmpeg: buffer overflows
| Package(s): | ffmpeg |
CVE #(s): | CVE-2006-4799
CVE-2006-4800
|
| Created: | September 14, 2006 |
Updated: | May 28, 2007 |
| Description: |
The AVI processing code in FFmpeg has a number of buffer overflow
vulnerabilities.
If an attacker can trick a user into loading a specially
crafted AVI, arbitrary code can be executed with the user's privileges. |
file: denial of service
| Package(s): | file |
CVE #(s): | CVE-2007-2026
|
| Created: | April 18, 2007 |
Updated: | May 25, 2007 |
| Description: |
The GNU regular expression code in file 4.20 allows context-dependent
attackers to cause a denial of service (CPU consumption) via a crafted
document with a large number of line feed characters, which is not well
handled by OS/2 REXX regular expressions that use wildcards, as originally
reported for AMaViS. |
file: arbitrary code execution
| Package(s): | file |
CVE #(s): | CVE-2007-1536
|
| Created: | March 22, 2007 |
Updated: | May 30, 2007 |
| Description: |
The "file" utility incorrectly checks the allocated heap memory size.
If a remote attacker can trick a user into looking at specially crafted
files with file, arbitrary code can be executed with the user's privileges. |
firefox: FTP PASV port-scanning
| Package(s): | firefox seamonkey |
CVE #(s): | CVE-2007-1562
|
| Created: | March 23, 2007 |
Updated: | June 4, 2007 |
| Description: |
According to this
advisory, the FTP protocol includes the PASV (passive) command which is
used by Firefox to request an alternate data port. The specification of the
FTP protocol allows the server response to include an alternate server
address as well, although this is rarely used in practice. |
freeradius: memory leak
| Package(s): | freeradius |
CVE #(s): | CVE-2007-2028
|
| Created: | April 17, 2007 |
Updated: | May 15, 2007 |
| Description: |
A memory leak in freeRADIUS 1.1.5 and earlier allows remote attackers to
cause a denial of service (memory consumption) via a large number of
EAP-TTLS tunnel connections using malformed Diameter format attributes,
which causes the authentication request to be rejected but does not reclaim
VALUE_PAIR data structures. |
freetype: integer overflows
| Package(s): | freetype |
CVE #(s): | CVE-2006-0747
CVE-2006-1861
CVE-2006-2493
CVE-2006-2661
CVE-2006-3467
|
| Created: | June 8, 2006 |
Updated: | October 10, 2007 |
| Description: |
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
gcc: file overwrite vulnerability
| Package(s): | gcc |
CVE #(s): | CVE-2006-3619
|
| Created: | September 6, 2006 |
Updated: | March 14, 2008 |
| Description: |
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
gd: buffer overflow
| Package(s): | gd |
CVE #(s): | CVE-2007-0455
|
| Created: | February 7, 2007 |
Updated: | February 28, 2008 |
| Description: |
The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable. |
gdb: buffer overflow
| Package(s): | gdb |
CVE #(s): | CVE-2006-4146
|
| Created: | September 15, 2006 |
Updated: | June 12, 2007 |
| Description: |
A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU
Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to
execute arbitrary code via a crafted file with a location block
(DW_FORM_block) that contains a large number of operations. |
gdm: improper file permissions
| Package(s): | gdm |
CVE #(s): | CVE-2006-1057
|
| Created: | April 19, 2006 |
Updated: | May 2, 2007 |
| Description: |
The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
gimp: arbitrary code execution
| Package(s): | gimp |
CVE #(s): | CVE-2007-2356
|
| Created: | May 1, 2007 |
Updated: | June 11, 2007 |
| Description: |
From this Secunia
advisory: "Marsu has discovered a vulnerability in Gimp, which
can be exploited by malicious people to compromise a user's system. The
vulnerability is caused due to an error within the "set_color_table()"
function in plug-ins/common/sunras.c. This can be exploited to cause a
stack-based buffer overflow by e.g. tricking a user into opening a
specially crafted .RAS file." |
gzip: multiple vulnerabilities
| Package(s): | gzip |
CVE #(s): | CVE-2006-4334
CVE-2006-4335
CVE-2006-4336
CVE-2006-4337
CVE-2006-4338
|
| Created: | September 19, 2006 |
Updated: | June 1, 2007 |
| Description: |
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code. |
horde-kronolith: local file inclusion
| Package(s): | horde-kronolith |
CVE #(s): | CVE-2006-6175
|
| Created: | January 17, 2007 |
Updated: | March 7, 2008 |
| Description: |
Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered
string is used instead of a sanitized string to view local files. An
authenticated attacker could craft an HTTP GET request that uses directory
traversal techniques to execute any file on the web server as PHP code,
which could allow information disclosure or arbitrary code execution with
the rights of the user running the PHP application (usually the webserver
user). |
ImageMagick: integer overflows
| Package(s): | imagemagick |
CVE #(s): | CVE-2007-1797
|
| Created: | April 4, 2007 |
Updated: | April 17, 2008 |
| Description: |
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote
attackers to execute arbitrary code via (1) a crafted DCM image, which
results in a heap-based overflow in the ReadDCMImage function, or (2) the
(a) colors or (b) comments field in a crafted XWD image, which results in a
heap-based overflow in the ReadXWDImage function, different issues than
CVE-2007-1667. |
imlib2: arbitrary code execution
| Package(s): | imlib2 |
CVE #(s): | CVE-2006-4806
CVE-2006-4807
CVE-2006-4808
CVE-2006-4809
|
| Created: | November 6, 2006 |
Updated: | August 13, 2007 |
| Description: |
M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the
validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user
were tricked into viewing or processing a specially crafted image with
an application that uses imlib2, the flaws could be exploited to execute
arbitrary code with the user's privileges. |
ipsec-tools: denial of service
| Package(s): | ipsec-tools |
CVE #(s): | CVE-2007-1841
|
| Created: | April 10, 2007 |
Updated: | August 28, 2007 |
| Description: |
A flaw was discovered in the IPSec key exchange server "racoon". Remote
attackers could send a specially crafted packet and disrupt established
IPSec tunnels, leading to a denial of service. |
java: multiple vulnerabilities
| Package(s): | java |
CVE #(s): | CVE-2006-4339
CVE-2006-4790
CVE-2006-6731
CVE-2006-6736
CVE-2006-6737
CVE-2006-6745
|
| Created: | January 18, 2007 |
Updated: | June 8, 2007 |
| Description: |
Java has multiple vulnerabilities, including:
an RSA exponent padding attack vulnerability, two vulnerabilities
which allow untrusted applets to access data in other applets,
vulnerabilities that involve applets gaining privileges due to
serialization bugs in the JRE, and buffer overflows in the Java image
handling routines that can give attackers read/write/execute capabilities
for local files. |
kdelibs: cross-site scripting
| Package(s): | kdelibs konqueror |
CVE #(s): | CVE-2007-0537
|
| Created: | February 5, 2007 |
Updated: | August 13, 2007 |
| Description: |
Konqueror 3.5.5 does not properly parse HTML comments, which allows remote
attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS
protection schemes by embedding certain HTML tags within a comment, a |