LWN.net Logo

Security

Red Hat and IBM get certified

Red Hat and IBM recently announced that Red Hat Enterprise Linux 5 (RHEL5) has earned the highest level of security certification achievable by commercial off-the-shelf operating systems. The certification is applicable when RHEL5 is running on IBM hardware, but all of the software is freely available, which may reduce the worries of customers regardless of which hardware they are considering running Linux on. The Fedora and CentOS distributions will immediately benefit, because they use the same software and SELinux policies, but other distributions can use the information as well.

The certification that RHEL5 achieved comes from one of the most acronym-dense regions of the internet, which is, perhaps, unsurprising for a partnership between industry and the US government. Here is how the press release puts it:

[RHEL5] has been approved by the National Information Assurance Partnership for Common Criteria Evaluation & Validation Scheme [NIAP-CCEVS] at Evaluation Assurance Level 4 (EAL4+) for Labeled Security Protection Profile (LSPP), Controlled Access Protection Profile (CAPP), and Role-Based Access Control Protection Profile (RBAC).

The NIAP is overseen by the US National Security Agency (NSA) and exists to create and administer certification programs like CCEVS.

The various protection profiles list the security requirements that need to be met to be certified. CAPP is concerned mostly with standard UNIX-style users and permissions, with some audit requirements thrown in. LSPP and RBAC are concerned with the security capabilities provided by SELinux along with auditing requirements. The profiles document the behavior that is expected while the testing verifies that the system does indeed behave that way.

These kinds of certifications are nice, in a checkbox kind of way. There are many organizations that cannot or will not buy products that are not certified for a particular level and protection profile. Windows Server has been certified at EAL4, so filling in this checkbox for Linux may well remove a barrier to Linux adoption in some places. Obtaining certification at this level is great deal of work; Red Hat and IBM are to be commended for spending the time and money to get to this point.

That being said, what does an EAL4+ mean for the security of servers that run RHEL5? As we said in late 2003, when (pre-Novell) SuSE teamed up with IBM to get an EAL2+ certification, the answer is, unfortunately, not much. It would seem that EAL4+ is a big step up from EAL2+, which it is, but not in the kinds of protections it provides. The EAL level is completely driven by how much testing and documentation go into the certification; how much "assurance" there is that the profile is met. The same profile (CAPP) was used in both.

In addition, the protection profiles are limited to:

a level of protection, which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security. The profile is not intended to be applicable to circumstances in which protection is required against determined attempts by hostile and well-funded attackers to breach system security.

This puts most, if not all, interesting security threats outside of the scope of the testing. Adding two additional protection profiles, as was done this time, is certainly significant, but they still operate under the "no hostiles" caveat.

Kernel hacker James Morris comments on the certification:

A lot of people thought it would be outright impossible to get an open source OS certified at this level. Not only were they wrong, but we've done it in a way which makes it part of the mainline kernel, upstream userland, and integrated into standard distributions. It is not some out-dated, incompatible and outrageously expensive fork of the OS, as has historically been the case with trusted OSes. "Military-strength" security is just now just another feature you get as standard in Linux, and it receives the same testing and community benefits as the rest of the OS.

Evidently, "military strength" security is only able to resist its own users making mistakes rather than a concerted effort by an enemy, but this is still a marvelous accomplishment.

Perhaps the most unfortunate part of this certification process is that it is likely to vastly underestimate the abilities of an SELinux equipped system. It would be very interesting to see what kind of protection profile could actually be accommodated by RHEL5; it is likely to be much stronger than any we have seen from CCEVS. But, given that customers are typically interested in the checkbox much more than security, we will probably never know.

Comments (5 posted)

New vulnerabilities

apache2: information disclosure

Package(s):apache CVE #(s):CVE-2007-1862
Created:June 20, 2007 Updated:February 18, 2008
Description: From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users."
Alerts:
Fedora FEDORA-2008-1711 2008-02-15
Fedora FEDORA-2007-0704 2007-06-26
Mandriva MDKSA-2007:127 2007-06-19

Comments (2 posted)

evolution-data-server: malicious server arbitrary code execution

Package(s):evolution-data-server CVE #(s):CVE-2007-3257
Created:June 18, 2007 Updated:November 7, 2007
Description: From the GNOME bugzilla: "The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is converted from a string using strtol. This allows for negative values. The imap_rescan uses this value as an int. It checks for !seq and seq>summary.length. It doesn't check for seq < 0. Although seq is used as the index of an array."
Alerts:
Gentoo 200711-04 2007-11-06
Gentoo 200707-03 2007-07-02
SuSE SUSE-SA:2007:042 2007-07-05
Debian DSA-1325-1 2007-06-29
Fedora FEDORA-2007-594 2007-06-27
Fedora FEDORA-2007-595 2007-06-27
Mandriva MDKSA-2007:136 2007-06-26
Red Hat RHSA-2007:0510-01 2007-06-25
Red Hat RHSA-2007:0509-01 2007-06-25
Debian DSA-1321-1 2007-06-23
Ubuntu USN-475-1 2007-06-21
Fedora FEDORA-2007-0464 2007-06-16

Comments (1 posted)

gd: denial of service

Package(s):gd CVE #(s):CVE-2007-2756
Created:June 14, 2007 Updated:February 28, 2008
Description: Libgd2 has a denial of service vulnerability involving the incorrect validation of PNG callback results. If an application that is linked against libgd2 is used to process a specially-crafted PNG file, a denial of service involving CPU resource consumption can be caused.
Alerts:
Red Hat RHSA-2008:0146-01 2008-02-28
Slackware SSA:2007-178-01 2007-06-27
SuSE SUSE-SR:2007:013 2007-06-22
Mandriva MDKSA-2007:124 2007-06-13
Mandriva MDKSA-2007:123 2007-06-13
Mandriva MDKSA-2007:122 2007-06-13

Comments (none posted)

iscsi-initiator-utils: denial of service

Package(s):iscsi-initiator-utils CVE #(s):CVE-2007-3099 CVE-2007-3100
Created:June 14, 2007 Updated:June 20, 2007
Description: The iscsid SCSI management daemon has two denial of service vulnerabilities. The first involves checking the client's uid on the listening socket instead of the newly accepted connection, this allows anyone to to perform management operations on the iSCSI initiator and crash iscsid. The second vulnerability involves the iscsid logging mechanism. Logs are sent to a shared memory area and a child process feeds them to syslog. The memory is protected by a semaphore wet to mode 0666, allowing arbitrary access to the semaphore. Random users can lock up the semaphore and iscsid will block and hang on the next attempt to send a log message.
Alerts:
Debian DSA-1314-1 2007-06-19
Fedora FEDORA-2007-0543 2007-06-18
Red Hat RHSA-2007:0497-01 2007-06-14
Fedora FEDORA-2007-590 2007-06-13
Fedora FEDORA-2007-589 2007-06-13

Comments (none posted)

libexif: integer overflow

Package(s):libexif CVE #(s):CVE-2007-4168 CVE-2006-4168
Created:June 15, 2007 Updated:July 3, 2007
Description: An integer overflow flaw was found in the way libexif parses EXIF image tags. If a victim opens a carefully crafted EXIF image file it could cause the application linked against libexif to execute arbitrary code or crash.
Alerts:
SuSE SUSE-SA:2007:039 2007-07-03
Fedora FEDORA-2007-614 2007-06-27
Ubuntu USN-478-1 2007-06-26
Gentoo 200706-09 2007-06-26
Fedora FEDORA-2007-605 2007-06-25
rPath rPSA-2007-0131-1 2007-06-25
Foresight FLEA-2007-0028-1 2007-06-22
Mandriva MDKSA-2007:128 2007-06-19
Debian DSA-1310-1 2007-06-16
Red Hat RHSA-2007:0501-01 2007-06-14

Comments (none posted)

libphp-phpmailer: command execution

Package(s):libphp-phpmailer CVE #(s):CVE-2007-3215
Created:June 20, 2007 Updated:June 20, 2007
Description: libphp-phpmailer does not do sufficient input validation, enabling shell command injection attacks.
Alerts:
Debian DSA-1315-1 2007-06-19

Comments (none posted)

mplayer: buffer overflow

Package(s):mplayer CVE #(s):CVE-2007-2948
Created:June 20, 2007 Updated:July 25, 2007
Description: The CDDB code in mplayer suffers from "insufficient boundary checks," leaving it exposed to buffer overruns.
Alerts:
Gentoo 200707-07 2007-07-24
SuSE SUSE-SR:2007:014 2007-07-20
Mandriva MDKSA-2007:143 2007-07-10
Debian DSA-1313-1 2007-06-19

Comments (none posted)

phpPgAdmin: cross-site scripting

Package(s):phppgadmin CVE #(s):CVE-2007-2865 CVE-2007-5728
Created:June 18, 2007 Updated:November 23, 2007
Description: A cross-site scripting (XSS) vulnerability in sqledit.php in phpPgAdmin 4.1.1 allows remote attackers to inject arbitrary web script or HTML via the server parameter.
Alerts:
SuSE SUSE-SR:2007:024 2007-11-22
Fedora FEDORA-2007-1013 2007-07-11
Fedora FEDORA-2007-0469 2007-06-16

Comments (none posted)

phprojekt: multiple vulnerabilities

Package(s):phprojekt CVE #(s):CVE-2007-1575 CVE-2007-1639 CVE-2007-1638 CVE-2007-1576
Created:June 20, 2007 Updated:June 20, 2007
Description: There is a long list of vulnerabilities in PHProjekt prior to version 5.2.1; they can be exploited (by an authenticated user) for SQL injection attacks, arbitrary PHP code execution, and cross-site scripting.
Alerts:
Gentoo 200706-07 2007-06-19

Comments (none posted)

Updated vulnerabilities

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

Asterisk: two SIP denial of service vulnerabilities

Package(s):Asterisk CVE #(s):CVE-2007-1561 CVE-2007-1594
Created:April 3, 2007 Updated:August 27, 2007
Description: The Madynes research team at INRIA has discovered that Asterisk contains a null pointer dereferencing error in the SIP channel when handling INVITE messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to properly handle SIP responses with return code 0. A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP message or answering with a 0 return code.
Alerts:
Debian DSA-1358-1 2007-08-26
SuSE SUSE-SA:2007:034 2007-06-06
Gentoo 200704-01 2007-04-02

Comments (none posted)

bugzilla: multiple vulnerabilities

Package(s):bugzilla CVE #(s):CVE-2006-5453 CVE-2006-5454 CVE-2006-5455
Created:November 10, 2006 Updated:August 28, 2007
Description: Bugzilla has the following vulnerabilities:

Input data passed to various fields is not properly sanitized before being passed back to users.

Users can gain unauthorized access to read attachment descriptions while using diff mode.

HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification.

Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users.

Alerts:
Debian DSA-1208-1 2006-11-11
Gentoo 200611-04 2006-11-09

Comments (none posted)

clamav: denial of service

Package(s):clamav CVE #(s):CVE-2007-2650
Created:June 5, 2007 Updated:July 20, 2007
Description: A vulnerability in the OLE2 parser in ClamAV was found that could allow a remote attacker to cause a denial of service via resource consumption with a carefully crafted OLE2 file.
Alerts:
Fedora FEDORA-2007-1154 2007-07-19
Debian DSA-1320-1 2007-06-23
Gentoo 200706-05 2007-06-15
Trustix TSLSA-2007-0020 2007-06-08
SuSE SUSE-SA:2007:033 2007-06-06
Mandriva MDKSA-2007:115 2007-06-04

Comments (none posted)

cups: denial of service

Package(s):cups CVE #(s):CVE-2007-0720
Created:March 26, 2007 Updated:February 7, 2008
Description: Previous versions of the cups package could be forced to hang via a client "partially negotiating" an ssl connection. In this state, cups would not allow other connections to be made, a denial of service.
Alerts:
Mandriva MDVSA-2008:036 2007-02-06
Mandriva MDKSA-2007:086 2007-04-16
Red Hat RHSA-2007:0123-01 2007-04-16
Gentoo 200703-28 2007-03-31
Foresight FLEA-2007-0003-1 2007-03-25

Comments (none posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

dovecot: directory traversal

Package(s):dovecot CVE #(s):CVE-2007-2231
Created:May 8, 2007 Updated:May 21, 2008
Description: Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
Alerts:
Red Hat RHSA-2008:0297-02 2008-05-21
Debian DSA-1359-1 2007-08-28
Ubuntu USN-487-1 2007-07-17
Fedora FEDORA-2007-493 2007-05-07

Comments (none posted)

evolution: format string error

Package(s):evolution CVE #(s):CVE-2007-1002
Created:March 27, 2007 Updated:February 27, 2008
Description: A format string error in the "write_html()" function in calendar/gui/ e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers.
Alerts:
SuSE SUSE-SR:2007:015 2007-08-03
Gentoo 200706-02 2007-06-06
Red Hat RHSA-2007:0158-01 2007-05-03
Foresight FLEA-2007-0010-1 2007-04-05
Fedora FEDORA-2007-404 2007-04-04
Fedora FEDORA-2007-393 2007-04-04
Mandriva MDKSA-2007:070 2007-03-27

Comments (1 posted)

pop mail man-in-the-middle attacks

Package(s):evolution thunderbird mutt fetchmail CVE #(s):CVE-2007-1558
Created:May 8, 2007 Updated:August 7, 2007
Description: The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird, (2) Evolution, (3) mutt, and (4) fetchmail.
Alerts:
Fedora FEDORA-2007-1447 2007-08-06
rPath rPSA-2007-0127-1 2007-06-19
Foresight FLEA-2007-0026-1 2007-06-18
rPath rPSA-2007-0122-1 2007-06-14
Red Hat RHSA-2007:0385-01 2007-06-07
rPath rPSA-2007-0114-1 2007-06-04
Mandriva MDKSA-2007:113 2007-06-04
Red Hat RHSA-2007:0386-01 2007-06-04
Fedora FEDORA-2007-0001 2007-06-01
Fedora FEDORA-2007-552 2007-05-31
Fedora FEDORA-2007-552 2007-05-31
Fedora FEDORA-2007-552 2007-05-31
Fedora FEDORA-2007-552 2007-05-31
Fedora FEDORA-2007-550 2007-05-31
Fedora FEDORA-2007-551 2007-05-31
Red Hat RHSA-2007:0401-01 2007-05-30
Fedora FEDORA-2007-539 2007-05-30
Fedora FEDORA-2007-540 2007-05-30
Red Hat RHSA-2007:0344-01 2007-05-30
Mandriva MDKSA-2007:107 2007-05-19
Mandriva MDKSA-2007:105 2007-05-17
Red Hat RHSA-2007:0353-01 2007-05-17
Fedora FEDORA-2007-484 2007-05-07
Fedora FEDORA-2007-485 2007-05-07

Comments (none posted)

fail2ban: denial of service

Package(s):fail2ban CVE #(s):CVE-2006-6302
Created:February 16, 2007 Updated:July 30, 2007
Description: fail2ban 0.7.4 and earlier does not properly parse sshd logs file, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in to ssh using a login name containing certain strings with an IP address.
Alerts:
Gentoo 200702-05 2007-02-16

Comments (3 posted)

file: integer overflow

Package(s):file CVE #(s):CVE-2007-2799
Created:June 1, 2007 Updated:October 19, 2007
Description: Colin Percival from FreeBSD reported that the previous fix for the file_printf() buffer overflow introduced a new integer overflow. A remote attacker could entice a user to run the file program on an overly large file (more than 1Gb) that would trigger an integer overflow on 32-bit systems, possibly leading to the execution of arbitrary code with the rights of the user running file.
Alerts:
Gentoo 200710-19 2007-10-18
Debian DSA-1343-2 2007-09-25
Debian DSA-1343-1 2007-07-31
SuSE SUSE-SA:2007:040 2007-07-04
Fedora FEDORA-2007-0836 2007-07-03
Fedora FEDORA-2007-538 2007-06-11
Fedora FEDORA-2007-541 2007-06-11
Ubuntu USN-439-2 2007-06-11
Mandriva MDKSA-2007:114 2007-06-05
Gentoo 200705-25 2007-05-31

Comments (3 posted)

firefox: multiple vulnerabilities

Package(s):firefox mozilla seamonkey thunderbird CVE #(s):CVE-2007-1362 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2870 CVE-2007-2871
Created:June 4, 2007 Updated:August 29, 2007
Description: Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user's privileges. (CVE-2007-2867, CVE-2007-2868)

A flaw was discovered in the form autocomplete feature. By tricking a user into opening a malicious web page, an attacker could cause a persistent denial of service. (CVE-2007-2869)

Nicolas Derouet discovered flaws in cookie handling. By tricking a user into opening a malicious web page, an attacker could force the browser to consume large quantities of disk or memory while processing long cookie paths. (CVE-2007-1362)

A flaw was discovered in the same-origin policy handling of the addEventListener JavaScript method. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-2870) Chris Thomas discovered a flaw in XUL popups. A malicious web site could exploit this to spoof or obscure portions of the browser UI, such as the location bar. (CVE-2007-2871)

Alerts:
Ubuntu USN-469-2 2007-08-29
SuSE SUSE-SA:2007:036 2007-06-27
Mandriva MDKSA-2007:131 2007-06-20
Gentoo 200706-06 2007-06-19
Foresight FLEA-2007-0027-1 2007-06-20
Fedora FEDORA-2007-0544 2007-06-18
Mandriva MDKSA-2007:126-1 2007-06-16
Mandriva MDKSA-2007:126 2007-06-15
Slackware SSA:2007-165-01 2007-06-15
Debian DSA-1308-1 2007-06-14
Mandriva MDKSA-2007:120 2007-06-12
Mandriva MDKSA-2007:119 2007-06-12
Debian DSA-1305-1 2007-06-13
Debian DSA-1306-1 2007-06-12
Debian DSA-1300-1 2007-06-07
Ubuntu USN-469-1 2007-06-05
Slackware SSA:2007-152-02 2007-06-04
Ubuntu USN-468-1 2007-06-01

Comments (3 posted)

freetype: arbitrary code execution

Package(s):freetype CVE #(s):CVE-2007-2754
Created:May 24, 2007 Updated:July 19, 2007
Description: The Freetype font rendering library versions 2.3.4 and below has an integer sign error. Remote attackers may be able to create a specially crafted TrueType Font file with a negative n_points value that will cause an integer overflow and heap-based buffer overflow, allowing the execution of arbitrary code.
Alerts:
Debian DSA-1334 2007-07-18
SuSE SUSE-SA:2007:041 2007-07-04
Fedora FEDORA-2007-561 2007-06-18
Mandriva MDKSA-2007:121 2007-06-13
Foresight FLEA-2007-0025-1 2007-06-13
Red Hat RHSA-2007:0403-01 2007-06-11
Debian DSA-1302-1 2007-06-10
Fedora FEDORA-2007-0033 2007-06-01
Ubuntu USN-466-1 2007-05-30
Gentoo 200705-22 2007-05-30
Trustix TSLSA-2007-0019 2007-05-25
rPath rPSA-2007-0108-1 2007-05-23
Foresight FLEA-2007-0020-1 2007-05-21
OpenPKG OpenPKG-SA-2007.018 2007-05-24

Comments (none posted)

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:October 10, 2007
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

gcc: file overwrite vulnerability

Package(s):gcc CVE #(s):CVE-2006-3619
Created:September 6, 2006 Updated:March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Mandriva MDVSA-2008:066 2007-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

Comments (none posted)

gd: buffer overflow

Package(s):gd CVE #(s):CVE-2007-0455
Created:February 7, 2007 Updated:February 28, 2008
Description: The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable.
Alerts:
Red Hat RHSA-2008:0146-01 2008-02-28
Ubuntu USN-473-1 2007-06-11
OpenPKG OpenPKG-SA-2007.016 2007-05-18
Trustix TSLSA-2007-0007 2007-02-13
Fedora FEDORA-2007-150 2007-02-12
Fedora FEDORA-2007-149 2007-02-12
rPath rPSA-2007-0028-1 2007-02-08
Mandriva MDKSA-2007:038 2006-02-06
Mandriva MDKSA-2007:036 2006-02-06
Mandriva MDKSA-2007:035 2006-02-06

Comments (2 posted)

horde-kronolith: local file inclusion

Package(s):horde-kronolith CVE #(s):CVE-2006-6175
Created:January 17, 2007 Updated:March 7, 2008
Description: Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered string is used instead of a sanitized string to view local files. An authenticated attacker could craft an HTTP GET request that uses directory traversal techniques to execute any file on the web server as PHP code, which could allow information disclosure or arbitrary code execution with the rights of the user running the PHP application (usually the webserver user).
Alerts:
Gentoo 200701-11 2007-01-16

Comments (none posted)

ImageMagick: integer overflows

Package(s):imagemagick CVE #(s):CVE-2007-1797
Created:April 4, 2007 Updated:April 17, 2008
Description: Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667.
Alerts:
Red Hat RHSA-2008:0165-01 2008-04-16
Red Hat RHSA-2008:0145-01 2008-04-16
Fedora FEDORA-2007-1340 2007-07-30
Mandriva MDKSA-2007:147 2007-07-20
Ubuntu USN-481-1 2007-07-10
Gentoo 200705-13 2007-05-10
Fedora FEDORA-2007-414 2007-04-17
Fedora FEDORA-2007-413 2007-04-05
rPath rPSA-2007-0064-1 2007-04-04

Comments (none posted)

imlib2: arbitrary code execution

Package(s):imlib2 CVE #(s):CVE-2006-4806 CVE-2006-4807 CVE-2006-4808 CVE-2006-4809
Created:November 6, 2006 Updated:August 13, 2007
Description: M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Mandriva MDKSA-2007:156 2007-08-10
Gentoo 200612-20 2006-12-20
Fedora FEDORA-EXTRAS-2006-004 2006-11-09
Mandriva MDKSA-2006:198-1 2006-11-06
Mandriva MDKSA-2006:198 2006-11-06
Ubuntu USN-376-2 2006-11-06
Ubuntu USN-376-1 2006-11-03

Comments (none posted)

ipsec-tools: denial of service

Package(s):ipsec-tools CVE #(s):CVE-2007-1841
Created:April 10, 2007 Updated:August 28, 2007
Description: A flaw was discovered in the IPSec key exchange server "racoon". Remote attackers could send a specially crafted packet and disrupt established IPSec tunnels, leading to a denial of service.
Alerts:
Fedora FEDORA-2007-665 2007-08-27
Debian DSA-1299-1 2007-06-07
Red Hat RHSA-2007:0342-01 2007-05-17
Gentoo 200705-09 2007-05-08
SuSE SUSE-SR:2007:008 2007-04-27
Mandriva MDKSA-2007:084 2007-04-16
Ubuntu USN-450-1 2007-04-09

Comments (none posted)

jasper: denial of service

Package(s):jasper CVE #(s):CVE-2007-2721
Created:June 1, 2007 Updated:November 6, 2007
Description: The jpc_qcx_getcompparms function in jpc/jpc_cs.c could allow remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files.
Alerts:
Mandriva MDKSA-2007:209 2007-11-05
Mandriva MDKSA-2007:208 2007-11-05
Ubuntu USN-501-2 2007-10-22
Ubuntu USN-501-1 2007-08-20
Mandriva MDKSA-2007:129 2007-06-19
Fedora FEDORA-2007-0001 2007-06-01

Comments (none posted)

kdebase: information leak

Package(s):kdebase CVE #(s):CVE-2007-2022
Created:June 13, 2007 Updated:September 19, 2007
Description: A problem with the interaction between the Flash Player and the Konqueror web browser was found. The problem could lead to key presses leaking to the Flash Player applet instead of the browser. NOTE: CVE number may be incorrect, see CVE entry
Alerts:
rPath rPSA-2007-0190-1 2007-09-18
Mandriva MDKSA-2007:138 2007-07-03
Red Hat RHSA-2007:0494-01 2007-06-13

Comments (1 posted)

kdelibs: cross-site scripting

Package(s):kdelibs konqeror CVE #(s):CVE-2007-0537
Created:February 5, 2007 Updated:August 13, 2007
Description: Konqueror 3.5.5 does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment, a related issue to CVE-2007-0478.
Alerts:
Mandriva MDKSA-2007:157 2007-08-10
Gentoo 200703-10 2007-03-10
rPath rPSA-2007-0052-1 2007-03-07
Ubuntu USN-420-1 2007-02-06
Mandriva MDKSA-2007:031 2007-02-02

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2007-1357
Created:April 16, 2007 Updated:November 14, 2007
Description: The atalk_sum_skb function in AppleTalk for Linux kernel 2.6.x before 2.6.21, and possibly 2.4.x, allows remote attackers to cause a denial of service (crash) via an AppleTalk frame that is shorter than the specified length, which triggers a BUG_ON call when an attempt is made to perform a checksum.
Alerts:
SuSE SUSE-SA:2007:035 2007-06-14
Ubuntu USN-464-1 2007-05-23
SuSE SUSE-SA:2007:030 2007-05-10
SuSE SUSE-SA:2007:029 2007-05-03
rPath rPSA-2007-0071-1 2007-04-16
Fedora FEDORA-2007-432 2007-04-13
Fedora FEDORA-2007-433 2007-04-13

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2006-5749 CVE-2006-4814 CVE-2006-6106
Created:January 5, 2007 Updated:May 7, 2008
Description: A security issue has been reported in Linux kernel due to an error in drivers/isdn/i4l/isdn_ppp.c as the "isdn_ppp_ccp_reset_alloc_state()" function never initializes an event timer before scheduling it with the "add_timer()" function.

The mincore function in the kernel does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock.

Another vulnerability has been reported in Linux kernel caused by a boundary error within the handling of incoming CAPI messages in net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain Kernel data structures.

Alerts:
CentOS CESA-2008:0211 2008-05-07
Red Hat RHSA-2008:0211-01 2008-05-07
Debian DSA-1503 2008-02-22
Debian DSA-1503-2 2008-03-06
SuSE SUSE-SA:2007:035 2007-06-14
SuSE SUSE-SA:2007:053 2007-10-12
Ubuntu USN-416-2 2007-03-01
Ubuntu USN-416-1 2007-02-01
rPath rPSA-2007-0031-1 2007-02-09
Mandriva MDKSA-2007:040 2007-02-07
Red Hat RHSA-2007:0014-01 2007-01-30
Mandriva MDKSA-2007:025 2007-01-23
Fedora FEDORA-2007-058 2007-01-18
Mandriva MDKSA-2007:012 2006-01-12
Trustix TSLSA-2007-0002 2007-01-05

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4623
Created:October 18, 2006 Updated:November 14, 2007
Description: The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data.
Alerts:
Ubuntu USN-489-1 2007-07-19
rPath rPSA-2006-0194-1 2006-10-17

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2007-0005 CVE-2007-1000
Created:March 15, 2007 Updated:November 14, 2007
Description: The Linux kernel has a boundary error problem with the Omnikey CardMan 4040 driver read and write functions. This can be used to cause a buffer overflow and possible execution or arbitrary code with kernel privileges.

The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c is vulnerable to a NULL pointer dereference. Local users can use this to crash the kernel or to disclose kernel memory.

Alerts:
Fedora FEDORA-2007-599 2007-06-21
Ubuntu USN-489-1 2007-07-19
Ubuntu USN-486-1 2007-07-17
Debian DSA-1286-1 2007-05-02
Red Hat RHSA-2007:0169-01 2007-04-30
Mandriva MDKSA-2007:078 2007-04-04
Fedora FEDORA-2007-336 2007-03-14
Fedora FEDORA-2007-335 2007-03-14

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-0007 CVE-2007-0006
Created:February 15, 2007 Updated:November 14, 2007
Description: Linux kernel versions from 2.6.9 to 2.6.20 have a denial of service vulnerability. A remote attacker can cause the key_alloc_serial function's key serial number collision avoidance code to have a null dereference, resulting in a crash.
Alerts:
Fedora FEDORA-2007-599 2007-06-21
Red Hat RHSA-2007:0099-02 2007-03-14
rPath rPSA-2007-0050-1 2007-03-06
Red Hat RHSA-2007:0085-01 2007-02-27
Mandriva MDKSA-2007:047 2007-02-21
Fedora FEDORA-2007-226 2007-02-13
Fedora FEDORA-2007-225 2007-02-13

Comments (1 posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4535 CVE-2006-4538
Created:September 18, 2006 Updated:December 3, 2007
Description: Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535)

Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538)

Alerts:
Red Hat RHSA-2007:1049-01 2007-12-03
Mandriva MDKSA-2006:182 2006-10-11
Red Hat RHSA-2006:0689-01 2006-10-05
Debian DSA-1184-2 2006-09-26
Debian DSA-1184-1 2006-09-25
Debian DSA-1183-1 2006-09-25
Ubuntu USN-347-1 2006-09-18

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2007-1861 CVE-2007-2242
Created:May 1, 2007 Updated:February 8, 2008
Description: The netlink protocol has an infinite recursion bug that allows users to cause a kernel crash. Also the IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers.
Alerts:
SuSE SUSE-SA:2008:006 2008-02-07
Ubuntu USN-508-1 2007-08-31
Mandriva MDKSA-2007:171 2007-08-28
Ubuntu USN-489-1 2007-07-19
Ubuntu USN-486-1 2007-07-17
SuSE SUSE-SA:2007:051 2007-09-06
Mandriva MDKSA-2007:216 2007-11-13
Red Hat RHSA-2007:0347-01 2007-05-16
Debian DSA-1289-1 2007-05-13
Foresight FLEA-2007-0016-1 2007-05-08
rPath rPSA-2007-0084-1 2007-05-01
Fedora FEDORA-2007-483 2007-05-01
Fedora FEDORA-2007-482 2007-05-01

Comments (none posted)

kernel: denial of service by memory consumption

Package(s):kernel CVE #(s):CVE-2006-2936
Created:July 17, 2006 Updated:November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued.
Alerts:
SuSE SUSE-SA:2007:035 2007-06-14
Mandriva MDKSA-2006:151 2006-08-25
Mandriva MDKSA-2006:150 2006-08-25
Ubuntu USN-331-1 2006-08-03
rPath rPSA-2006-0130-1 2006-07-17

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2007-0772
Created:February 23, 2007 Updated:November 14, 2007
Description: The Linux kernel before 2.6.20.1 allows remote attackers to cause a denial of service (oops) via a crafted NFSACL 2 ACCESS request that triggers a free of an incorrect pointer.
Alerts:
Fedora FEDORA-2007-599 2007-06-21
Ubuntu USN-451-1 2007-04-10
SuSE SUSE-SA:2007:021 2007-03-16
Mandriva MDKSA-2007:060 2006-03-09
Fedora FEDORA-2007-291 2007-03-02
Fedora FEDORA-2007-277 2007-03-02
SuSE SUSE-SA:2007:018 2007-02-27
rPath rPSA-2007-0036-1 2007-02-23

Comments (none posted)

kernel: several vulnerabilities

Package(s):kernel CVE #(s):CVE-2007-1353 CVE-2007-2451 CVE-2007-2453
Created:June 11, 2007 Updated:March 6, 2008
Description: Ilja van Sprundel discovered that Bluetooth setsockopt calls could leak kernel memory contents via an uninitialized stack buffer. A local attacker could exploit this flaw to view sensitive kernel information. (CVE-2007-1353)

The GEODE-AES driver did not correctly initialize its encryption key. Any data encrypted using this type of device would be easily compromised. (CVE-2007-2451)

The random number generator was hashing a subset of the available entropy, leading to slightly less random numbers. Additionally, systems without an entropy source would be seeded with the same inputs at boot time, leading to a repeatable series of random numbers. (CVE-2007-2453)

Alerts:
Debian DSA-1504 2008-02-22
Debian DSA-1503-2 2008-03-06
Debian DSA-1503 2008-02-22
Red Hat RHSA-2007:0488-01 2007-06-25
Debian DSA-1356-1 2007-08-15
SuSE SUSE-SA:2007:051 2007-09-06
Mandriva MDKSA-2007:216 2007-11-13
Mandriva MDKSA-2007:171 2007-08-28
Red Hat RHSA-2007:0671-01 2007-08-16
Red Hat RHSA-2007:0673-01 2007-08-08
Red Hat RHSA-2007:0672-01 2007-08-08
Ubuntu USN-489-1 2007-07-19
Ubuntu USN-486-1 2007-07-17
Fedora FEDORA-2007-600 2007-06-25
Fedora FEDORA-2007-599 2007-06-21
SuSE SUSE-SA:2007:035 2007-06-14
Red Hat RHSA-2007:0376-01 2007-06-14
Fedora FEDORA-2007-0409 2007-06-13
Ubuntu USN-470-1 2007-06-08

Comments (none posted)

kernel: several vulnerabilities

Package(s):kernel CVE #(s):CVE-2006-5823 CVE-2006-6054 CVE-2007-1592
Created:June 12, 2007 Updated:March 6, 2008
Description: A flaw in the cramfs file system allows invalid compressed data to cause memory corruption (CVE-2006-5823)

A flaw in the ext2 file system allows an invalid inode size to cause a denial of service (system hang) (CVE-2006-6054)

A flaw in IPV6 flow label handling allows a local user to cause a denial of service (crash) (CVE-2007-1592)

Alerts:
Debian DSA-1503-2 2008-03-06
Debian DSA-1504 2008-02-22
Debian DSA-1503 2008-02-22
Red Hat RHSA-2007:0673-01 2007-08-08
Red Hat RHSA-2007:0672-01 2007-08-08
SuSE SUSE-SA:2007:035 2007-06-14
Red Hat RHSA-2007:0347-01 2007-05-16
SuSE SUSE-SA:2007:043 2007-07-09
Debian DSA-1304-1 2007-06-16
rPath rPSA-2007-0124-1 2007-06-14
Red Hat RHSA-2007:0436-01 2007-06-11

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-5757
Created:November 13, 2006 Updated:November 14, 2007
Description: From the MOKB-05-11-2006 advisory: "The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue. When performing a read operation on a corrupted ISO9660 fs stream, the isofs_get_blocks() function will enter an infinite loop when __find_get_block_slow() callback from sb_getblk() fails ("due to various races between file io on the block device and getblk")."
Alerts:
Fedora FEDORA-2007-599 2007-06-21
Fedora FEDORA-2006-1223 2006-11-12
Fedora FEDORA-2006-1221 2006-11-10

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-2935 CVE-2006-4145 CVE-2006-3745
Created:September 1, 2006 Updated:July 30, 2008
Description: Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause system crash (denial of service), and if they were intentionally malformed, can cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack.
Alerts:
Red Hat RHSA-2008:0665-01 2008-07-24
SuSE SUSE-SA:2007:053 2007-10-12
SuSE SUSE-SA:2006:064 2006-11-10
Red Hat RHSA-2006:0710-01 2006-10-19
SuSE SUSE-SA:2006:057 2006-09-28
Trustix TSLSA-2006-0051 2006-09-15
Ubuntu USN-346-2 2006-09-14
Ubuntu USN-346-1 2006-09-14
rPath rPSA-2006-0162-1 2006-08-31

Comments (none posted)

krb5: multiple vulnerabilities

Package(s):krb5 CVE #(s):CVE-2007-0956 CVE-2007-0957 CVE-2007-1216
Created:April 3, 2007 Updated:March 24, 2008
Description: A flaw was found in the username handling of the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password. MIT krb5 Security Advisory 2007-001

Buffer overflows were found which affect the Kerberos KDC and the kadmin server daemon. A remote attacker who can access the KDC could exploit this bug to run arbitrary code with the privileges of the KDC or kadmin server processes. MIT krb5 Security Advisory 2007-002

A double-free flaw was found in the GSSAPI library used by the kadmin server daemon. MIT krb5 Security Advisory 2007-003

Alerts:
Mandriva MDKSA-2007:077-1 2007-04-10
Foresight FLEA-2007-0008-1 2007-04-05
SuSE SUSE-SA:2007:025 2007-04-05
Mandriva MDKSA-2007:077 2006-04-04
rPath rPSA-2007-0063-1 2007-04-04
Ubuntu USN-449-1 2007-04-04
Gentoo 200704-02 2007-04-03
Fedora FEDORA-2007-409 2007-04-03
Fedora FEDORA-2007-408 2007-04-03
Debian DSA-1276-1 2007-04-03
Red Hat RHSA-2007:0095-01 2007-04-03

Comments (none posted)

ktorrent: incorrect validation

Package(s):ktorrent CVE #(s):CVE-2007-1384 CVE-2007-1385