
LWN.net Weekly Edition for July 26, 2007

Fedora's mid-life crisis

The conversation started innocuously enough - or maybe it didn't. Rahul Sundaram's question was this: given recent decisions in the U.S. Supreme Court, might Fedora actually be able to point at repositories containing codecs which are said to infringe upon U.S. software patents? And, more to the point, regardless of what Red Hat's legal department says, does Fedora want to do such a thing? Fedora leader Max Spevack responded that, to answer this question, "the Fedora Board needs to reaffirm its larger strategy about Multimedia." There was some digression on how firmware does (or does not) differ from proprietary codecs. Then Mike McGrath broadened the scope further with a quick question:

What is our target market supposed to be?

The following is a quote from Bill Nottingham's response, but his message is worth reading in its entirety:

We don't have one! Seriously, I have yet to see anything that shows that we have a coherent market, a plan for attack, or *anything* along those lines.

So, we muddle along. Since no one has a plan or a target market, we implement whatever features the developers happen to think of, or random features vaguely relating to future enterprise development. Or we just incorporate the latest upstream....

Right now we don't have any overriding set of goals. So we never really say 'no, that isn't what we want Fedora to do' to anything that fits our simple 'uses open source, isn't completely targeted to obsolete things' mantra, and we attempt to do all of these things... which means we'll probably fail at all of them.

This message clearly resonated among the Fedora developers, none of whom stood up to say that he or she had a clear idea of who the target market is. Fedora hackers are looking over at Ubuntu, which has adopted a focused view of what it is trying to do and which has had significant success as a result. The Fedora project is seen as lacking that focus; it's not sure of what it's trying to do. As the distribution matures, its community is starting to ask itself some hard questions about where it is trying to go. It's a sort of free software project mid-life crisis.

Initially, Fedora's mission was seen - at least by outsiders - as serving as a proving ground for software destined to go into Red Hat Enterprise Linux and as a way to keep the venerable Red Hat Linux product around. So the target market would have been Red Hat itself, along with the Red Hat Linux users that Red Hat believed - almost certainly correctly - were an important part of making its enterprise offerings successful. There was no painful introspection in those days; Fedora mostly did what Red Hat wanted done - integrating Xen, for example - with the result that users began to despair of it ever being a truly community-oriented distribution.

The situation has since changed considerably. Red Hat still holds considerable sway over what Fedora does by virtue of paying a large number of engineers to work on it. But the distribution has become much more open and more driven by what its community wants it to be - should the community decide what that is.

There is a certain interest in turning Fedora into a polished desktop distribution. Doing so would require making some hard decisions: focusing on a single desktop, for example. It would require some sort of solution to the patent-encumbered codec problem. The support period - recently lengthened to just over one year - would probably have to be made longer yet. Much work would have to be done to make the various components of the distribution work together better; the tug-of-war between the two ways of configuring network interfaces (system-config-network and NetworkManager) was mentioned a few times.

Maybe, instead, Fedora wants to be a solid base upon which others can create finished distributions, much like the role Debian plays for Ubuntu. There is a certain amount of pride over the project's revisor tool which makes it easy to create derivative versions of Fedora. If this tool worked well with external repositories, others could take on the work (and legal risk, if any) of creating and distributing versions of Fedora with complete codec support, binary-only drivers, or any of the other things which are not consistent with Fedora's philosophy. Aside from the fact that Fedora is still seen (by its developers) as needing more "polish" to serve in this role, there is an interesting set of trademark issues which comes into play once a derivative distribution has something other than Fedora packages in it.

Fedora's trademark policy is already seen as an impediment by people making derived distributions (such as Dell's firmware updates live CD). It will be even harder for people trying to take Fedora into entirely new territory. The issues can be resolved by simply removing all references to the Fedora name, but there are advantages on both sides if derived distributions can claim to be based on Fedora. There has been some talk on how the policies could be changed, but anything concrete will happen some time from now, if ever.

Alternatively, Fedora could be a distribution for developers who want something close to the leading edge and who are less concerned with "polish." It's a legitimate audience, but it is also limited in size.

A number of other scenarios have been presented, but what is really required is for people to make the decisions and to get the work done to implement those decisions. It seems that Fedora is currently short of decision makers. Jesse Keating expressed it this way:

We seem to have a lot of sous chefs which are busy doing what they know, but no executive chefs with a grand vision of what will be on tomorrow's menus.

Anybody who aspires to be an executive chef can, if they actually try to make significant changes, expect a fair amount of resistance from elsewhere in the community. But perhaps the time has come for somebody who looks forward to that sort of challenge. The Fedora project has a solid base to build on and an increasingly open community process to help it get to where it wants to be. With the right focus on an interesting set of goals, Fedora could surprise the world. This distribution should have no trouble proving that it's not over the hill yet.


An "online desktop" for GNOME?

An "online desktop" is not exactly a new idea, as X-based thin clients have been around for twenty years or more, but combining the desktop and the web is an idea that is gaining some momentum, at least in the GNOME community. The online-desktop project is an attempt to define a mashup of Linux, GNOME and web applications into something completely new. It is an ambitious goal, which will be met with a fair amount of skepticism, likely by all of the communities being mashed.

In a keynote at the recent GUADEC 2007 conference, Bryan Clark and Havoc Pennington laid out a vision (slides in PDF format) of the online-desktop (OD) with the following top-level description:

The perfect window to the Internet: integrated with all your favorite online apps, secure and virus-free, simple to set up and zero-maintenance thereafter.

Many people are or will be using online applications almost exclusively, with the operating system just providing a platform to run the browser, at least according to Pennington and Clark.

The OD would seamlessly connect the browser-based applications with any native programs that remain, storing data locally and remotely. This would allow users to access their data, including settings and preferences, from any internet connected device. A user would be able to jump between multiple computers and mobile devices, finding their entire desktop environment and data available on each. A new disk and fresh install would no longer require a tedious reconfiguration of preferences and restoration of backups; a user would simply log in to the 'service' and pick them all up.

This network-centric view of computer usage is not particularly new either - Sun's "the network is the computer" initiative is a famous (or infamous) example. The keynote points to plans for the next version of Windows, which will be more closely integrated with Microsoft's internet services, as an indicator that the OD direction is the right one. In order for Microsoft to play its usual lock-in game, it would need to provide most or all of the kinds of web applications that people already use. OD proposes to integrate with the existing applications, presenting a single view that incorporates them and facilitates sharing between them, without the lock-in.

The requisite demo during the keynote was of Big Board, a GNOME Python application, that prototypes portions of the OD, using the Mugshot project. A high-level implementation plan was also presented:

    SEARCH AND DESTROY everything that leaves my data stranded
    on a single computer.

    INTEGRATE the best web applications with the desktop.

    RETHINK the user experience to take advantage of live 
    connections to friends on the net.

    CHANGE THE DEFAULTS so naïve users taking no special action
    will create collaborative, backed-up, online data rather than local
    files.

By its very nature, OD has a very distributed architecture. It is meant to talk to various servers to store data using the services (Flickr, Picasa, Gmail, etc.) that the user is already using. But there will also be data that needs to be stored, for instance preferences and configuration information, for which a service will need to be created. This service is envisioned to be decentralized, with at least some of the servers run by the community. Like many parts of the project, it is still in the planning stages.

The project is young, with thoughts and discussion starting to pop up on the GNOME desktop-devel mailing list in April. Since the conference, things have started to heat up: the website has moved from within Mugshot to its own site, some mockups have been created and there has been a bit of a discussion about an acronym. An obvious choice, using the first letters of GNOME Online Desktop, leaves something to be desired, so current candidates seem to be GOLD (OnLine Desktop) or GOOD (Open Online Desktop). Others would rather see it referred to as GNOME Online without an acronym; we stayed out of it and used OD.

Another piece that is in the planning stages is an API for desktop applications to be able to share HTTP state and cache information. With multiple programs talking to some of the same websites, cookies, at least, will need to be shared between them. Sharing data that has been cached from websites, between the browser and other programs that use it, would be useful to reduce traffic as well.

Mixing and matching different web application APIs and storing lots of personal data on remote servers will require careful thought about security. There is some mention of "strong cryptography" being used, but the concerns raised so far seem mostly to be about handling (and losing) private keys. Overall, security seems to be a low priority. A post to Pennington's blog seems to miss the point, comparing the OD security issues to those of online banking. Banks only store the information they have, not the sum total of all data one might have on their computer. In order to fulfill the "secure and virus-free" portion of the goal statement, a lot more thinking and effort will have to be focused there.

Folks typically carry more powerful computers, with more storage, in their pockets today, than were even available to home users twenty years ago. That trend seems to be continuing, at least for now, so there should be ways to carry our own data with us. Desktops that were set up to handle external, plugged-in storage devices and easily switch to an environment stored there would remove the need to store that data on an internet server, except, perhaps, for backups. This might be a simpler alternative that removes some of the concern about loss of data control.

There are lots of opportunities to share and collaborate using web applications, for pictures, text, video, music, etc. But there is also lots of data folks may not want to share. Financial information, email, contracts and work-related documents are just a few of the things that people very well might want to keep private, naïve or no. It will be very difficult to set up an environment that turns all data, by default, into "collaborative, backed-up, online data", without sometimes exposing sensitive data. Using the word processing tool to type a blog entry and a love letter should not automatically expose both to the world.

An interesting, related development is an attempt to define what a "free" or "open" web service is. If a user's personal data is to be stored somewhere other than the local disk, potentially multiple places, it must be clear what rights the user has to that data. The responsibilities of the service must be clearly defined as well. Luis Villa has some thoughts about the framework in which an Open Service Definition might come about.

The framework consists of sets of goals, preconditions and rights, each of which can be thought of as a "sliding scale". He goes into some detail enumerating each of the sets and discussing various settings that could be made on the scales and the impacts that has on freedom and openness, for both users and providers. By using OD as a test case while discussing various settings with interested parties, Villa hopes to come out with a set of definitions and licenses that, in many ways, parallel the Free Software and Open Source definitions. It is an issue that is much larger than the OD project and one that bears watching.

The biggest question, perhaps, is whether this is the "right" direction for GNOME and for desktops in general. Is personal computing finally headed toward a completely network-centric existence? If so, are HTTP, HTML, Javascript, AJAX, and the like up to the task? One is reminded of the wisdom of the Magic 8-ball: Answer hazy, ask again later. One advantage that free software has over some of its competitors is its diversity; we are certain to see other implementations of an online desktop (Pyro for example) as well as desktops that resist the close integration to the web. Free software will truly give users the ability to choose the one that works for them; users of proprietary systems may not be so lucky.


Where have the universities gone?

When Greg Kroah-Hartman talked about the provenance of Linux kernel code at the Ottawa Linux Symposium, one member of the audience asked about whether contributions from universities were tracked. The answer is that universities were handled like any other source and tracked accordingly. If code is contributed by somebody who works for the university (a faculty member, in other words), the university is credited as having supported the work. Contributions from students tend to be treated as "hobbyist" work, but there are few significant contributors who fall into this category. There is, in fact, very little code coming from the university environment in general. Your editor was able to find exactly five files in the 2.6.23-rc1 kernel tree which contain a 2007 copyright credited to a University.

It was not always that way; universities used to be heavily involved in the creation and distribution of free software (though it did not originally carry that name). The BSD Unix distribution - the first to support virtual memory and drive VAXen worldwide - came from the University of California at Berkeley. Linux became the master's thesis for one Linus Torvalds. The X Consortium grew out of a project at MIT - it was part of Project Athena, which was the source of much interesting work. The GNU project has its roots at MIT as well. Alan Cox did much of his crucial early Linux work while at Swansea University. Ted Ts'o, another important early contributor, was based at MIT.

Looking further back, graybeards among us will remember the influential WATFOR Fortran compiler from the University of Waterloo. Much interesting work (and code) came from the Andrew project at Carnegie Mellon University. Two of your editors got their start at the University of Colorado working with a project called Toolpack, creating Fortran developer tools; their names can be found in this old report [PDF]. The list goes on at some length. Over the years, we have all been the beneficiaries of a great deal of creativity (and code) to come out of the university environment.

While there are still interesting projects happening at universities, the flow of code has nearly stopped. This seems strange; one need not dig too far into the curriculum at most computer science departments to find operating systems classes using Linux as a teaching tool, but these same computer science departments are, as a whole, not contributing back changes to that tool. This is a large and rather unremarked-upon change in how free software works; it would be interesting to understand what force is driving this change.

Your editor has spent a few weeks querying contacts in the academic world, but the amount of useful information coming back is surprisingly small. An "I don't know" answer from a computer science department chair was not expected. So, rather than provide definitive answers, your editor will have to engage in some definitive handwaving.

One obvious change is that the amount of code coming from the corporate environment has grown from nearly zero to something huge. As the proprietary software idea took over the industry, the idea that a company would give away its code came to look similar to the notion of opening up its bank account to all comers. At the same time, individuals rarely had the resources to develop and contribute code themselves, and the supporting community was not there. So universities were about the only real source for freely-circulated software. Thanks to the culture of openness in academia, passing that code around (and improving it) seemed like a natural thing to do.

Unfortunately, that culture of openness has suffered somewhat in more recent times. In many parts of the world, universities are able to privatize and commercialize interesting work, even if that work was funded by public money. University researchers have strong incentives to put their energy (and their code) into startup companies instead of contributing that code back to the community. Look, for example, at the story of the Stanford Checker, which was initially built on gcc. Rather than contribute that code, the developers created a private company (Coverity) to commercialize it. The community has certainly benefited from Coverity's work, but we still do not have a static analysis tool with anything near the power of the erstwhile "Stanford Checker."

The same commercial forces almost certainly have the effect of drawing effective developers out of the university environment. Talented students who might once have gone on for advanced degrees or continued to work within the university are likely to have plenty of more lucrative options elsewhere. This will be especially true for those who have demonstrated that they can create useful, production-quality code. So, perhaps, it is not surprising that many of the most productive free software developers are no longer found at universities.

Another disincentive for university contributors is that few free software projects are interested in prototypical or overly experimental code. A potential kernel contribution must be rock-solid, well-benchmarked, with well-defined needs and users. A university project may explore an interesting idea far enough to generate the required publications, but the resulting code is likely to be far from ready for mainline inclusion. It may well be that, for many university researchers, there is no real reason to make the effort to get their code merged, even if the work would be useful in a more practical environment. Funding agencies and tenure committees do not normally consider community contributions when making their decisions.

Code contributed to the community also requires ongoing maintenance, something which many university environments are not well prepared to support. Graduate students move on to other challenges, and faculty go on to the next project. It is hard to write a successful grant application for maintenance work. So interesting code has a real chance of simply being dropped once the research objectives have been achieved - or the funding has run out.

So there are a number of reasons for the reduction in university participation in the development process. That participation has certainly not fallen to zero. We can thank the University of Michigan for much of our NFSv4 code. A lot of USB work has come out of the Rowland Institute at Harvard. Much of the early eCryptfs work happened at Stony Brook University. The University of Waikato has contributed to the DCCP protocol implementation. The Helsinki University of Technology works with the IPv6 code, as have the University of Tokyo and Keio University. These are just a few recent contributions to the kernel; clearly, the scope of university contributions to the community goes far beyond that. But these contributions are buried by the code coming from other sources. For better or for worse, the period when universities were the source of a large portion of our free software code base would appear to have passed. But that period left us with a strong foundation on which to build the systems we have today.


Page editor: Jonathan Corbet

Security

Cache poisoning vulnerability found in BIND

Domain Name System (DNS) cache poisoning has been a problem, on and off, for years. There has been a kind of an arms race with security researchers periodically finding problems in DNS server implementations and the vendors racing to fix them. Amit Klein of Trusteer recently released a vulnerability report for the Berkeley Internet Name Daemon (BIND) showing a rather reliable means to poison the cache of a nameserver that runs it. The consequences of this poisoning can be quite severe, invisibly rerouting traffic bound for a given host to one under an attacker's control.

We will dispense with the usual overview of DNS; it was briefly described in an April LWN article, and the vulnerability executive summary and Wikipedia article have useful descriptions as well.

There are essentially two types of DNS servers: those that directly reply to queries about a particular zone (zone servers) and those that cache query results (caching servers). An internet service provider or company will typically set up a few caching DNS servers that actually talk to the zone servers, and configure all client machines to make their DNS requests to the caching servers. Once an entry has been entered into the cache of those servers, it will not be requested again until the time-to-live (TTL) of the entry expires. If an attacker can get an incorrect entry put into the cache, especially one with a very long TTL, he can redirect traffic to servers under his control. This is the "poison" in the cache.

DNS uses User Datagram Protocol (UDP), which is stateless rather than connection-oriented. This allows attackers to send "answers" to DNS queries that they never received. They can forge the IP address of the nameserver that would be queried; if the bogus response is received before the real response, it will be used and the real one dropped. Several steps are taken to make it more difficult for an attacker to forge a response, but one of those countermeasures was not correctly implemented in BIND, leading to this most recent vulnerability.

The DNS protocol contains a 16-bit transaction ID field that must be matched between the query and the response in order to be considered valid. Early DNS implementations just incremented those transaction IDs for each new query, making it trivial for an attacker's program to predict which was coming next. The obvious fix is to randomize the transaction IDs, which is exactly what BIND did, unfortunately not quite as randomly as they might have hoped.

Random number generation (RNG) is one of those things that seems like it should be blindingly simple, but turns out to be incredibly difficult to do correctly. For things like games or simulations, it is relatively straightforward to create an RNG with reasonable properties, but for security and cryptography, it is much more difficult. One of the key properties that a crypto-strength RNG must have is unpredictability. One way to look at that is to determine how much RNG output an attacker must see before they can make informed guesses about the next "random" number. This is where the BIND algorithm was found to be lacking.

By studying the code used to generate the transaction IDs, Klein noticed that if the transaction ID was even (least significant bit was zero), there were only ten possible values that could be generated as the next transaction ID. Other techniques had been able to reduce the search space to around 5000 possibilities, but forging and sending that many bogus DNS responses before the real reply reaches the recipient is not a very reliable poisoning technique. With only ten responses to send, it is quite possible to get the bogus response there first, especially if the real DNS server is busy and responds a little slowly.

If an attacker (at attacker.com) wanted to poison the cache entry of financial-site.com for the users at randomisp.com, they would need to lure a user of randomisp.com's caching DNS server to visit attacker.com. When the DNS server at randomisp.com queries the attacker.com DNS server, that server looks at the transaction ID. If it is odd, it sends back a redirection to itself (using a DNS feature called CNAME chaining). If the transaction ID is even, it quickly calculates the ten possible values for the next transaction ID and starts sending responses for financial-site.com using those IDs. In addition, it redirects the query to financial-site.com. If that site is not in the cache, or its cache entry has expired, randomisp.com's DNS server will make a query, probably using one of the ten transaction IDs (unless an intervening query has gone out), to financial-site.com. It is very likely that one of the bogus responses will be picked up and the attacker now controls the mapping of financial-site.com to an IP address, for all users of randomisp.com.

Normally, the invitation to visit attacker.com would go out as spam or by some other means that tricks users into going places that they probably should not. No particular ISP is targeted; the poisoning is used as part of a pharming attack. Pharming is typically used to get credentials, usernames and passwords, for financial and other sites by spoofing a well-known website on an attacker's server. Because of the cache poisoning, the user could use a bookmark or even type in the financial-site.com address, but still end up at the attacker's site. The website graphics and login process are duplicated there, which causes the user (or his browser's password manager) to type in the credentials and hit submit.

The full report makes for quite an interesting read. Klein describes several other means of attack and weaknesses in the BIND RNG, including ways to completely recover the internal state of the RNG. Internet Systems Consortium (ISC), the maintainers of BIND have released an updated version, with a new RNG, though there was very little description of the problem or the fix in their advisory. The problem has been assigned CVE-2007-2926 but, as of this writing, that is just a placeholder.

This is quite a serious vulnerability and should be rather embarrassing to the folks at ISC. The problems with transaction IDs and the need for their unpredictability have been known for many years. It is not at all beyond the realm of possibility that the analysis done by Klein was done by the attacker community some time ago and has been used already. Widespread usage would likely have been detected, but if used judiciously, it could have been exploited for quite some time.

Another technique that could help avoid these kinds of attacks would be to randomize (crypto-strength RNG, of course) the source UDP port on each query. BIND currently chooses a single random UDP source port at startup time and uses that throughout its life. If an attacker could not predict the port to send a bogus response to, it almost would not matter that they could predict what response to send.
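The following is an added example, not code from the article, from ISC or from Klein's report: a small Python model of the resolver-side checks the article refers to (transaction ID, reply port, question match) built on constructed packets for the article's hypothetical financial-site.com, plus a function that puts numbers on why a fixed source port makes a small ID search space so dangerous. The server address 192.0.2.53 and the use of the secrets module as the strong generator are assumptions of the example.

```python
import secrets
import struct

# All packets below are constructed for this example; nothing here is captured
# traffic or BIND's own code. financial-site.com is the article's hypothetical.

A_RECORD = 1
IN_CLASS = 1


def encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a label-format name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:  # compression pointers are not needed for these packets
            raise ValueError("compression pointer not supported in this example")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name, qtype=A_RECORD, qclass=IN_CLASS):
    """Standard query: flags 0x0100 (RD set), one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def build_response(txid, name, ip, qtype=A_RECORD, qclass=IN_CLASS, ttl=3600):
    """Response (QR/RD/RA set, 0x8180) echoing the question with one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", qtype, qclass, ttl, len(rdata))
    return header + question + answer + rdata


def parse_header(data):
    """Return the 16-bit transaction ID and the fields a resolver checks on receipt."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qdcount": qdcount, "ancount": ancount}


def parse_question(data):
    """Return (name, qtype, qclass) of the first question, name lower-cased."""
    name, offset = decode_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
    return name.lower(), qtype, qclass


class PendingQuery:
    """What a caching resolver remembers about an outstanding query.

    Both the transaction ID and the UDP source port are drawn from a
    cryptographically strong source (secrets), the property the article says
    BIND's ID generator lacked and that BIND did not apply to ports at all."""

    def __init__(self, server_ip, name, qtype=A_RECORD, qclass=IN_CLASS):
        self.server_ip = server_ip
        self.name = name.lower()
        self.qtype = qtype
        self.qclass = qclass
        self.txid = secrets.randbits(16)
        self.src_port = 1024 + secrets.randbelow(65536 - 1024)

    def wire(self):
        return build_query(self.txid, self.name, self.qtype, self.qclass)


def response_accepted(pending, data, src_ip, src_port, dst_port):
    """The match a reply must pass before its answer reaches the cache.

    src_ip and src_port can be forged by a sender, so the only fields that make
    a blind forgery hard are the transaction ID and the port the reply must be
    addressed to (dst_port, i.e. the port the query was sent from)."""
    if src_ip != pending.server_ip or src_port != 53 or dst_port != pending.src_port:
        return False
    if len(data) < 12:
        return False
    header = parse_header(data)
    if not header["is_response"] or header["txid"] != pending.txid:
        return False
    if header["qdcount"] != 1:
        return False
    try:
        question = parse_question(data)
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return False
    return question == (pending.name, pending.qtype, pending.qclass)


def forgery_success_probability(txid_candidates, port_candidates, packets_sent):
    """Chance that packets_sent distinct guesses cover the one accepted
    (txid, port) pair, assuming the forger can enumerate both candidate sets.

    Article figures: roughly 5000 ID candidates for older techniques, 10 after
    Klein's finding, and a single fixed port (1 candidate) in BIND at the time."""
    space = txid_candidates * port_candidates
    return min(1.0, packets_sent / space)
```

With ten ID candidates and one port, ten packets are enough; with the same ten IDs spread over the full port range the same ten packets have a chance of about one in 65,000, which is the point of the port randomization suggested above.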


Security news

Samsung fixes its printer drivers

One week ago we reported that Samsung's printer driver installation script compromised the security of the systems it was run on by turning a few small applications (like OpenOffice.org) into setuid root executables. We have just heard from Samsung that this problem has been fixed. A quick look at the new installer confirms that the calls making those applications setuid have been commented out, though the structure to do that work remains in place.


Wesabe's automatic banking Firefox extension

Wesabe has announced the availability of an open source Firefox extension to help with online banking. "Setting up Wesabe accounts for banks that provide automatic data downloads, including American Express, Chase and USAA, only takes seconds -- members simply need to enter their username and password. The extension auto-records a login and download, and then plays it back as frequently as the member wants updated data. The extension works equally as well for banks that don't provide automatic downloads -- members use the extension to 'record' an actual download session from their bank Web site, a process that typically takes between one and two minutes." One can only hope that this source gets audited well; it would be an optimal trojan horse platform, and is sure to be a cracker target as well.


New vulnerabilities

bind: DNS cache poisoning

Package(s): bind
CVE #(s): CVE-2007-2926
Created: July 24, 2007
Updated: August 20, 2007
Description: A flaw was found in the way BIND generates outbound DNS query ids. If an attacker is able to acquire a finite set of query IDs, it becomes possible to accurately predict future query IDs. Future query ID prediction may allow an attacker to conduct a DNS cache poisoning attack, which can result in the DNS server returning incorrect client query data.
Alerts:
Red Hat RHSA-2007:0740-01 2007-07-24
Fedora FEDORA-2007-1247 2007-07-24
OpenPKG OpenPKG-SA-2007.022 2007-07-25
Ubuntu USN-491-1 2007-07-25
Debian DSA-1341-1 2007-07-25
Mandriva MDKSA-2007:149 2007-12-31
Debian DSA-1341-2 2007-07-25
Fedora FEDORA-2007-647 2007-07-26
rPath rPSA-2007-0149-1 2007-07-27
Slackware SSA:2007-207-01 2007-07-27
Trustix TSLSA-2007-0023 2007-07-28
SuSE SUSE-SA:2007:047 2007-08-01
Gentoo 200708-13 2007-08-18


bochs: buffer overflow

Package(s): bochs
CVE #(s): CVE-2007-2893
Created: July 20, 2007
Updated: November 19, 2007
Description: A heap-based buffer overflow in the bx_ne2k_c::rx_frame function in iodev/ne2k.cc in the emulated NE2000 device in Bochs 2.3 allows local users of the guest operating system to write to arbitrary memory locations and gain privileges on the host operating system via vectors that cause TXCNT register values to exceed the device memory size, aka "RX Frame heap overflow."
Alerts:
Fedora FEDORA-2007-1153 2007-07-19
Debian DSA-1351-1 2007-08-07
Fedora FEDORA-2007-1778 2007-08-23
Gentoo 200711-21 2007-11-17


centericq: buffer overflows

Package(s): centericq
CVE #(s): CVE-2007-3713
Created: July 20, 2007
Updated: December 17, 2007
Description: Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might overlap CVE-2007-0160.
Alerts:
Fedora FEDORA-2007-1160 2007-07-19
Debian-Testing DTSA-55-1 2007-09-03
Debian DSA-1433-1 2007-12-16

Comments (none posted)

clamav: denial of service

Package(s):clamav CVE #(s):CVE-2007-3725
Created:July 24, 2007 Updated:February 27, 2008
Description: A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via a specially crafted RAR archive.
Alerts:
Debian DSA-1340-1 2007-07-24
Mandriva MDKSA-2007:150 2007-07-25
Gentoo 200708-04 2007-08-09
SuSE SUSE-SR:2007:015 2007-08-03

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2007-3642
Created:July 23, 2007 Updated:November 13, 2007
Description: The decode_choice function in net/netfilter/nf_conntrack_h323_asn1.c in the Linux kernel before 2.6.22 allows remote attackers to cause a denial of service (crash) via an encoded, out-of-range index value for a choice field, which triggers a NULL pointer dereference.
Alerts:
Fedora FEDORA-2007-1130 2007-07-20
Fedora FEDORA-2007-655 2007-08-09
Debian DSA-1356-1 2007-08-15
Ubuntu USN-510-1 2007-08-31

Comments (none posted)

lighttpd: denial of service

Package(s):lighttpd CVE #(s):CVE-2007-3946 CVE-2007-3947 CVE-2007-3948 CVE-2007-3949 CVE-2007-3950
Created:July 19, 2007 Updated:February 27, 2008
Description: The lighttpd web server has multiple vulnerabilities involving a remote access-control setting circumvention that is performed by the sending of malformed requests. This can be used to crash the server and cause a denial of service.
Alerts:
rPath rPSA-2007-0145-1 2007-07-19
Foresight FLEA-2007-0034-1 2007-07-26
Fedora FEDORA-2007-1299 2007-07-26
Gentoo 200708-11 2007-08-16
Debian DSA-1362 2007-08-29
SuSE SUSE-SR:2007:015 2007-08-03

Comments (none posted)

nginx: cross site scripting

Package(s):nginx CVE #(s):
Created:July 20, 2007 Updated:July 25, 2007
Description: Nginx [engine x] is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server written by Igor Sysoev. The "msie_refresh" directive could allow cross site scripting.
Alerts:
Fedora FEDORA-2007-1158 2007-07-19

Comments (none posted)

nvclock: insecure tmp file usage

Package(s):nvclock CVE #(s):CVE-2007-3531
Created:July 25, 2007 Updated:July 25, 2007
Description: A local attacker could create a specially crafted temporary file in /tmp to execute arbitrary code with the privileges of the user running NVClock.
Alerts:
Gentoo 200707-08 2007-07-24

Comments (1 posted)

redhat-cluster-suite: denial of service

Package(s):redhat-cluster-suite CVE #(s):CVE-2007-3380
Created:July 19, 2007 Updated:November 14, 2007
Description: The redhat cluster suite's cluster manager is vulnerable to a remote attack. Attackers can connect to the DLM port and block subsequent DLM operations, resulting in a denial of service.
Alerts:
Ubuntu USN-489-2 2007-07-19
Red Hat RHSA-2007:0940-01 2007-10-22
Ubuntu USN-489-1 2007-07-19

Comments (1 posted)

tcpdump: integer overflow

Package(s):tcpdump CVE #(s):CVE-2007-3798
Created:July 20, 2007 Updated:November 15, 2007
Description: An integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6 and earlier allows remote attackers to execute arbitrary code via crafted TLVs in a BGP packet, related to an unchecked return value.
Alerts:
rPath rPSA-2007-0147-1 2007-07-20
Mandriva MDKSA-2007:148 2007-07-25
Gentoo 200707-14 2007-07-28
Ubuntu USN-492-1 2007-07-30
Fedora FEDORA-2007-1361 2007-07-31
Fedora FEDORA-2007-654 2007-08-01
Debian DSA-1353-1 2007-08-11
Slackware SSA:2007-230-01 2007-08-20
Red Hat RHSA-2007:0368-03 2007-11-07
Red Hat RHSA-2007:0387-02 2007-11-15

Comments (none posted)

Updated vulnerabilities

Asterisk: two SIP denial of service vulnerabilities

Package(s):Asterisk CVE #(s):CVE-2007-1561 CVE-2007-1594
Created:April 3, 2007 Updated:August 27, 2007
Description: The Madynes research team at INRIA has discovered that Asterisk contains a null pointer dereferencing error in the SIP channel when handling INVITE messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to properly handle SIP responses with return code 0. A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP message or answering with a 0 return code.
Alerts:
Gentoo 200704-01 2007-04-02
SuSE SUSE-SA:2007:034 2007-06-06
Debian DSA-1358-1 2007-08-26

Comments (none posted)

HelixPlayer: arbitrary code execution

Package(s):HelixPlayer CVE #(s):CVE-2007-3410
Created:June 27, 2007 Updated:September 17, 2007
Description: A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. It was possible for a malformed SMIL file to execute arbitrary code with the permissions of the user running HelixPlayer. (CVE-2007-3410)
Alerts:
Red Hat RHSA-2007:0605-01 2007-06-27
Fedora FEDORA-2007-0756 2007-06-29
Red Hat RHSA-2007:0841-01 2007-08-17
Gentoo 200709-05 2007-09-14

Comments (1 posted)

LedgerSMB: authentication bypass

Package(s):LedgerSMB CVE #(s):
Created:July 18, 2007 Updated:July 18, 2007
Description: The problem occurs because of a flaw in the redirect code which was replaced in order to support additional environments. The redirection code in this case can be accessed through the login module and tricked into providing access without proper authentication.
Alerts: (No alerts in the database for this vulnerability)

Comments (none posted)

Sun JDK/JRE: multiple vulnerabilities

Package(s):Sun JDK/JRE CVE #(s):CVE-2007-2435 CVE-2007-2788 CVE-2007-2789
Created:June 1, 2007 Updated:December 12, 2007
Description: An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files.
Alerts:
Gentoo 200705-23 2007-05-31
Gentoo 200706-08 2007-06-26
SuSE SUSE-SA:2007:045 2007-07-18
Red Hat RHSA-2007:0817-01 2007-08-06
Red Hat RHSA-2007:1086-01 2007-12-12

Comments (none posted)

X.org: temp file vulnerability

Package(s):X.org CVE #(s):CVE-2007-3103
Created:July 12, 2007 Updated:July 31, 2007
Description: The X.Org X11 xfs font server has a temp file vulnerability in the startup script. A local user can modify the permissions of the script in order to elevate their local privileges.
Alerts:
Red Hat RHSA-2007:0519-01 2007-07-12
Red Hat RHSA-2007:0520-01 2007-07-12
Foresight FLEA-2007-0031-1 2007-07-12
rPath rPSA-2007-0141-1 2007-07-17
Debian DSA-1342-1 2007-07-30

Comments (none posted)
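
The nvclock and xfs entries above are the same class of bug: a program trusts a predictable name under /tmp that a local attacker can plant first. The following added example (not nvclock's or X.org's code) shows the vulnerable open beside the two fixes, and simulates the symlink attack in a throwaway directory. The file name, the target file and the stand-in directory are this example's constructions.

```python
"""Added example, not nvclock's or X.org's code: the /tmp symlink race
behind both of these bugs, and the fix.

A program that opens a predictable name under /tmp with O_CREAT but
without O_EXCL reuses whatever a local attacker planted there first.  A
symlink redirects the write into any file the victim can write; a
pre-created file lets the attacker pick the content or mode of something
the victim later executes or trusts.  A throwaway directory stands in
for /tmp so the demonstration runs unprivileged.
"""
import os
import tempfile

PREDICTABLE = "victim.tmp"  # constructed name standing in for e.g. /tmp/<prog>.<pid>


def insecure_write(tmpdir, data):
    """Vulnerable pattern: fixed name, O_CREAT|O_TRUNC, symlinks followed."""
    path = os.path.join(tmpdir, PREDICTABLE)
    with open(path, "w") as f:
        f.write(data)
    return path


def exclusive_write(tmpdir, data):
    """Same fixed name, but O_CREAT|O_EXCL|O_NOFOLLOW and mode 0600:
    if anything already sits at the path the open fails instead of
    silently reusing the attacker's file or symlink."""
    path = os.path.join(tmpdir, PREDICTABLE)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)      # raises FileExistsError if planted
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def secure_write(tmpdir, data):
    """Preferred fix: mkstemp() picks an unpredictable name and opens it
    with O_CREAT|O_EXCL (and O_NOFOLLOW where available), mode 0600."""
    fd, path = tempfile.mkstemp(prefix="victim.", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def simulate_attack(writer):
    """Attacker plants a symlink at the predictable path pointing at a file
    the victim can write but the attacker cannot, then the victim runs
    writer().  Returns (target_overwritten, error_raised)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        target = os.path.join(tmpdir, "protected_target")
        with open(target, "w") as f:
            f.write("original contents")
        os.symlink(target, os.path.join(tmpdir, PREDICTABLE))
        try:
            writer(tmpdir, "attacker-controlled contents")
            error = None
        except OSError as e:
            error = type(e).__name__
        with open(target) as f:
            overwritten = f.read() != "original contents"
        return overwritten, error


if __name__ == "__main__":
    for w in (insecure_write, exclusive_write, secure_write):
        print("%-16s overwritten=%s error=%s" % ((w.__name__,) + simulate_attack(w)))
```

Only the insecure writer follows the planted symlink. The O_EXCL variant fails loudly, which is the right outcome for a fixed name; mkstemp() avoids the collision altogether. The same exclusive open also defeats the xfs-style variant where the attacker pre-creates a regular file with permissions of their choosing, since the victim never reuses an existing file.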

apache2: information disclosure

Package(s):apache CVE #(s):CVE-2007-1862
Created:June 20, 2007 Updated:February 18, 2008
Description: From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users."
Alerts:
Mandriva MDKSA-2007:127 2007-06-19
Fedora FEDORA-2007-0704 2007-06-26
Fedora FEDORA-2008-1711 2008-02-15

Comments (2 posted)

apache: multiple vulnerabilities

Package(s):apache CVE #(s):CVE-2007-3304 CVE-2006-5752
Created:June 27, 2007 Updated:February 18, 2008
Description: The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker who has the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated, which could lead to a denial of service. (CVE-2007-3304)

A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752)

Alerts:
Red Hat RHSA-2007:0532-01 2007-06-26
Red Hat RHSA-2007:0533-01 2007-06-27
Red Hat RHSA-2007:0534-01 2007-06-26
Red Hat RHSA-2007:0556-01 2007-06-26
rPath rPSA-2007-0136-1 2007-06-27
Fedora FEDORA-2007-617 2007-07-02
Mandriva MDKSA-2007:140 2007-07-04
Mandriva MDKSA-2007:141 2007-07-04
Mandriva MDKSA-2007:142 2007-07-04
Fedora FEDORA-2007-615 2007-07-12
Red Hat RHSA-2007:0557-01 2007-07-13
Red Hat RHSA-2007:0662-01 2007-07-13
Ubuntu USN-499-1 2007-08-16
rPath rPSA-2007-0182-1 2007-09-14
Fedora FEDORA-2007-2214 2007-09-18
SuSE SUSE-SA:2007:061 2007-11-19
Fedora FEDORA-2008-1711 2008-02-15

Comments (1 posted)

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:February 5, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
Red Hat RHSA-2006:0618-01 2006-08-08
Red Hat RHSA-2006:0619-01 2006-08-10
Debian DSA-1167-1 2006-09-04
SuSE SUSE-SA:2006:051 2006-09-08
Ubuntu USN-575-1 2008-02-04

Comments (none posted)

avahi: denial of service

Package(s):avahi CVE #(s):CVE-2007-3372
Created:June 28, 2007 Updated:September 18, 2007
Description: Avahi is vulnerable to a local denial of service: a local user can make the daemon hit a failing assert() and abort.
Alerts:
Foresight FLEA-2007-0030-1 2007-06-28
Mandriva MDKSA-2007:185 2007-09-17

Comments (none posted)

bugzilla: multiple vulnerabilities

Package(s):bugzilla CVE #(s):CVE-2006-5453 CVE-2006-5454 CVE-2006-5455
Created:November 10, 2006 Updated:August 28, 2007
Description: Bugzilla has the following vulnerabilities:

Input data passed to various fields is not properly sanitized before being passed back to users.

Users can gain unauthorized access to read attachment descriptions while using diff mode.

HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification.

Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users.

Alerts:
Gentoo 200611-04 2006-11-09
Debian DSA-1208-1 2006-11-11

Comments (none posted)

clamav: denial of service

Package(s):clamav CVE #(s):CVE-2007-2650
Created:June 5, 2007 Updated:July 20, 2007
Description: A vulnerability in the OLE2 parser in ClamAV was found that could allow a remote attacker to cause a denial of service via resource consumption with a carefully crafted OLE2 file.
Alerts:
Mandriva MDKSA-2007:115 2007-06-04
SuSE SUSE-SA:2007:033 2007-06-06
Trustix TSLSA-2007-0020 2007-06-08
Gentoo 200706-05 2007-06-15
Debian DSA-1320-1 2007-06-23
Fedora FEDORA-2007-1154 2007-07-19

Comments (none posted)

cups: denial of service

Package(s):cups CVE #(s):CVE-2007-0720
Created:March 26, 2007 Updated:February 7, 2008
Description: Previous versions of the cups package could be forced to hang via a client "partially negotiating" an ssl connection. In this state, cups would not allow other connections to be made, a denial of service.
Alerts:
Foresight FLEA-2007-0003-1 2007-03-25
Gentoo 200703-28 2007-03-31
Red Hat RHSA-2007:0123-01 2007-04-16
Mandriva MDKSA-2007:086 2007-04-16
Mandriva MDVSA-2008:036 2008-02-06

Comments (none posted)

curl: insufficient verification methods

Package(s):curl CVE #(s):CVE-2007-3564
Created:July 17, 2007 Updated:July 19, 2007
Description: The GnuTLS certificate verification methods implemented in Curl did not check for expiration and activation dates. When performing validations, tools using libcurl3-gnutls would incorrectly allow connections to sites using expired certificates.
Alerts:
Ubuntu USN-484-1 2007-07-17
Debian DSA-1333 2007-07-18

Comments (2 posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Gentoo 200604-09 2006-04-21
Ubuntu USN-272-1 2006-04-24
Mandriva MDKSA-2006:073 2006-04-24
Debian DSA-1042-1 2006-04-25
Fedora FEDORA-2006-515 2006-05-04
SuSE SUSE-SA:2006:025 2006-05-05
Red Hat RHSA-2007:0795-01 2007-09-04
Red Hat RHSA-2007:0878-01 2007-09-04

Comments (none posted)

dovecot: directory traversal

Package(s):dovecot CVE #(s):CVE-2007-2231
Created:May 8, 2007 Updated:August 29, 2007
Description: Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
Alerts:
Fedora FEDORA-2007-493 2007-05-07
Ubuntu USN-487-1 2007-07-17
Debian DSA-1359-1 2007-08-28

Comments (none posted)

emacs21: denial of service

Package(s):emacs21 CVE #(s):CVE-2007-2833
Created:June 21, 2007 Updated:August 29, 2007
Description: The emacs21 editor has a denial of service vulnerability. emacs21 can be made to crash by viewing "certain types of images".
Alerts:
Debian DSA 1316-1 2007-06-21
Mandriva MDKSA-2007:133 2007-06-21
rPath rPSA-2007-0133-1 2007-06-25
Ubuntu USN-504-1 2007-08-28

Comments (none posted)

evolution: format string error

Package(s):evolution CVE #(s):CVE-2007-1002
Created:March 27, 2007 Updated:February 27, 2008
Description: A format string error in the "write_html()" function in calendar/gui/e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers.
Alerts:
Mandriva MDKSA-2007:070 2007-03-27
Fedora FEDORA-2007-393 2007-04-04
Fedora FEDORA-2007-404 2007-04-04
Foresight FLEA-2007-0010-1 2007-04-05
Red Hat RHSA-2007:0158-01 2007-05-03
Gentoo 200706-02 2007-06-06
SuSE SUSE-SR:2007:015 2007-08-03

Comments (1 posted)

pop mail man-in-the-middle attacks

Package(s):evolution thunderbird mutt fetchmail CVE #(s):CVE-2007-1558
Created:May 8, 2007 Updated:August 7, 2007
Description: The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird, (2) Evolution, (3) mutt, and (4) fetchmail.
Alerts:
Fedora FEDORA-2007-485 2007-05-07
Fedora FEDORA-2007-484 2007-05-07
Red Hat RHSA-2007:0353-01 2007-05-17
Mandriva MDKSA-2007:105 2007-05-17
Mandriva MDKSA-2007:107 2007-05-19
Red Hat RHSA-2007:0344-01 2007-05-30
Fedora FEDORA-2007-540 2007-05-30
Fedora FEDORA-2007-539 2007-05-30
Red Hat RHSA-2007:0401-01 2007-05-30
Fedora FEDORA-2007-551 2007-05-31
Fedora FEDORA-2007-550 2007-05-31
Fedora FEDORA-2007-552 2007-05-31
Fedora FEDORA-2007-0001 2007-06-01
Red Hat RHSA-2007:0386-01 2007-06-04
Mandriva MDKSA-2007:113 2007-06-04
rPath rPSA-2007-0114-1 2007-06-04
Red Hat RHSA-2007:0385-01 2007-06-07
rPath rPSA-2007-0122-1 2007-06-14
Foresight FLEA-2007-0026-1 2007-06-18
rPath rPSA-2007-0127-1 2007-06-19
Fedora FEDORA-2007-1447 2007-08-06

Comments (none posted)
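
The APOP weakness described above is a design-level issue in the protocol, so it is worth seeing the exchange itself. The following added example (not code from any of the listed clients) runs both sides of an APOP login and shows a client that refuses to answer a banner which is not a well-formed msg-id, the general shape of the defence the affected clients adopted. The strict syntax regex, the test credential and the stand-in "collision block" in the attacker's greeting are this example's assumptions; no real MD5 collision is constructed.

```python
"""Added example, not code from any of the listed clients: the APOP
exchange (RFC 1939) and the client-side check that blunts this attack.

APOP answers a server greeting containing a timestamp banner with
MD5(banner + password).  Because the server picks the banner, a
man-in-the-middle can feed the client banners built around MD5 collision
blocks and learn password characters a few at a time.  Building those
collisions is out of scope here; the example shows the exchange and a
client that refuses to answer unless the banner is a syntactically valid
msg-id (<left@right>, printable ASCII, no whitespace or angle brackets
inside), a shape the binary collision blocks cannot take.  Treating that
syntax check as the defence, and the test credential, are this example's
assumptions.
"""
import hashlib
import hmac
import re
import secrets
import time

# Strict msg-id: '<' local-part '@' domain '>' with only printable ASCII
# other than '<', '>' and '@' on either side (no spaces, controls, 8-bit).
_ATOM = r"[\x21-\x3b\x3d\x3f\x41-\x7e]+"
MSG_ID = re.compile(r"^<%s@%s>$" % (_ATOM, _ATOM))


def server_greeting(hostname):
    """Honest server: fresh, unique timestamp banner in the +OK greeting."""
    return "+OK POP3 ready <%d.%d@%s>" % (
        secrets.randbelow(1 << 31), int(time.time()), hostname)


def extract_banner(greeting):
    """Client side: the timestamp is the first <...> token in the greeting."""
    m = re.search(r"<[^>]*>", greeting)
    return m.group(0) if m else None


def apop_digest(banner, password):
    """Both sides compute MD5 over banner || password (RFC 1939, section 7)."""
    return hashlib.md5((banner + password).encode("latin-1")).hexdigest()


def client_respond(greeting, user, password, strict=True):
    """Client: answer with 'APOP user digest', or refuse a malformed banner."""
    banner = extract_banner(greeting)
    if banner is None:
        raise ValueError("server offered no APOP timestamp")
    if strict and not MSG_ID.match(banner):
        raise ValueError("refusing APOP: malformed timestamp %r" % banner)
    return "APOP %s %s" % (user, apop_digest(banner, password))


def server_verify(banner, command, passwords):
    """Server: recompute from the stored clear-text password and compare."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP" or parts[1] not in passwords:
        return False
    return hmac.compare_digest(parts[2], apop_digest(banner, passwords[parts[1]]))


def mitm_greeting():
    """Attacker's greeting: the msg-id carries a stand-in for a 64-byte MD5
    collision block (constructed junk here, not a real collision)."""
    junk = "".join(chr(b) for b in (0x00, 0x07, 0x8c, 0xe9, 0x20, 0x3c, 0xff))
    return "+OK <%s@attacker>" % junk


def honest_exchange(user, password):
    """Full run: server greets, client answers, server checks."""
    greeting = server_greeting("pop.example.test")
    command = client_respond(greeting, user, password)
    return server_verify(extract_banner(greeting), command, {user: password})
```

The strict client never hands the attacker a digest over a chosen binary prefix, which is what the collision-based guessing needs. The check is a mitigation, not a fix: APOP still requires the server to hold clear-text passwords and still rests on MD5, so the durable answer is TLS-protected authentication.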

evolution-data-server: malicious server arbitrary code execution

Package(s):evolution-data-server CVE #(s):CVE-2007-3257
Created:June 18, 2007 Updated:November 7, 2007
Description: From the GNOME bugzilla: "The "SEQUENCE" value in the GData of the IMAP code (camel-imap-folder.c) is converted from a string using strtol. This allows for negative values. The imap_rescan uses this value as an int. It checks for !seq and seq>summary.length. It doesn't check for seq < 0. Although seq is used as the index of an array."
Alerts:
Fedora FEDORA-2007-0464 2007-06-16
Ubuntu USN-475-1 2007-06-21
Debian DSA-1321-1 2007-06-23
Red Hat RHSA-2007:0509-01 2007-06-25
Red Hat RHSA-2007:0510-01 2007-06-25
Mandriva MDKSA-2007:136 2007-06-26
Fedora FEDORA-2007-595 2007-06-27
Fedora FEDORA-2007-594 2007-06-27
Debian DSA-1325-1 2007-06-29
SuSE SUSE-SA:2007:042 2007-07-05
Gentoo 200707-03 2007-07-02
Gentoo 200711-04 2007-11-06

Comments (1 posted)

fail2ban: log injection vulnerability

Package(s):fail2ban CVE #(s):
Created:June 22, 2007 Updated:July 30, 2007
Description: fail2ban 0.8 is susceptible to a log injection vulnerability. See this ossec.net entry for more information.
Alerts:
Fedora FEDORA-2007-0621 2007-06-21
Gentoo 200707-13 2007-07-28

Comments (none posted)

fail2ban: denial of service

Package(s):fail2ban CVE #(s):CVE-2006-6302
Created:February 16, 2007 Updated:July 30, 2007
Description: fail2ban 0.7.4 and earlier does not properly parse sshd log files, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in to ssh using a login name containing certain strings with an IP address.
Alerts:
Gentoo 200702-05 2007-02-16

Comments (3 posted)
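
Both fail2ban entries above come down to one mistake: extracting the offending address from a log line whose middle the attacker controls. The following added example (not fail2ban's code) runs a naive and an anchored sshd failregex over constructed log lines containing an injected login name and shows which address each would ban. The log lines, addresses and regexes are this example's constructions, not fail2ban's shipped filters.

```python
"""Added example, not fail2ban's code: log injection against a naive sshd
failregex, and the anchored form that resists it.

sshd copies the login name the client typed into its log line.  A name
like 'root from 192.0.2.10' plants a decoy 'from <ip>' in front of the
real one, so a regex that takes the first 'from <ip>' it sees extracts
the attacker-chosen address: a victim gets written to hosts.deny while
the attacker's own source is never banned.  The fix is to take the
address from the position sshd itself writes, at the end of the line,
where client input cannot reach.  The log lines are constructed.
"""
import re
from collections import Counter

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Naive patterns: unanchored, first 'from <ip>' wins.
NAIVE = [
    re.compile(r"Invalid user \S+ from (?P<ip>%s)" % IPV4),
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>%s) port \d+ ssh2" % IPV4),
]

# Anchored patterns: greedy '.*' skips any decoys in the user-controlled
# name and '$' pins the capture to the trailing field sshd wrote.
ANCHORED = [
    re.compile(r"Invalid user .* from (?P<ip>%s)$" % IPV4),
    re.compile(r"Failed password for .* from (?P<ip>%s) port \d+ ssh2$" % IPV4),
]

ATTACKER = "198.51.100.7"
DECOY = "192.0.2.10"

# Constructed sshd lines.  Lines 2 and 3 carry the injected login names
# 'root from 192.0.2.10' and 'bob from 192.0.2.10 port 22 ssh2'.
LOG = [
    "Jul 24 10:00:01 host sshd[2214]: Invalid user admin from %s" % ATTACKER,
    "Jul 24 10:00:02 host sshd[2215]: Invalid user root from %s from %s" % (DECOY, ATTACKER),
    "Jul 24 10:00:03 host sshd[2216]: Failed password for invalid user bob from %s port 22 ssh2 from %s port 40022 ssh2" % (DECOY, ATTACKER),
]


def extract_ip(line, patterns):
    """Return the address the first matching pattern captures, or None."""
    for pat in patterns:
        m = pat.search(line)
        if m:
            return m.group("ip")
    return None


def ban_counts(lines, patterns):
    """Count failures per extracted address, as a ban decision would."""
    return Counter(ip for ip in (extract_ip(l, patterns) for l in lines) if ip)


if __name__ == "__main__":
    print("naive   :", dict(ban_counts(LOG, NAIVE)))
    print("anchored:", dict(ban_counts(LOG, ANCHORED)))
```

The naive filter attributes two of the three failures to the decoy address and would ban it; the anchored filter attributes all three to the real source. Anchoring only works because sshd writes the genuine address after the user-controlled field, so the rule is to anchor on the fields the daemon emits, never on text a client can shape, and to validate the captured address before it reaches hosts.deny.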

file: integer overflow

Package(s):file CVE #(s):CVE-2007-2799
Created:June 1, 2007 Updated:October 19, 2007
Description: Colin Percival from FreeBSD reported that the previous fix for the file_printf() buffer overflow introduced a new integer overflow. A remote attacker could entice a user to run the file program on an overly large file (more than 1Gb) that would trigger an integer overflow on 32-bit systems, possibly leading to the execution of arbitrary code with the rights of the user running file.
Alerts:
Gentoo 200705-25 2007-05-31
Mandriva MDKSA-2007:114 2007-06-05
Ubuntu USN-439-2 2007-06-11
Fedora FEDORA-2007-541 2007-06-11
Fedora FEDORA-2007-538 2007-06-11
Fedora FEDORA-2007-0836 2007-07-03
SuSE SUSE-SA:2007:040 2007-07-04
Debian DSA-1343-1 2007-07-31
Debian DSA-1343-2 2007-09-25
Gentoo 200710-19 2007-10-18

Comments (3 posted)

firebird: buffer overflow

Package(s):firebird CVE #(s):CVE-2007-3181
Created:July 2, 2007 Updated:March 27, 2008
Description: The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user.
Alerts:
Gentoo 200707-01 2007-07-01
Debian DSA-1529-1 2008-03-24

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox mozilla seamonkey thunderbird CVE #(s):CVE-2007-1362 CVE-2007-2867 CVE-2007-2868 CVE-2007-2869 CVE-2007-2870 CVE-2007-2871
Created:June 4, 2007 Updated:August 29, 2007
Description: Various flaws were discovered in the layout and JavaScript engines. By tricking a user into opening a malicious web page, an attacker could execute arbitrary code with the user's privileges. (CVE-2007-2867, CVE-2007-2868)

A flaw was discovered in the form autocomplete feature. By tricking a user into opening a malicious web page, an attacker could cause a persistent denial of service. (CVE-2007-2869)

Nicolas Derouet discovered flaws in cookie handling. By tricking a user into opening a malicious web page, an attacker could force the browser to consume large quantities of disk or memory while processing long cookie paths. (CVE-2007-1362)

A flaw was discovered in the same-origin policy handling of the addEventListener JavaScript method. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-2870) Chris Thomas discovered a flaw in XUL popups. A malicious web site could exploit this to spoof or obscure portions of the browser UI, such as the location bar. (CVE-2007-2871)

Alerts:
Ubuntu USN-468-1 2007-06-01
Slackware SSA:2007-152-02 2007-06-04
Ubuntu USN-469-1 2007-06-05
Debian DSA-1300-1 2007-06-07
Debian DSA-1306-1 2007-06-12
Debian DSA-1305-1 2007-06-13
Mandriva MDKSA-2007:119 2007-06-12
Mandriva MDKSA-2007:120 2007-06-12
Debian DSA-1308-1 2007-06-14
Slackware SSA:2007-165-01 2007-06-15
Mandriva MDKSA-2007:126 2007-06-15
Mandriva MDKSA-2007:126-1 2007-06-16
Fedora FEDORA-2007-0544 2007-06-18
Foresight FLEA-2007-0027-1 2007-06-20
Gentoo 200706-06 2007-06-19
Mandriva MDKSA-2007:131 2007-06-20
SuSE SUSE-SA:2007:036 2007-06-27
Ubuntu USN-469-2 2007-08-29

Comments (3 posted)

firefox, thunderbird, seamonkey: multiple vulnerabilities

Package(s):firefox, thunderbird, seamonkey CVE #(s):CVE-2007-3738 CVE-2007-3656 CVE-2007-3670 CVE-2007-3285 CVE-2007-3737 CVE-2007-3089 CVE-2007-3736 CVE-2007-3734 CVE-2007-3735
Created:July 18, 2007 Updated:March 31, 2008
Description: shutdown and moz_bug_r_a4 reported two separate ways to modify an XPCNativeWrapper such that subsequent access by the browser would result in executing user-supplied code. (CVE-2007-3738)

Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents. It is possible to access wyciwyg:// documents without proper same-domain policy checks through the use of HTTP 302 redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages, perform cache poisoning, and execute their own code or display their own content with the URL bar and SSL certificate data of the attacked page (URL spoofing++). (CVE-2007-3656)

Internet Explorer calls registered URL protocols without escaping quotes and may be used to pass unexpected and potentially dangerous data to the application that registers that URL Protocol. (CVE-2007-3670)

Ronald van den Heetkamp reported that a filename URL containing %00 (encoded null) can cause Firefox to interpret the file extension differently than the underlying Windows operating system potentially leading to unsafe actions such as running a program. This is only accessible locally. (CVE-2007-3285)

An attacker can use an element outside of a document to call an event handler allowing content to run arbitrary code with chrome privileges. (CVE-2007-3737)

Ronen Zilberman and Michal Zalewski both reported that it was possible to exploit a timing issue to inject content into about:blank frames in a page. When opening a window from a script, it is possible to spoof the content of the newly opened window's frames within a short time frame, while the window is loading. (CVE-2007-3089)

Mozilla contributor moz_bug_r_a4 demonstrated that the methods addEventListener and setTimeout could be used to inject script into another site in violation of the browser's same-origin policy. This could be used to access or modify private or valuable information from that other site. (CVE-2007-3736)

As part of the Firefox 2.0.0.5 update releases Mozilla developers fixed many bugs to improve the stability of the product. Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735)

Alerts:
Fedora FEDORA-2007-1138 2007-07-18
Fedora FEDORA-2007-1142 2007-07-18
Fedora FEDORA-2007-1144 2007-07-18
Fedora FEDORA-2007-1143 2007-07-18
Red Hat RHSA-2007:0722-01 2007-07-18
Red Hat RHSA-2007:0723-01 2007-07-18
Red Hat RHSA-2007:0724-01 2007-07-18
Fedora FEDORA-2007-1155 2007-07-19
Fedora FEDORA-2007-1157 2007-07-19
Fedora FEDORA-2007-1159 2007-07-19
Slackware SSA:2007-200-01 2007-07-20
Ubuntu USN-490-1 2007-07-19
rPath rPSA-2007-0148-1 2007-07-20
Fedora FEDORA-2007-641 2007-07-20
Fedora FEDORA-2007-642 2007-07-20
Debian DSA-1337-1 2007-07-22
Fedora FEDORA-2007-1180 2007-07-20
Fedora FEDORA-2007-1181 2007-07-20
Debian DSA-1338-1 2007-07-23
Debian DSA-1339-1 2007-07-23
Foresight FLEA-2007-0033-1 2007-07-24
Slackware SSA:2007-205-01 2007-07-25
Slackware SSA:2007-205-02 2007-07-25
SuSE SUSE-SA:2007:049 2007-08-02
Slackware SSA:2007-222-04 2007-08-13
Ubuntu USN-503-1 2007-08-24
Mandriva MDVSA-2007:047 2007-02-19
Debian DSA-1532-1 2008-03-27
Debian DSA-1534-1 2008-03-28
Debian DSA-1535-1 2008-03-30

Comments (none posted)
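
The CVE-2007-3285 item above (an encoded NUL in a file: URL making Firefox and Windows disagree about the extension) is an instance of a general bug pattern. The following added example (not Mozilla's code) shows the two views of such a name side by side and the check that rejects it. The file names are constructed; the "C string" view is simulated by truncating at the first NUL rather than by calling into C.

```python
"""Added example, not Mozilla's code: how an encoded NUL in a file name
makes two components disagree about its extension.

After percent-decoding, 'evil.exe%00.txt' is a string with a NUL byte in
the middle.  Code that treats the name as a length-counted string sees
'.txt'; code that passes it to a NUL-terminated C API stops at the NUL
and sees 'evil.exe'.  A safety decision made on one view and an action
taken on the other therefore concern different files.  The check is the
usual one: reject any decoded name containing a NUL before doing anything
with it.
"""
import os
from urllib.parse import unquote


def ext_counted(name):
    """The extension a length-aware string routine reports."""
    return os.path.splitext(name)[1]


def ext_c_string(name):
    """The extension after truncation at the first NUL, as a C API sees it."""
    return os.path.splitext(name.split("\x00", 1)[0])[1]


def views(url_name):
    """Decode a file: URL path component and return both extension views."""
    name = unquote(url_name)
    return ext_counted(name), ext_c_string(name)


def safe_extension(url_name):
    """Hardened: refuse names that decode to something containing a NUL."""
    name = unquote(url_name)
    if "\x00" in name:
        raise ValueError("NUL byte in decoded file name: %r" % name)
    return ext_counted(name)


if __name__ == "__main__":
    print("evil.exe%00.txt ->", views("evil.exe%00.txt"))
    print("report.pdf      ->", views("report.pdf"))
```

The same split applies anywhere a decoded name crosses a language boundary (a JavaScript or Python string handed to a C library), so the NUL check belongs at the decoding step, before any extension or content-type decision.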

flac123: arbitrary code execution

Package(s):flac123 CVE #(s):CVE-2007-3507
Created:July 13, 2007 Updated:October 22, 2007
Description: A stack-based buffer overflow in the local__vcentry_parse_value function in vorbiscomment.c in flac123 (aka flac-tools or flac) before 0.0.10 allows user-assisted remote attackers to execute arbitrary code via a large comment value_length.
Alerts:
Fedora FEDORA-2007-1045 2007-07-12
Gentoo 200709-06 2007-09-14

Comments (none posted)

flash-plugin: input validation flaw

Package(s):flash-plugin CVE #(s):CVE-2007-3456
Created:July 12, 2007 Updated:August 10, 2007
Description: The Adobe Flash Player browser plugin (flash-plugin) has an input validation flaw involving the display of certain content. If a user can be tricked into opening a specially crafted Adobe Flash file, it may be possible to execute arbitrary code.
Alerts:
Red Hat RHSA-2007:0696-01 2007-07-12
SuSE SUSE-SA:2007:046 2007-07-19
Foresight FLEA-2007-0032-1 2007-07-20
Gentoo 200708-01 2007-08-08

Comments (none posted)

freetype: arbitrary code execution

Package(s):freetype CVE #(s):CVE-2007-2754
Created:May 24, 2007 Updated:July 19, 2007
Description: The Freetype font rendering library versions 2.3.4 and below has an integer sign error. Remote attackers may be able to create a specially crafted TrueType Font file with a negative n_points value that will cause an integer overflow and heap-based buffer overflow, allowing the execution of arbitrary code.
Alerts:
OpenPKG OpenPKG-SA-2007.018 2007-05-24
Foresight FLEA-2007-0020-1 2007-05-21
rPath rPSA-2007-0108-1 2007-05-23
Trustix TSLSA-2007-0019 2007-05-25
Gentoo 200705-22 2007-05-30
Ubuntu USN-466-1 2007-05-30
Fedora FEDORA-2007-0033 2007-06-01
Debian DSA-1302-1 2007-06-10
Red Hat RHSA-2007:0403-01 2007-06-11
Foresight FLEA-2007-0025-1 2007-06-13
Mandriva MDKSA-2007:121 2007-06-13
Fedora FEDORA-2007-561 2007-06-18
SuSE SUSE-SA:2007:041 2007-07-04
Debian DSA-1334 2007-07-18

Comments (none posted)

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:October 10, 2007