Open-source badgeware
By Jonathan Corbet
July 31, 2007
"Badgeware" refers to a class of software with licenses requiring that some
sort of attribution of its origin be displayed in all copies. An example
which has seen much discussion over the last year is SugarCRM, whose
license required that every screen carry a 106x23 "Powered by SugarCRM"
logo and a copyright notice. This decoration was required for any program
derived from the SugarCRM code, even if it was far removed from SugarCRM in
its actual functionality. SugarCRM's pushing of this license and
describing it as "open source" caused a lot of fuss; many in the community
were glad when SugarCRM recently announced that it was dropping its
badgeware license in favor of GPLv3.
Badgeware licenses are seen widely (though not universally) as not being
free. "Free," for the purposes of a discussion like this, means compliant
with the Open Source
Definition. It is said that badgeware provisions interfere with
clause 3, which requires that it be possible to create derived works.
Since the attribution functionality cannot be removed, certain kinds of
modifications are prohibited by attribution requirements. Provision 6 says that there
cannot be any discrimination against any particular field of endeavor;
badgeware requirements can prevent code from running in a mode where there
is no graphical interface, or where the display is so small (on a phone
handset, for example) that the requisite attribution would take up most of
the useful space. And term 10 requires that the license be
technology-neutral, which is hard to achieve if the license is requiring
that attribution be displayed in specific ways.
Even so, attribution requirements are not unknown in free software
licenses. The OSI-approved Adaptive Public
License (APL) has such a requirement. Version 2 of the General Public
License puts this requirement on derived works:
If the modified program normally reads commands interactively when
run, you must cause it, when started running for such interactive
use in the most ordinary way, to print or display an announcement
including an appropriate copyright notice and a notice that there
is no warranty (or else, saying that you provide a warranty) and
that users may redistribute the program under these conditions, and
telling the user how to view a copy of this License. (Exception: if
the Program itself is interactive but does not normally print such
an announcement, your work based on the Program is not required to
print an announcement.)
Early versions of the BSD license also carried the infamous advertising
clause. So attribution requirements are not exactly a new thing. The
debate on those licenses has certainly not ended; a number of companies
have taken the liberty of calling their badgeware licenses "open source"
despite the lack of any certification from the Open Source Initiative. In
most cases, that certification has not even been requested, perhaps because
the companies involved fear that the answer would not be to their liking.
An exception has been Socialtext, which submitted its Common
Public Attribution License for OSI approval (after several previous
rounds) in June. There was a long, inconclusive discussion.
The OSI's license committee considered the license in July, but
was unable to provide a recommendation.
Committee chair Russ Nelson personally recommended approval, though,
saying:
The APL was not a widely used license, I suspect because of its
complexity. Let's give attribution requirements another chance in
a simpler license. If such a licensed software does not achieve
the Open Source effect, it will put the issue to rest.
Shortly thereafter, the OSI board took his advice and approved the CPAL as an open-source license.
The CPAL (in its final
form) is based strongly on the Mozilla Public License, but it adds two
terms to the end. One, of course, is the attribution requirement:
...the Original Developer may include in Exhibit B ("Attribution
Information") a requirement that each time an Executable and
Source Code or a Larger Work is launched or initially run (which
includes initiating a session), a prominent display of the Original
Developer's Attribution Information (as defined below) must occur
on the graphic user interface employed by the end user to access
such Covered Code (which may include display on a splash screen),
if any. The size of the graphic image should be consistent with the
size of the other elements of the Attribution Information. If the
access by the end user to the Executable and Source Code does not
create a graphic user interface for access to the Covered Code,
this obligation shall not apply.
There are some limits on the attribution information - the phrase cannot
exceed ten words, for example. The attribution need only be displayed at
startup time, and not on every screen as some other licenses have
required. If there is no graphical interface, there is no requirement to
display the attribution information. So it would seem that this is about
as gentle as attribution requirements can be expected to be - and it is no
worse than was already approved in the APL.
One interesting term appears not to have drawn much scrutiny:
You acknowledge that all trademarks, service marks and/or trade
names contained within the Attribution Information distributed with
the Covered Code are the exclusive property of their owners and may
only be used with the permission of their owners, or under
circumstances otherwise permitted by law or as expressly set out in
this License.
Nothing in the license grants any sort of permission to use any trademarks
which might be contained in the required attribution information. Since
display of the attribution information is required, a denial of the right
to use the trademark could potentially shut down any right to use the software at all.
So anybody who is considering building on a CPAL-licensed program would be
well advised to carefully study the trademark policies which apply to the
attribution information.
The CPAL also contains an Affero-style requirement that the source be made
available to anybody who uses the software. So anybody who builds a
web site based on CPAL-licensed code must be prepared to distribute their
source even if they are not distributing the software in any other form.
The reaction to this approval has not been universally positive. There are
many in our community who do not want to see badgeware legitimized as "open
source"; they see the CPAL as being a nose in the tent door with a very
large camel behind it. On the other hand, Socialtext has done its best to
play by the rules and has spent many months trying to craft attribution
terms which meet the community's standards. The real test, now, will be to
see whether others use this license or build upon CPAL-licensed software.
If that does not happen, the CPAL will have little effect regardless of
what the OSI thinks of it.
Comments (5 posted)
Thunderbird to form its own organization
By Jake Edge
August 1, 2007
A blog posting by Mitchell Baker, chief lizard wrangler and CEO at Mozilla
Corp., set off a firestorm of reaction, as it suggested that it might be best
for Thunderbird to split off from Mozilla. The reaction was probably much
stronger and louder than Baker expected, so she has followed up with a
number of additional posts, clarifying her statements. Though it is rather
counter-intuitive, it may actually be for the best; the main developers are
backing the plan. It could lead to bigger and better things for the
project.
Baker posted her thoughts last week, which were picked up by various online
news sources and the controversy began. Various conspiracy theories,
typically involving Google, were promulgated. The ultimate missions of both
the Mozilla Foundation (MF) and Mozilla Corp. (MC) were debated, and those
organizations were alternately ridiculed, reviled and defended. In short,
it was a typical internet flamefest, with far more
heat than light. Baker's original posting was lacking in many of the
details that she filled in later, making it far easier for commenters
to provide their own explanations. The picture that is emerging actually
seems quite positive for Thunderbird development.
Essentially, Baker, other Mozilla Foundation board members and the
lead developers all recognized that Thunderbird was not getting the
attention it deserved - it is overshadowed by Firefox, its higher profile
sibling. The MF has been focused on Firefox from the outset and
created Mozilla Corp. as the for-profit entity to handle the revenue
from the Firefox deal with Google. The vast majority of MC employees
are working on Firefox, which is not likely to change. The two Mozilla
entities want to focus their energy on Firefox - Thunderbird was
suffering because of it.
Thunderbird has never attracted the following that Firefox has. In terms
of users, developers and community members, Thunderbird is probably two
orders of magnitude smaller than Firefox. Increasing the size of the
Thunderbird community is at least part of what Baker is trying to do. Her
original post is titled Email Call to Action and contains some
thoughts about coming up with a wider email vision that have mostly been drowned out in
the Thunderbird governance debate.
Baker outlined three possible scenarios for how to move Thunderbird out
from under the current structure and asked for suggestions on others. The
first and second options are similar in that they create a new foundation
for Thunderbird, either as a subsidiary of MF or as a full-fledged company
of its own. Both are considered to have a fairly high overhead,
organizationally, and creating a subsidiary foundation still does not
really address the problem, as MF will still be dealing with
Thunderbird issues. The third option is to spin off the
developers into a small, independent, for-profit services and consulting
company, while turning Thunderbird into a Mozilla community project, like SeaMonkey. Another,
potentially viable, option has emerged from the comments: Thunderbird could
move to another organization (the Apache Foundation is often mentioned),
where it would be on a more equal footing with that organization's other
projects.
Based on the thoughts posted by Thunderbird lead developer Scott MacGregor,
it would appear that
the independent company option is emerging as the lead contender. It has
the advantage of being the simplest to set up and get going, with
"start-up" funding
being the major question. Based on Baker's posts, it would seem likely
that MC would help with funding, at least for a bit, but a revenue model of
some kind would have to come along relatively soon.
With Thunderbird as a community project, very little would change from an
external view. Development would stay on the Mozilla servers; the
source code repositories and bug tracking systems would not move. The main
difference would be that Thunderbird Corp. (or whatever it ends up being
called) would be responsible for making releases of the code, much like the
community handles SeaMonkey releases today. This would presumably allow
Thunderbird to be released on its own schedule, without any link to the
Firefox schedule.
A Thunderbird Corp. may very well struggle for revenue. MC has been so
successful because of their agreement with Google, making it the default
Firefox search engine and homepage. This has brought in tens of millions
of dollars in revenue, but it is hard to see how Thunderbird could
capitalize on a similar deal. Thunderbird is, at some level, in direct
competition with Google's Gmail service, which is what led some to believe
Google was behind the "ouster" of Thunderbird from Mozilla. Baker has clearly
stated that Google was completely uninvolved in the Thunderbird
discussion, but there are still some who believe otherwise.
Many vocal commenters on the various postings and stories are looking at
this as a hostile act by Mozilla. It appears, however, that this is truly an
attempt to recognize that things are not working and to try and find a
solution that will work. According to Baker, MacGregor and others, it
simply is not possible for two projects as disparate in size as Firefox and
Thunderbird to be handled within the same organization; the smaller always
gets the short end of the stick, a disproportionate short end. In order
for Thunderbird to thrive, it needs to find its own way.
It is hard to visualize Mozilla without Thunderbird or vice versa.
Thunderbird's adoption rate has definitely been helped by the association
with Mozilla (and Firefox). While they may officially be splitting up,
that may not affect very much in the minds of the public. SeaMonkey is
still associated with Mozilla, though it is run as a community project.
Thunderbird will still share lots of code with Firefox - the community
affiliation probably will not affect much; Thunderbird and Firefox are
likely inextricably linked.
The bigger question is whether a new Thunderbird organization can
continue to deliver email client innovation that can attract more users and
a larger community. The Lightning
calendar is something that Thunderbird has needed for a long time. It is
often the "yes, but" that is heard when organizations are considering
dropping proprietary alternatives in favor of Thunderbird. There are
plenty of new and exciting features on the Thunderbird
roadmap; it is merely a matter of choosing wisely, getting them
implemented and released, while struggling to find a revenue model that
works. It is a tall order, but, with a lot of hard work and a bit of luck,
it is achievable.
Comments (2 posted)
A turning point for open gadgets?
By Jonathan Corbet
July 31, 2007
The Economist recently ran an article on avoiding international roaming
rates associated with cellphone use while traveling. Your editor's recent
schedule has made him
rather more than usually interested in that subject, so the article seemed
worth a read. It seems that there are not a whole lot of truly viable
solutions available at the moment; the recommended approach appears to be
to get an unlocked GSM phone and buy SIM cards locally - not something one
needs an Economist subscription to know about. Happily, the article
concludes that "relief" is at hand; it then expends several paragraphs on
just what form that relief will take:
Several months before Steve Jobs, Apple's media-savvy boss, gave
the world its first tantalising glimpse of the iPhone, something
remarkably similar in appearance (but wholly different within) was
shown to the Linux software community and other open-source
evangelists. OpenMoko, an initiative aimed at developing all the
technology for a mobile smart phone based on non-proprietary Linux
software, is everything the iPhone could have been but is not.
The article notes that the openness of the platform means that users will
be able to install applications without the approval (or knowledge) of
their cellular providers. Those applications can include voice over IP
tools which can work via a data connection through a local GSM provider,
thus shorting out the roaming and long distance charges. But there's a lot
more that can be done - things that no cellular provider ever dreamed of.
LWN readers will have often heard your editor's contention that truly open
gadgets must, sooner or later, take over the market. But that takeover has
been discouragingly slow in coming. Manufacturers prefer to keep their
products closed and under their control; other forces, including pressures
to support DRM schemes and regulatory issues, also come into play here.
So, while we have more gadgets to play with than ever before, most of those
gadgets cannot be hacked upon and extended to do interesting new things -
at least, not without a serious effort on the community's part to crack
them open.
Awareness of the problems associated with closed devices has grown far more
slowly than many of us would like. Most consumers, it seems, are
interested in devices that Just Work and have little interest in extending
them. So there is little pressure in the market for more open devices,
and, thus, little incentive for manufacturers to offer them.
The cellular industry may just be the place where this tide begins to
turn. In the U.S., at least, this industry works under an exploitive and
controlling model. Handsets are usually purchased through the provider,
are locked to that provider, and lack any features which said provider
worries could damage its revenue model. So even simple and obvious
functions, like copying pictures from the handset onto its owner's
computer, tend to be blocked. Voice over IP functionality which could be
used to evade roaming charges in distant countries is entirely out of the
question (though T-Mobile has just launched an interesting plan which
enables free calls from WiFi hotspots).
The cellular telephone has become an increasingly personal and
indispensable tool. It is picking up a number of interesting new
capabilities. Almost everybody has one in the richer parts of the world -
and, often, in the less-rich parts as well. Phones which carry arbitrary
restrictions designed to further somebody else's agenda will get the
attention of people who are not ordinarily tuned into software freedom
issues. That will be especially true when freer alternatives are out there
and their potential becomes clear.
So the OpenMoko phone may yet prove to be the revolutionary device that
some of its backers have promised. Unlike every other Linux-based cellular
phone produced so far, it will be an open system, free for anybody to
extend in any number of ways. If this phone lives up to its potential at
all, people will see what it can do and start asking why their shiny new
handset can't be extended in the same ways. They might just start
demanding a higher degree of openness from their vendors and/or providers.
If we are lucky, purveyors of closed devices will start finding it harder
to compete. Maybe, just maybe, the OpenMoko phone will succeed in teaching
people about the value of free devices and, as a result, help bring an end
to an era of hardware designed to serve the interests of people other than
its owner.
[As to whether the OpenMoko will live up to its potential: LWN has ordered
one of their early development devices with the idea of writing an article
or two about it. Anybody who has been following that situation knows that
OpenMoko's fulfillment operation is currently not living up to much
of any potential. Stay tuned, hopefully we'll have a device to review
sometime soon.]
Comments (26 posted)
Page editor: Jonathan Corbet
Security
Our devices are spilling our secrets
By Jake Edge
August 1, 2007
Recent news about a certain much-anticipated work of fiction being posted
to the internet, in advance of its scheduled release, was not terribly
surprising. The method used was, perhaps, a bit crude, and certainly time
consuming, but it got the job done. Unbeknownst to the anonymous poster,
their camera helpfully provided some extra information that might be used
to track them down. Our devices are
collecting all kinds of data about our habits and they are increasingly
divulging that data in unexpected ways.
In the case of the Harry Potter book, the camera serial number was recorded
in the Exchangeable image file format
(Exif) data of the JPEG files of each page. Based on that information,
Canon, the camera's manufacturer, may be able to match the camera to its
original purchaser. If the camera has been serviced in the three years
since it was released, that would also create an entry matching the serial
number to the owner at that time. Neither of those conclusively links a
person to the "crime", if it even is a crime, but they could give any
investigators a good place to start.
It could have been a lot worse - some camera models have GPS capability
built-in with Exif fields available to store that information on each shot.
Perhaps the photo shoot happened deep enough inside some building that the
GPS would not work, but over the hours it took to do that project, it seems
quite possible that at least one shot would get tagged. It would be pretty
easy to track down where the photos were taken if some were tagged
with latitude and longitude coordinates. If it did not bring the police
around, it certainly might have brought legions of Potter fans, eager to
acquire the book early.
GPS data encoded into each photograph that you take is a useful
feature, keeping track of where the photos were taken some years down the
road after (human) memory has failed. The other Exif data, much of which
is detailed information about camera settings, is probably quite useful to
photographers and is much simpler than trying to keep a record of
exposure settings as you take pictures. Gathering and storing the data
is quite helpful; it is the unexpected disclosure that causes problems.
It would be easy to ignore this problem, writing it off to an ignorant
user who should have scrubbed the Exif data before posting,
but the problem comes in other guises as well.
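As an added illustration (not code from the article), here is Python that builds a constructed JPEG carrying a minimal Exif block with a camera serial number, reports the fields that can tie a file to a camera body or a location, and then scrubs them the way the poster should have before publishing. The "Canon" make comes from the article; the model and serial values are constructed samples, and placing the serial in the standard BodySerialNumber tag (0xA431) is a simplification, since that tag was only defined in Exif 2.3 and cameras of this era typically kept the serial in the vendor MakerNote. That is also why the scrubber drops the whole APP1 Exif segment rather than picking out individual tags.

```python
import struct

# Tag ids from the Exif/TIFF specifications. Real cameras of 2007 usually put
# the serial in the MakerNote, so a scrubber must drop the whole APP1 segment.
TAG_MAKE, TAG_MODEL = 0x010F, 0x0110
TAG_EXIF_IFD, TAG_GPS_IFD = 0x8769, 0x8825
TAG_BODY_SERIAL = 0xA431                     # BodySerialNumber (Exif 2.3)
TYPE_ASCII, TYPE_LONG = 2, 4
EXIF_HEADER = b"Exif\x00\x00"


def split_jpeg(jpeg):
    """Split a JPEG into header segments [(marker, payload)] plus the tail
    from the SOS (start of scan) marker onward, which holds the pixel data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    segments, pos = [], 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):          # SOS or EOI: no more header segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes itself
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("truncated segment at offset %d" % pos)
        segments.append((marker, jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, jpeg[pos:]


def join_jpeg(segments, tail):
    """Inverse of split_jpeg: re-emit SOI, the given segments and the tail."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out + tail)


def read_exif_tags(payload):
    """Walk IFD0 and its Exif/GPS sub-IFDs of an APP1 payload; return {tag: value}."""
    tiff = payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, first_ifd = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header in Exif block")
    tags, pending, seen = {}, [first_ifd], set()
    while pending:
        off = pending.pop()
        if off in seen or off + 2 > len(tiff):   # guard against loops and garbage
            continue
        seen.add(off)
        count = struct.unpack(endian + "H", tiff[off:off + 2])[0]
        for i in range(count):
            e = off + 2 + 12 * i
            tag, typ, n, val = struct.unpack(endian + "HHII", tiff[e:e + 12])
            if tag in (TAG_EXIF_IFD, TAG_GPS_IFD):
                tags[tag] = val
                pending.append(val)              # follow the sub-IFD pointer
            elif typ == TYPE_ASCII:              # short values are stored inline
                raw = tiff[e + 8:e + 8 + n] if n <= 4 else tiff[val:val + n]
                tags[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
            else:
                tags[tag] = val
    return tags


def find_identifying_data(jpeg):
    """Report Exif fields that can tie a photo to a camera body or a place."""
    report = {}
    for marker, payload in split_jpeg(jpeg)[0]:
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tags = read_exif_tags(payload)
        if TAG_BODY_SERIAL in tags:
            report["BodySerialNumber"] = tags[TAG_BODY_SERIAL]
        if TAG_GPS_IFD in tags:
            report["GPSInfo"] = "present"
    return report


def strip_exif(jpeg):
    """Return the JPEG with every APP1 Exif segment removed; pixel data and the
    other segments (JFIF, ICC profile, ...) are copied through untouched."""
    segments, tail = split_jpeg(jpeg)
    kept = [(m, p) for m, p in segments if not (m == 0xE1 and p.startswith(EXIF_HEADER))]
    return join_jpeg(kept, tail)


def _ascii_entry(tag, text, data_offset):
    """IFD entry for an ASCII tag whose bytes live out-of-line at data_offset."""
    payload = text.encode("ascii") + b"\x00"
    return struct.pack("<HHII", tag, TYPE_ASCII, len(payload), data_offset), payload


def build_sample_exif(make="Canon", model="Constructed-Model",
                      serial="CONSTRUCTED-SERIAL-0001"):
    """Constructed little-endian Exif payload: IFD0 (Make, Model, ExifIFD
    pointer) -> Exif sub-IFD holding BodySerialNumber. All values are samples."""
    ifd0_off = 8
    exif_off = ifd0_off + 2 + 3 * 12 + 4     # IFD0: count, 3 entries, next pointer
    data_off = exif_off + 2 + 1 * 12 + 4     # Exif IFD: count, 1 entry, next pointer
    blobs, entries = b"", []
    for tag, text in ((TAG_MAKE, make), (TAG_MODEL, model)):
        entry, payload = _ascii_entry(tag, text, data_off + len(blobs))
        entries.append(entry)
        blobs += payload
    entries.append(struct.pack("<HHII", TAG_EXIF_IFD, TYPE_LONG, 1, exif_off))
    serial_entry, payload = _ascii_entry(TAG_BODY_SERIAL, serial, data_off + len(blobs))
    blobs += payload
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<H", 3) + b"".join(entries) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 1) + serial_entry + struct.pack("<I", 0)
    return EXIF_HEADER + tiff + blobs


def make_sample_jpeg(exif_payload):
    """Constructed stand-in for a photographed page: SOI, JFIF APP0, Exif APP1,
    then a dummy SOS header and filler where real tables and scan data would be."""
    segments = [(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"), (0xE1, exif_payload)]
    tail = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\x56" + b"\xff\xd9"
    return join_jpeg(segments, tail)


if __name__ == "__main__":
    page = make_sample_jpeg(build_sample_exif())
    print("before:", find_identifying_data(page))     # serial number exposed
    print("after: ", find_identifying_data(strip_exif(page)))
```

Dropping the APP1 segment also removes the embedded Exif thumbnail, a second and often forgotten copy of the picture; the JFIF and ICC segments are kept so the file still renders as before. Running `find_identifying_data` over a directory before upload is the check a publisher wants; the same parser flags a GPS sub-IFD when one is present.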
The US Secret Service evidently wants to be
able to track your printer output, presumably as part of their
anti-counterfeiting responsibilities, so they have convinced laser printer
manufacturers to secretly add the now-famous yellow dots
to each color page that is printed. Some of these codes have been cracked
by the Electronic Frontier Foundation (EFF) and others, and have been found
to contain model and serial numbers along with a timestamp of the print time.
It is much harder to blame ignorant users when the device manufacturer
actively tries to hide the fact that identifying information is being
leaked. Worse yet, it appears that inquiring about this practice
and asking how to turn it off
can lead to a visit from the Secret Service. There is nothing quite like a
visit from a federal agent to stifle dissent. The folks at Seeing Yellow have lots more
information, including a plan to overwhelm the agency through sheer numbers
of people asking how to turn this "feature" off.
Imagine a world where the government required each person to carry a
device that knew its location via GPS, could take pictures, and had
wireless connectivity. It is a scenario that would be ripe for abuse. In many
ways, lots of people already, voluntarily, live in that world as cell phones
have all those characteristics. It is not inconceivable that the cell phone
manufacturers have already had a visit, from the Department of Homeland
Security (DHS) or some other three-letter agency of the government, asking
for help in the "War on Terror." The devices are certainly capable of
reporting location (possibly with a helpful photo of people in the vicinity)
back to the carrier and through them to the DHS. Probably, hopefully, that
is not (yet?) happening, but there is no real technical barrier.
If we ratchet the paranoia level down a notch, cell phones, in
particular smart phones, still pose an enormous target for the criminal
world. Subverting phones that have cameras and GPS, to run them under the
control of an attacker, makes an incredible surveillance tool. By using
the same kinds of techniques that are used to spread viruses and spyware
today, it should not be difficult to get targets to willingly perform
actions that will lead to the subversion of their phone. From
there, the attacker can get all of the call records, photos, calendar items
and contacts while directing the phone to transmit its location every
minute to the attacker.
Not only could this kind of information be used by stalkers, muggers and other
criminals, but this same capability could be used by lovers or employers to
track people, keeping tabs on their movements and contacts. Rather than
hire a private investigator, a jealous husband or wife might just borrow
the other's phone, surf to a spyware site, and install a tracking program
themselves. The opportunities are endless and exceedingly frightening for
anyone concerned about privacy in today's world.
There are no easy answers on how to protect oneself against these
unintentional data leaks. The organizations and individuals interested in
collecting the data are doubly interested in concealing the fact that they
are doing it, but, worse still, it is difficult for users to detect. If a
cell phone is sending a short burst of encrypted information every minute,
how would the average user, or even a sophisticated lab, detect and decode
that data? If someone had not stumbled upon the yellow dots, we might be
printing traceable documents, in blissful ignorance, to this day. What
other, similar kinds of tracking are going on that we do not yet know about?
Free software can certainly help with this problem, but it is no
panacea. Being able to replace the software in a device, with code that
can be scrutinized and built before installing, is a good way to know what
the device will do. Getting code that is vouched for by a trusted group
also serves to alleviate privacy leakage concerns. That is not the end of
the story, unfortunately, as the hardware itself may be the culprit. Laser
printer hardware is likely responsible for the identifying
information in the output, making it rather difficult to replace. It is
extremely difficult to know what the hardware in other devices might be
doing behind our backs.
The truly paranoid will not be willing to trust any hardware they did not
build themselves, perhaps from individual transistors, while trying to
figure out how to trust
the compiler. For the rest of us, open platforms, like OpenMoko, with free software and
hardware, may provide reasons to believe that our data is protected;
unless, of course, the device gets stolen or lost - encryption anyone?
Comments (10 posted)
New vulnerabilities
gpdf: integer overflow
| Package(s): | cups poppler xpdf |
| CVE #(s): | CVE-2007-3387 |
| Created: | July 31, 2007 |
| Updated: | November 28, 2007 |
| Description: | The gpdf library contains an integer overflow which can be exploited via a malicious PDF file. This code finds its way into multiple packages, including xpdf, kpdf, poppler, cups, and more. |
| Alerts: | |
Comments (1 posted)
drupal: cross site request forgery
| Package(s): | drupal |
| CVE #(s): | |
| Created: | July 27, 2007 |
| Updated: | August 1, 2007 |
| Description: | From DRUPAL-SA-2007-017: "Several parts in Drupal core are not protected against cross site request forgeries due to improper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a privileged user to visit certain URLs while the victim is logged-in to the targeted site." |
| Alerts: | |
Comments (2 posted)
festival: privilege escalation
| Package(s): | festival |
| CVE #(s): | |
| Created: | July 26, 2007 |
| Updated: | August 1, 2007 |
| Description: | The festival text-to-speech converter has a privilege escalation vulnerability. The festival daemon runs with root privileges, so a local attacker can connect to the daemon and execute arbitrary commands as root. |
| Alerts: | |
Comments (1 posted)
firefox: multiple vulnerabilities
| Package(s): | firefox |
| CVE #(s): | CVE-2007-3844 CVE-2007-3845 |
| Created: | August 1, 2007 |
| Updated: | February 20, 2008 |
| Description: | A flaw was discovered in handling of "about:blank" windows used by addons. A malicious web site could exploit this to modify the contents, or steal confidential data (such as passwords), of other web pages. (CVE-2007-3844) Jesper Johansson discovered that spaces and double-quotes were not correctly handled when launching external programs. In rare configurations, after tricking a user into opening a malicious web page, an attacker could execute helpers with arbitrary arguments with the user's privileges. (CVE-2007-3845) |
| Alerts: | |
Comments (none posted)
gdm: denial of service
| Package(s): | gdm |
| CVE #(s): | CVE-2007-3381 |
| Created: | August 1, 2007 |
| Updated: | September 20, 2007 |
| Description: | JLANTHEA reported a denial of service flaw in the way that gdm listens on its Unix domain socket. Any local user can crash the locally running X session. |
| Alerts: | |
Comments (none posted)
libvorbis: multiple memory corruption flaws
| Package(s): | libvorbis |
| CVE #(s): | CVE-2007-3106 CVE-2007-4029 |
| Created: | July 27, 2007 |
| Updated: | January 22, 2008 |
| Description: | This iSEC Partners security advisory has details on multiple memory corruption flaws in libvorbis. |
| Alerts: | |
Comments (none posted)
qt: arbitrary code execution
| Package(s): | qt |
| CVE #(s): | CVE-2007-3388 |
| Created: | August 1, 2007 |
| Updated: | December 10, 2007 |
| Description: | Format string bugs were found in several Qt warning messages. Applications using Qt for processing certain data types could trigger them if the data caused Qt to print warnings. The bugs potentially allow execution of arbitrary code via specially crafted files (CVE-2007-3388). |
| Alerts: | |
Comments (none posted)
unrar: integer signedness error
| Package(s): | unrar |
| CVE #(s): | CVE-2007-3726 |
| Created: | July 31, 2007 |
| Updated: | August 1, 2007 |
| Description: | Integer signedness error in the SET_VALUE function in rarvm.cpp in unrar 3.70 beta 3, as used in products including WinRAR and RAR for OS X, allows user-assisted remote attackers to cause a denial of service (crash) via a crafted RAR archive that causes a negative signed number to be cast to a large unsigned number. |
| Alerts: | |
Comments (1 posted)
vim: arbitrary code execution
| Package(s): | vim |
| CVE #(s): | CVE-2007-2953 |
| Created: | July 30, 2007 |
| Updated: | September 20, 2007 |
| Description: | vim is vulnerable to a user-assisted attack in which vim may execute arbitrary code when helptags is run on data that has been maliciously crafted. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
apache2: information disclosure
| Package(s): | apache |
| CVE #(s): | CVE-2007-1862 |
| Created: | June 20, 2007 |
| Updated: | February 18, 2008 |
| Description: | From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously-used data, which could be used to obtain potentially sensitive information by unauthorized users." |
| Alerts: | |
Comments (2 posted)
apache: multiple vulnerabilities
| Package(s): | apache |
| CVE #(s): | CVE-2007-3304 CVE-2006-5752 |
| Created: | June 27, 2007 |
| Updated: | February 18, 2008 |
| Description: | The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker who has the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated, which could lead to a denial of service. (CVE-2007-3304) A flaw was found in the Apache HTTP Server mod_status module. Sites with the server-status page publicly accessible and ExtendedStatus enabled were vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux the server-status page is not enabled by default and it is best practice to not make this publicly available. (CVE-2006-5752) |
| Alerts: | |
Comments (1 posted)
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2006-3918 |
| Created: | August 9, 2006 |
| Updated: | April 4, 2008 |
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." |
| Alerts: | |
Comments (none posted)
Asterisk: two SIP denial of service vulnerabilities
| Package(s): | Asterisk |
| CVE #(s): | CVE-2007-1561 CVE-2007-1594 |
| Created: | April 3, 2007 |
| Updated: | August 27, 2007 |
| Description: | The Madynes research team at INRIA has discovered that Asterisk contains a null pointer dereferencing error in the SIP channel when handling INVITE messages. Furthermore qwerty1979 discovered that Asterisk 1.2.x fails to properly handle SIP responses with return code 0. A remote attacker could cause an Asterisk server listening for SIP messages to crash by sending a specially crafted SIP message or answering with a 0 return code. |
| Alerts: | |
Comments (none posted)

avahi: denial of service
| Package(s): | avahi |
| CVE #(s): | CVE-2007-3372 |
| Created: | June 28, 2007 |
| Updated: | September 18, 2007 |
| Description: | Avahi is vulnerable to a local denial of service that can be caused by
making an erroneous call to the assert() function. |
| Alerts: | |

bind: DNS cache poisoning
| Package(s): | bind |
| CVE #(s): | CVE-2007-2926 |
| Created: | July 24, 2007 |
| Updated: | August 20, 2007 |
| Description: | A flaw was found in the way BIND generates outbound DNS query ids. If an
attacker is able to acquire a finite set of query IDs, it becomes possible
to accurately predict future query IDs. Future query ID prediction may
allow an attacker to conduct a DNS cache poisoning attack, which can result
in the DNS server returning incorrect client query data. |
| Alerts: | |

bochs: buffer overflow
| Package(s): | bochs |
| CVE #(s): | CVE-2007-2893 |
| Created: | July 20, 2007 |
| Updated: | November 19, 2007 |
| Description: | A heap-based buffer overflow in the bx_ne2k_c::rx_frame function in
iodev/ne2k.cc in the emulated NE2000 device in Bochs 2.3 allows local users
of the guest operating system to write to arbitrary memory locations and
gain privileges on the host operating system via vectors that cause TXCNT
register values to exceed the device memory size, aka "RX Frame heap
overflow." |
| Alerts: | |

bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
| CVE #(s): | CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 |
| Created: | November 10, 2006 |
| Updated: | August 28, 2007 |
| Description: | Bugzilla has the following vulnerabilities:
- Input data passed to various fields is not properly sanitized before
being passed back to users.
- Users can gain unauthorized access to read attachment
descriptions while using diff mode.
- HTTP GET and HTTP POST requests can be used to perform unauthorized
actions due to improper verification.
- Input that is passed to showdependencygraph.cgi is not properly
sanitized before being returned to users. |
| Alerts: | |

centericq: buffer overflows
| Package(s): | centericq |
| CVE #(s): | CVE-2007-3713 |
| Created: | July 20, 2007 |
| Updated: | December 17, 2007 |
| Description: | Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow
remote attackers to execute arbitrary code via unspecified vectors. NOTE:
the provenance of this information is unknown; the details are obtained
solely from third party information. NOTE: this might overlap
CVE-2007-0160. |
| Alerts: | |

clamav: denial of service
| Package(s): | clamav |
| CVE #(s): | CVE-2007-3725 |
| Created: | July 24, 2007 |
| Updated: | February 27, 2008 |
| Description: | A NULL pointer dereference has been discovered in the RAR VM of Clam
Antivirus (ClamAV) which allows user-assisted remote attackers to
cause a denial of service via specially crafted RAR archives. |
| Alerts: | |

cups: denial of service
| Package(s): | cups |
| CVE #(s): | CVE-2007-0720 |
| Created: | March 26, 2007 |
| Updated: | February 7, 2008 |
| Description: | Previous versions of the cups package could be forced to hang by a client
"partially negotiating" an SSL connection. In this state, cups would not
allow other connections to be made, resulting in a denial of service. |
| Alerts: | |

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
| CVE #(s): | CVE-2006-1721 |
| Created: | April 21, 2006 |
| Updated: | September 4, 2007 |
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending a specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate. |
| Alerts: | |

dovecot: directory traversal
| Package(s): | dovecot |
| CVE #(s): | CVE-2007-2231 |
| Created: | May 8, 2007 |
| Updated: | May 21, 2008 |
| Description: | Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot
before 1.0.rc29, when using the zlib plugin, allows remote attackers to
read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot)
sequence in the mailbox name. |
| Alerts: | |

emacs21: denial of service
| Package(s): | emacs21 |
| CVE #(s): | CVE-2007-2833 |
| Created: | June 21, 2007 |
| Updated: | August 29, 2007 |
| Description: | The emacs21 editor has a denial of service vulnerability.
emacs21 can be made to crash by viewing "certain types of images". |
| Alerts: | |

evolution: format string error
| Package(s): | evolution |
| CVE #(s): | CVE-2007-1002 |
| Created: | March 27, 2007 |
| Updated: | February 27, 2008 |
| Description: | A format string error in the "write_html()" function in
calendar/gui/e-cal-component-memo-preview.c when displaying a memo's categories can
potentially be exploited to execute arbitrary code via a specially crafted
shared memo containing format specifiers. |
| Alerts: | |

evolution-data-server: malicious server arbitrary code execution
| Package(s): | evolution-data-server |
| CVE #(s): | CVE-2007-3257 |
| Created: | June 18, 2007 |
| Updated: | November 7, 2007 |
| Description: | From the GNOME
bugzilla: "The "SEQUENCE" value in the GData of the IMAP code
(camel-imap-folder.c) is converted from a string using strtol. This allows
for negative values. The imap_rescan uses this value as an int. It checks
for !seq and seq>summary.length. It doesn't check for seq <
0, although seq is used as the index of an array." |
| Alerts: | |

pop mail man-in-the-middle attacks
| Package(s): | evolution thunderbird mutt fetchmail |
| CVE #(s): | CVE-2007-1558 |
| Created: | May 8, 2007 |
| Updated: | August 7, 2007 |
| Description: | The APOP protocol allows remote attackers to guess the first 3 characters
of a password via man-in-the-middle (MITM) attacks that use crafted message
IDs and MD5 collisions. NOTE: this design-level issue potentially affects
all products that use APOP, including (1) Thunderbird, (2) Evolution, (3)
mutt, and (4) fetchmail. |
| Alerts: | |

fail2ban: log injection vulnerability
| Package(s): | fail2ban |
| CVE #(s): | |
| Created: | June 22, 2007 |
| Updated: | July 30, 2007 |
| Description: | fail2ban 0.8 is susceptible to a log injection vulnerability. See this
ossec.net entry for more information. |
| Alerts: | |

fail2ban: denial of service
| Package(s): | fail2ban |
| CVE #(s): | CVE-2006-6302 |
| Created: | February 16, 2007 |
| Updated: | July 30, 2007 |
| Description: | fail2ban 0.7.4 and earlier does not properly parse sshd log files, which
allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file
and cause a denial of service by adding arbitrary IP addresses to the sshd
log file, as demonstrated by logging in to ssh using a login name
containing certain strings with an IP address. |
| Alerts: | |

file: integer overflow
| Package(s): | file |
| CVE #(s): | CVE-2007-2799 |
| Created: | June 1, 2007 |
| Updated: | October 19, 2007 |
| Description: | Colin Percival from FreeBSD reported that the previous fix for the
file_printf() buffer overflow introduced a new integer overflow. A remote
attacker could entice a user to run the file program on an overly large
file (more than 1Gb) that would trigger an integer overflow on 32-bit
systems, possibly leading to the execution of arbitrary code with the
rights of the user running file. |
| Alerts: | |

firebird: buffer overflow
| Package(s): | firebird |
| CVE #(s): | CVE-2007-3181 |
| Created: | July 2, 2007 |
| Updated: | March 27, 2008 |
| Description: | The Firebird DBMS has a buffer overflow vulnerability involving
the processing of connect requests with an overly large p_cnct_count
value. Remote attackers can send a specially crafted
request to the server in order to potentially execute arbitrary code with
the permissions of the Firebird user. |
| Alerts: | |

firefox: multiple vulnerabilities
| Package(s): | firefox mozilla seamonkey thunderbird |
| CVE #(s): | CVE-2007-1362, CVE-2007-2867, CVE-2007-2868, CVE-2007-2869, CVE-2007-2870, CVE-2007-2871 |
| Created: | June 4, 2007 |
| Updated: | August 29, 2007 |
| Description: | Various flaws were discovered in the layout and JavaScript engines. By
tricking a user into opening a malicious web page, an attacker could
execute arbitrary code with the user's privileges. (CVE-2007-2867,
CVE-2007-2868)
A flaw was discovered in the form autocomplete feature. By tricking a user
into opening a malicious web page, an attacker could cause a persistent
denial of service. (CVE-2007-2869)
Nicolas Derouet discovered flaws in cookie handling. By tricking a user
into opening a malicious web page, an attacker could force the browser to
consume large quantities of disk or memory while processing long cookie
paths. (CVE-2007-1362)
A flaw was discovered in the same-origin policy handling of the
addEventListener JavaScript method. A malicious web site could exploit
this to modify the contents, or steal confidential data (such as
passwords), of other web pages. (CVE-2007-2870)
Chris Thomas discovered a flaw in XUL popups. A malicious web site
could exploit this to spoof or obscure portions of the browser UI,
such as the location bar. (CVE-2007-2871) |
| Alerts: | |

firefox, thunderbird, seamonkey: multiple vulnerabilities
| Package(s): | firefox, thunderbird, seamonkey |
| CVE #(s): | CVE-2007-3738, CVE-2007-3656, CVE-2007-3670, CVE-2007-3285, CVE-2007-3737, CVE-2007-3089, CVE-2007-3736, CVE-2007-3734, CVE-2007-3735 |
| Created: | July 18, 2007 |
| Updated: | May 12, 2008 |
| Description: | shutdown and moz_bug_r_a4 reported two separate ways to modify an
XPCNativeWrapper such that subsequent access by the browser would result in
executing user-supplied code. (CVE-2007-3738)
Michal Zalewski reported that it was possible to bypass the same-origin
checks and read from cached (wyciwyg) documents. It is possible to access
wyciwyg:// documents without proper same domain policy checks through the
use of HTTP 302 redirects. This enables the attacker to steal sensitive
data displayed on dynamically generated pages; perform cache poisoning; and
execute own code or display own content with URL bar and SSL certificate
data of the attacked page (URL spoofing++). (CVE-2007-3656)
Internet Explorer calls registered URL protocols without escaping quotes
and may be used to pass unexpected and potentially dangerous data to the
application that registers that URL protocol. (CVE-2007-3670)
Ronald van den Heetkamp reported that a filename URL containing %00
(encoded null) can cause Firefox to interpret the file extension
differently than the underlying Windows operating system, potentially
leading to unsafe actions such as running a program. This is only
accessible locally. (CVE-2007-3285)
An attacker can use an element outside of a document to call an event
handler, allowing content to run arbitrary code with chrome
privileges. (CVE-2007-3737)
Ronen Zilberman and Michal Zalewski both reported that it was possible to
exploit a timing issue to inject content into about:blank frames in a
page. When opening a window from a script, it is possible to spoof the
content of the newly opened window's frames within a short time frame,
while the window is loading. (CVE-2007-3089)
Mozilla contributor moz_bug_r_a4 demonstrated that the methods
addEventListener and setTimeout could be used to inject script into another
site in violation of the browser's same-origin policy. This could be used
to access or modify private or valuable information from that other
site. (CVE-2007-3736)
As part of the Firefox 2.0.0.5 update releases, Mozilla developers fixed
many bugs to improve the stability of the product. Some of these crashes
showed evidence of memory corruption under certain circumstances, and
we presume that with enough effort at least some of these could be
exploited to run arbitrary code. Note: Thunderbird shares the browser
engine with Firefox and could be vulnerable if JavaScript were to be
enabled in mail. This is not the default setting and we strongly discourage
users from running JavaScript in mail. Without further investigation we
cannot rule out the possibility that for some of these an attacker might be
able to prepare memory for exploitation through some means other than
JavaScript, such as large images. (CVE-2007-3734, CVE-2007-3735) |
| Alerts: | |

flac123: arbitrary code execution
| Package(s): | flac123 |
| CVE #(s): | CVE-2007-3507 |
| Created: | July 13, 2007 |
| Updated: | October 22, 2007 |
| Description: | A stack-based buffer overflow in the local__vcentry_parse_value function in
vorbiscomment.c in flac123 (aka flac-tools or flac) before 0.0.10 allows
user-assisted remote attackers to execute arbitrary code via a large
comment value_length. |
| Alerts: | |

flash-plugin: input validation flaw
| Package(s): | flash-plugin |
| CVE #(s): | CVE-2007-3456 |
| Created: | July 12, 2007 |
| Updated: | August 10, 2007 |
| Description: | The Firefox flash-plugin module has an input validation flaw
involving the display of certain content. If a user can be tricked
into opening a specially crafted Adobe Flash file, it may be possible
to execute arbitrary code. |
| Alerts: | |

freetype: integer overflows
| Package(s): | freetype |
| CVE #(s): | CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661, CVE-2006-3467 |
| Created: | June 8, 2006 |
| Updated: | October 10, 2007 |
| Description: | The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
| Alerts: | |