LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
Letters to the editor
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Security news
Red Sheriff
[This article was contributed by Tom Owen]
Check your cookie list in your browser for cookies from imrworldwide.com -- if they're there, then the red sheriff is watching you.
You won't be alone. For well over a year, vexed users have been popping up on the newsgroups, in slashdot and on lists of all sorts with independent rediscoveries of Redsheriff's activities. Unscientific sampling suggests that machines not owned by paranoid technicians always have these cookies.
The web was not designed to make marketing easy. Proxies and other caches mean that the server logs can dramatically undercount page views and downloads. Spiders and bots work the other way, but there's no reason to believe they balance out. The users share and reuse their IP addresses, you can't tell for certain what country they're in, and they even lie to their own PCs. Maybe M. Mouse is a legitimate name in Martinique, and a birth date of 01/01/01 might just mean that you saw Steamboat Willie first time round. But probably not.
Advertisers hate this. They hate trusting the word of a site owner about page impressions, but even when those numbers make sense they still don't know if the campaign is reaching the target preteens, or is being wasted on middle-aged tax consultants who just really like Britney. Many of them prefer to stick with old media where they get respectable numbers from the likes of Nielsen and ABC.
So the demand for better information is huge, and there's a long history of attempts to get it: doubleclick, web bugs and third-party cookies. The big accounts at the traditional end of the industry prefer to trust names and methods translated from broadcast media: closely monitored sample panels, surveys and focus groups. That would be fine, but one thing that no-one has ever been able to do is reconcile the numbers from these two approaches.
Redsheriff want to bridge that gap -- by making the whole internet their panel.
Founded in Australia in 1996 as a research firm, by 2001 Redsheriff was expanding into technical means. Along the way, they picked up global ambitions and some serious capitalists led by WPP, Martin Sorrel's advertising conglomerate. Earlier website versions on the Wayback machine couple horrifying wild-west copy with fairly explicit information about their offerings which is lacking from the current site.
And in fact they keep a lowish profile all round. There are no secrets, but no fuss either and little interest in publicity. It doesn't matter: the evidence is easy enough to gather. Redsheriff client sites (try Selfridges) drop or reference two main components:
- A pair of persistent cookies -- IMRID and V5 -- reporting to imrworldwide.com, a domain registered to redsheriff. You seem to get an IMRID once only -- if it's there it'll never be altered. It seems as though it's intended to be a globally unique machine name. By contrast V5 updates for almost anything you do on the site.
- A java applet (real java, not a script) called Measure, mostly silent,
but recognisable from the console message
----------- RedSheriff Measurement ----------- Privacy: http://www.redsheriff.com/privacy.htm
It returns a record to imrworldwide.com when you leave a site.
Redsheriff say they can report on movement within a flash site, as well as use of non-client sites, and it looks as though these are jobs for the applet. There doesn't seem to be an ActiveX component yet, but given MS's attitude toward Java, this is probably only a matter of time.
So far, Redsheriff knows many of the sites you visit from day to day and year to year, and within some of them they know the pages you look at. This is a good start (for them), but technical means aren't enough: they don't know who you are. This next stage is probably what has piqued the interest of partners like WPP and Taylor Nelson Sofres
What these buyers want is income, age, education, family status, and Redsheriff apparently gets it the easy way: by popping up a questionnaire with a chance of winning some prize. This questionnaire carries the client site branding, but the data goes to the Redsheriff servers. As a final touch, some percentage of the responses are qualified with telephone interviews. The privacy policy is surprisingly less clear than it could be -- it looks as though some identifying personal information will be held on the basis of the target's consent implied when they filled in the survey.
Redsheriff is doing nothing all that weird, but the effect is still spooky. Assuming their software and datacenter work right, they'll know largely complete browsing histories stretching over years for vast numbers of computers. And if they can do the surveys right, many of these histories will carry trustworthy demographic information and many more will be similar enough to have it inferred. They can't quite equal a panel in joining up work and home browsing or breaking out multi-use PCs but their potential sample is so comprehensive they hardly care: the data are going to make them big money.
If you don't want to be part of this database, it's easy to stop without marring the browsing experience: simply block third party cookies (erase any you have) and don't run applets. It's that easy. Maybe that's why they don't want the public gaze.
BIND 9.2.2: Slipstream Release?
[This article was contributed by Tom Owen]
The recent discussion on Bugtraq (e.g. here and here) raised the ugly possibility that ISC was fixing security problems in BIND and keeping quiet about them.In fact it does seem as though the release could have been better described in the BIND list. Two faults are described at the end of the current Bind vulnerability listing and the reason for the omission looks easy to guess: One is in the resolver library rather than the daemon itself, and the other is caused by linking with an unfixed version of OpenSSL.
It's not wrong to keep up to date with BIND, but the earlier server is only vulnerable if you use DNSSEC and linked an older version of OpenSSL.
New vulnerabilities
ethereal - format string vulnerability
| Package(s): | ethereal | CVE #(s): | CAN-2003-0081 | ||||||||||||||||||
| Created: | March 10, 2003 | Updated: | June 12, 2003 | ||||||||||||||||||
| Description: | The SOCKS dissector in Ethereal 0.9.9 is susceptible to a format string overflow. This vulnerability has been present in Ethereal since the SOCKS dissector was introduced in version 0.8.7. It was discovered by Georgi Guninski. Additionally, the NTLMSSP code is susceptible to a heap overflow. All users of Ethereal 0.9.9 and below are encouraged to upgrade. See the full advisory for additional information. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
mysqlcc - world readable file permissions
| Package(s): | mysqlcc | CVE #(s): | ||||
| Created: | March 7, 2003 | Updated: | March 12, 2003 | |||
| Description: | Gentoo reports that versions of mysqlcc prior to 0.8.9 had all configuration and connection files world readable. | |||||
| Alerts: |
| |||||
netscape-flash: buffer overflow
| Package(s): | netscape-flash | CVE #(s): | |||||||
| Created: | March 10, 2003 | Updated: | June 20, 2003 | ||||||
| Description: | Potentially exploitable buffer overflows exist in the Macromedia Flash Player. The full advisory is here. "The cumulative security patch is available today and addresses the potential for exploits surrounding buffer overflows (read/write) and sandbox integrity within the player, which might allow malicious users to gain access to a user's computer. The possibility of running native code on a users machine is a theoretical exploit, and extremely difficult to execute in practice. There are no known examples of running such native code from Macromedia Flash movies; however, even though this issue is difficult and theoretical in nature only, we are encouraging users to upgrade." | ||||||||
| Alerts: |
| ||||||||
qpopper - buffer overflow
| Package(s): | qpopper | CVE #(s): | CAN-2003-0143 | ||||||||||||
| Created: | March 12, 2003 | Updated: | March 21, 2003 | ||||||||||||
| Description: | As reported in this advisory, qpopper 4.0.x contains a buffer overflow vulnerability which may be exploited remotely - but only by an attacker possessing a valid username and password. | ||||||||||||||
| Alerts: |
| ||||||||||||||
usermode - local root compromise
| Package(s): | usermode | CVE #(s): | |||||||
| Created: | March 12, 2003 | Updated: | March 14, 2003 | ||||||
| Description: | The /usr/bin/shutdown program in the usermode package can be used to kill all running process and obtain a root shell. The best solution is simply to remove it. | ||||||||
| Alerts: |
| ||||||||
Updated vulnerabilities
BitchX - denial of service
| Package(s): | BitchX | CVE #(s): | |||||||||||||
| Created: | February 20, 2003 | Updated: | May 26, 2003 | ||||||||||||
| Description: | From this Bugtraq posting:
A denial of service vulnerability exists in BitchX. Sending a malformed RPL_NAMREPLY numeric 353 causes BitchX to segfault. This problem was reported to panasync@efnet#bitchx on Jan 30 2003, as of this writing we are unaware of any patches or workarounds provided by panasync and or any members of #bitchx | ||||||||||||||
| Alerts: |
| ||||||||||||||
perl-MailTools: remote command execution
| Package(s): | MailTools | CVE #(s): | CAN-2002-1271 | |||||||||||||||
| Created: | November 5, 2002 | Updated: | September 19, 2003 | |||||||||||||||
| Description: | The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm | CVE #(s): | CAN-2002-1323 | |||||||||||||||
| Created: | October 9, 2002 | Updated: | February 20, 2004 | |||||||||||||||
| Description: | usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
apcupsd - remote root vulnerability and buffer overflows
| Package(s): | apcupsd | CVE #(s): | CAN-2003-0098 CAN-2003-0099 | |||||||||||||||
| Created: | February 24, 2003 | Updated: | April 3, 2003 | |||||||||||||||
| Description: | From the MandrakeSoft
advisory:
A remote root vulnerability in slave setups and some buffer overflows in the network information server code were discovered by the apcupsd developers. They have been fixed in the latest unstable version, 3.10.5 which contains additional enhancements like USB support, and the latest stable version, 3.8.6. There are a few changes that need to be noted, such as the port has changed from port 7000 to post 3551 for NIS, and the new config only allows access from the localhost. Users may need to modify their configuration files appropriately, depending upon their configuration. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Heap corruption vulnerability in at
| Package(s): | at at, sudo, xchat | CVE #(s): | CAN-2002-0004 | |||||||||||||||||||||||||||
| Created: | May 21, 2002 | Updated: | May 15, 2003 | |||||||||||||||||||||||||||
| Description: | The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th). | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
BIND8: Multiple vulnerabilities
| Package(s): | bind | CVE #(s): | CAN-2002-1219 CAN-2002-1220 CAN-2002-1221 | |||||||||||||||||||||||||||
| Created: | November 13, 2002 | Updated: | March 6, 2003 | |||||||||||||||||||||||||||
| Description: | Three new vulnerabilities have been found in version 8 of the Berkeley
Internet Domain Server; see this
ISS advisory, the CERT Advisory
CA-2002-31, or the November 14 LWN
Security Page for details.
Red Hat has sent out an alert (not a regular advisory) suggesting that customers apply its previous BIND updates, which upgrade the system to BIND9. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc | CVE #(s): | CAN-2002-0651 CAN-2002-0684 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 8, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely." CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
Canna server: exploitable buffer overrun
| Package(s): | canna | CVE #(s): | CAN-2002-1158 CAN-2002-1159 | ||||||||||||
| Created: | December 10, 2002 | Updated: | October 1, 2003 | ||||||||||||
| Description: | Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue. A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159) | ||||||||||||||
| Alerts: |
| ||||||||||||||
CVS - exploitable double-free bug in the CVS server
| Package(s): | cvs | CVE #(s): | CAN-2003-0015 | ||||||||||||||||||||||||||||||||||||
| Created: | January 20, 2003 | Updated: | April 7, 2003 | ||||||||||||||||||||||||||||||||||||
| Description: | CVS is a version control system frequently used to manage source code
repositories. During an audit of the CVS sources, Stefan Esser
discovered an exploitable double-free bug in the CVS server.
On servers which are configured to allow anonymous read-only access, this bug could be used by anonymous users to gain write privileges. Users with CVS write privileges can then use the Update-prog and Checkin-prog features to execute arbitrary commands on the server. All users of CVS are advised to upgrade to erratum packages which contain patches to correct the double-free bug. See also this CERT advisory | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
dhcp3 - ignored counter boundary
| Package(s): | dhcp3 | CVE #(s): | CAN-2003-0039 | ||||||||||||
| Created: | January 28, 2003 | Updated: | April 4, 2003 | ||||||||||||
| Description: | Florian Lohoff discovered a bug in the dhcrelay causing it to send a
continuing packet storm towards the configured DHCP server(s) in case
of a malicious BOOTP packet, such as sent from buggy Cisco switches.
When the dhcp-relay receives a BOOTP request it forwards the request to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff which causes the network interface to reflect the packet back into the socket. To prevent loops the dhcrelay checks whether the relay-address is its own, in which case the packet would be dropped. In combination with a missing upper boundary for the hop counter an attacker can force the dhcp-relay to send a continuing packet storm towards the configured dhcp server(s). This patch introduces a new commandline switch ``-c maxcount'' and people are advised to start the dhcp-relay with ``dhcrelay -c 10'' or a smaller number, which will only create that many packets. The dhcrelay program from the ``dhcp'' package does not seem to be affected since DHCP packets are dropped if they were apparently relayed already. | ||||||||||||||
| Alerts: |
| ||||||||||||||
dvips: command execution vulnerability
| Package(s): | dvips | CVE #(s): | CAN-2002-0836 | ||||||||||||||||||||||||
| Created: | October 16, 2002 | Updated: | June 10, 2003 | ||||||||||||||||||||||||
| Description: | The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
Filename disclosure vulnerability in fam
| Package(s): | fam | CVE #(s): | CAN-2002-0875 | ||||||
| Created: | August 19, 2002 | Updated: | January 5, 2005 | ||||||
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. | ||||||||
| Alerts: |
| ||||||||
fetchmail: buffer overflow
| Package(s): | fetchmail | CVE #(s): | CAN-2002-1365 | ||||||||||||||||||||||||
| Created: | December 17, 2002 | Updated: | October 20, 2003 | ||||||||||||||||||||||||
| Description: | Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
file - memory allocation problem, stack overflow
| Package(s): | file | CVE #(s): | CAN-2003-0102 | |||||||||||||||||||||||||||||||||
| Created: | March 4, 2003 | Updated: | June 4, 2003 | |||||||||||||||||||||||||||||||||
| Description: | Jeff Johnson found a memory allocation problem and David Endler found a stack overflow corruption problem in the file "Automatic File Content Type Recognition Tool" version 3.41. Nalin Dahyabhai improved ELF section and program header handling in file version 3.40. The folks at OpenPKG believe that file versions without those modifications are vulnerable to memory allocation and stack overflow problems which put security at risk. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp | CVE #(s): | CAN-2002-0435 | ||||||||||||||||||
| Created: | May 21, 2002 | Updated: | May 16, 2003 | ||||||||||||||||||
| Description: | A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2). | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Potential remote root exploit in glibc
| Package(s): | glibc | CVE #(s): | CAN-2002-0391 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | August 14, 2002 | Updated: | June 29, 2003 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc | CVE #(s): | CAN-2002-1146 | |||||||||
| Created: | November 7, 2002 | Updated: | February 5, 2004 | |||||||||
| Description: | DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash). | |||||||||||
| Alerts: |
| |||||||||||
IM: creates temporary files insecurely
| Package(s): | im | CVE #(s): | CAN-2002-1395 | |||||||||
| Created: | December 3, 2002 | Updated: | March 6, 2003 | |||||||||
| Description: | Tatsuya Kinoshita discovered that IM, which contains interface
commands and Perl libraries for E-mail and NetNews, creates temporary
files insecurely.
| |||||||||||
| Alerts: |
| |||||||||||
IMP - SQL injection vulnerability
| Package(s): | imp | CVE #(s): | CAN-2003-0025 | |||||||||
| Created: | January 15, 2003 | Updated: | July 8, 2003 | |||||||||
| Description: | The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL injection; see this advisory for details. Version 3.x is not vulnerable to this problem. | |||||||||||
| Alerts: |
| |||||||||||
kdelibs: Vulnerabilities in KIO subsystem support
| Package(s): | kdelibs | CVE #(s): | CAN-2002-1281 CAN-2002-1282 | ||||||||||||
| Created: | November 22, 2002 | Updated: | March 14, 2003 | ||||||||||||
| Description: | Vulnerabilities were discovered in the KIO subsystem support for various
network protocols. The implementation of the rlogin protocol affects all
KDE versions from 2.1 up to 3.0.4, while the flawed implementation of the
telnet protocol only affects KDE 2.x. They allow a carefully crafted URL
in an HTML page, HTML email, or other KIO-enabled application to execute
arbitrary commands as the victim with their privilege.
The KDE team provided a patch for KDE3 which has been applied in these
packages. No patch was provided for KDE2, however the KDE team recommends
disabling both the rlogin and telnet KIO protocols. This can be
accomplished by removing, as root, the following files: /usr/share/services/telnet.protocol and /usr/share/services/rlogin.protocol. If either file also exists in a user's ~/.kde/share/services directory, they should likewise be removed. See also: http://www.kde.org/info/security/advisory-20021111-1.txt | ||||||||||||||
| Alerts: |
| ||||||||||||||
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils | CVE #(s): | CAN-2003-0019 | |||
| Created: | February 7, 2003 | Updated: | January 21, 2005 | |||
| Description: | The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: chmod -s /usr/bin/uml_net | |||||
| Alerts: |
| |||||
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 | CVE #(s): | CAN-2002-1363 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 19, 2002 | Updated: | July 14, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
lynx: CRLF injection vulnerability
| Package(s): | lynx | CVE #(s): | CAN-2002-1405 | |||||||||||||||||||||
| Created: | November 19, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||
| Description: | If lynx is given a url with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
mhc - insecure temporary file
| Package(s): | mhc | CVE #(s): | ||||
| Created: | February 28, 2003 | Updated: | March 5, 2003 | |||
| Description: | It has been discovered that adb2mhc from the mhc-utils package has a temporary file vulnerability. The default temporary directory uses a predictable name, allowing a local attacker to overwrite arbitrary files. | |||||
| Alerts: |
| |||||
micq: Denial of service
| Package(s): | micq | CVE #(s): | |||||||
| Created: | December 13, 2002 | Updated: | April 24, 2003 | ||||||
| Description: | Rüdiger Kuhlmann, upstream developer of mICQ, a text based ICQ client, discovered a problem in mICQ. Receiving certain ICQ message types that do not contain the required 0xFE seperator causes all versions to crash. | ||||||||
| Alerts: |
| ||||||||
MySQL: multiple vulnerabilities
| Package(s): | mysql | CVE #(s): | ||||||||||||||||||||||||||||||||||
| Created: | December 13, 2002 | Updated: | April 10, 2003 | |||||||||||||||||||||||||||||||||
| Description: | The MySQL database server has several buffer overflow and integer bounds checking vulnerabilities which can lead to denial of service attacks, and, possibily, remote code execution. See this e-matters advisory for details. Version 3.23.54 fixes the problems. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
net-snmp: denial of service vulnerability
| Package(s): | net-snmp | CVE #(s): | CAN-2002-1170 | ||||||
| Created: | December 17, 2002 | Updated: | November 7, 2003 | ||||||
| Description: | The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet. | ||||||||
| Alerts: |
| ||||||||
nethack: buffer overflow
| Package(s): | nethack, slashem, falconseye | CVE #(s): | CAN-2003-0358 CAN-2003-0359 | |||||||||||||||
| Created: | February 18, 2003 | Updated: | July 15, 2003 | |||||||||||||||
| Description: | Overflowing a buffer in nethack may lead to privilege escalation to games
uid.
Read the the full advisory for the details. Note that falconseye does not contain the file permission error CAN-2003-0359 which affected some other nethack packages. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
OpenSSL: plaintext exposure vulnerability
| Package(s): | openssl | CVE #(s): | CAN-2003-0078 | |||||||||||||||||||||||||||
| Created: | February 19, 2003 | Updated: | March 6, 2003 | |||||||||||||||||||||||||||
| Description: | A vulnerability has been found in OpenSSL that, given the right conditions, could lead to the exposure of transactions in plain text. This problem looks difficult to exploit (it requires a man-in-the-middle attack, among other things), but one can't be too sure, so the OpenSSL project has released versions 0.9.7a (with the fix and some new features) and 0.9.6i (with fixes only). See the announcement for details. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
pam_xauth: root exploit
| Package(s): | pam_xauth | CVE #(s): | CAN-2002-1160 | |||||||||
| Created: | February 13, 2003 | Updated: | July 10, 2003 | |||||||||
| Description: | The pam_xauth module is used to forward xauth information from user to user
in applications such as 'su'.
Andreas Beck discovered that versions of pam_xauth supplied with Red Hat Linux since version 7.1 would forward authorization information from the root account to unprivileged users. This could be used by a local attacker to gain access to an administrator's X session. In order to exploit this vulnerability, the attacker would have to get the administrator, as root, to use su to the account belonging to the attacker. | |||||||||||
| Alerts: |
| |||||||||||
PHP: vulnerability in mail function
| Package(s): | php | CVE #(s): | CAN-2002-0985 CAN-2002-0986 | |||||||||||||||
| Created: | November 13, 2002 | Updated: | October 1, 2003 | |||||||||||||||
| Description: | Two vulnerabilities exists in the mail() PHP function. The first one allows the execution of any program/script bypassing safe_mode restriction, the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
PostgreSQL - more buffer overflows
| Package(s): | postgresql | CVE #(s): | |||||||||||||
| Created: | February 12, 2003 | Updated: | November 7, 2003 | ||||||||||||
| Description: | A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Local arbitrary code execution vulnerability in Python
| Package(s): | python | CVE #(s): | CAN-2002-1119 | |||||||||||||||||||||||||||||||||
| Created: | August 28, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||||||||
| Description: | Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
sendmail - Remote Buffer Overflow
| Package(s): | sendmail | CVE #(s): | CAN-2002-1337 | |||||||||||||||||||||||||||||||||
| Created: | March 3, 2003 | Updated: | March 10, 2003 | |||||||||||||||||||||||||||||||||
| Description: | ISS has turned
up an unpleasant problem with sendmail; by sending a properly crafted
message, an attacker can run arbitrary code as root on a target
system. This is the sort of hole that can lead to all sorts of problems,
including widespread breakins and Internet worms. Everybody who is running
sendmail should upgrade to version 8.12.8 at the first
opportunity. Note that systems behind firewalls need to be fixed too.
See CERT Advisory CA-2003-07 for additional information. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
slocate - buffer overflow
| Package(s): | slocate | CVE #(s): | CAN-2003-0056 | |||||||||||||||
| Created: | February 5, 2003 | Updated: | May 8, 2003 | |||||||||||||||
| Description: | version 2.6 (at least) of slocate contains a buffer overflow vulnerability which could lead to a local exploit; see this advisory for the details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
snort - buffer overflow
| Package(s): | snort | CVE #(s): | CAN-2003-0033 | |||||||||||||||
| Created: | March 5, 2003 | Updated: | April 4, 2003 | |||||||||||||||
| Description: | A buffer overflow in the snort intrusion detection system can lead to remote code execution and/or disabling of intrusion detection. The 1.9.1 release fixes the problem. See this advisory for more information. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
squirrelmail - cross-site scripting vulnerability
| Package(s): | squirrelmail | CVE #(s): | CAN-2002-1276 CAN-2002-1341 | |||
| Created: | March 5, 2003 | Updated: | March 5, 2003 | |||
| Description: | A new cross-site scripting vulnerability afflicts Squrrelmail 1.2.10 and prior. | |||||
| Alerts: |
| |||||
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip | CVE #(s): | CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399 | |||||||||||||||||||||||||||
| Created: | October 1, 2002 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
tcpdump - infinite loop
| Package(s): | tcpdump | CVE #(s): | CAN-2003-0108 | |||||||||||||||||||||||||||
| Created: | February 27, 2003 | Updated: | May 1, 2003 | |||||||||||||||||||||||||||
| Description: | Andrew Griffiths and iDEFENSE Labs discovered a problem in tcpdump, a
powerful tool for network monitoring and data acquisition. An
attacker is able to send a specially crafted network packet which
causes tcpdump to enter an infinite loop.
In addition to the above problem the tcpdump developers discovered a potential infinite loop when parsing malformed BGP packets. They also discovered a buffer overflow that can be exploited with certain malformed NFS packets. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 | CVE #(s): | |||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 21, 2002 | Updated: | October 5, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
typespeed: buffer overflow
| Package(s): | typespeed | CVE #(s): | |||||||
| Created: | January 1, 2003 | Updated: | June 17, 2003 | ||||||
| Description: | A problem has been discovered in the typespeed, a game that lets you measure your typematic speed. By overflowing a buffer a local attacker could execute arbitrary commands under the group id games. | ||||||||
| Alerts: |
| ||||||||
vim - modeline vulnerability
| Package(s): | vim | CVE #(s): | CAN-2002-1377 | ||||||||||||||||||
| Created: | January 16, 2003 | Updated: | February 10, 2004 | ||||||||||||||||||
| Description: | VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
vnc - replay and cookie vulnerabilities
| Package(s): | vnc | CVE #(s): | CAN-2002-1336 CAN-2002-1511 | |||||||||||||||
| Created: | February 21, 2003 | Updated: | May 5, 2003 | |||||||||||||||
| Description: | VNC is a tool for providing a remote graphical user interface. Two
vulnerabilities have been found in versions of VNC shipped by Red Hat.
The VNC server acts as an X server, but the script for starting it generates an MIT X cookie (which is used for X authentication) without using a strong enough random number generator. This could allow an attacker to be able to more easily guess the authentication cookie. The VNC DES authentication scheme is implemented using a challenge-response architecture, producing a random and different challenge for each authentication attempt. A bug in the function for generating the random challenge caused the random seed to get reset to the current time on every authentication attempt. Therefore, two authentication attempts within the same second could receive the same challenge. An eavesdropper could exploit this vulnerability by replaying the response, thereby gaining authentication. All users of VNC are advised to upgrade to these erratum packages, which contain patches to correct these issues. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
eterm, vte: dangerous interception of escape sequences
| Package(s): | vte, eterm | CVE #(s): | CAN-2003-0021 CAN-2003-0068 CAN-2003-0070 | |||||||||
| Created: | March 3, 2003 | Updated: | April 1, 2003 | |||||||||
| Description: | From the advisory: "Many of the features supported by popular terminal emulator software can be abused when un-trusted data is displayed on the screen. The impact of this abuse can range from annoying screen garbage to a complete system compromise. All of the issues below are actually documented features, anyone who takes the time to read over the man pages or source code could use them to carry out an attack." | |||||||||||
| Alerts: |
| |||||||||||
wget:directory traversal bug
| Package(s): | wget | CVE #(s): | CAN-2002-1344 |
| Created: | December 10, 2002 | Updated: | October 1, 2003 |
| Description: | Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious
FTP server to create or overwrite files anywhere on the local file system.
FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3). If the FTP client fails to do so | ||