Freeing web services with Forkolator
By Jake Edge
November 28, 2007
The next battle in the war for software and data freedom is likely to be in
the online services realm. There are already calls for legislation to
govern what Gmail and Facebook can do with your data along with efforts to
provide free alternatives to some popular web applications. Coming at the
problem from a different direction, the Forkolator project is looking toward a
world where free web applications are not only free to change, but those
changes are immediately available to use on the same site.
Many of the web applications that people use today are not free in any
sense other than price. There are also lots of applications that are free
software – Wikipedia and Wordpress are often used as examples –
but changing the source code for them does little to change the user's
experience, because the service controls the software version that they
run. This is as it should be; few would argue that Wikipedia
should be forced to run some modified version of their code. Vast
quantities of collaboratively developed data reside there, however, that
any modified version of Wikipedia would want to access. Currently, one
could work with the Wikipedia folks to get the change integrated into their
codebase and eventually rolled-out for users, or one could fork the project.
The Forkolator vision – at this point it is not much more than that
– is to provide a third choice. In a mockup of the
Wordpress management interface, Forkolator founder Erik Pukinskis added
a "fork this page" button. Somewhere down the road, if Wordpress were written to support
Forkolator, that button would instantiate a copy of the server code running
on the server, with access to all the same data. It
would then allow a user to change the underlying code to fix a bug or add a
feature, which would then run live in that instance. Users who accessed
the weblog or management screen would use the updated code.
Obviously, people that are able to host their own Wordpress instances are
able to do this already – it is free software after all. What
may be missing is the collaborative environment that a blog hosted at
wordpress.com provides. Wordpress is free software, but wordpress.com
does not provide a free, as in freedom, service. Likewise for Wikipedia,
most of the value is in the site itself and the data; even forking it only
gives a static version at the point of the fork. The Forkolator concept
would provide another level of freedom; one could have their
own view of Wikipedia running side-by-side with the standard code, allowing
users to decide which they preferred.
At the moment, Forkolator is a PHP application that provides a web-based
integrated development
environment (IDE) that can be forked and modified live. It
provides a kind of proof-of-concept; an IDE running in the browser may
not provide the ideal development environment. Ruby on Rails already has
Heroku, which shares many traits with the
Forkolator vision. The focus of Heroku seems to be avoiding the pain of
deploying an individual web application rather than Forkolator's explicit
push for freedom in the web services arena.
The problems inherent in allowing users to modify the function of a
server-side application are legion. Forkolator advocate Sandy Armstrong
calls
the problems "staggering" and they are; providing security, privacy,
and stability while still allowing user modification is uncharted
territory. Solving those problems in a sensible fashion will make or break
the project and it is far from clear that they can be solved.
There is talk that some of the problems inherent in the model could be
solved in the same way that wiki defacements are handled: by the community.
If a rogue user modified the web application to be a spambot, for example,
other users could shut down or quarantine the fork. Data access is another
area that will need close attention. Obviously the application needs read
and write access to the database, but how can rogue applications be kept
from trashing the data for everyone else? This goes well beyond defacing
individual pages; wholesale removal of all content could be effected by a
malicious application, and community clean-up after the fact only works if
the damage can be noticed and reverted. The Forkolator team will need to
come up with ways to deal with all of these kinds of problems and more.
Forkolator is in its infancy – perhaps gestation is more accurate
– with an enormous number of serious technical hurdles to overcome,
but it does provide an interesting view of how free web services could
work. It is not a model that all web applications will adopt, with good
reason, but for sites that are largely collaborative in nature, it could make a
great deal of sense. Whether Forkolator, Heroku, or some other framework
can actually deliver the vision remains to be seen. We will be watching.
Comments (17 posted)
Linux in realtime
By Jake Edge
November 28, 2007
The Ninth Real-Time Linux Workshop, held in early November in Linz Austria,
provides a look into the current direction of realtime Linux research as
well as applications of the technology. LinuxDevices has collected up the
available papers from the workshop which make for interesting reading.
Roughly half of the papers cover applications, from robotics to train
monitoring, while the other half cover realtime development and measuring
the impacts of various techniques.
Realtime Linux solutions have branched out quite a bit since the original
RTLinux. Because that solution is patented, now owned by Wind River, and largely unmaintained, various other
solutions are maturing. In addition, the realtime preemption (RT_PREEMPT)
patches are also making their way into
the mainline kernel. For "hard" realtime, guarantees must be made about
the interrupt (and other) latencies in the system; so far Linux with
RT_PREEMPT has not been proven to make those guarantees. It does provide a
solution described by some of the authors as "good enough"
for many hard realtime applications, however.
Several of the papers covered various aspects of the performance of the
RT_PREEMPT kernel. Worst-case latencies for low-end PowerPC and
ARM processors (suitable for embedded applications) were measured and
reported. Two different clock frequencies were used for each processor
to determine if there was a simple relationship between processor speed and
latency: "A better realtime behavior cannot be achieved by simply
choosing a processor with a higher clock frequency."
Another paper measured the impact of RT_PREEMPT on general system
performance to gauge the cost of those kernel changes. The authors found
"no significant impact of [RT_PREEMPT] on the general performance of the system
unlike the preempt patches of earlier kernel versions." They also
measured latencies and jitter to try to determine its suitability for hard
realtime tasks, finding that even though there are no guaranteed worst-case
latencies, RT_PREEMPT kernels are not "definitely unsuitable".
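The papers measured these latencies on real hardware. As an added illustration of the technique (constructed for this article, not code from any of the workshop papers), the C program below does what a cyclic latency test does: it sleeps until an absolute periodic deadline, records how late each wake-up was, and keeps the minimum, mean and worst case. Function and type names are this example's own. The SCHED_FIFO and mlockall() setup is best-effort because it needs privileges; without it the numbers describe an ordinary task rather than a realtime bound, which is exactly the distinction the papers are careful about.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <inttypes.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <time.h>

#define NSEC_PER_SEC 1000000000L

/* Summary of observed wake-up latencies (names are this example's own).
 * max_ns is the number a hard-realtime budget has to cover; min/mean only
 * describe the typical case. */
struct lat_stats {
    long    count;
    int64_t min_ns;
    int64_t max_ns;
    double  mean_ns;
};

/* b - a in nanoseconds; kept pure so it can be checked in isolation. */
static int64_t ts_diff_ns(const struct timespec *a, const struct timespec *b)
{
    return (int64_t)(b->tv_sec - a->tv_sec) * NSEC_PER_SEC
         + (int64_t)(b->tv_nsec - a->tv_nsec);
}

/* Advance an absolute deadline by ns, normalising tv_nsec into [0, 1e9). */
static void ts_add_ns(struct timespec *t, long ns)
{
    t->tv_nsec += ns;
    while (t->tv_nsec >= NSEC_PER_SEC) {
        t->tv_nsec -= NSEC_PER_SEC;
        t->tv_sec += 1;
    }
}

static void stats_init(struct lat_stats *s)
{
    s->count = 0;
    s->min_ns = INT64_MAX;
    s->max_ns = INT64_MIN;
    s->mean_ns = 0.0;
}

/* Running min/max/mean, so no sample buffer is needed for long runs. */
static void stats_add(struct lat_stats *s, int64_t x)
{
    s->count++;
    if (x < s->min_ns) s->min_ns = x;
    if (x > s->max_ns) s->max_ns = x;
    s->mean_ns += ((double)x - s->mean_ns) / (double)s->count;
}

/* Best-effort realtime setup. SCHED_FIFO and mlockall() need privileges
 * (CAP_SYS_NICE, CAP_IPC_LOCK). Returns a bitmask of what could not be
 * enabled so the caller knows the run is not a realtime measurement. */
static int try_realtime_setup(int prio)
{
    struct sched_param sp;
    int missing = 0;
    memset(&sp, 0, sizeof sp);
    sp.sched_priority = prio;
    if (sched_setscheduler(0, SCHED_FIFO, &sp) != 0) missing |= 1;
    if (mlockall(MCL_CURRENT | MCL_FUTURE) != 0)     missing |= 2;
    return missing;
}

/* Sleep until successive absolute deadlines period_ns apart and record how
 * late each wake-up is (actual time minus requested time). Returns 0 on
 * success, -1 if a clock call fails. */
static int measure_latency(long period_ns, long iterations, struct lat_stats *out)
{
    struct timespec next, now;
    stats_init(out);
    if (clock_gettime(CLOCK_MONOTONIC, &next) != 0) return -1;
    for (long i = 0; i < iterations; i++) {
        int rc;
        ts_add_ns(&next, period_ns);
        while ((rc = clock_nanosleep(CLOCK_MONOTONIC, TIMER_ABSTIME, &next, NULL)) == EINTR)
            ;                                   /* interrupted: keep the same deadline */
        if (rc != 0) return -1;
        if (clock_gettime(CLOCK_MONOTONIC, &now) != 0) return -1;
        stats_add(out, ts_diff_ns(&next, &now));
    }
    return 0;
}

int main(void)
{
    struct lat_stats s;
    int missing = try_realtime_setup(80);
    if (missing)
        fprintf(stderr, "warning: realtime setup incomplete (mask %d); "
                        "numbers are for an ordinary task\n", missing);
    /* 1 ms period for one second; a real worst case needs hours under load. */
    if (measure_latency(1000000L, 1000, &s) != 0) {
        perror("measure_latency");
        return 1;
    }
    printf("samples=%ld min=%" PRId64 " ns mean=%.0f ns max=%" PRId64 " ns\n",
           s.count, s.min_ns, s.mean_ns, s.max_ns);
    return 0;
}
```

Run it once on a stock kernel and once on an RT_PREEMPT kernel, under load (a kernel build, heavy disk I/O) and for a long time; the number that matters is max, and a short idle run will understate it badly. Pinning to one CPU and disabling power management also change the result, which is why the papers report their measurement conditions alongside the numbers.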
The third paper measuring performance looked at the performance
characteristics of an RT_PREEMPT kernel on an industrial controller
board. In addition, the measurements were validated using a paint robot.
Their conclusion provides a nice summary of the progress the Linux kernel
has made for realtime applications:
Linux has for a long time proven that its stability is excellent, and now
we see that the real-time performance is really moving towards other
commercial real-time operating systems. The ability to be able to run a
real-time application on the same processor as other standard applications
is a winning combination. This is really what favors Linux as a real-time
operating system compared to other dedicated real-time operating systems.
Research into how to effectively use multi-processor and multi-core systems
for realtime tasks was the topic of another of the presentations.
LITMUS^RT is a kernel modification that implements pluggable schedulers; it
was created to test different scheduling policies and discover which
algorithms work best for realtime applications on multiple processors.
An area that generally receives little notice in the realtime community is
disk I/O, but a paper
presented looks to change that. The authors looked at existing I/O
schedulers for realtime systems and found them lacking – the models
used are too simplistic and do not take into account prefetching and
write-caching. They implemented a more realistic model into an I/O
scheduler for RTLinux and report their results.
The XtratuM "nanokernel" is a
virtualization solution used in realtime applications. Linux has
also been ported to run on XtratuM for the x86 architecture, which allows
it to run alongside a realtime OS. Two papers were concerned with
XtratuM, one covering a FIFO
implementation between XtratuM domains, allowing communication between
guest OSes. The other covered porting it to the
PowerPC architecture.
PaRTiKle
OS is a compatible replacement for RTLinux, allowing applications built
for that platform to run unchanged. It uses an entirely different
technique, implementing the kernel system calls itself, rather than using
the Linux kernel. This makes the connection to Linux a bit tenuous, but
because it avoids the RTLinux patents and is LGPL licensed, it may be a
useful migration path for RTLinux users.
The participation of universities at the workshop is something that stands out right away.
The vast majority of the papers came from universities, mostly European
– unsurprising given the location – but from
China and Mexico as well. LWN raised some questions about the lack of
university participation in Linux development back in July; perhaps part
of the answer lies in the realtime realm. It is unclear how much of the
code will actually reach the mainline, but the number of university
participants in the workshop is impressive.
This article notes only some of the papers presented; for those interested,
there is much more available. The papers covering various applications where
realtime Linux is actually being used are very detailed. We can expect to
see Linux used more frequently in these kinds of applications in the future.
Comments (none posted)
Electing the GNOME Foundation board
By Jonathan Corbet
November 27, 2007
The GNOME Foundation is charged with several tasks, including serving as
the official voice of the project, coordinating releases, deciding which
projects fit under the GNOME umbrella, supporting events, and more. Once a
year, a board of directors is chosen by the Foundation's members. This
time around, there are
ten
candidates running for the seven available positions. This
election may seem like another boring bureaucratic exercise, but its
results are important: GNOME is the desktop used by a great many free
software users, and it is the platform supported by the Free Software
Foundation.
In a number of ways, this seems like one of the more tense elections of its
kind in our community. A number of items discussed last year (such as the
hiring of a business development manager and/or executive director) remain
undone. The workings of the board seem distant and obscure to some GNOME
developers. There are clear
tensions between some of the project's leaders. Criticism of the
project's participation in the OOXML standardization process seems unlikely
to let up anytime soon. And there seems to be a general sense of
frustration that the board's members are too busy to get things done and too unwilling to delegate things to others. It's also worth noting that the winners will be serving a relatively long term; a change in the Foundation's bylaws means that the next election will happen sometime around June, 2009.
Given that, the themes which have come out in the electoral debate should
be clear. How should the whole OOXML participation process have been
handled? What should be done with the Foundation's money (about $150,000
in the bank and $50,000 in receivables, according to the minutes from a recent board meeting)?
How should GNOME push forward into interesting areas, such as mobile
applications and web-hosted services? And how can the board become more
effective than it has been in the past?
Along with deciding on these issues, the new board will have one other new
decision ahead of it. Until very recently, the Foundation has operated
under a single president: a certain Miguel de Icaza. Miguel has been
absent from the GNOME development community for some time, and many of the
developers in that community have not found themselves in agreement with
the public positions he has taken. The current board has convinced
Miguel to resign the presidency, and has changed its practices to the effect
that, in the future, the president will be appointed by the board. The
interim president will be Quim Gil.
In that context, here are a few selections from recent statements by this
year's candidates.
Brian Cameron
I think it is an important part of the Foundation to encourage new
people to get involved with volunteer aspects of the community. I
would like to encourage more participation from communities that
are not so well represented today. For example, users with
accessibility needs. I think having someone on the board with
accessibility experience is important to foster these sorts of
things.
Full posting.
I think it would add value to spend more on marketing and on
evangelical community building opportunities. For example, Windows
and MacOS have flashy "Welcome to the desktop" presentations.
Perhaps it is time for the GNOME community to find ways to better
advertise itself.
Full posting.
Behdad Esfahbod
One tipping point for GNOME would be when the membership/community
stops thinking of board as visionaries who set the direction and
happenings of project and starts seeing that it's just set of
trusted people who volunteered to do the boring and frustrating
tasks (take my word for that) that are so essential to the project
but no-one else is doing. [...]
As for the issue of single standards, I hate it when people use
standardization as a tool to take advantage over their competitors.
"I got here first, so you can't" is exactly what's broken about the
patent system right now. Think about it.
Full posting.
George Kraft
Personally, I would not mind it if GNOME were more compatible with
web services; however, I would not want a desktop which is
dependent on them. A danger of an online desktop would be the
dependency on non libre software services where we are not invited
to make changes. [...]
There are important topics like the Online Desktop and OOXML which
many are interested in; however, I would like to bring to
everyone's attention that GNOME accessibility could be positioned
as a clear winner over Windows's MSAA and KDE accessibility, but
instead GNOME's accessibility is on the defensive. From an
accessibility perspective, GNOME could be winning the hearts and
minds of corporations and government agencies; however, GNOME
accessibility is being threatened by the deprecation of Orbit2 &
its migration to DBus, and the migration of Microsoft's UIA to
GNU/Linux. Why regress and/or re-engineer when we can beat the
competition now?
Full posting.
Og Maciel
[T]he Online Desktop could be the one thing that will tip the scale
when users choose their desktop environment. I've had the
opportunity to see a few demos and was fairly impressed with its
potential. I believe that it is not up to the Board to decide on
the implementation or even which tools/languages to use, but serve
as a facilitator and guiding light to make sure that the project
stays on track and focused... GNOME users have become used to
expect innovation and great software in every release, so the
Online Desktop could definitely provide that extra buzz!
Full posting.
I'd like to see more support going for the guys behind Abiword,
Glom, Gnumeric, Epiphany, etc... Open Office and Firefox are GREAT
examples of good software but I happen to believe that we already
have great software in our code base that has been delegated to
second place. How about we promote an event where people who are
involved with the software mentioned before plus anyone who can be
of help and offer insight can sit down and jot down what needs to
be done in order to bring them out of the closet?
Full posting.
John Palmieri
I see the GNOME Online push as pulling us into the Wild West of the
Web platform where everyone is staking their claims and there is
yet to be monopolies to stifle innovation. Sure Google is big but
sites like Facebook and Wikipedia were able to emerge. The only
way to defeat entrenched adversaries in business is to outflank
them with disruptive technology. Microsoft did it to IBM with the
Desktop, Google did it to Microsoft with web search and we have the
chance to bring in integrated Open Source web applications to the
mix and even define a new era of Open Services.
Full posting.
Well one weak point is the board seems almost foreign to the every
day GNOME contributor. People vote and pretty much forget about
the inner workings until Slashdot gets a hold on some
sensationalized story and a press release is put out and still to
the outside world the role of the foundation is unclear. It is
hard to figure out weak points because it is hard to see exactly
what the foundation does. I would fix this by communicating any
decision, from the mundane to the sensational, in an easy to digest
format on my blog. Meeting minutes and press releases are just not
enough. Active engagement of the community is a must.
Full posting.
Lucas Rocha
I think the Online Desktop initiative is a great opportunity for us
to enwide the scope of GNOME project from a specific desktop
environment to a broader user experiences set. This means taking
advantage of this huge amount of funny, socially powerful, useful
information and services available on the Web. Embracing Online
Desktop also means trying to bring a new set of goals to GNOME
which are related to a more social and entertaining user
experience, something that, in my opinion, has been lacking in
GNOME for a long time.
Full posting.
I think the most serious problem about GNOME Foundation
participation on ECMA TC45-M was that it wasn't properly explained
and clarified to the community at the time it started. The
statement came after a lot of noise.
Full posting.
Vincent Untz
About the GNOME Foundation being part of the OOXML ECMA committee:
I've supported this decision and I still do. If we can have someone
asking for clarifications and maybe even have the ability to
improve the format, it'd be wrong to not do it and just complain
about the format. We want our users to read their files, and some
will have OOXML files. This means I'll want our applications to be
able to read such files, and therefore that a better documentation
of the format is good.
Full posting.
We've seen this year that hiring an "executive director" is hard,
very hard. I'm hopeful that hiring a sysadmin would be
(comparatively) easier. And I'm also hopeful that we can get some
funding to hire the sysadmin. So my plan is to hire a sysadmin
using part of what we have in our bank account now and using some
new funding, and keep enough cash so that we can hire an "executive
director" too. It might sound too ambitious, but I think it's
doable and that it's the best way to go.
Full posting.
Diego Escalante Urrelo
Support initiatives in Latin America for getting people involved as
users and developers. Concretely, I would like to "deploy" 2 or 3
of our rockstars next year to a LA-tour, as seen on
marketing-list
and later
gugmasters,
the idea has had a positive response. I would like to serve as a
direct link to this initiative and hopefully other similar ones.
Full posting.
I would have included a line in all-caps saying "GNOME Foundation
doesn't like OOXML, we have someone in the committee because
standard or not Ms is gonna push it everywhere, so we are taking
the chance to ask questions and raise concern on all the problems
we can find."
Full posting.
Luis Villa
I'll be running again for the Board this year. This will be an
unusual candidacy. I will not be running to do various and sundry
board tasks; I'll be running to do exactly one thing: legal work- a
vote for me is a vote that says 'Luis should be the coordinator of
all GNOME-related legal issues.'
Full posting.
I think it is inevitable that GNOME, or GNOME partners, will be
offering web-backed services to GNOME users. My personal vision for
that is to dot the i's and cross the t's on the legal parts- to
make sure that as we sail into uncharted waters, the rights of
GNOME users and contributors are being protected.
Full posting.
I wish [the statement on OOXML] were more explicit about how the
Foundation feels that the ODF folks have been undermining the
standards process. It isn't obvious to everyone that ODF shares
much of the blame for the politicization of the process, so the
statements about that in the statement are a little vague.
Full posting.
Jeff Waugh
It is ISO's role to facilitate the development of standards in a
coherent, transparent manner, not to determine the market demand
for a given standard. I think it's extremely short-sighted to
protest OOXML on the basis of "competing standards" given that
standards exist for technologies that we are very likely to want
true Free standards for in the future - for example, video encoders
and decoders.
Full posting.
We must have a full time staff member to manage any further hires,
as there is no way our part time administrator should have to deal
with any duties related to management. So, of the two, I'd prefer a
full time, management capable hire before a sysadmin hire.
Full posting.
Ballots must be returned by December 9, and the initial results from
the election are due to be announced on December 11; stay tuned.
Comments (10 posted)
Page editor: Jonathan Corbet
Security
ITU getting serious about botnets
By Jake Edge
November 28, 2007
Botnets are an increasing problem in today's internet. They can do much
harm in the way of spam propagation and distributed denial of service
attacks, but they also tend to
evolve much more quickly than preventative measures. The International
Telecommunication Union, an organization that predates the internet
by more than 100 years, wants to do something about that. To that end,
they are creating a Botnet
Mitigation Toolkit.
The ITU is now an agency of the United Nations, which puts it in the right
place to assist with botnet mitigation. Much like the internet, botnets do
not respect political boundaries; it is often the case that a botnet is
attacking a target in one country, from hosts in multiple countries, using
a command and control (C&C) infrastructure in yet another country. It will
take an international response to thwart an attack of that sort.
The toolkit is primarily focused at developing countries; it is meant to provide
guidelines and best practice information to entities that need it. There
are three types of information in the toolkit: legal, technical, and
social. Each has a role to play in successfully handling botnets and their
effects.
From a legal standpoint, many developing countries do not have laws
governing "cybercrime" that could be used to shut down or redirect botnet
traffic. The toolkit will contain recommendations for how such legislation
might be structured, what kind of jurisdiction requirements make sense, as
well as the kinds of evidence that are likely to be available. One of the more
serious difficulties is reconciling the needs of botnet fighters with
the privacy of internet users. A country's privacy laws may cover what
information can be gathered. A paper
describing the toolkit (PDF), which is still in draft form, has some
information about the intersection of privacy rights and internet security,
but this is clearly an area that will need to be handled carefully.
Another policy area that will be covered by the toolkit is establishing
a framework for handling incidents that occur. Setting up
monitoring, putting together a collaboration between the government and
internet service providers, and deterring internet criminals from
setting up shop in the country are all facets of a national "cybersecurity"
policy. If a country is starting from a point where none of this kind of
organization exists, which is true for much of the developing world, the
toolkit will provide the government with the right questions to ask and
the areas that need a decision. It will also make recommendations, which
may be followed or ignored.
From a technical standpoint, internet service providers may need information on
best practices for securing their networks from external threats. They
also may need information on handling malicious traffic originating in
their networks. The toolkit intends to provide information on both. The
paper contains a great deal of good information for those who are
interested; even ISPs in developed countries could learn much from it.
The social aspect of dealing with botnets is perhaps the most difficult part,
but, if successful, may provide the best defense. Like the technical
measures, this is by no means a problem only in developing countries.
Users everywhere need to learn good habits when using the internet.
Free software is specifically called out as part of the solution in the social
section of the paper, not because it is more resistant to malware (which is
unclear), but because it can always be upgraded to fix security flaws.
Many users in developing countries use unlicensed software from proprietary vendors
that is difficult or impossible to upgrade.
The ITU toolkit is a worthy project, which will hopefully be well received
by countries around the world. Due care needs to be taken so that it is
not seen as something being imposed by the developed world. Even if botnets
are not currently causing any major pain for a country, they certainly
will some day. Getting out ahead of that curve would be of great benefit;
hopefully most countries will see it that way.
A pilot project is planned for Malaysia, in cooperation with the government
there, in 2008 that will
allow the ITU to fine tune its message and the toolkit. After that, it can
start rolling it out in other interested
countries. It may be a few years off, but bot herders may start feeling
the heat.
Comments (19 posted)
Security news
Insecurity Blues: Jeremy Allison reflects on Samba security flaws
Jeremy Allison, of the Samba project, reflects on the recent security flaws in Samba, how responses (and response times) have changed over time, and how the project tries to avoid new security problems: "What we do now on seeing a security bug is immediately audit the entire code-base to discover if there are any similar problems, or even similar coding practices that might cause future problems, and re-write or remove all such code. It takes longer, but is much safer in the long run. If you examine parts of the Samba code you'll find common functions that are known to be insecure simply won't compile if added to our code. A set of automated macros warns of any use of known bad functions."
(thanks to Richard Hillesley)
Comments (79 posted)
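Allison's quote gives the goal but not the mechanism. As an added illustration, not Samba's own header or code, the following C shows two ways to make a known-bad function fail at build time rather than at run time, plus a hypothetical bounded replacement, bounded_copy, of the kind such a ban points developers at. All macro and function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Compile-time bans on unbounded string functions (this article's
 * illustration; the macro and function names are assumptions, not Samba's).
 *
 * 1. Macro rewrite (portable C): a call to strcpy() becomes a reference to
 *    an undeclared identifier, so the build fails and the identifier's name
 *    tells the developer what to use instead. Must come after <string.h>,
 *    which declares the real functions.
 */
#define strcpy(dst, src)  BANNED_strcpy__use_bounded_copy_instead
#define strcat(dst, src)  BANNED_strcat__use_bounded_copy_instead

/* 2. Preprocessor poisoning (GCC and Clang): any later appearance of the
 *    token is a hard error, even where a macro would not match. */
#pragma GCC poison gets

/*
 * The sanctioned replacement (hypothetical name): copies at most dst_size-1
 * bytes, always NUL-terminates, and returns strlen(src) so the caller can
 * detect truncation by comparing the result with dst_size.
 */
static size_t bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return len;                     /* nothing written; caller sees truncation */
    size_t n = len < dst_size - 1 ? len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len;
}

/* Convenience wrapper: 1 if src fit entirely, 0 if it was truncated. */
static int copy_fits(char *dst, size_t dst_size, const char *src)
{
    return bounded_copy(dst, dst_size, src) < dst_size;
}

#ifdef SHOW_REJECTED
/* Build with -DSHOW_REJECTED to see the ban fire:
 *   error: 'BANNED_strcpy__use_bounded_copy_instead' undeclared */
static void rejected(char *dst, const char *src)
{
    strcpy(dst, src);
}
#endif

int main(void)
{
    char name[16];
    /* constructed inputs: one that fits, one that would have overflowed */
    const char *inputs[] = { "alice", "a-username-that-is-far-too-long" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (copy_fits(name, sizeof name, inputs[i]))
            printf("ok:        \"%s\"\n", name);
        else
            printf("truncated: \"%s\" (input was %zu bytes)\n",
                   name, strlen(inputs[i]));
    }
    return 0;
}
```

Build normally and it compiles; build with -DSHOW_REJECTED and it does not, which is the property the quote describes. Order matters: the macros must come after the system header that declares the real functions, and the poison pragma is GCC/Clang-specific while the macro trick is plain C. The replacement deliberately reports truncation instead of silently succeeding, because a truncated path or username is its own class of bug.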
EFF's IP interference detection toolkit
The Electronic Frontier Foundation has announced the release of a set of
reports on ISP manipulation of IP traffic and some comprehensive
documentation on how to detect that manipulation for yourself. The
document on
detecting packet injection appears to mostly be a set of detailed
instructions on using Wireshark to compare TCP streams at both ends.
Full Story (comments: none)
New vulnerabilities
cacti: SQL injection vulnerability
| Package(s): | cacti |
| CVE #(s): | CVE-2007-6035 |
| Created: | November 22, 2007 |
| Updated: | February 18, 2008 |
| Description: | Versions of Cacti prior to 0.8.7a have an SQL injection vulnerability. Remote attackers can execute arbitrary SQL commands via unspecified vectors. |
| Alerts: | |
Comments (none posted)
CSTeX: multiple vulnerabilities
| Package(s): | CSTeX |
| CVE #(s): | |
| Created: | November 26, 2007 |
| Updated: | November 28, 2007 |
| Description: | From the Gentoo advisory: Remote attackers could possibly execute arbitrary code and local attackers could possibly overwrite arbitrary files with the privileges of the user running CSTeX via multiple vectors. |
| Alerts: | |
Comments (none posted)
feynmf: symlink vulnerability
| Package(s): | feynmf |
| CVE #(s): | CVE-2007-5940 |
| Created: | November 28, 2007 |
| Updated: | November 28, 2007 |
| Description: | The feynmf drawing package suffers from a symbolic link vulnerability. |
| Alerts: | |
Comments (none posted)
firefox: multiple vulnerabilities
| Package(s): | firefox seamonkey |
| CVE #(s): | CVE-2007-5947, CVE-2007-5959, CVE-2007-5960 |
| Created: | November 27, 2007 |
| Updated: | March 3, 2008 |
| Description: | A cross-site scripting flaw was found in the way Firefox handled the jar: URI scheme. It was possible for a malicious website to leverage this flaw and conduct a cross-site scripting attack against a user running Firefox. (CVE-2007-5947) |
| | Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2007-5959) |
| | A race condition existed when Firefox set the "window.location" property for a webpage. This flaw could allow a webpage to set an arbitrary Referer header, which may lead to a Cross-site Request Forgery (CSRF) attack against websites that rely only on the Referer header for protection. (CVE-2007-5960) |
| Alerts: | |
Comments (1 posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2007-5500 |
| Created: | November 28, 2007 |
| Updated: | July 8, 2008 |
| Description: | The wait_task_stopped function in the Linux kernel before 2.6.23.8 checks a TASK_TRACED bit instead of an exit_state value, which allows local users to cause a denial of service (machine crash) via unspecified vectors. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2007-5501 |
| Created: | November 28, 2007 |
| Updated: | March 7, 2008 |
| Description: | The tcp_sacktag_write_queue function in net/ipv4/tcp_input.c in Linux kernel 2.6.21 through 2.6.23.7, and 2.6.24-rc through 2.6.24-rc2, allows remote attackers to cause a denial of service (crash) via crafted ACK responses that trigger a NULL pointer dereference. |
| Alerts: | |
Comments (none posted)
lcms: stack-based buffer overflow
| Package(s): | lcms |
| CVE #(s): | CVE-2007-2741 |
| Created: | November 23, 2007 |
| Updated: | December 7, 2007 |
| Description: | Stack-based buffer overflow in Little CMS (lcms) before 1.15 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted ICC profile in a JPG file. |
| Alerts: | |
Comments (none posted)
mysql-dfsg: multiple vulnerabilities
| Package(s): | mysql-dfsg |
| CVE #(s): | CVE-2007-2583, CVE-2007-2691, CVE-2007-2692, CVE-2007-3782 |
| Created: | November 27, 2007 |
| Updated: | July 30, 2008 |
| Description: | The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference. (CVE-2007-2583) |
| | MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not require the DROP privilege for RENAME TABLE statements, which allows remote authenticated users to rename arbitrary tables. (CVE-2007-2691) |
| | The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x before 5.1.18 does not restore THD::db_access privileges when returning from SQL SECURITY INVOKER stored routines, which allows remote authenticated users to gain privileges. (CVE-2007-2692) |
| | MySQL Community Server before 5.0.45 allows remote authenticated users to gain update privileges for a table in another database via a view that refers to this external table. (CVE-2007-3782) |
| Alerts: | |
Comments (none posted)
nss_ldap: credential or other information disclosure
| Package(s): | nss_ldap |
| CVE #(s): | CVE-2007-5794 |
| Created: | November 26, 2007 |
| Updated: | July 30, 2008 |
| Description: |
From the Gentoo advisory:
Josh Burley reported that nss_ldap does not properly handle the LDAP
connections due to a race condition that can be triggered by
multi-threaded applications using nss_ldap, which might lead to
requested data being returned to a wrong process.

openldap: denial of service
| Package(s): | openldap |
| CVE #(s): | CVE-2007-5708 |
| Created: | November 23, 2007 |
| Updated: | April 9, 2008 |
| Description: |
slapo-pcache (overlays/pcache.c) in slapd in OpenLDAP before 2.3.39, when
running as a proxy-caching server, allocates memory using a malloc variant
instead of calloc, which prevents an array from being initialized properly
and might allow attackers to cause a denial of service (segmentation fault)
via unknown vectors that prevent the array from being null terminated.

pcre: buffer overflows in library
| Package(s): | pcre |
| CVE #(s): | CVE-2006-7228, CVE-2006-7230, CVE-2007-1661, CVE-2007-4766, CVE-2007-4767 |
| Created: | November 23, 2007 |
| Updated: | July 16, 2008 |
| Description: |
Specially crafted regular expressions could lead to buffer overflows in the pcre library. Applications using pcre to process regular expressions from untrusted sources could therefore potentially be exploited by attackers to execute arbitrary code as the user running the application.

pcre: buffer overflows
| Package(s): | pcre3 |
| CVE #(s): | CVE-2007-1662, CVE-2007-4768 |
| Created: | November 27, 2007 |
| Updated: | May 7, 2008 |
| Description: |
Perl-Compatible Regular Expression (PCRE) library before 7.3 reads past the
end of the string when searching for unmatched brackets and parentheses,
which allows context-dependent attackers to cause a denial of service
(crash), possibly involving forward references. (CVE-2007-1662)
Heap-based buffer overflow in Perl-Compatible Regular Expression (PCRE)
library before 7.3 allows context-dependent attackers to execute arbitrary
code via a singleton Unicode sequence in a character class in a regex
pattern, which is incorrectly optimized. (CVE-2007-4768)

phpMyAdmin: SQL injection
| Package(s): | phpMyAdmin |
| CVE #(s): | CVE-2007-5976, CVE-2007-5977 |
| Created: | November 22, 2007 |
| Updated: | November 28, 2007 |
| Description: |
phpMyAdmin prior to version 2.11.2.1 has an SQL injection vulnerability
in db_create.php. Remote authenticated users with CREATE DATABASE privileges can use this to execute arbitrary SQL commands via the db parameter.
db_create.php also has a related cross-site scripting vulnerability.
Remote authenticated users can inject arbitrary web scripts or HTML
using a hex-encoded IMG element in the db parameter in a POST request.

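The db_create.php problem above is the usual shape of an identifier injection: a name taken from a request parameter and concatenated into a statement. The following is an added example written for this page, not phpMyAdmin's code; the function names and the strict identifier policy are assumptions. It shows the vulnerable concatenation beside a hardened form that validates and backtick-quotes the name (identifiers cannot be bound as prepared-statement parameters, so quoting is the only option), and HTML-escapes the same value when echoing it back, which is the cross-site scripting half of the same parameter.

```python
import html
import re

# Strict policy (an assumption for this example): plain ASCII identifier
# characters only.  MySQL accepts a wider set inside backticks, so loosen
# STRICT_IDENT_RE if that is needed, but keep the quoting below.
STRICT_IDENT_RE = re.compile(r"^[0-9A-Za-z$_]{1,64}$")
MAX_IDENT_LEN = 64  # MySQL's length limit for database names


def vulnerable_create_database_sql(dbname: str) -> str:
    """The unsafe pattern: the raw request parameter is pasted into the
    statement, so 'x; DROP DATABASE y' becomes two statements."""
    return "CREATE DATABASE " + dbname


def quote_identifier(name: str) -> str:
    """Backtick-quote a MySQL identifier, doubling any embedded backtick.

    Quoting keeps a user-supplied name inside a single identifier token.
    NUL bytes, empty names and over-long names are rejected outright.
    """
    if not name or len(name) > MAX_IDENT_LEN or "\0" in name:
        raise ValueError("invalid identifier")
    return "`" + name.replace("`", "``") + "`"


def create_database_sql(dbname: str, strict: bool = True) -> str:
    """Hardened form: validate (optionally) and always quote."""
    if strict and not STRICT_IDENT_RE.match(dbname):
        raise ValueError("database name contains disallowed characters")
    return "CREATE DATABASE " + quote_identifier(dbname)


def render_db_name(dbname: str) -> str:
    """Escape the name before echoing it into HTML; this is what stops an
    IMG element smuggled in the same parameter from being rendered."""
    return html.escape(dbname, quote=True)
```

With `strict=False` a hostile value still yields one identifier token (CREATE DATABASE `x; DROP DATABASE y`), which the server creates literally or rejects but never executes as a second statement; the strict policy exists because a database name containing a semicolon is almost never wanted. The CREATE privilege must of course still be checked server-side.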
Tk: buffer overflow
| Package(s): | tk8.3 |
| CVE #(s): | CVE-2007-5378 |
| Created: | November 28, 2007 |
| Updated: | February 22, 2008 |
| Description: |
The Tk toolkit's GIF-reading code contains a buffer overflow which could be exploited via a malicious image file. Fixes may be found in versions 8.4.12 and 8.3.5.

wireshark: multiple vulnerabilities
| Package(s): | wireshark |
| CVE #(s): | CVE-2007-6114, CVE-2007-6117, CVE-2007-6118, CVE-2007-6120, CVE-2007-6121 |
| Created: | November 27, 2007 |
| Updated: | December 24, 2007 |
| Description: |
Several remote vulnerabilities have been discovered in the Wireshark
network traffic analyzer, which may lead to denial of service or the
execution of arbitrary code.

zaptel: possible privilege escalation
| Package(s): | zaptel |
| CVE #(s): | CVE-2007-5690 |
| Created: | November 28, 2007 |
| Updated: | November 28, 2007 |
| Description: |
Asterisk Zaptel 1.4.5.1 contains a buffer overflow which might be exploitable by local users, though the actual exploitability of this problem is disputed.

Updated vulnerabilities
apache2: information disclosure
| Package(s): | apache |
| CVE #(s): | CVE-2007-1862 |
| Created: | June 20, 2007 |
| Updated: | February 18, 2008 |
| Description: |
From the Mandriva advisory: "The recall_headers function in mod_mem_cache in Apache 2.2.4 does not
properly copy all levels of header data, which can cause Apache to
return HTTP headers containing previously-used data, which could be
used to obtain potentially sensitive information by unauthorized users."

apache: multiple vulnerabilities
| Package(s): | apache |
| CVE #(s): | CVE-2007-3304, CVE-2006-5752 |
| Created: | June 27, 2007 |
| Updated: | February 18, 2008 |
| Description: |
The Apache HTTP Server did not verify that a process was an Apache child
process before sending it signals. A local attacker who has the ability to
run scripts on the Apache HTTP Server could manipulate the scoreboard and
cause arbitrary processes to be terminated, which could lead to a denial of
service. (CVE-2007-3304)
A flaw was found in the Apache HTTP Server mod_status module. Sites with
the server-status page publicly accessible and ExtendedStatus enabled were
vulnerable to a cross-site scripting attack. On Red Hat Enterprise Linux
the server-status page is not enabled by default and it is best practice to
not make this publicly available. (CVE-2006-5752)

apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2006-3918 |
| Created: | August 9, 2006 |
| Updated: | April 4, 2008 |
| Description: |
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header."

apache2: denial of service
| Package(s): | apache2 |
| CVE #(s): | CVE-2007-1863 |
| Created: | November 19, 2007 |
| Updated: | February 18, 2008 |
| Description: |
From the CVE entry:
cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value.

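The mod_cache entry above is a parser that assumed a delta-seconds directive always carries a value. The following added example (written for this page, not Apache's code; the function names are assumptions) is a small Cache-Control parser that treats "max-age" and "max-age=" as a directive with no value, and a lookup step that falls back to a default instead of converting a missing value.

```python
from typing import Dict, Optional

# Directives that RFC 2616 defines with a delta-seconds argument (the four
# named in the entry above).  Note that max-stale is also legal with no
# value at all, so "no value" is a case a parser must expect, not a bug.
DELTA_SECONDS_DIRECTIVES = {"max-age", "s-maxage", "min-fresh", "max-stale"}


def parse_cache_control(header: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control header into {directive: value}.

    A directive with no '=' and a directive with '=' but nothing after it
    both map to None; nothing here assumes a value is present.
    """
    directives: Dict[str, Optional[str]] = {}
    for raw in header.split(","):
        token = raw.strip()
        if not token:
            continue
        name, sep, value = token.partition("=")
        name = name.strip().lower()
        if not name:
            continue
        value = value.strip().strip('"') if sep else ""
        directives[name] = value or None
    return directives


def delta_seconds(directives: Dict[str, Optional[str]], name: str,
                  default: Optional[int] = None) -> Optional[int]:
    """Return the integer argument of a delta-seconds directive.

    Returns `default` when the directive is absent, has no value, or has a
    non-numeric value.  Code that reaches for value.split('=')[1] or
    int(value) without this check is the shape of the mod_cache crash.
    """
    if name not in DELTA_SECONDS_DIRECTIVES:
        raise ValueError("not a delta-seconds directive: " + name)
    value = directives.get(name)
    if value is None or not value.isdigit():
        return default
    return int(value)


def freshness_lifetime(header: str, default_ttl: int = 300) -> int:
    """Worked use: take s-maxage, else max-age, else a default TTL.
    Empty-valued directives fall through instead of crashing the handler."""
    directives = parse_cache_control(header)
    for name in ("s-maxage", "max-age"):
        seconds = delta_seconds(directives, name)
        if seconds is not None:
            return seconds
    return default_ttl
```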
httpd: denial of service, cross-site scripting
| Package(s): | apache httpd |
| CVE #(s): | CVE-2007-3847, CVE-2007-4465 |
| Created: | September 25, 2007 |
| Updated: | February 15, 2008 |
| Description: |
A flaw was found in the mod_proxy module. On sites where a reverse proxy is
configured, a remote attacker could send a carefully crafted request that
would cause the Apache child process handling that request to crash. On
sites where a forward proxy is configured, an attacker could cause a
similar crash if a user could be persuaded to visit a malicious site using
the proxy. This could lead to a denial of service if using a threaded
Multi-Processing Module. (CVE-2007-3847)
A flaw was found in the mod_autoindex module. On sites where directory
listings are used, and the AddDefaultCharset directive has been removed
from the configuration, a cross-site-scripting attack may be possible
against browsers which do not correctly derive the response character set
following the rules in RFC 2616. (CVE-2007-4465)

bochs: denial of service
| Package(s): | bochs |
| CVE #(s): | CVE-2007-2894 |
| Created: | November 19, 2007 |
| Updated: | November 20, 2007 |
| Description: |
From the CVE entry:
The emulated floppy disk controller in Bochs 2.3 allows local users of the guest operating system to cause a denial of service (virtual machine crash) via unspecified vectors, resulting in a divide-by-zero error.

cacti: denial of service
| Package(s): | cacti |
| CVE #(s): | CVE-2007-3112, CVE-2007-3113 |
| Created: | September 18, 2007 |
| Updated: | February 18, 2008 |
| Description: |
Vulnerabilities in Cacti 0.8.6i and earlier versions allow remote
authenticated users to cause a denial of service (CPU consumption) via
large values of the graph_start, graph_end, graph_height, or graph_width
parameters.

centericq: buffer overflows
| Package(s): | centericq |
| CVE #(s): | CVE-2007-3713 |
| Created: | July 20, 2007 |
| Updated: | December 17, 2007 |
| Description: |
Multiple buffer overflows in Konst CenterICQ 4.9.11 through 4.21 allow
remote attackers to execute arbitrary code via unspecified vectors. NOTE:
the provenance of this information is unknown; the details are obtained
solely from third party information. NOTE: this might overlap
CVE-2007-0160.

clamav: denial of service
| Package(s): | clamav |
| CVE #(s): | CVE-2007-3725 |
| Created: | July 24, 2007 |
| Updated: | February 27, 2008 |
| Description: |
A NULL pointer dereference has been discovered in the RAR VM of Clam
Antivirus (ClamAV) which allows user-assisted remote attackers to
cause a denial of service via specially crafted RAR archives.

clamav: multiple vulnerabilities
| Package(s): | clamav |
| CVE #(s): | CVE-2007-4510, CVE-2007-4560 |
| Created: | September 3, 2007 |
| Updated: | February 13, 2008 |
| Description: |
Several remote vulnerabilities have been discovered in the Clam anti-virus
toolkit. The Common Vulnerabilities and Exposures project identifies the
following problems:
CVE-2007-4510:
It was discovered that the RTF and RFC2397 parsers can be tricked
into dereferencing a NULL pointer, resulting in denial of service.
CVE-2007-4560:
It was discovered clamav-milter performs insufficient input
sanitizing, resulting in the execution of arbitrary shell commands.

conga: denial of service
| Package(s): | conga |
| CVE #(s): | CVE-2007-4136 |
| Created: | November 7, 2007 |
| Updated: | November 22, 2007 |
| Description: |
A flaw was found in ricci during a code audit. A remote attacker who is
able to connect to ricci could cause ricci to temporarily refuse additional
connections, a denial of service (CVE-2007-4136).

cups: denial of service
| Package(s): | cups |
| CVE #(s): | CVE-2007-0720 |
| Created: | March 26, 2007 |
| Updated: | February 7, 2008 |
| Description: |
Previous versions of the cups package could be forced to hang via a client
"partially negotiating" an ssl connection. In this state, cups would not
allow other connections to be made, a denial of service.

gpdf: integer overflow
| Package(s): | cups poppler xpdf |
| CVE #(s): | CVE-2007-3387 |
| Created: | July 31, 2007 |
| Updated: | November 28, 2007 |
| Description: |
The xpdf PDF-rendering code, as used by gpdf, contains an integer overflow which can be exploited via a malicious PDF file. This code finds its way into multiple packages, including xpdf, kpdf, poppler, cups, and more.

debian-goodies: privilege escalation
| Package(s): | debian-goodies |
| CVE #(s): | CVE-2007-3912 |
| Created: | October 5, 2007 |
| Updated: | March 24, 2008 |
| Description: |
Thomas de Grenier de Latour discovered that the checkrestart program included
in debian-goodies did not correctly handle shell meta-characters. A local
attacker could exploit this to gain the privileges of the user running
checkrestart.

Django: denial of service
| Package(s): | Django |
| CVE #(s): | CVE-2007-5712 |
| Created: | November 12, 2007 |
| Updated: | May 21, 2008 |
| Description: |
From the CVE notice:
The internationalization (i18n) framework in Django 0.91, 0.95, 0.95.1, and 0.96, and as used in other products such as PyLucid, when the USE_I18N option and the i18n component are enabled, allows remote attackers to cause a denial of service (memory consumption) via many HTTP requests with large Accept-Language headers.

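The Django entry above is about unbounded memory growth driven by an attacker-controlled header. The following added example (written for this page, not Django's code; the numeric limits, the memoising cache and the function names are assumptions made for the example) parses Accept-Language with a cap on the bytes it examines and the entries it keeps, and memoises results in a size-bounded cache so that a stream of unique, oversized headers evicts old entries rather than accumulating them.

```python
import re
from collections import OrderedDict
from typing import List, Optional, Tuple

# RFC 2616 language-range syntax: '*' or 1-8 letters with optional subtags.
LANG_TAG_RE = re.compile(r"^(\*|[a-z]{1,8}(?:-[a-z0-9]{1,8})*)$")
MAX_HEADER_LEN = 1024     # assumed cap on bytes examined per request
MAX_LANGUAGES = 20        # assumed cap on entries kept per header
MAX_CACHE_ENTRIES = 256   # assumed cap on memoised headers

# Memoises header -> parsed result; bounded in size (see below).
_parsed_cache: "OrderedDict[str, List[Tuple[str, float]]]" = OrderedDict()


def parse_accept_language(header: Optional[str],
                          max_len: int = MAX_HEADER_LEN,
                          max_items: int = MAX_LANGUAGES) -> List[Tuple[str, float]]:
    """Return [(language, q)] sorted by descending q.

    An oversized header is treated as 'no preference' rather than parsed,
    and at most max_items entries are kept, so the work and memory per
    request are bounded regardless of what the client sends.
    """
    if header is None or len(header) > max_len:
        return []
    langs: List[Tuple[str, float]] = []
    for piece in header.split(","):
        piece = piece.strip()
        if not piece:
            continue
        tag, _, params = piece.partition(";")
        tag = tag.strip().lower()
        if not LANG_TAG_RE.match(tag):
            continue
        q = 1.0
        params = params.strip().lower()
        if params.startswith("q="):
            try:
                q = float(params[2:])
            except ValueError:
                continue
        if not 0.0 < q <= 1.0:      # q=0 means "not acceptable"
            continue
        langs.append((tag, q))
        if len(langs) >= max_items:
            break
    langs.sort(key=lambda item: item[1], reverse=True)  # stable sort
    return langs


def cached_parse_accept_language(header: str,
                                 max_cache: int = MAX_CACHE_ENTRIES) -> List[Tuple[str, float]]:
    """Memoised variant.  Oversized headers are never used as cache keys,
    and once the cache is full the least recently used entry is evicted."""
    if len(header) > MAX_HEADER_LEN:
        return []
    if header in _parsed_cache:
        _parsed_cache.move_to_end(header)
        return _parsed_cache[header]
    result = parse_accept_language(header)
    _parsed_cache[header] = result
    if len(_parsed_cache) > max_cache:
        _parsed_cache.popitem(last=False)
    return result


def cache_size() -> int:
    return len(_parsed_cache)
```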
dovecot: privilege escalation
| Package(s): | dovecot |
| CVE #(s): | CVE-2007-4211 |
| Created: | August 15, 2007 |
| Updated: | May 21, 2008 |
| Description: |
From the rPath advisory: "Previous versions of the dovecot package are vulnerable to a
minor privilege escalation attack in which an authenticated
user may exploit an ACL plugin weakness to save message flags
without having proper permissions."

dovecot: directory traversal
| Package(s): | dovecot |
| CVE #(s): | CVE-2007-2231 |
| Created: | May 8, 2007 |
| Updated: | May 21, 2008 |
| Description: |
Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot
before 1.0.rc29, when using the zlib plugin, allows remote attackers to
read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot)
sequence in the mailbox name.

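The dovecot entry above is a mailbox name that reaches the filesystem with a ".." component intact. The following added example (written for this page, not Dovecot's code; the mail-root layout, the ".gz" suffix and the function names are assumptions) maps an untrusted mailbox name to a path under a mail root with two independent checks: a syntactic filter on path components, and a containment check on the normalised result.

```python
import posixpath

MAIL_ROOT = "/var/mail/alice"  # constructed for the example; any mail root works


def resolve_mailbox_path(mail_root: str, mailbox: str, suffix: str = ".gz") -> str:
    """Map an untrusted mailbox name to a file under mail_root.

    The syntactic check rejects absolute names, NUL bytes, empty components,
    '.' and '..'.  The semantic check normalises the joined path and
    confirms it still lies under mail_root.  Either alone catches the '..'
    case; keeping both means a later change to the component rules cannot
    silently reopen the hole.
    """
    if not mailbox or "\0" in mailbox or mailbox.startswith("/"):
        raise ValueError("invalid mailbox name")
    for component in mailbox.split("/"):
        if component in ("", ".", ".."):
            raise ValueError("invalid path component in mailbox name")
    root = posixpath.normpath(mail_root)
    candidate = posixpath.normpath(posixpath.join(root, mailbox + suffix))
    prefix = root.rstrip("/") + "/"
    if not candidate.startswith(prefix):
        raise ValueError("mailbox path escapes the mail root")
    return candidate


def is_safe_mailbox(mail_root: str, mailbox: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        resolve_mailbox_path(mail_root, mailbox)
    except ValueError:
        return False
    return True
```

posixpath is used instead of os.path so the result is the same on every platform; on a real server the mail root itself should be resolved with os.path.realpath first, and symlinks planted inside the mail root are a separate concern this check does not address.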
drupal: multiple vulnerabilities
| Package(s): | drupal |
| CVE #(s): | CVE-2007-5593, CVE-2007-5594, CVE-2007-5595, CVE-2007-5596, CVE-2007-5597 |
| Created: | October 24, 2007 |
| Updated: | December 7, 2007 |
| Description: |
From the Fedora advisory:
- Upgrade to 5.3, fixes:
- HTTP response splitting.
- Arbitrary code execution.
- Cross-site scripting.
- Cross-site request forgery.
- Access bypass.

eggdrop: stack-based buffer overflow
| Package(s): | eggdrop |
| CVE #(s): | CVE-2007-2807 |
| Created: | September 7, 2007 |
| Updated: | January 7, 2008 |
| Description: |
A stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop
1.6.18, and possibly earlier, allows user-assisted, malicious remote IRC
servers to execute arbitrary code via a long private message.

emacs: command execution via local variables
| Package(s): | emacs |
| CVE #(s): | CVE-2007-5795 |
| Created: | November 14, 2007 |
| Updated: | February 5, 2008 |
| Description: |
From the original Debian problem report: "In Debian's version of GNU Emacs 22.1+1-2, the `hack-local-variables'
function does not behave correctly when `enable-local-variables' is
set to :safe. The documentation of `enable-local-variables' states
that the value :safe means to set only safe variables, as determined
by `safe-local-variable-p' and `risky-local-variable-p' (and the data
driving them), but Emacs ignores this and instead sets all the local
variables." When this setting (which is not the default) is in effect, opening a hostile file could lead to the execution of arbitrary commands.

evolution: format string error
| Package(s): | evolution |
| CVE #(s): | CVE-2007-1002 |
| Created: | March 27, 2007 |
| Updated: | February 27, 2008 |
| Description: |
A format string error in the "write_html()" function in
calendar/gui/e-cal-component-memo-preview.c when displaying a memo's
categories can potentially be exploited to execute arbitrary code via a
specially crafted shared memo containing format specifiers.

firebird: buffer overflow
| Package(s): | firebird |
| CVE #(s): | CVE-2007-3181 |
| Created: | July 2, 2007 |
| Updated: | March 27, 2008 |
| Description: |
The Firebird DBMS has a buffer overflow vulnerability involving
the processing of connect requests with an overly large p_cnct_count
value. Remote attackers can send a specially crafted
request to the server in order to potentially execute arbitrary code with
the permissions of the Firebird user.

firefox: multiple vulnerabilities
| Package(s): | firefox |
| CVE #(s): | CVE-2007-3844, CVE-2007-3845 |
| Created: | August 1, 2007 |
| Updated: | February 20, 2008 |
| Description: |
A flaw was discovered in handling o