
LWN.net Weekly Edition for February 28, 2008

A Beijing trip report

By Jonathan Corbet
February 27, 2008
China would seem like an ideal environment for free software. The Chinese have a need for vast amounts of software as their country rapidly industrializes, they have reasons to prefer software which is not controlled by American corporations, and they have been coming under some pressure from those same corporations to do something about their little habit of copying proprietary software without much regard for details like license agreements. Free software offers them the ability to take control of their own software, make sure it lacks unwelcome surprises, and copy it as much as they like. And China has been making a lot of use of Linux and free software, but, as is the case with many Asian countries, China's presence in the development community is relatively small.

Encouraging participation from Asian countries has been a goal of the Linux Foundation for some time; one result of that is the series of symposiums held in Japan over the last few years. Now, for the first time, the Foundation has extended this series to China. On February 19 and 20, the first Linux Developer Symposium China was held in Beijing. This event was organized in cooperation with the China Open Source Promotion Union (COPU). Your editor had the privilege of speaking at this meeting.

This was not the kind of developer-oriented gathering that one might expect to find in many other parts of the world. Far too many suits and ties, for example. Often the focus of the event appeared to be the creation of photo opportunities while people (who were not developers) gave speeches. In general, it was organized in a mode of talking to the participants, rather than talking with them. The agenda makes this clear: 17 speakers on the first day, with only one break (for lunch). The talks were well received by a sellout crowd, but there was not a lot of opportunity for people to talk.

The second day featured a round table discussion and a set of BOF sessions. The round table was interesting, though it focused on issues which are not necessarily development oriented: Linux adoption in mobile devices, competing with pirated copies of Windows, etc. The BOF was, in many ways, the most interesting part of the whole event; this was where participants could find people with similar interests and simply ask questions. Your editor fielded questions on security modules, the kevent interface, community participation in Asia, language issues, and more. Chinese developers, like their Japanese counterparts, seem to be reluctant to ask questions in front of a large group. But, in a closer situation, the floodgates open and all kinds of questions come out.

Unfortunately, the second day was open only to a small subset of the conference attendees, and that subset was heavy on the managerial side. So a lot of people who could have benefited most from the BOF session were not there.

One topic which never came up - until your editor raised it briefly at the round table session - was license compliance. For the most part, it does not seem to be on the radar there. Your editor was told that GPL violations are common with products which are sold in the Chinese market but not exported elsewhere; the people involved can assume, with seemingly good reason, that nobody will take them to court. There is also a fair amount of driver work being done for companies in other countries; once the code is shipped the original developers forget about it and move on to the next project. Quite a bit of that code never makes it into the mainline.

This sort of activity fails to give back to the community which provided Linux in the first place. But it also hurts the developers involved. They do not become part of the community, do not get recognition for their work, and miss the opportunity to learn from others. During the press conference on the first day, it was noted that Chinese companies are having a hard time hiring Linux developers, and that more training opportunities would be a good thing. Your editor felt the need to point out that, of all the people working in free software projects, very few of them are specifically trained to do so. It's more a matter of individual initiative. Training is good, but the training received in Chinese universities should be more than adequate for those looking to get involved with free software.

Andrew Morton took that theme further by pointing out that, rather than complaining about difficulties in hiring, these companies would be better off encouraging community participation and skills development within their existing staff. That would be more productive than chasing the same small set of developers that everybody else is trying to hire. On the second day, Dave Neary made the crucial point that community participation is something that individuals - not companies - do. There are a lot of companies worldwide which have a hard time understanding how free software development works, and China is no exception.

One last note on hiring free software hackers. Your editor ran across this article, which states:

In China, 43 per cent of IT graduates are unemployed, and hacker "training" web sites are creating a pool of effective malware authors and paying them like a legitimate business.

In such a situation (assuming the claim is true - something your editor cannot vouch for), finding developers who are able and willing to learn how to hack on free software should not be that hard.

Meanwhile, your editor was struck by the energy and initiative shown by the Beijing Linux Users Group, which helped with many aspects of the event. BLUG is busily organizing gatherings and creating a local community out of Beijing's hackers. A real spark is glowing there; it will be interesting to see how that group develops in the near future.

All told, the event was a clear success. It was a proper media event which raised the profile of Linux in China and showed that Linux developers care enough about the country to pay a visit. A mixture of local and imported developers were able to present their work to an attentive and interested audience. The discussions brought developers closer and, hopefully, sent them away with interesting things on their "to do" lists. And, importantly, the visiting developers learned something about China that goes beyond the proper technique for eating Peking Duck or the effort required to climb the Great Wall (or to circumvent the rather obnoxious great firewall). With luck, we have a better understanding of what developers are up to in that part of the world and how we can help them to participate fully in our projects. And that can only be a good thing.

(Some pictures from the event have been posted. Unbelievable numbers of photos were taken, so more can be expected to surface at some point. But, under no circumstances should anyone look at the scurrilous photo posted by Andrew Morton.)


Ten-year timeline part 6: almost to the present

By Jonathan Corbet
February 27, 2008
Part 5 of this increasingly long series stopped in March, 2004, when BitMover loudly proclaimed that the use of BitKeeper had doubled the pace of kernel development. This installment picks up from there, looking at a year when BitKeeper remained in the news, the SCO case was in progress, software patents became more threatening, and more.

  • April 8, 2004: The first X.org release. SELinux shows up in a Fedora Core 2 test release. Red Hat v. SCO is put on indefinite hold (where it remains to this day). Anti-software-patent demonstrations are held in Europe.

This week featured some important news. The launch of X.org signaled the resurrection of Linux desktop work and the beginning of a much more interesting and promising era. Meanwhile, Fedora took the lead in pushing SELinux-based mandatory access control technology into a general-purpose system. That work is still very much in progress nearly four years later, but, like it or not, SELinux has become an important part of our defensive arsenal.

  • April 15, 2004: The 2.6.6 kernel gains POSIX message queues, filesystem speedups, internal API changes, laptop mode, 4K stacks, auditing, the CFQ I/O scheduler, and more. Sun and Microsoft make a $2 billion deal. Lindows becomes Linspire.

  • April 22, 2004: Linspire files to go public. BayStar tells SCO it wants its money back.

  • April 29, 2004: Gentoo founder Daniel Robbins leaves the project.

Something else which was going on during this time was a rising level of discontent over the management of the Fedora project, which was not turning out to be the open community that many had hoped for. Pause for a moment and revisit this classic dialog posted by Konstantin Ryabitsev, which so clearly documented how the situation was seen by the community at that time. Fedora has come a long way since then.

  • May 20, 2004: The European Council approves the software patent directive, sending it back to the Parliament for final passage.

Remember: the directive approved by the Council was the original version which legitimized software patents, not the version amended by the Parliament which did not. Thus started the final (so far) round in the fight against European software patents - a round which we eventually won.

  • May 27, 2004: The kernel adopts the Signed-off-by: convention. The 2.6.7 kernel gains scheduling domains, the object-based reverse mapping VM, filtered wakeups, and more.

The thing to remember here is that 2.6 was alleged to be a stable kernel series, and everybody was still waiting for 2.7 to start. Linus defended the massive VM changes with the claim that they were, in fact, an "implementation detail." The realization that the kernel development process had, in fact, already changed did not come through until...

  • July 22, 2004: The "new" kernel development process is adopted.

This kernel summit decision - which, among other things, said that there would be no 2.7 kernel - surprised almost everybody. Certainly there have been some issues since then, but nobody really wants to go back to the old, pre-2.6 days.

  • August 5, 2004: Open Source Risk Management funds a study showing that the kernel infringes on 283 patents, offers patent suit insurance. SCO Forum is held, featuring a keynote by Rob Enderle; the rest of the world looks on incredulously. The Munich Linux deployment is put on hold as a result of software patent fears.

  • August 19, 2004: Lindows gives up on its IPO. The 2.6.8.1 kernel is released.

There were interesting cross-currents happening at this time. On the one hand, companies like Open Source Risk Management were trying to use SCO as a way to scare companies (and individual developers) into buying its insurance offerings. On the other, there was a hallucinogenic aspect to the SCO Forum discussions that escaped nobody; SCO's time of being taken seriously by the wider world was already done.

It's worth noting that OSRM still exists, but its insurance offering now is for companies worried about GPL-infringement suits.

Meanwhile, 2.6.8.1 was the first three-dot kernel release ever; it was rushed out in response to an unpleasant, last-minute bug in 2.6.8.

  • August 26, 2004: IBM brings GPL-infringement charges against SCO. LWN fails to reproduce the posted reiser4 filesystem benchmarks, gets in trouble with Namesys.

  • September 16, 2004: Sun announces plans to open-source Solaris. OSDL and the Free Standards Group announce a plan for cooperation on the Linux Standard Base.

OSDL and the FSG were, at this point, separate groups which, at times, almost seemed to be in competition with each other. Those days, of course, are no more: the two have since merged and become the Linux Foundation.

Who would have thought that one could create a major new distribution in 2004? One might well wonder whether the situation is any less open now.

  • October 7, 2004: the bnetd developers lose their DMCA case. Concerns about kernel quality are expressed. Microsoft's FAT patent is overturned.

  • October 14, 2004: Novell says it will use its patents "as appropriate" to defend free software projects against patent attacks. Jeff Merkey offers $50,000 for the right to take the kernel proprietary. The realtime preemption patch set gets started.

  • October 21, 2004: the first Ubuntu release (4.10) comes out. Busybox 1.0 is released at last. Mozilla begins fund raising to advertise Firefox in the New York Times.

  • November 11, 2004: Firefox 1.0 is released. Novell gets $500 million in anti-trust cash from Microsoft.

The Firefox 1.0 release was, in a very real sense, the much-delayed culmination of the process which began back in 1998, when Netscape announced that it would be releasing its code. Firefox was almost seven years in the making, but, sometimes, late really is better than never. Even those of us who use a different browser should be thankful for the effect Firefox has had toward the creation of a standard-compliant web and a competitive environment for web browsers.

Whether it's called United Linux, the Linux Core Consortium, or Manbo-Labs, this is an idea which returns on occasion: pool effort on the creation of a base distribution so that each player can concentrate their differentiation efforts on the higher levels. It often seems not to work, though. It is hard to compete with more community-based distributions through the establishment of a base platform by corporate fiat. It seems that the true "base" distributions have names like Debian or Fedora.

  • January 13, 2005: Debian runs afoul of the Mozilla trademark policy. The European Parliament attempts to restart the software patent discussion from the beginning.

  • January 27, 2005: Sun starts releasing Solaris code under the CDDL.

  • February 3, 2005: The Software Freedom Law Center is founded. Eben Moglen starts talking about GPLv3. Russ Nelson becomes the president of the Open Source Initiative - briefly.

  • February 10, 2005: IBM's requests for summary judgment in the SCO case are dismissed - temporarily - by Judge Kimball. BitKeeper flame wars return, this time about the locking-up of history metadata and license-based prohibitions on its extraction.

The locking-up of metadata within BitKeeper was a sore point even for developers who had accepted BitKeeper in general. Larry McVoy was unsympathetic, though, stating that he was operating within his rights. This episode was the beginning of the end for BitKeeper and the kernel.

  • March 3, 2005: MandrakeSoft acquires Conectiva. The European Commission ignores the European Parliament's request to restart the software patent directive process.

  • March 10, 2005: Kernel quality concerns lead to the creation of the -stable tree.

Those quality concerns are not gone now, though they have diminished somewhat. The -stable tree seemed like an experiment at the time, but it has proved successful and is still being produced almost three years later.

  • April 7, 2005: The BitKeeper era comes to an abrupt end when the free-beer license for the software is terminated by BitMover. (Unfounded) rumors about a merger between UserLinux and Ubuntu circulate.

  • April 14, 2005: Linus posts the first version of git. MandrakeSoft becomes Mandriva.

The termination of free-beer BitKeeper was probably inevitable from the very beginning of its existence; trying to maintain a closed system with proprietary data formats in the middle of a highly open process was always a losing proposition. For some time, many of us had feared that it could end in a much uglier way than it actually played out. We, the community, had danced on some thin ice for a while, but, when it broke, the water was only ankle-deep. We got lucky.

As your editor has said before, BitKeeper did us a lot of good by bringing order to the kernel development process when things had been working very poorly, and by showing the world what distributed revision control could do. It set the stage for what came after. Git was not the first free distributed revision control system, but it was the first to be employed on such a massive scale. In a real sense, git launched a new era of free software development.

On that note, this article will end - and, probably, the retrospective series ends as well. As events become more recent, the difficulty of putting them into historical perspective gets greater. A retrospective covering the remaining 2+ years risks becoming a repeat of the annual timelines and adding little of value. That period is best left for the 20-year retrospective.

So, the entire LWN staff would like to say "thanks!" one last time to our readers, who have treated us so well for the last ten years. It has been an incredible ride.


Interoperating with Microsoft

By Jake Edge
February 27, 2008

Last week, with much fanfare, Microsoft announced a change in its practices in order to "expand interoperability". It is a rather sizable shift away from some of its previous inflammatory statements about free software—though it scrupulously avoids that term—but whether it is the harbinger of a more open Microsoft, or yet another empty pronouncement, is still unclear. It does contain things of interest to the community, in particular the patent enumeration, but there are pitfalls as well.

The largest chunk of what Microsoft promises is documentation for APIs and protocols used by some of their most popular products. They immediately released some 30,000 pages of Windows protocol specifications, much of which the Samba project had to pay to access last December. In addition, they will be releasing documentation suitable for developers wishing to interoperate with "Windows Vista (including the .NET Framework), Windows Server 2008, SQL Server 2008, Office 2007, Exchange Server 2007, and Office SharePoint Server 2007, and future versions of all these products."

Microsoft has also promised to list which of the documented protocols are covered by one of its patents or patent applications. We may finally start to get a handle on the infamous "235 patents" that Linux and free software supposedly infringe. These patents will be available for license on the standard "reasonable and non-discriminatory" (RAND) terms, with an interesting addition: "low royalty rates". The patent list is not yet available, but may be of use in ways that Microsoft does not intend; invalidating some of the patents with prior art for example.

As Microsoft is well aware, RAND terms are a non-starter for free software because they restrict redistribution of the code. The company has tried to soften that blow, perhaps, by rehashing its "covenant not to sue" developers that originated as part of the Novell interoperability agreement. The covenant may be a great public relations ploy, but does little to alleviate concerns that free software developers will have in implementing patented protocols. It is the rare developer who finds an itch to develop code to talk to Microsoft servers and who has no thought of using or distributing it commercially.

There are also provisions in the announcement for documentation of Microsoft implementations of industry standards. A cynic might wonder why additional information is needed, they are, after all, supposed to be standards. The unfortunate reality is that Microsoft does extend such standards for its own purposes in incompatible ways; having that kind of information can only help web browsers, directory services, and other multi-platform tools.

For a company as adamantly opposed to Open Document Format (ODF) as it claims to be, it is a bit surprising to see that they plan changes to Microsoft Office to "promote user choice among document formats". APIs for document format plug-ins along with the ability for users to make their own choice about the default save format will be added. How reasonable those APIs are and how faithfully they can encapsulate Office documents will be an interesting test of both Microsoft's sincerity and ODF's capabilities. It is also a pretty clear attempt to at least appear to be playing nicely with ODF while its competing OOXML format is being considered for an ISO standard.

There are also various platitudes about "opening dialogs" and "expanding outreach" with the community included in the announcement. It will be interesting to see how that actually plays out. It is, however, hard to imagine even a year ago seeing a posting on a Microsoft-sponsored site entitled "How open source has influenced Windows Server 2008". In less than seven years, we have moved from a "cancer" to influencing its flagship products.

One obvious conclusion that can be drawn from this and other Microsoft initiatives is that it is feeling a fair amount of pressure from customers, the European Union, standards groups, and free software. These kinds of changes, even if they don't go as far as the rhetoric would lead one to believe, are a pretty substantial shift in Microsoft culture and thinking. Unfortunately, they do also seem to be angling for the long-sought "Linux tax"—a payment, even just a small one, for each and every Linux deployment.

So far, Microsoft doesn't seem to have caught on to the idea that most Linux installations are free in both senses of the term. There is no per-installation, per-processor, per-core licensing stream to tap into. One of the headaches that free software users avoid is keeping track of all those licenses, enforced by the ever-present threat of a Business Software Alliance audit. It has, to a limited extent, already tapped into—and likely tapped out—that revenue from the deals with Novell and other distributors.

Overall, this seems like a positive step. It clearly acknowledges the role that free software (or open source if you prefer) is playing in both the commercial marketplace and the marketplace of ideas. The actual effects of this announcement for our community may be small, but it may also be indicative of Microsoft moving in a more cooperative direction. That would be a rather nice thing to see.


Page editor: Jonathan Corbet

Security

Cascading security updates

By Jake Edge
February 27, 2008

When following the distributions' security updates on a daily basis, as we do at LWN, certain days are more work than others. Two weeks ago the update page was rather full, with no fewer than 28 packages updated for Fedora (most of those for both F7 and F8), along with a handful of updates from other distributions. It turns out that the majority of the Fedora updates had a single cause: a set of serious vulnerabilities in Mozilla Firefox.

How does a single update to an application ripple so far that more than a dozen packages have to be rebuilt? One would think that the fix would land in a shared library, with applications picking up the change the next time they are run. That is, in theory, how things are supposed to work, but in this case the underlying libraries have no fixed application binary interface (ABI): a new release may change structure layouts or function signatures that already-built programs have compiled in. So a change to those libraries requires any application that uses them to be rebuilt and retested.

Gecko is the rendering engine used by Mozilla in their products to display HTML. Various other packages have started using it as well because of its speed and standards compliance. Because Mozilla sometimes breaks the ABI between releases, even minor releases, distributions may be stuck rebuilding those applications when a new version of the library is released. Normally, that only happens when packaging a new version of the distribution—or when serious security flaws are found.

Mozilla's solution for this problem is XULRunner, which is intended to provide a stable ABI for embedding applications. As XULRunner and its companion libxul become more widely available, the applications that currently link to the Gecko libraries will presumably switch to them and avoid this kind of problem in the future. It is highly unlikely that we have seen the last security problem in the Gecko engine, so reducing the cascade that results from finding one would be welcome.

Because the ABI has changed in the past, Fedora makes each application that links to Gecko depend on the exact version of the Gecko libraries it was built against, so every Mozilla release forces a rebuild of all of them. Some other distributions do not do that, so unless the ABI does change, they need only update the library rather than each package that uses it. That has some advantages, but it could lead to broken applications if an ABI change goes unnoticed: the package manager will happily install the new library, and the breakage shows up only at run time, perhaps as a crash in a program that was built against the old one.

We have also seen similar cascades of updates, most notably from the xpdf PDF viewer. Unlike Gecko, xpdf is not packaged as a shared library at all; instead, several applications (cups, gpdf, etc.) carry copies of its source in their own trees. When a flaw is found in that code, every one of those applications, across all distributions, needs to be updated immediately, with an effect much like the one seen with the Gecko vulnerabilities, except that no dependency information points to the affected packages. Hopefully, over time, the development of the poppler library will mitigate this problem somewhat.

There are lots of good reasons to separate code into components where possible, but security is an important one. Creating and maintaining an ABI is sometimes difficult, but generally worth the trouble. Imagine the chaos that could result from a security vulnerability requiring an ABI change in glibc.
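As an added example, not code from LWN or from any distribution's build tooling, the following Python script classifies the packages affected by a security fix in one component according to the three situations discussed above: an exact-version dependency (the Fedora practice) forces a rebuild, a loose dependency picks up the fixed shared library at run time as long as the ABI held, and a bundled copy of the source, as with xpdf, never appears in the dependency graph at all. The package names, versions and dependency data are constructed for illustration and are not taken from any real package database; the version comparison is a simplified stand-in for rpm's rpmvercmp().

```python
"""Blast radius of a security fix in one component.

Added example, not code from LWN or from any distribution's build
system.  The package data is constructed for illustration, and the
version comparison is a simplified stand-in for rpm's rpmvercmp().
"""

# Constructed sample metadata in the spirit of RPM "Requires:" lines.
# "requires" maps a library to (operator, version); "bundles" names
# upstream sources whose copy is compiled into the package itself.
PACKAGES = {
    "gecko-libs": {"version": "1.8.1.11", "requires": {}, "bundles": set()},
    # Exact-version pins: the Fedora practice described in the article.
    "firefox":  {"version": "2.0.0.11", "requires": {"gecko-libs": ("=", "1.8.1.11")}, "bundles": set()},
    "epiphany": {"version": "2.20.3", "requires": {"gecko-libs": ("=", "1.8.1.11")}, "bundles": set()},
    "yelp":     {"version": "2.20.0", "requires": {"gecko-libs": ("=", "1.8.1.11")}, "bundles": set()},
    # Loose dependency: fine as long as the ABI really is stable.
    "devhelp":  {"version": "0.16.1", "requires": {"gecko-libs": (">=", "1.8.1")}, "bundles": set()},
    # xpdf has no shared library; these packages carry its source.
    "xpdf":     {"version": "3.02", "requires": {}, "bundles": set()},
    "cups":     {"version": "1.3.5", "requires": {}, "bundles": {"xpdf"}},
    "gpdf":     {"version": "2.10.0", "requires": {}, "bundles": {"xpdf"}},
    # poppler is a shared library, so evince gets its fixes for free.
    "poppler":  {"version": "0.6.2", "requires": {}, "bundles": set()},
    "evince":   {"version": "2.20.2", "requires": {"poppler": (">=", "0.6")}, "bundles": set()},
}


def parse_version(text):
    """Dotted version -> tuple that compares numerically where it can.

    Numeric pieces sort before alphanumeric ones, so "1.8.1.12" > "1.8.1"
    and "3.02" vs "3.02pl2" still compare without raising.
    """
    parts = []
    for piece in text.split("."):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def satisfies(op, wanted, have):
    """Does an installed version `have` meet the constraint `op wanted`?"""
    a, b = parse_version(have), parse_version(wanted)
    return {"=": a == b, ">=": a >= b, ">": a > b, "<=": a <= b, "<": a < b}[op]


def impact(packages, component, new_version, abi_changed=False):
    """Classify every package touched by shipping `component` at `new_version`.

    rebuild        dependency no longer resolvable, or the ABI broke: the
                   package must be rebuilt and re-released.
    runtime_only   still installable and ABI held: the program picks up
                   the fixed shared library the next time it starts.
    patch_bundled  compiles in a private copy of the component: needs
                   its own patched release, and no resolver will say so.
    """
    result = {"rebuild": set(), "runtime_only": set(), "patch_bundled": set()}
    for name, meta in packages.items():
        if name == component:
            continue
        if component in meta["bundles"]:
            result["patch_bundled"].add(name)
        if component in meta["requires"]:
            op, wanted = meta["requires"][component]
            if abi_changed or not satisfies(op, wanted, new_version):
                result["rebuild"].add(name)
            else:
                result["runtime_only"].add(name)
    return result


if __name__ == "__main__":
    cases = [("gecko-libs", "1.8.1.12", False),   # ABI held
             ("gecko-libs", "1.8.1.12", True),    # ABI broke
             ("xpdf", "3.02pl2", False)]          # no library at all
    for comp, ver, abi in cases:
        print("%s -> %s (abi_changed=%s)" % (comp, ver, abi))
        for kind, names in sorted(impact(PACKAGES, comp, ver, abi).items()):
            print("  %-14s %s" % (kind + ":", ", ".join(sorted(names)) or "-"))
```

The `abi_changed` flag is the part a distribution cannot compute from metadata alone; it has to come from reading the upstream release notes or running an ABI checker against the old and new libraries, which is exactly the step that the exact-version pin makes unnecessary at the cost of rebuilding everything.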


Security news

Cold Reboot Attacks on Disk Encryption

Ed Felten's Freedom to Tinker weblog has a report on research he and his colleagues have done on subverting whole disk encryption by reading the keys from RAM after the machine has been power-cycled. "The root of the problem lies in an unexpected property of today’s DRAM memories. DRAMs are the main memory chips used to store data while the system is running. Virtually everybody, including experts, will tell you that DRAM contents are lost when you turn off the power. But this isn't so. Our research shows that data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system."


Security reports

Risk report: Three years of Red Hat Enterprise Linux 4

Red Hat has published an updated version of its risk report for RHEL4, summarizing the security vulnerabilities in that distribution for the last three years and how Red Hat responded to them. "Fixes for 81% of critical flaws were available from Red Hat Network at latest one calendar day after public disclosure of the flaw. 63% of the critical flaws were fixed on the very same day. This fast response time is a deliberate goal of the Red Hat Security Response Team and forms an essential part of reducing customer risk from critical flaws." It would be nice if all distributors would produce an occasional report like this.


New vulnerabilities

acroread: multiple vulnerabilities

Package(s): acroread    CVE #(s): CVE-2007-5659 CVE-2007-5663 CVE-2007-5666 CVE-2007-0044
Created: February 22, 2008    Updated: March 3, 2008
Description: Several flaws were found in the way Adobe Reader processed malformed PDF files. An attacker could create a malicious PDF file which could execute arbitrary code if opened by a victim. A flaw was found in the way the Adobe Reader browser plug-in honored certain requests. A malicious PDF file could cause the browser to request an unauthorized URL, allowing for a cross-site request forgery attack.
Alerts:
Red Hat RHSA-2008:0144-01 2008-02-22
Gentoo 200803-01:04 2008-03-02


asterisk: multiple vulnerabilities

Package(s): asterisk    CVE #(s): CVE-2007-3762 CVE-2007-3763 CVE-2007-3764 CVE-2007-4103
Created: February 27, 2008    Updated: February 27, 2008
Description: Asterisk suffers from a protocol handling error, a buffer overflow, and a NULL pointer dereference in the IAX2 channel driver, and a memory overflow in the Skinny channel driver.
Alerts:
Gentoo 200802-11 2008-02-26
Debian DSA-1358-1 2007-08-26
SuSE SUSE-SR:2007:015 2007-08-03


clamav: heap corruption

Package(s): clamav    CVE #(s): CVE-2008-0728
Created: February 22, 2008    Updated: April 18, 2008
Description: From the CVE entry: libclamav/mew.c in libclamav in ClamAV before 0.92.1 has unknown impact and attack vectors that trigger "heap corruption."
Alerts:
Gentoo 200802-09 2008-02-21
SuSE SUSE-SR:2008:004 2008-02-22
Mandriva MDVSA-2008:088 2008-04-17


cups: denial of service

Package(s): cups    CVE #(s): CVE-2008-0886
Created: February 27, 2008    Updated: February 27, 2008
Description: From the Mandriva advisory: A flaw was found in how CUPS handled the addition and removal of remote printers via IPP that could allow a remote attacker to send a malicious IPP packet to the UDP port causing CUPS to crash.
Alerts:
Mandriva MDVSA-2008:051 2008-02-26
Mandriva MDVSA-2008:050 2008-02-26


cups: denial of service

Package(s): cups    CVE #(s): CVE-2008-0882
Created: February 22, 2008    Updated: April 3, 2008
Description: From the Red Hat advisory: A flaw was found in the way CUPS handles the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to crash.
Alerts:
Red Hat RHSA-2008:0157-01 2008-02-21
Fedora FEDORA-2008-1901 2008-02-25
Fedora FEDORA-2008-1976 2008-02-25
Mandriva MDVSA-2008:050 2008-02-26
SuSE SUSE-SA:2008:012 2008-03-06
Debian DSA-1530-1 2008-03-25
Gentoo 200804-01 2008-04-01
Ubuntu USN-598-1 2008-04-02


cups: multiple vulnerabilities

Package(s): cups    CVE #(s): CVE-2008-0596 CVE-2008-0597
Created: February 25, 2008    Updated: March 6, 2008
Description:

From the Red Hat advisory:

A flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. A remote attacker could send malicious UDP IPP packets causing the CUPS daemon to attempt to dereference already freed memory and crash. (CVE-2008-0597)

A memory management flaw was found in the way CUPS handled the addition and removal of remote shared printers via IPP. When a shared printer was removed, allocated memory was not properly freed, leading to a memory leak possibly causing a CUPS daemon crash after exhausting available memory. (CVE-2008-0596)

These issues were found during the investigation of CVE-2008-0882.

Alerts:
Red Hat RHSA-2008:0153-01 2008-02-25
Red Hat RHSA-2008:0161-01 2008-02-25
Mandriva MDVSA-2008:050 2008-02-26
rPath rPSA-2008-0091-1 2008-02-29
SuSE SUSE-SA:2008:012 2008-03-06


diatheke: insufficient input sanitizing

Package(s): diatheke    CVE #(s): CVE-2008-0932
Created: February 26, 2008    Updated: March 4, 2008
Description: From the Debian advisory: Dan Dennison discovered that Diatheke, a CGI program to make a bible website, performs insufficient sanitizing of a parameter, allowing a remote attacker to execute arbitrary shell commands as the web server user.
Alerts:
Debian DSA-1508-1 2008-02-25
Fedora FEDORA-2008-1922 2008-02-25
Fedora FEDORA-2008-1951 2008-02-25
Gentoo 200803-06 2008-03-03
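The class of bug described in this entry, as an added example that is not diatheke's code: a CGI handler that splices a query parameter into a shell command string, beside a hardened version that validates the parameter against an allowlist and hands an argument vector straight to the program with no shell involved. The program name "lookup-tool", its "-b" option, and the two sample parameter values are hypothetical stand-ins constructed for this illustration; nothing here describes how the actual diatheke flaw was triggered.

```python
"""Shell command injection through a CGI parameter, and two fixes.

Added example; this is not diatheke's code.  The program name
"lookup-tool" and its "-b" option are hypothetical stand-ins for
whatever the real CGI runs.
"""
import re
import shlex
import subprocess

# Constructed inputs, as they might arrive in QUERY_STRING.
BENIGN_PARAM = "KJV"
HOSTILE_PARAM = "KJV; id > /tmp/pwned"


# --- Vulnerable -------------------------------------------------------
def build_command_unsafe(book):
    """Splices the raw parameter into a string a shell will parse.

    A ';', '|', '&', backtick or $( ) in `book` ends the intended
    command and starts the attacker's, running as the web server user.
    """
    return "lookup-tool -b %s" % book


def run_unsafe(book):
    # shell=True hands the whole string to /bin/sh -c.
    return subprocess.run(build_command_unsafe(book), shell=True,
                          capture_output=True)


# --- Hardened ---------------------------------------------------------
# Allowlist the parameter's shape before any process is started: module
# names here are letters, digits and underscore, 1-32 characters.
BOOK_RE = re.compile(r"\A[A-Za-z0-9_]{1,32}\Z")


def validate_book(book):
    return bool(BOOK_RE.match(book))


def build_argv_safe(book):
    """Argument vector handed to execve(); no shell ever sees it."""
    if not validate_book(book):
        raise ValueError("invalid module name: %r" % book)
    return ["lookup-tool", "-b", book]


def run_safe(book):
    # shell=False (the default): metacharacters are just bytes in argv[2].
    return subprocess.run(build_argv_safe(book), capture_output=True)


def build_command_quoted(book):
    """Second line of defence if a shell string is unavoidable:
    shlex.quote() turns the parameter into a single literal word."""
    return "lookup-tool -b " + shlex.quote(book)


if __name__ == "__main__":
    print("unsafe  :", build_command_unsafe(HOSTILE_PARAM))
    print("quoted  :", build_command_quoted(HOSTILE_PARAM))
    print("argv    :", build_argv_safe(BENIGN_PARAM))
    try:
        build_argv_safe(HOSTILE_PARAM)
    except ValueError as err:
        print("rejected:", err)
```

The allowlist is the real fix; quoting only keeps the shell from interpreting the parameter, and still lets arbitrary strings reach the program as arguments, which may have its own ideas about leading dashes or very long names.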


dnssec-tools: insufficient validation

Package(s): dnssec-tools    CVE #(s): none listed
Created: February 26, 2008    Updated: February 27, 2008
Description: DNSSEC-Tools 1.3.2 contains several fixes, including a patch to the libval DNSSEC validation library to ensure that, when a DNSKEY RRset is validated against a configured trust anchor, the signature being checked is one made by the trust anchor key itself and not by some other key.
Alerts:
Fedora FEDORA-2008-1758 2008-02-25
Fedora FEDORA-2008-1771 2008-02-25


dspam: insecure password

Package(s): dspam    CVE #(s): CVE-2007-6418
Created: February 22, 2008    Updated: February 27, 2008
Description: From the Debian advisory: Tobias Gruetzmacher discovered that a Debian-provided CRON script in dspam, a statistical spam filter, included a database password on the command line when using the MySQL backend. This allowed a local attacker to read the contents of the dspam database, such as emails.
Alerts:
Debian DSA-1501-1 2008-02-21

Comments (none posted)

ghostscript: buffer overflow

Package(s):ghostscript gs CVE #(s):CVE-2008-0411
Created:February 27, 2008 Updated:April 10, 2008
Description: The Ghostscript color-space handling code suffers from a buffer overflow which may be exploitable by way of a specially-crafted postscript file.
Alerts:
Debian DSA-1510-1 2008-02-27
Red Hat RHSA-2008:0155-01 2008-02-27
SuSE SUSE-SA:2008:010 2008-02-28
rPath rPSA-2008-0082-1 2008-02-28
Mandriva MDVSA-2008:055 2008-02-28
Slackware SSA:2008-062-01 2008-03-03
Fedora FEDORA-2008-1998 2008-03-03
Fedora FEDORA-2008-2084 2008-03-06
Gentoo 200803-14 2008-03-08
Ubuntu USN-599-1 2008-04-09

Comments (none posted)

kernel: arbitrary code execution

Package(s):kernel-source-2.4.27 CVE #(s):CVE-2004-2731
Created:February 25, 2008 Updated:March 6, 2008
Description:

From the Debian advisory:

CVE-2004-2731: infamous41md reported multiple integer overflows in the Sbus PROM driver that would allow for a DoS (Denial of Service) attack by a local user, and possibly the execution of arbitrary code.

Alerts:
Debian DSA-1503 2008-02-22
Debian DSA-1503-2 2008-03-06

Comments (none posted)

kernel: memory corruption

Package(s):kernel-source-2.4.27 CVE #(s):CVE-2006-5753
Created:February 25, 2008 Updated:March 6, 2008
Description:

From the Debian advisory:

CVE-2006-5753: Eric Sandeen provided a fix for a local memory corruption vulnerability resulting from a misinterpretation of return values when operating on inodes which have been marked bad.

Alerts:
Debian DSA-1503 2008-02-22
Debian DSA-1503-2 2008-03-06

Comments (none posted)

kernel: denial of service

Package(s):kernel-source-2.4.27 CVE #(s):CVE-2006-6053
Created:February 25, 2008 Updated:March 6, 2008
Description:

From the Debian advisory:

CVE-2006-6053: LMH reported a potential local DoS which could be exploited by a malicious user with the privileges to mount and read a corrupted ext3 filesystem.

Alerts:
Debian DSA-1503 2008-02-22
Debian DSA-1503-2 2008-03-06

Comments (none posted)

kernel: denial of service

Package(s):kernel-source-2.4.27 CVE #(s):CVE-2007-2525
Created:February 25, 2008 Updated:March 6, 2008
Description:

From the Debian advisory:

CVE-2007-2525: Florian Zumbiehl discovered a memory leak in the PPPOE subsystem caused by releasing a socket before PPPIOCGCHAN is called upon it. This could be used by a local user to DoS a system by consuming all available memory.

Alerts:
Debian DSA-1503 2008-02-22
Debian DSA-1504 2008-02-22
Debian DSA-1503-2 2008-03-06

Comments (none posted)

kernel: reduction in random entropy

Package(s):kernel-source-2.4.27 CVE #(s):CVE-2007-4311
Created:February 25, 2008 Updated:March 6, 2008
Description:

From the Debian advisory:

CVE-2007-4311: PaX team discovered an issue in the random driver where a defect in the reseeding code leads to a reduction in entropy.

Alerts:
Debian DSA-1503 2008-02-22
Debian DSA-1503-2 2008-03-06

Comments (none posted)

kernel: denial of service

Package(s):kernel-source-2.6.8 CVE #(s):CVE-2006-7203
Created:February 25, 2008 Updated:February 27, 2008
Description:

From the Debian advisory:

CVE-2006-7203: OpenVZ Linux kernel team reported an issue in the smbfs filesystem which can be exploited by local users to cause a DoS (oops) during mount.

Alerts:
Debian DSA-1504 2008-02-22

Comments (none posted)

moin: multiple XSS vulnerabilities

Package(s):moin CVE #(s):CVE-2008-0780 CVE-2008-0781
Created:February 21, 2008 Updated:April 29, 2008
Description: moin has cross site scripting vulnerabilities in the login action and the AttachFile action.
Alerts:
Fedora FEDORA-2008-1880 2008-02-21
Fedora FEDORA-2008-1905 2008-02-21
Debian DSA-1514-1 2008-03-09
Gentoo 200803-27 2008-03-18
Fedora FEDORA-2008-3328 2008-04-29
Fedora FEDORA-2008-3301 2008-04-29

Comments (none posted)

qemu: unchecked block read/write

Package(s):qemu kvm CVE #(s):
Created:February 26, 2008 Updated:February 27, 2008
Description: From this post to the Debian security list: "I think I have discovered a vulnerability in qemu. It is related to the block device drivers: that is, the backends which implement the functionality offered to a guest via emulated block devices such as the emulated IDE controller."
Alerts:
Fedora FEDORA-2008-1973 2008-02-25
Fedora FEDORA-2008-1993 2008-02-25
Fedora FEDORA-2008-2001 2008-02-25
Fedora FEDORA-2008-1995 2008-02-25

Comments (none posted)

splitvt: privilege escalation

Package(s):splitvt CVE #(s):CVE-2008-0162
Created:February 22, 2008 Updated:March 4, 2008
Description: From the Debian advisory: Mike Ashton discovered that splitvt, a utility to run two programs in a split screen, did not drop group privileges prior to executing 'xprop'. This could allow any local user to gain the privileges of group utmp.
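How a setgid program should hand off to an external helper, as an added example that is not splitvt's code: lower the effective and saved group id to the real one, verify that the old group cannot be regained, and only then exec the helper. `id -g` stands in for xprop. Run as an ordinary user the three gids already agree, so what the block exercises is the verification step and the ordering (drop in the child, before exec).

```python
import os
import subprocess


def current_gids():
    return os.getgid(), os.getegid()


def drop_group_privileges():
    """For a setgid program: make the real gid the effective and saved gid,
    then confirm the old gid cannot be regained. Raises OSError on failure.
    Supplementary groups are left alone (changing them requires root)."""
    real, old_effective = os.getgid(), os.getegid()
    if hasattr(os, "setresgid"):
        os.setresgid(real, real, real)      # real, effective, saved
    else:
        os.setregid(real, real)             # saved gid follows effective here
    if os.getegid() != real:
        raise OSError("effective gid is still %d" % os.getegid())
    if old_effective != real:
        # The saved gid must be gone too: switching back has to fail now.
        try:
            os.setegid(old_effective)
        except PermissionError:
            pass
        else:
            raise OSError("group privilege drop could be reverted")
    return real


def run_helper(argv):
    """Spawn `argv` with group privileges dropped in the child before exec,
    the step splitvt omitted around xprop. An OSError from the drop aborts
    the spawn instead of running the helper with the setgid group."""
    done = subprocess.run(argv, preexec_fn=drop_group_privileges,
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


def helper_gid():
    """Constructed check: the helper reports the gid it actually runs with."""
    return int(run_helper(["id", "-g"]))
```

preexec_fn runs between fork and exec in the child, which is exactly where the drop belongs; in a multi-threaded parent it is unsafe and the drop should instead be done in a small wrapper that the child execs first.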
Alerts:
Debian DSA-1500-1 2008-02-21
Gentoo 200803-05 2008-03-03

Comments (none posted)

turba2: access violation

Package(s):turba2 CVE #(s):CVE-2008-0807
Created:February 25, 2008 Updated:February 29, 2008
Description:

From the Debian advisory:

Peter Paul Elfferich discovered that turba2, a contact management component for the Horde framework, did not correctly check access rights before allowing users to edit addresses. This could result in valid users being able to alter private address records.

Alerts:
Debian DSA-1507-1 2008-02-24
Fedora FEDORA-2008-2040 2008-02-28
Fedora FEDORA-2008-2087 2008-02-28

Comments (none posted)

wordpress: multiple vulnerabilities

Package(s):wordpress CVE #(s):CVE-2007-3238 CVE-2007-2821 CVE-2008-0193 CVE-2008-0194
Created:February 22, 2008 Updated:February 27, 2008
Description: From the Debian advisory:

Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php. (CVE-2007-3238)

SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter. (CVE-2007-2821)

Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. (CVE-2008-0193)

Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (dot dot) in the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. (CVE-2008-0194)
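
The containment check that a backup download-and-delete handler needs, as an added example that is not WordPress's or wp-db-backup's own code. It generalizes beyond the `..` case in the advisory: absolute paths, embedded separators and a symlink planted inside the backup directory are all refused, first by a name allowlist and then, independently, by resolving the path and confirming it still lies below the backup directory. The allowlist and the site layout are assumptions made for the example.

```python
import os
import re
import tempfile

# Assumed shape of a backup file name (not WordPress's own rule): no path
# separators and no leading dot, so '..' and absolute paths cannot pass.
BACKUP_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")


def resolve_backup_path(backup_dir, name):
    """Map the user-supplied `backup` parameter to a file inside backup_dir.
    Raises ValueError if it would resolve anywhere else."""
    if not BACKUP_NAME.fullmatch(name):
        raise ValueError("rejected backup name: %r" % name)
    base = os.path.realpath(backup_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Second, independent check: even after symlink resolution the target
    # must still sit strictly below the backup directory.
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        raise ValueError("backup name escapes %s: %r" % (backup_dir, name))
    return candidate


def is_rejected(backup_dir, name):
    try:
        resolve_backup_path(backup_dir, name)
    except ValueError:
        return True
    return False


def read_backup(backup_dir, name):
    with open(resolve_backup_path(backup_dir, name), "rb") as f:
        return f.read()


def delete_backup(backup_dir, name):
    os.remove(resolve_backup_path(backup_dir, name))


def backup_exists(backup_dir, name):
    return os.path.exists(resolve_backup_path(backup_dir, name))


def constructed_site():
    """Constructed layout for the example: wp-config.php beside a backup/
    directory holding one dump and one symlink pointing back out of it.
    Returns (site_dir, backup_dir)."""
    site = tempfile.mkdtemp(prefix="wp-")
    backup = os.path.join(site, "backup")
    os.mkdir(backup)
    with open(os.path.join(site, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_PASSWORD', 'secret');\n")
    with open(os.path.join(backup, "site.sql"), "w") as f:
        f.write("-- dump\n")
    os.symlink(os.path.join(site, "wp-config.php"),
               os.path.join(backup, "escape.sql"))
    return site, backup
```

The realpath step is what catches the planted symlink: `escape.sql` passes the name check but resolves to wp-config.php, outside the backup directory, so neither reading nor deleting it is allowed.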

Alerts:
Debian DSA-1502-1 2008-02-22

Comments (none posted)

wyrd: insecure temporary file

Package(s):wyrd CVE #(s):CVE-2008-0806
Created:February 26, 2008 Updated:February 27, 2008
Description: wyrd 1.4.3b allows local users to overwrite arbitrary files via a symlink attack on the wyrd-tmp.[USERID] temporary file.
Alerts:
Fedora FEDORA-2008-1963 2008-02-25
Fedora FEDORA-2008-1986 2008-02-25

Comments (none posted)

Updated vulnerabilities

cairo: integer overflow

Package(s):Cairo CVE #(s):CVE-2007-5503
Created:November 29, 2007 Updated:April 10, 2008
Description: Cairo has an integer overflow vulnerability in the PNG image processing code. If a user processes a specially crafted PNG image with an application that is linked against cairo, arbitrary code can be executed with the user's privileges.
Alerts:
Red Hat RHSA-2007:1078-02 2007-11-29
Slackware SSA:2007-337-01 2007-12-04
Ubuntu USN-550-1 2007-12-03
Gentoo 200712-04 2007-12-09
Ubuntu USN-550-2 2007-12-10
Ubuntu USN-550-3 2007-12-13
rPath rPSA-2008-0015-1 2008-01-15
Fedora FEDORA-2007-3818 2008-01-16
Mandriva MDVSA-2008:019 2008-01-21
SuSE SUSE-SR:2008:003 2008-02-07
Debian DSA-1542-1 2008-04-09

Comments (none posted)

MySQL: privilege escalation

Package(s):MySQL CVE #(s):CVE-2007-3781 CVE-2007-5969
Created:December 11, 2007 Updated:April 7, 2008
Description: MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)

MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781)

Alerts:
Mandriva MDKSA-2007:243 2007-12-10
Red Hat RHSA-2007:1155-01 2007-12-18
Fedora FEDORA-2007-4471 2007-12-15
Fedora FEDORA-2007-4465 2007-12-15
Red Hat RHSA-2007:1157-01 2007-12-19
Ubuntu USN-559-1 2007-12-21
Debian DSA-1451-1 2008-01-06
rPath rPSA-2008-0018-1 2008-01-17
SuSE SUSE-SR:2008:003 2008-02-07
Gentoo 200804-04 2008-04-06

Comments (none posted)

SDL_image: buffer overflows

Package(s):SDL_image CVE #(s):CVE-2007-6697 CVE-2008-0544
Created:February 8, 2008 Updated:March 27, 2008
Description: From the Mandriva advisory: The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code.
Alerts:
Mandriva MDVSA-2008:040 2008-02-07
Debian DSA-1493-1 2008-02-10
rPath rPSA-2008-0061-1 2008-02-13
Debian DSA-1493-2 2008-03-16
Ubuntu USN-595-1 2008-03-26

Comments (none posted)

Sun JDK/JRE: multiple vulnerabilities

Package(s):Sun JDK/JRE CVE #(s):CVE-2007-2435 CVE-2007-2788 CVE-2007-2789
Created:June 1, 2007 Updated:April 18, 2008
Description: An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files.
Alerts:
Gentoo 200705-23 2007-05-31
Gentoo 200706-08 2007-06-26
SuSE SUSE-SA:2007:045 2007-07-18
Red Hat RHSA-2007:0817-01 2007-08-06
Red Hat RHSA-2007:1086-01 2007-12-12
Gentoo 200804-20 2008-04-17

Comments (none posted)

Xorg: multiple vulnerabilities

Package(s):Xorg CVE #(s):CVE-2007-5760 CVE-2007-5958 CVE-2007-6427 CVE-2007-6428 CVE-2007-6429 CVE-2008-0006
Created:January 17, 2008 Updated:April 4, 2008
Description: From the X.org security advisory: Several vulnerabilities have been identified in server code of the X window system caused by lack of proper input validation on user controlled data in various parts of the software, causing various kinds of overflows.
Alerts:
SuSE SUSE-SA:2008:003 2008-01-17
Debian DSA-1466-1 2008-01-17
Red Hat RHSA-2008:0030-01 2008-01-17
Red Hat RHSA-2008:0031-01 2008-01-17
Red Hat RHSA-2008:0064-01 2008-01-17
Red Hat RHSA-2008:0029-01 2008-01-18
Ubuntu USN-571-1 2008-01-18
Debian DSA-1466-2 2008-01-19
Gentoo 200801-09 2008-01-20
Ubuntu USN-571-2 2008-01-19
Debian DSA-1466-3 2008-01-21
Fedora FEDORA-2008-0760 2008-01-22
Fedora FEDORA-2008-0794 2008-01-22
Fedora FEDORA-2008-0831 2008-01-22
Fedora FEDORA-2008-0891 2008-01-22
Mandriva MDVSA-2008:021 2008-01-23
Mandriva MDVSA-2008:022 2008-01-23
Mandriva MDVSA-2008:023 2008-01-23
Mandriva MDVSA-2008:024 2008-01-23
Mandriva MDVSA-2008:025 2008-01-23
rPath rPSA-2008-0032-1 2008-01-30
SuSE SUSE-SR:2008:003 2008-02-07
Gentoo GLSA 200801-09:03 2008-01-20
SuSE SUSE-SR:2008:008 2008-04-04

Comments (none posted)

acroread: multiple vulnerabilities

Package(s):acroread CVE #(s):CVE-2008-0655 CVE-2008-0667 CVE-2008-0726
Created:February 18, 2008 Updated:March 3, 2008
Description:

From the SUSE advisory:

CVE-2008-0655: Multiple unspecified vulnerabilities in Adobe Reader and Acrobat before 8.1.2 have unknown impact and attack vectors.

CVE-2008-0667: The DOC.print function in the Adobe JavaScript API, as used by Adobe Acrobat and Reader before 8.1.2, allows remote attackers to configure silent non-interactive printing, and trigger the printing of an arbitrary number of copies of a document.

CVE-2008-0726: Integer overflow in Adobe Reader and Acrobat 8.1.1 and earlier allows remote attackers to execute arbitrary code via crafted arguments to the printSepsWithParams, which triggers memory corruption.

Alerts:
SuSE SUSE-SA:2008:009 2008-02-18
Red Hat RHSA-2008:0144-01 2008-02-22
Gentoo 200803-01:04 2008-03-02

Comments (none posted)

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
Red Hat RHSA-2006:0618-01 2006-08-08
Red Hat RHSA-2006:0619-01 2006-08-10
Debian DSA-1167-1 2006-09-04
SuSE SUSE-SA:2006:051 2006-09-08
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2008:021 2008-04-04

Comments (none posted)

apache: several vulnerabilities

Package(s):apache CVE #(s):CVE-2007-5000 CVE-2007-6388 CVE-2008-0005
Created:January 15, 2008 Updated:April 4, 2008
Description: A flaw was found in the mod_imap module. On sites where mod_imap was enabled and an imagemap file was publicly available, a cross-site scripting attack was possible. (CVE-2007-5000)

A flaw was found in the mod_status module. On sites where mod_status was enabled and the status pages were publicly available, a cross-site scripting attack was possible. (CVE-2007-6388)

A flaw was found in the mod_proxy_ftp module. On sites where mod_proxy_ftp was enabled and a forward proxy was configured, a cross-site scripting attack was possible against Web browsers which did not correctly derive the response character set following the rules in RFC 2616. (CVE-2008-0005)

Alerts:
Red Hat RHSA-2008:0004-01 2008-01-15
Red Hat RHSA-2008:0005-01 2008-01-15
Red Hat RHSA-2008:0006-01 2008-01-15
Red Hat RHSA-2008:0007-01 2008-01-15
Red Hat RHSA-2008:0008-01 2008-01-15
Mandriva MDVSA-2008:014 2008-01-16
Mandriva MDVSA-2008:015 2008-01-16
Mandriva MDVSA-2008:016 2008-01-16
Red Hat RHSA-2008:0009-01 2008-01-21
Ubuntu USN-575-1 2008-02-04
Slackware SSA:2008-045-01 2008-02-15
Slackware SSA:2008-045-02 2008-02-15
Fedora FEDORA-2008-1711 2008-02-15
Fedora FEDORA-2008-1695 2008-02-15
Gentoo 200803-19 2008-03-11
SuSE SUSE-SA:2008:021 2008-04-04

Comments (1 posted)

asterisk: possible SQL injection

Package(s):asterisk CVE #(s):CVE-2007-6170
Created:December 3, 2007 Updated:April 15, 2008
Description: Tilghman Lesher discovered that the logging engine of Asterisk, a free software PBX and telephony toolkit, performs insufficient sanitizing of call-related data, which may lead to SQL injection.
Alerts:
Debian DSA-1417-1 2007-12-02
SuSE SUSE-SR:2008:005 2008-03-06
Gentoo 200804-13 2008-04-14

Comments (none posted)

bind: off-by-one error

Package(s):bind CVE #(s):CVE-2008-0122
Created:January 22, 2008 Updated:March 14, 2008
Description: Off-by-one error in the inet_network() function, as found in the FreeBSD libc and in the libbind library bundled with ISC BIND, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption. The bind packages below update the copy of the function shipped in libbind.
Alerts:
Fedora FEDORA-2008-0903 2008-01-22
Fedora FEDORA-2008-0904 2008-01-22
rPath rPSA-2008-0029-1 2008-01-24
SuSE SUSE-SR:2008:006 2008-03-14

Comments (none posted)

boost: denial of service

Package(s):boost CVE #(s):CVE-2008-0171 CVE-2008-0172
Created:January 17, 2008 Updated:March 14, 2008
Description: From the Ubuntu alert: Will Drewry and Tavis Ormandy discovered that the boost library did not properly perform input validation on regular expressions. An attacker could send a specially crafted regular expression to an application linked against boost and cause a denial of service via application crash.
Alerts:
Ubuntu USN-570-1 2008-01-16
Fedora FEDORA-2008-0880 2008-01-22
Mandriva MDVSA-2008:032 2008-02-01
rPath rPSA-2008-0063-1 2008-02-13
Gentoo 200802-08 2008-02-14
Fedora FEDORA-2008-0754 2008-03-13
SuSE SUSE-SR:2008:006 2008-03-14

Comments (none posted)

clamav: arbitrary code execution

Package(s):clamav CVE #(s):CVE-2008-0318
Created:February 13, 2008 Updated:April 18, 2008
Description:

From the CVE:

Integer overflow in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow.

Alerts:
Fedora FEDORA-2008-1608 2008-02-13
Fedora FEDORA-2008-1625 2008-02-13
Debian DSA-1497-1 2008-02-16
Gentoo 200802-09 2008-02-21
SuSE SUSE-SR:2008:004 2008-02-22
Mandriva MDVSA-2008:088 2008-04-17

Comments (1 posted)

clamav: denial of service

Package(s):clamav CVE #(s):CVE-2007-3725
Created:July 24, 2007 Updated:February 27, 2008
Description: A NULL pointer dereference has been discovered in the RAR VM of Clam Antivirus (ClamAV) which allows user-assisted remote attackers to cause a denial of service via a specially crafted RAR archive.
Alerts:
Debian DSA-1340-1 2007-07-24
Mandriva MDKSA-2007:150 2007-07-25
Gentoo 200708-04 2007-08-09
SuSE SUSE-SR:2007:015 2007-08-03

Comments (none posted)

clamav: arbitrary file overwrite

Package(s):clamav CVE #(s):CVE-2007-6595
Created:February 18, 2008 Updated:April 24, 2008
Description:

From the CVE entry: ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files in the cli_gentempfd function in libclamav/others.c or on (2) .ascii files in sigtool, when utf16-decode is enabled.
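
This ClamAV entry and the wyrd entry above (CVE-2008-0806) come down to the same mistake: opening a temporary file at a name a local attacker can predict, without refusing to follow whatever is already there. The block below is an added example, not code from either project. It simulates the symlink attack against a predictable name opened with a plain O_CREAT|O_TRUNC, then shows the same attack failing against O_CREAT|O_EXCL|O_NOFOLLOW and shows mkstemp(), which combines an unpredictable name with those flags and 0600 permissions. The `wyrd-tmp.<uid>` naming and the directory layout are reconstructed for the example.

```python
import os
import stat
import tempfile


def fresh_dir():
    """A private scratch directory for one run of the simulation."""
    return tempfile.mkdtemp(prefix="tmpdemo-")


def predictable_tmp_path(tmpdir, uid):
    """Constructed stand-in for the wyrd-tmp.<uid> pattern: anyone who knows
    the victim's uid knows the name and can plant a symlink there first."""
    return os.path.join(tmpdir, "wyrd-tmp.%d" % uid)


def open_tmp_insecure(path):
    """O_TRUNC without O_EXCL follows a planted symlink and truncates its target."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)


def open_tmp_secure(path):
    """O_EXCL makes the open fail if anything already exists at the path,
    a symlink included; O_NOFOLLOW (where available) adds belt and braces."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def make_private_tmp(directory):
    """mkstemp: random name, 0600, O_EXCL, and the open fd returned so the
    program never reopens the file by name. Returns (fd, path)."""
    return tempfile.mkstemp(prefix="wyrd-tmp.", dir=directory)


def is_private_regular_file(path):
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600


def simulate_symlink_attack(tmpdir, opener):
    """The attacker plants a symlink at the predictable path pointing at a
    file the victim can write; the victim then runs opener() on that path.
    Returns True if the victim's file was clobbered."""
    victim = os.path.join(tmpdir, "victim")
    with open(victim, "w") as f:
        f.write("important\n")
    link = predictable_tmp_path(tmpdir, os.getuid())
    os.symlink(victim, link)            # attacker's move
    try:
        fd = opener(link)               # victim's move
        os.write(fd, b"garbage\n")
        os.close(fd)
    except OSError:
        pass                            # the secure opener refuses; nothing written
    with open(victim) as f:
        return f.read() != "important\n"
```

A program that uses the O_EXCL variant on a fixed name must still treat EEXIST as an attack or a stale file and pick another name; mkstemp() does that loop for you, which is why it is the usual fix for both of these CVEs.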

Alerts:
Debian DSA-1497-1 2008-02-16
Mandriva MDVSA-2008:088 2008-04-17
SuSE SUSE-SA:2008:024 2008-04-24

Comments (4 posted)

cups: buffer overflow

Package(s):cups CVE #(s):CVE-2007-5848
Created:January 7, 2008 Updated:February 27, 2008
Description:

From the CVE entry:

Buffer overflow in CUPS in Apple Mac OS X 10.4.11 allows local admin users to execute arbitrary code via a crafted URI to the CUPS service.

From the rPath advisory:

Previous versions of the cups package contain a buffer-overflow weakness. It is not believed that this weakness can be exploited to execute malicious code.

Alerts:
rPath rPSA-2008-0008-1 2008-01-05
SuSE SUSE-SA:2008:002 2008-01-10
SuSE SUSE-SR:2008:002 2008-01-25
Mandriva MDVSA-2008:050 2008-02-26

Comments (1 posted)

cups: multiple vulnerabilities

Package(s):cups CVE #(s):CVE-2007-5849 CVE-2007-6358 CVE-2007-4352 CVE-2007-5392 CVE-2007-5393
Created:December 19, 2007 Updated:April 3, 2008
Description: The cups 1.3.5 release fixes a number of vulnerabilities in the PDF filters. Additionally, there is a buffer overflow in the SNMP code and a temporary file vulnerability.
Alerts:
Gentoo 200712-14 2007-12-18
Debian DSA-1437-1 2007-12-26
Ubuntu USN-563-1 2008-01-09
SuSE SUSE-SA:2008:002 2008-01-10
SuSE SUSE-SR:2008:002 2008-01-25
Debian DSA-1480-1 2008-02-05
Mandriva MDVSA-2008:036 2008-02-06
Debian DSA-1537-1 2008-04-02

Comments (none posted)

debian-goodies: privilege escalation

Package(s):debian-goodies CVE #(s):CVE-2007-3912
Created:October 5, 2007 Updated:March 24, 2008
Description: Thomas de Grenier de Latour discovered that the checkrestart program included in debian-goodies did not correctly handle shell meta-characters. A local attacker could exploit this to gain the privileges of the user running checkrestart.
Alerts:
Ubuntu USN-526-1 2007-10-04
Debian DSA-1527-1 2008-03-24

Comments (none posted)

evolution: format string error

Package(s):evolution CVE #(s):CVE-2007-1002
Created:March 27, 2007 Updated:February 27, 2008
Description: A format string error in the "write_html()" function in calendar/gui/e-cal-component-memo-preview.c when displaying a memo's categories can potentially be exploited to execute arbitrary code via a specially crafted shared memo containing format specifiers.
Alerts:
Mandriva MDKSA-2007:070 2007-03-27
Fedora FEDORA-2007-393 2007-04-04
Fedora FEDORA-2007-404 2007-04-04
Foresight FLEA-2007-0010-1 2007-04-05
Red Hat RHSA-2007:0158-01 2007-05-03
Gentoo 200706-02 2007-06-06
SuSE SUSE-SR:2007:015 2007-08-03

Comments (1 posted)

exiftags: multiple vulnerabilities

Package(s):exiftags CVE #(s):CVE-2007-6354 CVE-2007-6355 CVE-2007-6356
Created:December 31, 2007 Updated:April 1, 2008
Description: From the Gentoo advisory: Meder Kydyraliev (Google Security) discovered that Exif metadata is not properly sanitized before being processed, resulting in illegal memory access in the postprop() and other functions (CVE-2007-6354). He also discovered integer overflow vulnerabilities in the parsetag() and other functions (CVE-2007-6355) and an infinite recursion in the readifds() function caused by recursive IFD references (CVE-2007-6356).
Alerts:
Gentoo 200712-17 2007-12-29
Debian DSA-1533-1 2008-03-27
Debian DSA-1533-2 2008-04-01

Comments (none posted)

firebird: buffer overflow

Package(s):firebird CVE #(s):CVE-2007-3181
Created:July 2, 2007 Updated:March 27, 2008
Description: The Firebird DBMS has a buffer overflow vulnerability involving the processing of connect requests with an overly large p_cnct_count value. Remote attackers can send a specially crafted request to the server in order to potentially execute arbitrary code with the permissions of the Firebird user.
Alerts:
Gentoo 200707-01 2007-07-01
Debian DSA-1529-1 2008-03-24

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2008-0414 CVE-2008-0416 CVE-2008-0420 CVE-2008-0594
Created:February 8, 2008 Updated:March 26, 2008
Description: From the Ubuntu advisory:
Flaws were discovered in the file upload form control. A malicious website could force arbitrary files from the user's computer to be uploaded without consent. (CVE-2008-0414)

Various flaws were discovered in character encoding handling. If a user were tricked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-0416)

Flaws were discovered in the BMP decoder. By tricking a user into opening a specially crafted BMP file, an attacker could obtain sensitive information. (CVE-2008-0420)

Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery warning dialog wasn't displayed under certain circumstances. A malicious website could exploit this to conduct phishing attacks against the user. (CVE-2008-0594)

Alerts:
Ubuntu USN-576-1 2008-02-08
Debian DSA-1484-1 2008-02-10
Debian DSA-1485-1 2008-02-10
Debian DSA-1489-1 2008-02-10
rPath rPSA-2008-0051-1 2008-02-08
Foresight FLEA-2008-0001-1 2008-02-11
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1669 2008-02-13
Fedora FEDORA-2008-1459 2008-02-13
Fedora FEDO