By Jake Edge
June 4, 2008
Two recently announced organizations, the Open Source Computer Emergency Response
Team (oCERT) and Open Source Software
Security (oss-security), are both looking to assist projects with
security issues in a complementary way. Each is focusing on different kinds
of problems that free software projects face when trying to secure
their code.
oCERT is modeled on the various national CERT organizations, but focused on
free software:
The service aims to help both large infrastructures, like major
distributions, and smaller projects that can't afford a full-blown security
team and/or security resources. This means aiding coordination between
distributions and small project contacts. The goal is to reduce the impact
of compromises on small projects with little or no infrastructure security,
avoiding the ripple effect of badly communicated or handled compromises,
which can currently result in distributions shipping code which has been
tampered with.
In addition, oCERT is doing vulnerability research on free software
projects. So far, they have released four
advisories after coordinating with the affected projects and
distributions. It is a way for team members—or anonymous
researchers—to collect their vulnerability research and push it
through the process.
The oCERT team
consists of five security professionals from Inverse Path, Google, and
Intel, along with a two-person advisory board. Various projects have also
signed up as members including several Linux distributions, security and
other free software tools, as well as OpenBSD. In order to become a
member, a project or organization must meet some fairly stringent membership requirements
that include agreeing to the disclosure policy. Others can submit
vulnerability information without becoming a member.
oss-security is more of an open group, without any formal membership, that
is looking to foster more discussion of security issues:
The purpose of oss-security is to encourage public discussion of security
flaws, concepts, and practices in the open source community. We don't want
to simply be an information clearinghouse, or to replace any of the current
security lists and groups. The goal is to fill an existing vacuum by
encouraging active participation of those interested in the ideas and
unique challenges in securing Open Source software. This includes
activities such as flaw discovery, understanding, reporting, and overall
best practices.
The oss-security
mailing list is one of the focal points of the group's efforts. Some of
the topics currently being discussed are helping projects with code
reviews, getting CVE IDs assigned for specific vulnerabilities, and the
IP address change of the "L" root nameserver.
The oss-security wiki
seeks to gather relevant security information from projects and vendors in
a single location. This includes security contacts, helpful mailing lists,
bug tracker locations, distribution security patch repositories, and the
like. If it gets fully populated and is kept up-to-date, it will be a
tremendous resource for the community.
Up to a certain point, more organizations looking to improve free software
security can only be a good thing. Each of these seems to have a focus
that is not met by existing groups, so they can hopefully fill a need in the
community. The private, vendor-sec
mailing list has long been used by distributors, whereas oCERT and
oss-security are more focused on the project side of the equation. With
luck, that will lead to better code and more coordination for projects
and distributions.
Security reports
Red Hat's Mark Cox has produced a report on the vulnerabilities fixed between Red Hat Enterprise Linux 5.1 and 5.2. These periodic reports do a bit of analysis of the number of flaws as well as their impact. In addition, Cox looks at the threat mitigation provided by security technologies like SELinux and ExecShield that ship with RHEL. "Red Hat Enterprise Linux 5 shipped with a number of security technologies designed to make it harder to exploit vulnerabilities and in some cases block exploits for certain flaw types completely. For the period of this study there were two flaws blocked that would otherwise have required updates."
New vulnerabilities
cbrpager: unauthorized command execution
| Package(s): | cbrpager |
| CVE #(s): | |
| Created: | May 29, 2008 |
| Updated: | June 4, 2008 |
| Description: | cbrpager has a vulnerability involving the execution of commands due to improper shell escaping. |
| Alerts: | |
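The cbrpager entry describes command execution caused by improper shell escaping. As an added illustration that is not cbrpager's own code, the C snippet below contrasts the unsafe pattern of building a shell command string from an archive file name with the hardened approach of handing the name to the child process as a single argv element; it captures the child's output so the caller can confirm that shell metacharacters arrive verbatim. The program name and the file name used are constructed for the example.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern (illustration only, never executed here):
 *   snprintf(cmd, sizeof cmd, "unrar x \"%s\"", archive);
 *   system(cmd);
 * The archive name is interpreted by /bin/sh, so characters such as
 * ; $() ` and " inside a file name become shell syntax.
 *
 * Hardened pattern: never build a command string. Pass the untrusted file
 * name as one argv element via exec, so no shell ever parses it. */

/* Runs `prog arg` without a shell and captures the child's stdout into out.
 * Returns the child's exit status, or -1 on error. */
int run_capture(const char *prog, const char *arg, char *out, size_t outsz)
{
    int fd[2];
    if (outsz == 0 || pipe(fd) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        /* argv is an array: arg is exactly one argument, metacharacters included */
        execlp(prog, prog, arg, (char *)NULL);
        _exit(127);                 /* exec failed */
    }
    close(fd[1]);
    size_t n = 0;
    ssize_t r;
    while (n < outsz - 1 && (r = read(fd[0], out + n, outsz - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fd[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```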
evolution: arbitrary code execution
| Package(s): | evolution |
| CVE #(s): | CVE-2008-1108 |
| Created: | June 4, 2008 |
| Updated: | June 26, 2008 |
| Description: | From the Red Hat advisory: A flaw was found in the way Evolution parsed iCalendar timezone attachment data. If mail which included a carefully crafted iCalendar attachment was opened, arbitrary code could be executed as the user running Evolution. (CVE-2008-1108) |
| Alerts: | |
evolution: arbitrary code execution
| Package(s): | evolution |
| CVE #(s): | CVE-2008-1109 |
| Created: | June 4, 2008 |
| Updated: | June 26, 2008 |
| Description: | From the Red Hat advisory: A heap-based buffer overflow flaw was found in the way Evolution parsed iCalendar attachments with an overly long "DESCRIPTION" property string. If a user responded to a carefully crafted iCalendar attachment in a particular way, arbitrary code could be executed as the user running Evolution. (CVE-2008-1109) |
| Alerts: | |
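As an added example, not Evolution's own parser: a hardened reading of an iCalendar DESCRIPTION content line that measures the value before allocating and refuses anything over a constructed limit (DESC_MAX), beside a comment showing the unbounded copy into a fixed-size heap buffer that produces the kind of overflow described above.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed upper bound on an accepted DESCRIPTION value, in bytes. */
#define DESC_MAX 1024

/* Vulnerable pattern (illustration only, not executed):
 *   char *desc = malloc(DESC_MAX);
 *   strcpy(desc, value);   // an attacker-chosen value longer than DESC_MAX
 *                          // writes past the end of the heap block
 *
 * Hardened pattern: measure first, reject overlong input, and size the
 * allocation to the bytes actually copied. */

/* Extracts the value of a "DESCRIPTION" content line.
 * Returns a malloc'd copy, or NULL if the line is not a DESCRIPTION property
 * or the value exceeds DESC_MAX bytes. Caller frees the result. */
char *parse_description(const char *line)
{
    static const char prefix[] = "DESCRIPTION";
    size_t plen = sizeof prefix - 1;
    if (strncmp(line, prefix, plen) != 0)
        return NULL;
    /* iCalendar allows parameters before the ':' e.g. DESCRIPTION;LANGUAGE=en: */
    if (line[plen] != ':' && line[plen] != ';')
        return NULL;
    const char *colon = strchr(line + plen, ':');
    if (colon == NULL)
        return NULL;
    const char *value = colon + 1;
    size_t vlen = strcspn(value, "\r\n");   /* value ends at the line break */
    if (vlen > DESC_MAX)
        return NULL;                         /* overlong: refuse rather than overflow */
    char *desc = malloc(vlen + 1);
    if (desc == NULL)
        return NULL;
    memcpy(desc, value, vlen);
    desc[vlen] = '\0';
    return desc;
}
```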
imlib2: buffer overflow in the XPM loader
| Package(s): | imlib2 |
| CVE #(s): | CVE-2008-2426 |
| Created: | June 3, 2008 |
| Updated: | December 22, 2008 |
| Description: | From the Secunia advisory: "Secunia Research has discovered two vulnerabilities in imlib2, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise an application using the library." |
| Alerts: | |
openssl: multiple vulnerabilities
| Package(s): | openssl |
| CVE #(s): | CVE-2008-0891, CVE-2008-1672 |
| Created: | May 29, 2008 |
| Updated: | January 8, 2009 |
| Description: | From the Mandriva alert: Testing using the Codenomicon TLS test suite discovered a flaw in the handling of server name extension data in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If OpenSSL has been compiled using the non-default TLS server name extensions, a remote attacker could send a carefully crafted packet to a server application using OpenSSL and cause a crash. (CVE-2008-0891) Testing using the Codenomicon TLS test suite discovered a flaw if the 'Server Key exchange message' is omitted from a TLS handshake in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a malicious server with particular cipher suites, the server could cause the client to crash. (CVE-2008-1672) |
| Alerts: | |
stunnel: certificate verification issue
| Package(s): | stunnel |
| CVE #(s): | CVE-2008-2420 |
| Created: | May 30, 2008 |
| Updated: | August 14, 2008 |
| Description: | From the Red Hat alert: The OCSP functionality in stunnel before 4.24 does not properly search certificate revocation lists (CRL), which allows remote attackers to bypass intended access restrictions by using revoked certificates. |
| Alerts: | |
system-config-network: privilege escalation
| Package(s): | system-config-network |
| CVE #(s): | CVE-2008-2359 |
| Created: | May 29, 2008 |
| Updated: | June 4, 2008 |
| Description: | From the Fedora 8 alert: This bug enabled every console user to change the network configuration. Systems with system-config-network-1.5.5-1.fc8 installed should install this update. |
| Alerts: | |
Page editor: Jake Edge