DARPA Cancels OpenBSD Funding
[This article was contributed by Joe 'Zonker' Brockmeier]
If you follow the news at all, you've probably already heard about the
OpenBSD project losing the funding from the U.S. Defense Advanced
Research Projects Agency (DARPA). What's less than clear is why the
funding has been pulled. In fact, it's quite a test to figure out who's
actually responsible for pulling the plug, much less the reason. DARPA
is, essentially, just an intermediate agency for the funding, which is
passed on to the University of Pennsylvania. The funds themselves come
from the Air Force Research Laboratory.
Most speculation has gone to comments made by OpenBSD project leader
Theo de Raadt. The comments in question come from an interview in The
Globe and Mail, where de Raadt is quoted as saying he's "uncomfortable"
about the source of the grant. De Raadt also told the Globe and Mail that,
"I try to convince myself that our grant means a half of a cruise missile
doesn't get built," which might not sit well with U.S. military types. A
few days after the comment appeared in the Globe and Mail, de Raadt was
contacted by University of Pennsylvania professor Jonathan Smith. According
to de Raadt, Smith objected to the comment, but wouldn't give a specific
reason why. The funding was pulled on Thursday of last week.
If that is the reason for the cancellation, it's not the official story
from DARPA, inasmuch as DARPA has given or will give an official story. A
statement forwarded to LWN by de Raadt, attributed to DARPA spokesperson
Jan Walker, claims that the funding is under review.
As a result of the DARPA review of the project, and due to world events
and the evolving threat posed by increasingly capable nation-states, the
Government [sic] on April 21 advised the University to suspend work on
the "security fest" portion of the project.
Walker did not respond to e-mails or phone calls requesting confirmation
of this statement or requests to elaborate on or clarify the statement.
The most immediate consequence is that the OpenBSD project has had the
rug pulled out from under them with regards to the upcoming hackathon in
Canada. 60 OpenBSD developers are scheduled to travel to Canada for the
event, almost all of whom have already purchased tickets based on a
go-ahead given in January. The hotel was contacted and told to cancel
the reservation, despite the fact that an 80% cancellation fee is
in effect. According to de Raadt, this amounts to about $24,000
Canadian. De Raadt also reports that the hotel was instructed not to
allow anyone to pay the remaining balance to keep the reservation.
However, de Raadt said that the hotel has agreed to cut the OpenBSD
project a deal for the hackathon, even if they cannot apply the
cancellation fee to the bill.
Fernando Pereira, chairman of the Department of Computer and Information
Science at the University of Pennsylvania sent this statement to the
OpenBSD "misc" mailing list to explain why the cancellation fee cannot
be used towards the hotel costs:
When the contracting agency requested that work be stopped
on the security fests component of POSSE, the only expenses that they
would still allow are documented losses to the conference hotel due to
cancellation. Any other use of funds, including use of the cancellation
costs in partial support of conference accommodation, would not be an
allowable contract expense. Contrary to a widespread misconception, the
University of Pennsylvania could not have "allowed" that use of US
Government funds. The funds belong to the US Government, not to the
University.
Apparently, quite a few people in the OpenBSD community have already
sent letters of protest to the University of Pennsylvania, newspapers
and other sources. If you'd like to write a letter to complain or
comment on the decision to official sources, de Raadt notes that it's
helpful to have the contract number. The contract was granted by the Air
Force Research Lab, Materiel Command, and is DARPA contract number
F30602-01-2-0537.
With the exception of the hackathon, the loss of funding may not be as
dramatic as it sounds. On Monday, de Raadt said that the OpenBSD project
had already received about $7,000 in donations, and more was "in the
mail." The OpenBSD project has been around for eight years, and has done
just fine without the DARPA funding. In addition, the funding was set to
run out within four months anyway and de Raadt noted that he works
through a Canadian contracting company that should ensure that he
receives the rest of his pay for the next four months. The major losers
appear to be the University of Pennsylvania grad students who were also
receiving money from the grant, as well as the 60 OpenBSD developers who
are wondering whether there will be a place for them to stay when they
arrive at the hackathon.
Novell and Linux
Readers of the discussion on LWN.net may have seen comments posted by
Kristopher Magnusson, who happens to be the chair of Novell's "Open Source
Review Board" and the person responsible for managing the company's
relations with the free software community. We had the opportunity to ask
Mr. Magnusson a few questions about Novell's plans with regard to Linux;
his answers appear below. But first, a couple of other Novell-related
items:
- Novell has become a gold sponsor of the Linux Professional Institute,
and is recommending LPI certification as part of its own certification
program.
- Jack Messman, Novell's CEO, has sent us a clarification of Novell's
view of Linux and the free software community, and an apology for some
remarks in an interview that did not come out quite right. "Novell
wouldn't be spending the tremendous time, money and resources to make
this strategy a reality if we didn't believe in the present and future
of Linux. After building and enhancing NetWare for 20 years, this is new
territory for us. We simply ask for your patience along the way."
And now, on to the interview.
LWN:
In the ComputerWorld interview, CEO Jack Messman said "Linux is an immature
operating system right now. It hasn't had somebody like Novell worrying
about making it robust, reliable and scalable for very much time. We think
we can bring that to the Linux kernel." He has since noted that he could
have expressed himself better, and his apologies have been accepted. But
the point remains that Novell sees room for improvement in the Linux
kernel. The kernel developers agree, of course; otherwise they would be
working on something else. Could you explain what improvements Novell would
like to see in the Linux kernel?
First, I want to reiterate that Novell believes the Linux kernel is
quite mature, robust, reliable and scalable as it is today, or else we
wouldn't have decided to use it in NetWare 7. That said, at this point,
Novell currently has no definitive plans to improve the kernel, though
as Jack indicated we will indirectly enhance it by the services that
run on top. We intend to let the Linux developer community go through
its normal development process and use whatever kernel they develop
as-is.
Job number one for Novell engineering is to port the services that run
on the operating system. Whether customers are running NetWare 7 on the
Linux kernel or the NetWare kernel, we want to make sure they have
access to the very best services for file, print, storage, directories,
messaging, collaboration, resource management, Web development and many
others.
LWN:
Which of those (if any) does Novell plan to work on (and contribute
back) itself?
As I stated, we like the Linux kernel as-is, and have no plans at this
point to develop our own improvements. Novell's focus today is
delivering a number of services above the kernel.
LWN:
A quick search through the linux-kernel mailing list did not turn up any
Novell engineers participating in the discussion - at least, none that
identified themselves as such. Does Novell have engineers working on the
Linux kernel, and do they plan to participate in the development
community?
We do have a team of Linux engineers who have joined the Linux-kernel
mailing list and they are reading the Linux-kernel mailing list posts.
My understanding is that they are getting a feel for how the discussions
take place before they actually participate with questions and so
forth--they want to understand the lay of the land before they jump in
head-first.
LWN:
The recent announcements mention Novell's contributions to various open
source projects, including Apache and OpenLDAP. Can you give a quick
summary of what some of the more important contributions have been?
Novell has been quietly engaging the open source community for a number
of years. For example, our OpenLDAP work has been quietly humming along
for four years. And it's not well known that we've thrown our weight
solidly behind the "AMP (Apache/MySQL/PHP)" platform that's been so
popular on Linux. Because of our AMP work, developers can take AMP code
and move it to NetWare 6.5 pretty much unmodified.
Our Apache work is one of our more important contributions. We have a
strong relationship with the Apache Software Foundation. In the case of
Apache, Novell's lead engineer in charge of porting Apache to NetWare is
a member of the Apache Software Foundation, which gives him code
check-in privileges as well as some degree of control over the general
technical direction of Apache development. Further, Novell has been very
conscientious about contributing our improvements to the Apache codebase
back to the Apache Foundation.
Novell recently formed a relationship with MySQL AB. We licensed a
commercial version of MySQL to ship their database on every NetWare 6.5
CD, and this has been a big hit with our biggest customers. We practice
a kind of open source process between our two companies--Novell
engineers porting MySQL code make improvements that we contribute back
to MySQL AB. These improvements find their way into the GPL version of
the database, which benefits everyone who uses the open source version
of MySQL.
Novell also has a relationship with the PHP group that's part of the
Apache Software Foundation. We ported PHP to NetWare as part of our AMP
strategy, and we made a number of improvements to the PHP code that we
contributed to that organization.
Beyond AMP, our relationship with OpenLDAP dates back to 1999, when
Novell was looking for open source C-based libraries for programmatic
access to LDAP directories. We found OpenLDAP's implementation, which
needed some work. We decided to pitch in and help; so we completed the
work for them and contributed our improvements back to OpenLDAP. Next,
we needed a set of Java libraries. OpenLDAP didn't have any, so we wrote
our own and contributed them to OpenLDAP outright under their BSD-based
license. After four years, we still check in Java library code to
OpenLDAP on a weekly basis. Most recently, a few months ago, we
contributed to OpenLDAP a DSMLv2 server written in Java.
So we've been consuming open source software for some time, and have
been contributing our improvements back to each community. It's been a
satisfying process over the years to see our improvements included in
new versions of each piece of software.
LWN:
Novell has released its UDDI code with a fair amount of fanfare. Can we
look forward to other releases of Novell technology in the near future?
Yes, we will definitely release more technology in the future. In fact,
we have another open source announcement planned for later in the spring
that, like the UDDI server, is related to standards activities. We are
also evaluating which proprietary Novell technologies could be good
candidates for open source release, although we haven't finalized those
decisions yet.
LWN:
If I understand correctly, Netware 7.0 will be able to run on top of the
Linux kernel. The thinking seems to be that giving customers the option to
move to Linux will make them more inclined to stay with Netware. Is that
an accurate summation of Novell's strategy? How will Novell respond if it
turns out that most customers would rather run on the Linux kernel?
I think it's only one element of our strategy that the option to move
to Linux will make our customers more inclined to stay with NetWare.
Both versions will be bona fide NetWare 7--whether customers purchase
the version that runs on the Linux kernel or the NetWare kernel, they're
both revenue-generating products for Novell. If it turns out that most
customers would rather run on the Linux kernel, then it would only
validate our decision to move NetWare services to Linux. This is the
same approach that we've taken with other products, like eDirectory,
NetMail, and iFolder.
LWN:
Taking it one step further...if Netware 7 runs well on the Linux kernel,
what reason would Novell have to continue developing and maintaining its
own kernel? What advantage does a proprietary kernel give to Novell when
it can run Linux and benefit from the reliability and scalability work
being done by IBM, SGI, HP, Red Hat, SuSE, and others?
Novell still has a huge installed base of NetWare customers who depend
on a clear upgrade path to the next version of NetWare running on the
NetWare kernel. That's why we have a dual-kernel strategy--to ensure
that we don't lose customers who want to upgrade to the non-Linux
version of NetWare 7. Besides, Linux and the NetWare kernel are both
excellent pieces of engineering that have benefitted from years of
enhancements and improvements. Many traditional NetWare customers will
want the value of the NetWare kernel.
LWN:
For customers wanting to run Netware over Linux, will Novell ship a
specific distribution, or will customers be expected to obtain a supported
distribution from elsewhere?
The answer to this question is in a state of flux. We're not sure yet
exactly how this is going to work--please bear with us while we sort
this out.
LWN:
Why is Novell releasing Netware on top of Linux, rather than (or, at least,
prior to) Windows?
We're going with Linux because our customers are telling us that they
are moving off of Windows and onto Linux. It's as simple as that. Linux
has the momentum and the mindshare and we want to lend our considerable
energy to Linux.
Opteron launches
AMD has, at last, released its long-awaited "Opteron" (or "Hammer")
processor. LWN does not normally
devote much space to following developments in the microprocessor field,
but Opteron is worth a mention. There is a good chance that this is the
architecture many of us will be running in the future.
Opteron has the potential to deliver the best from both the 32-bit and
64-bit computing worlds. It will run 32-bit x86 code natively, and with
good performance. That is a nice feature for people with binary
applications, of course, though it is less useful in the free software
world. If you have source (and an operating system which has been 64-bit
capable for years), support for a new processor is often just a matter of
running "make." There is another important aspect to 32-bit support,
however: for most applications, 32 bits is the optimal size. Moving to a
64-bit mode involves a sizeable expansion of a program's code and data,
with bad effects on cache utilization, virtual memory use, and memory bus
bandwidth. Building "cat" as a 64-bit application can only serve to make
it bigger and slower. So a processor with native 32-bit support is a good
thing.
There are situations, however, where only 64 bits will do. In particular,
applications which need to address vast amounts of memory (e.g., big
scientific crankers, large databases, emacs) will benefit from 64-bit
pointers. So good 64-bit support matters too.
Of course, the thing that really matters for Linux users is Linux
support. AMD has worked with the free software community for years to
ensure that its processor would be supported. The end result is that you
can buy an Opteron server running a stable Linux port (choosing from
multiple distributors) today. Windows support, instead, will show up in
beta form only later this year, and Apple's support remains a rumor. In
some areas, hardware support in Linux still lags behind other systems; with
the Opteron, however, Linux got there first. If Opteron lives up to its
PR, it could be a platform which brings Linux into many more machine rooms
in the next few years.
Page editor: Jonathan Corbet
Security
Security news
The other security problem
People who deal with systems security spend a lot of time worrying about
buffer overflows, format string vulnerabilities, file creation races, and
so on. These problems can all lead to the compromise of an important
system, with the usual array of unpleasant consequences. So conscientious
administrators pay attention to new vulnerabilities, apply their patches,
and so on.
This Register article, however, serves as a good reminder that there are
other aspects to the security problem:
Nine in ten (90 per cent) of office workers at London's Waterloo
Station gave away their computer password for a cheap pen, compared
with 65 per cent last year.
What a pain; all that patching and careful administration, then the users
hand their passwords over to a stranger when asked. Unfortunately, patches
for loose-lipped users are hard to come by. The security advantages of
free software also fail to offer much help in the way of blabbermouth
mitigation.
Lack of security consciousness is a real problem. Careless users will not
increase your exposure to the next Internet worm. But an attacker who has
set his sights on a specific target may well want to have a little
discussion with your users. Pens are cheap, after all.
New vulnerabilities
gkrellm-newsticker - multiple vulnerabilities
| Package(s): | gkrellm-newsticker |
| CVE #(s): | CAN-2003-0205, CAN-2003-0206 |
| Created: | April 23, 2003 |
| Updated: | April 23, 2003 |
| Description: |
gkrellm-newsticker has two vulnerabilities: a denial of service problem
and a failure to filter shell metacharacters which can allow an attacker
to run arbitrary commands by way of a hostile (or compromised) news feed. |
| Alerts: | |
mime-support: insecure temporary file creation
| Package(s): | mime-support |
| CVE #(s): | |
| Created: | April 22, 2003 |
| Updated: | April 30, 2003 |
| Description: |
Colin Phipps discovered several problems in mime-support, which contains
support programs for the MIME control files 'mime.types' and 'mailcap'.
When a temporary file is to be used it is created insecurely, allowing
an attacker to overwrite arbitrary files under the user id of the person
executing run-mailcap, most probably root. Additionally the program did
not properly escape shell escape characters when executing a command.
This is unlikely to be exploitable, though. |
| Alerts: | |
rinetd: incorrect memory resizing
| Package(s): | rinetd |
| CVE #(s): | CAN-2003-0212 |
| Created: | April 17, 2003 |
| Updated: | April 23, 2003 |
| Description: |
Sam Hocevar discovered a security problem in rinetd, an IP connection
redirection server. When the connection list is full, rinetd resizes the
list in order to store the new incoming connection. However, this is done
improperly, resulting in a denial of service and potentially execution of
arbitrary code. |
| Alerts: | |
snort - multiple vulnerabilities
| Package(s): | snort |
| CVE #(s): | CAN-2003-0029, CAN-2003-0033 |
| Created: | April 23, 2003 |
| Updated: | May 7, 2003 |
| Description: |
Versions of the snort intrusion detection system through 2.0-rc1 contain
buffer and heap overflow vulnerabilities which could lead to remote code
execution. Sites running snort are advised to upgrade to 2.0.0 as soon as
possible; see this CERT advisory for more information. |
| Alerts: | |
Updated vulnerabilities
BitchX - denial of service
| Package(s): | BitchX |
| CVE #(s): | |
| Created: | February 20, 2003 |
| Updated: | May 26, 2003 |
| Description: |
From this Bugtraq posting:
A denial of service vulnerability exists in BitchX. Sending a malformed
RPL_NAMREPLY numeric 353 causes BitchX to segfault. This problem was
reported to panasync@efnet#bitchx on Jan 30 2003, as of this writing we are
unaware of any patches or workarounds provided by panasync and or any
members of #bitchx |
| Alerts: | |
EOG: vulnerability in Eye of GNOME
| Package(s): | EOG |
| CVE #(s): | CAN-2003-0165 |
| Created: | April 3, 2003 |
| Updated: | April 16, 2003 |
| Description: |
A vulnerability was found in EOG version 2.2.0 and earlier. A carefully
crafted filename passed to the program could lead to the execution of
arbitrary code. An attacker could exploit this because various packages
(Mutt, for example) make use of EOG for image viewing. |
| Alerts: | |
evolution: multiple vulnerabilities
| Package(s): | Evolution |
| CVE #(s): | CAN-2003-0128, CAN-2003-0129, CAN-2003-0130 |
| Created: | March 21, 2003 |
| Updated: | May 14, 2003 |
| Description: |
Multiple vulnerabilities have been found in Ximian's Evolution Mail User
Agent, according to this CoreLabs advisory.
"Three vulnerabilities were found that could lead to various forms of
exploitation ranging from denying to users the ability to read email,
provoke system instability, bypassing security context checks for email
content and possibly execution of arbitrary commands on vulnerable
systems."
Ximian Evolution is a personal and workgroup information management
solution for Linux and UNIX-based systems. The software integrates email,
calendaring, meeting scheduling, contact management, and task lists, in
one application. |
| Alerts: | |
LPRng: insecure temporary file
| Package(s): | LPRng |
| CVE #(s): | CAN-2003-0136 |
| Created: | April 14, 2003 |
| Updated: | June 16, 2003 |
| Description: |
Karol Lewandowski discovered that psbanner, a printer filter that
creates a PostScript format banner and is part of LPRng, insecurely
creates a temporary file for debugging purposes when it is configured
as a filter. The program does not check whether this file already
exists or is linked to another place, and writes its current environment
and called arguments to the file unconditionally with the user id
daemon. |
| Alerts: | |
perl-MailTools: remote command execution
| Package(s): | MailTools |
| CVE #(s): | CAN-2002-1271 |
| Created: | November 5, 2002 |
| Updated: | September 19, 2003 |
| Description: |
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected
by this vulnerability; in particular, SpamAssassin is vulnerable if you
use the -r or -w flags. |
| Alerts: | |
NetPBM: math overflow errors
| Package(s): | NetPBM |
| CVE #(s): | CAN-2003-0146 |
| Created: | March 17, 2003 |
| Updated: | May 27, 2003 |
| Description: |
Al Viro and Alan Cox discovered several maths overflow errors in
NetPBM, a set of graphics conversion tools. These programs are not
installed setuid root but are often installed to prepare data for
processing. These vulnerabilities may allow remote attackers to cause
a denial of service or execute arbitrary code. |
| Alerts: | |
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
| CVE #(s): | CAN-2002-1323 |
| Created: | October 9, 2002 |
| Updated: | February 20, 2004 |
| Description: |
The use Perl site has a description of a vulnerability in the Safe.pm
Perl module. It seems that if a Safe compartment is used more than once,
it ceases to be safe. The problem is fixed in Safe 2.08. |
| Alerts: | |
apache 2.x: denial of service
| Package(s): | apache |
| CVE #(s): | CAN-2003-0132 |
| Created: | April 9, 2003 |
| Updated: | May 1, 2003 |
| Description: |
Apache 2.0.x releases up to and including 2.0.44 have a denial of service
vulnerability; Apache 2.0.45 fixes the problem. |
| Alerts: | |
Heap corruption vulnerability in at
| Package(s): | at, sudo, xchat |
| CVE #(s): | CAN-2002-0004 |
| Created: | May 21, 2002 |
| Updated: | May 15, 2003 |
| Description: |
The at command has a potentially exploitable heap corruption bug.
(First LWN report: January 17th.) |
| Alerts: | |
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
| CVE #(s): | CAN-2002-0651, CAN-2002-0684 |
| Created: | July 8, 2002 |
| Updated: | October 1, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunately that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX
functions. These functions are described in the SuSE alert as "used by
very few applications only, such as ifconfig and ifuser, which makes
exploits less likely."
CERT Advisory: CA-2002-19, Buffer Overflow in Multiple DNS Resolver
Libraries (CAN-2002-0651, CAN-2002-0684). |
| Alerts: | |
Canna server: exploitable buffer overrun
| Package(s): | canna |
| CVE #(s): | CAN-2002-1158, CAN-2002-1159 |
| Created: | December 10, 2002 |
| Updated: | October 1, 2003 |
| Description: |
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt
(CAN-2002-1158, CAN-2002-1159). |
| Alerts: | |
dvips: command execution vulnerability
| Package(s): | dvips |
| CVE #(s): | CAN-2002-0836 |
| Created: | October 16, 2002 |
| Updated: | June 10, 2003 |
| Description: |
The dvips utility uses the system() function improperly when managing
fonts. An attacker who can craft the right sort of print job can use this
vulnerability to execute commands under the UID used by the print system. |
| Alerts: | |
epic: buffer overflows
| Package(s): | epic |
| CVE #(s): | |
| Created: | April 15, 2003 |
| Updated: | April 16, 2003 |
| Description: |
Timo Sirainen discovered several problems in EPIC, a popular client for
Internet Relay Chat (IRC). A malicious server could craft special reply
strings, triggering the client to write beyond buffer boundaries. This
could lead to a denial of service if the client only crashes, but may also
lead to execution of arbitrary code under the user id of the chatting user. |
| Alerts: | |
ethereal - format string vulnerability
| Package(s): | ethereal |
| CVE #(s): | CAN-2003-0081 |
| Created: | March 10, 2003 |
| Updated: | June 12, 2003 |
| Description: |
The SOCKS dissector in Ethereal 0.9.9 is susceptible to a format string
overflow. This vulnerability has been present in Ethereal since the SOCKS
dissector was introduced in version 0.8.7. It was discovered by Georgi
Guninski. Additionally, the NTLMSSP code is susceptible to a heap
overflow. All users of Ethereal 0.9.9 and below are encouraged to upgrade.
See the full advisory for additional information. |
| Alerts: | |
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes
and lets interested applications know when something happens. This package
has a flaw in its group handling that blocks some legitimate operations
while, at the same time, exposing the names of files that should otherwise
be invisible. |
| Alerts: | |
fetchmail: buffer overflow
| Package(s): | fetchmail |
| CVE #(s): | CAN-2002-1365 |
| Created: | December 17, 2002 |
| Updated: | October 20, 2003 |
| Description: |
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow
vulnerability which can be exploited remotely via a suitably crafted
message. See this advisory for details. |
| Alerts: | |
file - memory allocation problem, stack overflow
| Package(s): | file |
| CVE #(s): | CAN-2003-0102 |
| Created: | March 4, 2003 |
| Updated: | June 4, 2003 |
| Description: |
Jeff Johnson found a memory allocation problem and David Endler found a
stack overflow corruption problem in the file "Automatic File Content
Type Recognition Tool" version 3.41. Nalin Dahyabhai improved ELF section
and program header handling in file version 3.40. The folks at OpenPKG
believe that file versions without those modifications are vulnerable to
memory allocation and stack overflow problems which put security at risk. |
| Alerts: | |
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
| CVE #(s): | CAN-2002-0435 |
| Created: | May 21, 2002 |
| Updated: | May 16, 2003 |
| Description: |
A race condition in rm may cause the root user to delete the whole
filesystem. The problem exists in the version of rm in fileutils 4.1
stable and 4.1.6 development version. A patch is available.
(First LWN report: May 2.) |
| Alerts: | |
Potential remote root exploit in glibc
| Package(s): | glibc |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 14, 2002 |
| Updated: | June 29, 2003 |
| Description: |
Felix von Leitner discovered a potential division by zero bug in code
derived from the SunRPC library which is used in glibc. This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a
variety of applications, this defect may lead to a number of differing
security problems. Exploiting this vulnerability will lead to denial of
service, execution of arbitrary code, or the disclosure of sensitive
information.
CERT/CC Vulnerability Note VU#192995: Integer overflow in xdr_array()
function when deserializing the XDR stream. |
| Alerts: | |
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
| CVE #(s): | CAN-2002-1146 |
| Created: | November 7, 2002 |
| Updated: | February 5, 2004 |
| Description: |
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note VU#738331.)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash). |
| Alerts: | |
glibc: integer overflow in the xdrmem_getbytes() function
| Package(s): | glibc krb5 dietlibc |
CVE #(s): | CAN-2003-0028
|
| Created: | March 21, 2003 |
Updated: | May 27, 2003 |
| Description: |
An integer overflow in the xdrmem_getbytes() function, and possibly other
functions, of XDR (external data representation) libraries derived from
SunRPC, including libnsl, libc, and glibc, allows remote attackers to
execute arbitrary code via certain integer values in length fields: the
length check subtracts the requested length from the remaining byte count
before testing for a negative result, so a large enough length wraps the
check and the subsequent copy runs past the end of the buffer.
See CAN-2003-0028 and CERT advisory CA-2003-10 for more information.
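Both XDR entries above (CAN-2002-0391 in xdr_array() and CAN-2003-0028 in xdrmem_getbytes()) are integer-overflow bugs in length handling. The following is an added example, not glibc's or SunRPC's code: each old check is reproduced in isolation beside a hardened version, and a small xdr_array()-style decoder is built on the hardened checks. The sample byte streams and the 0x40000001 element count are constructed for the demonstration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified in-memory XDR stream. In the pre-fix code x_handy (bytes
   remaining) was a signed int while len arguments were unsigned; that mix
   is what the old xdrmem_getbytes() check tripped over. */
struct xdrmem {
    const unsigned char *x_private;   /* next unread byte */
    int x_handy;                      /* bytes remaining */
};

/* The old xdrmem_getbytes() bounds check (CAN-2003-0028) in isolation:
   subtract first, test the sign afterwards. Returns true when the old code
   would have gone on to memcpy() len bytes. No copy is made here, since
   with a hostile len it would read far beyond the stream. */
bool old_getbytes_check_passes(int x_handy, unsigned int len)
{
    x_handy -= len;   /* int -= unsigned wraps: 100 - 0xFFFFFFF0 comes out as 116 */
    return x_handy >= 0;
}

/* Fixed xdrmem_getbytes(): compare before subtracting, treating the
   remaining count as the unsigned quantity it is. Copies only when safe. */
bool xdrmem_getbytes_fixed(struct xdrmem *xdrs, unsigned char *dst, unsigned int len)
{
    if (xdrs->x_handy < 0 || (unsigned int)xdrs->x_handy < len)
        return false;
    memcpy(dst, xdrs->x_private, len);
    xdrs->x_private += len;
    xdrs->x_handy -= (int)len;
    return true;
}

/* The old xdr_array() allocation size (CAN-2002-0391 / VU#192995): the
   element count from the wire times the element size, in 32-bit unsigned
   arithmetic. The product wraps: 0x40000001 four-byte elements "need" 4
   bytes, and the decode loop then stores 0x40000001 elements into them. */
unsigned int old_array_alloc_size(unsigned int c, unsigned int elsize)
{
    return c * elsize;
}

/* Hardened size computation: refuse any count whose product with elsize
   cannot be represented, before the allocator is ever called. */
bool array_alloc_size_checked(unsigned int c, unsigned int elsize, unsigned int *out)
{
    if (elsize == 0 || c > UINT_MAX / elsize)
        return false;
    *out = c * elsize;
    return true;
}

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Minimal xdr_array()-style decoder built on both hardened checks: a
   big-endian 32-bit count followed by that many big-endian 32-bit elements.
   Returns the element count, or -1 if the stream is truncated or the count
   would overflow the allocation. Caller frees *out. */
long decode_u32_array(struct xdrmem *xdrs, unsigned int maxelems, uint32_t **out)
{
    unsigned char raw[4];
    unsigned int c, nbytes;
    if (!xdrmem_getbytes_fixed(xdrs, raw, 4))
        return -1;
    c = be32(raw);
    if (c > maxelems || !array_alloc_size_checked(c, sizeof(uint32_t), &nbytes))
        return -1;
    if ((unsigned int)xdrs->x_handy < nbytes)
        return -1;                    /* more elements announced than received */
    uint32_t *buf = malloc(nbytes ? nbytes : 1);
    if (!buf)
        return -1;
    for (unsigned int i = 0; i < c; i++) {
        xdrmem_getbytes_fixed(xdrs, raw, 4);   /* cannot fail: length checked above */
        buf[i] = be32(raw);
    }
    *out = buf;
    return (long)c;
}

/* Constructed sample streams (not captured RPC traffic). */
static const unsigned char good_stream[] = { 0,0,0,2, 0,0,0,7, 0,0,1,0 };  /* [7, 256] */
static const unsigned char evil_stream[] = { 0x40,0,0,1, 0,0,0,0 };         /* count 0x40000001 */

/* Decode one sample: returns the element count or -1. */
long decode_sample(const unsigned char *data, int n)
{
    struct xdrmem x = { data, n };
    uint32_t *arr = NULL;
    long c = decode_u32_array(&x, INT_MAX, &arr);
    free(arr);
    return c;
}

/* Element idx of a decoded sample, or UINT32_MAX if the stream is rejected. */
uint32_t sample_element(const unsigned char *data, int n, unsigned int idx)
{
    struct xdrmem x = { data, n };
    uint32_t *arr = NULL;
    long c = decode_u32_array(&x, INT_MAX, &arr);
    uint32_t v = (c > 0 && idx < (unsigned long)c) ? arr[idx] : UINT32_MAX;
    free(arr);
    return v;
}

int main(void)
{
    printf("good stream: %ld elements, first %u\n",
           decode_sample(good_stream, sizeof good_stream),
           sample_element(good_stream, sizeof good_stream, 0));
    printf("evil stream: %ld (rejected); old size calculation gave %u bytes\n",
           decode_sample(evil_stream, sizeof evil_stream),
           old_array_alloc_size(0x40000001u, 4));
    return 0;
}
```

The two checks are the same lesson from different sides: a length that comes off the wire must be compared against what remains before any arithmetic is done with it, and a product of two wire-controlled values must be range-checked before it reaches the allocator.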
Alerts:
Comments (3 posted)
gs-common: insecure temporary file
Package(s): gs-common
CVE #(s): (none)
Created: April 14, 2003
Updated: April 16, 2003
Description:
Paul Szabo discovered insecure creation of a temporary file in
ps2epsi, a script distributed as part of gs-common, which contains
common files for the different Ghostscript releases. ps2epsi uses
a temporary file in the process of invoking Ghostscript. This file
was created in an insecure fashion, which could allow a local attacker
to overwrite files owned by a user who invokes ps2epsi.
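The usual mechanism behind an insecure temporary file is a predictable name that another local user can create ahead of time as a symbolic link, so that the victim's process opens and truncates whatever the link points at. The following added example (not ps2epsi's or Ghostscript's code) plays that race out in a scratch directory against an insecure open() and a hardened one. The temporary name ps2epsi.tmp is an assumption, and the victim file and its contents are constructed for the demonstration:

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* mkdtemp(), O_NOFOLLOW on glibc */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum temp_result { TEMP_FOLLOWED_LINK = 1, TEMP_REFUSED = 2, TEMP_ERROR = 3 };

/* The insecure pattern: a predictable name, opened with O_CREAT|O_TRUNC and
   no O_EXCL. If another local user has already planted a symlink at that
   name, open() follows it and the victim's file is truncated and
   overwritten with the program's temporary data. */
int open_temp_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL makes open() fail if anything, symlink included, already
   exists at the path, and O_NOFOLLOW refuses to traverse a symlink in the
   final component. mkstemp(3) (mktemp(1) in scripts) adds an unpredictable
   name on top of the same O_CREAT|O_EXCL open. */
int open_temp_secure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Plays the race out in a fresh scratch directory: "victim" holds 7 bytes,
   the attacker plants tmpname -> victim, then the program opens tmpname
   with the given opener and writes to it. Reports whether the victim file
   was clobbered. Cleans up afterwards. */
enum temp_result simulate_symlink_attack(int (*opener)(const char *))
{
    char dir[64] = "/tmp/tmpdemo.XXXXXX";
    if (!mkdtemp(dir)) {
        strcpy(dir, "./tmpdemo.XXXXXX");
        if (!mkdtemp(dir))
            return TEMP_ERROR;
    }
    char victim[128], tmpname[128];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/ps2epsi.tmp", dir);  /* predictable name (assumed) */

    enum temp_result result = TEMP_ERROR;
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto cleanup;
    if (write(fd, "SECRET\n", 7) != 7) { close(fd); goto cleanup; }
    close(fd);
    if (symlink(victim, tmpname) != 0)           /* the attacker's move */
        goto cleanup;

    fd = opener(tmpname);                         /* the program's move */
    if (fd < 0) {
        result = TEMP_REFUSED;
    } else {
        if (write(fd, "garbage\n", 8) != 8) { close(fd); goto cleanup; }
        close(fd);
        struct stat st;
        if (stat(victim, &st) == 0)
            result = (st.st_size == 7) ? TEMP_REFUSED : TEMP_FOLLOWED_LINK;
    }
cleanup:
    unlink(tmpname);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("O_CREAT|O_TRUNC on a planted symlink: %s\n",
           simulate_symlink_attack(open_temp_insecure) == TEMP_FOLLOWED_LINK
               ? "victim file overwritten" : "not overwritten");
    printf("O_CREAT|O_EXCL|O_NOFOLLOW on the same link: %s\n",
           simulate_symlink_attack(open_temp_secure) == TEMP_REFUSED
               ? "open refused" : "open succeeded");
    return 0;
}
```

The scratch directory is private (mode 0700) so the kernel's protected_symlinks setting, which only applies in sticky world-writable directories such as /tmp itself, does not interfere with the demonstration; in a real /tmp that setting is a second line of defence, not a substitute for O_EXCL or mkstemp().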
Alerts:
Comments (none posted)
gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133, CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description:
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a
bug in its handling of HTML messages. Alan Cox discovered that certain
malformed messages could cause the Evolution mail component to crash.
Alerts:
Comments (none posted)
IMP - SQL injection vulnerability
Package(s): imp
CVE #(s): CAN-2003-0025
Created: January 15, 2003
Updated: July 8, 2003
Description:
IMP, the Horde project's web-based IMAP mail client, is vulnerable to SQL
injection in versions 2.2.8 and prior; see this advisory for details.
Version 3.x is not vulnerable to this problem.
Alerts:
Comments (1 posted)
ircii: buffer overflow vulnerability
Package(s): ircii
CVE #(s): (none)
Created: March 20, 2003
Updated: April 22, 2003
Description:
Timo Sirainen audited ircII-based clients (see this Bugtraq post) and
found several buffer overflow vulnerabilities in ircii-20020912.
Alerts:
Comments (none posted)
kde: arbitrary code execution
Package(s): kde
CVE #(s): CAN-2003-0204
Created: April 10, 2003
Updated: June 30, 2003
Description:
The KDE Security team has issued an advisory on a vulnerability present in
all versions of KDE that allows a remote attacker to execute arbitrary
commands under your account. KDE 3.0.5b and KDE 3.1.1a have been released
to address this problem. For KDE 2.2.2, patches to the KDE 2.2.2 sources
have been made available.
KDE uses Ghostscript for processing PostScript (PS) and PDF files in a way
that allows the execution of arbitrary commands contained in such files.
PostScript is a full programming language; Ghostscript provides a
restricted mode (-dSAFER, with -dPARANOIDSAFER in newer releases) for
untrusted input, and the fixed KDE versions invoke it that way.
An attacker can prepare a malicious PostScript or PDF file which will
provide the attacker with access to the victim's account and privileges
when the victim opens the file for viewing, or when the victim browses a
directory containing such a file with file previews enabled.
An attacker can deliver malicious files remotely to a victim in an e-mail,
as part of a web page, via an FTP server and possibly by other means.
Alerts:
Comments (none posted)
kerberos - cryptographic weakness
Package(s): kerberos, heimdal, openafs
CVE #(s): CAN-2003-0138, CAN-2003-0139
Created: March 26, 2003
Updated: May 27, 2003
Description:
Version 4 of the Kerberos protocol contains a cryptographic weakness which
enables a chosen-plaintext attack. A suitably equipped attacker can
impersonate any principal in the realm. Another weakness allows the
creation of false Kerberos tickets. Given the weaknesses in the
cryptography, cross-realm authentication cannot be performed in a secure
way.
OpenAFS kaserver implements version 4 of the Kerberos protocol, and
therefore is also vulnerable.
Alerts:
Comments (none posted)
kernel - ptrace-related vulnerability
Package(s): kernel
CVE #(s): CAN-2003-0127
Created: March 17, 2003
Updated: June 30, 2003
Description:
Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in
ptrace() which may be exploited by a local user to obtain root access: a
local process can attach with ptrace() to a child process that the kernel
spawns on its behalf (for example modprobe, started by the module loader),
which runs with root privileges, and inject code into it. This
announcement contains the details and a patch for 2.4.20. For 2.2 users,
2.2.25 has been released and contains the fix.
Alerts:
Comments (none posted)
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description:
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains the User Mode Linux (UML) utilities.
The uml_net utility in the kernel-utils packages shipped with Red Hat Linux
8.0 was incorrectly installed setuid root. This could allow local users to
control certain network interfaces, add and remove ARP entries and routes,
and put interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to the fixed packages,
which contain a version of uml_net that is not setuid root.
Alternatively, as a workaround, issue the following command as root:
chmod -s /usr/bin/uml_net
Alerts:
Comments (none posted)
libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description:
Glenn Randers-Pehrson discovered a problem in the handling of 16-bit
samples in libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly, which causes a buffer overrun
beyond the beginning of the row buffer.
Alerts:
Comments (none posted)
lprold - buffer overflow in lprm
Package(s): lprold lpd
CVE #(s): CAN-2003-0144
Created: March 13, 2003
Updated: May 28, 2003
Description:
The lprm command of the printing package lprold contains a buffer
overflow. Because lprm is installed setuid root, a local user can exploit
the overflow, on a system where the printing subsystem is set up, to gain
root privileges.
Alerts:
Comments (none posted)
lynx: CRLF injection vulnerability
Package(s): lynx
CVE #(s): CAN-2002-1405
Created: November 19, 2002
Updated: October 1, 2003
Description:
If lynx is given a URL containing certain special characters (carriage
return and line feed) on the command line, it will include faked headers
in the HTTP request it sends. This can be used to force scripts that use
lynx for downloading files to access the wrong site on a web server with
multiple virtual hosts, by supplying a Host: header of the attacker's
choosing.
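What a CRLF injection looks like once a URL component is pasted into an HTTP request, as an added example that is not lynx's code. The host names, the injected path and the choice to refuse rather than percent-encode are assumptions made for the demonstration:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Naive request builder: URL components are dropped straight into the
   header block. Nothing stops a component from containing "\r\n", which
   ends the request line early and lets the remainder be read as headers. */
int build_request_naive(char *out, size_t outsz, const char *host, const char *path)
{
    return snprintf(out, outsz, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", path, host);
}

/* True if s contains a byte that breaks header framing. A caller that
   URL-decodes first must run this on the decoded string, after %0D/%0A
   have turned back into CR/LF. */
bool has_header_break(const char *s)
{
    return strpbrk(s, "\r\n") != NULL;
}

/* Hardened builder: refuse rather than build. Returns -1 and leaves *out
   empty when either component would inject a line break. */
int build_request_checked(char *out, size_t outsz, const char *host, const char *path)
{
    if (has_header_break(host) || has_header_break(path)) {
        if (outsz)
            out[0] = '\0';
        return -1;
    }
    return build_request_naive(out, outsz, host, path);
}

/* Number of "Host:" header lines in a request buffer. One is correct; two
   means the injected header is in place, and on a server with several
   virtual hosts the first one decides which site answers. */
int count_host_headers(const char *req)
{
    int n = 0;
    for (const char *p = req; (p = strstr(p, "Host:")) != NULL; p += 5)
        if (p == req || p[-1] == '\n')
            n++;
    return n;
}

/* Constructed input: the path an attacker hands to a script that passes
   URLs to the fetcher unchecked (shown already URL-decoded). */
static const char *const INJECTED_PATH = "/ HTTP/1.0\r\nHost: attacker.example\r\nX-Injected: 1";

int hosts_in_naive_request(void)
{
    char req[512];
    build_request_naive(req, sizeof req, "www.example", INJECTED_PATH);
    return count_host_headers(req);
}

int checked_request_result(void)
{
    char req[512];
    return build_request_checked(req, sizeof req, "www.example", INJECTED_PATH);
}

int main(void)
{
    char req[512];
    build_request_naive(req, sizeof req, "www.example", INJECTED_PATH);
    printf("naive request:\n%s---\nHost headers: %d\n", req, count_host_headers(req));
    printf("checked builder result: %d\n", checked_request_result());
    return 0;
}
```

The naive request carries the attacker's Host: header first, so a multi-homed server routes the fetch to the wrong virtual host exactly as the entry describes; the checked builder rejects the URL before a request is formed.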
Alerts:
Comments (none posted)
man - code execution vulnerability
Package(s): man
CVE #(s): CAN-2003-0124
Created: March 19, 2003
Updated: May 7, 2003
Description:
Versions of man prior to 1.51 contain a code execution vulnerability which
can be exploited by a carefully crafted man file. See this advisory for the
details.
Alerts:
Comments (none posted)
mgetty spool permission
Package(s): mgetty
CVE #(s): CAN-2002-1391, CAN-2002-1392
Created: April 8, 2003
Updated: May 13, 2003
Description:
mgetty is a getty replacement for use with data and fax modems.
mgetty can be configured to run an external program to decide whether or
not to answer an incoming call based on Caller ID information. Unpatched
versions of mgetty prior to 1.1.29 would overflow an internal buffer if the
caller name reported by the modem was too long.
Additionally, the faxspool script supplied with versions of mgetty prior to
1.1.29 used a simple permissions scheme to allow or deny fax transmission
privileges. This scheme was easily circumvented because the spooling
directory used for outgoing faxes was world-writable.
Alerts:
Comments (none posted)
micq: Denial of service
Package(s): micq
CVE #(s): (none)
Created: December 13, 2002
Updated: April 24, 2003
Description:
Rüdiger Kuhlmann, upstream developer of mICQ, a text-based ICQ client,
discovered a problem in mICQ. Receiving certain ICQ message types
that do not contain the required 0xFE separator causes all versions to
crash.
Alerts:
Comments (none posted)
mutt: buffer overflow in IMAP client code
Package(s): mutt
CVE #(s): CAN-2003-0140
Created: March 21, 2003
Updated: April 22, 2003
Description:
Core Security Technologies has found a remotely exploitable buffer overflow
in mutt's IMAP client code: a malicious or compromised IMAP server can
trigger it in the connecting client. This Bugtraq post contains additional
information.
The problem has been fixed in Mutt 1.4.1 (stable) and 1.5.4 (unstable).
Alerts:
Comments (none posted)
mysql - configuration file vulnerability
Package(s): mysql mysqld
CVE #(s): CAN-2003-0150
Created: March 18, 2003
Updated: May 16, 2003
Description:
According to a report on BugTraq, a vulnerability exists in version
3.23.55 and earlier versions of the MySQL server. If the MySQL server is
launched by root, as is often done by system startup scripts, any
database user with the "FILE" privilege (which lets SELECT ... INTO
OUTFILE write files as the server's user) can write a configuration file
(usually my.cnf) that causes the MySQL server to run under an arbitrary
user id, including that of the superuser, on the next restart.
Alerts:
Comments (none posted)
net-snmp: denial of service vulnerability
Package(s): net-snmp
CVE #(s): CAN-2002-1170
Created: December 17, 2002
Updated: November 7, 2003
Description:
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Comments (none posted)
nethack: buffer overflow
Package(s): nethack, slashem, falconseye
CVE #(s): CAN-2003-0358, CAN-2003-0359
Created: February 18, 2003
Updated: July 15, 2003
Description:
Overflowing a buffer in nethack may lead to privilege escalation to the
games uid.
Read the full advisory for the details.
Note that falconseye does not contain the file permission error
CAN-2003-0359 which affected some other nethack packages.
Alerts:
Comments (none posted)
netscape-flash: buffer overflow
Package(s): netscape-flash
CVE #(s): (none)
Created: March 10, 2003
Updated: June 20, 2003
Description:
Potentially exploitable buffer overflows exist in the Macromedia Flash
Player. The full advisory is here.
"The cumulative security patch is available today and addresses the
potential for exploits surrounding buffer overflows (read/write) and
sandbox integrity within the player, which might allow malicious users to
gain access to a user's computer. The possibility of running native code on
a user's machine is a theoretical exploit, and extremely difficult to
execute in practice. There are no known examples of running such native
code from Macromedia Flash movies; however, even though this issue is
difficult and theoretical in nature only, we are encouraging users to
upgrade."
Alerts:
Comments (none posted)
openssl: local and remote extraction of RSA private key
Package(s): openssl, apache, mod_ssl
CVE #(s): CAN-2003-0147
Created: March 18, 2003
Updated: May 22, 2003
Description:
David Brumley and Dan Boneh of Stanford University have researched and
documented a timing attack on OpenSSL which allows local and remote
attackers to extract the RSA private key of a server: the time taken by
the private-key operation depends on the ciphertext it is given, and an
attacker who can measure those times for chosen ciphertexts learns one of
the key's prime factors bit by bit. The OpenSSL RSA implementation is
vulnerable to this type of attack unless RSA blinding has been turned on.
Blinding multiplies the input by a random value before the exponentiation
and removes that factor from the result afterwards, so the measured time
no longer correlates with attacker-chosen input. See this paper (pdf
format) for additional details.
Typically, RSA blinding is not enabled by OpenSSL-based applications,
mainly because it is not obvious how to do so when using OpenSSL to
provide SSL/TLS. This problem affects almost all applications using
OpenSSL; they must be rebuilt against the fixed OpenSSL version (where RSA
blinding is now enabled by default), or restarted against the updated
shared library if dynamically linked, or must enable RSA blinding
explicitly themselves (RSA_blinding_on()).
The performance impact of RSA blinding appears to be small (a few percent
only) and the RSA functionality remains fully compatible. The Common
Vulnerabilities and Exposures (CVE) project assigned the id
CAN-2003-0147 to the problem.
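RSA blinding as arithmetic, as an added example (not OpenSSL's implementation): a toy key with textbook-sized numbers (p=61, q=53, n=3233, e=17, d=2753, constructed for illustration) shows that the blinded exponentiation operates on c·r^e rather than on c and still yields c^d after unblinding. The blinding factor r is passed in so the result can be checked; in practice it is fresh randomness for every private-key operation.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy textbook RSA key, constructed for illustration only (p=61, q=53).
   A real key is 1024+ bits and the library does the blinding; the
   arithmetic below is what that blinding does. */
#define RSA_N 3233u
#define RSA_E 17u
#define RSA_D 2753u

/* Square-and-multiply modular exponentiation. In a real implementation
   (Montgomery reduction, Karatsuba versus schoolbook multiplication) the
   running time depends on the value of base; that data dependence is what
   Brumley and Boneh measured. Correct for m < 2^32. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t result = 1;
    base %= m;
    while (exp) {
        if (exp & 1)
            result = (result * base) % m;
        base = (base * base) % m;
        exp >>= 1;
    }
    return result;
}

/* Modular inverse by the extended Euclidean algorithm; 0 if none exists
   (a shares a factor with m). */
uint64_t modinv(uint64_t a, uint64_t m)
{
    int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1)
        return 0;
    if (t < 0)
        t += (int64_t)m;
    return (uint64_t)t;
}

uint64_t rsa_public(uint64_t m)
{
    return modpow(m, RSA_E, RSA_N);
}

/* Unblinded private-key operation: the exponentiation runs directly on
   the attacker-chosen ciphertext c, so its timing is a function of c. */
uint64_t rsa_private_plain(uint64_t c)
{
    return modpow(c, RSA_D, RSA_N);
}

/* What the exponentiation actually sees under blinding: c * r^e mod n,
   a value the attacker cannot predict without knowing r. */
uint64_t rsa_blind_input(uint64_t c, uint64_t r)
{
    return (c % RSA_N) * modpow(r, RSA_E, RSA_N) % RSA_N;
}

/* Blinded private-key operation. Since (c * r^e)^d = c^d * r^(e*d)
   = c^d * r (mod n), multiplying the result by r^-1 recovers c^d; the
   exponentiation never touched c itself. Returns 0 if r is not
   invertible mod n (a real implementation draws a new r). */
uint64_t rsa_private_blinded(uint64_t c, uint64_t r)
{
    uint64_t rinv = modinv(r, RSA_N);
    if (rinv == 0)
        return 0;
    uint64_t s = modpow(rsa_blind_input(c, r), RSA_D, RSA_N);
    return (s * rinv) % RSA_N;
}

int main(void)
{
    uint64_t c = rsa_public(65);
    printf("ciphertext of 65: %llu\n", (unsigned long long)c);
    printf("plain decrypt:    %llu\n", (unsigned long long)rsa_private_plain(c));
    printf("blinded (r=7):    input seen by modpow = %llu, result = %llu\n",
           (unsigned long long)rsa_blind_input(c, 7),
           (unsigned long long)rsa_private_blinded(c, 7));
    printf("blinded (r=11):   input seen by modpow = %llu, result = %llu\n",
           (unsigned long long)rsa_blind_input(c, 11),
           (unsigned long long)rsa_private_blinded(c, 11));
    return 0;
}
```

The two blinded runs feed different values into the exponentiation and still agree with the unblinded result, which is the property that makes the timing of the exponentiation useless to an attacker who only controls c.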
Alerts: