MySQL and SAP
Corporate code releases are always an uncertain prospect. The contribution
of a large body of code is always welcomed, but only time will tell what
sort of development and user community will eventually develop around that
code. SAP released its relational database management system (SAP-DB) to
great fanfare in October, 2000. Compared to some of that month's other
events (Atipa acquires OpenNMS, VA Linux hires the Debian project leader,
the PostgreSQL hackers go to work for Great Bridge, EBIZ and the Linux Mall
merge, Turbolinux gets $30 million in venture funding, LynuxWorks files for
its IPO, Progeny Linux ships its first beta distribution, Linus claims "no
show-stopper bugs" in 2.4.0-test10), SAP-DB has been a raging success.
Still, relative to the other free database systems (PostgreSQL, MySQL, and
perhaps even Interbase/Firebird), SAP-DB has not pulled in a particularly
large community.
Nobody can say the same thing about MySQL. This free relational database
manager, despite a lingering reputation for lacking the features that
"real" database systems have, claims some four million installed systems.
MySQL's user community is large and strong, and MySQL AB, the copyright
holder for MySQL, is apparently thriving. But MySQL's "fast, reliable, but
still a toy" reputation (at least in some circles) is probably not helping
MySQL AB win those really big contracts.
So the announcement of a partnership between MySQL AB and SAP makes a
fair amount of sense for both sides. Under this deal, MySQL AB gets
the right to sell commercial versions of SAP-DB, which will be relicensed
entirely under the GPL and renamed. SAP-DB will thus become a product much
like the current MySQL offerings, but one aimed at "enterprise"
deployments.
MySQL AB gets a new product to sell which has a lengthy large-deployment
track record and which should prove easier to market to large companies.
SAP's sales force and existing large company customer base should also
prove most helpful in that regard. And, of course, MySQL gets to mix
together the best of both systems to create "the next-generation MySQL open
source enterprise database."
SAP, meanwhile, gets access to a brand with great respect in the free
software community. MySQL AB has a proven ability to create an active
developer and user community around a free database system; this skill will come
to great use in reviving interest in the database formerly known as
SAP-DB. More significant, however, is the fact that MySQL AB has
figured out how to sell proprietary licenses to a free software product,
pleasing its customers while simultaneously avoiding alienating the
developer community. The company's ability to walk that fine line bodes
well for SAP-DB's future.
If there is a down side to this deal, it is that the SAP-DB client
libraries, which were formerly licensed under the LGPL, will, in the
future, only be available under the GPL. That change is crucial to the
entire strategy, of course; it is the lever that will force proprietary
software vendors to buy a commercial license. But it is a change which
will upset users who were making use of the previous LGPL licensing; a look
at the sapdb-general
mailing list shows a handful of messages from users who are unhappy
with the new state of affairs.
Of course, those users have not really lost anything; the current SAP-DB
release cannot and will not be taken away from them. They simply will not
have the same access to future releases. SAP-DB users have the right to
fork the code base and maintain the code independently, and they might just
do so. But it is hard to see a forked SAP-DB attracting a larger community
than SAP-DB has now, especially when the folks over at MySQL appear to be
having all the fun.
The SCO case gets weirder
We were planning to keep SCO off the front page this week. Really. But no
such luck.
This week's fun centers around a press release issued by Novell. But first
some background: SCO, recall, has been trumpeting its ownership rights in
the Unix source and patents for some time. The main "SCOsource" page states:
SCO is the owner of the UNIX Operating System Intellectual Property
that dates all the way back 1969, when the UNIX System was created
at Bell Laboratories. Through a series of mergers and acquisitions,
SCO has acquired ownership of the patents, copyrights and core
technology associated with the UNIX System.
The patent claim was effectively debunked
by Don Marti back in March, but the ownership claim has gotten an easier
ride. Until now. Novell, the company which obtained Unix from ATT, has
issued a
press release taking issue with SCO's claims. In particular, Novell is
asserting that it still owns the copyrights on the Unix code base:
Importantly, and contrary to SCO's assertions, SCO is not the owner
of the UNIX copyrights. Not only would a quick check of
U.S. Copyright Office records reveal this fact, but a review of the
asset transfer agreement between Novell and SCO confirms it. To
Novell's knowledge, the 1995 agreement governing SCO's purchase of
UNIX from Novell does not convey to SCO the associated copyrights.
We believe it unlikely that SCO can demonstrate that it has any
ownership interest whatsoever in those copyrights. Apparently, you [SCO]
share this view, since over the last few months you have repeatedly
asked Novell to transfer the copyrights to SCO, requests that
Novell has rejected.
Novell's claim notwithstanding, SCO has been quoted
reiterating its claim to the Unix copyright (and threatening to sue Linus
Torvalds for patent infringement as well). But SCO's
annual report, as filed with the U.S. Securities and Exchange
Commission, includes an interesting disclosure:
The Company has an arrangement with Novell, Inc. ("Novell") in
which it acts as an administrative agent in the collection of
royalties for customers who deploy SVRx technology. Under the
agency agreement, the Company collects all customer payments and
remits 95 percent of the collected funds to Novell and retains 5
percent as an administrative fee.
SCO, it would seem, is not the copyright owner; it is simply the paperwork
shuffler, working for a 5% cut. That is not quite the picture that the
company has been trying to present.
Whether this turn of events weakens SCO's case against IBM remains to be
seen. SCO rushed out a
response stating that it doesn't matter:
SCO's lawsuit against IBM does not involve patents or copyrights.
SCO's complaint specifically alleges breach of contract, and SCO
intends to protect and enforce all of the contracts that the
company has with more than 6,000 licensees.
In fact, the original
complaint does talk mostly about trade secrets and breach of contract. It
does also, however, assert (once again) ownership of Unix and claim that IBM's actions
have caused a reduction in the value of its Unix assets. Novell's claim
challenges SCO's standing in the case; it may also be used by IBM's lawyers
to question SCO's truthfulness and good faith in general.
Regardless of how the IBM suit goes, however, it now seems clearer than
ever that the 1500 or so recipients of SCO's "Letter
to Linux customers" can simply file that letter next to their AOL
disks. SCO's case is not about patents or copyrights; the company has no
standing to go after random Linux users. This letter was pure FUD and
possibly libelous.
Novell does not stop with its copyright assertion. The company's
press release challenges SCO to produce its evidence, and hints at legal
moves to come:
SCO's actions are disrupting business relations that might
otherwise form at a critical time among partners around Linux
technologies, and are depriving these partners of important
economic opportunities. We hope you understand the potential
significant legal liability SCO faces for the possible harm it is
causing to countless customers, developers, and other Linux
community members.
It is also interesting to note that LinuxTag's lawyers have given
notice to SCO Group GmbH that SCO must cease its "unfair competitive
practices" as embodied in its attacks against Linux.
If SCO can't produce some convincing evidence for its claims soon, it may
well find itself dealing with lawsuits from the other side of the
courtroom.
Open source content management systems roundup
[This article was contributed by Joe 'Zonker' Brockmeier]
The third Open Source Content Management
(OSCOM) Conference this week has all eyes on Open Source Content
Management Systems (CMS). Well, maybe not all eyes, but Open
Source CMS are certainly getting quite a bit of attention this week.
There are far, far too many Open Source CMS projects under development
to touch on all of them here, so consider this an overview of some of
the more popular, interesting and/or capable CMS projects being used
today. Note that this includes actual CMS systems, not Content
Management Framework (CMF) projects like Midgard, Mason or Zope, which typically require significant
assembly work before they can be deployed for any particular application.
Almost all Open Source CMS projects support features like RSS feeds,
threaded comments, user authentication, templates, integrated search
engines or support for external engines, version control, in-browser
editing, scheduled publishing, support for multiple languages and so on.
Perhaps the most important feature for most developers is which language the
project is written in, and how easily extensible it is.
Slashcode, more frequently referred
to as just Slash, is arguably the
best-known CMS out there. Slash is pretty
much aimed at news/Weblog-type sites, so it may not be best for general
purpose sites. Slashcode is written in Perl, uses a MySQL backend and
is available under the GNU General Public License (GPL). Slashcode is
owned by OSDN.
In a similar vein, there's Scoop, the code that powers kuro5hin and a slew of other news
sites and weblogs. Like Slashcode, Scoop is written in Perl with a MySQL
backend and is available under the GPL. If you're looking to run a news
site or Weblog, but prefer PHP to Perl, there's PHP-Nuke, PostNuke and PHPSlash.
For more of a "professional" approach to running a news site, there's Cofax. Cofax ("Content Object Factory") was
mostly developed by
staff at KnightRidder.com and Philly.com with participation from other
Knight Ridder newspapers. Cofax is designed to help simplify the
presentation of newspaper content on a Website, and to speed up
real-time Web publication. One example of Cofax in action is the Silicon
Valley site; it is also used to power more than 30 Knight Ridder
newspaper sites. The Cofax CMS is written in Java, uses MySQL or
Microsoft SQL Server for data storage, and is licensed under the GNU
Lesser General Public License. The instructions on the Cofax site are
Windows-specific, but it has also been tested under Sun OS 5.8, and
could probably be coaxed to work on a Linux server as well.
There are a number of CMS projects for more general sites.
Though Red Hat is best known for its Linux distribution, it also
offers an Enterprise
Content Management System. Red Hat's CMS is written in Java,
requires PostgreSQL or Oracle and a J2EE servlet container and is
supported on Red Hat, Solaris, Windows, AIX or HP-UX. Unlike most of Red
Hat's offerings, the Red Hat CMS is available under the IBM Public
License rather than the GPL.
Another all-purpose CMS is OpenACS.
OpenACS is a little different, in that it is written in Tcl rather than
Perl, Java or PHP. OpenACS has a number of applications such as bug
trackers, chat, e-commerce features and much more. The OpenACS code is
distributed under the terms of the GPL, and requires AOLserver and an
Oracle or PostgreSQL backend. The Creative Commons site is just
one example of a site powered by OpenACS.
Where would we be without Wiki-type sites? There are a number of
Wiki-inspired packages out there, but tikiwiki may be the most
full-featured. Tiki is PHP-based and offers LDAP authentication, webmail, tasks
and notepad features, image galleries, games and a slew of other
features not normally found in Wiki implementations. If you'd like to
get a feel for Tiki, check out the demo site.
Bricolage is another general purpose
content management and publishing system. Bricolage is written in Perl
and uses PostgreSQL to store content. Macworld recently announced that
it is using Bricolage to power its site. If you'd like to run
Bricolage you'll need Apache with mod_perl and Mason. Bricolage is published under a
BSD-style license.
The WebGUI folks call
their solution an "application framework" rather than a CMS, but it does
the job just as well. WebGUI is written in Perl and can use MySQL or
PostgreSQL as a data store. It will run on Linux, Solaris, FreeBSD, and
Windows with Apache or IIS. The Law Society of Western
Australia is using WebGUI for their site. WebGUI is available under
the GPL and is developed by Plain Black Software.
OpenCms is pretty
flexible in that it will run on LAMP platforms with Tomcat or on Windows
platforms with Oracle and BEA Weblogic. OpenCms is used on a number of
sites, including the Tribeca Film Festival site. OpenCms offers a WYSIWYG editor through a Web browser, but only for folks using Internet Explorer. Development for OpenCms is coordinated by Alkacon Software.
This is, of course, just the tip of the iceberg. There are quite a few
other Open Source CMS projects out there; curious readers can start with
the OSCOM Matrix of CMS projects.
Finally, OpensourceCMS is another site worth visiting if you're shopping
for an Open Source CMS, especially if you're looking to test-drive Open
Source CMS packages before actually messing with installation. The nice thing about Open
Source is that you can always "try before you buy" but the
installation process for many CMS packages can be a bit painful, or at
least very time-consuming. OpensourceCMS does not have every CMS project
available, but they have a pretty good list of demos you can try out.
Page editor: Jonathan Corbet
Security
Security news
Where are the kernel updates?
On April 5, Florian Weimer sent
a note to the
linux-kernel mailing list describing a hashing vulnerability in the 2.4
kernel. His assessment:
It is possible to freeze machines with 1 GB of RAM and more with a
stream of 400 packets per second with carefully chosen source
addresses. Not good.
This problem was also described on this page last week.
We are, in other words, going on two months since this vulnerability was
publicly disclosed. A quick look at the LWN Vulnerability Database
entry for this problem, however, shows that only two distributors
(EnGarde and Red Hat) have updated their kernels to close this hole. So
all of the other distributors, many of which have a very good history of
quick response to security problems, are leaving their users exposed on
this one.
This vulnerability may seem less urgent because it cannot be used to gain
root access to a target machine. It can, however, be used to take a
system off the net. It allows a remote attacker to obtain the results of a
distributed denial of service attack without that attacker having to
arrange the "distributed" part. It is a serious problem which will
certainly be exploited, with unpleasant results. The distributors owe
their users a fix.
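The mechanism at issue, as an added example that is not from the article or from the kernel: a toy lookup table keyed by IPv4 source address. The unkeyed hash, the keyed hash and the address set are all constructed here for illustration; the keyed variant shows the general fix class (a secret mixed into the hash) and gives a maintainer a way to measure the worst-case chain length before and after.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUCKETS 256u   /* table size; the masks below assume a power of two */
#define N_ADDRS 1024u  /* addresses inserted in the demo */

/* Unkeyed hash: XOR-fold the four address bytes into one. Fast, and fully
   predictable by anyone on the network: every address whose bytes XOR to
   the same value lands in the same bucket. */
unsigned hash_unkeyed(uint32_t addr)
{
    return ((addr >> 24) ^ (addr >> 16) ^ (addr >> 8) ^ addr) & (BUCKETS - 1);
}

/* Keyed hash: fold in a secret chosen at boot, then run a finalizer with
   good avalanche (the murmur3 fmix32 steps). A sender who does not know the
   key cannot tell which addresses will collide, so it cannot pick them. */
unsigned hash_keyed(uint32_t addr, uint32_t key)
{
    uint32_t h = addr ^ key;
    h ^= h >> 16; h *= 0x85ebca6bu;
    h ^= h >> 13; h *= 0xc2b2ae35u;
    h ^= h >> 16;
    return h & (BUCKETS - 1);
}

/* Length of the longest chain after inserting n addresses: the cost of the
   worst-case lookup, which is what a flood of chosen addresses drives up. */
unsigned longest_chain(const uint32_t *addrs, size_t n, int keyed, uint32_t key)
{
    unsigned count[BUCKETS] = {0}, worst = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned b = keyed ? hash_keyed(addrs[i], key) : hash_unkeyed(addrs[i]);
        if (++count[b] > worst)
            worst = count[b];
    }
    return worst;
}

/* Constructed input: 10.a.b.c with c = a ^ b, so the XOR-fold of every
   address is 10 and the unkeyed table degenerates into a single chain. */
void colliding_addrs(uint32_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t a = (i >> 8) & 0xff, b = i & 0xff;
        out[i] = (10u << 24) | (a << 16) | (b << 8) | (a ^ b);
    }
}

/* Worst chain for the constructed address set under either hash. */
unsigned demo_chain(int keyed, uint32_t key)
{
    uint32_t addrs[N_ADDRS];
    colliding_addrs(addrs, N_ADDRS);
    return longest_chain(addrs, N_ADDRS, keyed, key);
}

int main(void)
{
    printf("unkeyed: longest chain %u of %u\n", demo_chain(0, 0), N_ADDRS);
    printf("keyed:   longest chain %u of %u\n", demo_chain(1, 0x9e3779b9u), N_ADDRS);
    return 0;
}
```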
New vulnerabilities
Apache 2 - denial of service
| Package(s): | apache |
| --- | --- |
| CVE #(s): | CAN-2003-0189, CAN-2003-0245 |
| Created: | May 28, 2003 |
| Updated: | June 16, 2003 |
| Description: | A new set of denial of service vulnerabilities has been found in Apache versions 2.0 through 2.0.45. The potential for a remote code exploit apparently exists as well. See the Apache 2.0.46 announcement for more information. |
| Alerts: | |
CUPS: vulnerability in the CUPS IPP implementation
| Package(s): | cups |
| --- | --- |
| CVE #(s): | CAN-2003-0195 |
| Created: | May 27, 2003 |
| Updated: | July 22, 2003 |
| Description: | Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP (Internet Printing Protocol) implementation. The IPP implementation is single-threaded, which means only one request can be serviced at a time. An attacker could make a partial request that does not time out and therefore creates a denial of service. In order to exploit this bug, an attacker must have the ability to make a TCP connection to the IPP port (by default 631). |
| Alerts: | |
Nessus NASL scripting engine security issues
| Package(s): | nessus |
| --- | --- |
| CVE #(s): | |
| Created: | May 27, 2003 |
| Updated: | August 12, 2004 |
| Description: | Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information. |
| Alerts: | |
Updated vulnerabilities
BitchX - denial of service
| Package(s): | BitchX |
| --- | --- |
| CVE #(s): | |
| Created: | February 20, 2003 |
| Updated: | May 26, 2003 |
| Description: | From this Bugtraq posting: "A denial of service vulnerability exists in BitchX. Sending a malformed RPL_NAMREPLY numeric 353 causes BitchX to segfault. This problem was reported to panasync@efnet#bitchx on Jan 30 2003, as of this writing we are unaware of any patches or workarounds provided by panasync and or any members of #bitchx" |
| Alerts: | |
LPRng: insecure temporary file
| Package(s): | LPRng |
| --- | --- |
| CVE #(s): | CAN-2003-0136 |
| Created: | April 14, 2003 |
| Updated: | June 16, 2003 |
| Description: | Karol Lewandowski discovered that psbanner, a printer filter that creates a PostScript format banner and is part of LPRng, insecurely creates a temporary file for debugging purposes when it is configured as a filter. The program does not check whether this file already exists or is linked to another place, and writes its current environment and called arguments to the file unconditionally with the user id daemon. |
| Alerts: | |
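The two ways of opening a fixed-name debug file that the psbanner entry describes, as an added example written for this page rather than taken from LPRng: the insecure open that trusts whatever is already at the path, the hardened open that refuses a pre-existing file or symlink, and a check that runs both against a symlink planted in a scratch directory (the directory, file names and contents are all constructed here).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern: open a fixed, predictable file name for writing and trust
   whatever is already there. If another local user pre-created the name as a
   symlink, the write lands wherever the link points, with the caller's uid. */
int debug_open_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: O_EXCL makes the open fail if anything exists at 'path'
   (a symlink included, even a dangling one), O_NOFOLLOW refuses to traverse a
   symlink in any case, and 0600 keeps the environment dump private. A caller
   that does not need a fixed name should use mkstemp() instead. */
int debug_open_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Build the scenario in a fresh directory: a 'victim' file with known content
   and a symlink named like the debug file pointing at it. Returns 0 on success. */
static int make_scenario(char *dir, char *victim, char *link_path, size_t len)
{
    int fd;
    strcpy(dir, "/tmp/psbanner-demo-XXXXXX");
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./psbanner-demo-XXXXXX");   /* fallback if /tmp is unusable */
        if (mkdtemp(dir) == NULL) return -1;
    }
    snprintf(victim, len, "%s/victim", dir);
    snprintf(link_path, len, "%s/psbanner.debug", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep me\n", 8) != 8) return -1;
    close(fd);
    return symlink(victim, link_path);
}

/* Size of a file in bytes, or -1. */
static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Run both opens against the planted symlink. Returns a bitmask:
     bit 0: the insecure open followed the link and overwrote the victim
     bit 1: the safe open refused with EEXIST or ELOOP
   or -1 if the scenario could not be set up. Cleans up after itself. */
int run_demo(void)
{
    char dir[64], victim[128], link_path[128];
    int result = 0, fd;
    const char dump[] = "USER=daemon\n";   /* stand-in for the environment dump */

    if (make_scenario(dir, victim, link_path, sizeof victim) != 0) return -1;

    fd = debug_open_insecure(link_path);
    if (fd >= 0) {
        if (write(fd, dump, sizeof dump - 1) == (ssize_t)(sizeof dump - 1) &&
            file_size(victim) == (long)(sizeof dump - 1))
            result |= 1;   /* victim's "keep me" is gone: the link was followed */
        close(fd);
    }

    fd = debug_open_safe(link_path);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP))
        result |= 2;
    else if (fd >= 0)
        close(fd);

    unlink(link_path);
    unlink(victim);
    rmdir(dir);
    return result;
}
```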
perl-MailTools: remote command execution
| Package(s): | MailTools |
| --- | --- |
| CVE #(s): | CAN-2002-1271 |
| Created: | November 5, 2002 |
| Updated: | September 19, 2003 |
| Description: | The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body. Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags. |
| Alerts: | |
NetPBM: math overflow errors
| Package(s): | NetPBM |
| --- | --- |
| CVE #(s): | CAN-2003-0146 |
| Created: | March 17, 2003 |
| Updated: | May 27, 2003 |
| Description: | Al Viro and Alan Cox discovered several maths overflow errors in NetPBM, a set of graphics conversion tools. These programs are not installed setuid root but are often installed to prepare data for processing. These vulnerabilities may allow remote attackers to cause a denial of service or execute arbitrary code. |
| Alerts: | |
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
| --- | --- |
| CVE #(s): | CAN-2002-1323 |
| Created: | October 9, 2002 |
| Updated: | February 20, 2004 |
| Description: | usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08. |
| Alerts: | |
TCP/IP: inconsistent flag handling
| Package(s): | TCP/IP |
| --- | --- |
| CVE #(s): | |
| Created: | May 5, 2003 |
| Updated: | May 20, 2003 |
| Description: | Various vendors' TCP/IP implementations handle packets containing unusual flag combinations in different ways, which may lead to a violation of implicit or explicit security policies. See CERT VU#464113 and this BugTraq post for more information. |
| Alerts: | |
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
| --- | --- |
| CVE #(s): | CAN-2002-0651, CAN-2002-0684 |
| Created: | July 8, 2002 |
| Updated: | October 1, 2003 |
| Description: | The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here. No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago. Unfortunately that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely." See CERT Advisory CA-2002-19, Buffer Overflow in Multiple DNS Resolver Libraries (CAN-2002-0651, CAN-2002-0684). |
| Alerts: | |
Bugzilla: several vulnerabilities.
| Package(s): | bugzilla |
| --- | --- |
| CVE #(s): | |
| Created: | April 30, 2003 |
| Updated: | May 21, 2003 |
| Description: | The Bugzilla bug tracking system has a new set of vulnerabilities which can lead to cross-site scripting and symlink attacks. Versions 2.16.3 and 2.17.4 contain the necessary fixes; see this advisory for the details. |
| Alerts: | |
Canna server: exploitable buffer overrun
| Package(s): | canna |
| --- | --- |
| CVE #(s): | CAN-2002-1158, CAN-2002-1159 |
| Created: | December 10, 2002 |
| Updated: | October 1, 2003 |
| Description: | Canna is a kana-kanji conversion server which is necessary for Japanese language character input. A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue. A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159) See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt, CAN-2002-1158, CAN-2002-1159. |
| Alerts: | |
cdrecord: format string vulnerability
| Package(s): | cdrecord |
| --- | --- |
| CVE #(s): | CAN-2003-0289 |
| Created: | May 15, 2003 |
| Updated: | May 21, 2003 |
| Description: | A format string vulnerability in scsiopen.c of the cdrecord program in cdrtools 2.0 allows local users to gain privileges via format string specifiers in the "dev" parameter. |
| Alerts: | |
dvips: command execution vulnerability
| Package(s): | dvips |
| --- | --- |
| CVE #(s): | CAN-2002-0836 |
| Created: | October 16, 2002 |
| Updated: | June 10, 2003 |
| Description: | The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system. |
| Alerts: | |
epic4: buffer overflows and arbitrary code execution
| Package(s): | epic4 |
| --- | --- |
| CVE #(s): | |
| Created: | May 2, 2003 |
| Updated: | May 22, 2003 |
| Description: | Timo Sirainen discovered several problems in EPIC4, a popular client for Internet Relay Chat (IRC). A malicious server could craft special reply strings, triggering the client to write beyond buffer boundaries. This could lead to a denial of service if the client only crashes, but may also lead to execution of arbitrary code under the user id of the chatting user. |
| Alerts: | |
ethereal - format string vulnerability
| Package(s): | ethereal |
| --- | --- |
| CVE #(s): | CAN-2003-0081 |
| Created: | March 10, 2003 |
| Updated: | June 12, 2003 |
| Description: | The SOCKS dissector in Ethereal 0.9.9 is susceptible to a format string overflow. This vulnerability has been present in Ethereal since the SOCKS dissector was introduced in version 0.8.7. It was discovered by Georgi Guninski. Additionally, the NTLMSSP code is susceptible to a heap overflow. All users of Ethereal 0.9.9 and below are encouraged to upgrade. See the full advisory for additional information. |
| Alerts: | |
Filename disclosure vulnerability in fam
| Package(s): | fam |
| --- | --- |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: | |
fetchmail: buffer overflow
| Package(s): | fetchmail |
| --- | --- |
| CVE #(s): | CAN-2002-1365 |
| Created: | December 17, 2002 |
| Updated: | October 20, 2003 |
| Description: | Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. |
| Alerts: | |
file - memory allocation problem, stack overflow
| Package(s): | file |
| --- | --- |
| CVE #(s): | CAN-2003-0102 |
| Created: | March 4, 2003 |
| Updated: | June 4, 2003 |
| Description: | Jeff Johnson found a memory allocation problem and David Endler found a stack overflow corruption problem in the file "Automatic File Content Type Recognition Tool" version 3.41. Nalin Dahyabhai improved ELF section and program header handling in file version 3.40. The folks at OpenPKG believe that file versions without those modifications are vulnerable to memory allocation and stack overflow problems which put security at risk. |
| Alerts: | |
Potential remote root exploit in glibc
| Package(s): | glibc |
| --- | --- |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 14, 2002 |
| Updated: | June 29, 2003 |
| Description: | Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library which is used in glibc. This bug could be exploited to gain unauthorized root access to software linking to glibc. Updating as soon as practical is a good idea. Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information. See CERT/CC Vulnerability Note VU#192995, Integer overflow in xdr_array() function when deserializing the XDR stream. |
| Alerts: | |
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
| --- | --- |
| CVE #(s): | CAN-2002-1146 |
| Created: | November 7, 2002 |
| Updated: | February 5, 2004 |
| Description: | DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331.) The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash). |
| Alerts: | |
glibc: integer overflow in the xdrmem_getbytes() function
| Package(s): | glibc krb5 dietlibc |
| --- | --- |
| CVE #(s): | CAN-2003-0028 |
| Created: | March 21, 2003 |
| Updated: | May 27, 2003 |
| Description: | An integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, and glibc, allows remote attackers to execute arbitrary code via certain integer values in length fields. See CAN-2003-0028 and CERT advisory CA-2003-10 for more information. |
| Alerts: | |
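The two XDR bug classes in the glibc entries above (the xdr_array() integer overflow from VU#192995 and the xdrmem_getbytes() length-field overflow from CAN-2003-0028), as an added example that is not glibc's code: a minimal in-memory XDR decoder whose length checks are written so that neither an element count nor a byte length supplied by the peer can wrap. The wrapping check, the stream format helpers and the two sample streams are constructed for this illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal in-memory XDR stream: a byte buffer, how many bytes it really
   holds, and a cursor. pos never exceeds size. */
typedef struct {
    const unsigned char *base;
    uint32_t size;
    uint32_t pos;
} xdrmem_t;

/* The bug class behind the xdrmem_getbytes() entry, in constructed form:
   a signed "bytes left" counter is decremented by an unsigned length and
   only then tested for negative. The subtraction wraps, so a length near
   2^32 looks like a small negative number and passes. Returns 1 if this
   shape of check would accept 'len'. (Converting the wrapped value back to
   int is implementation-defined; gcc and clang wrap modulo 2^32.) */
int accepts_len_wrapping(int remaining, uint32_t len)
{
    remaining = (int)((uint32_t)remaining - len);
    return remaining >= 0;
}

/* Correct form: compare first, never subtract first. */
int accepts_len_checked(uint32_t remaining, uint32_t len)
{
    return len <= remaining;
}

/* The bug class behind the xdr_array() entry: count * element size computed
   in 32 bits. Returns 1 if the product would wrap. */
int mul_overflows_u32(uint32_t count, uint32_t elsize)
{
    return elsize != 0 && count > UINT32_MAX / elsize;
}

/* Read one XDR unsigned int (big-endian, always 4 bytes on the wire). */
int xdr_u32(xdrmem_t *x, uint32_t *out)
{
    const unsigned char *p;
    if (!accepts_len_checked(x->size - x->pos, 4)) return 0;
    p = x->base + x->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    x->pos += 4;
    return 1;
}

/* Decode an XDR variable-length array of unsigned ints: a 4-byte count
   followed by 'count' elements. maxcount is the protocol's own limit.
   Returns the element count, or -1 with *out == NULL on a short stream, a
   count above the limit, a count whose byte size wraps, or a count the
   stream cannot actually contain (the tiny-malloc, long-write trap). */
long xdr_u32_array(xdrmem_t *x, uint32_t **out, uint32_t maxcount)
{
    uint32_t count, nbytes, *arr;
    *out = NULL;
    if (!xdr_u32(x, &count)) return -1;
    if (count > maxcount) return -1;
    if (mul_overflows_u32(count, 4)) return -1;
    nbytes = count * 4;
    if (!accepts_len_checked(x->size - x->pos, nbytes)) return -1;
    arr = malloc(nbytes ? nbytes : 1);   /* zero-length arrays are legal XDR */
    if (!arr) return -1;
    for (uint32_t i = 0; i < count; i++)
        if (!xdr_u32(x, &arr[i])) { free(arr); return -1; }
    *out = arr;
    return (long)count;
}

/* Constructed sample streams. */
static const unsigned char GOOD_STREAM[] = {
    0x00, 0x00, 0x00, 0x02,     /* count = 2 */
    0x11, 0x22, 0x33, 0x44,     /* element 0 */
    0x55, 0x66, 0x77, 0x88,     /* element 1 */
};
static const unsigned char EVIL_STREAM[] = {
    0x40, 0x00, 0x00, 0x01,     /* count = 0x40000001: count * 4 wraps to 4 */
    0xde, 0xad, 0xbe, 0xef,
};

/* Decode a sample with no protocol limit, relying only on the overflow and
   stream-length checks. Returns the element count or -1. */
long decode_sample(int evil)
{
    const unsigned char *buf = evil ? EVIL_STREAM : GOOD_STREAM;
    uint32_t len = evil ? (uint32_t)sizeof EVIL_STREAM : (uint32_t)sizeof GOOD_STREAM;
    xdrmem_t x = { buf, len, 0 };
    uint32_t *arr;
    long n = xdr_u32_array(&x, &arr, UINT32_MAX);
    free(arr);
    return n;
}

/* First element of the good sample, or 0 if decoding fails. */
uint32_t sample_first_elem(void)
{
    xdrmem_t x = { GOOD_STREAM, (uint32_t)sizeof GOOD_STREAM, 0 };
    uint32_t *arr, v = 0;
    if (xdr_u32_array(&x, &arr, 16) > 0) v = arr[0];
    free(arr);
    return v;
}
```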
gnupg: key validation
| Package(s): | gnupg |
| --- | --- |
| CVE #(s): | CAN-2003-0255 |
| Created: | May 15, 2003 |
| Updated: | November 17, 2003 |
| Description: | A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID. |
| Alerts: | |
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| --- | --- |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
IMP - SQL injection vulnerability
| Package(s): | imp |
| --- | --- |
| CVE #(s): | CAN-2003-0025 |
| Created: | January 15, 2003 |
| Updated: | July 8, 2003 |
| Description: | The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL injection; see this advisory for details. Version 3.x is not vulnerable to this problem. |
| Alerts: | |
kde: arbitrary code execution
| Package(s): | kde |
| --- | --- |
| CVE #(s): | CAN-2003-0204 |
| Created: | April 10, 2003 |
| Updated: | June 30, 2003 |
| Description: | The KDE Security team has issued an advisory on a vulnerability present in all versions of KDE that allows a remote attacker to execute arbitrary commands under your account. KDE 3.0.5b and KDE 3.1.1a have been released to address this problem. For KDE 2.2.2, patches to the KDE 2.2.2 sources have been made available. KDE uses Ghostscript software for processing of PostScript (PS) and PDF files in a way that allows for the execution of arbitrary commands that can be contained in such files. An attacker can prepare a malicious PostScript or PDF file which will provide the attacker with access to the victim's account and privileges when the victim opens this malicious file for viewing or when the victim browses a directory containing such a malicious file and has file previews enabled. An attacker can provide malicious files remotely to a victim in an e-mail, as part of a webpage, via an ftp server and possibly other means. |
| Alerts: | |
kerberos - cryptographic weakness
| Package(s): | kerberos, heimdal, openafs |
| --- | --- |
| CVE #(s): | CAN-2003-0138, CAN-2003-0139 |
| Created: | March 26, 2003 |
| Updated: | May 27, 2003 |
| Description: | Version 4 of the Kerberos protocol contains a cryptographic weakness which enables a chosen-plaintext attack. A suitably equipped attacker can impersonate any principal in the realm. Another weakness allows the creation of false Kerberos tickets. Given the weaknesses in the cryptography, cross-realm authentication cannot be performed in a secure way. OpenAFS kaserver implements version 4 of the Kerberos protocol, and therefore is also vulnerable. |
| Alerts: | |
kernel - ptrace-related vulnerability
| Package(s): | kernel |
| --- | --- |
| CVE #(s): | CAN-2003-0127 |
| Created: | March 17, 2003 |
| Updated: | June 30, 2003 |
| Description: | Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in ptrace() which may be exploited by a local user to obtain root access. This announcement contains the details and a patch for 2.4.20. For 2.2 users, 2.2.25 has been released which contains the fix. |
| Alerts: | |
kernel 2.4 - two new vulnerabilities
| Package(s): | kernel |
| --- | --- |
| CVE #(s): | CAN-2003-0244, CAN-2003-0246 |
| Created: | May 14, 2003 |
| Updated: | July 25, 2003 |
| Description: | The 2.4.20 (and prior) kernel contains a couple of vulnerabilities that are worth fixing: (1) the ioperm() system call doesn't perform proper checking, allowing a local user to manipulate arbitrary I/O ports; (2) the networking code contains a remotely exploitable denial of service condition; see the May 24 Security Page for details. |
| Alerts: | |
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains the User Mode Linux (UML) utilities.
The uml_net utility in the kernel-utils packages shipped with Red Hat Linux
8.0 was incorrectly installed setuid root. This could allow local users to
control certain network interfaces, add and remove ARP entries and routes,
and put interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to the fixed packages,
which contain a version of uml_net that is not setuid root.
Alternatively, as a work-around, issue the following command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
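The stray setuid bit above is the kind of thing that is easy to catch with a periodic audit of set-id files against a short allow-list. The following is an added example (not Red Hat's packaging or any project's code) that does that audit and applies the same fix as the chmod -s work-around; the directory tree, the allow-list and the file names it checks are constructed for illustration.

```python
"""Audit a tree for unexpected setuid/setgid binaries and strip the bit.

Added example; standard library only.  The tree, allow-list and file names
in demo() are constructed sample data, not real system paths.
"""
import os
import stat
import tempfile
from typing import Iterator, List, Set, Tuple


def find_setid(root: str) -> Iterator[Tuple[str, int]]:
    """Yield (path, mode) for regular files under root with setuid or setgid
    set.  lstat() and os.walk's default of not following symlinks keep a
    planted link from dragging the walk elsewhere or double-counting."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished: skip, don't abort the audit
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path, st.st_mode


def unexpected_setid(root: str, allowed: Set[str]) -> List[str]:
    """Set-id files under root whose basename is not on the allow-list of
    binaries that are expected to be set-id (passwd, su, ...)."""
    return sorted(p for p, _ in find_setid(root)
                  if os.path.basename(p) not in allowed)


def strip_setid(path: str) -> int:
    """Equivalent of `chmod -s path`: clear setuid and setgid, keep the rest.
    Returns the new permission bits."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    new_mode = mode & ~(stat.S_ISUID | stat.S_ISGID)
    os.chmod(path, new_mode)
    return new_mode


def demo() -> dict:
    """Constructed scenario: a throwaway usr/bin with one expected setuid
    binary (passwd), one stray one (uml_net) and one normal file (ls)."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("uml_net", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)  # setting setuid on one's own file needs no root
    allowed = {"passwd", "su", "sudo"}
    before = unexpected_setid(root, allowed)
    for path in before:
        strip_setid(path)
    after = unexpected_setid(root, allowed)
    return {
        "before": [os.path.basename(p) for p in before],
        "after": [os.path.basename(p) for p in after],
        "still_setuid": [os.path.basename(p) for p, _ in find_setid(root)],
    }


if __name__ == "__main__":
    print(demo())
```

On a real system the root would be / (or the package's install prefix) and the allow-list would come from the distribution's own list of intended set-id programs; anything else that turns up is either a packaging mistake like this one or something an intruder left behind.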
kopete: vulnerability in GnuPG plugin
| Package(s): | kopete |
| CVE #(s): | CAN-2003-0256 |
| Created: | May 8, 2003 |
| Updated: | June 27, 2003 |
| Description: |
A vulnerability was discovered in versions of kopete prior to 0.6.2. Kopete
is a KDE instant messenger client. The vulnerability is in the GnuPG plugin,
which lets users send each other GPG-encrypted instant messages. The plugin
hands incoming encrypted messages to gpg by building a command line, but
does nothing to sanitize that command line, so shell metacharacters in a
message are interpreted. A remote user can thereby execute arbitrary
commands on the local system with the permissions of the user running
kopete. |
| Alerts: |
|
Comments (none posted)
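The kopete bug is the classic "untrusted text spliced into a shell command" mistake. The following added example (not kopete's or GnuPG's code) shows the vulnerable pattern and the two usual fixes, passing an argv list and keeping the data off the command line altogether; gpg is replaced by the echo and cat stand-ins so it runs without GnuPG installed, and the hostile message is a constructed sample.

```python
"""Shell command injection as in the kopete GnuPG plugin, and the no-shell fix.

Added example, not kopete or GnuPG code.  echo/cat stand in for gpg so the
demo runs anywhere; HOSTILE_MESSAGE is a constructed sample.
"""
import subprocess

# Constructed sample: an incoming "encrypted message" whose text carries a
# shell metacharacter followed by a command of the sender's choosing.
HOSTILE_MESSAGE = "hello; echo INJECTED"


def run_vulnerable(message: str) -> str:
    """The plugin's pattern: message text is spliced into a command string
    that is handed to /bin/sh, which sees ';' and runs the second command."""
    cmd = "echo " + message            # stand-in for "gpg --decrypt " + message
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_argv(message: str) -> str:
    """First fix: start the program with an argv list.  No shell is involved,
    so the whole message is a single argument and ';' is just a character."""
    result = subprocess.run(["echo", message], capture_output=True, text=True)
    return result.stdout


def run_stdin(message: str) -> str:
    """Better fix for gpg-style filters: keep untrusted data off the command
    line entirely and feed it on stdin (gpg --decrypt reads stdin when no
    file is named).  Nothing in the text is ever parsed as syntax."""
    result = subprocess.run(["cat"], input=message, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(HOSTILE_MESSAGE)))
    print("argv:      ", repr(run_argv(HOSTILE_MESSAGE)))
    print("stdin:     ", repr(run_stdin(HOSTILE_MESSAGE)))
```

The vulnerable variant prints two lines because the shell executed the injected command; the other two print the message back verbatim. The stdin route is the one to prefer for gpg, since it also keeps the ciphertext out of the process list and shell history.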
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
| CVE #(s): | CAN-2002-1363 |
| Created: | December 19, 2002 |
| Updated: | July 14, 2004 |
| Description: |
Glenn Randers-Pehrson discovered a problem in the handling of 16-bit
samples in libpng, a library for reading and writing PNG (Portable Network
Graphics) format files. The starting offsets for the loops are calculated
incorrectly, which causes a buffer overrun extending before the beginning
of the row buffer. |
| Alerts: |
|
Comments (none posted)
lprold - buffer overflow in lprm
| Package(s): | lprold, lpd |
| CVE #(s): | CAN-2003-0144 |
| Created: | March 13, 2003 |
| Updated: | May 28, 2003 |
| Description: |
The lprm command of the lprold printing package contains a buffer overflow.
On a system where the printing system is set up, this overflow can be
exploited by a local user to gain root privileges. |
| Alerts: |
|
Comments (none posted)
lv: privilege escalation
| Package(s): | lv |
| CVE #(s): | CAN-2003-0188 |
| Created: | May 15, 2003 |
| Updated: | June 4, 2003 |
| Description: |
Leonard Stiles discovered that lv, a multilingual file viewer, would read
options from a configuration file in the current directory. Because such a
file could be placed there by a malicious user, and lv configuration options
can be used to execute commands, this represented a security vulnerability.
An attacker could gain the privileges of the user invoking lv, including
root. |
| Alerts: |
|
Comments (none posted)
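The lv problem generalizes: any program that consults the working directory for a configuration file hands control to whoever can write there. The following added example (not lv's code) contrasts that lookup with a loader that searches only absolute, administrator-chosen directories and refuses files that are not regular, not owned by the invoking user or root, or group/world writable. The directories, file names and contents are constructed samples.

```python
"""Trusted-location configuration loading versus reading from $PWD.

Added example, not lv code.  Directories, the ".lv" file name and the file
contents used by demo() are constructed samples.
"""
import os
import stat
import tempfile
from typing import List, Optional


def load_config_vulnerable(search_dirs: List[str], name: str) -> Optional[str]:
    """The lv behaviour: the current directory is consulted first, so whoever
    can write to $PWD chooses the options (and lv options can run commands)."""
    for d in ["."] + search_dirs:
        path = os.path.join(d, name)
        if os.path.isfile(path):
            with open(path) as f:
                return f.read()
    return None


def is_trusted_file(path: str) -> bool:
    """Accept only a regular file (lstat, so not a symlink) owned by the
    invoking user or root and not writable by group or others."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid not in (os.getuid(), 0):
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def load_config_hardened(search_dirs: List[str], name: str) -> Optional[str]:
    """Search only absolute, caller-supplied directories, never the working
    directory, and require each candidate to pass is_trusted_file()."""
    for d in search_dirs:
        if not os.path.isabs(d):
            continue  # a relative entry would reintroduce the $PWD problem
        path = os.path.join(d, name)
        if is_trusted_file(path):
            with open(path) as f:
                return f.read()
    return None


def demo() -> dict:
    """Constructed scenario: an attacker drops a hostile .lv into a shared
    directory that the victim later cds into before running the viewer."""
    shared = tempfile.mkdtemp()   # stands in for /tmp or a shared project dir
    home = tempfile.mkdtemp()     # stands in for the victim's home directory
    hostile = os.path.join(shared, ".lv")
    with open(hostile, "w") as f:
        f.write("attacker-controlled options\n")
    os.chmod(hostile, 0o666)      # the attacker's file is world writable
    with open(os.path.join(home, ".lv"), "w") as f:
        f.write("the user's own options\n")
    os.chmod(os.path.join(home, ".lv"), 0o600)
    saved = os.getcwd()
    os.chdir(shared)
    try:
        return {
            "vulnerable": load_config_vulnerable([home], ".lv"),
            "hardened": load_config_hardened([home], ".lv"),
            # Even if an administrator lists the shared directory, the
            # permission check still rejects the world-writable file.
            "hardened_world_writable": load_config_hardened([shared], ".lv"),
        }
    finally:
        os.chdir(saved)


if __name__ == "__main__":
    print(demo())
```

The ownership test is deliberately strict: in the demo both files belong to the same uid, so it is the writable-by-others check that rejects the planted file, which is the situation in a shared or sticky directory where the attacker may well have made the file readable and writable to everyone.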
lynx: CRLF injection vulnerability
| Package(s): | lynx |
| CVE #(s): | CAN-2002-1405 |
| Created: | November 19, 2002 |
| Updated: | October 1, 2003 |
| Description: |
If lynx is given a URL containing certain special characters (carriage
return and line feed) on the command line, it will include forged headers in
the HTTP request it sends. This can be used to make scripts that use lynx for
downloading files fetch from the wrong site on a web server hosting multiple
virtual hosts, since the injected text can supply a Host header of the
attacker's choosing. |
| Alerts: |
|
Comments (none posted)
net-snmp: denial of service vulnerability
| Package(s): | net-snmp |
| CVE #(s): | CAN-2002-1170 |
| Created: | December 17, 2002 |
| Updated: | November 7, 2003 |
| Description: |
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet. |
| Alerts: |
|
Comments (none posted)
nethack: buffer overflow
| Package(s): | nethack, slashem, falconseye |
| CVE #(s): | CAN-2003-0358, CAN-2003-0359 |
| Created: | February 18, 2003 |
| Updated: | July 15, 2003 |
| Description: |
Overflowing a buffer in nethack may lead to privilege escalation to the
games uid. Read the full advisory for the details.
Note that falconseye does not contain the file permission error
(CAN-2003-0359) which affected some other nethack packages. |
| Alerts: |
|
Comments (none posted)
netscape-flash: buffer overflow
| Package(s): | netscape-flash |
| CVE #(s): | |
| Created: | March 10, 2003 |
| Updated: | June 20, 2003 |
| Description: |
Potentially exploitable buffer overflows exist in the Macromedia Flash
Player. The full advisory is here.
"The cumulative security patch is available today and addresses the
potential for exploits surrounding buffer overflows (read/write) and
sandbox integrity within the player, which might allow malicious users to
gain access to a user's computer. The possibility of running native code on
a user's machine is a theoretical exploit, and extremely difficult to
execute in practice. There are no known examples of running such native
code from Macromedia Flash movies; however, even though this issue is
difficult and theoretical in nature only, we are encouraging users to
upgrade." |
| Alerts: |
|
Comments (none posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2003-0190 |
| Created: | May 2, 2003 |
| Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation." |
| Alerts: |
|
Comments (1 posted)
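The oracle the advisory above describes comes from doing less work for an unknown user than for a known one with a wrong password. The following added example (not OpenSSH or PAM code) reduces that to a password checker in two forms and counts the expensive operations each performs, which is the quantity a remote attacker measures as latency. The user table, the dummy credential and the work factor are constructed for illustration.

```python
"""Constant-work credential checking against user-enumeration timing attacks.

Added example; not OpenSSH or PAM code.  USERS is a constructed in-memory
table and ITERATIONS an illustrative work factor.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000   # PBKDF2 cost: large enough that skipping it is measurable


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user database: name -> (salt, stored hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential: hashed for unknown users so the work is always the same.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("never-a-real-password", _DUMMY_SALT)

HASH_CALLS = {"n": 0}  # instrumentation: how many hashes a check performed


def _counted_hash(password: str, salt: bytes) -> bytes:
    HASH_CALLS["n"] += 1
    return _hash(password, salt)


def check_vulnerable(user: str, password: str) -> bool:
    """Unknown user: return before any hashing.  The reply comes back faster
    than for a real user with a wrong password, and that gap is the oracle."""
    if user not in USERS:
        return False
    salt, stored = USERS[user]
    return _counted_hash(password, salt) == stored


def check_hardened(user: str, password: str) -> bool:
    """Always do one hash and one constant-time compare, whether or not the
    user exists; an unknown user is forced to False only after the work."""
    known = user in USERS
    salt, stored = USERS[user] if known else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_counted_hash(password, salt), stored)
    return bool(ok & known)


def work_done(check, user: str, password: str) -> int:
    """Number of hash computations the given checker performs for one call."""
    HASH_CALLS["n"] = 0
    check(user, password)
    return HASH_CALLS["n"]


def seconds(check, user: str, password: str) -> float:
    """Wall-clock time of one call, the attacker's view of work_done()."""
    start = time.perf_counter()
    check(user, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    for check in (check_vulnerable, check_hardened):
        for user in ("alice", "mallory"):
            print(f"{check.__name__:17s} {user:8s} "
                  f"hashes={work_done(check, user, 'wrong')} "
                  f"time={seconds(check, user, 'wrong'):.4f}s")
```

The vulnerable checker does zero hashes for mallory and one for alice; the hardened one does exactly one in both cases, so the response time no longer says whether the account exists. Real PAM stacks add more steps than a single hash, which is why the fix in sshd was to run the same authentication path for unknown users rather than to special-case them.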
openssl: local and remote extraction of RSA private key
| Package(s): | openssl, apache, mod_ssl |
| CVE #(s): | CAN-2003-0147 |
| Created: | March 18, 2003 |
| Updated: | May 22, 2003 |
| Description: |
David Brumley and Dan Boneh of Stanford University have researched and
documented a timing attack on OpenSSL that allows local and remote attackers
to extract the RSA private key of a server. The OpenSSL RSA implementation
is generally vulnerable to this type of attack unless RSA blinding has been
turned on. See this paper (PDF) for additional details.
Typically, RSA blinding is not enabled by OpenSSL-based applications, mainly
because it is not obvious how to do so when using OpenSSL to provide
SSL/TLS. This problem affects nearly all applications using OpenSSL; they
must either be rebuilt against the fixed OpenSSL version (where RSA blinding
is now enabled by default) or enable RSA blinding explicitly themselves.
The performance impact of RSA blinding appears to be small (a few percent)
and the RSA functionality remains fully compatible. The Common
Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0147 to
the problem. |
| Alerts: |
|
Comments (none posted)
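Blinding is a small change to the private-key operation: decrypt a randomized multiple of the ciphertext and undo the randomization afterwards, so the attacker no longer controls the value whose exponentiation time is being measured. The following added example (toy textbook RSA, not OpenSSL code) shows both forms; the key is built inline from two small primes and is for illustration only. In OpenSSL the same countermeasure is RSA_blinding_on(), which the fixed releases described above enable by default.

```python
"""RSA private-key operation with and without blinding.

Added example with a constructed toy key; not OpenSSL code and not a key
size anyone should use.
"""
import secrets
from math import gcd
from typing import List, Tuple

# Constructed toy key: two small primes, for illustration only.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def encrypt(m: int) -> int:
    return pow(m, E, N)


def decrypt_unblinded(c: int) -> int:
    """Plain private-key operation.  Its running time depends on the
    attacker-chosen c, which is what the Brumley/Boneh attack measures."""
    return pow(c, D, N)


def blind(c: int) -> Tuple[int, int]:
    """Pick a fresh random r coprime to N and return (c * r^e mod N, r).
    The attacker does not know r, so the value actually exponentiated is
    unpredictable to them."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and gcd(r, N) == 1:
            return (c * pow(r, E, N)) % N, r


def decrypt_blinded(c: int) -> int:
    """(c * r^e)^d = m * r (mod N); multiplying by r^-1 recovers m."""
    blinded, r = blind(c)
    m_times_r = pow(blinded, D, N)
    return (m_times_r * pow(r, -1, N)) % N


def blinded_inputs(c: int, count: int) -> List[int]:
    """What the exponentiation sees for one and the same ciphertext under
    blinding: a different value each time, so timings cannot be correlated
    with c."""
    return [blind(c)[0] for _ in range(count)]


if __name__ == "__main__":
    c = encrypt(123456789)
    print("unblinded:", decrypt_unblinded(c))
    print("blinded:  ", decrypt_blinded(c))
    print("inputs seen by the exponentiation:", blinded_inputs(c, 3))
```

The cost is one extra modular exponentiation by e (cheap, since e is small) plus a modular inverse per operation, which matches the few-percent overhead quoted above. A production implementation also refreshes r by squaring rather than drawing a new random value every time; the toy draws fresh for clarity.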
pam_xauth: root exploit
| Package(s): | pam_xauth |
| CVE #(s): | CAN-2002-1160 |
| Created: | February 13, 2003 |
| Updated: | July 10, 2003 |
| Description: |
The pam_xauth module is used to forward xauth information from user to user
in applications such as 'su'.
Andreas Beck discovered that versions of pam_xauth supplied with Red Hat
Linux since version 7.1 would forward authorization information from the
root account to unprivileged users. This could be used by a local attacker
to gain access to an administrator's X session. In order to exploit this
vulnerability, the attacker would have to get the administrator, as root,
to use su to the account belonging to the attacker. |
| Alerts: |
|
Comments (none posted)
PHP: vulnerability in mail function
| Package(s): | php |
| CVE #(s): | CAN-2002-0985, CAN-2002-0986 |
| Created: | November 13, 2002 |
| Updated: | October 1, 2003 |
| Description: |
Two vulnerabilities exist in the PHP mail() function. The first allows the
execution of any program or script, bypassing the safe_mode restriction; the
second can turn a script into an open mail relay if the mail() function is
not used carefully. See this Bugtraq report for more details. Note that this
is a different vulnerability from the previous PHP mail() problem, which
affected versions through 4.1.0. |
| Alerts: |
|
Comments (none posted)
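The lynx entry and the open-relay half of the PHP mail() entry are the same bug in two protocols: a value that should occupy one line of an HTTP request or a mail header block contains a CR/LF, and everything after it becomes lines of the attacker's choosing. The following added example (not code from lynx, PHP or any other project) builds both kinds of message the careless way and the checked way, with a small header reader to show what the receiving server would act on. All URLs, addresses and header values are constructed samples, and the HTTP builder is a simplified stand-in for the client code.

```python
"""CRLF injection into an HTTP request (lynx) and into mail headers (PHP
mail()), next to builders that reject it.

Added example; not lynx, PHP or any project's code.  ATTACK_URL,
ATTACK_SUBJECT and the addresses are constructed samples.
"""
from typing import List
from urllib.parse import urlsplit, unquote


class CRLFInjection(ValueError):
    """A value meant to occupy one protocol line contains a line terminator."""


def reject_crlf(field: str, value: str) -> str:
    if "\r" in value or "\n" in value:
        raise CRLFInjection(f"{field} contains CR/LF: {value!r}")
    return value


def header_values(message: str, name: str) -> List[str]:
    """Values of every header line called `name` (case-insensitive), in order.
    Servers and MTAs commonly act on the first occurrence, which is why an
    injected line that lands earlier than the real one wins."""
    prefix = name.lower() + ":"
    return [line.split(":", 1)[1].strip()
            for line in message.split("\r\n")
            if line.lower().startswith(prefix)]


def is_rejected(builder, *args) -> bool:
    try:
        builder(*args)
    except CRLFInjection:
        return True
    return False


# --- HTTP: the lynx case -----------------------------------------------------

# Constructed: %0d%0a ends the request line early and smuggles a Host header.
ATTACK_URL = ("http://victim.example/index.html%20HTTP/1.0%0d%0a"
              "Host:%20other.example%0d%0aX-Ignore:%20")


def http_request_vulnerable(url: str) -> str:
    """Percent-decodes the URL and pastes host and path in verbatim, so the
    decoded CR/LF becomes a line break followed by attacker-chosen headers."""
    parts = urlsplit(url)
    host = unquote(parts.hostname or "")
    path = unquote(parts.path or "/")
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"


def http_request_hardened(url: str) -> str:
    parts = urlsplit(url)
    host = reject_crlf("host", unquote(parts.hostname or ""))
    path = reject_crlf("path", unquote(parts.path or "/"))
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"


# --- Mail headers: the PHP mail() open-relay case ----------------------------

# Constructed: a form's subject field carrying an extra Bcc header.
ATTACK_SUBJECT = "Hello\r\nBcc: spam1@example.net, spam2@example.net"


def mail_headers_vulnerable(to: str, subject: str, sender: str) -> str:
    """A careless mail() wrapper: form fields are concatenated, so a newline
    in the subject appends headers and the script relays to anyone."""
    return f"To: {to}\r\nFrom: {sender}\r\nSubject: {subject}\r\n"


def mail_headers_hardened(to: str, subject: str, sender: str) -> str:
    return (f"To: {reject_crlf('to', to)}\r\n"
            f"From: {reject_crlf('from', sender)}\r\n"
            f"Subject: {reject_crlf('subject', subject)}\r\n")


if __name__ == "__main__":
    req = http_request_vulnerable(ATTACK_URL)
    print(req)
    print("Host headers seen:", header_values(req, "Host"))
    hdrs = mail_headers_vulnerable("bob@example.org", ATTACK_SUBJECT, "web@example.org")
    print(hdrs)
    print("Bcc headers seen:", header_values(hdrs, "Bcc"))
```

With the attack URL the vulnerable request carries "Host: other.example" before the intended "Host: victim.example", which on a shared server selects the other virtual host, exactly the wrong-site effect described in the lynx entry; the mail variant grows a Bcc list that the MTA will dutifully deliver. Both hardened builders raise instead of sending.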
PostgreSQL - more buffer overflows
| Package(s): | postgresql |
| CVE #(s): | |
| Created: | February 12, 2003 |
| Updated: | November 7, 2003 |
| Description: |
A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they
affect the circle_poly(), path_encode(), and path_addr() functions.
Exploiting these overflows requires that the attacker first obtain a
connection to the PostgreSQL server. |
| Alerts: |
|
Comments (1 posted)
PoPTop: remotely exploitable buffer overflow
| Package(s): | pptpd |
| CVE #(s): | CAN-2003-0213 |
| Created: | April 28, 2003 |
| Updated: | June 6, 2003 |
| Description: |
The PoPToP PPTP server contains a remotely exploitable buffer overflow; read
the full advisory for more information. |
| Alerts: |
|