LWN.net Weekly Edition for July 3, 2003

An interview with Linus Torvalds

LWN has been reporting on the Linux and free software community for well over five years now, but, during that time, we've never gotten around to interviewing Linus Torvalds, the creator and maintainer of the Linux kernel. That oversight has now been rectified. In the following interview, Linus talks about 2.5, 2.6, and 2.7, SCO, and how the kernel development process works.

Kernel releases

What are, in your opinion, the most significant accomplishments from the 2.5 development series?

There's a number of them, and the ones I think are most important others may not find as interesting. I personally tend to find "infrastructure" things more important than adding particular drivers support, for example, even though to most _users_ the actual drivers are often more important.

During 2.5.x, the things I thought were most noticeable are a nicer and better VM subsystem, a better block IO layer, and the improved threading support. All of them do help performance in various circumstances, but more importantly (to me) they were all fairly central cleanups and help keep the code maintainable.

Any regrets or things you wish had come out differently in 2.5?

Hey, I always wish we'd do stable releases more often, and I always end up ignoring my own wish and go for "more changes". It makes the release process a lot harder (more things have changed results in more verification and debugging effort), but it does make development more satisfying.

Looking forward to 2.7, do you have any particular goals in mind for that development series?

No, I seldom do. In 2.5.x, we fixed the things I was worried about and that I wanted fixed.

But inevitably, new needs and uses will come up, and I'm not worried about running out of stuff to do. I just don't plan much ahead, I much prefer to take a reactionary stance and see what people actually complain and care about, rather than having a "5-year plan".

Do you have any particular expectations or hopes for the upcoming kernel summit in Ottawa?

To me, the biggest thing is to hear what people are working on or interested in, and get together to just discuss stuff under reasonably organized circumstances. For example, I bet I'll have more of a notion of what people are holding back for 2.7.x.

It took the better part of a year - after 2.4.0 - for the 2.4 series to stabilize sufficiently for the 2.5 fork to happen. Do you foresee doing anything differently to stabilize 2.6 more quickly?

It's always hard to tell. One big problem for the 2.4.x series was the VM, and I think we're _already_ in better shape in 2.5.x than we ever were in 2.4.x. So I'm pretty optimistic, but it's always hard to anticipate everything that pops up when a lot of new people start moving over from 2.4.x to 2.6.x.

Development process

Over the course of 2.5, a number of developers, some of whom have contributed useful stuff, bowed out of the kernel project after facing too much criticism that was too harsh. Do you think this is a "if you can't stand the heat, get out of the kitchen" sort of situation, or could the process perhaps change to be a little more friendly?

I do believe that the kernel mailing list has become too acerbic at times. It can be amusing to read the flame wars if you take them the right way, but not everybody is willing or able to stand back and enjoy the fireworks. It's something I worry about - it tends to be always easier to criticise than to actually fix things.

I'll see what I can do about it, if anything.

There have been complaints that recent development has been strongly oriented toward large-system scalability at the expense of the rest of us with "normal" systems. Over the longer term, however, a high priority has been placed on not allowing support for high-end systems to compromise performance for everybody else. How do you feel about the balance between the kernel's support for large and small systems? Does anything need to be done to ensure scalability to the low end?

I think the drive toward "sexy" systems (lots of power, lots of CPU's, tons of memory, etc) is a fairly natural one, and it's something that gets attention, and I think that's also why people see that development more.

And yes, scalability has improved a lot, but at the same time you should realize that 99% of all Linux development is still done on basic desktop machines. So most developers still care mostly about that kind of hardware, and so while the "big iron" thing gets most attention and is most visible, it's not where most of the action _really_ is.

I personally, for example, always just work with a "high end desktop" system, expecting that what is high end today will be pretty much regular in another year or two.

In many ways, the kernel development process appears to be working better than it ever has. The flow of patches into the mainline is astounding, and most of the major developers seem to be relatively happy. Things appeared rather rougher at the beginning of 2.5; to what do you attribute the improvement? Is it all due to BitKeeper, or are there other things going on?

I definitely think BitKeeper helped, but on the whole people are always happier in development kernels than they are when you have to be careful. So expect some grumbling during 2.6.x when developer frustrations mount, when they can't just go wild.

The lawsuit

SCO has finally fingered some specific contributions to the kernel as, they say, infringing on their rights. Do you think there's a chance that things like RCU and JFS will have to come out before 2.6 can be released? How do you think you might respond if SCO demands their removal?

I don't think it's likely, especially since everything that SCO has fingered as being stuff they object to, they don't actually seem to have any IP rights claim over. They're all stuff written by IBM (or Sequent, which was bought by IBM), and everything looks very much above board as far as IBM goes.

I'd find it very unlikely that IBM had given exclusive licenses to SCO for the thing, especially as IBM apparently used some of the same technology for other projects earlier (ie OS/2). So from what I can tell, SCO really doesn't have a case - at least on the IP side of things.

Whether SCO has a case on the contract side, I just don't know. I'd be surprised. But I don't even have to care, since any contractual issues are clearly between IBM and SCO, and have nothing to do with me or the kernel (and contract law is a whole different area from IP rights, so SCO's blathering about Linux not respecting IP rights seems to be just a rabid rat frothing at the mouth, as far as I can see).

Do you foresee any changes to the kernel development process in the future to avoid the possibility of proprietary code being incorporated?

Hey, I claim that open source is a lot safer than proprietary code bases: people have full visibility in what goes in, and we can go back through archives etc to see who did what. In other words, we already _have_ the process in place to make sure that people don't try to misuse IP rights.

Miscellaneous topics

You've just announced a move over to OSDL, to work full-time on the kernel. Do you have any great plans for your extra time?

I've never had problems with "extra time". As far as I know, "extra time" as a concept is right up there with Santa Claus and the Tooth Fairy.

Recently you have been peppering the kernel with __user annotations which can be used by the "sparse" tool to find improper use of user-space pointers. I've always wondered why the kernel doesn't simply define a "userptr" type which would allow mistakes to be caught by the compiler?

The problem with a "userptr" type is that there is not just _one_ type of user pointer, there are hundreds. User pointer to _what_? You need a bit outside of/perpendicular to the regular type system, to say it's a "user pointer to a 'struct stat'".

I mentioned that to some gcc people, and nothing ever appeared, so I decided to do it myself.

Would it not make sense to make a similar distinction between physical and kernel virtual addresses?

It could certainly be done, with the tool I already wrote. We've never really had that as a major problem, though. Usually we use "unsigned long" for physical addresses (or things like "page frame numbers", ie they are an index to physical pages, not a whole address). Those have never been directly dereferencable, so we've not had the same kind of "buggy code works by mistake" situation that we've had with user pointers.

Thank you, Linus, for taking the time to answer these questions.
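
The __user annotation Linus describes, as an added example that is not from the interview or from the kernel tree. The __user/__force macro definitions are the kernel's real ones (sparse predefines __CHECKER__, gcc sees empty macros); everything else is a stand-in written for this page so the program runs as an ordinary user-space binary: the 64-byte "user space", access_ok_sim(), copy_to_user_sim()/copy_from_user_sim() in place of the real copy_to_user()/copy_from_user(), and the hypothetical struct kstat and sys_getstat_sim()/sys_setstat_sim() entry points.

```c
/* Added example: the __user address-space tag as sparse sees it, with
 * stand-in copy helpers. Not kernel code; the real helpers are
 * copy_to_user()/copy_from_user() and the real check is access_ok(). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The kernel's definition: only sparse (which defines __CHECKER__) sees the
 * attribute. "noderef" forbids *p and p->x; "address_space(1)" makes a
 * __user pointer incompatible with a plain kernel pointer to the same
 * type. __force is the escape hatch reserved for the copy helpers. */
#ifdef __CHECKER__
# define __user  __attribute__((noderef, address_space(1)))
# define __force __attribute__((force))
#else
# define __user
# define __force
#endif

/* Hypothetical "user space": a 64-byte region (an assumption of this demo). */
#define USER_SIZE 64
static unsigned char user_region[USER_SIZE];

/* Stand-in for access_ok(): does [p, p+n) lie entirely inside user space? */
static int access_ok_sim(const void __user *p, size_t n)
{
    const unsigned char *a = (const unsigned char __force *)p;
    return n <= USER_SIZE && a >= user_region && a <= user_region + USER_SIZE - n;
}

/* Stand-ins for copy_to_user()/copy_from_user(): the only places where a
 * __user pointer loses its tag (via __force), and only after the range
 * check. Return 0 or -EFAULT (the real ones return the bytes not copied). */
static int copy_to_user_sim(void __user *dst, const void *src, size_t n)
{
    if (!access_ok_sim(dst, n))
        return -EFAULT;
    memcpy((void __force *)dst, src, n);
    return 0;
}

static int copy_from_user_sim(void *dst, const void __user *src, size_t n)
{
    if (!access_ok_sim(src, n))
        return -EFAULT;
    memcpy(dst, (const void __force *)src, n);
    return 0;
}

/* Linus's point: the type says both what is pointed to and where it lives. */
struct kstat {                /* hypothetical stat record for the demo */
    uint32_t mode;
    uint64_t size;
};

/* Syscall-style entry point taking a user pointer to a struct kstat. */
long sys_getstat_sim(uint32_t mode, uint64_t size, struct kstat __user *buf)
{
    struct kstat tmp = { .mode = mode, .size = size };

    /* The bug the annotation catches would read
     *     buf->mode = mode;
     * and sparse reports "dereference of noderef expression". Where user
     * and kernel addresses share one space that line works by accident
     * until a hostile pointer arrives: the "buggy code works by mistake"
     * situation from the interview. */
    return copy_to_user_sim(buf, &tmp, sizeof tmp);
}

/* The reverse direction: read a struct kstat back out of user space. */
long sys_setstat_sim(const struct kstat __user *buf, struct kstat *out)
{
    return copy_from_user_sim(out, buf, sizeof *out);
}

/* Hand out a user-space address; this cast is how the kernel deliberately
 * forms a __user pointer from an untyped value. */
struct kstat __user *user_kstat_at(size_t offset)
{
    return (struct kstat __force __user *)(user_region + offset);
}

/* Round trip: write a record into user space at `offset`, read it back.
 * Returns 1 if it came back intact, 0 if corrupted, -1 if a copy refused. */
int stat_roundtrip_sim(size_t offset, uint32_t mode, uint64_t size)
{
    struct kstat back = { 0 };
    struct kstat __user *p = user_kstat_at(offset);

    if (sys_getstat_sim(mode, size, p) != 0)
        return -1;
    if (sys_setstat_sim(p, &back) != 0)
        return -1;
    return back.mode == mode && back.size == size;
}

int main(void)
{
    return stat_roundtrip_sim(0, 0755, 4096) == 1 ? 0 : 1;
}
```

With the `buf->mode = mode;` line uncommented, gcc still builds the file without complaint; running `sparse` over it is what produces the warning, which is the division of labour Linus describes: the compiler's type system carries "pointer to struct kstat", the annotation carries "lives in user space".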

Gentoo forks

[This article was contributed by Joe 'Zonker' Brockmeier]

The Gentoo project is experiencing a few growing pains. Last week the project announced some major management changes, while Zachary Welch has announced his intention to form a non-profit called the Zynot Foundation and a plan to fork the Gentoo distribution.

Why the "Zynot Foundation?" Apparently, because it was available. The project's FAQ says the new name was chosen because the domains were available, and because it's a name that can easily be spoken and spelled. The name of the actual distribution is still up in the air, according to the Zynot FAQ, and will be chosen by the community. Welch's "Reasons for Forking A Linux Distribution" details his reasons to break off from Gentoo and to form a new project. It's a lengthy read, but to put it succinctly, Welch had a number of issues with Gentoo lead Daniel Robbins and the way that the project was being managed -- both from a business perspective, and from a developer's perspective. Welch had hoped to further Gentoo in the embedded market, and eventually decided that it was too risky to move forward using the Gentoo name.

...the current situation that appears to place the Gentoo Linux distribution and brand arguably in the sole possession of Gentoo Technologies, Inc., and any sane business that contributes to the project should be very careful about balancing their expectations with the possibilities that such a monopoly entails... Every contribution made to Gentoo builds the brand of the distribution, value that is not being fairly shared with those members of the community that have helped build it.

Welch isn't the only developer to express dissatisfaction with Robbins' leadership of the project. Last April, Geert Bevin left the project and wrote up a summary of his reasons for doing so. According to Welch's "Welcome to Zynot" e-mail, the Zynot Foundation will be putting out some kind of release in time for LinuxWorld Expo in August, as well as having a booth at the show.

While the Zynot Foundation is getting started, the Gentoo project will be busy implementing a formalized management structure. The proposal, put forth by Robbins, seems to be fairly straightforward. It establishes a formal management hierarchy and responsibilities, channels of communication and so forth. The document doesn't address the process by which one would become a project manager, so it seems they will be granted their position by the "Chief Architect," which would be Robbins himself.

Welch's departure also means that Gentoo will need to find some new hardware and hosting. Apparently, much of Gentoo's infrastructure, including CVS, their Web server, Wiki and Gentoo Bugzilla are hosted on machines owned by Welch and co-located at Oregon State University.

Regardless of Welch's reasons for doing so, it remains to be seen whether many in the Gentoo community will be willing to follow Welch's fork of the project. Gentoo has a fairly devoted user community as well as a fair number of core developers. According to Welch's estimate, Gentoo currently has a user base of about 150,000 people. It will take some doing to achieve the same kind of success with a new project.

Interview with Gaël Duval

LWN editor Jonathan Corbet talks with Gaël Duval, creator of Mandrake Linux and co-founder of MandrakeSoft.

____

LWN: You were the creator of the original Mandrake Linux distribution, and a co-founder of MandrakeSoft. What is your current role with the distribution and the company?

GD - I'm officially taking care of MandrakeSoft's communication, but I'm helping for other things and projects as well.

LWN: In an OSNews interview last March, you said "9.1 sales and club subscriptions are going to be key." How are sales and subscriptions going at this point? Are they at the level you need?

GD - The levels of Club subscriptions and 9.1 sales have been very good. That's one of the reasons why our future is becoming better every day. Mandrake 9.1 is an excellent product, and that made it successful. On the other hand, the Mandrake Club and all its benefits, in particular the huge application repository that can be interfaced with the Mandrake application manager and dependency solver (URPMI/RPMDrake), has gained popularity among Mandrake users. As a result, the Club is turning into a real business model (in short: a free product plus value-added online services). As the whole Linux retail market has been dramatically and continuously decreasing during the past 3 years (mostly due to high-speed domestic Internet connections), this new business model for selling Free Software products really makes sense, and we certainly are one of the first Linux makers to enter this model.

LWN: The Mandrake Linux distribution has become difficult to find - at least, in U.S. stores. Do you plan to try to get back onto retail shelves (if so, how?), or are retail sales no longer a priority for MandrakeSoft?

GD - There is a simple reason for that: we broke our agreement with distributor Pearson recently. They are not interested in Linux as they have been in the past, and we weren't very happy with the sales. So we made the decision to take time to look for new distributors in the USA, and we encouraged users to come to MandrakeStore.com where our margins are really much more interesting than with traditional retail sales. Anyway Mandrake packs should be back in many US stores with the 9.2 version, with a new distributor. This is important at least for MandrakeSoft's brandname exposure and presence.

LWN: How is the reorganization process going in general? What changes is MandrakeSoft making, and how do you expect them to help the company's long-term survival?

GD - The reorganization is nearly completed. We had to review the company's priorities in terms of technology and businesses. We had to scale the structure down to the point where we do not spend more money than we earn. We also had to convince everyone at MandrakeSoft that sales are now the big priority.

LWN: When does MandrakeSoft expect to emerge from the bankruptcy process?

GD - We plan to emerge somewhere by the end of the year. So far this has been a very positive action for us.

LWN: Mandrake Linux tends to be perceived as a desktop-oriented distribution. Is that how you see it internally? Where do you expect to see Mandrake deployed most in the future?

GD - The mission of MandrakeSoft is to simplify Linux and make it available to all. This means: providing full-featured Linux systems that are easy to install, easy to set up, easy to use. But this doesn't mean that we focus on the desktop, because we ship many server products, including very complex ones such as the Multi Network Firewall or MandrakeClustering... Additionally, simple command line tools such as our package management tool "URPMI", are often as important as graphical wizards or applications. The result is now a large range of MandrakeSoft products, from the "Standard 9.1" which is a desktop OS, to server and dedicated security products such as the Corporate Server 2.1 and the Multi Network Firewall. Such a large offering is perfect for answering companies' needs, and that's good for MandrakeSoft because this is currently a growing market.

LWN: Increasingly, other distributors are coming forward with versions of their products aimed at the desktop. The trickle of reports of companies and governments choosing Linux for desktop use is growing. Do you have a sense of when desktop Linux may take a serious part of the market? How does Mandrake plan to succeed in a larger but more competitive desktop market?

GD - This desktop thing has been the most recent Linux hype. Currently it's clear that "joe user" is not ready yet to migrate his Windows desktop to a Linux desktop, for many reasons that are not only technical reasons. This doesn't mean that there is not a growing base of users who have definitely made the switch to Linux on the desktop (this includes myself). But the point here is that the real market in the desktop field, which is not a big market yet, is inside corporations, and that is the market we are currently interested in.

LWN: You have mentioned that MandrakeSoft will be introducing a clustering product. Clustering seems like an increasingly crowded marketplace - though, perhaps, one in which a fair amount of money should be made. What has drawn Mandrake into this market at this time?

GD - There are two simple answers: 1) we had the chance to get funding for a research project in this area, and this has resulted in a great and powerful Clustering product. 2) We don't plan yet to sell this product everywhere in the world like we do with Mandrake Linux: there are very few actors in the field of Clustering solutions in France, so we are going to sell it in France and Europe first. Additionally, it's not only a product, it's a complete solution that doesn't make sense without the support and knowledge-transfer which are provided with this solution.

LWN: What is MandrakeSoft's position on the SCO lawsuit? Are you taking any steps in response to SCO's allegations?

GD - Our position is very simple: so far there is mostly FUD and rumours. Let's wait for facts. Anyway, the whole story could possibly impact Linux' image negatively so we have to take care of that. But in the end my guess is that SCO is making a huge error and is going to suffer much from the situation.

LWN: What enhancements can Mandrake Linux users look forward to in the next release?

GD - Wait and see :-)

LWN: Is there anything else you would like our readers to know?

GD - Producing and selling Free Software products makes sense. It only needs a good business model.

JBoss

[This article was contributed by Joe 'Zonker' Brockmeier]

A few weeks ago a group of JBoss developers split from The JBoss Group and decided to strike out on their own as the Core Developers Network (CDN). We spoke with Greg Wilkins, one of the Core Developers Network members as well as the founder and director of Mort Bay Consulting. Mort Bay sponsors development of the Jetty Java HTTP server and servlet container. Marc Fleury, President of the JBoss Group, refused to comment for this story.

Wilkins wrote that his experience with JBoss Group had been less than profitable. "I got 6 hours of support work for being on call for 2 years - I also was not pushing my own Jetty support business to JBG clients so I was losing sales of my own." Wilkins also said that Fleury demanded a cut of a deal that he had negotiated through Mort Bay for out-source development that used JBoss "among many other things."

We did not expect to make money from writing our code. But when somebody started making lots of money by selling access to US the developers (not selling distributions of the code or anything) - then we felt we at least deserved a fair share of the branding and scalable income. Not just to get paid for the hours we worked - we can get that anywhere.

Since leaving the project, Wilkins noted that the names of the Core Developers have been removed from the JBoss site as contributors, though they still have CVS access to JBoss and continue to contribute to the project. JBoss has also replaced Jetty with Tomcat as the default Web container. Wilkins says that the Core Developers do not want to fork JBoss, but "we can see situations that may force that to happen." In the end, there are really two main issues, says Wilkins:

I guess for me there are two aspects to this. One is commercial dispute between parties - no real big issue there I think they are bastards who have screwed me and I'm sure they think the same about me - we are probably both right :-)

But the other is the control of an open source project. It appears that getting control over just the trademark and CVS write access can be used to build a very good control mechanism over an open source community. This can be used to build a near monopoly on commercial services sold for that project and distribution of those benefits.

While Fleury refused to comment for this story, it's interesting to note something he said in an interview on TheOpenEnterprise.com:

The answer is yes. I also believe there's a monopolistic opportunity in open source infrastructure, just like Microsoft has a monopoly on the desktop. Free software will create a market that is much more open than that, but we see ourselves becoming a standard, used everywhere, while other application server vendors are struggling. That's our end goal, to become a monopolistic but responsible provider of Web infrastructure.

As open source continues to grow in popularity, and profitability, this will undoubtedly be an increasingly important issue. While the JBoss code is available for anyone to use, distribute and modify, the trademark is controlled by a single party. The ability to contribute code and participate in the direction of the project is also controlled by the same people who are making it a business venture. Certainly these abilities could be abused to give one party an advantage over other companies or individuals seeking to make money from the code. Withholding the ability to use the trademark, for example, could certainly hinder the ability of other parties to build a business that centers around JBoss.

Free and open source software licenses only protect access to the code itself. Any business based on an open source project will need to be able to advertise and promote itself -- something that could prove difficult if they are unable to use the name of the project in their advertising or marketing materials. Developers who are contributing to other open source projects may wish to ask the owners of those projects to clarify their long-term intentions for the projects. If nothing else, the JBoss situation may prove a cautionary tale for other business-minded open source developers. According to Wilkins, things would have been much different if they had gotten the business aspects taken care of earlier.

...by the time we came to really formalize it, it was too late as Marc owned the trademark, the company, had the client contracts, the www site and the CVS access. So we had all lost our bargaining positions. If we had formalized it two years earlier before JBoss was really big and was generating significant revenue - the deal would have been substantially different.

Page editor: Rebecca Sobol

Security

Security news

Email Virus Scanning for Linux: A review of alternatives to RAV Antivirus

[This article was contributed by tummy.com]

With the purchase of RAV by Microsoft, many Linux email providers and ISPs are looking for an affordable, reliable replacement for RAV Antivirus.

Kevin Fenzi, Senior Member Technical Staff of tummy.com, ltd. and the co-author of the Linux Security HOWTO, has reviewed some of the currently available alternatives.

Kevin evaluated the alternatives on several different criteria, including pricing policy (unlimited use is better than a per-domain or per-user price), broad support for Mail Transport Agents, and ease of installation and configuration.

Criteria Used:

  • Pricing policy: Unlimited use got the highest score. Per-domain pricing was next best, and per-user pricing was last. Those products that did not have pricing information on their website received no score in this category.

  • Support for MTAs: A point was awarded for each of the popular Mail Transport Agents supported (Qmail, Postfix, Exim, SuSE, Sendmail+Milters, Sendmail, Dmail).

  • Ease of Installation: Is the product easy to download and install?

  • Ease of Configuration: Is the product easy to configure with your local MTA?

  • Scores are on a 'bad, fair, good, excellent' scale.

Read the full article here.

New vulnerabilities

gtksee: buffer overflow

Package(s):gtksee CVE #(s):CAN-2003-0444
Created:June 29, 2003 Updated:July 11, 2003
Description: Viliam Holub discovered a bug in gtksee whereby, when loading PNG images of certain color depths, gtksee would overflow a heap-allocated buffer. This vulnerability could be exploited by an attacker using a carefully constructed PNG image to execute arbitrary code when the victim loads the file in gtksee.
Alerts:
Debian DSA-337-1 2003-06-29
Gentoo 200307-05 2003-07-11

imagemagick: insecure temporary file

Package(s):imagemagick CVE #(s):CAN-2003-0455
Created:June 29, 2003 Updated:July 10, 2003
Description: There are circumstances in which imagemagick's libmagick library creates temporary files without taking appropriate security precautions. This vulnerability could be exploited by a local user to create or overwrite files with the privileges of another user who is invoking a program using this library.
Alerts:
Debian DSA-331-1 2003-06-27
OpenPKG OpenPKG-SA-2003.034 2003-07-10
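
The insecure temporary-file pattern behind this entry, as an added example; it is not ImageMagick's code, which the advisory does not quote. A predictable name opened without O_EXCL follows a symlink that a local attacker planted at that name, so whatever the link points at is truncated with the privileges of the user running the program. O_EXCL makes open() refuse a symlink outright (POSIX mandates EEXIST there), and mkstemp() adds an unpredictable name on top of O_EXCL. The scratch directory, the "victim" file and the planted symlink are all constructed by the program itself, under /tmp or the current directory.

```c
/* Added example: three ways to create a temp file, one of them the
 * vulnerable one. Not ImageMagick code. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct scratch {
    char dir[64];
    char victim[96];   /* the file the attacker wants clobbered */
    char link[96];     /* symlink planted at the name the program will use */
};

/* The attacker's setup: a directory, a victim file with content, and a
 * symlink at the predictable temp-file name pointing at the victim. */
static int plant(struct scratch *s)
{
    strcpy(s->dir, "/tmp/lwn-tmpfile-XXXXXX");
    if (!mkdtemp(s->dir)) {                    /* fall back if /tmp is unusable */
        strcpy(s->dir, "./lwn-tmpfile-XXXXXX");
        if (!mkdtemp(s->dir))
            return 0;
    }
    snprintf(s->victim, sizeof s->victim, "%s/victim", s->dir);
    snprintf(s->link, sizeof s->link, "%s/magick-predictable.tmp", s->dir);
    FILE *f = fopen(s->victim, "w");
    if (!f)
        return 0;
    fputs("important data\n", f);
    fclose(f);
    return symlink(s->victim, s->link) == 0;
}

static void cleanup(const struct scratch *s)
{
    unlink(s->link);
    unlink(s->victim);
    rmdir(s->dir);
}

static off_t file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_size : -1;
}

/* Vulnerable pattern: predictable name, open() without O_EXCL. The open
 * follows the symlink and O_TRUNC empties the victim.
 * Returns 1 if the victim was clobbered, 0 if not, -1 on setup failure. */
int unsafe_open_clobbers_victim(void)
{
    struct scratch s;
    int clobbered = 0;
    if (!plant(&s))
        return -1;
    int fd = open(s.link, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) {
        close(fd);
        clobbered = file_size(s.victim) == 0;
    }
    cleanup(&s);
    return clobbered;
}

/* First fix: O_CREAT|O_EXCL. POSIX requires open() to fail with EEXIST when
 * the path is a symlink, whatever it points to, so the planted link is
 * harmless. Returns 1 if refused and the victim is intact. */
int excl_open_refuses_symlink(void)
{
    struct scratch s;
    if (!plant(&s))
        return -1;
    int fd = open(s.link, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int refused = fd < 0 && errno == EEXIST;
    if (fd >= 0)
        close(fd);
    int intact = file_size(s.victim) > 0;
    cleanup(&s);
    return refused && intact;
}

/* Second fix: mkstemp(), which picks an unguessable name and opens it with
 * O_CREAT|O_EXCL itself. Returns 1 if it yielded a fresh regular file. */
int mkstemp_makes_fresh_file(void)
{
    struct scratch s;
    char tmpl[96];
    struct stat st;
    if (!plant(&s))
        return -1;
    snprintf(tmpl, sizeof tmpl, "%s/magick-XXXXXX", s.dir);
    int fd = mkstemp(tmpl);
    int fresh = fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
                && st.st_nlink == 1 && file_size(s.victim) > 0;
    if (fd >= 0) {
        close(fd);
        unlink(tmpl);
    }
    cleanup(&s);
    return fresh;
}

int main(void)
{
    return (unsafe_open_clobbers_victim() == 1 && excl_open_refuses_symlink() == 1
            && mkstemp_makes_fresh_file() == 1) ? 0 : 1;
}
```

The practical rule the advisory implies: a library that writes temporary files must use mkstemp() (or open() with O_CREAT|O_EXCL on a name it generated) and keep working through the returned descriptor, never re-open the path by name, since a second open by name is a fresh race.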

PHP: Cross site scripting vulnerability

Package(s):PHP CVE #(s):CAN-2003-0442
Created:July 2, 2003 Updated:August 13, 2003
Description: In PHP version 4.3.1 and earlier, when transparent session ID support is enabled using the "session.use_trans_sid" option, the session ID is not escaped before use. This allows a Cross Site Scripting attack.
Alerts:
Red Hat RHSA-2003:204-01 2003-07-02
OpenPKG OpenPKG-SA-2003.032 2003-07-07
Conectiva CLA-2003:691 2003-07-08
Debian DSA-351-1 2003-07-16
Yellow Dog YDU-20030710-2 2003-07-10
Mandrake MDKSA-2003:082 2003-08-04
Mandrake MDKSA-2003:082-1 2003-08-12

phpbb: sql injection

Package(s):phpbb CVE #(s):CAN-2003-0486
Created:June 28, 2003 Updated:July 2, 2003
Description: An SQL injection vulnerability in viewtopic.php for phpBB 2.0.5 and earlier allows remote attackers to steal password hashes via the topic_id parameter.
Alerts:
Gentoo 200306-15 2003-06-28

proftpd: SQL injection

Package(s):proftpd CVE #(s):
Created:June 29, 2003 Updated:June 29, 2003
Description: runlevel [runlevel@raregazz.org] reported that ProFTPD's PostgreSQL authentication module is vulnerable to a SQL injection attack. This vulnerability could be exploited by a remote, unauthenticated attacker to execute arbitrary SQL statements, potentially exposing the passwords of other users, or to connect to ProFTPD as an arbitrary user without supplying the correct password.
Alerts:
Debian DSA-338-1 2003-06-29

tcptraceroute: problems dropping root privileges

Package(s):tcptraceroute CVE #(s):CAN-2003-0489
Created:June 28, 2003 Updated:July 10, 2003
Description: tcptraceroute 1.4 and earlier does not fully drop privileges after obtaining a file descriptor for capturing packets. This may allow local users to gain access to the descriptor via a separate vulnerability in tcptraceroute.
Alerts:
Debian DSA-330-1 2003-06-23
Gentoo 200306-14 2003-06-28
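
The incomplete-drop problem above in general form, as an added example that is not tcptraceroute's code: obtain the privileged descriptor first (a raw socket here, an assumption standing in for the capture descriptor), then drop supplementary groups, all three gids and all three uids, and verify the drop by reading the ids back and confirming root cannot be re-acquired. A "partial" variant that only changes the effective ids is shown for contrast; it leaves the saved set-user-ID at 0, which is what lets a later bug climb back. Linux-specific (setresuid/getresuid).

```c
/* Added example: dropping privileges completely after the privileged
 * resource is in hand. Not tcptraceroute code. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes for the Linux-specific calls, in case the
 * translation unit was started without _GNU_SOURCE in effect. */
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);

/* The shape the advisory warns about: only the effective ids move. The
 * saved set-user-ID still holds root, so setuid(0) brings it back. */
int drop_privileges_partially(uid_t uid, gid_t gid)
{
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0)
        return -1;
    return 0;
}

/* The full drop. Order matters: groups while still root (setgroups needs
 * CAP_SETGID), then gids (after the uid goes, that call needs CAP_SETGID
 * too), then uids. Returns 0 on success, -1 with errno set otherwise. */
int drop_privileges_fully(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)      /* real, effective AND saved */
        return -1;

    /* Verify, never assume: every id must now be the target id ... */
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return -1;
    if (ru != uid || eu != uid || su != uid || rg != gid || eg != gid || sg != gid) {
        errno = EPERM;
        return -1;
    }
    /* ... and root must be unreachable. If this succeeds, the drop lied. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Can this process become root again? 1 = yes (bad after a drop),
 * 0 = the kernel refuses with EPERM, -1 = some other failure. */
int root_regainable(void)
{
    if (setuid(0) == 0)
        return 1;
    return errno == EPERM ? 0 : -1;
}

/* The order a tracerouting tool needs: open the privileged descriptor,
 * drop everything, then parse input and write output unprivileged.
 * Returns 1 if privileges were dropped after the socket attempt. The
 * descriptor is closed again here; a real tool keeps it for its lifetime. */
int capture_session_drops_privileges(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);   /* EPERM unless root/CAP_NET_RAW */
    int ok = drop_privileges_fully(getuid(), getgid()) == 0;
    if (fd >= 0)
        close(fd);
    return ok;
}

int main(void)
{
    return capture_session_drops_privileges() ? 0 : 1;
}
```

Run as an ordinary user the socket() call fails and the drop is a no-op that still verifies; run setuid-root, the socket opens and root_regainable() must answer 0 afterwards. The descriptor survives the drop, which is exactly why a later bug in the unprivileged part of the program is only as bad as that descriptor allows.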

unzip: directory traversal vulnerability

Package(s):unzip CVE #(s):CAN-2003-0282
Created:July 1, 2003 Updated:November 13, 2003
Description: A vulnerability in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information.
Alerts:
Red Hat RHSA-2003:199-01 2003-07-01
Immunix IMNX-2003-7+-017-01 2003-07-02
Conectiva CLA-2003:672 2003-07-02
Mandrake MDKSA-2003:073 2003-07-07
Debian DSA-344-1 2003-07-08
OpenPKG OpenPKG-SA-2003.033 2003-07-10
Gentoo 200307-02 2003-07-11
Yellow Dog YDU-20030710-1 2003-07-10
Red Hat RHSA-2003:199-02 2003-08-15
Conectiva CLA-2003:724 2003-08-18
Mandrake MDKSA-2003:073-1 2003-08-19
Slackware SSA:2003-237-01 2003-08-25
Debian DSA-344-2 2003-08-26
SCO Group CSSA-2003-031.0 2003-11-07
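
The filtering-order bug described above, as an added example; this is not Info-ZIP's code, and the filter and the check are simplified versions of what such an extractor does. The vulnerable order checks the member name for ".." and then strips non-printable characters, so ".\001./etc/passwd" contains no ".." component when checked and becomes "../etc/passwd" afterwards; the fixed order runs the same check on the name that will actually be opened. The sample names are constructed.

```c
/* Added example: sanitizing archive member names, the buggy way and the
 * fixed way. Not Info-ZIP code. */
#include <stdio.h>
#include <string.h>

/* The filtering step: drop everything outside printable ASCII. */
static void strip_unprintable(const char *in, char *out, size_t outsz)
{
    size_t j = 0;
    for (; *in && j + 1 < outsz; in++) {
        unsigned char c = (unsigned char)*in;
        if (c >= 0x20 && c < 0x7f)
            out[j++] = (char)c;
    }
    out[j] = '\0';
}

/* Does this name escape the extraction directory? True for an absolute
 * path or for any path component that is exactly "..". */
static int path_escapes(const char *path)
{
    const char *p = path;
    if (path[0] == '/')
        return 1;
    while (*p) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (!slash)
            break;
        p = slash + 1;
    }
    return 0;
}

/* Vulnerable order: check the raw name, then filter it. ".\001./x" has no
 * ".." component, so it is accepted; the filter then yields "../x".
 * Returns 1 if accepted, with the final name written to out. */
int sanitize_vulnerable(const char *name, char *out, size_t outsz)
{
    if (path_escapes(name))
        return 0;
    strip_unprintable(name, out, outsz);
    return 1;
}

/* Fixed order: transform first, then check the name that will be opened. */
int sanitize_fixed(const char *name, char *out, size_t outsz)
{
    strip_unprintable(name, out, outsz);
    return !path_escapes(out);
}

/* What a sanitizer does with a name:
 *   0 = rejected, 1 = accepted and the final name stays inside,
 *   2 = accepted although the final name escapes (the bug). */
int classify(int (*sanitize)(const char *, char *, size_t), const char *name)
{
    char out[256];
    if (!sanitize(name, out, sizeof out))
        return 0;
    return path_escapes(out) ? 2 : 1;
}

int main(void)
{
    static const char *samples[] = {          /* constructed member names */
        "docs/readme.txt",                    /* ordinary */
        "../etc/passwd",                      /* plain traversal: both reject */
        ".\001./etc/passwd",                  /* control byte between the dots */
        "..\177/.ssh/authorized_keys",        /* DEL glued to the dots */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s vulnerable=%d fixed=%d\n", samples[i],
               classify(sanitize_vulnerable, samples[i]),
               classify(sanitize_fixed, samples[i]));
    return 0;
}
```

The general lesson is the order of operations: any validation of a name must run on the exact bytes that reach open(), after every normalisation, filtering or decoding step, never before.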

xgalaga: buffer overflows

Package(s):xgalaga CVE #(s):CAN-2003-0454
Created:June 29, 2003 Updated:July 2, 2003
Description: Steve Kemp discovered several buffer overflows in the game xgalaga, which can be triggered by a long HOME environment variable. This vulnerability could be exploited by a local attacker to gain gid 'games'.
Alerts:
Debian DSA-334-1 2003-06-28

Updated vulnerabilities

perl-MailTools: remote command execution

Package(s):MailTools CVE #(s):CAN-2002-1271
Created:November 5, 2002 Updated:September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as the default mailer, which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
SuSE SuSE-SA:2002:041 2002-11-05
Gentoo 200211-001 2002-11-06
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200302-01 2003-02-02
Debian DSA-386-1 2003-09-18

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
Debian DSA-208-1 2002-12-12
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Trustix 2002-0087 2002-12-19
Gentoo 200212-6 2002-12-20
SCO Group CSSA-2004-007.0 2004-02-20

xterm: command execution and denial of service

Package(s):XFree86 xterm CVE #(s):CAN-2001-1409 CAN-2002-1472 CAN-2002-0164 CAN-2003-0063 CAN-2003-0071
Created:June 25, 2003 Updated:July 2, 2003
Description: A couple of new vulnerabilities have been found in the xterm application shipped with XFree86. There is yet another "execute arbitrary commands by setting the window title" vulnerability, along with a bug which can allow an attacker to lock up an xterm window.
Alerts:
Red Hat RHSA-2003:066-01 2003-06-25
Red Hat RHSA-2003:067-01 2003-06-25
Red Hat RHSA-2003:064-01 2003-06-25
Red Hat RHSA-2003:067-02 2003-07-01

Xpdf - command execution vulnerability

Package(s):Xpdf CVE #(s):CAN-2003-0434
Created:June 18, 2003 Updated:July 24, 2003
Description: Xpdf suffers from the same sort of "execute arbitrary code embedded in a malicious document" vulnerability that is so widespread in other PostScript and PDF interpreters.
Alerts:
Red Hat RHSA-2003:196-01 2003-06-18
Yellow Dog YDU-20030620-1 2003-06-20
Gentoo 200306-11 2003-06-25
Mandrake MDKSA-2003:071 2003-06-27
Conectiva CLA-2003:674 2003-07-04
Red Hat RHSA-2003:196-02 2003-07-17
Yellow Dog YDU-20030723-1 2003-07-23
Mandrake MDKSA-2003:071-1 2003-07-23

bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
OpenPKG OpenPKG-SA-2002.006 2002-07-04
SuSE SuSE-SA:2002:026 2002-07-09
Conectiva CLA-2002:507 2002-07-11
Gentoo glibc-20020713 2002-07-13
Trustix 2002-0061 2002-07-15
Mandrake MDKSA-2002:043 2002-07-16
EnGarde ESA-20020724-018 2002-07-24
Red Hat RHSA-2002:139-10 2002-07-22
Eridani ERISA-2002:028 2002-07-25
Yellow Dog YDU-20020801-2 2002-08-01
SCO Group CSSA-2002-034.0 2002-08-05
Red Hat RHSA-2002:133-13 2002-08-08
Eridani ERISA-2002:035 2002-08-09
Yellow Dog YDU-20020810-3 2002-08-10
Mandrake MDKSA-2002:050 2002-08-13

Comments (1 posted)

Canna server: exploitable buffer overrun

Package(s):canna CVE #(s):CAN-2002-1158 CAN-2002-1159
Created:December 10, 2002 Updated:October 1, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

CAN-2002-1158
CAN-2002-1159

Alerts:
Red Hat RHSA-2002:246-18 2002-12-04
Gentoo 200212-8 2002-12-20
Debian DSA-224-1 2002-01-08
SCO Group CSSA-2003-005.0 2003-01-21

Comments (none posted)

CUPS: vulnerability in the CUPS IPP implementation

Package(s):cups CVE #(s):CAN-2003-0195
Created:May 27, 2003 Updated:July 22, 2003
Description: Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP (Internet Printing Protocol) implementation. The IPP implementation is single-threaded, which means only one request can be serviced at a time. An attacker could make a partial request that does not time out and therefore creates a denial of service. In order to exploit this bug, an attacker must have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
Red Hat RHSA-2003:171-01 2003-05-27
Slackware ssa:2003-149-01 2003-05-29
Mandrake MDKSA-2003:062 2003-05-29
Yellow Dog YDU-20030602-3 2003-06-02
SuSE SuSE-SA:2003:028 2003-06-06
Debian DSA-317-1 2003-06-11
Gentoo 200306-09 2003-06-14
Conectiva CLA-2003:702 2003-07-22

Comments (none posted)

ethereal: security problems in Ethereal 0.9.12

Package(s):ethereal CVE #(s):CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432
Created:June 23, 2003 Updated:November 10, 2003
Description: Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Alerts:
Mandrake MDKSA-2003:070 2003-06-23
Conectiva CLA-2003:662 2003-06-25
Gentoo 200306-13 2003-06-25
Red Hat RHSA-2003:203-01 2003-07-03
Yellow Dog YDU-20030718-2 2003-07-18
SCO Group CSSA-2003-030.0 2003-11-07

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

Comments (none posted)

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Conectiva CLA-2002:554 2002-12-16
Red Hat RHSA-2002:293-09 2002-12-17
Debian DSA-216-1 2002-12-24
SuSE SuSE-SA:2003:001 2003-01-02
SCO Group CSSA-2003-001.0 2003-01-09
EnGarde ESA-20030127-002 2003-01-27
Mandrake MDKSA-2003:011 2003-01-27
Immunix IMNX-2003-7+-023-01 2003-10-17

Comments (3 posted)

Potential remote root exploit in glibc

Package(s):glibc CVE #(s):CAN-2002-0391
Created:August 14, 2002 Updated:June 29, 2003
Description: Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library which is used in glibc. This bug could be exploited to gain unauthorized root access to software linking to glibc.

Updating as soon as practical is a good idea.

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-149-1 2002-08-13
Red Hat RHSA-2002:166-07 2002-08-12
Eridani ERISA-2002:036 2002-08-13
Trustix 2002-0067 2002-08-13
SuSE SuSE-SA:2002:031 2002-08-30
Gentoo glibc-20020905 2002-09-05
Mandrake MDKSA-2002:061 2002-09-23
Debian DSA-149-2 2002-09-26
Gentoo dietlibc-20020927 2002-09-27
Gentoo glibc-20020927 2002-09-27
EnGarde ESA-20021003-021 2002-10-03
Trustix 2002-0070 2002-10-17
Conectiva CLA-2002:535 2002-10-29
Debian DSA-333-1 2003-06-27

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Red Hat RHSA-2002:197-06 2002-10-03
Red Hat RHSA-2002:197-09 2002-11-06
Mandrake MDKSA-2004:009 2004-02-04

Comments (none posted)

gnocatan: buffer overflows, denial of service

Package(s):gnocatan CVE #(s):CAN-2003-0433
Created:June 12, 2003 Updated:June 28, 2003
Description: Bas Wijnen discovered that the gnocatan server is vulnerable to several buffer overflows which could be exploited to execute arbitrary code on the server system.
Alerts:
Debian DSA-315-1 2003-06-11
Gentoo 200306-17 2003-06-28

Comments (none posted)

gnupg: key validation

Package(s):gnupg CVE #(s):CAN-2003-0255
Created:May 15, 2003 Updated:November 17, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID.
Alerts:
EnGarde ESA-20030515-016 2003-05-15
OpenPKG OpenPKG-SA-2003.029 2003-05-16
Gentoo 200305-04 2003-05-16
Red Hat RHSA-2003:175-01 2003-05-20
Slackware ssa:2003-141-04 2003-05-22
Mandrake MDKSA-2003:061 2003-05-22
Yellow Dog YDU-20030602-4 2003-06-02
Conectiva CLA-2003:694 2003-07-11
SCO Group CSSA-2003-034.0 2003-11-17

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Red Hat RHSA-2003:126-01 2003-04-14
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:264-01 2003-09-09
Conectiva CLA-2003:737 2003-09-12
Mandrake MDKSA-2003:093 2003-09-18
Debian DSA-710-1 2005-04-18

Comments (none posted)

IMP - SQL injection vulnerability

Package(s):imp CVE #(s):CAN-2003-0025
Created:January 15, 2003 Updated:July 8, 2003
Description: The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL injection; see this advisory for details. Version 3.x is not vulnerable to this problem.
Alerts:
Debian DSA-229-2 2003-01-15
SuSE SuSE-SA:2003:0008 2003-02-18
Conectiva CLA-2003:690 2003-07-08

Comments (1 posted)

kde: arbitrary code execution

Package(s):kde CVE #(s):CAN-2003-0204
Created:April 10, 2003 Updated:June 30, 2003
Description: The KDE Security team has issued an advisory on a vulnerability present in all versions of KDE that allows a remote attacker to execute arbitrary commands under your account. KDE 3.0.5b and KDE 3.1.1a have been released to address this problem. For KDE 2.2.2, patches to the KDE 2.2.2 sources have been made available.

KDE uses Ghostscript software for processing of PostScript (PS) and PDF files in a way that allows for the execution of arbitrary commands that can be contained in such files.

An attacker can prepare a malicious PostScript or PDF file which will provide the attacker with access to the victim's account and privileges when the victim opens this malicious file for viewing, or when the victim browses a directory containing such a malicious file and has file previews enabled.

An attacker can provide malicious files remotely to a victim in an e-mail, as part of a webpage, via an ftp server and possibly other means.

Alerts:
Gentoo 200304-04 2003-04-10
Gentoo 200304-05 2003-04-11
Debian DSA-284-1 2003-04-12
Sorcerer SORCERER2003-04-12 2003-04-12
Mandrake MDKSA-2003:049 2003-04-17
Slackware sl-1050682024 2003-04-18
Debian DSA-293-1 2003-04-23
SuSE SuSE-SA:2003:0026 2003-04-24
Mandrake MDKSA-2003:049-1 2003-04-24
Debian DSA-296-1 2003-04-30
Red Hat RHSA-2003:002-01 2003-05-12
Conectiva CLA-2003:668 2003-06-30

Comments (none posted)

kernel - ptrace-related vulnerability

Package(s):kernel CVE #(s):CAN-2003-0127
Created:March 17, 2003 Updated:June 30, 2003
Description: Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in ptrace() which may be exploited by a local user to obtain root access. This announcement contains the details and a patch for 2.4.20. For 2.2 users, 2.2.25 has been released which contains the fix.
Alerts:
Red Hat RHSA-2003:098-00 2003-03-17
Trustix 2003-0007 2003-03-18
EnGarde ESA-20030318-009 2003-03-18
Red Hat RHSA-2003:088-01 2003-03-20
Sorcerer SORCERER2003-03-19 2003-03-20
Gentoo 200303-17 2003-03-21
SuSE SuSE-SA:2003:021 2003-03-25
Debian DSA-270-1 2003-03-27
Mandrake MDKSA-2003:038 2003-03-27
Mandrake MDKSA-2003:039 2003-03-27
Debian DSA-276-1 2003-04-03
Conectiva CLA-2003:618 2003-04-07
Red Hat RHSA-2003:135-00 2003-04-08
Mandrake MDKSA-2003:038-1 2003-04-09
SCO Group CSSA-2003-020.0 2003-05-09
Red Hat RHSA-2003:098-03 2003-06-02
Debian DSA-332-1 2003-06-27
Debian DSA-336-1 2003-06-29
Debian DSA-336-2 2003-06-29

Comments (none posted)

kernel 2.4 - two new vulnerabilities

Package(s):kernel CVE #(s):CAN-2003-0244 CAN-2003-0246
Created:May 14, 2003 Updated:July 25, 2003
Description: The 2.4.20 (and prior) kernel contains a couple of vulnerabilities that are worth fixing.
  • The ioperm() system call doesn't perform proper checking, allowing a local user to manipulate arbitrary I/O ports.

  • The networking code contains a remotely exploitable denial of service condition; see the May 24 Security Page for details.

Alerts:
Red Hat RHSA-2003:172-00 2003-05-14
EnGarde ESA-20030515-017 2003-05-15
Red Hat RHSA-2003:145-01 2003-05-27
Red Hat RHSA-2003:187-01 2003-06-03
Debian DSA-311-1 2003-06-08
Debian DSA-312-1 2003-06-09
Mandrake MDKSA-2003:066 2003-06-11
Slackware SSA:2003-168-01 2003-06-17
Mandrake MDKSA-2003:074 2003-07-15
Mandrake MDKSA-2003:066-1 2003-07-21
Conectiva CLA-2003:701 2003-07-22
Mandrake MDKSA-2003:066-2 2003-07-25

Comments (2 posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

kopete: vulnerability in GnuPG plugin

Package(s):kopete CVE #(s):CAN-2003-0256
Created:May 8, 2003 Updated:June 27, 2003
Description: A vulnerability was discovered in versions of kopete prior to 0.6.2. Kopete is a KDE instant messenger client. This vulnerability is in the GnuPG plugin that allows users to send each other GPG-encrypted instant messages. The plugin passes encrypted messages to gpg, but does no checking to sanitize the command line passed to gpg. This can allow remote users to execute arbitrary code, with the permissions of the user running kopete, on the local system.
Alerts:
Mandrake MDKSA-2003:055 2003-05-08
Gentoo 200305-03 2003-05-14
Conectiva CLA-2003:665 2003-06-27

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Debian DSA-213-1 2002-12-19
Red Hat RHSA-2003:006-06 2003-01-09
SuSE SuSE-SA:2003:0004 2003-01-14
Yellow Dog YDU-20030114-2 2002-01-14
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Mandrake MDKSA-2003:008 2003-01-20
Conectiva CLA-2003:564 2003-01-23
Red Hat RHSA-2004:249-01 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-176 2004-06-18
Whitebox WBSA-2004:249-01 2004-06-21
Mandrake MDKSA-2004:063 2004-06-29
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Gentoo 200407-06 2004-07-08

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:October 1, 2003
Description: If lynx is given a URL with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.

CAN-2002-1405

Alerts:
SCO Group CSSA-2002-049.0 2002-11-18
Debian DSA-210-1 2002-12-13
Trustix 2002-0085 2002-12-19
Red Hat RHSA-2003:029-06 2003-02-12
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Mandrake MDKSA-2003:023 2003-02-24
Conectiva CLA-2003:720 2003-08-11

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Debian DSA-320-1 2003-06-13
Gentoo 200307-01 2003-07-02
Fedora FEDORA-2005-404 2005-06-09
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-405 2005-06-16

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Red Hat RHSA-2002:228-11 2002-12-17
Conectiva CLA-2003:778 2003-11-07

Comments (none posted)

nethack: buffer overflow

Package(s):nethack, slashem, falconseye CVE #(s):CAN-2003-0358 CAN-2003-0359
Created:February 18, 2003 Updated:July 15, 2003
Description: Overflowing a buffer in nethack may lead to privilege escalation to the games uid.

Read the full advisory for the details.

Note that falconseye does not contain the file permission error CAN-2003-0359 which affected some other nethack packages.

Alerts:
Gentoo 200302-08 2003-02-18
Debian DSA-316-1 2003-06-11
Debian DSA-316-2 2003-06-11
Debian DSA-316-3 2003-06-17
Debian DSA-350-1 2003-07-15

Comments (none posted)

noweb: insecure temporary files

Package(s):noweb CVE #(s):CAN-2003-0381
Created:June 17, 2003 Updated:June 28, 2003
Description: Jakob Lell discovered a bug in the 'noroff' script included in noweb whereby a temporary file was created insecurely. During a review, several other instances of this problem were found and fixed. Any of these bugs could be exploited by a local user to overwrite arbitrary files owned by the user invoking the script.
Alerts:
Debian DSA-323-1 2003-06-16
Gentoo 200306-16 2003-06-28

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Gentoo 200305-01 2002-03-05
Gentoo 200305-02 2003-05-13
Red Hat RHSA-2003:222-01 2003-07-29
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Ubuntu USN-34-1 2004-11-30

Comments (1 posted)

pam_xauth: root exploit

Package(s):pam_xauth CVE #(s):CAN-2002-1160
Created:February 13, 2003 Updated:July 10, 2003
Description: The pam_xauth module is used to forward xauth information from user to user in applications such as 'su'.

Andreas Beck discovered that versions of pam_xauth supplied with Red Hat Linux since version 7.1 would forward authorization information from the root account to unprivileged users. This could be used by a local attacker to gain access to an administrator's X session. In order to exploit this vulnerability, the attacker would have to get the administrator, as root, to use su to the account belonging to the attacker.

Alerts:
Red Hat RHSA-2003:035-10 2003-02-12
Mandrake MDKSA-2003:017-1 2003-04-28
Conectiva CLA-2003:693 2003-07-10

Comments (none posted)

PHP: vulnerability in mail function

Package(s):php CVE #(s):CAN-2002-0985 CAN-2002-0986
Created:November 13, 2002 Updated:October 1, 2003
Description: Two vulnerabilities exist in the mail() PHP function. The first one allows the execution of any program/script, bypassing the safe_mode restriction; the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.

CAN-2002-0985
CAN-2002-0986

Alerts:
Red Hat RHSA-2002:213-06 2002-11-11
Conectiva CLA-2002:545 2002-11-13
EnGarde ESA-20021122-031 2002-11-22
Gentoo 200211-005 2002-11-20
SCO Group CSSA-2003-008.0 2003-03-04

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):postgresql CVE #(s):
Created:February 12, 2003 Updated:November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Mandrake MDKSA-2002:062-1 2003-02-11
Trustix 2003-0004 2003-02-20
Immunix IMNX-2003-7+-005-01 2003-04-08
Debian DSA-397-1 2003-11-07

Comments (1 posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:October 1, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

CAN-2002-1119

Alerts:
Debian DSA-159-1 2002-08-28
Debian DSA-159-2 2002-09-09
Conectiva CLA-2002:527 2002-10-01
Gentoo python-20021003 2002-10-03
Trustix 2002-0073 2002-10-17
SCO Group CSSA-2002-045.0 2002-11-14
Mandrake MDKSA-2002:082 2002-11-25
Mandrake MDKSA-2002:082-1 2002-12-09
Red Hat RHSA-2002:202-25 2003-01-21
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-33 2003-02-12

Comments (none posted)

radiusd-cistron: possible remote system compromise

Package(s):radiusd-cistron CVE #(s):CAN-2003-0450
Created:June 13, 2003 Updated:July 11, 2003
Description: The package radiusd-cistron is an implementation of the RADIUS protocol. Unfortunately the RADIUS server handles large NAS numbers incorrectly. This leads to overwriting internal memory of the server process and may be abused to gain remote access to the system the RADIUS server is running on.
Alerts:
SuSE SuSE-SA:2003:030 2003-06-13
Debian DSA-321-1 2003-06-13
Conectiva CLA-2003:664 2003-06-27
Gentoo 200307-03 2003-07-11

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 9, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Red Hat RHSA-2002:0