By Jonathan Corbet
July 28, 2010
There are both good and bad things that come from LWN's use of its own
content management system; one strong "good" point has always been our
relative freedom from comment spam problems. Many comment spammers seem to
rely on automated tools written for commonly-used publication platforms;
these tools don't work on LWN, so spammers have to do their work by hand.
That said, some
readers may have noticed that spammers have been making occasional
appearances here.
The biggest offender appears to be associated with a shady-looking apparel
store. Even though it's shady-looking, though, we know it's a legitimate
business, because the site's FAQ tells us so:
Is this a legit website? Yes.We are selling the items displayed on
our website. We have sent many packages to different countries.This
is James,a real Person,working for you now,not machine.Thank you.
However, we would like it to be known that even businesses as proper,
upstanding, and trustworthy as this one are not welcome to post their spam
on LWN. We have spent years building this site and even convincing people
that it is something worth paying for. How these people might think that
we would allow them to destroy it is beyond imagining. Comment spam, for
us, is truly a security issue.
Our recent discovery that nearly 3,000 LWN accounts had been created from a
single site known as the origin of much comment spam has also helped to
focus our minds on this issue. We don't know what the intended use of all
those accounts was, but we doubt it was anything good.
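The pattern described here, many accounts created from one source in a short span, is easy to spot once registration events are logged with their origin. The following is an added example, not LWN's own code, and assumes a hypothetical log format of "timestamp source_ip register account" with constructed sample lines; it flags any source that registers at least a threshold number of accounts inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample registration log; the format is an assumption for this example.
SAMPLE_LOG = """\
2010-07-20T10:00:01 203.0.113.7 register acct1001
2010-07-20T10:00:04 203.0.113.7 register acct1002
2010-07-20T10:00:09 203.0.113.7 register acct1003
2010-07-20T10:02:30 198.51.100.23 register reader_jane
2010-07-20T10:03:11 203.0.113.7 register acct1004
2010-07-21T09:15:00 203.0.113.7 register acct1005
2010-07-21T09:16:00 192.0.2.44 register kernel_hacker
"""

LINE_RE = re.compile(r"^(\S+) (\S+) register (\S+)$")


def parse_registrations(text):
    """Yield (timestamp, source, account) for each well-formed registration line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not registration events
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        yield ts, m.group(2), m.group(3)


def burst_sources(text, threshold=3, window=timedelta(minutes=10)):
    """Return {source: [accounts]} for every source that created at least
    `threshold` accounts within any `window`-long span."""
    by_source = defaultdict(list)
    for ts, src, acct in parse_registrations(text):
        by_source[src].append((ts, acct))

    flagged = {}
    for src, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = [acct for _, acct in events]
                break
    return flagged


if __name__ == "__main__":
    for src, accounts in burst_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(accounts)} accounts, e.g. {accounts[:3]}")
```

The threshold and window are tunable; a real deployment would pick them from the site's normal registration rate, and would review flagged sources rather than block them outright, since shared proxies and large organizations also register many accounts from one address.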
Thus far, we have responded to spam by deleting it immediately on discovery
and blocking the accounts and site it came from. The problem appears to be
growing, though, to the point that the manual deletion approach will
eventually run into scalability problems. Besides, we would rather be
writing useful stuff than scrubbing graffiti from the site. But options
for dealing with comment spam appear to be somewhat limited.
We could, of course, moderate all comments, but that approach, too, scales
poorly; it also delays and distorts conversations. Full-scale moderation
is just not a business we want to get into. There are blacklists
out there which identify known sources of spam, but they are far from
complete. One could try content-based filtering approaches, but they have
their own hazards.
What we are likely to do, in the plausible scenario that this problem
persists, is to impose some sort of moderation on comments from new
accounts. After a legitimate comment or two, the moderation block will be
removed and comments will be posted immediately; existing accounts would
not be affected. We might also automatically remove the block if a
subscription is purchased - spammers have shown a surprising reluctance to
support LWN, for some reason.
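The gating policy sketched above can be expressed as a small state machine per account. This added example is not LWN's code; it assumes that two approved comments are enough to lift the hold (the text says "a comment or two"), that accounts predating the policy are marked as such, and that a subscription purchase clears the hold immediately.

```python
from dataclasses import dataclass

# Assumed threshold for "a legitimate comment or two".
REQUIRED_APPROVALS = 2


@dataclass
class Account:
    name: str
    grandfathered: bool = False   # existed before the policy; never held
    subscriber: bool = False
    approved_comments: int = 0


def needs_moderation(acct):
    """True when a comment from this account must wait for a moderator."""
    if acct.grandfathered or acct.subscriber:
        return False
    return acct.approved_comments < REQUIRED_APPROVALS


def submit_comment(acct, text, queue, published):
    """Route a comment to the moderation queue or straight to the site."""
    if needs_moderation(acct):
        queue.append((acct.name, text))
        return "held"
    published.append((acct.name, text))
    return "posted"


def approve(acct, queue, published):
    """A moderator approves the oldest held comment from acct; it counts toward trust."""
    for i, (name, _text) in enumerate(queue):
        if name == acct.name:
            published.append(queue.pop(i))
            acct.approved_comments += 1
            return True
    return False


def purchase_subscription(acct):
    """A paid subscription lifts the hold without waiting for approvals."""
    acct.subscriber = True


def walkthrough():
    """Drive a new account and a pre-existing one through the policy."""
    queue, published = [], []
    newbie = Account("newbie")
    first = submit_comment(newbie, "first comment", queue, published)
    approve(newbie, queue, published)
    second = submit_comment(newbie, "second comment", queue, published)
    approve(newbie, queue, published)
    third = submit_comment(newbie, "third comment", queue, published)
    veteran = Account("veteran", grandfathered=True)
    fourth = submit_comment(veteran, "hello", queue, published)
    return first, second, third, fourth, len(published)


if __name__ == "__main__":
    print(walkthrough())
```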
Nothing is decided yet, so plans could change. We'd be more than
interested in any ideas that readers might have; please post them as
(non-spam) comments on this article. One thing that won't change, though,
is our absolute determination that we will not allow LWN to be used as a
platform for the spamming of our readers.
Comments (51 posted)
Brief items
FWIW, security by obscurity has a bad rep in some circles, but it
is an essential component of any serious security policy. It just
should never be the *only* component.
--
Guido van Rossum
[I]t appears to be a packet of pork product, combined with a big
sign saying something like: "Warning. If you blow up a bomb right
here, you'll get pork stuff all over you before you die -- which
might be suboptimal from a religious point of view."
This appears to not be a joke.
--
Bruce Schneier
Comments (7 posted)
New vulnerabilities
bind: denial of service
| Package(s): | bind |
| CVE #(s): | CVE-2010-0213 |
| Created: | July 23, 2010 |
| Updated: | November 3, 2010 |
| Description: | From the Internet Systems Consortium advisory: If a query is made explicitly for a record of type 'RRSIG' to a validating recursive server running BIND 9.7.1 or 9.7.1-P1, and the server has one or more trust anchors configured statically and/or via DLV, then if the answer is not already in cache, the server enters a loop which repeatedly generates queries for RRSIGs to the authoritative servers for the zone containing the queried name. This rarely occurs in normal operation, since RRSIGs are already included in responses to queries for the RR types they cover, when DNSSEC is enabled and the records exist. |
| Alerts: | |
Comments (none posted)
bogofilter: denial of service
| Package(s): | bogofilter |
| CVE #(s): | CVE-2010-2494 |
| Created: | July 27, 2010 |
| Updated: | January 23, 2013 |
| Description: | From the CVE entry: Multiple buffer underflows in the base64 decoder in base64.c in (1) bogofilter and (2) bogolexer in bogofilter before 1.2.2 allow remote attackers to cause a denial of service (heap memory corruption and application crash) via an e-mail message with invalid base64 data that begins with an = (equals) character. |
| Alerts: | |
Comments (none posted)
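The bogofilter flaw is a decoder that trusts the position of padding characters before it has checked that the input is shaped like base64. The defensive pattern is to validate the layout of the whole string first and only then decode. The example below is added here and is not bogofilter's code; it is a strict decoder that rejects leading or misplaced '=' characters, non-alphabet bytes and lengths that are not a multiple of four, so malformed input never reaches the arithmetic that computes output positions. It does not accept embedded whitespace, which a MIME-aware caller would strip beforehand.

```python
import re
import string

_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
_DECODE = {c: i for i, c in enumerate(_ALPHABET)}

# Whole-string shape check: complete quads, optionally one final quad with
# "==" or "=" padding. A string starting with "=" cannot match.
_SHAPE = re.compile(
    r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
)


def is_well_formed_base64(text):
    """True only if `text` is laid out exactly as RFC 4648 base64 without whitespace."""
    return bool(_SHAPE.match(text))


def decode_base64_strict(text):
    """Decode `text` after validating its shape; raise ValueError on malformed input."""
    if not is_well_formed_base64(text):
        raise ValueError("malformed base64 input")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")   # 0, 1 or 2, and only at the very end (guaranteed by the shape check)
        bits = 0
        for ch in quad:
            bits = (bits << 6) | (0 if ch == "=" else _DECODE[ch])
        chunk = bits.to_bytes(3, "big")
        out += chunk[:3 - pad]   # drop the bytes that padding stood in for
    return bytes(out)


def safely_decoded(text):
    """Return the decoded bytes, or None for input a lax decoder might mishandle."""
    try:
        return decode_base64_strict(text)
    except ValueError:
        return None


if __name__ == "__main__":
    for sample in ("aGVsbG8=", "aGk=", "=aGVsbG8", "aGVsbG8"):
        print(repr(sample), "->", safely_decoded(sample))
```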
firefox: arbitrary code execution
| Package(s): | firefox |
| CVE #(s): | CVE-2010-2755 |
| Created: | July 26, 2010 |
| Updated: | August 17, 2010 |
| Description: | From the Red Hat advisory: An invalid free flaw was found in Firefox's plugin handler. Malicious web content could result in an invalid memory pointer being freed, causing Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running the Firefox application. |
| Alerts: | |
Comments (none posted)
gnupg: code execution
| Package(s): | gnupg2 |
| CVE #(s): | CVE-2010-2547 |
| Created: | July 28, 2010 |
| Updated: | October 24, 2011 |
| Description: | GnuPG 2 suffers from a use-after-free vulnerability which could possibly be exploited (via a signature or certificate) to execute arbitrary code. |
| Alerts: | |
Comments (1 posted)
horde: privacy compromise
| Package(s): | horde |
| CVE #(s): | CVE-2010-0463 |
| Created: | July 27, 2010 |
| Updated: | July 27, 2010 |
| Description: | From the CVE entry: Horde IMP 4.3.6 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests. |
| Alerts: | |
Comments (none posted)
iputils: denial of service
| Package(s): | iputils |
| CVE #(s): | CVE-2010-2529 |
| Created: | July 23, 2010 |
| Updated: | March 15, 2013 |
| Description: | From the Mandriva advisory: Ovidiu Mara reported a vulnerability in ping.c (iputils) that could cause ping to hang when responding to a malicious echo reply. |
| Alerts: | |
Comments (none posted)
libvirt: multiple vulnerabilities
| Package(s): | libvirt |
| CVE #(s): | CVE-2010-2242, CVE-2010-2237, CVE-2010-2238, CVE-2010-2239 |
| Created: | July 27, 2010 |
| Updated: | November 9, 2010 |
| Description: | From the Red Hat bugzilla: Jeremy Nickurak reported an issue with how libvirt creates iptables rules when guest systems are set up for masquerading. (CVE-2010-2242) From the Red Hat bugzilla: It was found that libvirt did not honour the user-defined main disk format in guest XML when looking up disk backing stores in the security drivers. This could possibly be exploited by a privileged guest user to access arbitrary files on the host. (CVE-2010-2237) From the Red Hat bugzilla: It was found that libvirt did not extract the defined disk backing store format when recursing into disk image backing stores in the security drivers. This could possibly be exploited by a privileged guest user to access arbitrary files on the host. (CVE-2010-2238) From the Red Hat bugzilla: It was found that libvirt did not explicitly set the user-defined backing store format when creating a new image. This results in images being created with a potentially insecure configuration, preventing applications from opening backing stores without resorting to probing. A privileged guest user could use this flaw to access arbitrary files on the host. (CVE-2010-2239) |
| Alerts: | |
Comments (none posted)
likewise-open: unauthorized local access
| Package(s): | likewise-open |
| CVE #(s): | CVE-2010-0833 |
| Created: | July 27, 2010 |
| Updated: | August 4, 2010 |
| Description: | From the Ubuntu advisory: Matt Weatherford discovered that Likewise Open did not correctly check password expiration for the local-provider account. A local attacker could exploit this to log into a system they would otherwise not have access to. |
| Alerts: | |
Comments (none posted)
lvm2-cluster: privilege escalation
| Package(s): | lvm2-cluster |
| CVE #(s): | CVE-2010-2526 |
| Created: | July 28, 2010 |
| Updated: | October 7, 2010 |
| Description: | The cluster logical volume manager daemon (clvmd) in the lvm2-cluster package does not authenticate clients connecting to the Unix-domain socket used for control operations. As a result, local, unprivileged users can perform cluster management operations. |
| Alerts: | |
Comments (none posted)
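A control socket like clvmd's needs to know who is on the other end; on Linux the kernel will tell a Unix-domain socket server the peer's pid, uid and gid through the SO_PEERCRED option, so the check cannot be spoofed by the client. The following added example is not clvmd's code: it shows a server-side authorization check built on SO_PEERCRED, exercised over a socketpair so that it runs without a listening daemon. The allowed-uid list is an assumption; a real control daemon would typically restrict to root or a dedicated group.

```python
import os
import socket
import struct


def peer_cred_supported():
    """SO_PEERCRED is Linux-specific; other platforms expose different mechanisms."""
    return hasattr(socket, "SO_PEERCRED")


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the far end of a Unix-domain socket.
    The kernel fills in struct ucred {pid_t, uid_t, gid_t}, three native ints."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def is_authorized(conn, allowed_uids=(0,)):
    """Accept a control connection only from a process running as an allowed uid."""
    _pid, uid, _gid = peer_credentials(conn)
    return uid in allowed_uids


def handle_control_connection(conn, allowed_uids=(0,)):
    """What a daemon's accept loop would do for each new client: check, then serve or refuse."""
    if not is_authorized(conn, allowed_uids):
        conn.sendall(b"EPERM\n")
        return "refused"
    conn.sendall(b"OK\n")
    return "served"


def demo():
    """Exercise the check over a socketpair; the peer of each end is this same process,
    so allowing our own uid succeeds and allowing only a different uid fails."""
    server_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        me = os.getuid()
        served = handle_control_connection(server_end, allowed_uids=(me,))
        refused = handle_control_connection(server_end, allowed_uids=(me + 1,))
        return served, refused
    finally:
        server_end.close()
        client_end.close()


if __name__ == "__main__":
    if peer_cred_supported():
        print(demo())
    else:
        print("SO_PEERCRED not available on this platform")
```

Checking the peer's credentials at connection time is the minimum; a daemon that exposes privileged operations should also keep the socket in a directory with restrictive permissions so that unprivileged processes never reach the accept path in the first place.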
lxsession: arbitrary code execution
| Package(s): | lxsession |
| CVE #(s): | CVE-2010-2532 |
| Created: | July 23, 2010 |
| Updated: | August 2, 2010 |
| Description: | From the openSUSE advisory: lxsession-logout did not properly lock the screen before suspending, hibernating and switching between users which could allow attackers with physical access to take control of the system to obtain sensitive information and / or execute arbitrary code in the context of the user who is currently logged in. |
| Alerts: | |
Comments (none posted)
mysql: denial of service
| Package(s): | mysql |
| CVE #(s): | CVE-2010-2008 |
| Created: | July 27, 2010 |
| Updated: | November 11, 2010 |
| Description: | From the CVE entry: MySQL before 5.1.48 allows remote authenticated users with alter database privileges to cause a denial of service (server crash and database loss) via an ALTER DATABASE command with a #mysql50# string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes MySQL to move certain directories to the server data directory. |
| Alerts: | |
Comments (none posted)
openttd: denial of service
| Package(s): | openttd |
| CVE #(s): | CVE-2010-2534 |
| Created: | July 27, 2010 |
| Updated: | July 27, 2010 |
| Description: | From the Red Hat bugzilla: A remote attacker could use this flaw to conduct denial of service attacks, leading to game server infinite loop consuming excessive amount of CPU time. |
| Alerts: | |
Comments (none posted)
php: multiple vulnerabilities
| Package(s): | php |
| CVE #(s): | CVE-2010-2531, CVE-2010-2484, CVE-2010-2225 |
| Created: | July 27, 2010 |
| Updated: | July 5, 2011 |
| Description: | From the Mandriva advisory: Rewrote var_export() to use smart_str rather than output buffering, prevents data disclosure if a fatal error occurs (CVE-2010-2531). Fixed a possible interruption array leak in strrchr() (CVE-2010-2484). Fixed SplObjectStorage unserialization problems (CVE-2010-2225). |
| Alerts: | |
Comments (none posted)
pidgin: denial of service
| Package(s): | pidgin |
| CVE #(s): | CVE-2010-2528 |
| Created: | July 27, 2010 |
| Updated: | August 30, 2010 |
| Description: | From the Red Hat bugzilla: Mark Doliner, upstream pidgin/libpurple developer, discovered a NULL pointer dereference flaw in the way libpurple handled certain malformed X-Status messages in the ICQ/Oscar protocol. This flaw could allow a remote attacker to crash the victim's instant messenger application using libpurple, such as pidgin. |
| Alerts: | |
Comments (none posted)
samba: multiple vulnerabilities
| Package(s): | samba |
| CVE #(s): | CVE-2010-1635, CVE-2010-1642 |
| Created: | July 27, 2010 |
| Updated: | July 27, 2010 |
| Description: | From the Mandriva advisory: The chain_reply function in process.c in smbd in Samba before 3.4.8 and 3.5.x before 3.5.2 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) via a Negotiate Protocol request with a certain 0x0003 field value followed by a Session Setup AndX request with a certain 0x8003 field value (CVE-2010-1635). The reply_sesssetup_and_X_spnego function in sesssetup.c in smbd in Samba before 3.4.8 and 3.5.x before 3.5.2 allows remote attackers to trigger an out-of-bounds read, and cause a denial of service (process crash), via a \xff\xff security blob length in a Session Setup AndX request (CVE-2010-1642). |
| Alerts: | |
Comments (none posted)
Page editor: Jake Edge