| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
LWN.net Weekly Edition for July 24, 2003
The new Red Hat Linux
It's official: the Red Hat Linux product is no more. The changes announced by the company can be found discussed, in detail, on the Red Hat Linux Project page. In summary, the changes that have been announced are:
- The Red Hat Linux product will no longer be available as a box on
store shelves. Not even in virtual stores. The various Red Hat
enterprise products remain, but the low-end distribution as a
commercial product from Red Hat is done.
- Development of Red Hat Linux will continue, but the company is trying
to move the development of the distribution into a more
community-oriented mode. The internal development mailing lists will be opened
up, and there will eventually be a way for external maintainers to
contribute fixes and packages.
- Red Hat Linux will become more volatile. There will be a six-month release cycle, with no real distinction between major and minor releases. Red Hat will stop backporting security fixes to the version of the relevant package shipped with the distribution release; instead, applying a security fix will mean upgrading to the latest version of the affected program. Red Hat will also work harder at pushing fixes back "upstream," rather than carrying patches themselves.
There are a few implications of this change for Red Hat Linux users. Essentially, if you use Red Hat Linux, you will have to pay more. Either you pay more cash by moving up to the enterprise offerings, or you pay more in effort by finding bugs in the distribution, and, if you can, helping to fix them. A Red Hat Linux box has traditionally been a great bargain: a relatively small amount of money for a stable, well-engineered distribution containing millions of dollars worth of software. Red Hat Linux will remain a good deal, but the terms of the bargain are changing a bit.
For high-clue users who would like to be a part of the distribution development process, the changes will certainly be a good thing. Red Hat has traditionally been developed in a relatively closed mode. Every now and then a new release would show up, but the process by which the development came together was distant and opaque. This distance is one of the reasons why many hackers have preferred more community oriented distributions, such as Debian, Mandrake, or, more recently, Gentoo. Red Hat clearly hopes to tap into the development community by opening things up in this way. If things go well, the result could well be a better, more quickly evolving distribution.
Other users will have to think about whether they want to download and manage new releases themselves, buy a boxed copy from some other retailer (the number of such products is certain to increase), or switch to a different distribution. All three are good options, including the last one. One of the great benefits of using Linux is that you can switch to a different vendor if you don't like where your current vendor is going.
This change is a big step for Red Hat; the company did, after all, get its start by selling boxed Linux distributions at retail. As Linux and the market have evolved, it has become clear that the retail channel is not where the real money is to be made. Red Hat, being a public company needing to bring in serious revenue, is focusing on the markets that, it hopes, will keep it going. So retail sales are out. But Red Hat cannot afford to lose its base distribution and the many people who help test it. Thus the Red Hat Linux Project. With luck, Red Hat can have it both ways: serious revenue from the enterprise market while building a larger development community.
SCO's new offensive
[This article was contributed by Joe 'Zonker' Brockmeier]
As expected, SCO trotted out a new licensing program today that would give Linux users a license from SCO to what SCO claims is their intellectual property in the Linux kernel from 2.4 on. SCO also announced that they had received copyrights for the Unix System V source code.
I sat in on the teleconference that SCO held to announce the new licensing program. McBride did most of the talking during the call, with David Boies adding just a few comments and clarifications, and answering a few questions that were directly addressed to him. I tried to get in the queue to ask a few questions about the impact of the GPL on their plans to offer a license relating to the Linux kernel, but I was not called on. Don Marti, of Linux Journal did get a question in about whether SCO would offer any additional evidence to substantiate their claims, but it was mostly ducked by McBride, though he did affirm that they were not talking about code coming from BSD.
During the call, McBride claimed that "hundreds" of files related to SMP, NUMA and read-copy update (RCU) were infringing on SCO IP either directly or indirectly. According to McBride, if the Linux community were to remove the offending code there would be "little non-infringing code" left in the areas that SCO is claiming rights to. Essentially, SCO seems to be basically claiming ownership of most of the advancements in scalability whether they are directly taken from SCO's codebase or not. Also, McBride noted that some of the code that they claim infringes on their IP was not contributed by IBM, though he did not specify which vendor(s) he believed to be responsible.
Other than announcing the new plan and the copyright registration, very little information was forthcoming. Essentially, they intend to offer a license of some kind that would idemnify companies from possible suits for copyright violations. Pricing was not disclosed, though McBride hinted that it would be equitable or similar to UnixWare 7.1.3 licensing. It will also likely be a per-server, per-CPU situation.
Though SCO did not disclose all of the license terms today, it doesn't seem possible that the company would be able to abide by the terms of the GPL while charging for licenses to run their IP in conjunction with Linux. Even if SCO actually legitimately holds claim over code that's being used in the kernel, the voluntary act of licensing that code should require SCO to allow distribution of the same code under the GPL. According to Section 2b of the GNU GPL:
And, if that weren't enough, Section 4 enjoins anyone from sublicensing programs under the GPL:
Even "hundreds of files" would still be considered a derivative of the Linux kernel -- the majority of which is still uncontestedly free and clear of SCO's IP. If you take the folks from SCO at their word, and assume that they really do own claim to these "hundreds of files," they're ultimately useless without the remainder of the Linux kernel -- which is still under the GPL.
And it's far from clear that SCO has legitimate claim over any code being used in the Linux kernel. Unfortunately, but not surprisingly, SCO did not directly address the issue of how they could license code that's already been distributed as part of the Linux kernel as a separate component that would not fall under the terms of the GNU General Public License.
McBride also made a point of emphasizing that the SCO license would be for "binary format." Which is puzzling, since SCO does not seem to be offering to distribute any kind of new code or new kernel -- simply a license that would give SCO's blessing to using code already available in the Linux kernel. McBride made the point several times that SCO would not be offering source code licenses.
While SCO's antics have most of the Linux community seeing red, someone out there is responding well. SCO's share price has jumped more than a dollar today, and looks likely to close above $13 for the first time in a year.
On the IBM front, Boies was asked whether there were any new developments in SCO's case against IBM. Boies said that he had "nothing to add" and that "as a litigator, I assume cases are going to court resolution." Boies also noted that a lack of resolution in the IBM case will not stop SCO from going forward with other plans based on claiming IP infringement in Linux.
In a nutshell, SCO is formalizing a plan to try to charge companies for the privilege of using Linux or sue them for not doing so. Whether companies will be willing to do so remains to be seen. If they do so, it will basically be on SCO's say-so that they own the rights that they are trying to sell.
The end of the road revisited
It has now been one year since we posted, in the July 25, 2002 Weekly Edition, the notice that LWN.net was to be shut down as a result of its financial problems. The staff had been working without salaries for months, and nothing we had tried seemed to work. It was a hard thing to face, but the only option we seemed to have was to pull the plug. As we said:
What happened then, of course, can only be described as a last-minute miracle. LWN readers started making donations at levels we had never seen before, and we decided to rethink things one more time. What we came up with is the subscription scheme which has supported LWN over the last year.
It is hard not to feel good about how far LWN has come. It is paying its bills (as long as we keep the bills small), and we are answerable directly to our readers. We have managed to make a number of improvements to our content and to the site; traffic is at an all-time high. In some ways, LWN looks more healthy than it has ever been. Certainly, we are glad that LWN did not shut down after all.
That said, it is important to note that the problem is still not completely solved. Salaries remain low, and money for things like travel to trade shows (important in this line of work) remains scarce. We also very much need to bring in one more editor to fill out the content and make it possible for the rest of us to take an occasional vacation. That editor remains a distant dream for now, however.
What we need to do, of course, is bring in more subscriptions. Recent changes have helped in that regard; the number of subscribers has been going up after a few months of little change. We are working at actively promoting the site - for the first time in its history - as a way of bringing in more readers. We'll get there. Meanwhile, we are glad to still be here. Many thanks to all of LWN's readers; your support for us over the last five and a half years has been amazing. Miraculous, even.
Page editor: Jonathan Corbet
Security
Security news
Honeytokens
A "honeypot" is a digital system whose purpose is to attract and identify illegal activity. Traditionally, honeypots are sacrificial computers placed on a network. The honeypot system serves no useful purpose; no legitimate user will have any reason to access it. As a result, any accesses which actually happen are likely to be somebody attempting something nasty. The honeypot can thus serve as a sort of early warning system, as well as a laboratory in which cracker techniques can be studied in real time.A new paper by Lance Spitzner points out that the honeypot concept can be applied in other contexts. One such application is "honeytokens," a bit of information which should never be accessed. An example might be login information placed in a message in a senior manager's mail spool; anybody attempting to actually log in using that information is almost guaranteed to be an attacker. A properly setup system could initiate a trace and catch the attacker before he gets into something truly useful.
This idea is not particularly new; direct (physical) mail companies have long embedded special addresses in their lists to track the use of those lists, for example. The security community has not, until now, made much use of this technique, however. Properly used, honeytokens could become a valuable part of intrusion detection and other security-related systems. Stolen information may not bite, but it may yet manage to strike back at thieves anyway.
New vulnerabilities
2.4 kernel - several vulnerabilities
| Package(s): | 2.4 kernel | CVE #(s): | CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552 | |||||||||||||||||||||||||||
| Created: | July 21, 2003 | Updated: | December 23, 2003 | |||||||||||||||||||||||||||
| Description: | Several security issues have been discovered affecting the Linux kernel:
| |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
fdclone: insecure temporary directory
| Package(s): | fdclone | CVE #(s): | CAN-2003-0596 | |||
| Created: | July 23, 2003 | Updated: | October 1, 2003 | |||
| Description: | fdclone creates a temporary directory in /tmp as a workspace. However, if this directory already exists, the existing directory is used instead, regardless of its ownership or permissions. This would allow an attacker to gain access to fdclone's temporary files and their contents, or replace them with other files under the attacker's control. | |||||
| Alerts: |
| |||||
gnupg: gpg setgid
| Package(s): | gnupg | CVE #(s): | ||||
| Created: | July 21, 2003 | Updated: | July 23, 2003 | |||
| Description: | gpg needs to be setuid to make use of protected memory space, however the setgid bit allowed the gpg user to overwrite files owned by the group root. | |||||
| Alerts: |
| |||||
Updated vulnerabilities
perl-MailTools: remote command execution
| Package(s): | MailTools | CVE #(s): | CAN-2002-1271 | |||||||||||||||
| Created: | November 5, 2002 | Updated: | September 19, 2003 | |||||||||||||||
| Description: | The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Mozilla: heap-based buffer overflow in Mozilla-based browsers
| Package(s): | Mozilla | CVE #(s): | CAN-2002-1308 | ||||||
| Created: | July 15, 2003 | Updated: | July 21, 2003 | ||||||
| Description: | A heap-based buffer overflow in Netscape and Mozilla allows remote
attackers to execute arbitrary code via a jar: URL referencing a
malformed .jar file, which overflows a buffer during decompression.
This has been fixed in Mozilla 1.0.2. | ||||||||
| Alerts: |
| ||||||||
PHP: Cross site scripting vulnerability
| Package(s): | PHP | CVE #(s): | CAN-2003-0442 | |||||||||||||||||||||
| Created: | July 2, 2003 | Updated: | August 13, 2003 | |||||||||||||||||||||
| Description: | In PHP version 4.3.1 and earlier, when transparent session ID support is enabled using the "session.use_trans_sid" option, the session ID is not escaped before use. This allows a Cross Site Scripting attack. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm | CVE #(s): | CAN-2002-1323 | |||||||||||||||
| Created: | October 9, 2002 | Updated: | February 20, 2004 | |||||||||||||||
| Description: | usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Xpdf - command execution vulnerability
| Package(s): | Xpdf | CVE #(s): | CAN-2003-0434 | ||||||||||||||||||||||||
| Created: | June 18, 2003 | Updated: | July 24, 2003 | ||||||||||||||||||||||||
| Description: | Xpdf suffers from the same sort of "execute arbitrary code embedded in a malicious document" vulnerability that is so widespread in other PostScript and PDF interpreters. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
apache: multiple vulnerabilities in Apache HTTP server
| Package(s): | apache | CVE #(s): | CAN-2003-0192 CAN-2003-0253 CAN-2003-0254 | ||||||||||||||||||
| Created: | July 11, 2003 | Updated: | September 22, 2003 | ||||||||||||||||||
| Description: | The Apache Software Foundation and
the Apache HTTP Server Project have announced
the release of the Apache HTTP Server 2.0.47. This release fixes four
security vulnerabilities:
| ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc | CVE #(s): | CAN-2002-0651 CAN-2002-0684 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 8, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely." CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
Canna server: exploitable buffer overrun
| Package(s): | canna | CVE #(s): | CAN-2002-1158 CAN-2002-1159 | ||||||||||||
| Created: | December 10, 2002 | Updated: | October 1, 2003 | ||||||||||||
| Description: | Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue. A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159) | ||||||||||||||
| Alerts: |
| ||||||||||||||
CUPS: vulnerability in the CUPS IPP implementation
| Package(s): | cups | CVE #(s): | CAN-2003-0195 | ||||||||||||||||||||||||
| Created: | May 27, 2003 | Updated: | July 22, 2003 | ||||||||||||||||||||||||
| Description: | Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP (Internet Printing Protocol) implementation. The IPP implementation is single-threaded, which means only one request can be serviced at a time. An attacker could make a partial request that does not time out and therefore creates a denial of service. In order to exploit this bug, an attacker must have the ability to make a TCP connection to the IPP port (by default 631). | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
ethereal: security problems in Ethereal 0.9.12
| Package(s): | ethereal | CVE #(s): | CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432 | ||||||||||||||||||
| Created: | June 23, 2003 | Updated: | November 10, 2003 | ||||||||||||||||||
| Description: | Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file." | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Filename disclosure vulnerability in fam
| Package(s): | fam | CVE #(s): | CAN-2002-0875 | ||||||
| Created: | August 19, 2002 | Updated: | January 5, 2005 | ||||||
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. | ||||||||
| Alerts: |
| ||||||||
fetchmail: buffer overflow
| Package(s): | fetchmail | CVE #(s): | CAN-2002-1365 | ||||||||||||||||||||||||
| Created: | December 17, 2002 | Updated: | October 20, 2003 | ||||||||||||||||||||||||
| Description: | Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc | CVE #(s): | CAN-2002-1146 | |||||||||
| Created: | November 7, 2002 | Updated: | February 5, 2004 | |||||||||
| Description: | DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash). | |||||||||||
| Alerts: |
| |||||||||||
gnupg: key validation
| Package(s): | gnupg | CVE #(s): | CAN-2003-0255 | |||||||||||||||||||||||||||
| Created: | May 15, 2003 | Updated: | November 17, 2003 | |||||||||||||||||||||||||||
| Description: | A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more then one user ID to trust all user ID's with the amount of trust given to the most-valid user ID. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml | CVE #(s): | CAN-2003-0133 CAN-2003-0541 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | April 18, 2005 | ||||||||||||||||||
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
kernel 2.4 - two new vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2003-0244 CAN-2003-0246 | ||||||||||||||||||||||||||||||||||||
| Created: | May 14, 2003 | Updated: | July 25, 2003 | ||||||||||||||||||||||||||||||||||||
| Description: | The 2.4.20 (and prior) kernel contains a couple of vulnerabilities that are worth fixing.
| ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils | CVE #(s): | CAN-2003-0019 | |||
| Created: | February 7, 2003 | Updated: | January 21, 2005 | |||
| Description: | The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: chmod -s /usr/bin/uml_net | |||||
| Alerts: |
| |||||
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 | CVE #(s): | CAN-2002-1363 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 19, 2002 | Updated: | July 14, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
lynx: CRLF injection vulnerability
| Package(s): | lynx | CVE #(s): | CAN-2002-1405 | |||||||||||||||||||||
| Created: | November 19, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||
| Description: | If lynx is given a url with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
mikmod: buffer overflow
| Package(s): | mikmod | CVE #(s): | CAN-2003-0427 | |||||||||||||||
| Created: | June 16, 2003 | Updated: | June 16, 2005 | |||||||||||||||
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
mpg123 - buffer overflow
| Package(s): | mpg123 | CVE #(s): | CAN-2003-0577 | |||||||||
| Created: | July 16, 2003 | Updated: | September 30, 2003 | |||||||||
| Description: | The mpg123 utility contains a buffer overflow vulnerability which can allow an attacker to execute arbitrary code by way of a malicious MP3 file. | |||||||||||
| Alerts: |
| |||||||||||
Nessus NASL scripting engine security issues
| Package(s): | nessus | CVE #(s): | ||||
| Created: | May 27, 2003 | Updated: | August 12, 2004 | |||
| Description: | Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information. | |||||
| Alerts: |
| |||||
net-snmp: denial of service vulnerability
| Package(s): | net-snmp | CVE #(s): | CAN-2002-1170 | ||||||
| Created: | December 17, 2002 | Updated: | November 7, 2003 | ||||||
| Description: | The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet. | ||||||||
| Alerts: |
| ||||||||
nfs-utils xlog() off-by-one bug
| Package(s): | nfs-utils | CVE #(s): | CAN-2003-0252 | ||||||||||||||||||||||||||||||||||||
| Created: | July 14, 2003 | Updated: | March 8, 2004 | ||||||||||||||||||||||||||||||||||||
| Description: | Linux NFS utils package contains remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending specially crafted request to rpc.mountd daemon. See this BugTraq post for more details. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
openssh: timing attack leads to information disclosure
| Package(s): | openssh | CVE #(s): | CAN-2003-0190 | |||||||||||||||
| Created: | May 2, 2003 | Updated: | November 30, 2004 | |||||||||||||||
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
PHP: vulnerability in mail function
| Package(s): | php | CVE #(s): | CAN-2002-0985 CAN-2002-0986 | |||||||||||||||
| Created: | November 13, 2002 | Updated: | October 1, 2003 | |||||||||||||||
| Description: | Two vulnerabilities exists in the mail() PHP function. The first one allows the execution of any program/script bypassing safe_mode restriction, the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
phpgroupware - cross-site scripting and other exploits
| Package(s): | phpgroupware | CVE #(s): | CAN-2003-0504 CAN-2003-0582 | ||||||||||||
| Created: | July 16, 2003 | Updated: | October 1, 2003 | ||||||||||||
| Description: | Several vulnerabilities were discovered in all versions of phpgroupware
prior to 0.9.14.006. This latest version fixes an exploitable condition in
all versions that can be exploited remotely without authentication and can
lead to arbitrary code execution on the web server. This vulnerability is
being actively exploited.
Version 0.9.14.005 fixed several other vulnerabilities including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies. See this Security Corportation report for more information. | ||||||||||||||
| Alerts: |
| ||||||||||||||
PostgreSQL - more buffer overflows
| Package(s): | postgresql | CVE #(s): | |||||||||||||
| Created: | February 12, 2003 | Updated: | November 7, 2003 | ||||||||||||
| Description: | A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Local arbitrary code execution vulnerability in Python
| Package(s): | python | CVE #(s): | CAN-2002-1119 | |||||||||||||||||||||||||||||||||
| Created: | August 28, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||||||||
| Description: | Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
semi: insecure temporary file
| Package(s): | semi, wemi | CVE #(s): | CAN-2003-0440 | ||||||||||||
| Created: | July 7, 2003 | Updated: | October 1, 2003 | ||||||||||||
| Description: | semi, a MIME library for GNU Emacs, does not take appropriate
security precautions when creating temporary files. This bug could
potentially be exploited to overwrite arbitrary files with the
privileges of the user running Emacs and semi, potentially with
contents supplied by the attacker.
wemi is a fork of semi, and contains the same bug. | ||||||||||||||
| Alerts: |
| ||||||||||||||
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip | CVE #(s): | CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399 | |||||||||||||||||||||||||||
| Created: | October 1, 2002 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
teapop: SQL injection
| Package(s): | teapop | CVE #(s): | CAN-2003-0515 | ||||||
| Created: | July 9, 2003 | Updated: | October 1, 2003 | ||||||
| Description: | teapop, a POP-3 server, includes modules for authenticating users against a PostgreSQL or MySQL database. These modules do not properly escape user-supplied strings before using them in SQL queries. This vulnerability could be exploited to execute arbitrary SQL under the privileges of the database user as which teapop has authenticated. | ||||||||
| Alerts: |
| ||||||||
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 | CVE #(s): | |||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 21, 2002 | Updated: | October 5, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
traceroute-nanog: integer overflow
| Package(s): | traceroute-nanog | CVE #(s): | CAN-2003-0453 | |||
| Created: | July 16, 2003 | Updated: | July 16, 2003 | |||
| Description: | There is an integer overflow vulnerability in traceroute-nanog (an enhanced version of traceroute) which may be exploited to execute arbitrary code. | |||||
| Alerts: |
| |||||
ucd-snmp - heap overflow
| Package(s): | ucd-snmp | CVE #(s): | ||||
| Created: | July 16, 2003 | Updated: | July 16, 2003 | |||
| Description: | The snmpnetstat tool (part of the ucd-snmp package) contains a heap overflow vulnerability which, when confronted with a hostile server, can be exploited to run arbitrary code. | |||||
| Alerts: |
| |||||
unzip: directory traversal vulnerability
| Package(s): | unzip | CVE #(s): | CAN-2003-0282 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | July 1, 2003 | Updated: | November 13, 2003 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | A vulnerabilitiy in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information. | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
vim - modeline vulnerability
| Package(s): | vim | CVE #(s): | CAN-2002-1377 | ||||||||||||||||||
| Created: | January 16, 2003 | Updated: | February 10, 2004 | ||||||||||||||||||
| Description: | VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
vixie-cron: Local vulnerability
| Package(s): | vixie-cron | CVE #(s): | CVE-2001-0559 | |||||||||
| Created: | April 17, 2003 | Updated: | October 3, 2003 | |||||||||
| Description: | From the ISS
advisory:
"Vixie Cron is a scheduling daemon that ships with several Linux
distributions. Vixie Cron version 3.0pl1 could allow a local attacker to
gain root privileges. Crontab fails to properly drop privileges in certain
cases after a crontab modification operation. A local attacker could
exploit this vulnerability to gain root privileges on the system since
crontab is installed setuid root."
Note: this vulnerability is dated May 07 2001, and was first mentioned in LWN on the May 10, 2001 security page. | |||||||||||
| Alerts: |
| |||||||||||
webmin: session ID spoofing
| Package(s): | webmin | CVE #(s): | CAN-2003-0101 | ||||||
| Created: | June 13, 2003 | Updated: | November 18, 2003 | ||||||
| Description: | miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges. | ||||||||
| Alerts: |
| ||||||||
wget:directory traversal bug
| Package(s): | wget | CVE #(s): | CAN-2002-1344 | |||||||||||||||||||||||||||
| Created: | December 10, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||
| Description: | Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious
FTP server to create or overwrite files anywhere on the local file system.
FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3). If the FTP client fails to do so, a malicious FTP server can send filenames beginning with '/' or containing '/../' which can be used to direct a vulnerable FTP client to write files (such as .forward, .rhosts, .shosts, etc.) that can then be used for later attacks against the client machine. See also this Bugtraq article from 1997. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
Wwwoffle remote privilege escalation vulnerability
| Package(s): | wwwoffle | CVE #(s): | CAN-2002-0818 | |||||||||
| Created: | August 14, 2002 | Updated: | October 1, 2003 | |||||||||
| Description: | The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with negative Content Length values. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on." | |||||||||||
| Alerts: |
| |||||||||||
xinetd: Memory leak in xinetd 2.3.10
| Package(s): | xinetd | CVE #(s): | CAN-2003-0211 | |||||||||||||||
| Created: | May 13, 2003 | Updated: | November 12, 2003 | |||||||||||||||
| Description: | Xinetd is a 'master server' that is used to to accept service connection
requests and start the appropriate servers.
Because of a programming error, memory was allocated and never freed if a connection was refused for any reason. An attacker could exploit this flaw to crash the xinetd server, rendering all services it controls unavailable. In addition, other flaws in xinetd could cause incorrect operation in certain unusual server configurations. All users of xinetd are advised to update to xinetd-2.3.11 which is not vulnerable to these issues. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Resources
Linux Security Week
The LinuxSecurity.com Linux Security Week for July 21, 2003 is available.
Page editor: Jonathan Corbet
Kernel development
Release status
Kernel release status
The current development kernel is 2.6.0-test1; Linus has been busy and has released no new development kernels over the last week.Linus has put a few things into his BitKeeper tree, including some ACPI fixes, an ia-64 update, a PPC32 update, a number of USB tweaks, a new local_t for cpu-local atomic variables, and various other fixes and updates.
The current stable kernel is 2.4.21. The current 2.4.22 prepatch is 2.4.22-pre7, released by Marcelo on July 18; it includes a Super-H architecture merge, some I/O scheduler work, and various fixes and updates. Marcelo promises the first release candidate within a couple of weeks.
Kernel development news
A slow week for the kernel page
Things have been relatively slow in the kernel development world due to the fact that many kernel hackers are on the road to attend the kernel summit and OLS. Your editor is also on the road, so this week's Kernel Page will be small. For those who haven't yet seen it, our 2003 Kernel Summit coverage will, hopefully, provide a sufficient kernel news fix for the week. This page will return to its regular size next week.
Patches and updates
Kernel trees
- Alan Cox: Linux 2.6.0-test1-ac3. (July 23, 2003)
- Andrew Morton: 2.6.0-test1-mm2. (July 23, 2003)
- Stephen Hemminger: 2.6.0-test1-osdl2. (July 17, 2003)
- Marcelo Tosatti: Linux 2.4.22-pre7. (July 18, 2003)
- Andrea Arcangeli: 2.4.22pre7aa1. (July 19, 2003)
- Alan Cox: Linux 2.4.22-pre6-ac1. (July 18, 2003)
- Andrea Arcangeli: 2.4.22pre6aa1. (July 17, 2003)
- Andrea Arcangeli: 2.4.22pre6aa2. (July 18, 2003)
Core kernel code
- Ingo Oeser: Providing generic pipelines and io routing as Linux service. (July 18, 2003)
- Con Kolivas: O7int for interactivity. (July 18, 2003)
- Pavel Machek: FYI: my current swsusp bigdiff. (July 22, 2003)
Device drivers
- Andrew Vasquez: QLogic qla2xxx driver update available (v8.00.00b4).. (July 18, 2003)
- Greg KH: USB fixes for 2.6.0-test1. (July 18, 2003)
- Erik Andersen: Promise SATA driver GPL'd. (July 23, 2003)
- Jeff Garzik: libata driver update posted. (July 23, 2003)