Novell acquires Ximian
[This article was contributed by Joe 'Zonker' Brockmeier]
Every time there's a trade show, there's also a flurry of predictable
press releases. New products, product upgrades, new partnerships and so
on. But sometimes, a company manages to sneak in a surprise. Novell
managed to throw the community a curve during the first day of
LinuxWorld Expo by announcing
that it had acquired Ximian. Novell executives have also hinted that
the company may stop developing
NetWare to focus on Linux in the future.
Earlier this year, Novell announced that it would be expanding its Linux
offerings, but the announcement was met with some skepticism and concern
that Novell's commitment to Linux was half-hearted, particularly after
an early flub where Novell
CEO Jack Messman called Linux "immature." Messman soon apologized, and it would
appear that Novell is quite earnest in its commitment to Linux.
On Tuesday, I spoke to Miguel de Icaza of Ximian about the acquisition
and plans going forward. De Icaza said that Ximian and Novell had
already been working together as partners on some projects before Novell
made the offer to buy Ximian.
For the time being, expect Ximian to pretty much stay the same course as
it was on before the acquisition was announced. De Icaza says that
Ximian will operate as an independent subsidiary of Novell and continue
with its existing schedule, and deliver the products that were in the
pipeline before the acquisition. Evolution, Ximian Connector, Red
Carpet, Mono and Ximian Desktop will continue to be developed. Long
term, he indicated that there would be tighter integration between
Novell's offerings and Ximian's.
Though it wasn't mentioned in Novell's press release, de Icaza says that
Novell will also be developing its own Linux distribution in addition to
making its products available for other Linux distributions. Few details are
available about this new Linux distribution, and de Icaza said
that they had not yet established a timeline for the first release.
Obviously, users can expect to see the Ximian desktop and tight
integration with Ximian's Red Carpet, but details about the remainder of
the distribution are sketchy at the moment.
According to de Icaza, one advantage of a Novell Linux distribution is
that it would give Ximian the opportunity to delve deeper into the
operating system. He noted that Ximian has been somewhat limited in the
features they could implement, since Ximian Desktop and other Ximian
products had to integrate with other distributions whose development
wasn't under Ximian's control. Making modifications to the kernel, for
example, wasn't really an option.
Novell will also give Ximian's product line a shot with customers that
the company found it difficult to reach before teaming with Novell. The
enterprise channel is tough to break into, and de Icaza indicated that
Ximian had previously found larger companies to be nervous about
deploying Ximian solutions. As part of Novell, Ximian's products are now
considered less risky because customers know Novell.
The fact you have a company the size of Novell that's going to be
around, from that perspective that's what gets a lot of people
interested. You have a great product, the problem is getting the product
into the hands of people...getting access to that channel is very
important to us.
Overall, the merger looks to be a good deal for Ximian, Novell and the
Linux community as a whole. While Novell's influence has been waning,
the company still maintains a respectable presence in the enterprise
market. The addition of Novell services to Linux's bag of tricks will
definitely help spur Linux adoption on both the desktop and the server
in larger companies.
On the other side, the acquisition of Ximian may help give Novell a
little more credibility with the existing Linux community and help them
to get up to speed with Linux more quickly.
Comments (7 posted)
Red Hat strikes back
Last week, we wrote that SCO's anti-Linux
campaign was not just IBM's problem, and that others needed to get into
the fight. Red Hat, clearly, was thinking along the same lines; on
August 4 the company
announced
the filing of a lawsuit against SCO in U.S. District Court in Delaware.
Also announced was the creation of a fund (with a $1 million
contribution from Red Hat) to defend Linux developers against infringement
suits.
Red Hat, seeing a threat to its business, decided to act. SCO, indeed, is
not just IBM's problem.
The lawsuit alleges unfair competition, trade libel, deceptive trade
practices, false advertising, and interference with business
opportunities. It asks for a declaratory judgement that Red Hat has not
violated SCO's copyright or trade secrets, and asks for an unspecified
amount of damages. LWN has published a look at
Red Hat's complaint; for those wanting to go to the source, the complaint
itself is available in small,
easily-read text format or huge,
hard-to-read PDF format.
There is one interesting omission from the complaint. SCO continues to distribute
a 2.4 kernel. This action is a clear violation of the GPL (SCO claims that
kernel cannot be redistributed, or even run without a special license - see
below), and thus an infringement of the kernel developers' copyrights. Red
Hat (along with its employees) holds copyrights to a substantial amount of
kernel code, but no allegations of infringement appear in Red Hat's
complaint. Red Hat told us it was "unable to comment" about this
omission. The GPL and SCO's continued distribution of the disputed code
(whatever it is) under a GPL license will almost certainly play a role in
this whole affair before it is done, but the time has apparently not yet
come.
SCO's response
to Red Hat's suit was unyielding, to say the least.
SCO has not been trying to spread fear, uncertainty and doubt to
end users. We have been educating end users on the risks of
running an operating system that is an unauthorized derivative of
UNIX. Linux includes source code that is a verbatim copy of UNIX
and carries with it no warranty or indemnification. SCO's claims
are true and we look forward to proving them in court.
The response includes a letter sent back to Red Hat; quoting from there:
Of course, we will prepare our legal response as required by your
complaint. Be advised that our response will likely include
counterclaims for copyright infringement and conspiracy.
I must say that your decision to file legal action does not seem
conducive to the long-term survivability of Linux.
Remember, as you read the above, that SCO "has not been trying to spread
fear, uncertainty, and doubt."
If things go well, Red Hat's suit has the potential to force SCO to put
its cards on the table and point out the code that, it claims, infringes
upon its copyrights. At that point, it would be possible to actually
evaluate those claims and determine the true origins of the disputed code.
If SCO has no real claim to that code, the issue can be put to rest. If
SCO's copyrights have truly been violated, the parties responsible can be
identified and the stolen code excised. Of course, SCO has no interest in
either of those scenarios, and will continue to fight any sort of public
disclosure. It would not be possible, after all, for SCO to try to collect
a tax on a system known to be free of its copyrights. But that's the
subject for the next article...
Comments (4 posted)
The SCO tax
SCO did not content itself with threatening the "long-term survivability of
Linux" after Red Hat filed suit. The following day, the company
announced
its latest product: an "intellectual property license for Linux" (
license text here). Why, one
might ask? From
the SCO License
FAQ:
Customers have come to SCO asking what they can do to respect and
help protect the rights of the SCO intellectual property in
Linux. SCO has created the Intellectual Property License for Linux
in response to these customer needs.
It is encouraging that SCO is such a concerned, customer-oriented company.
In fact, the company is even kind enough to offer a special "promotional"
pricing arrangement for those who buy their licenses before October.
Prices vary; a "desktop" license is $199, for a single-CPU server it's
$699; for eight processors it goes up to $4999. Embedded devices get a
special $32 price - but that's still enough to hurt when added to your
wireless access point or video recorder.
After the promotional period ends, prices will double.
Of course, certain questions come to mind. Questions like "why the hell
should I pay off a company to use my nicely GPL-licensed software when that
company refuses to show me any proof that it has any claim on said
software?" Strangely enough, this question does not appear in the SCO
licensing FAQ.
For what it's worth, even the Gartner Group has
been quoted as
recommending that potential licensees not bother until the Red Hat suit
plays out.
SCO, perhaps, thinks it is sitting on some sort of gold mine. All it
has to do is make a tax on every Linux installation stick, and enough gold
will flow to Utah to fill Canyonlands. There's only one little
problem: if it were ever to become clear that Linux users actually had to
pay this tax, all distribution of Linux would have to immediately stop.
Distribution of a non-free Linux kernel would be a clear GPL violation, and
there is little doubt
that some holders of Linux copyrights would sue, if necessary, to prevent
their code from being distributed as part of a proprietary product. Even
SCO acknowledges this fact in its FAQ:
The IP License for Linux does not grant distribution rights, nor
does it grant any rights associated with source code. SCO
doesn't offer a license to cure the infringement on the part
of the Linux distributor because SCO's source license
agreement directly conflicts with the GPL.
So, if SCO somehow makes its license stick, it kills the whole game. Linux
distribution would cease, and companies, seeing no future in Linux, would
switch to something else rather than pay exorbitant fees for a dead-end
system. Given that scenario, it is hard to come up with reasons why SCO
would attempt this licensing program in the first place. With the
application of sufficient imagination, however, a few possibilities can be
found:
- The purpose of the licensing program may just be to attract attention
and, with luck, a bit of short-term cash. Perhaps it is not expected
to last very long.
- Perhaps SCO thinks that the momentum and installed base of Linux are
big enough that a way around the GPL problems would have to be found.
- Or, perhaps, the death of Linux is the real goal.
In the short term, however, it's a fairly safe prediction that this
licensing program will not go very far. Most users are far from convinced
by SCO's claims, to say the least. And SCO has very limited resources to
direct toward new legal battles; the company is, after all, fighting two
high-profile cases already. Of course, if you are concerned about
the issue, you should get your advice from a lawyer, not from web
publications like LWN.
Comments (10 posted)
The indemnification issue
SCO has, in recent days, made a big issue out of the fact that IBM and Red
Hat do not indemnify their customers against any sort of intellectual
property infringement committed by use of Linux. This refusal is, it is
said, a clear indication that these companies know they are on thin
legal ice. Indemnification is a distraction from the main issue (being
that SCO claims its code was stolen and put into Linux), but it deserves a
closer look anyway.
A number of articles in the press have portrayed the refusal to indemnify
as a strange thing, out of line with usual software industry practice. The
authors of those articles clearly have not read the license agreements for
the software they used to do their writing. It is a rare product indeed
that comes with an indemnity agreement. Consider Sun, for example. This
company has made indemnity an issue, but if you go read the Solaris
binary code license agreement, you find this text:
UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO THE EXTENT
THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
(Emphasis added). Sun clearly is not interested in exposing itself to
infringement claims. Microsoft's licenses are just as explicit, as are
just about everybody else's. In fact, SCO's intellectual property compliance license for
Linux contains the following language:
ALL WARRANTIES, TERMS, CONDITIONS, REPRESENTATIONS, INDEMNITIES AND
GUARANTEES WITH RESPECT TO THE SOFTWARE, WHETHER EXPRESS OR
IMPLIED, ARISING BY LAW, CUSTOM, PRIOR ORAL OR WRITTEN STATEMENTS
BY ANY PARTY OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO ANY
WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR
ANY IMPLIED WARRANTY OF NON-INFRINGEMENT OF THIRD PARTY
INTELLECTUAL PROPERTY RIGHTS) ARE HEREBY OVERRIDDEN,
EXCLUDED AND DISCLAIMED.
SCO, it seems, is even more explicit than Sun in this regard. When SCO
criticises another company for refusing to indemnify its customers, its
behavior can only be described as cynical and hypocritical.
So why the big push on indemnification? The issue is clearly a useful
distraction from the main issue: SCO's refusal to provide evidence for its
claims. There is also a darker possibility, however. Imagine, for a
moment (and the following is pure speculation), that SCO's pressure
convinces one or more deep-pocketed companies
to offer indemnity for its increasingly nervous customers. If SCO were
then to put those customers at the top of its lawyers' "to hassle" list,
said customers would go immediately to their vendor, asking for relief
under the promised indemnity. SCO could then, perhaps, collect a hefty sum
from the company involved; said company, under pressure from its customers,
may well capitulate in that situation.
In SCO's teleconference this week, CEO Darl McBride said "IBM and Red
Hat have painted a Linux liability target on the backs of their
customers." (Do remember, hard though it may be, that SCO is not
trying to spread fear, uncertainty, and doubt). A real possibility exists
that the customers who are targeted first will be those whose vendor has
been pushed into offering some sort of indemnity. Linux users may well be
better off with the standard "no warranty" language.
Comments (1 posted)
UCITA runs out of steam
LWN first
reported on UCC-2B, a
proposal for a uniform law on software licensing (and other intellectual
property issues), over five years ago. UCC-2B proposed to legitimize
"shrink-wrap" licenses - even if the license is hidden within the box and
unavailable to the customer until after the product is purchased. Some of
the worst abuses of software licensing, such as prohibitions on the
publication of benchmark results or "unauthorized" product reviews and bans
on reverse engineering, would
have, in theory, been legalized by UCC-2B.
Things got more interesting in 1999, when UCC-2B evolved into UCITA. At
this point,
the drafting committee added nice features like the (legal) ability to disable
software remotely, non-transferability of licenses, and more. UCITA was
eventually passed (in modified form) in two U.S. states, but appeared to
stall otherwise. It was, after all, not a very good law.
In 2002, the UCITA folks tried
again with a series of amendments to the law. Remote shutdowns were
taken out, and the provisions allowing the prohibition of public criticism
of the software were watered down slightly. But the new version also
changed the terms on warranties, to the point that it would be impossible
for a free software product to ship with a warranty disclaimer. UCITA
remained a bad law.
Things took a turn for the worse (from the point of view of those backing
UCITA) in early 2003, when the American Bar Association (the professional
association for lawyers in the U.S.) refused to endorse UCITA.
Versions of the law were introduced into several state legislatures, but
made no real progress. UCITA, it seemed, wasn't going anywhere.
This week, it would appear that UCITA has hit the end of the road: the
National Conference of Commissioners on Uniform State Laws has voted to shut down the UCITA
committee. UCITA has ceased to be an active effort in the U.S.
There is a worthwhile lesson in this development: it is possible to
defeat bad laws, at least some of the time. We should not forget another,
hard-learned lesson, however: this sort of proposal tends to come back,
over and over again. Consider the words of the NCCUSL president:
Clearly our efforts to find consensus and to bring all of the
interested parties together has been extraordinary. Unfortunately
in the real world, sometimes doing the right thing at the right
time is not enough.
The clearest thing here is that the people behind UCITA have learned little
from its defeat; UCITA is "the right thing at the right time." UCITA is
gone for now, but it shall certainly be back.
Comments (3 posted)
Page editor: Jonathan Corbet
Security
Security news
SuSE and IBM get Common Criteria certified
One of the more highly hyped LinuxWorld announcements this week has been
this press release from IBM and SuSE. It seems
that the two have worked together to achieve Common Criteria "Evaluation
Assurance Level 2+" certification for SuSE Linux Enterprise Server 8
running on the IBM eServer xSeries server. This is a significant
development - it is the first Common Criteria certified Linux
distribution. Obtaining this certification is said to be expensive
(several hundred thousand dollars), but it should make it easier to sell
Linux solutions to certain kinds of customers.
An EAL2 certification, however, does not actually mean a whole lot. The
Common Criteria is an extensive standard; those who are curious can find it
documented on
commoncriteria.org; bear in mind that it's several hundred pages of
grim technical text in PDF format; print it out and take it to bed.
Those documents describe seven evaluation assurance levels. EAL1 is the
lowest, described by
Jonathan Shapiro as "the vendor showed up for the meeting." EAL7
requires formal designs, proofs that the implementation matches the design,
independent verification of all test results, etc. EAL2, the level
achieved by IBM and SuSE, is described as follows:
EAL2 requires the cooperation of the developer in terms of the
delivery of design information and test results, but should not
demand more effort on the part of the developer than is consistent
with good commercial practice. As such it should not require a
substantially increased investment of cost or time.
EAL2 is applicable in those circumstances where developers or users
require a low to moderate level of independently assured security
in the absence of ready availability of the complete development
record. Such a situation may arise when securing legacy systems, or
where access to the developer may be limited.
In other words, EAL2 requires the developers to have actually thought a
little bit about security, but "should not require a substantially
increased investment of cost or time." It does require that the system be
tested (by the developer) against known vulnerabilities. But, in the end,
EAL2 certification says that the developers thought about security,
generated a big pile of paper, and spent a chunk of money. Not much more.
IBM and SuSE are aiming for EAL3 certification later this year. The
requirement for EAL3 is:
EAL3 permits a conscientious developer to gain maximum assurance
from positive security engineering at the design stage without
substantial alteration of existing sound development practices...
An EAL3 evaluation provides an analysis supported by "grey box"
testing, selective confirmation of the developer test results, and
evidence of a developer search for obvious vulnerabilities.
For what it's worth, some versions of Windows and most proprietary Unix
systems are certified at EAL4. Red Hat (with Oracle's help) submitted
Red Hat Enterprise Linux AS 2.1 for EAL2 certification last February.
According to the press release, they planned to be the first CC-certified
Linux. Looks like SuSE won that race.
Comments (1 posted)
New vulnerabilities
atari800: buffer overflows
Package(s): atari800
CVE #(s): CAN-2003-0630
Created: August 1, 2003
Updated: September 2, 2003
Description:
Steve Kemp discovered multiple buffer overflows in atari800, an Atari
emulator. In order to directly access graphics hardware, one of the
affected programs is setuid root. A local attacker could exploit this
vulnerability to gain root privileges.
Comments (none posted)
gallery: cross-site scripting
Package(s): gallery
CVE #(s): CAN-2003-0614
Created: July 31, 2003
Updated: September 2, 2003
Description:
Larry Nguyen discovered a cross site scripting vulnerability in gallery,
a web-based photo album written in PHP. This security flaw can allow a
malicious user to craft a URL that executes JavaScript code on your
website.
Comments (none posted)
man-db: buffer overflow, command execution
Package(s): man-db
CVE #(s): CAN-2003-0620, CAN-2003-0645
Created: August 5, 2003
Updated: August 18, 2003
Description:
man-db 2.4.1 and earlier contains two separate vulnerabilities. There are
several buffer overflows which could perhaps be locally exploited, and some
directives in ~/.manpath are executed when they should not be. These
vulnerabilities only matter if the package has been installed in the setuid
mode.
Comments (none posted)
postfix: denial of service vulnerabilities
Package(s): postfix
CVE #(s): CAN-2003-0468, CAN-2003-0540
Created: August 5, 2003
Updated: May 27, 2004
Description:
The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two
remotely exploitable denial of service vulnerabilities; see this advisory
from Michal Zalewski for details.
Comments (none posted)
wget: buffer overflow
Package(s): wget
CVE #(s): CAN-2003-1565
Created: August 5, 2003
Updated: December 10, 2003
Description:
The wget utility contains a buffer overflow which, when exploited with an
over-long URL, can enable arbitrary code execution.
Comments (1 posted)
wu-ftpd: off-by-one bug
Package(s): wu-ftpd
CVE #(s): CAN-2003-0466
Created: July 31, 2003
Updated: October 5, 2003
Description:
An off-by-one bug has been discovered in versions of wu-ftpd up to and
including 2.6.2. On a vulnerable system, a remote attacker would be able
to exploit this bug to gain root privileges. See this advisory for more details.
Comments (none posted)
xconq: buffer overflows
Package(s): xconq
CVE #(s): CAN-2003-0607
Created: July 31, 2003
Updated: August 5, 2003
Description:
Steve Kemp discovered a buffer overflow in xconq, in processing the
USER environment variable. In the process of fixing this bug, a
similar problem was discovered with the DISPLAY environment
variable. This vulnerability could be exploited by a local attacker
to gain gid 'games'.
Comments (none posted)
xfstt: remote exploits
Package(s): xfstt
CVE #(s): CAN-2003-0581, CAN-2003-0625
Created: August 1, 2003
Updated: August 5, 2003
Description:
xfstt, a TrueType font server for the X window system, was found to
contain two classes of vulnerabilities:
- CAN-2003-0581: a remote attacker could send requests crafted to
trigger any of several buffer overruns, causing a denial of service or
possibly executing arbitrary code on the server with the privileges
of the "nobody" user.
- CAN-2003-0625: certain invalid data sent during the connection
handshake could allow a remote attacker to read certain regions of
memory belonging to the xfstt process. This information could be
used for fingerprinting, or to aid in exploitation of a different
vulnerability.
Comments (none posted)
xtokkaetama: buffer overflows
Package(s): xtokkaetama
CVE #(s): CAN-2003-0611
Created: July 31, 2003
Updated: August 8, 2003
Description:
Steve Kemp discovered two buffer overflows in xtokkaetama, a puzzle
game, when processing the -display command line option and the
XTOKKAETAMADIR environment variable. These vulnerabilities could be
exploited by a local attacker to gain gid 'games'.
Comments (none posted)
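The xconq and xtokkaetama entries above describe the same defect: a program copies an environment variable (USER, DISPLAY, XTOKKAETAMADIR) into a fixed-size buffer without checking its length. The following C example is added here and is not code from either project; it shows the unbounded pattern next to a bounded replacement that refuses, rather than silently truncates, an over-long value. The buffer size and function names are assumptions.

```c
/* Added example: bounded handling of environment-supplied strings.
 * Not taken from xconq or xtokkaetama; names and sizes are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DISPLAY_MAX 64   /* assumed size of the fixed buffer in the vulnerable pattern */

/* The defective pattern: the length of getenv("DISPLAY") is never checked,
 * so a value longer than the buffer overruns whatever follows it.  Kept only
 * to show what the bounded version replaces; it is not called below. */
void unsafe_display_copy(char *dst /* DISPLAY_MAX bytes */)
{
    const char *env = getenv("DISPLAY");
    if (env != NULL)
        strcpy(dst, env);               /* unbounded copy */
}

/* Bounded replacement.  Copies value into dst[dstlen] and returns 0, or
 * returns -1 (leaving dst as an empty string) when the value would not fit.
 * Refusing instead of truncating matters in a setuid/setgid program: a
 * silently shortened path or display name changes what the program opens. */
int copy_env_value(const char *value, char *dst, size_t dstlen)
{
    if (dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (value == NULL)
        return -1;                      /* variable unset: caller picks a default */

    /* Measure at most dstlen bytes so an unterminated or huge value is never
     * walked to its end before the bound is enforced. */
    size_t len = 0;
    while (len < dstlen && value[len] != '\0')
        len++;
    if (len >= dstlen)
        return -1;                      /* no room for the terminating NUL */

    memcpy(dst, value, len + 1);        /* copies the NUL as well */
    return 0;
}

/* Convenience wrapper: read a variable by name, falling back to a default
 * when it is unset, and apply the same bound either way. */
int get_env_bounded(const char *name, const char *fallback,
                    char *dst, size_t dstlen)
{
    const char *value = getenv(name);
    if (value == NULL)
        value = fallback;
    return copy_env_value(value, dst, dstlen);
}

int main(void)
{
    char display[DISPLAY_MAX];

    if (get_env_bounded("DISPLAY", ":0", display, sizeof display) != 0) {
        fputs("DISPLAY is unset or too long; refusing to continue\n", stderr);
        return 1;
    }
    printf("using display %s\n", display);
    return 0;
}
```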
Updated vulnerabilities
2.4 kernel - several vulnerabilities
Package(s): 2.4 kernel
CVE #(s): CAN-2003-0461, CAN-2003-0462, CAN-2003-0464, CAN-2003-0476,
CAN-2003-0501, CAN-2003-0550, CAN-2003-0551, CAN-2003-0552
Created: July 21, 2003
Updated: December 23, 2003
Description:
Several security issues have been discovered affecting the Linux kernel:
- CAN-2003-0461: /proc/tty/driver/serial reveals the exact character
counts for serial links. This could be used by a local attacker to infer
password lengths and inter-keystroke timings during password entry.
- CAN-2003-0462: Paul Starzetz discovered a file read race condition
existing in the execve() system call, which could cause a local crash.
- CAN-2003-0464: A recent change in the RPC code set the reuse flag on
newly-created sockets. Olaf Kirch noticed that this could allow normal
users to bind to UDP ports used for services such as nfsd.
- CAN-2003-0476: The execve system call in Linux 2.4.x records the file
descriptor of the executable process in the file table of the calling
process, allowing local users to gain read access to restricted file
descriptors.
- CAN-2003-0501: The /proc filesystem in Linux allows local users to
obtain sensitive information by opening various entries in /proc/self
before executing a setuid program. This causes the program to fail to
change the ownership and permissions of already opened entries.
- CAN-2003-0550: The STP protocol is known to have no security, which
could allow attackers to alter the bridge topology. STP is now turned
off by default.
- CAN-2003-0551: STP input processing was lax in its length checking,
which could lead to a denial of service.
- CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table
could be spoofed by sending forged packets with bogus source addresses
the same as the local host.
Comments (none posted)
perl-MailTools: remote command execution
Package(s): MailTools
CVE #(s): CAN-2002-1271
Created: November 5, 2002
Updated: September 19, 2003
Description:
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected
by this vulnerability; in particular, SpamAssassin is vulnerable if you use
the -r or -w flags.
Comments (none posted)
PHP: Cross site scripting vulnerability
Package(s): PHP
CVE #(s): CAN-2003-0442
Created: July 2, 2003
Updated: August 13, 2003
Description:
In PHP version 4.3.1 and earlier, when transparent session ID support is
enabled using the "session.use_trans_sid" option, the session ID is not
escaped before use. This allows a Cross Site Scripting attack.
Comments (none posted)
Multiple-use vulnerability in Safe.pm
Package(s): Safe.pm
CVE #(s): CAN-2002-1323
Created: October 9, 2002
Updated: February 20, 2004
Description:
use Perl has a description of a vulnerability in the Safe.pm Perl module.
It seems that if a Safe compartment is used more than once, it ceases to
be safe. The problem is fixed in Safe 2.08.
Comments (none posted)
apache: multiple vulnerabilities in Apache HTTP server
Package(s): apache
CVE #(s): CAN-2003-0192, CAN-2003-0253, CAN-2003-0254
Created: July 11, 2003
Updated: September 22, 2003
Description:
The Apache Software Foundation and the Apache HTTP Server Project have
announced the release of the Apache HTTP Server 2.0.47. This release fixes
four security vulnerabilities:
- Certain sequences of per-directory renegotiations and the
SSLCipherSuite directive being used to upgrade from a weak ciphersuite to
a strong one could result in the weak ciphersuite being used in place of
the strong one. [CAN-2003-0192]
- Certain errors returned by accept() on rarely accessed ports could
cause temporal denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]
- Denial of service was caused when target host is IPv6 but ftp proxy
server can't create IPv6 socket. [CAN-2003-0254]
- The server would crash when going into an infinite loop due to too
many subsequent internal redirects and nested subrequests. [VU#379828]
Comments (none posted)
Apache: denial of service vulnerabilities
Package(s): apache
CVE #(s): CAN-2003-0460
Created: July 24, 2003
Updated: July 30, 2003
Description:
The Apache Software Foundation and The Apache Server Project released
a new version of the Apache webserver which addresses the
following security vulnerabilities:
- Denial of service (VU #379828): Ryan O'Neill reported that it is
possible to make the httpd server enter infinite loops and crash under
certain circumstances. A new configuration directive has been created
(LimitInternalRecursion) to avoid these infinite loops and abort the
request which caused them if the configured limit has been reached.
- File descriptor leak: Leaks of several file descriptors to child
processes, such as CGI scripts, were fixed.
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
Package(s): bind glibc
CVE #(s): CAN-2002-0651, CAN-2002-0684
Created: July 8, 2002
Updated: October 1, 2003
Description:
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunately that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX
functions. These functions are described in the SuSE alert as "used by
very few applications only, such as ifconfig and ifuser, which makes
exploits less likely."
See also: CERT Advisory CA-2002-19, Buffer Overflow in Multiple DNS
Resolver Libraries; CAN-2002-0651; CAN-2002-0684
Comments (1 posted)
Canna server: exploitable buffer overrun
Package(s): canna
CVE #(s): CAN-2002-1158, CAN-2002-1159
Created: December 10, 2002
Updated: October 1, 2003
Description:
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also: http://canna.sourceforge.jp/sec/Canna-2002-01.txt; CAN-2002-1158;
CAN-2002-1159
Comments (none posted)
ethereal: security problems in Ethereal 0.9.12
Package(s): ethereal
CVE #(s): CAN-2003-0428, CAN-2003-0429, CAN-2003-0431, CAN-2003-0432
Created: June 23, 2003
Updated: November 10, 2003
Description:
Several security problems have been found in Ethereal 0.9.12. "It may be
possible to make Ethereal crash or run arbitrary code by injecting a
purposefully malformed packet onto the wire, or by convincing someone to
read a malformed packet trace file."
Alerts:
Comments (none posted)
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description:
"fam" (file alteration monitor) watches files and directories for changes
and lets interested applications know when something happens. This package
has a flaw in its group handling that blocks some legitimate operations
while, at the same time, exposing the names of files that should otherwise
be invisible.
Alerts:
Comments (none posted)
fdclone: insecure temporary directory
Package(s): fdclone
CVE #(s): CAN-2003-0596
Created: July 23, 2003
Updated: October 1, 2003
Description:
fdclone creates a temporary directory in /tmp as a workspace.
However, if this directory already exists, the existing directory is
used instead, regardless of its ownership or permissions. This would
allow an attacker to gain access to fdclone's temporary files and
their contents, or replace them with other files under the attacker's
control.
CAN-2003-0596
Alerts:
Comments (none posted)
fetchmail: buffer overflow
Package(s): fetchmail
CVE #(s): CAN-2002-1365
Created: December 17, 2002
Updated: October 20, 2003
Description:
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow
vulnerability which can be exploited remotely via a suitably crafted
message. See this advisory for details.
Alerts:
Comments (3 posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
Package(s): glibc
CVE #(s): CAN-2002-1146
Created: November 7, 2002
Updated: February 5, 2004
Description:
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
Alerts:
Comments (none posted)
gnupg: key validation
Package(s): gnupg
CVE #(s): CAN-2003-0255
Created: May 15, 2003
Updated: November 17, 2003
Description:
A key validation bug was discovered in the GNU Privacy Guard (GPG) which
would cause keys with more than one user ID to trust all user IDs with the
amount of trust given to the most-valid user ID.
Alerts:
Comments (none posted)
gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133, CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description:
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
Alerts:
Comments (none posted)
konqueror: information disclosure vulnerability
Package(s): kde konqueror
CVE #(s): CAN-2003-0459
Created: July 30, 2003
Updated: August 11, 2003
Description:
All versions of Konqueror through KDE 3.1.2 contain a vulnerability wherein
the browser could (in rare situations) send authentication information to
an unrelated web site. See this advisory for details.
Alerts:
Comments (none posted)
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description:
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages,
which contain a version of uml_net that is not setuid root.
Alternatively, as a workaround for this vulnerability, issue the following
command as root:
chmod -s /usr/bin/uml_net
Alerts:
Comments (none posted)
libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description:
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly, which causes a buffer overrun
beyond the beginning of the row buffer.
Alerts:
Comments (none posted)
lynx: CRLF injection vulnerability
Package(s): lynx
CVE #(s): CAN-2002-1405
Created: November 19, 2002
Updated: October 1, 2003
Description:
If lynx is given a URL with some special characters on the command line, it
will include faked headers in the HTTP query. This feature can be used to
force scripts (that use lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.
CAN-2002-1405
Alerts:
Comments (none posted)
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description:
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod.
Alerts:
Comments (none posted)
mnogosearch: Remote buffer overflow vulnerabilities
Package(s): mnogosearch
CVE #(s): CAN-2003-0436, CVE-2002-0789
Created: July 28, 2003
Updated: July 30, 2003
Description:
Buffer overflow in the "ul" variable (CAN-2003-0436): pokleyzz
<pokleyzz -at- scan-associates.net> reported a buffer overflow
vulnerability in mnoGoSearch which can be exploited remotely to execute
arbitrary commands with the privileges of the web server.
Buffer overflow in the query variable ("q") (CVE-2002-0789): qitest1
<qitest1 -at- bespin.org> reported a buffer overflow vulnerability in the
query variable ("q") which can be exploited remotely to execute arbitrary
commands with the privileges of the web server.
Alerts:
Comments (none posted)
mpg123 - buffer overflow
Package(s): mpg123
CVE #(s): CAN-2003-0577
Created: July 16, 2003
Updated: September 30, 2003
Description:
The mpg123 utility contains a buffer overflow vulnerability which can allow
an attacker to execute arbitrary code by way of a malicious MP3 file.
Alerts:
Comments (none posted)
Nessus NASL scripting engine security issues
Package(s): nessus
CVE #(s):
Created: May 27, 2003
Updated: August 12, 2004
Description:
Several vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins to the Nessus
server (this option is disabled by default), or he/she would need to trick
a user somehow into running a specially crafted NASL script. Read the full
advisory for additional information.
Alerts:
Comments (none posted)
net-snmp: denial of service vulnerability
Package(s): net-snmp
CVE #(s): CAN-2002-1170
Created: December 17, 2002
Updated: November 7, 2003
Description:
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Comments (none posted)
nfs-utils xlog() off-by-one bug
Package(s): nfs-utils
CVE #(s): CAN-2003-0252
Created: July 14, 2003
Updated: March 8, 2004
Description:
The Linux nfs-utils package contains a remotely exploitable off-by-one
bug in xlog(). A local or remote attacker could exploit this vulnerability
by sending a specially crafted request to the rpc.mountd daemon. See this
BugTraq post for more details.
Alerts:
Comments (none posted)
openssh: timing attack leads to information disclosure
Package(s): openssh
CVE #(s): CAN-2003-0190
Created: May 2, 2003
Updated: November 30, 2004
Description:
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Alerts:
Comments (1 posted)
perl: cross site scripting vulnerability in CGI.pm module
Package(s): perl
CVE #(s): CAN-2003-0615
Created: July 29, 2003
Updated: October 1, 2003
Description:
obscure@eyeonsecurity.org reported a cross site scripting vulnerability in
the CGI.pm perl module. This module is used to facilitate the creation of
web forms and is part of the perl-modules RPM package.
CAN-2003-0615
Alerts:
Comments (none posted)
PHP: vulnerability in mail function
Package(s): php
CVE #(s): CAN-2002-0985, CAN-2002-0986
Created: November 13, 2002
Updated: October 1, 2003
Description:
Two vulnerabilities exist in the mail() PHP function. The first one allows
the execution of any program/script, bypassing the safe_mode restriction;
the second one may result in an open-relay script if the mail() function is
not carefully used in PHP scripts. See this Bugtraq report for more
details. Note that this is a different vulnerability than the previous PHP
mail() problem, which affected versions through 4.1.0.
CAN-2002-0985
CAN-2002-0986
Alerts:
Comments (none posted)
phpgroupware - cross-site scripting and other exploits
Package(s): phpgroupware
CVE #(s): CAN-2003-0504, CAN-2003-0582
Created: July 16, 2003
Updated: October 1, 2003
Description:
Several vulnerabilities were discovered in all versions of phpgroupware
prior to 0.9.14.006. This latest version fixes an exploitable condition in
all versions that can be exploited remotely without authentication and can
lead to arbitrary code execution on the web server. This vulnerability is
being actively exploited.
Version 0.9.14.005 fixed several other vulnerabilities including cross-site
scripting issues that can be exploited to obtain sensitive information such
as authentication cookies.
See this Security Corporation report for more information.
CAN-2003-0504
CAN-2003-0582
Alerts:
Comments (none posted)
PostgreSQL - more buffer overflows
Package(s): postgresql
CVE #(s):
Created: February 12, 2003
Updated: November 7, 2003
Description:
A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they
affect the circle_poly(), path_encode(), and path_addr() functions.
Exploiting these overflows requires that the attacker first obtain a
connection to the PostgreSQL server.
Alerts:
Comments (1 posted)
Local arbitrary code execution vulnerability in Python
Package(s): python
CVE #(s): CAN-2002-1119
Created: August 28, 2002
Updated: October 1, 2003
Description:
Zack Weinberg discovered that
os._execvpe from os.py uses a predictable name which could lead
to execution of arbitrary code. According to the Debian
advisory, the problem
was present in Python versions 1.5, 2.1 and 2.2.
CAN-2002-1119
Alerts:
Comments (none posted)
semi: insecure temporary file
Package(s): semi, wemi
CVE #(s): CAN-2003-0440
Created: July 7, 2003
Updated: October 1, 2003
Description:
semi, a MIME library for GNU Emacs, does not take appropriate
security precautions when creating temporary files. This bug could
potentially be exploited to overwrite arbitrary files with the
privileges of the user running Emacs and semi, potentially with
contents supplied by the attacker.
wemi is a fork of semi, and contains the same bug.
CAN-2003-0440
Alerts:
Comments (none posted)
stunnel: signal handler reentrancy DoS
Package(s): stunnel
CVE #(s): CAN-2002-1563
Created: July 25, 2003
Updated: November 25, 2003
Description:
Stunnel is a wrapper for network connections. It can be used to tunnel an
unencrypted network connection over a secure connection (encrypted using
SSL or TLS) or to provide a secure means of connecting to services that do
not natively support encryption.
When configured to listen for incoming connections (instead of being
invoked by xinetd), stunnel can be configured to either start a thread or a
child process to handle each new connection. If Stunnel is configured to
start a new child process to handle each connection, it will receive a
SIGCHLD signal when that child exits.
Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal
handler which, if interrupted by another SIGCHLD signal, could be unsafe.
This could lead to a denial of service.
Alerts:
Comments (none posted)
sup: insecure temporary file
Package(s): sup
CVE #(s): CAN-2003-0606
Created: July 29, 2003
Updated: October 1, 2003
Description:
sup, a package used to maintain collections of files in identical
versions across machines, fails to take appropriate security
precautions when creating temporary files. A local attacker could
exploit this vulnerability to overwrite arbitrary files with the
privileges of the user running sup.
CAN-2003-0606
Alerts:
Comments (none posted)
File overwrite vulnerability in tar and unzip
Package(s): tar unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 9, 2006
Description:
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
Alerts:
Comments (1 posted)
teapop: SQL injection
Package(s): teapop
CVE #(s): CAN-2003-0515
Created: July 9, 2003
Updated: October 1, 2003
Description:
teapop, a POP-3 server, includes modules for authenticating users
against a PostgreSQL or MySQL database. These modules do not properly
escape user-supplied strings before using them in SQL queries. This
vulnerability could be exploited to execute arbitrary SQL under the
privileges of the database user as which teapop has authenticated.
CAN-2003-0515
Alerts:
Comments (none posted)
Multiple vendor telnetd vulnerability
Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5
CVE #(s):
Created: May 21, 2002
Updated: October 5, 2004
Description:
This vulnerability, originally thought to be confined to BSD-derived
systems, was first