Novell acquires Ximian

[This article was contributed by Joe 'Zonker' Brockmeier]

Every time there's a trade show, there's also a flurry of predictable press releases. New products, product upgrades, new partnerships and so on. But sometimes, a company manages to sneak in a surprise. Novell managed to throw the community a curve during the first day of LinuxWorld Expo by announcing that it had acquired Ximian. Novell executives have also hinted that the company may stop developing NetWare to focus on Linux in the future.

Earlier this year, Novell announced that it would be expanding its Linux offerings, but the announcement was met with some skepticism and concern that Novell's commitment to Linux was half-hearted, particularly after an early flub where Novell CEO Jack Messman called Linux "immature." Messman soon apologized, and it would appear that Novell is quite earnest in its commitment to Linux.

On Tuesday, I spoke to Miguel de Icaza of Ximian about the acquisition and plans going forward. De Icaza said that Ximian and Novell had already been working together as partners on some projects before Novell made the offer to buy Ximian.

For the time being, expect Ximian to pretty much stay the same course as it was on before the acquisition was announced. De Icaza says that Ximian will operate as an independent subsidiary of Novell and continue with its existing schedule, and deliver the products that were in the pipeline before the acquisition. Evolution, Ximian Connector, Red Carpet, Mono and Ximian Desktop will continue to be developed. Long term, he indicated that there would be tighter integration between Novell's offerings and Ximian's.

Though it wasn't mentioned in Novell's press release, de Icaza says that Novell will also be developing its own Linux distribution in addition to making its products available for other Linux distributions. Few details are available about this new Linux distribution, and de Icaza said that they had not yet established a timeline for the first release. Obviously, users can expect to see the Ximian desktop and tight integration with Ximian's Red Carpet, but details about the remainder of the distribution are sketchy at the moment.

According to de Icaza, one advantage of a Novell Linux distribution is that it would give Ximian the opportunity to delve deeper into the operating system. He noted that Ximian has been somewhat limited in the features they could implement, since Ximian Desktop and other Ximian products had to integrate with other distributions whose development wasn't under Ximian's control. Making modifications to the kernel, for example, wasn't really an option.

Novell will also give Ximian's product line a shot with customers that the company found it difficult to reach before teaming with Novell. The enterprise channel is tough to break into, and de Icaza indicated that Ximian had previously found larger companies to be nervous about deploying Ximian solutions. As part of Novell, Ximian's products are now considered less risky because customers know Novell.

The fact you have a company the size of Novell that's going to be around, from that perspective that's what gets a lot of people interested. You have a great product, the problem is getting the product into the hands of people...getting access to that channel is very important to us.

Overall, the merger looks to be a good deal for Ximian, Novell and the Linux community as a whole. While Novell's influence has been waning, the company still maintains a respectable presence in the enterprise market. The addition of Novell services to Linux's bag of tricks will definitely help spur Linux adoption on both the desktop and the server in larger companies. On the other side, the acquisition of Ximian may help give Novell a little more credibility with the existing Linux community and help them to get up to speed with Linux more quickly.

Comments (7 posted)

Red Hat strikes back

Last week, we wrote that SCO's anti-Linux campaign was not just IBM's problem, and that others needed to get into the fight. Red Hat, clearly, was thinking along the same lines; on August 4 the company announced the filing of a lawsuit against SCO in U.S. District Court in Delaware. Also announced was the creation of a fund (with a $1 million contribution from Red Hat) to defend Linux developers against infringement suits. Red Hat, seeing a threat to its business, decided to act. SCO, indeed, is not just IBM's problem.

The lawsuit alleges unfair competition, trade libel, deceptive trade practices, false advertising, and interference with business opportunities. It asks for a declaratory judgement that Red Hat has not violated SCO's copyright or trade secrets, and asks for an unspecified amount of damages. LWN has published a look at Red Hat's complaint; for those wanting to go to the source, the complaint itself is available in small, easily-read text format or huge, hard-to-read PDF format.

There is one interesting omission from the complaint. SCO continues to distribute a 2.4 kernel. This action is a clear violation of the GPL (SCO claims that kernel cannot be redistributed, or even run without a special license - see below), and thus an infringement of the kernel developers' copyrights. Red Hat (along with its employees) holds copyrights to a substantial amount of kernel code, but no allegations of infringement appear in Red Hat's complaint. Red Hat told us it was "unable to comment" about this omission. The GPL and SCO's continued distribution of the disputed code (whatever it is) under a GPL license will almost certainly play a role in this whole affair before it is done, but the time has apparently not yet come.

SCO's response to Red Hat's suit was unyielding, to say the least.

SCO has not been trying to spread fear, uncertainty and doubt to end users. We have been educating end users on the risks of running an operating system that is an unauthorized derivative of UNIX. Linux includes source code that is a verbatim copy of UNIX and carries with it no warranty or indemnification. SCO's claims are true and we look forward to proving them in court.

The response includes a letter sent back to Red Hat; quoting from there:

Of course, we will prepare our legal response as required by your complaint. Be advised that our response will likely include counterclaims for copyright infringement and conspiracy.

I must say that your decision to file legal action does not seem conducive to the long-term survivability of Linux.

Remember, as you read the above, that SCO "has not been trying to spread fear, uncertainty, and doubt."

If things go well, Red Hat's suit has the potential to force SCO to put its cards on the table and point out the code that, it claims, infringes upon its copyrights. At that point, it would be possible to actually evaluate those claims and determine the true origins of the disputed code. If SCO has no real claim to that code, the issue can be put to rest. If SCO's copyrights have truly been violated, the parties responsible can be identified and the stolen code excised. Of course, SCO has no interest in either of those scenarios, and will continue to fight any sort of public disclosure. It would not be possible, after all, for SCO to try to collect a tax on a system known to be free of its copyrights. But that's the subject for the next article...

Comments (4 posted)

The SCO tax

SCO did not content itself with threatening the "long-term survivability of Linux" after Red Hat filed suit. The following day, the company announced its latest product: an "intellectual property license for Linux" (license text here). Why, one might ask? From the SCO License FAQ:

Customers have come to SCO asking what they can do to respect and help protect the rights of the SCO intellectual property in Linux. SCO has created the Intellectual Property License for Linux in response to these customer needs.

It is encouraging that SCO is such a concerned, customer-oriented company. In fact, the company is even kind enough to offer a special "promotional" pricing arrangement for those who buy their licenses before October. Prices vary; a "desktop" license is $199, for a single-CPU server it's $699; for eight processors it goes up to $4999. Embedded devices get a special $32 price - but that's still enough to hurt when added to your wireless access point or video recorder.

After the promotional period ends, prices will double.

Of course, certain questions come to mind. Questions like "why the hell should I pay off a company to use my nicely GPL-licensed software when that company refuses to show me any proof that it has any claim on said software?" Strangely enough, this question does not appear in the SCO licensing FAQ.

For what it's worth, even the Gartner Group has been quoted as recommending that potential licensees not bother until the Red Hat suit plays out.

SCO, perhaps, thinks it is sitting on some sort of gold mine. All it has to do is make a tax on every Linux installation stick, and enough gold will flow to Utah to fill Canyonlands. There's only one little problem: if it were ever to become clear that Linux users actually had to pay this tax, all distribution of Linux would have to immediately stop. Distribution of a non-free Linux kernel would be a clear GPL violation, and there is little doubt that some holders of Linux copyrights would sue, if necessary, to prevent their code from being distributed as part of a proprietary product. Even SCO acknowledges this fact in its FAQ:

The IP License for Linux does not grant distribution rights, nor does it grant any rights associated with source code. SCO doesn't offer a license to cure the infringement on the part of the Linux distributor because SCO's source license agreement directly conflicts with the GPL.

So, if SCO somehow makes its license stick, it kills the whole game. Linux distribution would cease, and companies, seeing no future in Linux, would switch to something else rather than pay exorbitant fees for a dead-end system. Given that scenario, it is hard to come up with reasons why SCO would attempt this licensing program in the first place. With the application of sufficient imagination, however, a few possibilities can be found:

  • The purpose of the licensing program may just be to attract attention and, with luck, a bit of short-term cash. Perhaps it is not expected to last very long.

  • Perhaps SCO thinks that the momentum and installed base of Linux are big enough that a way around the GPL problems would have to be found.

  • Or, perhaps, the death of Linux is the real goal.

In the short term, however, it's a fairly safe prediction that this licensing program will not go very far. Most users are far from convinced by SCO's claims, to say the least. And SCO has very limited resources to direct toward new legal battles; the company is, after all, fighting two high-profile cases already. Of course, if you are concerned about the issue, you should get your advice from a lawyer, not from web publications like LWN.

Comments (10 posted)

The indemnification issue

SCO has, in recent days, made a big issue out of the fact that IBM and Red Hat do not indemnify their customers against any sort of intellectual property infringement committed by use of Linux. This refusal, it is said, is a clear indication that these companies know they are on thin legal ice. Indemnification is a distraction from the main issue (being that SCO claims its code was stolen and put into Linux), but it deserves a closer look anyway.

A number of articles in the press have portrayed the refusal to indemnify as a strange thing, out of line with usual software industry practice. The authors of those articles clearly have not read the license agreements for the software they used to do their writing. It is a rare product indeed that comes with an indemnity agreement. Consider Sun, for example. This company has made indemnity an issue, but if you go read the Solaris binary code license agreement, you find this text:

UNLESS SPECIFIED IN THIS AGREEMENT, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT THESE DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

(Emphasis added). Sun clearly is not interested in exposing itself to infringement claims. Microsoft's licenses are just as explicit, as are just about everybody else's. In fact, SCO's intellectual property compliance license for Linux contains the following language:

ALL WARRANTIES, TERMS, CONDITIONS, REPRESENTATIONS, INDEMNITIES AND GUARANTEES WITH RESPECT TO THE SOFTWARE, WHETHER EXPRESS OR IMPLIED, ARISING BY LAW, CUSTOM, PRIOR ORAL OR WRITTEN STATEMENTS BY ANY PARTY OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR ANY IMPLIED WARRANTY OF NON-INFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS) ARE HEREBY OVERRIDDEN, EXCLUDED AND DISCLAIMED.

SCO, it seems, is even more explicit than Sun in this regard. When SCO criticises another company for refusing to indemnify its customers, its behavior can only be described as cynical and hypocritical.

So why the big push on indemnification? The issue is clearly a useful distraction from the main issue: SCO's refusal to provide evidence for its claims. There is also a darker possibility, however. Imagine, for a moment (and the following is pure speculation), that SCO's pressure convinces one or more deep-pocketed companies to offer indemnity for its increasingly nervous customers. If SCO were then to put those customers at the top of its lawyers' "to hassle" list, said customers would go immediately to their vendor, asking for relief under the promised indemnity. SCO could then, perhaps, collect a hefty sum from the company involved; said company, under pressure from its customers, may well capitulate in that situation.

In SCO's teleconference this week, CEO Darl McBride said "IBM and Red Hat have painted a Linux liability target on the backs of their customers." (Do remember, hard though it may be, that SCO is not trying to spread fear, uncertainty, and doubt). A real possibility exists that the customers who are targeted first will be those whose vendor has been pushed into offering some sort of indemnity. Linux users may well be better off with the standard "no warranty" language.

Comments (1 posted)

UCITA runs out of steam

LWN first reported on UCC-2B, a proposal for a uniform law on software licensing (and other intellectual property issues), over five years ago. UCC-2B proposed to legitimize "shrink-wrap" licenses - even if the license is hidden within the box and unavailable to the customer until after the product is purchased. Some of the worst abuses of software licensing, such as prohibitions on the publication of benchmark results or "unauthorized" product reviews and bans on reverse engineering, would have, in theory, been legalized by UCC-2B.

Things got more interesting in 1999, when UCC-2B evolved into UCITA. At this point, the drafting committee added nice features like the (legal) ability to disable software remotely, non-transferability of licenses, and more. UCITA was eventually passed (in modified form) in two U.S. states, but appeared to stall otherwise. It was, after all, not a very good law.

In 2002, the UCITA folks tried again with a series of amendments to the law. Remote shutdowns were taken out, and the provisions allowing the prohibition of public criticism of the software were watered down slightly. But the new version also changed the terms on warranties, to the point that it would be impossible for a free software product to ship with a warranty disclaimer. UCITA remained a bad law.

Things took a turn for the worse (from the point of view of those backing UCITA) in early 2003, when the American Bar Association (the professional association for lawyers in the U.S.) refused to endorse UCITA. Versions of the law were introduced into several state legislatures, but made no real progress. UCITA, it seemed, wasn't going anywhere.

This week, it would appear that UCITA has hit the end of the road: the National Conference of Commissioners on Uniform State Laws has voted to shut down the UCITA committee. UCITA has ceased to be an active effort in the U.S.

There is a worthwhile lesson in this development: it is possible to defeat bad laws, at least some of the time. We should not forget another, hard-learned lesson, however: this sort of proposal tends to come back, over and over again. Consider the words of the NCCUSL president:

Clearly our efforts to find consensus and to bring all of the interested parties together has been extraordinary. Unfortunately in the real world, sometimes doing the right thing at the right time is not enough.

The clearest thing here is that the people behind UCITA have learned little from its defeat; UCITA is "the right thing at the right time." UCITA is gone for now, but it shall certainly be back.

Comments (3 posted)

Page editor: Jonathan Corbet

Security

Security news

SuSE and IBM get Common Criteria certified

One of the more highly hyped LinuxWorld announcements this week has been this press release from IBM and SuSE. It seems that the two have worked together to achieve Common Criteria "Evaluation Assurance Level 2+" certification for SuSE Linux Enterprise Server 8 running on the IBM eServer xSeries server. This is a significant development - it is the first Common Criteria certified Linux distribution. Obtaining this certification is said to be expensive (several hundred thousand dollars), but it should make it easier to sell Linux solutions to certain kinds of customers.

An EAL2 certification, however, does not actually mean a whole lot. The Common Criteria is an extensive standard; those who are curious can find it documented on commoncriteria.org; bear in mind that it's several hundred pages of grim technical text in PDF format; print it out and take it to bed. Those documents describe seven evaluation assurance levels. EAL1 is the lowest, described by Jonathan Shapiro as "the vendor showed up for the meeting." EAL7 requires formal designs, proofs that the implementation matches the design, independent verification of all test results, etc. EAL2, the level achieved by IBM and SuSE, is described as follows:

EAL2 requires the cooperation of the developer in terms of the delivery of design information and test results, but should not demand more effort on the part of the developer than is consistent with good commercial practice. As such it should not require a substantially increased investment of cost or time.

EAL2 is applicable in those circumstances where developers or users require a low to moderate level of independently assured security in the absence of ready availability of the complete development record. Such a situation may arise when securing legacy systems, or where access to the developer may be limited.

In other words, EAL2 requires the developers to have actually thought a little bit about security, but "should not require a substantially increased investment of cost or time." It does require that the system be tested (by the developer) against known vulnerabilities. But, in the end, EAL2 certification says that the developers thought about security, generated a big pile of paper, and spent a chunk of money. Not much more.

IBM and SuSE are aiming for EAL3 certification later this year. The requirement for EAL3 is:

EAL3 permits a conscientious developer to gain maximum assurance from positive security engineering at the design stage without substantial alteration of existing sound development practices... An EAL3 evaluation provides an analysis supported by "grey box" testing, selective confirmation of the developer test results, and evidence of a developer search for obvious vulnerabilities.

For what it's worth, some versions of Windows and most proprietary Unix systems are certified at EAL4. Red Hat (with Oracle's help) submitted Red Hat Enterprise Linux AS 2.1 for EAL2 certification last February. According to the press release, they planned to be the first CC-certified Linux. Looks like SuSE won that race.

Comments (1 posted)

New vulnerabilities

atari800: buffer overflows

Package(s): atari800    CVE #(s): CAN-2003-0630
Created: August 1, 2003    Updated: September 2, 2003
Description: Steve Kemp discovered multiple buffer overflows in atari800, an Atari emulator. In order to directly access graphics hardware, one of the affected programs is setuid root. A local attacker could exploit this vulnerability to gain root privileges.
Alerts:
Debian DSA-359-1 2003-07-31
Gentoo 200309-07 2003-09-02

Comments (none posted)

gallery: cross-site scripting

Package(s): gallery    CVE #(s): CAN-2003-0614
Created: July 31, 2003    Updated: September 2, 2003
Description: Larry Nguyen discovered a cross site scripting vulnerability in gallery, a web-based photo album written in PHP. This security flaw can allow a malicious user to craft a URL that executes JavaScript code on your website.
Alerts:
Debian DSA-355-1 2003-07-30
Gentoo 200309-06 2003-09-02

Comments (none posted)

man-db: buffer overflow, command execution

Package(s): man-db    CVE #(s): CAN-2003-0620 CAN-2003-0645
Created: August 5, 2003    Updated: August 18, 2003
Description: man-db 2.4.1 and earlier contains two separate vulnerabilities. There are several buffer overflows which could perhaps be locally exploited, and some directives in ~/.manpath are executed when they should not be. These vulnerabilities only matter if the package has been installed in the setuid mode.
Alerts:
Debian DSA-364-1 2003-08-04
Debian DSA-364-2 2003-08-08
Debian DSA-364-3 2003-08-18

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s): postfix    CVE #(s): CAN-2003-0468 CAN-2003-0540
Created: August 5, 2003    Updated: May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Debian DSA-363-1 2003-08-03
Red Hat RHSA-2003:251-01 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Conectiva CLA-2003:717 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
Trustix 2003-0029 2003-08-04
Mandrake MDKA-2004:028 2004-05-26

Comments (none posted)

wget: buffer overflow

Package(s): wget    CVE #(s): CAN-2003-1565
Created: August 5, 2003    Updated: December 10, 2003
Description: The wget utility contains a buffer overflow which, when exploited with an over-long URL, can enable arbitrary code execution.
Alerts:
Conectiva CLA-2003:716 2003-08-04
SCO Group CSSA-2003-025.0 2003-10-03
Red Hat RHSA-2003:372-01 2003-12-10

Comments (1 posted)

wu-ftpd: off-by-one bug

Package(s): wu-ftpd    CVE #(s): CAN-2003-0466
Created: July 31, 2003    Updated: October 5, 2003
Description: An off-by-one bug has been discovered in versions of wu-ftpd up to and including 2.6.2. On a vulnerable system, a remote attacker would be able to exploit this bug to gain root privileges. See this advisory for more details.
Alerts:
Red Hat RHSA-2003:245-01 2003-07-31
Mandrake MDKSA-2003:080 2003-07-31
SuSE SuSE-SA:2003:032 2003-07-31
Debian DSA-357-1 2003-07-31
Conectiva CLA-2003:715 2003-08-01
Immunix IMNX-2003-7+-019-01 2003-08-06
SCO Group CSSA-2003-024.0 2003-09-26

Comments (none posted)

xconq: buffer overflows

Package(s): xconq    CVE #(s): CAN-2003-0607
Created: July 31, 2003    Updated: August 5, 2003
Description: Steve Kemp discovered a buffer overflow in xconq, in processing the USER environment variable. In the process of fixing this bug, a similar problem was discovered with the DISPLAY environment variable. This vulnerability could be exploited by a local attacker to gain gid 'games'.
Alerts:
Debian DSA-354-1 2003-07-29

Comments (none posted)

xfstt: remote exploits

Package(s): xfstt    CVE #(s): CAN-2003-0581 CAN-2003-0625
Created: August 1, 2003    Updated: August 5, 2003
Description: xfstt, a TrueType font server for the X Window System, was found to contain two classes of vulnerabilities:
  • CAN-2003-0581: a remote attacker could send requests crafted to trigger any of several buffer overruns, causing a denial of service or possibly executing arbitrary code on the server with the privileges of the "nobody" user.

  • CAN-2003-0625: certain invalid data sent during the connection handshake could allow a remote attacker to read certain regions of memory belonging to the xfstt process. This information could be used for fingerprinting, or to aid in exploitation of a different vulnerability.
Alerts:
Debian DSA-360-1 2003-08-01

Comments (none posted)

xtokkaetama: buffer overflows

Package(s): xtokkaetama    CVE #(s): CAN-2003-0611
Created: July 31, 2003    Updated: August 8, 2003
Description: Steve Kemp discovered two buffer overflows in xtokkaetama, a puzzle game, when processing the -display command line option and the XTOKKAETAMADIR environment variable. These vulnerabilities could be exploited by a local attacker to gain gid 'games'.
Alerts:
Debian DSA-356-1 2003-07-30
Debian DSA-367-1 2003-08-08

Comments (none posted)
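Several of the entries above (atari800, xconq, xtokkaetama) share one root cause: a value from the environment or the command line is copied into a fixed-size buffer without a length check, and because the program runs setuid or setgid, whoever sets that value controls the resulting write. The wu-ftpd entry is the related off-by-one variant, where a length check exists but forgets the terminating NUL. The following is an added illustration written for this page, not code from any of those packages; the buffer sizes, variable name EXAMPLE_DIR, and function names are constructed for the demo. It shows the vulnerable pattern (as a comment only), a bounded copy that refuses oversized input instead of overflowing, and the off-by-one length check next to the corrected one, both written as pure decisions so the wrong one can be exercised without writing anything.

```c
/* Added example, not code from atari800, xconq, xtokkaetama or wu-ftpd:
 * the unbounded-copy pattern behind "buffer overflow when processing an
 * environment variable or command-line option" reports, its bounded
 * replacement, and the off-by-one that a length check makes when it forgets
 * the terminating NUL. All names and sizes below are made up for the demo. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DIR_MAX 32   /* hypothetical fixed-size buffer in a setgid program */

/* Vulnerable shape, kept as a comment only and never compiled or called:
 *
 *     char dir[DIR_MAX];
 *     strcpy(dir, getenv("EXAMPLE_DIR"));   // no length check, NULL not handled
 *
 * A value of DIR_MAX bytes or more writes past the end of dir; when the
 * program is setuid/setgid, whoever sets the variable controls that write. */

/* Hardened form: copy an untrusted string into a fixed buffer and refuse
 * anything that does not fit together with its NUL. Returns 0 on success,
 * -1 if src is missing or too long. Scans at most dst_size bytes of src, so
 * an unterminated source cannot cause a read overrun either. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (src == NULL || dst_size == 0)
        return -1;
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size)          /* no NUL within dst_size bytes: too long */
        return -1;
    memcpy(dst, src, len + 1);    /* +1 copies the terminator */
    return 0;
}

/* Take a setting (normally the result of getenv()) into a fixed buffer,
 * falling back to a default when it is unset or oversized. Returns 1 if the
 * supplied value was used, 0 if the default was used. */
int read_dir_setting(char *dst, size_t dst_size, const char *value,
                     const char *default_dir)
{
    if (copy_bounded(dst, dst_size, value) == 0)
        return 1;
    copy_bounded(dst, dst_size, default_dir);   /* default is known to fit */
    return 0;
}

/* Off-by-one in a length check. Both functions decide whether "a/b" may be
 * written into a buffer of dst_size bytes; neither writes anything, so the
 * wrong one can be exercised safely. Generic illustration only, not the
 * wu-ftpd code. */
int fits_offbyone(size_t dst_size, size_t len_a, size_t len_b)
{
    /* WRONG: a + '/' + b may be exactly dst_size bytes, leaving no room
     * for the NUL, which then lands one byte past the end. */
    return len_a + 1 + len_b <= dst_size;
}

int fits_correct(size_t dst_size, size_t len_a, size_t len_b)
{
    /* RIGHT: the terminator is part of what must fit. */
    return len_a + 1 + len_b + 1 <= dst_size;
}

/* Join "a/b" into dst using the correct check. Returns 0 on success,
 * -1 if the result would not fit. */
int join_path(char *dst, size_t dst_size, const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (!fits_correct(dst_size, la, lb))
        return -1;
    memcpy(dst, a, la);
    dst[la] = '/';
    memcpy(dst + la + 1, b, lb);
    dst[la + 1 + lb] = '\0';
    return 0;
}

int main(void)
{
    char dir[DIR_MAX];
    char path[DIR_MAX];

    /* Whatever the real environment holds is bounded the same way. */
    printf("env used: %d (%s)\n",
           read_dir_setting(dir, sizeof dir, getenv("EXAMPLE_DIR"), "/tmp"), dir);

    /* Constructed oversized value: refused, default used instead. */
    char huge[DIR_MAX * 4];
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';
    printf("huge used: %d (%s)\n",
           read_dir_setting(dir, sizeof dir, huge, "/tmp"), dir);

    /* 8-byte buffer: "abc/def" is 7 bytes plus NUL, fits; "abcd/def" does not. */
    printf("join: %d (%s)\n", join_path(path, 8, "abc", "def"), path);
    printf("abcd/def in 8 bytes: offbyone says %d, correct says %d\n",
           fits_offbyone(8, 4, 3), fits_correct(8, 4, 3));
    return 0;
}
```

The point of refusing rather than truncating is that a silently shortened path or display name is itself a source of bugs; a setgid program is better off falling back to a built-in default than acting on a value it could not hold. The read-side bound in copy_bounded matters too: a plain strlen() on an untrusted, possibly unterminated source would walk off the end before the write check ever runs.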

Updated vulnerabilities

2.4 kernel - several vulnerabilities

Package(s): 2.4 kernel    CVE #(s): CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created: July 21, 2003    Updated: December 23, 2003
Description: Several security issues have been discovered affecting the Linux kernel:
  • CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

  • CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

  • CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that this could allow normal users to bind to UDP ports used for services such as nfsd.

  • CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

  • CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

  • CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.

  • CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

  • CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
Alerts:
Red Hat RHSA-2003:238-01 2003-07-21
EnGarde ESA-20032407-018 2003-07-24
Debian DSA-358-1 2003-07-31
Debian DSA-358-3 2003-08-04
Debian DSA-358-2 2003-08-05
SuSE SuSE-SA:2003:034 2003-08-12
Debian DSA-358-4 2003-08-13
Gentoo 200308-01 2003-08-14
Red Hat RHSA-2003:408-00 2003-12-19

Comments (none posted)
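Two of the network-facing items on this page come down to trusting a length field in a message before checking it against anything: the xfstt entry (CAN-2003-0581, buffer overruns from crafted requests, and CAN-2003-0625, a handshake that let a client read memory beyond the data it had sent) and the STP item above (CAN-2003-0551, lax length checking leading to a denial of service). The following added example is written for this page and is neither xfstt nor kernel bridge code; the wire format (opcode, 16-bit big-endian length, payload), the 16-byte name buffer and all function names are constructed for the demo. It shows the two checks a declared length must pass, in the order they must run: it must be covered by the bytes actually received (otherwise the server reads past its input, which is the disclosure case), and it must fit the destination with its terminator (otherwise the copy overruns, which is the overflow case).

```c
/* Added example, not xfstt or kernel bridge code: validating a length field
 * in an untrusted message before acting on it. The message format and the
 * request structure below are constructed for this demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 16   /* hypothetical fixed-size field in the server's request struct */

/* Wire format (constructed): opcode:1 | length:2 big-endian | payload[length] */
struct request {
    uint8_t opcode;
    char    name[MAX_NAME];   /* NUL-terminated copy of the payload */
    size_t  name_len;
};

enum parse_result {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER = -1,  /* fewer than 3 bytes received */
    PARSE_TRUNCATED = -2,     /* declared length exceeds bytes received */
    PARSE_TOO_LONG = -3       /* declared length does not fit the destination */
};

/* Vulnerable shape, kept as a comment only and never compiled or called:
 *
 *     uint16_t len = (buf[1] << 8) | buf[2];
 *     memcpy(req->name, buf + 3, len);   // up to 65535 bytes into a 16-byte field
 *     reply(fd, buf + 3, len);           // and echoes bytes that were never received
 *
 * The first line is the overrun; the second is the memory disclosure. */

/* Hardened parse: every use of the declared length is preceded by a check
 * against what was actually received and against the destination size.
 * Returns PARSE_OK or one of the negative codes above. */
int parse_request(const uint8_t *buf, size_t received, struct request *req)
{
    if (received < 3)
        return PARSE_SHORT_HEADER;
    uint16_t declared = (uint16_t)((buf[1] << 8) | buf[2]);
    /* 1. The claimed payload must lie entirely within the received bytes;
     *    received - 3 cannot underflow because received >= 3 was checked. */
    if ((size_t)declared > received - 3)
        return PARSE_TRUNCATED;
    /* 2. It must also fit the destination together with its NUL. */
    if (declared >= MAX_NAME)
        return PARSE_TOO_LONG;
    req->opcode = buf[0];
    memcpy(req->name, buf + 3, declared);
    req->name[declared] = '\0';
    req->name_len = declared;
    return PARSE_OK;
}

/* Test helper: encode a request, allowing the declared length to disagree
 * with the payload actually appended, as a misbehaving client's would.
 * Returns the number of bytes written, or 0 if out is too small. */
size_t build_request(uint8_t *out, size_t out_size, uint8_t opcode,
                     const char *payload, uint16_t declared)
{
    size_t plen = strlen(payload);
    if (out_size < 3 + plen)
        return 0;
    out[0] = opcode;
    out[1] = (uint8_t)(declared >> 8);
    out[2] = (uint8_t)(declared & 0xff);
    memcpy(out + 3, payload, plen);
    return 3 + plen;
}

int main(void)
{
    uint8_t msg[128];
    struct request req;
    size_t n;

    n = build_request(msg, sizeof msg, 1, "hello", 5);          /* honest */
    printf("honest:    %d (%s)\n", parse_request(msg, n, &req), req.name);

    n = build_request(msg, sizeof msg, 1, "hello", 40);         /* claims 40, sends 5 */
    printf("truncated: %d\n", parse_request(msg, n, &req));

    char big[40];
    memset(big, 'x', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    n = build_request(msg, sizeof msg, 1, big, 39);             /* honest but oversized */
    printf("too long:  %d\n", parse_request(msg, n, &req));

    printf("short hdr: %d\n", parse_request(msg, 2, &req));
    return 0;
}
```

The ordering is deliberate: the received-bytes check comes first so that the parser never reads past its input even while deciding whether the message is acceptable, and the destination-size check is a separate, explicit comparison rather than something implied by the protocol's maximum. A server that applies both checks turns a crafted length into a rejected request, which is the outcome a denial-of-service or disclosure report should reduce to.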

perl-MailTools: remote command execution

Package(s): MailTools    CVE #(s): CAN-2002-1271
Created: November 5, 2002    Updated: September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the use of mailx as the default mailer, which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
SuSE SuSE-SA:2002:041 2002-11-05
Gentoo 200211-001 2002-11-06
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200302-01 2003-02-02
Debian DSA-386-1 2003-09-18

Comments (none posted)

PHP: Cross site scripting vulnerability

Package(s): PHP    CVE #(s): CAN-2003-0442
Created: July 2, 2003    Updated: August 13, 2003
Description: In PHP version 4.3.1 and earlier, when transparent session ID support is enabled using the "session.use_trans_sid" option, the session ID is not escaped before use. This allows a Cross Site Scripting attack.
Alerts:
Red Hat RHSA-2003:204-01 2003-07-02
OpenPKG OpenPKG-SA-2003.032 2003-07-07
Conectiva CLA-2003:691 2003-07-08
Debian DSA-351-1 2003-07-16
Yellow Dog YDU-20030710-2 2003-07-10
Mandrake MDKSA-2003:082 2003-08-04
Mandrake MDKSA-2003:082-1 2003-08-12

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s): Safe.pm    CVE #(s): CAN-2002-1323
Created: October 9, 2002    Updated: February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
Debian DSA-208-1 2002-12-12
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Trustix 2002-0087 2002-12-19
Gentoo 200212-6 2002-12-20
SCO Group CSSA-2004-007.0 2004-02-20

Comments (none posted)

apache: multiple vulnerabilities in Apache HTTP server

Package(s): apache    CVE #(s): CAN-2003-0192 CAN-2003-0253 CAN-2003-0254
Created: July 11, 2003    Updated: September 22, 2003
Description: The Apache Software Foundation and the Apache HTTP Server Project have announced the release of the Apache HTTP Server 2.0.47. This release fixes four security vulnerabilities:
  • Certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. [CAN-2003-0192]

  • Certain errors returned by accept() on rarely accessed ports could cause temporal denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]

  • Denial of service was caused when target host is IPv6 but ftp proxy server can't create IPv6 socket. [CAN-2003-0254]

  • The server would crash when going into an infinite loop due to too many subsequent internal redirects and nested subrequests. [VU#379828]
Alerts:
Trustix 2003-0025 2003-07-11
Conectiva CLA-2003:698 2003-07-21
Mandrake MDKSA-2003:075 2003-07-21
Mandrake MDKSA-2003:075-1 2003-08-28
Red Hat RHSA-2003:240-01 2003-09-04
Red Hat RHSA-2003:243-01 2003-09-22

Comments (none posted)

Apache: denial of service vulnerabilities

Package(s): apache    CVE #(s): CAN-2003-0460
Created: July 24, 2003    Updated: July 30, 2003
Description: The Apache Software Foundation and The Apache Server Project released a new version of the Apache webserver which addresses the following security vulnerabilities:

Denial of service (VU#379828): Ryan O'Neill reported that it is possible to make the httpd server enter infinite loops and crash under certain circumstances. A new configuration directive has been created (LimitInternalRecursion) to avoid these infinite loops and abort the request which caused them if the configured limit has been reached.

File descriptor leak: Leaks of several file descriptors to child processes, such as CGI scripts, were fixed.

Alerts:
Conectiva CLA-2003:704 2003-07-24

Comments (none posted)

bind buffer overflow vulnerability in DNS resolver libraries

Package(s): bind glibc    CVE #(s): CAN-2002-0651 CAN-2002-0684
Created: July 8, 2002    Updated: October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately, that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
OpenPKG OpenPKG-SA-2002.006 2002-07-04
SuSE SuSE-SA:2002:026 2002-07-09
Conectiva CLA-2002:507 2002-07-11
Gentoo glibc-20020713 2002-07-13
Trustix 2002-0061 2002-07-15
Mandrake MDKSA-2002:043 2002-07-16
EnGarde ESA-20020724-018 2002-07-24
Red Hat RHSA-2002:139-10 2002-07-22
Eridani ERISA-2002:028 2002-07-25
Yellow Dog YDU-20020801-2 2002-08-01
SCO Group CSSA-2002-034.0 2002-08-05
Red Hat RHSA-2002:133-13 2002-08-08
Eridani ERISA-2002:035 2002-08-09
Yellow Dog YDU-20020810-3 2002-08-10
Mandrake MDKSA-2002:050 2002-08-13

Comments (1 posted)

Canna server: exploitable buffer overrun

Package(s):canna CVE #(s):CAN-2002-1158 CAN-2002-1159
Created:December 10, 2002 Updated:October 1, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information or cause a denial of service. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

CAN-2002-1158
CAN-2002-1159

Alerts:
Red Hat RHSA-2002:246-18 2002-12-04
Gentoo 200212-8 2002-12-20
Debian DSA-224-1 2003-01-08
SCO Group CSSA-2003-005.0 2003-01-21

Comments (none posted)

ethereal: security problems in Ethereal 0.9.12

Package(s):ethereal CVE #(s):CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432
Created:June 23, 2003 Updated:November 10, 2003
Description: Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Alerts:
Mandrake MDKSA-2003:070 2003-06-23
Conectiva CLA-2003:662 2003-06-25
Gentoo 200306-13 2003-06-25
Red Hat RHSA-2003:203-01 2003-07-03
Yellow Dog YDU-20030718-2 2003-07-18
SCO Group CSSA-2003-030.0 2003-11-07

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

Comments (none posted)

fdclone: insecure temporary directory

Package(s):fdclone CVE #(s):CAN-2003-0596
Created:July 23, 2003 Updated:October 1, 2003
Description: fdclone creates a temporary directory in /tmp as a workspace. However, if this directory already exists, the existing directory is used instead, regardless of its ownership or permissions. This would allow an attacker to gain access to fdclone's temporary files and their contents, or replace them with other files under the attacker's control.

CAN-2003-0596

Alerts:
Debian DSA-352-1 2003-07-22

Comments (none posted)

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Conectiva CLA-2002:554 2002-12-16
Red Hat RHSA-2002:293-09 2002-12-17
Debian DSA-216-1 2002-12-24
SuSE SuSE-SA:2003:001 2003-01-02
SCO Group CSSA-2003-001.0 2003-01-09
EnGarde ESA-20030127-002 2003-01-27
Mandrake MDKSA-2003:011 2003-01-27
Immunix IMNX-2003-7+-023-01 2003-10-17

Comments (3 posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response. This causes the stub resolvers to read past the actual boundary (a "read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Red Hat RHSA-2002:197-06 2002-10-03
Red Hat RHSA-2002:197-09 2002-11-06
Mandrake MDKSA-2004:009 2004-02-04

Comments (none posted)

gnupg: key validation

Package(s):gnupg CVE #(s):CAN-2003-0255
Created:May 15, 2003 Updated:November 17, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID.
Alerts:
EnGarde ESA-20030515-016 2003-05-15
OpenPKG OpenPKG-SA-2003.029 2003-05-16
Gentoo 200305-04 2003-05-16
Red Hat RHSA-2003:175-01 2003-05-20
Slackware ssa:2003-141-04 2003-05-22
Mandrake MDKSA-2003:061 2003-05-22
Yellow Dog YDU-20030602-4 2003-06-02
Conectiva CLA-2003:694 2003-07-11
SCO Group CSSA-2003-034.0 2003-11-17

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Red Hat RHSA-2003:126-01 2003-04-14
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:264-01 2003-09-09
Conectiva CLA-2003:737 2003-09-12
Mandrake MDKSA-2003:093 2003-09-18
Debian DSA-710-1 2005-04-18

Comments (none posted)

konqueror: information disclosure vulnerability

Package(s):kde konqueror CVE #(s):CAN-2003-0459
Created:July 30, 2003 Updated:August 11, 2003
Description: All versions of Konqueror through KDE 3.1.2 contain a vulnerability wherein the browser could (in rare situations) send authentication information to an unrelated web site. See this advisory for details.
Alerts:
Mandrake MDKSA-2003:079 2003-07-31
Debian DSA-361-1 2003-08-01
Slackware SSA:2003-213-01 2003-08-01
Debian DSA-361-2 2003-08-09
Red Hat RHSA-2003:235-01 2003-08-11

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Debian DSA-213-1 2002-12-19
Red Hat RHSA-2003:006-06 2003-01-09
SuSE SuSE-SA:2003:0004 2003-01-14
Yellow Dog YDU-20030114-2 2003-01-14
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Mandrake MDKSA-2003:008 2003-01-20
Conectiva CLA-2003:564 2003-01-23
Red Hat RHSA-2004:249-01 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-176 2004-06-18
Whitebox WBSA-2004:249-01 2004-06-21
Mandrake MDKSA-2004:063 2004-06-29
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Gentoo 200407-06 2004-07-08

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:October 1, 2003
Description: If lynx is given a URL containing certain special characters on the command line, it will include faked headers in the HTTP request. This can be used to force scripts (that use lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.

CAN-2002-1405
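The mechanism behind this entry, as an added example (not lynx's own code): a request builder that copies URL components onto the wire verbatim, the header injection a CR/LF in the URL then produces, and the check a hardened builder applies first. The function names, the `victim.example`/`other.example` hosts and the attacker's URL are constructed for the example; nothing is sent over the network.

```python
"""Added example (not lynx's own code): CRLF injection through a URL that
is copied unchecked into an HTTP request, next to a builder that refuses
such URLs. All URLs are constructed here; nothing is sent anywhere."""
from urllib.parse import quote

GOOD_URL = "http://victim.example/index.html"
# Constructed attacker argument: the path carries a finished request line
# plus extra header lines, so the builder's own " HTTP/1.0" and Host:
# header end up as a harmless "Dummy:" header and a second Host header.
EVIL_URL = ("http://victim.example/index.html HTTP/1.0\r\n"
            "Host: other.example\r\nX-Injected: yes\r\nDummy:")


class UnsafeURL(ValueError):
    """Raised when a URL contains bytes that would end the request line."""


def split_http_url(url: str):
    """Minimal hand-rolled split. (urllib.parse.urlsplit silently strips
    CR and LF, which would hide exactly the bug this example is about.)"""
    if not url.startswith("http://"):
        raise ValueError("only http:// URLs in this example")
    host, _, path = url[len("http://"):].partition("/")
    return host, "/" + path


def build_request_naive(url: str) -> bytes:
    """Vulnerable pattern: host and path are dropped into the request
    unchecked, so a CR/LF in either terminates the request line early and
    whatever follows is transmitted as additional headers."""
    host, path = split_http_url(url)
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("latin-1")


def is_safe_url(url: str) -> bool:
    """Reject any control character or space in host and path. Encoded
    forms such as %0d%0a stay harmless only as long as the builder never
    decodes them before emitting the request."""
    host, path = split_http_url(url)
    return all(0x20 < ord(c) < 0x7f for c in host + path)


def build_request_safe(url: str) -> bytes:
    """Hardened builder: validate first, then percent-encode the path so
    nothing outside the allowed set reaches the wire unencoded."""
    if not is_safe_url(url):
        raise UnsafeURL(repr(url))
    host, path = split_http_url(url)
    path = quote(path, safe="/?=&%~")
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("latin-1")


def parse_request(raw: bytes):
    """Split a request the way a simple origin server does: request line,
    then header lines up to the blank line. Returns (line, [(name, value)])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def effective_host(raw: bytes):
    """Name-based virtual hosting routes on the first Host header it sees;
    after injection that is the attacker's, not the one from the URL."""
    _, headers = parse_request(raw)
    for name, value in headers:
        if name == "host":
            return value
    return None


if __name__ == "__main__":
    print(build_request_naive(EVIL_URL).decode("latin-1"))
    print("server would route to:", effective_host(build_request_naive(EVIL_URL)))
    print("hardened builder accepts the evil URL?", is_safe_url(EVIL_URL))
```

The check belongs before any other processing of the URL, and it should be applied to every place a URL enters the program (command line, redirects, links followed), which is the "all places" the Debian advisory for this bug refers to.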

Alerts:
SCO Group CSSA-2002-049.0 2002-11-18
Debian DSA-210-1 2002-12-13
Trustix 2002-0085 2002-12-19
Red Hat RHSA-2003:029-06 2003-02-12
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Mandrake MDKSA-2003:023 2003-02-24
Conectiva CLA-2003:720 2003-08-11

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Debian DSA-320-1 2003-06-13
Gentoo 200307-01 2003-07-02
Fedora FEDORA-2005-404 2005-06-09
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-405 2005-06-16

Comments (none posted)

mnogosearch: Remote buffer overflow vulnerabilities

Package(s):mnogosearch CVE #(s):CAN-2003-0436 CVE-2002-0789
Created:July 28, 2003 Updated:July 30, 2003
Description: Buffer overflow in the "ul" variable (CAN-2003-0436): pokleyzz <pokleyzz -at- scan-associates.net> reported a buffer overflow vulnerability in mnoGoSearch which can be exploited remotely to execute arbitrary commands with the privileges of the webserver.

Buffer overflow in the query variable ("q") (CVE-2002-0789): qitest1 <qitest1 -at- bespin.org> reported a buffer overflow vulnerability in the query variable ("q") which can be exploited remotely to execute arbitrary commands with the privileges of the webserver.

Alerts:
Conectiva CLA-2003:711 2003-07-28

Comments (none posted)

mpg123 - buffer overflow

Package(s):mpg123 CVE #(s):CAN-2003-0577
Created:July 16, 2003 Updated:September 30, 2003
Description: The mpg123 utility contains a buffer overflow vulnerability which can allow an attacker to execute arbitrary code by way of a malicious MP3 file.
Alerts:
Conectiva CLA-2003:695 2003-07-15
Mandrake MDKSA-2003:078 2003-07-23
Gentoo 200309-17 2003-09-30

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Red Hat RHSA-2002:228-11 2002-12-17
Conectiva CLA-2003:778 2003-11-07

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: The Linux nfs-utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Red Hat RHSA-2003:206-01 2003-07-14
Debian DSA-349-1 2003-07-14
Slackware SSA:2003-195-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
Slackware SSA:2003-195-01b 2003-07-15
Yellow Dog YDU-20030718-1 2003-07-18
Gentoo 200307-07 2003-07-19
Mandrake MDKSA-2003:076 2003-07-21
Conectiva CLA-2003:700 2003-07-22
SCO Group CSSA-2003-037.0 2003-11-17
Trustix TSLSA-2004-0009 2004-03-05

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
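The shape of the bug the advisory describes, as an added example (not OpenSSH's or PAM's code): a login path that returns as soon as it finds no such user, so an attacker can measure the missing password-hash work, next to the usual fix of spending the same work for unknown users. The user table, PBKDF2 parameters, dummy hash and the call counter are constructed for the example.

```python
"""Added example (not OpenSSH's or PAM's code): user enumeration by timing,
and the equal-work fix. Account data and hash parameters are constructed."""
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000
SALT = b"constructed-salt"
# Constructed account database: login -> PBKDF2 hash of the password.
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"hunter2", SALT, ITERATIONS)}
# A hash of a throwaway secret, computed once at startup, gives unknown
# users a comparison target that costs exactly as much as a real one.
DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", os.urandom(16), SALT, ITERATIONS)

hash_calls = 0   # counts expensive operations, for a deterministic comparison


def slow_hash(password: bytes) -> bytes:
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password, SALT, ITERATIONS)


def login_vulnerable(user: str, password: bytes) -> bool:
    """Early return: no hash is computed when the user does not exist, so
    the reply for a bogus name arrives measurably faster."""
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(slow_hash(password), stored)


def login_fixed(user: str, password: bytes) -> bool:
    """Same work on both branches: hash against the dummy for unknown users
    and discard the result, so timing no longer reveals account existence."""
    stored = USERS.get(user)
    matched = hmac.compare_digest(slow_hash(password), stored or DUMMY_HASH)
    return stored is not None and matched


def hash_work(fn, user: str) -> int:
    """Number of expensive hashes fn performs for one attempt on `user`."""
    global hash_calls
    hash_calls = 0
    fn(user, b"guess")
    return hash_calls


def time_attempt(fn, user: str, rounds: int = 3) -> float:
    """Wall-clock median over a few rounds, for running interactively."""
    samples = []
    for _ in range(rounds):
        t = time.perf_counter()
        fn(user, b"guess")
        samples.append(time.perf_counter() - t)
    return sorted(samples)[rounds // 2]


if __name__ == "__main__":
    for fn in (login_vulnerable, login_fixed):
        print(fn.__name__, "alice: %.4fs" % time_attempt(fn, "alice"),
              "nobody: %.4fs" % time_attempt(fn, "nobody"))
```

Run stand-alone, the vulnerable function answers for "nobody" in microseconds and for "alice" in tens of milliseconds; the fixed one takes the same time for both. The remaining caveat is that the fix must cover every exit from the authentication path (PAM conversation, account checks, logging), not just the password comparison.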
Alerts:
Gentoo 200305-01 2002-03-05
Gentoo 200305-02 2003-05-13
Red Hat RHSA-2003:222-01 2003-07-29
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Ubuntu USN-34-1 2004-11-30

Comments (1 posted)

perl: cross site scripting vulnerability in CGI.pm module

Package(s):perl CVE #(s):CAN-2003-0615
Created:July 29, 2003 Updated:October 1, 2003
Description: obscure@eyeonsecurity.org reported a cross site scripting vulnerability in the CGI.pm perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package.

CAN-2003-0615

Alerts:
Conectiva CLA-2003:713 2003-07-29
OpenPKG OpenPKG-SA-2003.036 2003-08-06
Debian DSA-371-1 2003-08-11
Mandrake MDKSA-2003:084 2003-08-20
OpenPKG OpenPKG-SA-2003.039 2003-09-15
Red Hat RHSA-2003:256-01 2003-09-22
Red Hat RHSA-2003:256-02 2003-10-03

Comments (none posted)

PHP: vulnerability in mail function

Package(s):php CVE #(s):CAN-2002-0985 CAN-2002-0986
Created:November 13, 2002 Updated:October 1, 2003
Description: Two vulnerabilities exist in the PHP mail() function. The first allows the execution of any program or script, bypassing the safe_mode restriction; the second may turn a script into an open relay if the mail() function is not used carefully in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability from the previous PHP mail() problem, which affected versions through 4.1.0.

CAN-2002-0985
CAN-2002-0986

Alerts:
Red Hat RHSA-2002:213-06 2002-11-11
Conectiva CLA-2002:545 2002-11-13
EnGarde ESA-20021122-031 2002-11-22
Gentoo 200211-005 2002-11-20
SCO Group CSSA-2003-008.0 2003-03-04

Comments (none posted)

phpgroupware - cross-site scripting and other exploits

Package(s):phpgroupware CVE #(s):CAN-2003-0504 CAN-2003-0582
Created:July 16, 2003 Updated:October 1, 2003
Description: Several vulnerabilities were discovered in all versions of phpgroupware prior to 0.9.14.006. This latest version fixes an exploitable condition in all versions that can be exploited remotely without authentication and can lead to arbitrary code execution on the web server. This vulnerability is being actively exploited.

Version 0.9.14.005 fixed several other vulnerabilities including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies.

See this Security Corporation report for more information.

CAN-2003-0504
CAN-2003-0582

Alerts:
Conectiva CLA-2003:697 2003-07-16
Mandrake MDKSA-2003:077 2003-07-23
Conectiva CLA-2003:703 2003-07-23
Debian DSA-365-1 2003-08-05

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):postgresql CVE #(s):
Created:February 12, 2003 Updated:November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_add() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Mandrake MDKSA-2002:062-1 2003-02-11
Trustix 2003-0004 2003-02-20
Immunix IMNX-2003-7+-005-01 2003-04-08
Debian DSA-397-1 2003-11-07

Comments (1 posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:October 1, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

CAN-2002-1119

Alerts:
Debian DSA-159-1 2002-08-28
Debian DSA-159-2 2002-09-09
Conectiva CLA-2002:527 2002-10-01
Gentoo python-20021003 2002-10-03
Trustix 2002-0073 2002-10-17
SCO Group CSSA-2002-045.0 2002-11-14
Mandrake MDKSA-2002:082 2002-11-25
Mandrake MDKSA-2002:082-1 2002-12-09
Red Hat RHSA-2002:202-25 2003-01-21
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-33 2003-02-12

Comments (none posted)

semi: insecure temporary file

Package(s):semi, wemi CVE #(s):CAN-2003-0440
Created:July 7, 2003 Updated:October 1, 2003
Description: semi, a MIME library for GNU Emacs, does not take appropriate security precautions when creating temporary files. This bug could potentially be exploited to overwrite arbitrary files with the privileges of the user running Emacs and semi, potentially with contents supplied by the attacker.

wemi is a fork of semi, and contains the same bug.

CAN-2003-0440

Alerts:
Debian DSA-339-1 2003-07-06
Red Hat RHSA-2003:234-01 2003-07-23
Yellow Dog YDU-20030723-2 2003-07-23
Gentoo 200308-02 2003-08-14

Comments (none posted)

stunnel: signal handler reentrancy DoS

Package(s):stunnel CVE #(s):CAN-2002-1563
Created:July 25, 2003 Updated:November 25, 2003
Description: Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over a secure connection (encrypted using SSL or TLS) or to provide a secure means of connecting to services that do not natively support encryption.

When configured to listen for incoming connections (instead of being invoked by xinetd), stunnel can be configured to either start a thread or a child process to handle each new connection. If Stunnel is configured to start a new child process to handle each connection, it will receive a SIGCHLD signal when that child exits.

Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal handler which, if interrupted by another SIGCHLD signal, could be unsafe. This could lead to a denial of service.

Alerts:
Red Hat RHSA-2003:221-01 2003-07-25
EnGarde ESA-20030806-020 2003-08-06
Trustix 2003-0030 2003-08-07
Conectiva CLA-2003:736 2003-09-05
SCO Group CSSA-2003-026.0 2003-10-03
Red Hat RHSA-2003:296-01 2003-11-24

Comments (none posted)

sup: insecure temporary file

Package(s):sup CVE #(s):CAN-2003-0606
Created:July 29, 2003 Updated:October 1, 2003
Description: sup, a package used to maintain collections of files in identical versions across machines, fails to take appropriate security precautions when creating temporary files. A local attacker could exploit this vulnerability to overwrite arbitrary files with the privileges of the user running sup.

CAN-2003-0606
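The two temporary-file mistakes behind the fdclone, semi and sup entries, each next to its fix, as an added example (not the code of any of those projects): a fixed-name work directory that is reused whoever created it, and a predictable temp file opened without O_EXCL so a planted symlink redirects the write. The scratch directory, the "attacker" steps (performed by the same user) and the function names are constructed for the example.

```python
"""Added example (not fdclone's, semi's or sup's own code): insecure
temporary directory and file creation beside the fixes. Everything runs
inside a scratch directory created by demo(); the real /tmp is untouched
and the attacker's moves are simulated by the same user."""
import os
import shutil
import stat
import tempfile


def insecure_workdir(path: str) -> str:
    """fdclone-style: fixed name; if it already exists it is reused no
    matter who owns it or how it is protected."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass          # an attacker-planted directory is silently accepted
    return path


def existing_dir_is_trustworthy(path: str) -> bool:
    """If a fixed name is unavoidable: never follow a symlink (lstat),
    require our own uid and no group/other permission bits."""
    st = os.lstat(path)
    return (stat.S_ISDIR(st.st_mode) and st.st_uid == os.getuid()
            and stat.S_IMODE(st.st_mode) & 0o077 == 0)


def secure_workdir(parent: str) -> str:
    """mkdtemp(): unpredictable name, created atomically with mode 0700,
    so there is no pre-existing directory to inherit."""
    return tempfile.mkdtemp(prefix="work-", dir=parent)


def insecure_tempfile(path: str, data: str) -> None:
    """semi/sup-style: predictable name opened with O_CREAT but without
    O_EXCL; if an attacker planted a symlink there, the write lands on
    whatever it points at, with the victim's privileges."""
    with open(path, "w") as f:
        f.write(data)


def exclusive_create(path: str) -> bool:
    """O_EXCL (plus O_NOFOLLOW) fails instead of following a planted link."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL
                     | os.O_NOFOLLOW, 0o600)
    except OSError:
        return False
    os.close(fd)
    return True


def secure_tempfile(parent: str, data: str) -> str:
    """mkstemp(): O_CREAT|O_EXCL on an unpredictable name, mode 0600."""
    fd, path = tempfile.mkstemp(dir=parent)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Play both attacks in a scratch directory; return what each side saw."""
    base = tempfile.mkdtemp(prefix="lwn-tmpdemo-")
    try:
        # Attacker pre-creates the predictable work directory, world-writable.
        planted_dir = os.path.join(base, "fdclone-work")
        os.mkdir(planted_dir)
        os.chmod(planted_dir, 0o777)
        reused_mode = stat.S_IMODE(os.lstat(insecure_workdir(planted_dir)).st_mode)
        fresh_mode = stat.S_IMODE(os.lstat(secure_workdir(base)).st_mode)
        # Attacker plants a symlink where the predictable temp file will go.
        victim = os.path.join(base, "victim.txt")
        with open(victim, "w") as f:
            f.write("original")
        planted = os.path.join(base, "predictable.tmp")
        os.symlink(victim, planted)
        insecure_tempfile(planted, "clobbered")
        with open(victim) as f:
            victim_now = f.read()
        safe_path = secure_tempfile(base, "private")
        return {
            "planted_trusted": existing_dir_is_trustworthy(planted_dir),
            "reused_mode": reused_mode,
            "fresh_mode": fresh_mode,
            "victim_now": victim_now,
            "excl_refused": not exclusive_create(planted),
            "safe_mode": stat.S_IMODE(os.lstat(safe_path).st_mode),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16s} {oct(value) if isinstance(value, int) else value}")
```

The ownership and mode check only helps when a fixed name is truly unavoidable; on a shared /tmp the right fix is the one mkdtemp()/mkstemp() give, an unpredictable name created atomically with O_EXCL.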

Alerts:
Debian DSA-353-1 2003-07-29

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 9, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
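The check old tar and unzip lacked, as an added example (not GNU tar's or Info-ZIP's own code): an archive built in memory whose member names escape the extraction directory, and the test a safe extractor applies to every member, including symlink and hard-link members, before writing anything. The archive contents and the `/srv/extract` destination are constructed for the example; it goes slightly beyond the page by covering link members and zip archives with the same check.

```python
"""Added example (not GNU tar's or unzip's own code): vetting archive
member names against the extraction directory before extracting.
Archive contents and destination paths are constructed here."""
import io
import os
import shutil
import tarfile
import tempfile
import zipfile

# Constructed members: one legitimate, one "../" escape, one absolute path.
MEMBERS = [
    ("docs/readme.txt", b"harmless\n"),
    ("../../.bashrc", b"alias ls='echo owned'\n"),
    ("/etc/passwd", b"root::0:0::/:/bin/sh\n"),
]


def make_hostile_tar() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in MEMBERS:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_hostile_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in MEMBERS:
            zf.writestr(name, data)
    return buf.getvalue()


def _inside(dest: str, path: str) -> bool:
    """True when path, after resolving "..", still lies under dest."""
    dest = os.path.realpath(dest)
    return os.path.commonpath([dest, os.path.realpath(path)]) == dest


def is_safe_name(name: str, dest: str) -> bool:
    """Absolute names are refused outright rather than re-rooted; relative
    names must resolve to a location inside dest."""
    return not os.path.isabs(name) and _inside(dest, os.path.join(dest, name))


def is_safe_tar_member(m: tarfile.TarInfo, dest: str) -> bool:
    """Link members are another escape route: a symlink whose target leaves
    dest, or a hard link to a file outside it, gets the same refusal."""
    if not is_safe_name(m.name, dest):
        return False
    if m.issym():   # symlink target is relative to the link's own directory
        link_dir = os.path.dirname(os.path.join(dest, m.name))
        return _inside(dest, os.path.join(link_dir, m.linkname))
    if m.islnk():   # hard-link target is relative to the archive root
        return is_safe_name(m.linkname, dest)
    return True


def vet_tar(data: bytes, dest: str):
    """Return (accepted names, rejected names) for a tar archive."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        members = tf.getmembers()
    ok = [m.name for m in members if is_safe_tar_member(m, dest)]
    bad = [m.name for m in members if not is_safe_tar_member(m, dest)]
    return ok, bad


def vet_zip(data: bytes, dest: str):
    """Same check over zip entries; unzip through 5.42 needed it too."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return ([n for n in names if is_safe_name(n, dest)],
            [n for n in names if not is_safe_name(n, dest)])


def safe_extract_tar(data: bytes, dest: str):
    """Write only regular files that pass the check; returns their names."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        for m in tf.getmembers():
            if not (m.isfile() and is_safe_tar_member(m, dest)):
                continue
            out = os.path.join(dest, m.name)
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with open(out, "wb") as f:
                f.write(tf.extractfile(m).read())
            written.append(m.name)
    return written


def demo_extract():
    """Extract the hostile tar into a scratch directory and report what landed."""
    dest = tempfile.mkdtemp(prefix="lwn-tar-")
    try:
        return safe_extract_tar(make_hostile_tar(), dest)
    finally:
        shutil.rmtree(dest)


if __name__ == "__main__":
    print("tar:", vet_tar(make_hostile_tar(), "/srv/extract"))
    print("zip:", vet_zip(make_hostile_zip(), "/srv/extract"))
```

Vetting the whole member list before writing the first file is deliberate: an archive can mix harmless members with a symlink member created early and a later member that writes through it, so checking each name in isolation at extraction time is not enough.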
Alerts:
Red Hat RHSA-2002:096-24 2002-09-18
Gentoo tar-20021001 2002-10-01
Gentoo unzip-20021001 2002-10-01
EnGarde ESA-20021003-022 2002-10-03
Mandrake MDKSA-2002:065 2002-10-10
Mandrake MDKSA-2002:066 2002-10-10
Conectiva CLA-2002:538 2002-10-29
Red Hat RHSA-2006:0195-01 2006-02-21
Fedora-Legacy FLSA:183571-1 2006-04-04

Comments (1 posted)

teapop: SQL injection

Package(s):teapop CVE #(s):CAN-2003-0515
Created:July 9, 2003 Updated:October 1, 2003
Description: teapop, a POP-3 server, includes modules for authenticating users against a PostgreSQL or MySQL database. These modules do not properly escape user-supplied strings before using them in SQL queries. This vulnerability could be exploited to execute arbitrary SQL with the privileges of the database user as which teapop authenticates.

CAN-2003-0515
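The query-building mistake behind this entry next to the parameterised form, as an added example (not teapop's own code), run against an in-memory SQLite table constructed here. The table layout, the stored plaintext password and the function names are assumptions; teapop's real schema and its PostgreSQL/MySQL bindings are not shown on the page.

```python
"""Added example (not teapop's own code): SQL injection in a POP3
authentication query, and the parameterised fix. Table and data are
constructed here in an in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample: one POP3 account with a plaintext password
    column, as a simple authentication module might keep it."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE popusers (login TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO popusers VALUES (?, ?)", ("alice", "s3cret"))
    return db


def vulnerable_query(login: str, password: str) -> str:
    """The bug: user-supplied strings are pasted into the SQL text, so a
    quote character in either one rewrites the WHERE clause."""
    return (f"SELECT 1 FROM popusers WHERE login='{login}' "
            f"AND password='{password}'")


def auth_vulnerable(db: sqlite3.Connection, login: str, password: str) -> bool:
    return db.execute(vulnerable_query(login, password)).fetchone() is not None


def auth_fixed(db: sqlite3.Connection, login: str, password: str) -> bool:
    """Fix: bound parameters travel separately from the SQL text, so the
    driver never interprets quote characters in them as syntax."""
    row = db.execute("SELECT 1 FROM popusers WHERE login=? AND password=?",
                     (login, password)).fetchone()
    return row is not None


# Two classic payloads: comment out the password check via the login, or
# make the WHERE clause unconditionally true via the password.
COMMENT_OUT = "alice' --"
ALWAYS_TRUE = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(COMMENT_OUT, "whatever"))
    print("vulnerable, no password:", auth_vulnerable(db, COMMENT_OUT, "whatever"))
    print("fixed, same input:      ", auth_fixed(db, COMMENT_OUT, "whatever"))
```

Escaping quotes by hand (the approach the advisory's wording suggests was missing) also works when done with the database library's own escaping routine, but bound parameters remove the problem rather than patching it, which is why they are the form to reach for.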

Alerts:
Debian DSA-347-1 2003-07-08
Gentoo 200309-18 2003-09-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first