By Jake Edge
August 24, 2011
Bdale Garbee is well-known in the free software world for a number of
different things: his work with Debian (including a term as project
leader), his work as HP's open source and Linux chief technologist,
membership on several boards (the Linux Foundation among them), and a lot more.
He's also known for giving talks at various conferences about another
passion of his, model rocketry, and specifically how open hardware and
software can be used to control and track those rockets. So when he said
that his LinuxCon talk
was a rare example of a "talk I would rather give than a rocket
talk", it's a pretty good indicator of how important he thinks the
topic, FreedomBox, is.
The FreedomBox project is an effort
to create personal servers that will run on cheap, "plug computer"
hardware. While the software will be designed to run on hardware installed
in the home or elsewhere, the focus is on in-home use. In some
jurisdictions, Garbee said, there is a big difference between how data
stored on a computer in the home vs. one elsewhere is treated in a legal sense.
The project also wants to "contribute to privacy-respecting
alternatives to social networking". In today's world, people are
uploading personal data to services like Facebook without any real
guarantees that the data will still be there in the future, and that they will
always have access to it. In addition, the terms of service can change
over time, as do the privacy settings and policies. Garbee was careful to
point out that the project (and the FreedomBox Foundation) would
not necessarily be creating these social networking alternatives, but would
be collaborating with those who are.
Another important part of the FreedomBox idea is to support mesh
networking. As we have seen in the news recently, activists and political
protestors in
various places are too dependent on centralized services, especially
communications services. We already have the technology to build mesh
networks that could be used to route around repressive governments, or just
repressive ISPs, he said. If two neighbors have different ISPs, with
different filtering policies, a mesh network between them could potentially
avoid those problems.
Debian and FreedomBox
There is a "high correlation" between the goals of the Debian
distribution and those of the FreedomBox, Garbee said. There is also
"no better place to find a strong technical infrastructure"
than in Debian. In something of an aside, he also noted that while Linux was celebrating its 20th
anniversary at the conference, Debian is celebrating its 18th
anniversary, which is truly "mind-boggling", he said. There
is no Debian company or corporation; it is made up of individual volunteers.
It also runs on all of the relevant architectures. All of these things explain
why the FreedomBox software is Debian-based.
In addition to all of that, there is a fair amount of truth to the
statement that "all free software gets packaged for Debian",
he said,
which gives the project a good base. It can use the same bug tracker and
build environment that Debian uses as well. Many of the pieces that are
needed for FreedomBox are already packaged or being worked on within the
distribution.
But FreedomBox does not plan to be a Debian derivative, and will instead do
all of its work within the distribution. One of the goals is that every
stable release of Debian will have "everything needed to create
FreedomBoxes", Garbee said. So users can either buy a plug computer
and install FreedomBox themselves, buy an off-the-shelf plug computer with
the software pre-installed, or find a cast-off computer and install it
there. One of the big advantages of that approach, he said, is that no
matter how successful the FreedomBox project ends up being, all of the work
and code will always be available in Debian.
The foundation
The FreedomBox Foundation (FBF) was founded by Eben Moglen, who has "done a
great job articulating the need" for such a device. Moglen asked
Garbee to join the board of the foundation in order to establish and chair
a technical advisory committee (TAC). The TAC exists "to make the
board understand what the technical issues are", he said, and it is
not a "top-down design group". That work will be done in the
soon-to-be-established working groups.
The FBF is not a large organization with "a lot of resources and an
army of coders", Garbee said. The technology is not really the hard
part, he said, at least for most of the people in the room. The much harder
part will be the user experience because the FreedomBox has a "much
broader audience than just those who are building it". If those
others can't understand how to use it, "we will have failed".
So far, that's an area where, unfortunately, not a lot of work has been
done yet, he said.
There are other tasks that the FBF is taking on, such as fund-raising, outreach, and publicity. Those things are important and are a persistent problem for any
non-profit organization, he said. Another non-obvious thing that the FBF
can do is "industry relations". At some point, hardware vendors should be
willing to build and ship products with FreedomBox pre-installed. That may
require NDAs, which is not something that most free software developers
want to deal with.
The TAC has been formed with Garbee as the chair. Five others are on the
committee as well: Jacob Appelbaum, who is a security researcher and core
member of the Tor project; Sam Hartman, a Debian developer and security
consultant; Sascha Meinrath, author and mesh networking researcher; Rob
Savoye, GNU toolchain hacker and embedded systems developer; and Matt
Zimmerman, who is a Debian developer and former CTO at Canonical.
Over the coming weeks, Garbee said, various working groups will be
established to work on the disparate pieces that make up FreedomBox. There
are a lot of different conversations going on in the mailing list, and they
are often getting derailed by people who are focusing on a different piece
of the problem. These working groups will likely be "instantiated as
separate mailing lists" and will be tasked with a specific piece of
the problem. The output may be code, packages, or recipes, he said.
Garbee is "looking forward to getting them going".
DreamPlug reference platform
The DreamPlug
has been chosen as the initial reference platform for FreedomBox. Part of
the requirements for the FBF's Kickstarter fundraising campaign was to
deliver hardware to some donors, and the DreamPlug will fill that role.
While the hardware is reasonable overall, he said, there are still some
frustrating things from a free software perspective. Marvell created most
of the hardware inside the DreamPlug, and has generally worked well with
the community, but there were still some driver and source availability
problems. Most of those have been resolved except for a firmware blob that
is required to run the Marvell wireless uAP device.
The idea behind the choice of the DreamPlug is to pick a specific target,
and the
hardware is fairly capable. It has a 1.2 GHz ARM processor, with 512M of
RAM, 2M flash for u-boot, and 2G of flash for filesystems. There
are also lots of IO ports, including two gigabit Ethernet interfaces, two
USB 2.0 ports, an eSATA 2.0 port, an SD socket, and more. It also has audio inputs
which didn't seem useful at first, he said, until someone pointed
out that they
could be used for random number generation.
Technical progress
One of the areas that has been extensively discussed within the project is
the idea of "establishing trust". OpenPGP keys are "about
as good as it gets" in terms of storing public/private
key pairs, he said, but the trust relationship problem still isn't solved.
Noting that the target audience may be more likely to have smartphones, the
project is narrowing in on solutions that would allow an initial key exchange
using the display and cameras of smartphones. A phone app could gather
these keys up when people meet face-to-face and then allow them to be
installed on the FreedomBox.
In addition, lots of work on the FreedomBox went on at the hackfest that
preceded DebConf11
in Banja Luka, Bosnia and Herzegovina at the end of July.
The focus was on assembling an initial development image for the DreamPlug
and identifying and integrating an application into that image. While lots
of progress was made, and an application was identified (an XMPP-based
secure chat client), they didn't quite get there during the hackfest.
There were also
several FreedomBox talks at the conference itself and Garbee recommended viewing
the videos
of those talks.
Going forward, he said the team is "single-digit days" from
releasing initial development images for both the DreamPlug and for x86
virtualization for those who don't have the hardware. There is ongoing work
to use Monkeysphere for
identity management with OpenPGP keys. Work on selecting and integrating
specific applications that deliver "functionality implied by our
vision" is underway, starting with the secure XMPP-based chat
stack. The plan is to do periodic releases until "we achieve
1.0", Garbee said, but he won't say when that will happen,
"Debian-style".
There are a number of ways for interested folks to get involved, starting
with being "conscious about privacy and other freedoms in all that
you do", he said. Experimenting with the software and helping to
refine the list
of alternatives to the proprietary cloud services would be
helpful. Joining a working group or helping to select Debian packages (and
determine the right configuration for them) are additional ways to help.
Of course, financial contributions to the FBF are always welcome.
In answer to audience questions, Garbee reiterated that Debian was chosen
for pragmatic reasons and there is no reason that others couldn't put the
FreedomBox stack on top of other distributions. He did not want the FBF to
have to set up distribution infrastructure or be saddled with long-term
security updates, and basing on Debian avoided that. He also said that
off-the-shelf FreedomBoxes are "at least a year away", and it
could be longer than that.
[ I would like to thank the Linux Foundation for assistance with travel
costs for LinuxCon. ]
Brief items
Google are wrong about the root cause of online trolling and other forms of
sociopathic behaviour. It's nothing to do with anonymity. Rather, it's to
do with the evanescence of online identity. People who have long term
online identities (regardless of whether they're pseudonymous or not) tend
to protect their reputations. Trolls, in contrast, use throw-away
identities because it's not a real identity to them: it's a sock puppet
they wave in the face of their victim to torment them. Forcing people to
use their real name online won't magically induce civility: the trolls
don't care. Identity, to them, is something that exists in the room with
the big blue ceiling, away from the keyboard. Stuff in the glowing screen
is imaginary and of no consequence.
-- Charlie Stross looks at technical and social problems with the Google+ name policy
Researchers from UCSD pointed thermal cameras towards plastic ATM PIN pads
and metal ATM PIN pads to test how effective they were at stealing PIN
numbers. The thermal cams didn't work against metal pads but on plastic
pads the success rate of detecting all the digits was 80% after 10 seconds
and 60% after 45 seconds. If you think about your average ATM trip, that's
a pretty wide window and an embarrassingly high success rate for thieves to
take advantage of.
-- Gizmodo (via Bruce Schneier)
It's basically like having root on the device, and that's like having root
on the chemistry of the human body.
-- Jerome Radcliffe in a Dark Reading report of attacking a wireless insulin pump
The Apache project has sent out an advisory warning of an easily-exploited
denial of service vulnerability in all versions of the Apache server.
"An attack tool is circulating in the wild. Active use of this tool
has been observed.
The attack can be done remotely and with a modest number of requests can
cause very significant memory and CPU usage on the server.
The default Apache HTTPD installation is vulnerable.
There is currently no patch/new version of Apache HTTPD which fixes this
vulnerability. This advisory will be updated when a long term fix
is available." A fix is expected "within 48 hours"; a number of
workarounds are provided in the advisory for those who cannot wait.
New vulnerabilities
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
| CVE #(s): | CVE-2011-2379, CVE-2011-2380, CVE-2011-2979, CVE-2011-2381, CVE-2011-2978, CVE-2011-2977 |
| Created: | August 22, 2011 |
| Updated: | October 10, 2011 |
| Description: |
From the CVE entries:
Cross-site scripting (XSS) vulnerability in Bugzilla 2.4 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3, when Internet Explorer before 9 or Safari before 5.0.6 is used for Raw Unified mode, allows remote attackers to inject arbitrary web script or HTML via a crafted patch, related to content sniffing. (CVE-2011-2379)
Bugzilla 2.23.3 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 allows remote attackers to determine the existence of private group names via a crafted parameter during (1) bug creation or (2) bug editing. (CVE-2011-2380)
Bugzilla 4.1.x before 4.1.3 generates different responses for certain assignee queries depending on whether the group name is valid, which allows remote attackers to determine the existence of private group names via a custom search. NOTE: this vulnerability exists because of a CVE-2010-2756 regression. (CVE-2011-2979)
CRLF injection vulnerability in Bugzilla 2.17.1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 allows remote attackers to inject arbitrary e-mail headers via an attachment description in a flagmail notification. (CVE-2011-2381)
Bugzilla 2.16rc1 through 2.22.7, 3.0.x through 3.3.x, 3.4.x before 3.4.12, 3.5.x, 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 does not prevent changes to the confirmation e-mail address (aka old_email field) for e-mail change notifications, which makes it easier for remote attackers to perform arbitrary address changes by leveraging an unattended workstation. (CVE-2011-2978)
Bugzilla 3.6.x before 3.6.6, 3.7.x, 4.0.x before 4.0.2, and 4.1.x before 4.1.3 on Windows does not delete the temporary files associated with uploaded attachments, which allows local users to obtain sensitive information by reading these files. NOTE: this issue exists because of a regression in 3.6. (CVE-2011-2977) |
crypt_blowfish: crackable password hashing
| Package(s): | crypt_blowfish |
| CVE #(s): | CVE-2011-2483 |
| Created: | August 19, 2011 |
| Updated: | December 19, 2011 |
| Description: |
From the openSUSE advisory:
The implementation of the blowfish based password hashing
method had a bug affecting passwords that contain 8bit
characters (e.g. umlauts). Affected passwords are
potentially faster to crack via brute force methods.
|
ecryptfs-utils: denial of service
| Package(s): | ecryptfs-utils |
| CVE #(s): | CVE-2011-3145 |
| Created: | August 23, 2011 |
| Updated: | January 19, 2012 |
| Description: |
From the Ubuntu advisory:
It was discovered that eCryptfs incorrectly handled permissions when
modifying the mtab file. A local attacker could use this flaw to manipulate
the mtab file, and possibly unmount arbitrary locations, leading to a
denial of service.
|
gimp: heap corruption
| Package(s): | gimp |
| CVE #(s): | CVE-2011-2896 |
| Created: | August 22, 2011 |
| Updated: | September 28, 2012 |
| Description: |
From the Red Hat bugzilla:
GIF image file format readers in various open source projects are based on the GIF decoder implementation written by David Koblas. This implementation contains a bug in the LZW decompressor, causing it to incorrectly handle compressed streams that contain code words that were not yet added to the decompression table. LZW decompression has a special case (a KwKwK string) when a code word may match the first free entry in the decompression table. The implementation used in this GIF reading code allows code words not only matching, but also exceeding the first free entry.
|
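The bound described in the gimp entry, as an added example (not code from GIMP, the Koblas decoder or the Red Hat report): a toy LZW decoder over already-unpacked code words that accepts a code equal to the first free table entry (the KwKwK case) and rejects anything larger. The 2-bit alphabet, all names and the sample streams are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy parameters: 2-bit alphabet, GIF-style control codes. */
#define CLEAR_CODE 4
#define END_CODE   5
#define FIRST_FREE 6
#define TABLE_SIZE 4096

/* Decode already-unpacked LZW code words. Returns bytes written, or -1
 * if the stream is malformed or the output buffer is too small. */
long lzw_decode(const uint16_t *codes, size_t ncodes, uint8_t *out, size_t cap)
{
    uint16_t prefix[TABLE_SIZE];
    uint8_t suffix[TABLE_SIZE], stack[TABLE_SIZE];
    int next_free = FIRST_FREE, prev = -1;
    uint8_t first = 0;              /* first byte of the previous string */
    size_t n = 0;
    for (size_t i = 0; i < ncodes; i++) {
        int code = codes[i], cur = code, sp = 0;
        if (code == CLEAR_CODE) { next_free = FIRST_FREE; prev = -1; continue; }
        if (code == END_CODE) break;
        /* The bound the vulnerable readers lacked: a code word may match
         * the first free entry (KwKwK) but must never exceed it. */
        if (code > next_free || code >= TABLE_SIZE) return -1;
        if (code == next_free) {
            if (prev < 0) return -1;     /* KwKwK needs a previous string */
            stack[sp++] = first;         /* new string = prev + prev[0] */
            cur = prev;
        }
        while (cur >= FIRST_FREE) {      /* walk the prefix chain backwards */
            stack[sp++] = suffix[cur];
            cur = prefix[cur];
        }
        first = (uint8_t)cur;
        stack[sp++] = first;
        if ((size_t)sp > cap - n) return -1;
        while (sp > 0) out[n++] = stack[--sp];
        if (prev >= 0 && next_free < TABLE_SIZE) {   /* add prev + first */
            prefix[next_free] = (uint16_t)prev;
            suffix[next_free] = first;
            next_free++;
        }
        prev = code;
    }
    return (long)n;
}

int main(void)
{
    /* Constructed: 'good' ends with a KwKwK code (8); 'bad' uses code 9. */
    const uint16_t good[] = { 4, 0, 1, 6, 8, 5 };
    const uint16_t bad[]  = { 4, 0, 1, 9, 5 };
    uint8_t out[32];
    printf("good: %ld bytes\n", lzw_decode(good, 6, out, sizeof out));
    printf("bad:  %ld\n", lzw_decode(bad, 5, out, sizeof out));
    return 0;
}
```

Without the `code > next_free` test, the chain walk would follow `prefix[]` and `suffix[]` entries that were never written, which is where the out-of-bounds behaviour in such decoders comes from.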
kernel: arbitrary command execution
| Package(s): | kernel |
| CVE #(s): | CVE-2011-2905 |
| Created: | August 18, 2011 |
| Updated: | November 28, 2011 |
| Description: |
From the Red Hat bugzilla:
It was reported that perf would look for configuration files in
/etc/perfconfig, ~/.perfconfig, and ./config. If ./config is not a perf
configuration file, perf could fail or possibly do unexpected things. If a
privileged user was tricked into running perf in a directory containing a
malicious ./config file, it could possibly lead to the execution of arbitrary
commands.
|
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2011-2695 |
| Created: | August 23, 2011 |
| Updated: | September 13, 2011 |
| Description: |
From the CVE entry:
Multiple off-by-one errors in the ext4 subsystem in the Linux kernel before 3.0-rc5 allow local users to cause a denial of service (BUG_ON and system crash) by accessing a sparse file in extent format with a write operation involving a block number corresponding to the largest possible 32-bit unsigned integer.
|
kiwi: multiple vulnerabilities
| Package(s): | kiwi |
| CVE #(s): | CVE-2011-2225, CVE-2011-2226, CVE-2011-2644, CVE-2011-2645, CVE-2011-2646, CVE-2011-2647, CVE-2011-2648, CVE-2011-2649, CVE-2011-2650, CVE-2011-2651, CVE-2011-2652 |
| Created: | August 18, 2011 |
| Updated: | December 15, 2011 |
| Description: |
From the SUSE advisory:
SUSE Studio was prone to several cross-site-scripting (XSS) and shell quoting issues.
- CVE-2011-2652 - XSS vulnerability in overlay files: bad escaping archive file list
- CVE-2011-2651 - Remote code execution via crafted filename in file browser
- CVE-2011-2650 - XSS vulnerability when displaying RPM info (pattern name)
- CVE-2011-2649 - Unwanted shell expansion when executing commands in FileUtils fix
- CVE-2011-2648 - Arbitrary code execution via filters in modified files
- CVE-2011-2647 - studio: Remote code execution via crafted archive name in testdrive's modified files
- CVE-2011-2646 - studio: Remote code execution via crafted filename in testdrive's modified files
- CVE-2011-2645 - Remote code execution via crafted custom RPM filename
- CVE-2011-2644 - XSS vulnerability in displaying RPM info
- CVE-2011-2226 - XSS vulnerability when displaying pattern listing
- CVE-2011-2225 - Overlay directory paths are not properly escaped before inclusion into config.sh
|
nip2: privilege escalation
| Package(s): | nip2 |
| CVE #(s): | CVE-2010-3364 |
| Created: | August 23, 2011 |
| Updated: | August 24, 2011 |
| Description: |
From the CVE entry:
The vips-7.22 script in VIPS 7.22.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. |
system-config-printer: arbitrary code execution
| Package(s): | system-config-printer |
| CVE #(s): | CVE-2011-2899 |
| Created: | August 23, 2011 |
| Updated: | September 23, 2011 |
| Description: |
From the Red Hat advisory:
It was found that system-config-printer did not properly sanitize NetBIOS
and workgroup names when searching for network printers. A remote attacker
could use this flaw to execute arbitrary code with the privileges of the
user running system-config-printer. |
zabbix: cross-site scripting
| Package(s): | zabbix |
| CVE #(s): | CVE-2011-2904 |
| Created: | August 18, 2011 |
| Updated: | August 24, 2011 |
| Description: |
From the Red Hat bugzilla:
A vulnerability was reported in Zabbix where input passed to the
"backurl" parameter in acknow.php is improperly sanitized before being returned to the user. This could be used to facilitate a cross-site scripting attack. This flaw is fixed in Zabbix 1.8.6. |
Page editor: Jake Edge