Security
February 15, 2012
This article was contributed by Nathan Willis
On February 10, the Tor project posted reports from users inside Iran that the country's government had begun blocking all SSL/TLS traffic, a major escalation of firewall policies that had already cut off users from specific services. Tor responded by pointing readers to obfsproxy, its comparatively-little-known project that can disguise SSL traffic to evade detection by the deep packet inspection (DPI) filters used to flag and shut down encrypted connections.
Word from users in Iran was that the government SSL-blocking effort appeared to be DPI-based, because connections were being terminated only after the first few steps of the SSL handshake. Other methods to bypass the firewall, including VPNs, were still functional, although they are an impractical (and sometimes expensive) solution for the majority of Iranian Internet users. However, the block prevents standard Tor usage in particular, because the system relies on an encrypted connection between the user's machine and the first relay in the Tor network.
Earlier filtering techniques, such as blocking access to specific IP addresses, had been bypassed by using bridges — Tor relays that ran on unpublished IPs. Reports indicated that the SSL block varied by ISP and had not affected the entire country, but the project's metrics showed a sharp decline in the number of Tor users originating from Iran, starting around February 9. Alongside the announcement of obfsproxy, the Tor project asked users to help restore connectivity for people in the region by setting up obfuscated bridges — but cautioned that drawing too much public attention to the project could prompt authorities to implement countermeasures.
It rolls right off the tongue: "obfsproxy"
Obfsproxy — which, although just announced to the public, has been in development since early 2011 — offers relief from DPI filtering. It is a transport proxy that encapsulates protocol traffic between endpoints within an "innocent-looking" wrapper. The system is modular enough that the project says it can be used with a variety of protocols, but the default usage is designed to wrap SSL traffic between a Tor client and Tor bridge inside another application-layer connection. Furthermore, within those faux application-layer packets, the genuine SSL packets are encrypted by a stream cipher, making their contents immune to detection by DPI filters (which catch protocols by matching characteristic strings or regular expressions in the TCP stream).
Obfsproxy's default module is called obfs2, and merely disguises SSL traffic as unencrypted SOCKS traffic. It does not itself provide authentication, confidentiality, or guarantee data integrity. Those features must be provided by the traffic being obfuscated (e.g., SSL and Tor). Nor does it protect against protocol fingerprinting using other means (such as timing or packet size), nor against attackers looking specifically for obfsproxy itself. The threat model document in the project's Git repository outlines the assumptions and characteristics in specific detail, and argues that although the scope is limited: it "protects against many real-life Tor traffic detection methods currently deployed, since most of them currently use static SSL handshake strings as signatures."
Tor executive director Andrew Lewman told Forbes magazine that other protocol wrappers are a possibility for future releases, including XMPP and vanilla HTTP, and described a simpler client-side interface. At the moment, however, he described the project as "very much a work in progress, and the various pluggable transports are still in design and development."
The anatomy of obfs2
Obfsproxy is a recent addition to Tor, and although the project has released updated Tor Browser Bundle binaries pre-configured to use it, for most existing Tor users it requires compiling and running the client code — as well as knowledge of a Tor bridge also configured to run obfsproxy. Still, Tor reports that users in Iran are taking advantage of the code to successfully restore their lost connectivity.
Masking a Tor connection between client and bridge requires both participants to be running obfsproxy, but the client-bridge connection is the only one involved in the obfuscation — no general-purpose Tor nodes (including exit nodes) are required to install obfsproxy or need to alter their configuration.
Interested client and bridge users should fetch obfsproxy from the Tor project's Git repository and compile it with Autogen and GNU make. All versions of Tor newer than 0.2.3.11 can be configured to use obfsproxy simply by editing the Tor configuration file. Clients must add the IP address and port number of an obfsproxy-aware bridge and path to the obfsproxy executable. Bridge operators must start Tor and watch their logs, because Tor randomly selects an open, higher-numbered TCP port for obfsproxy to listen on the first time it is run. Older versions of Tor can use obfsproxy, too, using additional steps to configure a localhost-only relay between Tor and the obfsproxy program.
Whichever setup is involved, the obfs2 protocol operates in the same manner. It is based on Bruce Leidl's older work to obfuscate SSH handshakes. The client and the bridge first exchange session keys with each other, after which they "superencipher" their SSL session by encrypting it with 128-bit AES.
By default the protocol uses a relatively weak key-exchange method that could be compromised by an eavesdropper listening to both sides of the conversation — although the use of a pre-shared secret to strengthen this step is supported as well. It may sound as if the weak key exchange method undermines the whole process, but the important thing to remember is that the obfuscation protocol's only goal is to defeat automatic detection by pattern-matching DPI filters. Furthermore, the seed values that the client and bridge exchange are concatenated with constants and then hashed with SHA256, a step that does not make them unrecoverable, but that is computationally expensive to perform on the class of high-throughput networking hardware generally used to do DPI traffic analysis.
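The following Go program is an added illustration of the argument above, not obfsproxy's own code: it derives per-direction AES-128 keys from the two exchanged seeds (constant, seed material, constant, hashed with SHA-256 and iterated), superenciphers a constructed inner record in CTR mode, and shows why the default exchange is weak: an observer who captured both seeds derives the same key, unless a pre-shared secret is mixed in. The label strings, the iteration count, CTR mode and the key/IV split are assumptions modelled on the page's description, not values taken from the obfs2 specification.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Parameters modelled on the obfs2 design as the article describes it.
// The label strings and the iteration count are assumptions for this
// illustration, not values copied from the obfsproxy source.
const (
	seedLen    = 16     // random seed each side sends in the clear
	keyLen     = 16     // AES-128 key; the rest of the digest is the CTR IV
	iterations = 100000 // assumed: repeated hashing is the "expensive" step
	initLabel  = "Initiator obfuscated data"
	respLabel  = "Responder obfuscated data"
)

// dirKey holds the key material for one direction of the stream.
type dirKey struct{ key, iv []byte }

// mac follows the article's description: a constant is concatenated with
// the seed material, the result is hashed with SHA-256, and the hash is
// iterated n times to raise the cost of recovering the key on DPI hardware.
func mac(label string, x []byte, n int) []byte {
	buf := append(append([]byte(label), x...), []byte(label)...)
	h := sha256.Sum256(buf)
	for i := 1; i < n; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// deriveKeys computes the initiator and responder keys from the two
// exchanged seeds. secret is the optional pre-shared secret; nil models the
// default exchange, where everything that feeds the hash was on the wire.
func deriveKeys(initSeed, respSeed, secret []byte, n int) (dirKey, dirKey) {
	material := append(append([]byte{}, initSeed...), respSeed...)
	material = append(material, secret...)
	ik := mac(initLabel, material, n)
	rk := mac(respLabel, material, n)
	return dirKey{ik[:keyLen], ik[keyLen:]}, dirKey{rk[:keyLen], rk[keyLen:]}
}

// ctr applies AES-128-CTR; the same call encrypts and decrypts.
func ctr(k dirKey, data []byte) []byte {
	block, err := aes.NewCipher(k.key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, k.iv).XORKeyStream(out, data)
	return out
}

// runExchange simulates one superenciphered client-to-bridge message and
// reports (peerOK, observerOK): whether the bridge recovers the inner bytes,
// and whether a passive observer who captured both seeds but does not hold
// the pre-shared secret recovers them too.
func runExchange(secret []byte, n int) (bool, bool) {
	initSeed := make([]byte, seedLen)
	respSeed := make([]byte, seedLen)
	if _, err := rand.Read(initSeed); err != nil {
		panic(err)
	}
	if _, err := rand.Read(respSeed); err != nil {
		panic(err)
	}
	// Constructed stand-in for the inner TLS record that obfs2 would wrap.
	inner := []byte("\x16\x03\x01 constructed ClientHello bytes")

	clientKey, _ := deriveKeys(initSeed, respSeed, secret, n)
	wire := ctr(clientKey, inner) // what a DPI box actually sees

	bridgeKey, _ := deriveKeys(initSeed, respSeed, secret, n)
	peerOK := bytes.Equal(ctr(bridgeKey, wire), inner)

	// The observer saw the seeds but has no pre-shared secret to add.
	observerKey, _ := deriveKeys(initSeed, respSeed, nil, n)
	observerOK := bytes.Equal(ctr(observerKey, wire), inner)
	return peerOK, observerOK
}

func main() {
	peer, obs := runExchange(nil, iterations)
	fmt.Printf("default exchange:   bridge decrypts=%v observer decrypts=%v\n", peer, obs)
	peer, obs = runExchange([]byte("constructed bridge secret"), iterations)
	fmt.Printf("with shared secret: bridge decrypts=%v observer decrypts=%v\n", peer, obs)
}
```

The iteration count only slows the observer down; with the default exchange the observer still ends with the same key, which is why the page stresses that obfs2 targets pattern-matching DPI rather than confidentiality.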
Obfuscation for all
To the paranoid, obfs2 may sound like an imperfect solution to the filtering crisis. After all, it could be defeated by closer inspection of packets or by filtering out SOCKS traffic. In that sense, obfsproxy might be likened to steganography — its goal is to hide the traffic of an estimated tens of thousands of Tor users in a censored region like Iran among the connections of millions.
The Tor project reports that it has performed experiments of its own, and found obfsproxy to be effective "in all censored countries" when used as-is. However, as Jacob Appelbaum mentioned in the call for obfsproxy bridges, "it might even only last for a few days at the rate the arms race is progressing, if you could call it progress." Then again, thanks to the modular design of obfsproxy, the obfs2 module itself can be replaced or upgraded in future releases, both to disguise traffic better and to implement completely different security features. The sudden crackdown on all SSL traffic in Iran might have hit before a perfect system was in place, but obfsproxy is still a welcome relief for those who are affected and have no other practical options.
Comments (8 posted)
Brief items
Sorry, that was not correct. The "1" was actually an upper-case, sans-serif "I." Please try again by typing the following letters and numbers, this time using your nondominant hand and with one eye closed:
[...] Sorry, the second "X" was also lowercase. It looked larger because it was closer to the screen than the first. Please try again by retyping the words you see in this box:
-- The New York Times has some fun with CAPTCHA
As shown in the movie, the tool has a database that contains city profiles including Paris, Berlin, Amsterdam, Brussels, and Geneva. The tool runs on the right and on the left is the browser accessing Google Maps over SSL. In the first attempt, I load the city of Paris and zoom in a couple of times. On the second attempt I navigate to Berlin and zoom in a few times. On both occasions the tool manages to correctly guess the locations that the browser is accessing.
Please note that it is a shoddy proof of concept, but it shows the concept of SSL traffic analysis pretty well. It also might be easier to understand for less technically inclined people, as in "An attacker can still figure out what you're looking at on Google Maps" (with the addendum that it's never going to be a 100% perfect and that my shoddy proof of concept has lots of room for improvement).
-- Vincent Berg
The publication, citing a former 19-year Nortel employee who oversaw the investigation into the hack, said Nortel did nothing to keep out the hackers except to change seven compromised passwords that belonged to the CEO and other executives. The company "made no effort to determine if its products were also compromised by hackers," the WSJ [Wall Street Journal] said. Nortel, which sold off parts of its business as part of a 2009 bankruptcy filing, spent about six months investigating the breach and didn't disclose it to prospective buyers.
-- ars technica reports on a 2000 infiltration of Nortel
Comments (8 posted)
Here's a variant on the "untrustworthy SSL certificate authority" theme: this ComputerWorld story describes how Trustwave issued a "subordinate root" certificate to a private company. That allowed said company to stamp out certificates for any domains it liked and conduct man-in-the-middle attacks against SSL traffic from its internal network. "Trustwave defended itself by saying that the issuing of subordinate roots to private companies, so they can inspect the SSL-encrypted traffic that passes through their networks, is a common practice in the industry."
Comments (40 posted)
The H is reporting that a backdoor was inserted into installation packages of the Horde groupware. The affected versions are "Horde 3.3.12, Groupware 1.2.10 and the webmail edition of the groupware product". An intrusion into the FTP server back in November led to the problem. "Users who have installed a hacked version onto a server have thrown their systems wide open to the hackers – the backdoor enables them to execute arbitrary PHP code. By exploiting additional vulnerabilities, attackers could use this to gain complete control of the server."
Comments (none posted)
Matthew Garrett clears up some Secure Boot myths on his blog:
It's only a problem for hobbyist Linux, not the real Linux market:
Untrue. It's unclear whether even the significant Linux vendors can implement Secure Boot in a way that meets the needs of their customers and still allows them to boot on commodity hardware. A naive implementation removes many of the benefits of Linux for enterprise customers, such as the ability to use local modifications to micro-optimise systems for specific workloads. One of the key selling points of Linux is the ability to make use of local expertise when adapting the product for your needs. Secure Boot makes that more difficult.
Comments (2 posted)
New vulnerabilities
apr: denial of service
Package(s): apr
CVE #(s): CVE-2012-0840
Created: February 14, 2012
Updated: March 1, 2012
Description:
From the Mandriva advisory:
tables/apr_hash.c in the Apache Portable Runtime (APR) library through 1.4.5 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Comments (none posted)
bugzilla: multiple vulnerabilities
Package(s): bugzilla
CVE #(s): CVE-2012-0440, CVE-2012-0448
Created: February 13, 2012
Updated: February 15, 2012
Description:
From the CVE entries:
Cross-site request forgery (CSRF) vulnerability in jsonrpc.cgi in Bugzilla 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 allows remote attackers to hijack the authentication of arbitrary users for requests that use the JSON-RPC API. (CVE-2012-0440)
Bugzilla 2.x and 3.x before 3.4.14, 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 does not reject non-ASCII characters in e-mail addresses of new user accounts, which makes it easier for remote authenticated users to spoof other user accounts by choosing a similar e-mail address. (CVE-2012-0448)
Comments (none posted)
cvs: remote code execution
Package(s): cvs
CVE #(s): CVE-2012-0804
Created: February 9, 2012
Updated: March 29, 2012
Description:
From the Debian advisory:
It was discovered that a malicious CVS server could cause a heap overflow in the CVS client, potentially allowing the server to execute arbitrary code on the client.
Comments (none posted)
devscripts: multiple vulnerabilities
Package(s): devscripts
CVE #(s): CVE-2012-0210, CVE-2012-0211, CVE-2012-0212
Created: February 15, 2012
Updated: February 15, 2012
Description:
From the Debian advisory:
CVE-2012-0210: Paul Wise discovered that due to insufficient input sanitising when processing .dsc and .changes files, it is possible to execute arbitrary code and disclose system information.
CVE-2012-0211: Raphael Geissert discovered that it is possible to inject or modify arguments of external commands when processing source packages with specially-named tarballs in the top-level directory of the .orig tarball, allowing arbitrary code execution.
CVE-2012-0212: Raphael Geissert discovered that it is possible to inject or modify arguments of external commands when passing as argument to debdiff a specially-named file, allowing arbitrary code execution.
Comments (none posted)
ettercap: insecure settings file
Package(s): ettercap
CVE #(s): CVE-2010-3843
Created: February 9, 2012
Updated: April 9, 2013
Description:
From the Red Hat bugzilla entry:
The GTK version of ettercap uses a global settings file at /tmp/.ettercap_gtk and does not verify ownership of this file. When parsing this file for settings in gtkui_conf_read() (src/interfaces/gtk/ec_gtk_conf.c), an unchecked sscanf() call allows a maliciously placed settings file to overflow a statically-sized buffer on the stack. Stack-smashing protection catches it, but it still should be fixed.
Verify with:
$ perl -e 'print "A"x500' > /tmp/.ettercap_gtk && ettercap -G
Firstly, the settings file should not be globally accessible without checking ownership, which still gets hairy because an attacker could create a symlink or hard link to a victim-controlled file (unless you're using YAMA :p). The best thing would probably be to keep this file in the user's home directory instead.
Secondly, parsing configuration files should be robust against malformed input and not susceptible to trivial buffer overflows.
Comments (none posted)
firefox: multiple vulnerabilities
Package(s): MozillaFirefox
CVE #(s): CVE-2012-0443, CVE-2012-0445, CVE-2012-0446, CVE-2012-0447, CVE-2012-0450
Created: February 9, 2012
Updated: February 15, 2012
Description:
From the openSUSE advisory:
CVE-2012-0443: Ben Hawkes, Christian Holler, Honza Bombas, Jason Orendorff, Jesse Ruderman, Jan Odvarko, Peter Van Der Beken, and Bill McCloskey reported memory safety problems that were fixed in Firefox 10.
MFSA 2012-03/CVE-2012-0445: Alex Dvorov reported that an attacker could replace a sub-frame in another domain's document by using the name attribute of the sub-frame as a form submission target. This can potentially allow for phishing attacks against users and violates the HTML5 frame navigation policy.
MFSA 2012-05/CVE-2012-0446: Mozilla security researcher moz_bug_r_a4 reported that frame scripts bypass XPConnect security checks when calling untrusted objects. This allows for cross-site scripting (XSS) attacks through web pages and Firefox extensions. The fix enables the Script Security Manager (SSM) to force security checks on all frame scripts.
MFSA 2012-06/CVE-2012-0447: Mozilla developer Tim Abraldes reported that when encoding images as image/vnd.microsoft.icon the resulting data was always a fixed size, with uninitialized memory appended as padding beyond the size of the actual image. This is the result of mImageBufferSize in the encoder being initialized with a value different than the size of the source image. There is the possibility of sensitive data from uninitialized memory being appended to a PNG image when converted from an ICO format image. This sensitive data may then be disclosed in the resulting image.
MFSA 2012-09/CVE-2012-0450: magicant starmen reported that if a user chooses to export their Firefox Sync key the "Firefox Recovery Key.html" file is saved with incorrect permissions, making the file contents potentially readable by other users on Linux and OS X systems.
Comments (none posted)
glpi: file inclusion vulnerability
Package(s): glpi
CVE #(s): CVE-2012-1037
Created: February 13, 2012
Updated: February 20, 2012
Description:
GLPI v 0.78 to 0.80.61 fails to properly sanitize the GET 'sub_type' parameter in the front/popup.php file. This has been fixed in GLPI 0.80.7.
See this post on the Full Disclosure mailing list for additional details.
Comments (none posted)
gnutls: denial of service
Package(s): gnutls
CVE #(s): CVE-2011-4128
Created: February 9, 2012
Updated: March 30, 2012
Description:
From the openSUSE advisory:
Large server tickets could crash gnutls clients.
Comments (none posted)
java: multiple vulnerabilities
Package(s): java-1.6.0-openjdk
CVE #(s): CVE-2011-3563, CVE-2011-3571, CVE-2011-5035, CVE-2012-0497, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506
Created: February 15, 2012
Updated: February 6, 2013
Description:
From the Red Hat advisory:
It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. Malicious input, or an untrusted Java application or applet could use this flaw to crash the Java Virtual Machine (JVM), or bypass Java sandbox restrictions. (CVE-2012-0497)
It was discovered that the exception thrown on deserialization failure did not always contain a proper identification of the cause of the failure. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2012-0505)
The AtomicReferenceArray class implementation did not properly check if the array was of the expected Object[] type. A malicious Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2011-3571)
It was discovered that the use of TimeZone.setDefault() was not restricted by the SecurityManager, allowing an untrusted Java application or applet to set a new default time zone, and hence bypass Java sandbox restrictions. (CVE-2012-0503)
The HttpServer class did not limit the number of headers read from HTTP requests. A remote attacker could use this flaw to make an application using HttpServer use an excessive amount of CPU time via a specially-crafted request. This update introduces a header count limit controlled using the sun.net.httpserver.maxReqHeaders property. The default value is 200. (CVE-2011-5035)
The Java Sound component did not properly check buffer boundaries. Malicious input, or an untrusted Java application or applet could use this flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion of its memory. (CVE-2011-3563)
A flaw was found in the AWT KeyboardFocusManager that could allow an untrusted Java application or applet to acquire keyboard focus and possibly steal sensitive information. (CVE-2012-0502)
It was discovered that the CORBA (Common Object Request Broker Architecture) implementation in Java did not properly protect repository identifiers on certain CORBA objects. This could have been used to modify immutable object data. (CVE-2012-0506)
An off-by-one flaw, causing a stack overflow, was found in the unpacker for ZIP files. A specially-crafted ZIP archive could cause the Java Virtual Machine (JVM) to crash when opened. (CVE-2012-0501)
Comments (none posted)
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2011-4087
Created: February 9, 2012
Updated: February 15, 2012
Description:
From the openSUSE advisory:
CVE-2011-4087: A local denial of service when using bridged networking via a flood ping was fixed.
Comments (none posted)
kernel: memory corruption
Package(s): kernel
CVE #(s): CVE-2011-4604
Created: February 9, 2012
Updated: February 15, 2012
Description:
From the openSUSE advisory:
CVE-2011-4604: If root does read() on a specific socket, it's possible to corrupt (kernel) memory over network, with an ICMP packet, if the B.A.T.M.A.N. mesh protocol is used.
Comments (none posted)
kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2011-4086, CVE-2012-0028
Created: February 9, 2012
Updated: June 1, 2012
Description:
From the Red Hat advisory:
A flaw was found in the way the Linux kernel's journal_unmap_buffer() function handled buffer head states. On systems that have an ext4 file system with a journal mounted, a local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-4086, Moderate)
A flaw was found in the way the Linux kernel handled robust list pointers of user-space held futexes across exec() calls. A local, unprivileged user could use this flaw to cause a denial of service or, eventually, escalate their privileges. (CVE-2012-0028, Important)
Comments (none posted)
kernel: unauthorized file access
Package(s): kernel
CVE #(s): CVE-2012-0055
Created: February 13, 2012
Updated: February 15, 2012
Description:
From the Ubuntu advisory:
Andy Whitcroft discovered that the Overlayfs filesystem was not doing the extended permission checks needed by cgroups and Linux Security Modules (LSMs). A local user could exploit this to bypass security policy and access files that should not be accessible.
Comments (none posted)
mozilla: code execution
Package(s): mozilla-thunderbird, firefox
CVE #(s): CVE-2012-0452
Created: February 13, 2012
Updated: February 16, 2012
Description:
From the Mandriva advisory:
Use-after-free vulnerability in Mozilla Firefox 10.x before 10.0.1, Thunderbird 10.x before 10.0.1, and SeaMonkey 2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger failure of an nsXBLDocumentInfo::ReadPrototypeBindings function call, related to the cycle collector's access to a hash table containing a stale XBL binding.
Comments (none posted)
mysql: multiple unspecified vulnerabilities
Package(s): mysql
CVE #(s): CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, CVE-2012-0493, CVE-2012-0494, CVE-2012-0495, CVE-2012-0496
Created: February 13, 2012
Updated: February 16, 2012
Description:
From the CVE entries:
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495. (CVE-2012-0117)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495. (CVE-2012-0486)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495. (CVE-2012-0487)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0489, CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495. (CVE-2012-0488)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495. (CVE-2012-0489)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0493, and CVE-2012-0495. (CVE-2012-0491)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, and CVE-2012-0495. (CVE-2012-0493)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows local users to affect availability via unknown vectors. (CVE-2012-0494)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, and CVE-2012-0493. (CVE-2012-0495)
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect confidentiality and integrity via unknown vectors. (CVE-2012-0496)
Comments (1 posted)
mysql: multiple unspecified vulnerabilities
Package(s): mysql
CVE #(s): CVE-2011-2262, CVE-2012-0075, CVE-2012-0087, CVE-2012-0101, CVE-2012-0102, CVE-2012-0112, CVE-2012-0113, CVE-2012-0114, CVE-2012-0115, CVE-2012-0116, CVE-2012-0118, CVE-2012-0119, CVE-2012-0120, CVE-2012-0484, CVE-2012-0485, CVE-2012-0490, CVE-2012-0492
Created: February 9, 2012
Updated: August 13, 2012
Description:
From the Red Hat advisory:
CVE-2011-2262 mysql: Unspecified vulnerability allows remote attackers to affect availability
CVE-2012-0075 mysql: Unspecified vulnerability allows remote authenticated users to affect integrity
CVE-2012-0087 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0101 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0102 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0112 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0113 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality and availability
CVE-2012-0114 mysql: Unspecified vulnerability allows local users to affect confidentiality and integrity
CVE-2012-0115 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0116 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality and integrity
CVE-2012-0118 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality and availability
CVE-2012-0119 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0120 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0484 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality
CVE-2012-0485 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0490 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
CVE-2012-0492 mysql: Unspecified vulnerability allows remote authenticated users to affect availability
Comments (none posted)
php: multiple vulnerabilities
Package(s): php5
CVE #(s): CVE-2011-4153, CVE-2012-0788, CVE-2012-0831
Created: February 10, 2012
Updated: February 28, 2013
Description:
From the Ubuntu advisory:
It was discovered that PHP did not always check the return value of the zend_strndup function. This could allow a remote attacker to cause a denial of service. (CVE-2011-4153)
It was discovered that PHP did not properly enforce that PDORow objects could not be serialized and not be saved in a session. A remote attacker could use this to cause a denial of service via an application crash. (CVE-2012-0788)
It was discovered that PHP allowed the magic_quotes_gpc setting to be disabled remotely. This could allow a remote attacker to bypass restrictions that could prevent an SQL injection. (CVE-2012-0831)
Comments (none posted)
phpldapadmin: cross-site scripting
Package(s): phpldapadmin
CVE #(s): CVE-2012-0834
Created: February 14, 2012
Updated: February 15, 2012
Description:
From the CVE entry:
Cross-site scripting (XSS) vulnerability in lib/QueryRender.php in phpLDAPadmin 1.2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the base parameter in a query_engine action to cmd.php.
Comments (none posted)
puppet: unintended access to resources
Package(s): Puppet
CVE #(s): CVE-2011-0528
Created: February 14, 2012
Updated: February 15, 2012
Description:
From the Ubuntu advisory:
It was discovered that Puppet would allow remote ralsh under certain circumstances. An attacker on an authenticated puppet node could exploit this to view or manipulate resources on other Puppet nodes.
Comments (none posted)
samba: denial of service
Package(s): samba
CVE #(s): CVE-2012-0817
Created: February 9, 2012
Updated: February 15, 2012
Description:
From the Red Hat bugzilla entry:
A memory leak leading to denial of service (smbd crash) was found in the way the smbd daemon of the Samba suite performed management of file descriptors related to socket connections. A remote attacker could use this flaw to cause excessive CPU use or, potentially, denial of service via a loop of incoming connections.
Comments (none posted)
selinux-policy: policy enhancements
Package(s): selinux-policy
CVE #(s): (none)
Created: February 14, 2012
Updated: February 15, 2012
Description:
From the Scientific Linux advisory:
An incorrect SELinux policy prevented the qpidd service from starting. These selinux-policy packages contain updated SELinux rules, which allow the qpidd service to be started correctly.
With SELinux in enforcing mode, the ssh-keygen utility was prevented from access to various applications and thus could not be used to generate SSH keys for these programs. With this update, the "ssh_keygen_t" SELinux domain type has been implemented as unconfined, which ensures that the ssh-keygen utility works correctly.
Comments (none posted)
sysconfig: code execution
Package(s): sysconfig
CVE #(s): CVE-2011-4182
Created: February 9, 2012
Updated: February 15, 2012
Description:
From the openSUSE advisory:
The sysconfig hook script for NetworkManager did not properly quote shell meta characters when processing ESSIDs. Specially crafted network names could therefore lead to execution of shell code (CVE-2011-4182).
Comments (none posted)
wireshark: multiple vulnerabilities
Package(s): wireshark
CVE #(s): (none)
Created: February 9, 2012
Updated: February 15, 2012
Description:
From the Mandriva advisory:
Multiple file parser and NULL pointer vulnerabilities, including an RLC dissector buffer overflow, were found and corrected in Wireshark.
Comments (none posted)
xchat-ruby: null pointer dereference, remote DoS
Package(s): xchat-ruby
CVE #(s): (none)
Created: February 13, 2012
Updated: February 15, 2012
Description:
From the Red Hat bugzilla:
In src/xchat-ruby.c the functions
static_ruby_custom_command_hook(char *word[], char *word_eol[], void *userdata)
static_ruby_custom_server_hook(char *word[], char *word_eol[], void *userdata)
use the parameter 'word' in a for loop without a break [1]:
for( i = 1; word[i][0] != '\0'; i++ )
The problem is that word[PDIWORDS] is always set to NULL by xchat. So if the input contains more words than PDIWORDS (32) [2], the NULL pointer will be dereferenced.
This bug is remotely triggerable over IRC networks if one or more ruby plugins use hook_server().
Comments (none posted)
znc: denial of service
Package(s): znc
CVE #(s): CVE-2012-0033
Created: February 10, 2012
Updated: February 15, 2012
Description:
From the Red Hat bugzilla:
A denial of service flaw was reported in ZNC versions 0.200 and 0.202. A DCC RESUME received by znc can cause a crash in the bouncedcc module.
Comments (none posted)
Page editor: Jake Edge