LWN.net Logo

Advertisement

E-Commerce & credit card processing - the Open Source way!

Advertise here

LWN.net Weekly Edition for September 18, 2003

Whose Internet is it?

Verisign is, of course, the company that once had a monopoly in the registration of .com and .net domain names. That monopoly has been broken, but Verisign is still the maintainer of the underlying database. This job is a nice cash cow for Verisign; all it needs to do is keep the database running, and it can extract an annual rent from every .com and .net domain out there. Many people would be happy with such a business.

Verisign, it would seem, wants more than that. So, at the beginning of this week, the company slipped a little "wild card" entry into the databases for .com and .net. The wild card entry provides an answer for any domain query that does not otherwise appear in the database; it is a default answer which now appears instead of the "no such domain" response that came before.

What does this wild card do? If you look up something that doesn't exist, say "scolinuxlicense.com", you'll get back an IP address (currently 64.94.110.11). If you send mail to that address, you get the world's stupidest SMTP server (if you're bored, try a command like "telnet bogusverisignhost.net smtp" and type five lines of random junk at it). Web queries, however, go to the company's "sitefinder" service. There, the user is confronted with a search engine and paid links aimed to help said user find what they were really after. Note that, according to the terms of use:

The information provided through the VeriSign Services is not necessarily complete and may be supplied by VeriSign's commericial [sic] licensors, advertisers or others.

In other words, it's really just another low-class domain hijacking scam.

In this case, however, there is more to it. Verisign has, by making this change, fundamentally altered the way the Internet operates. A whole class of diagnostic information - the fact that a given domain lookup has failed - is no longer part of the DNS protocol when .com and .net are involved. This change was not discussed with any of the affected users or other responsible parties, it was simply done. Verisign may have lost its monopoly on front-line domain name registration, but it still seems to think it owns the underlying domains.

The change has had real consequences. For example, spam filtering which relies on domain name existence tests no longer works. Bouncing spam with fake return addresses now has to go through a discussion with Sitefinder's SMTP server. The change is a generally bad idea; to have simply made such a change without so much as a "by your leave" is an act of great arrogance.

The internet, however, is built on free software. There is already a patch available from ISC for BIND 9 which defeats the new wildcard entries. Linux users can find a program on this page which uses netfilter to fix Sitefinder replies; that page also has pointers to patches for a number of DNS servers and mail transfer agents. Verisign may or may not decide to back down on this "service," but, since we own the infrastructure of our net, we can fix the problem regardless - this time, at least. Verisign's next move may not be so easy to counter.

Comments (19 posted)

SCO's quarterly filing

SCO's quarterly 10Q filing is now available. These filings can often give some insight into the internals of a company. Since SCO's actions are, currently, somewhat relevant to the Linux community, this filing is worth a look. What follows is our summary of the current quarterly state of SCO.

The company claims a profitable quarter, of course. Total revenue is reported at $20 million, of which $11 million came from products, $2 million from services, and $7 million from SCOsource. As a result of this revenue, the company's claimed assets have gone from $21 million at the beginning of the fiscal year (October, 2002) to $26 million now; of that, almost $15 million is cash in the bank. $15 million is also, of course, what the company has received in licensing revenue from Microsoft and Sun this year.

The company has spent almost $4 million ($1.7 million in the quarter) on SCOsource. This figure includes internal SCOsource staff along with external legal fees. Most other expenditures are in decline; the company spent 31% less in research and development than it did last year. SCO laid off 35 employes - about 10% of its staff - over the quarter. It also shut down SCO Group Ltd., a subsidiary in the UK.

Litigation

Not surprisingly, ongoing litigation is an important topic in this filing. It mentions the Red Hat suit, stating:

On or about September 15, 2003, the Company filed a motion to dismiss the Red Hat complaint. The motion to dismiss asserts that Red Hat lacks standing and that no case or controversy exists with respect to the claims seeking a declaratory judgment of non-infringement. The motion to dismiss further asserts that Red Hat's claims under the Lanham Act and related state laws are barred by the First Amendment to the U.S. Constitution and the common law privilege of judicial immunity.

It is interesting to hear that "no case or controversy exists" with Red Hat. SCO may well be restricting its options with regard to the creation of future cases against Red Hat. The first amendment defense is interesting; the first amendment rights of companies in the U.S. is currently a topic of much debate - and an ongoing Supreme Court case.

Things are happening in other parts of the world:

The Australian Competition and Consumer Commission (the "ACCC") has contacted the Company and requested information regarding complaints it has received regarding the Company's intellectual property claims and the Company's statements regarding the need for commercial Linux users to obtain a UNIX license. [...]

Several entities in Germany have obtained temporary restraining orders in Germany precluding SCO GmbH, the Company's German subsidiary, in substance, from making statements in Germany that disparage Linux, or entities involved in the Linux business, or implicate Linux as infringing the Company's intellectual property rights. SCO GmbH has received an administrative fine of 10,000 Euro for a technical violation of one of the temporary restraining orders. [...]

Informal letter complaints similar to those raised in Germany have been received from companies in Austria and Poland. [...]

Pursuit and defense of the above-mentioned matters will be costly, and management expects the costs for legal fees and related expenses may be substantial. The ultimate outcome or potential effect of the Company's results of operations or financial position as a result of the above-mentioned matters is not currently known or determinable.

The end result is that the limited countermeasures taken against the company so far are being felt. The "risk factors" section of the filing also has this statement:

We are informed that participants in the Linux industry have attempted to influence participants in the markets in which we sell our products to reduce or eliminate the amount of our products and services that they purchase. They have been somewhat successful in those efforts and will likely continue.

In other words, SCO is discovering the costs involved in angering its customers.

Sun and Microsoft

Of course, SCO's customer base is shifting; a large part of its revenue comes from exactly two companies: Sun Microsystems and Microsoft.

SCO's previous quarterly filing had noted that the "second SCOsource licensee" (being Sun Microsystems) had received, as part of its deal, a warrant allowing it to buy 210,000 shares of SCO stock at $1.83 each. Subsequently, a second warrant for 12,500 shares has been issued to Sun, at the same $1.83 price. There is still no explanation of why SCO stock is being issued to Sun. Most software licensing agreements do not include this sort of equity component.

Sun, which was responsible for 12% of SCO's revenue over the quarter, still owes $2.5 million on its licensing deal. That money is to be paid by the end of November.

Microsoft contributed 25% of SCO's revenue over the quarter. "On July 31, 2003, Microsoft exercised an option to acquire expanded licensing rights. Upon delivery, we expect to recognize additional revenue related to this option." There is no further discussion of what these "expanded licensing rights" are, or what Microsoft is paying for said rights. Chances are, however, that this is the "Fortune 500" customer for SCO's "Linux license" that we heard about in early August.

Vultus and Vista

The quarterly filing gives a few details with regard to SCO's dealings with a couple of other Canopy-funded companies. In June, SCO acquired Vultus, Inc., which is a web services business. The purchase itself required the issuance of 167,590 shares of SCO stock, of which almost 37,000 went to Canopy. But Vultus also owed Canopy a little over $1 million, so another 138,000 shares of stock (worth over $2.5 million now) went in Canopy's direction to take care of that little problem. This deal is a significant transfer of resources from SCO to Canopy; the benefit to SCO remains unclear, however.

We've previously looked at SCO's dealings with Vista, which included the acquisition of $1 million in the company's debt for 800,000 shares of company stock, now worth many times that amount. The company has also fed the company $200,000 in other financing. The current state of that debt?

As of July 31, 2003, the $1,000,000 convertible note receivable discussed above as well as both $100,000 notes receivable were outstanding and in technical default; however, the Company had not demanded repayment. No allowance for the past due notes receivable was recorded as of July 31, 2003 since the Company and Vista continue to work together under the license agreement discussed above and the Company is evaluating its option to convert the notes receivable to equity in Vista.

Vista is fortunate to have such an understanding creditor.

Summary

This filing describes a company whose regular product and service offerings continue to decline in market share and revenue. The filing mentions new initiatives ("web services") but lacks specifics and does not go so far as to predict any sort of revenue from those initiatives. SCO's great hope for the future remains SCOsource. In that context, it is interesting to note that the company's "Linux license" is not mentioned in any significant way here. The first public announcement of this license came after the close of the quarter, but it was clearly in the works at that time. If SCO thought it would get any kind of real revenue from this license, it would not have hesitated to say so. Instead, we continue to hear about exactly two companies - Sun and Microsoft - which are keeping SCO on life support and, apparently, intend to continue doing so. Meanwhile, attacks through the courts and the market are making themselves felt; SCO is finding itself fighting an increasingly defensive battle.

Anybody who is considering investing in SCO would be well advised to read this filing in its entirety.

Comments (17 posted)

OSDL hires analyst Stacey Quandt

[This article was contributed by Joe 'Zonker' Brockmeier]

The Open Source Development Labs (OSDL) have been on a bit of a high-profile hiring spree this year. First OSDL managed to sign Linus Torvalds to their roster, then followed quickly with kernel maintainer Andrew Morton. Now OSDL is bringing on open source analyst Stacey Quandt as Principal Analyst.

Quandt has worked for Giga Information Group, where she started Giga's Open Source Research program, and for Forrester after Giga was acquired by Forrester. As an analyst that specializes in open source, Quandt has been widely quoted in the tech press and she has been a longtime proponent of Linux and open source -- even on the desktop, judging by this quote from a June story on Ximian on Newsfactor: "The desktop is Microsoft's last stand for near dominance, which will gradually erode with greater awareness of the maturity of Linux desktop offerings."

Unlike many analysts, Quandt has not been willing to parrot the party line that Microsoft solutions are cheaper. After IDC released a study last year saying that Windows 2000 was more cost-effective, Quandt questioned the numbers cited by IDC according to this article in PC World:

...the acquisition costs for hardware and software that IDC cites are suspect, according to Stacey Quandt, an analyst with Giga Information Group. She said Windows systems would seem to account for more than 10 percent of the total cost due to ongoing licensing fees.

Quandt is also one of the analysts who refused to take SCO's word that Linux contains misappropriated intellectual property at face value. While Laura DiDio of the Yankee Group and several other analysts bought SCO's line, Quandt called for SCO to show its cards, and refused to sign SCO's NDA, calling the offer a publicity stunt.

We wanted to ask Quandt about her new role with OSDL, but she was unavailable to answer questions for this story, as she's on the Linux Lunacy cruise. Nelson Pratt, Director of Marketing, was available. Pratt says that Quandt's job will be working with research firms doing work on Linux:

Our members have consistently cited the lack of extensive Linux ROI, TCO and Migration Cost research as a problem for them. Several existing research companies are starting to address this, and many are interested in having OSDL participate in some way. Stacey's research background makes her the right person to represent OSDL in its work with industry research firms. Original research is also a possibility in the future depending on our members' needs.

The release also notes that Quandt will be principal speaker for OSDL at conferences and tradeshows. Pratt declined to comment on any other Linux luminaries that may be joining OSDL in the near future.

Comments (2 posted)

Page editor: Jonathan Corbet

Security

Security news

A bad week

As a quick perusal of this week's "new vulnerabilities" section will confirm, this has not been a good week for the security of Linux systems. New holes have turned up in KDE, MySQL, OpenSSH (twice), pine, sendmail, XFree86, and more. Almost every Linux system out there will be affected by at least one of these problems.

The OpenSSH and sendmail vulnerabilities are of particular concern. Almost every system of interest runs OpenSSH, and vast portions of the net still run sendmail. Any vulnerability in those programs automatically opens up large numbers of systems to exploitation. These are the sorts of problems that will, someday, be used for the creation of a virulent worm which attacks Linux systems. If we are lucky, no such event will strike us this time around, but let there be no doubt about it: as long as software which is so widely deployed has remotely exploitable holes, we are vulnerable to that sort of mass attack.

Now that the obligatory scary talk is done, let's take a look at the better news here. It is not clear that the bugs in either OpenSSH or sendmail are exploitable in any large-scale way. Even if they are, once again the problems have been found first by the good guys and fixes have been made quickly available by the Linux distributors. The patches being released are small and relatively non-disruptive; administrators can apply them quickly and with confidence. So most systems will be patched in a relatively short period of time. These vulnerabilities were a scary warning, but it does not appear that there will be any great consequences this time around.

Nonetheless, this episode is a warning. Our security, while arguably better than that of the competition, is nowhere near good enough. We are still encountering bugs in crucial, highly-audited code; one can only imagine what lurks in programs which get less attention. And the network environment we are creating is still too monocultural. The network as a whole will be safer when there are multiple, interoperable programs capable of performing the basic infrastructural tasks.

Comments (11 posted)

New vulnerabilities

KDE: Two issues in KDM

Package(s):kde, xfree86 CVE #(s):CAN-2003-0690 CAN-2003-0692
Created:September 16, 2003 Updated:December 19, 2003
Description: According to this advisory two issues have been discovered in KDM:
  • CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
  • CAN-2003-0692: Session cookies generated by KDM are potentially insecure
All versions of KDM as distributed with KDE up to and including KDE 3.1.3 are affected.
Alerts:
Mandrake MDKSA-2003:118 2003-12-19
Gentoo 200311-01 2003-11-15
Debian DSA-388-1 2003-09-19
Conectiva CLA-2003:747 2003-09-19
Mandrake MDKSA-2003:091 2003-09-16
Red Hat RHSA-2003:269-01 2003-09-16

Comments (none posted)

mysql: arbitrary code execution

Package(s):mysql CVE #(s):CAN-2003-0780
Created:September 15, 2003 Updated:October 9, 2003
Description: Frank Denis reported a vulnerability in MySQL affecting MySQL3 versions 3.0.57 and earlier and MySQL4 versions 4.0.14 and earlier. Passwords of MySQL users are stored in the "Password" field of the "User" table, part of the "mysql" database. The passwords are hashed and stored as a 16 characters long hexadecimal value. Unfortunately, a function involved in password checking misses correct bounds checking. By filling a "Password" field a value wider than 16 characters, a buffer overflow will occur. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0780 to the problem.
Alerts:
Red Hat RHSA-2003:281-01 2003-10-09
SuSE SuSE-SA:2003:042 2003-10-01
Mandrake MDKSA-2003:094 2003-09-18
Conectiva CLA-2003:743 2003-09-18
EnGarde ESA-20030918-025 2003-09-18
Trustix 2003-0034 2003-09-17
Gentoo 200309-08 2003-09-15
OpenPKG OpenPKG-SA-2003.038 2003-09-15
Debian DSA-381-1 2003-09-13

Comments (none posted)

OpenSSH: buffer management error

Package(s):OpenSSH CVE #(s):CAN-2003-0693
Created:September 16, 2003 Updated:September 30, 2003
Description: All versions of OpenSSH's sshd prior to 3.7.1 contain a buffer management error. It is uncertain whether these errors are exploitable. Note that most distributors have issued two updates, since the first fix was found to be incomplete. See the second advisory for details.

CAN-2003-0693

Alerts:
SCO Group CSSA-2003-027.0 2003-10-02
Debian DSA-383-2 2003-09-21
Debian DSA-382-3 2003-09-21
SuSE SuSE-SA:2003:039 2003-09-18
EnGarde ESA-20030918-024 2003-09-18
Yellow Dog YDU-20030917-1 2003-09-17
Conectiva CLA-2003:741 2003-09-17
Debian DSA-383-1 2003-09-17
Sorcerer SORCERER2003-09-17 2003-09-17
Slackware SSA:2003-260-01 2003-09-17
Red Hat RHSA-2003:279-02 2003-09-17
Mandrake MDKSA-2003:090-1 2003-09-17
Trustix 2003-0033 2003-09-17
OpenPKG OpenPKG-SA-2003.040 2003-09-17
Immunix IMNX-2003-7+-020-02 2003-09-16
Gentoo 200309-12 2003-09-16
Debian DSA-382-2 2003-09-17
SuSE SuSE-SA:2003:038 2003-09-16
Slackware SSA:2003-259-01 2003-09-16
Mandrake MDKSA-2003:090 2003-09-16
Immunix IMNX-2003-7+-020-01 2003-09-16
Debian DSA-382-1 2003-09-16
Red Hat RHSA-2003:279-01 2003-09-16
EnGarde ESA-20030916-023 2003-09-16
Conectiva CLA-2003:739 2003-09-16

Comments (none posted)

pine: remote exploits

Package(s):pine CVE #(s):CAN-2003-0720 CAN-2003-0721
Created:September 11, 2003 Updated:September 17, 2003
Description: Pine, developed at the University of Washington, is a tool for reading, sending, and managing electronic messages (including mail and news).

A buffer overflow exists in the way unpatched versions of Pine prior to 4.57 handle the 'message/external-body' type. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0720 to this issue.

An integer overflow exists in the Pine MIME header parsing in versions prior to 4.57. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0721 to this issue.

Both of these flaws could be exploited by a remote attacker sending a carefully crafted email to the victim that will execute arbitrary code when the email is opened using Pine.

Alerts:
Gentoo 200309-10 2003-09-16
Conectiva CLA-2003:738 2003-09-12
Slackware SSA:2003-253-01 2003-09-10
EnGarde ESA-20030911-022 2003-09-11
SuSE SuSE-SA:2003:037 2003-09-11
Red Hat RHSA-2003:273-01 2003-09-11

Comments (1 posted)

sane-backends: several vulnerabilities

Package(s):sane-backends CVE #(s):CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778
Created:September 11, 2003 Updated:February 20, 2004
Description: Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segfault fault and/or consume arbitrary amounts of memory. The attack is successful, even if the attacker's computer isn't listed in saned.conf.

You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe.

Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the remote host is not allowed to scan (not listed in saned.conf).
  • CAN-2003-0774: saned lacks error checking nearly everywhere in the code. So connection drops are detected very late. If the drop of the connection isn't detected, the access to the internal wire buffer leaves the limits of the allocated memory. So random memory "after" the wire buffer is read which will be followed by a segmentation fault.
  • CAN-2003-0775: If saned expects strings, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that size and the amount of memory available either malloc fails (->saned quits nicely) or a huge amount of memory is allocated. Swapping and OOM measures may occur depending on the kernel.
  • CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before getting the parameters.
  • CAN-2003-0777: If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur.
  • CAN-2003-0778: It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this can not easily be fixed according to the author. Better limit the total amount of memory saned may use (ulimit).
Alerts:
SCO Group CSSA-2004-005.0 2004-02-19
SuSE SuSE-SA:2003:046 2003-11-18
Conectiva CLA-2003:769 2003-10-22
Mandrake MDKSA-2003:099 2003-10-09
Red Hat RHSA-2003:278-01 2003-10-07
Debian DSA-379-1 2003-09-11

Comments (none posted)

sendmail: remotely exploitable buffer overflow

Package(s):sendmail CVE #(s):CAN-2003-0694 CAN-2003-0681
Created:September 17, 2003 Updated:November 18, 2003
Description: Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix.
Alerts:
SCO Group CSSA-2003-036.0 2003-11-17
SuSE SuSE-SA:2003:040 2003-09-20
OpenPKG OpenPKG-SA-2003.041 2003-09-19
Conectiva CLA-2003:742 2003-09-18
Yellow Dog YDU-20030917-2 2003-09-17
Immunix IMNX-2003-7+-021-01 2003-09-17
Mandrake MDKSA-2003:092 2003-09-17
Debian DSA-384-1 2003-09-17
Red Hat RHSA-2003:283-01 2003-09-17
Slackware SSA:2003-260-02 2003-09-17
Gentoo 200309-13 2003-09-17

Comments (none posted)

XFree86 4.3.0 integer overflows in font libraries

Package(s):XFree86 CVE #(s):CAN-2003-0730
Created:September 12, 2003 Updated:November 25, 2003
Description: Several vulnerabilities were discovered by blexim(at)hush.com in the font libraries of XFree86 version 4.3.0 and earlier. These bugs could potentially lead to execution of arbitrary code or a DoS by a remote user in any way that calls these functions, which are related to the transfer and enumeration of fonts from font servers to clients. See the advisory for additional details.
Alerts:
Red Hat RHSA-2003:286-01 2003-11-25
Red Hat RHSA-2003:287-01 2003-11-25
Red Hat RHSA-2003:288-01 2003-11-17
Debian DSA-380-1 2003-09-12
Mandrake MDKSA-2003:089 2003-09-11

Comments (none posted)

Updated vulnerabilities

2.4 kernel - several vulnerabilities

Package(s):2.4 kernel CVE #(s):CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created:July 21, 2003 Updated:December 23, 2003
Description: Several security issues have been discovered affecting the Linux kernel:
  • CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

  • CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

  • CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that his could allow normal users to bind to UDP ports used for services such as nfsd.

  • CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

  • CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

  • CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.

  • CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

  • CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
Alerts:
Red Hat RHSA-2003:408-00 2003-12-19
Gentoo 200308-01 2003-08-14
Debian DSA-358-4 2003-08-13
SuSE SuSE-SA:2003:034 2003-08-12
Debian DSA-358-2 2003-08-05
Debian DSA-358-3 2003-08-04
Debian DSA-358-1 2003-07-31
EnGarde ESA-20032407-018 2003-07-24
Red Hat RHSA-2003:238-01 2003-07-21

Comments (none posted)

apache: multiple vulnerabilities in Apache HTTP server

Package(s):apache CVE #(s):CAN-2003-0192 CAN-2003-0253 CAN-2003-0254
Created:July 11, 2003 Updated:September 22, 2003
Description: The Apache Software Foundation and the Apache HTTP Server Project have announced the release of the Apache HTTP Server 2.0.47. This release fixes four security vulnerabilities:
  • Certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. [CAN-2003-0192]

  • Certain errors returned by accept() on rarely accessed ports could cause temporal denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]

  • Denial of service was caused when target host is IPv6 but ftp proxy server can't create IPv6 socket. [CAN-2003-0254]

  • The server would crash when going into an infinite loop due to too many subsequent internal redirects and nested subrequests. [VU#379828]
Alerts:
Red Hat RHSA-2003:243-01 2003-09-22
Red Hat RHSA-2003:240-01 2003-09-04
Mandrake MDKSA-2003:075-1 2003-08-28
Mandrake MDKSA-2003:075 2003-07-21
Conectiva CLA-2003:698 2003-07-21
Trustix 2003-0025 2003-07-11

Comments (none posted)

autorespond: buffer overflow

Package(s):autorespond CVE #(s):CAN-2003-0654
Created:August 18, 2003 Updated:September 30, 2003
Description: Christian Jaeger discovered a buffer overflow in autorespond, an email autoresponder used with qmail. This vulnerability could potentially be exploited by a remote attacker to gain the privileges of a user who has configured qmail to forward messages to autorespond. This vulnerability is currently not believed to be exploitable due to incidental limits on the length of the problematic input, but there may be situations in which these limits do not apply.

CAN-2003-0654

Alerts:
Debian DSA-373-1 2003-08-16

Comments (none posted)

bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:September 30, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
SCO Group CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04

Comments (1 posted)

Canna server: exploitable buffer overrun

Package(s):canna CVE #(s):CAN-2002-1158 CAN-2002-1159
Created:December 10, 2002 Updated:September 30, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

CAN-2002-1158
CAN-2002-1159

Alerts:
SCO Group CSSA-2003-005.0 2003-01-21
Debian DSA-224-1 2002-01-08
Gentoo 200212-8 2002-12-20
Red Hat RHSA-2002:246-18 2002-12-04

Comments (none posted)

eroaster: insecure temporary file

Package(s):eroaster CVE #(s):CAN-2003-0656
Created:August 19, 2003 Updated:September 30, 2003
Description: A vulnerability was discovered in eroaster where it does not take any security precautions when creating a temporary file for the lockfile. This vulnerability could be exploited to overwrite arbitrary files with the privileges of the user running eroaster.

CAN-2003-0656

Alerts:
Gentoo 200309-04 2003-09-02
Mandrake MDKSA-2003:083 2003-08-19
Debian DSA-366-1 2003-08-05

Comments (none posted)

ethereal: security problems in Ethereal 0.9.12

Package(s):ethereal CVE #(s):CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432
Created:June 23, 2003 Updated:November 10, 2003
Description: Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Alerts:
SCO Group CSSA-2003-030.0 2003-11-07
Yellow Dog YDU-20030718-2 2003-07-18
Red Hat RHSA-2003:203-01 2003-07-03
Gentoo 200306-13 2003-06-25
Conectiva CLA-2003:662 2003-06-25
Mandrake MDKSA-2003:070 2003-06-23

Comments (none posted)

exim: buffer overflows

Package(s):exim exim-tls CVE #(s):CAN-2003-0743
Created:September 4, 2003 Updated:September 30, 2003
Description: A buffer overflow exists in exim, which is the standard mail transport agent in Debian. By supplying a specially crafted HELO or EHLO command, an attacker could cause a constant string to be written past the end of a buffer allocated on the heap. This vulnerability is not believed at this time to be exploitable to execute arbitrary code.

CAN-2003-0743

Alerts:
Gentoo 200309-09 2003-09-15
Debian DSA-376-2 2003-09-07
Conectiva CLA-2003:735 2003-09-05
Debian DSA-376-1 2003-09-04

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

fdclone: insecure temporary directory

Package(s):fdclone CVE #(s):CAN-2003-0596
Created:July 23, 2003 Updated:September 30, 2003
Description: fdclone creates a temporary directory in /tmp as a workspace. However, if this directory already exists, the existing directory is used instead, regardless of its ownership or permissions. This would allow an attacker to gain access to fdclone's temporary files and their contents, or replace them with other files under the attacker's control.

CAN-2003-0596

Alerts:
Debian DSA-352-1 2003-07-22

Comments (none posted)

fetchmail: buffer overflow

Package(s):fetchmail CVE #(s):CAN-2002-1365
Created:December 17, 2002 Updated:October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Immunix IMNX-2003-7+-023-01 2003-10-17
Mandrake MDKSA-2003:011 2003-01-27
EnGarde ESA-20030127-002 2003-01-27
SCO Group CSSA-2003-001.0 2003-01-09
SuSE SuSE-SA:2003:001 2003-01-02
Debian DSA-216-1 2002-12-24
Red Hat RHSA-2002:293-09 2002-12-17
Conectiva CLA-2002:554 2002-12-16

Comments (3 posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)

gnupg: key validation

Package(s):gnupg CVE #(s):CAN-2003-0255
Created:May 15, 2003 Updated:November 17, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more then one user ID to trust all user ID's with the amount of trust given to the most-valid user ID.
Alerts:
SCO Group CSSA-2003-034.0 2003-11-17
Conectiva CLA-2003:694 2003-07-11
Yellow Dog YDU-20030602-4 2003-06-02
Mandrake MDKSA-2003:061 2003-05-22
Slackware ssa:2003-141-04 2003-05-22
Red Hat RHSA-2003:175-01 2003-05-20
Gentoo 200305-04 2003-05-16
OpenPKG OpenPKG-SA-2003.029 2003-05-16
EnGarde ESA-20030515-016 2003-05-15

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

inetd: DoS attack

Package(s):inetd CVE #(s):
Created:September 8, 2003 Updated:September 10, 2003
Description: inetd has a hard-coded limit of 256 connections-per-minute, after which the given service is disabled for ten minutes. An attacker could use a quick burst of connections every ten minutes to effectively disable a service.

Once upon a time, this was an intentional feature of inetd, but in today's world it has become a bug. Even having inetd look at the source IP and try to limit only the source of the attack would be problematic since TCP source addresses are so easily faked.

Alerts:
Slackware SSA:2003-251-01 2003-09-08

Comments (3 posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpam-smb: exploitable buffer overflow

Package(s):libpam-smb, pam-smb CVE #(s):CAN-2003-0686
Created:August 26, 2003 Updated:September 30, 2003
Description: libpam-smb is a PAM authentication module which makes it possible to authenticate users against a password database managed by Samba or a Microsoft Windows server. If a long password is supplied, this can cause a buffer overflow which could be exploited to execute arbitrary code with the privileges of the process which invokes PAM services. See this advisory for more information.

CAN-2003-0686

Alerts:
Conectiva CLA-2003:734 2003-09-05
SuSE SuSE-SA:2003:036 2003-09-03
Gentoo 200309-01 2003-09-01
Red Hat RHSA-2003:261-01 2003-08-26
Debian DSA-374-1 2003-08-26

Comments (1 posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s):lynx CVE #(s):CAN-2002-1405
Created:November 19, 2002 Updated:September 30, 2003
Description: If lynx is given a url with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.

CAN-2002-1405

Alerts:
Conectiva CLA-2003:720 2003-08-11
Mandrake MDKSA-2003:023 2003-02-24
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Red Hat RHSA-2003:029-06 2003-02-12
Trustix 2002-0085 2002-12-19
Debian DSA-210-1 2002-12-13
SCO Group CSSA-2002-049.0 2002-11-18

Comments (none posted)

mah-jong: buffer overflows, denial of service

Package(s):mah-jong CVE #(s):CAN-2003-0705 CAN-2003-0706
Created:September 8, 2003 Updated:September 10, 2003
Description: Nicolas Boullis discovered two vulnerabilities in mah-jong, a network-enabled game.

CAN-2003-0705 (buffer overflow): This vulnerability could be exploited by a remote attacker to execute arbitrary code with the privileges of the user running the mah-jong server.

CAN-2003-0706 (denial of service): This vulnerability could be exploited by a remote attacker to cause the mah-jong server to enter a tight loop and stop responding to commands.

Alerts:
Debian DSA-378-1 2003-09-07

Comments (none posted)

perl-MailTools: remote command execution

Package(s):MailTools CVE #(s):CAN-2002-1271
Created:November 5, 2002 Updated:September 19, 2003
Description: The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body.

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

Alerts:
Debian DSA-386-1 2003-09-18
Gentoo 200302-01 2003-02-02
Mandrake MDKSA-2002:076 2002-11-07
Gentoo 200211-001 2002-11-06
SuSE SuSE-SA:2002:041 2002-11-05

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mindi: insecure file creations

Package(s):mindi CVE #(s):CAN-2003-0617
Created:September 2, 2003 Updated:September 30, 2003
Description: Mindi versions prior to 0.86 creates files in /tmp which could allow local user to overwrite arbitrary files.

CAN-2003-0617

Alerts:
Gentoo 200309-05 2003-09-02
Debian DSA-362-1 2003-08-02

Comments (none posted)

mpg123 - buffer overflow

Package(s):mpg123 CVE #(s):CAN-2003-0577
Created:July 16, 2003 Updated:September 30, 2003
Description: The mpg123 utility contains a buffer overflow vulnerability which can allow an attacker to execute arbitrary code by way of a malicious MP3 file.
Alerts:
Gentoo 200309-17 2003-09-30
Mandrake MDKSA-2003:078 2003-07-23
Conectiva CLA-2003:695 2003-07-15

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netris: buffer overflow

Package(s):netris CVE #(s):CAN-2003-0685
Created:August 18, 2003 Updated:September 30, 2003
Description: Shaun Colley discovered a buffer overflow vulnerability in netris, a network version of a popular puzzle game. A netris client connecting to an untrusted netris server could be sent an unusually long data packet, which would be copied into a fixed-length buffer without bounds checking. This vulnerability could be exploited to gain the priviliges of the user running netris in client mode, if they connect to a hostile netris server.

CAN-2003-0685

Alerts:
Debian DSA-372-1 2003-08-16

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Conectiva CLA-2003:778 2003-11-07
Red Hat RHSA-2002:228-11 2002-12-17

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: Linux NFS utils package contains remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending specially crafted request to rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Trustix TSLSA-2004-0009 2004-03-05
SCO Group CSSA-2003-037.0 2003-11-17
Conectiva CLA-2003:700 2003-07-22
Mandrake MDKSA-2003:076 2003-07-21
Gentoo 200307-07 2003-07-19
Yellow Dog YDU-20030718-1 2003-07-18
Slackware SSA:2003-195-01b 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Slackware SSA:2003-195-01 2003-07-14
Debian DSA-349-1 2003-07-14
Red Hat RHSA-2003:206-01 2003-07-14

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

pam-pgsql: format string vulnerability

Package(s):pam-pgsql CVE #(s):CAN-2003-0672
Created:August 11, 2003 Updated:September 30, 2003
Description: Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the username to be used for authentication is used as a format string when writing a log message. This vulnerability may allow an attacker to execute arbitrary code with the privileges of the program requesting PAM authentication.

CAN-2003-0672

Alerts:
Debian DSA-370-1 2003-08-08

Comments (none posted)

perl: cross site scripting vulnerability in CGI.pm module

Package(s):perl CVE #(s):CAN-2003-0615
Created:July 29, 2003 Updated:September 30, 2003
Description: obscure@eyeonsecurity.org reported a cross site scripting vulnerability in the CGI.pm perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package.

CAN-2003-0615

Alerts:
Red Hat RHSA-2003:256-02 2003-10-03
Red Hat RHSA-2003:256-01 2003-09-22
OpenPKG OpenPKG-SA-2003.039 2003-09-15
Mandrake MDKSA-2003:084 2003-08-20
Debian DSA-371-1 2003-08-11
OpenPKG OpenPKG-SA-2003.036 2003-08-06
Conectiva CLA-2003:713 2003-07-29

Comments (none posted)

PHP: vulnerability in mail function

Package(s):php CVE #(s):CAN-2002-0985 CAN-2002-0986
Created:November 13, 2002 Updated:September 30, 2003
Description: Two vulnerabilities exists in the mail() PHP function. The first one allows the execution of any program/script bypassing safe_mode restriction, the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.

CAN-2002-0985
CAN-2002-0986

Alerts:
SCO Group CSSA-2003-008.0 2003-03-04
Gentoo 200211-005 2002-11-20
EnGarde ESA-20021122-031 2002-11-22
Conectiva CLA-2002:545 2002-11-13
Red Hat RHSA-2002:213-06 2002-11-11

Comments (none posted)

phpgroupware - cross-site scripting and other exploits

Package(s):phpgroupware CVE #(s):CAN-2003-0504 CAN-2003-0582
Created:July 16, 2003 Updated:September 30, 2003
Description: Several vulnerabilities were discovered in all versions of phpgroupware prior to 0.9.14.006. This latest version fixes an exploitable condition in all versions that can be exploited remotely without authentication and can lead to arbitrary code execution on the web server. This vulnerability is being actively exploited.

Version 0.9.14.005 fixed several other vulnerabilities including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies.

See this Security Corportation report for more information.

CAN-2003-0504
CAN-2003-0582

Alerts:
Debian DSA-365-1 2003-08-05
Conectiva CLA-2003:703 2003-07-23
Mandrake MDKSA-2003:077 2003-07-23
Conectiva CLA-2003:697 2003-07-16

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):postgresql CVE #(s):
Created:February 12, 2003 Updated:November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Debian DSA-397-1 2003-11-07
Immunix IMNX-2003-7+-005-01 2003-04-08
Trustix 2003-0004 2003-02-20
Mandrake MDKSA-2002:062-1 2003-02-11

Comments (1 posted)

Local arbitrary code execution vulnerability in Python

Package(s):python CVE #(s):CAN-2002-1119
Created:August 28, 2002 Updated:September 30, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.

CAN-2002-1119

Alerts:
Red Hat RHSA-2002:202-33 2003-02-12
OpenPKG OpenPKG-SA-2003.006 2003-01-23
Red Hat RHSA-2002:202-25 2003-01-21
Mandrake MDKSA-2002:082-1 2002-12-09
Mandrake MDKSA-2002:082 2002-11-25
SCO Group CSSA-2002-045.0 2002-11-14
Trustix 2002-0073 2002-10-17
Gentoo python-20021003 2002-10-03
Conectiva CLA-2002:527 2002-10-01
Debian