Whose Internet is it?
Verisign is, of course, the company that once had a monopoly in the
registration of .com and .net domain names. That monopoly has been broken,
but Verisign is still the maintainer of the underlying database. This job
is a nice cash cow for Verisign; all it needs to do is keep the database
running, and it can extract an annual rent from every .com and .net domain
out there. Many people would be happy with such a business.
Verisign, it would seem, wants more than that. So, at the beginning of
this week, the company slipped a little "wild card" entry into the
databases for .com and .net. The wild card entry
provides an answer for any domain query that does not otherwise appear in
the database; it is a default answer which now appears instead of the "no
such domain" response that came before.
What does this wild card do? If you look up something that doesn't exist,
say "scolinuxlicense.com", you'll get back an IP address (currently
64.94.110.11). If you send mail to that address, you get the world's
stupidest SMTP server (if you're bored, try a command like "telnet
bogusverisignhost.net smtp" and type five lines of random junk at it).
Web queries, however, go to the company's "sitefinder" service. There, the
user is confronted with a search engine and paid links aimed to help said
user find what they were really after. Note that, according to the terms of use:
The information provided through the VeriSign Services is not
necessarily complete and may be supplied by VeriSign's commericial
[sic] licensors, advertisers or others.
In other words, it's really just another low-class domain hijacking scam.
In this case, however, there is more to it. Verisign has, by making this
change, fundamentally altered the way the Internet operates. A whole class
of diagnostic information - the NXDOMAIN response that tells a resolver a
given lookup has failed - no longer comes back from the .com and .net
zones; every unregistered name under them now resolves to Verisign's
server. This change was not discussed with any of the affected users or
other responsible parties; it was simply done. Verisign may have lost its
monopoly on front-line domain name registration, but it still seems to
think it owns the underlying domains.
The change has had real consequences. For example, spam filtering which
relies on domain name existence tests no longer works. Bouncing spam with
fake return addresses now has to go through a discussion with Sitefinder's
SMTP server. The change is a generally bad idea; to have simply made such
a change without so much as a "by your leave" is an act of great arrogance.
The internet, however, is built on free software. There is already a patch
available from ISC for BIND 9 which defeats the new wildcard entries.
Linux users can find a program on this page which
uses netfilter to fix Sitefinder replies; that page also has pointers to
patches for a number of DNS servers and mail transfer agents. Verisign may
or may not decide to back down on this "service," but, since we own the
infrastructure of our net, we can fix the problem regardless - this time,
at least. Verisign's next move may not be so easy to counter.
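The fixes mentioned above all work the same way: they recognize a reply that points at the wildcard address and turn it back into the NXDOMAIN the resolver would have received a week ago. As an added illustration (this is not the ISC patch or the netfilter program linked above, and the only fact it takes from the article is the 64.94.110.11 address), here is that logic in Python, operating on raw DNS wire-format replies. The sample replies are constructed by the script rather than captured from the net.

```python
"""Detect and neutralise wildcard ("Sitefinder") answers in raw DNS replies."""
import struct

# Address the article reports the .com/.net wildcard resolving to at the time.
SITEFINDER_ADDRS = {"64.94.110.11"}
RCODE_NXDOMAIN = 3
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data, off):
    """Return (name, offset just past the name), following RFC 1035 compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                  # pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(data):
    """Parse header, question and resource-record sections of a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        questions.append((name,) + struct.unpack("!HH", data[off:off + 4]))
        off += 4
    for _ in range(an + ns + ar):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        records.append((name, rtype, rclass, ttl, data[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "flags": flags, "rcode": flags & 0xF,
            "questions": questions, "answers": records[:an]}


def a_records(parsed):
    """Dotted-quad strings of every IN A record in the answer section."""
    return [".".join(str(b) for b in rdata)
            for _, rtype, rclass, _, rdata in parsed["answers"]
            if rtype == TYPE_A and rclass == CLASS_IN and len(rdata) == 4]


def is_wildcard_answer(data, sinkholes=SITEFINDER_ADDRS):
    """True if any A record in the reply points at a known wildcard sinkhole address."""
    return any(ip in sinkholes for ip in a_records(parse_response(data)))


def rewrite_to_nxdomain(data, sinkholes=SITEFINDER_ADDRS):
    """Turn a wildcard hit back into the NXDOMAIN the resolver used to receive."""
    if not is_wildcard_answer(data, sinkholes):
        return data
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", data[:12])
    flags = (flags & 0x8180) | RCODE_NXDOMAIN      # keep QR/RD/RA, drop AA, rcode 3
    off = 12
    for _ in range(qd):                            # keep only the question section
        _, off = decode_name(data, off)
        off += 4
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0) + data[12:off]


def domain_exists(data):
    """Existence test of the kind a spam filter performs; a wildcard hit counts as nonexistent."""
    parsed = parse_response(rewrite_to_nxdomain(data))
    return parsed["rcode"] == 0 and bool(a_records(parsed))


def build_response(qname, addrs, txid=0x1234):
    """Constructed sample reply (not a capture) answering qname with the given A records."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 900, 4)
                       + bytes(int(o) for o in ip.split(".")) for ip in addrs)
    return header + question + answers


if __name__ == "__main__":
    bogus = build_response("scolinuxlicense.com", ["64.94.110.11"])
    print(is_wildcard_answer(bogus), domain_exists(bogus),
          parse_response(rewrite_to_nxdomain(bogus))["rcode"])
```

A filter like this is only as good as its sinkhole list. The more general probe is to resolve a random, certainly-unregistered label under the zone and treat any answer at all as evidence of a wildcard, then add whatever address comes back to the set; the BIND and netfilter fixes linked above make the same trade-off between a hard-coded address and a zone-level rule.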
SCO's quarterly filing
SCO's quarterly 10Q filing is now available. These filings can often give
some insight into the internals of a company. Since SCO's actions are,
currently, somewhat relevant to the Linux community, this filing is worth a
look.
What follows is our summary of the current quarterly state of SCO.
The company claims a profitable quarter, of course. Total revenue is
reported at $20 million, of which $11 million came from products,
$2 million from services, and $7 million from SCOsource. As a
result of this revenue, the company's claimed assets have gone from
$21 million at the beginning of the fiscal year (October, 2002) to
$26 million now; of that, almost $15 million is cash in the
bank. $15 million is also, of course, what the company has received
in licensing revenue from Microsoft and Sun this year.
The company has spent almost $4 million ($1.7 million in the quarter) on
SCOsource. This figure includes internal SCOsource staff along with
external legal fees. Most other expenditures are in decline; the company
spent 31% less in research and development than it did last year.
SCO laid off 35 employees - about 10% of its staff - over the quarter. It
also shut down SCO Group Ltd., a subsidiary in the UK.
Litigation
Not surprisingly, ongoing litigation is an important topic in this filing.
It mentions the Red Hat suit, stating:
On or about September 15, 2003, the Company filed a motion to
dismiss the Red Hat complaint. The motion to dismiss asserts that
Red Hat lacks standing and that no case or controversy exists with
respect to the claims seeking a declaratory judgment of
non-infringement. The motion to dismiss further asserts that Red
Hat's claims under the Lanham Act and related state laws are barred
by the First Amendment to the U.S. Constitution and the common law
privilege of judicial immunity.
It is interesting to hear that "no case or controversy exists" with Red
Hat; SCO may well be restricting its options with regard to the creation
of future cases against Red Hat. The First Amendment defense is also
interesting; the First Amendment rights of companies in the U.S. are
currently a topic of much debate - and of an ongoing Supreme Court case.
Things are happening in other parts of the world:
The Australian Competition and Consumer Commission (the "ACCC") has
contacted the Company and requested information regarding
complaints it has received regarding the Company's intellectual
property claims and the Company's statements regarding the need for
commercial Linux users to obtain a UNIX license. [...]
Several entities in Germany have obtained temporary restraining
orders in Germany precluding SCO GmbH, the Company's
German subsidiary, in substance, from making statements in Germany
that disparage Linux, or entities involved in the Linux business,
or implicate Linux as infringing the Company's
intellectual property rights. SCO GmbH has received an
administrative fine of 10,000 Euro for a technical violation of one
of the temporary restraining orders. [...]
Informal letter complaints similar to those raised in Germany have
been received from companies in Austria and Poland. [...]
Pursuit and defense of the above-mentioned matters will be costly,
and management expects the costs for legal fees and related
expenses may be substantial. The ultimate outcome or potential
effect of the Company's results of operations or
financial position as a result of the above-mentioned matters is
not currently known or determinable.
The end result is that the limited countermeasures taken against the
company so far are being felt. The "risk factors" section of the filing
also has this statement:
We are informed that participants in the Linux industry have
attempted to influence participants in the markets in which we sell
our products to reduce or eliminate the amount of our products and
services that they purchase. They have been somewhat successful in
those efforts and will likely continue.
In other words, SCO is discovering the costs involved in angering its
customers.
Sun and Microsoft
Of course, SCO's customer base is shifting; a large part of its revenue
comes from exactly two companies: Sun Microsystems and Microsoft.
SCO's previous quarterly filing had noted that the "second SCOsource
licensee" (being Sun Microsystems) had received, as part of its deal, a
warrant allowing it to buy 210,000 shares of SCO stock at $1.83 each.
Subsequently, a second warrant for 12,500 shares has been issued to Sun, at
the same $1.83 price. There is still no explanation of why SCO stock is
being issued to Sun. Most software licensing agreements do not include
this sort of equity component.
Sun, which was responsible for 12% of SCO's revenue over the quarter, still
owes $2.5 million on its licensing deal. That money is to be paid by
the end of November.
Microsoft contributed 25% of SCO's revenue over the quarter. "On
July 31, 2003, Microsoft exercised an option to acquire expanded licensing
rights. Upon delivery, we expect to recognize additional revenue related
to this option." There is no further discussion of what these
"expanded licensing rights" are, or what Microsoft is paying for said
rights. Chances are, however, that this is the "Fortune 500" customer for
SCO's "Linux license" that we heard about in early August.
Vultus and Vista
The quarterly filing gives a few details with regard to SCO's dealings with
a couple of other Canopy-funded companies. In June, SCO acquired Vultus,
Inc., which is a web services business. The purchase itself required the
issuance of 167,590 shares of SCO stock, of which almost 37,000 went to
Canopy. But Vultus also owed Canopy a little over $1 million, so
another 138,000 shares of stock (worth over $2.5 million now) went in
Canopy's direction to take care of that little problem. This deal is a
significant transfer of resources from SCO to Canopy; the benefit to SCO
remains unclear, however.
We've previously looked at SCO's dealings with Vista, which included the
acquisition of $1 million of that company's debt in exchange for 800,000
shares of SCO stock, now worth many times that amount. SCO has also fed
Vista $200,000 in other financing. The current state of that debt?
As of July 31, 2003, the $1,000,000 convertible note receivable
discussed above as well as both $100,000 notes receivable were
outstanding and in technical default; however, the Company had not
demanded repayment. No allowance for the past due notes receivable
was recorded as of July 31, 2003 since the Company and Vista
continue to work together under the license agreement discussed
above and the Company is evaluating its option to convert the notes
receivable to equity in Vista.
Vista is fortunate to have such an understanding creditor.
Summary
This filing describes a company whose regular product and service offerings
continue to decline in market share and revenue. The filing mentions new
initiatives ("web services") but lacks specifics and does not go so far as
to predict any sort of revenue from those initiatives. SCO's great hope
for the future remains SCOsource. In that context, it is interesting to
note that the
company's "Linux license" is not mentioned in any significant way here.
The first public announcement of this license came after the close of the
quarter, but it was clearly in the works at that time. If SCO thought it
would get any kind of real revenue from this license, it would not have
hesitated to say so. Instead, we continue to hear about exactly two
companies - Sun and Microsoft - which are keeping SCO on life support and,
apparently, intend to continue doing so. Meanwhile, attacks through the
courts and the market are making themselves felt; SCO is finding itself
fighting an increasingly defensive battle.
Anybody who is considering investing in SCO would be well advised to read
this filing in its entirety.
OSDL hires analyst Stacey Quandt
[This article was contributed by Joe 'Zonker' Brockmeier]
The Open Source Development Labs (OSDL) have been on a bit of a
high-profile hiring spree this year. First OSDL managed to sign Linus
Torvalds to their roster, then followed quickly with kernel maintainer
Andrew Morton. Now OSDL is bringing on open source analyst Stacey Quandt
as Principal Analyst.
Quandt has worked for Giga Information Group, where she started Giga's
Open Source Research program, and for Forrester after Giga was acquired
by Forrester. As an analyst that specializes in open source, Quandt has
been widely quoted in the tech press and she has been a longtime
proponent of Linux and open source -- even on the desktop, judging by
this quote from a June story on Ximian on Newsfactor:
"The desktop is Microsoft's last stand for near dominance, which will
gradually erode with greater awareness of the maturity of Linux desktop
offerings."
Unlike many analysts, Quandt has not been willing to parrot the party
line that Microsoft solutions are cheaper. After IDC released a study
last year saying that Windows 2000 was more cost-effective, Quandt
questioned the numbers cited by IDC according to this
article in PC World:
...the acquisition costs for hardware and software that IDC cites are
suspect, according to Stacey Quandt, an analyst with Giga Information
Group. She said Windows systems would seem to account for more than 10
percent of the total cost due to ongoing licensing fees.
Quandt is also one of the analysts who refused to take SCO's word that
Linux contains misappropriated intellectual property at face value.
While Laura DiDio of the
Yankee Group and several other analysts bought SCO's line, Quandt
called for SCO to show its cards, and
refused to sign SCO's NDA, calling the offer a publicity stunt.
We wanted to ask Quandt about her new role with OSDL, but she was
unavailable to answer questions for this story, as she's on the Linux
Lunacy cruise. Nelson Pratt, Director of Marketing, was available. Pratt
says that Quandt's job will be working with research firms doing work on
Linux:
Our members have consistently cited the lack of extensive Linux ROI, TCO
and Migration Cost research as a problem for them. Several existing
research companies are starting to address this, and many are interested
in having OSDL participate in some way. Stacey's research background
makes her the right person to represent OSDL in its work with industry
research firms. Original research is also a possibility in the future
depending on our members' needs.
The release
also notes that Quandt will be principal speaker for OSDL at conferences
and tradeshows. Pratt declined to comment on any other Linux luminaries
that may be joining OSDL in the near future.
Page editor: Jonathan Corbet
Security
Security news
A bad week
As a quick perusal of this week's "new vulnerabilities" section will
confirm, this has not been a good week for the security of Linux systems.
New holes have turned up in KDE, MySQL, OpenSSH (twice), pine, sendmail,
XFree86, and more. Almost every Linux system out there will be affected by
at least one of these problems.
The OpenSSH and sendmail vulnerabilities are of particular concern. Almost
every system of interest runs OpenSSH, and vast portions of the net still
run sendmail. Any vulnerability in those programs automatically opens up
large numbers of systems to exploitation. These are the sorts of problems
that will, someday, be used for the creation of a virulent worm
which attacks Linux systems. If we are lucky, no such event will strike us
this time around, but let there be no doubt about it: as long as software
which is so widely deployed has remotely exploitable holes, we are
vulnerable to that sort of mass attack.
Now that the obligatory scary talk is done, let's take a look at the better
news here. It is not clear that the bugs in either OpenSSH or sendmail are
exploitable in any large-scale way. Even if they are, once again the problems
have been found first by the good guys and fixes have been made quickly
available by the Linux distributors. The patches being released are small
and relatively non-disruptive; administrators can apply them quickly and
with confidence. So most systems will be patched in a relatively short
period of time. These vulnerabilities were a scary warning, but it does
not appear that there will be any great consequences this time around.
Nonetheless, this episode is a warning. Our security, while arguably
better than that of the competition, is nowhere near good enough. We are
still encountering bugs in crucial, highly-audited code; one can only
imagine what lurks in programs which get less attention. And the network
environment we are creating is still too monocultural. The network as a
whole will be safer when there are multiple, interoperable programs capable
of performing the basic infrastructural tasks.
Comments (11 posted)
New vulnerabilities
KDE: Two issues in KDM
| Package(s): | kde, xfree86 |
| CVE #(s): | CAN-2003-0690, CAN-2003-0692 |
| Created: | September 16, 2003 |
| Updated: | December 19, 2003 |
| Description: |
According to this advisory two issues have
been discovered in KDM:
- CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
- CAN-2003-0692: Session cookies generated by KDM are potentially insecure
All versions of KDM as distributed with KDE up to and including KDE 3.1.3
are affected. |
| Alerts: | |
mysql: arbitrary code execution
| Package(s): | mysql |
| CVE #(s): | CAN-2003-0780 |
| Created: | September 15, 2003 |
| Updated: | October 9, 2003 |
| Description: |
Frank Denis reported a vulnerability in MySQL affecting MySQL 3 versions
3.23.57 and earlier and MySQL 4 versions 4.0.14 and earlier. Passwords of
MySQL users are stored in the "Password" field of the "User" table, part of
the "mysql" database, as a 16-character hexadecimal hash. A function
involved in password checking lacks correct bounds checking: filling a
"Password" field with a value wider than 16 characters causes a buffer
overflow in the server. Exploiting it requires the ability to write to the
mysql.user table, so the bug is mainly a route from an account holding that
privilege to code execution as the user running mysqld. The Common
Vulnerabilities and Exposures (CVE) project assigned the id
CAN-2003-0780 to the problem. |
| Alerts: | |
OpenSSH: buffer management error
| Package(s): | OpenSSH |
| CVE #(s): | CAN-2003-0693 |
| Created: | September 16, 2003 |
| Updated: | September 30, 2003 |
| Description: |
All versions of
OpenSSH's sshd prior to 3.7.1 contain a buffer management error. It is
uncertain whether these errors are exploitable. Note that most distributors have issued two updates, since the first fix was found to be incomplete.
See the second advisory for details.
CAN-2003-0693 |
| Alerts: | |
pine: remote exploits
| Package(s): | pine |
| CVE #(s): | CAN-2003-0720, CAN-2003-0721 |
| Created: | September 11, 2003 |
| Updated: | September 17, 2003 |
| Description: |
Pine, developed at the University of Washington, is a tool for reading,
sending, and managing electronic messages (including mail and news).
A buffer overflow exists in the way unpatched versions of Pine prior to
4.57 handle the 'message/external-body' type. The Common Vulnerabilities
and Exposures project has assigned the name
CAN-2003-0720 to this issue.
An integer overflow exists in the Pine MIME header parsing in versions
prior to 4.57. The Common Vulnerabilities and Exposures project
has assigned the name
CAN-2003-0721 to this issue.
Both of these flaws could be exploited by a remote attacker sending a
carefully crafted email to the victim that will execute arbitrary code when
the email is opened using Pine. |
| Alerts: | |
sane-backends: several vulnerabilities
| Package(s): | sane-backends |
| CVE #(s): | CAN-2003-0773, CAN-2003-0774, CAN-2003-0775, CAN-2003-0776, CAN-2003-0777, CAN-2003-0778 |
| Created: | September 11, 2003 |
| Updated: | February 20, 2004 |
| Description: |
Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the sane-backends package, which contains
an API library for scanners including a scanning daemon (in the
package libsane) that can be remotely exploited. These problems allow
a remote attacker to cause a segmentation fault and/or consume arbitrary
amounts of memory. The attack is successful even if the attacker's
computer isn't listed in saned.conf.
You are only vulnerable if you actually run saned, e.g. from xinetd or
inetd. If the entries in the configuration file of xinetd or inetd
respectively are commented out or do not exist, you are safe.
Try "telnet localhost 6566" on the server that may run saned. If you
get "connection refused", saned is not running and you are safe.
The Common Vulnerabilities and Exposures project identifies the
following problems:
- CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the remote host is not allowed to scan (not listed in saned.conf).
- CAN-2003-0774: saned lacks error checking nearly everywhere in the code. So connection drops are detected very late. If the drop of the connection isn't detected, the access to the internal wire buffer leaves the limits of the allocated memory. So random memory "after" the wire buffer is read, which will be followed by a segmentation fault.
- CAN-2003-0775: If saned expects strings, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that size and the amount of memory available either malloc fails (saned quits nicely) or a huge amount of memory is allocated. Swapping and OOM measures may occur depending on the kernel.
- CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before getting the parameters.
- CAN-2003-0777: If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur.
- CAN-2003-0778: It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this can not easily be fixed according to the author. Better limit the total amount of memory saned may use (ulimit).
|
| Alerts: | |
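The advisory's own check is to telnet to port 6566 and to look at the inetd and xinetd configuration. The following Python is an added audit helper, not part of sane-backends or of any distribution's advisory, that automates those three checks. The inetd.conf line and xinetd stanza it parses are constructed samples; the service name "sane-port" and the server path /usr/sbin/saned are the conventional ones rather than anything the advisory states.

```python
"""Audit check: is saned exposed on this host (inetd/xinetd config, and is the port listening)?"""
import re
import socket

SANED_PORT = 6566  # the sane-port service saned listens on


def inetd_enables_saned(inetd_conf):
    """Scan inetd.conf text; True if an uncommented line starts saned."""
    for line in inetd_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # inetd.conf format: service socket proto wait user server [args...]
        if fields[0] in ("sane-port", "sane") or (len(fields) > 5 and fields[5].endswith("/saned")):
            return True
    return False


def xinetd_enables_saned(xinetd_text):
    """Scan one or more xinetd service stanzas; True if a saned stanza is not disabled."""
    for m in re.finditer(r"service\s+(\S+)\s*\{(.*?)\}", xinetd_text, re.S):
        attrs = {}
        for line in m.group(2).splitlines():
            line = line.split("#", 1)[0]
            if "=" in line:
                key, value = line.split("=", 1)
                attrs[key.strip()] = value.strip()
        is_saned = m.group(1) in ("sane-port", "sane") or attrs.get("server", "").endswith("/saned")
        if is_saned and attrs.get("disable", "no").lower() != "yes":
            return True
    return False


def saned_port_open(host="127.0.0.1", port=SANED_PORT, timeout=1.0):
    """The 'telnet localhost 6566' test: True if something accepts the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # connection refused, timeout, unreachable
        return False


def selfcheck_probe():
    """Offline exercise of saned_port_open against a throwaway listener on an ephemeral port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = saned_port_open(port=port)
    after_close = saned_port_open(port=port)
    return while_listening, after_close


# Constructed sample configuration fragments (not taken from any real system).
INETD_ENABLED = "sane-port stream tcp nowait saned:saned /usr/sbin/saned saned\n"
INETD_COMMENTED = "# sane-port stream tcp nowait saned:saned /usr/sbin/saned saned\n"
XINETD_DISABLED = """service sane-port
{
    socket_type = stream
    server      = /usr/sbin/saned
    protocol    = tcp
    user        = saned
    wait        = no
    disable     = yes
}
"""
XINETD_ENABLED = XINETD_DISABLED.replace("disable     = yes", "disable     = no")


def audit(inetd_conf, xinetd_text, probe=True):
    """Combine the three checks; 'exposed' is True if any of them says saned is reachable."""
    findings = {
        "inetd": inetd_enables_saned(inetd_conf),
        "xinetd": xinetd_enables_saned(xinetd_text),
        "port_open": saned_port_open() if probe else False,
    }
    findings["exposed"] = any(findings.values())
    return findings


if __name__ == "__main__":
    print(audit(INETD_COMMENTED, XINETD_DISABLED))
```

On a real host, feed audit() the contents of /etc/inetd.conf and of every file under /etc/xinetd.d; a "port_open" result of True with both config checks False means saned (or something else) is listening on 6566 by some other route and deserves a look.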
sendmail: remotely exploitable buffer overflow
| Package(s): | sendmail |
| CVE #(s): | CAN-2003-0694, CAN-2003-0681 |
| Created: | September 17, 2003 |
| Updated: | November 18, 2003 |
| Description: |
Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix. |
| Alerts: | |
XFree86 4.3.0 integer overflows in font libraries
| Package(s): | XFree86 |
| CVE #(s): | CAN-2003-0730 |
| Created: | September 12, 2003 |
| Updated: | November 25, 2003 |
| Description: |
Several vulnerabilities were discovered by blexim(at)hush.com in the font
libraries of XFree86 version 4.3.0 and earlier. These bugs could
potentially lead to execution of arbitrary code or a DoS by a remote user
in any way that calls these functions, which are related to the transfer
and enumeration of fonts from font servers to clients. See the
advisory for additional details.
|
| Alerts: | |
Updated vulnerabilities
2.4 kernel - several vulnerabilities
| Package(s): | 2.4 kernel |
| CVE #(s): | CAN-2003-0461, CAN-2003-0462, CAN-2003-0464, CAN-2003-0476, CAN-2003-0501, CAN-2003-0550, CAN-2003-0551, CAN-2003-0552 |
| Created: | July 21, 2003 |
| Updated: | December 23, 2003 |
| Description: |
Several security issues have been discovered affecting the Linux kernel:
- CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.
- CAN-2003-0462: Paul Starzetz discovered a file read race condition in the execve() system call, which could cause a local crash.
- CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that this could allow normal users to bind to UDP ports used for services such as nfsd.
- CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.
- CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.
- CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.
- CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.
- CAN-2003-0552: Jerry Kreuscher discovered that the forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
|
| Alerts: | |
apache: multiple vulnerabilities in Apache HTTP server
| Package(s): | apache |
| CVE #(s): | CAN-2003-0192, CAN-2003-0253, CAN-2003-0254 |
| Created: | July 11, 2003 |
| Updated: | September 22, 2003 |
| Description: |
The Apache Software Foundation and
the Apache HTTP Server Project have announced
the release of the Apache HTTP Server 2.0.47. This release fixes four
security vulnerabilities:
- Certain sequences of per-directory renegotiations and the
SSLCipherSuite directive being used to upgrade from a weak ciphersuite to
a strong one could result in the weak ciphersuite being used in place of
the strong one. [CAN-2003-0192]
- Certain errors returned by accept() on rarely accessed ports could
cause a temporary denial of service, due to a bug in the prefork MPM. [CAN-2003-0253]
- Denial of service was caused when target host is IPv6 but ftp proxy
server can't create IPv6 socket. [CAN-2003-0254]
- The server would crash when going into an infinite loop due to too
many subsequent internal redirects and nested subrequests. [VU#379828]
|
| Alerts: | |
autorespond: buffer overflow
| Package(s): | autorespond |
| CVE #(s): | CAN-2003-0654 |
| Created: | August 18, 2003 |
| Updated: | September 30, 2003 |
| Description: |
Christian Jaeger discovered a buffer overflow in autorespond, an email
autoresponder used with qmail. This vulnerability could potentially
be exploited by a remote attacker to gain the privileges of a user who
has configured qmail to forward messages to autorespond. This
vulnerability is currently not believed to be exploitable due to
incidental limits on the length of the problematic input, but there
may be situations in which these limits do not apply.
CAN-2003-0654 |
| Alerts: | |
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
| CVE #(s): | CAN-2002-0651, CAN-2002-0684 |
| Created: | July 8, 2002 |
| Updated: | September 30, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc-related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunately, that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Kirch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
CAN-2002-0651
CAN-2002-0684 |
| Alerts: | |
Canna server: exploitable buffer overrun
| Package(s): | canna |
| CVE #(s): | CAN-2002-1158, CAN-2002-1159 |
| Created: | December 10, 2002 |
| Updated: | September 30, 2003 |
| Description: |
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also
http://canna.sourceforge.jp/sec/Canna-2002-01.txt
CAN-2002-1158
CAN-2002-1159 |
| Alerts: | |
eroaster: insecure temporary file
| Package(s): | eroaster |
| CVE #(s): | CAN-2003-0656 |
| Created: | August 19, 2003 |
| Updated: | September 30, 2003 |
| Description: |
A vulnerability was discovered in eroaster where it does not take any
security precautions when creating a temporary file for the lockfile. This
vulnerability could be exploited to overwrite arbitrary files with the
privileges of the user running eroaster.
CAN-2003-0656 |
| Alerts: | |
ethereal: security problems in Ethereal 0.9.12
| Package(s): | ethereal |
| CVE #(s): | CAN-2003-0428, CAN-2003-0429, CAN-2003-0431, CAN-2003-0432 |
| Created: | June 23, 2003 |
| Updated: | November 10, 2003 |
| Description: |
Several security problems have been found in Ethereal
0.9.12. "It may be possible to make Ethereal crash or run
arbitrary code by injecting a purposefully malformed packet onto the wire,
or by convincing someone to read a malformed packet trace file." |
| Alerts: | |
exim: buffer overflows
| Package(s): | exim exim-tls |
| CVE #(s): | CAN-2003-0743 |
| Created: | September 4, 2003 |
| Updated: | September 30, 2003 |
| Description: |
A buffer overflow exists in exim, which is the standard mail transport
agent in Debian. By supplying a specially crafted HELO or EHLO
command, an attacker could cause a constant string to be written past
the end of a buffer allocated on the heap. This vulnerability is not
believed at this time to be exploitable to execute arbitrary code.
CAN-2003-0743 |
| Alerts: | |
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: | |
fdclone: insecure temporary directory
| Package(s): | fdclone |
| CVE #(s): | CAN-2003-0596 |
| Created: | July 23, 2003 |
| Updated: | September 30, 2003 |
| Description: |
fdclone creates a temporary directory in /tmp as a workspace.
However, if this directory already exists, the existing directory is
used instead, regardless of its ownership or permissions. This would
allow an attacker to gain access to fdclone's temporary files and
their contents, or replace them with other files under the attacker's
control.
CAN-2003-0596 |
| Alerts: | |
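Both eroaster (CAN-2003-0656, above) and fdclone illustrate the same class of bug: trusting a path under /tmp that an attacker may have created first. The following Python, added here as an illustration and not taken from either program, shows the unsafe pattern next to the checks that close it: creating a private directory with mode 0700 and refusing a pre-existing one unless it is ours, not a symlink and not group/world accessible; and creating a lockfile with O_CREAT|O_EXCL so that a planted symlink is rejected rather than followed. The directory layout it exercises is built under a fresh mkdtemp() so the demo runs anywhere.

```python
"""Unsafe versus safe handling of a workspace directory and a lockfile under /tmp."""
import os
import stat
import tempfile


def insecure_workspace(path):
    """fdclone-style: reuse whatever is already at `path`, whoever owns it."""
    if not os.path.isdir(path):          # follows symlinks, so a planted link passes
        os.mkdir(path)
    return path


def insecure_lockfile(path):
    """eroaster-style: plain open-for-write follows a symlink and clobbers its target."""
    with open(path, "w") as f:
        f.write(str(os.getpid()))
    return path


def check_private_dir(path):
    """Accept a pre-existing directory only if it is ours, not a symlink, and mode 0700."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{path}: is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path}: not a directory")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, not us")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: group/world accessible")


def secure_workspace(path):
    """Create `path` with mode 0700; if something is already there, verify it or fail closed."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        check_private_dir(path)
    return path


def secure_lockfile(path):
    """Create the lockfile exclusively: an existing file or symlink makes open() fail."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    os.write(fd, str(os.getpid()).encode())
    return fd


def _raises(exc, fn, *args):
    try:
        fn(*args)
    except exc:
        return True
    return False


def demo():
    """Exercise both variants against attacker-planted paths; returns a dict of outcomes."""
    base = tempfile.mkdtemp(prefix="tmpdemo-")
    out = {}

    # 1. Attacker pre-created a symlink where the program's workspace directory will go.
    victim = os.path.join(base, "victim")
    os.mkdir(victim)
    ws_link = os.path.join(base, "ws")
    os.symlink(victim, ws_link)
    out["insecure_uses_symlinked_dir"] = insecure_workspace(ws_link) == ws_link
    out["secure_rejects_symlinked_dir"] = _raises(PermissionError, secure_workspace, ws_link)

    # 2. Attacker pre-created the directory itself, world-writable.
    ws_open = os.path.join(base, "ws-open")
    os.mkdir(ws_open)
    os.chmod(ws_open, 0o777)
    out["secure_rejects_world_writable"] = _raises(PermissionError, secure_workspace, ws_open)

    # 3. Nothing planted: the directory is created private.
    ws_fresh = secure_workspace(os.path.join(base, "ws-fresh"))
    out["fresh_dir_is_0700"] = stat.S_IMODE(os.lstat(ws_fresh).st_mode) == 0o700

    # 4. Attacker pre-created a symlink where the lockfile will go, pointing at a file to clobber.
    secret = os.path.join(base, "secret")
    lock_link = os.path.join(base, "lock")
    os.symlink(secret, lock_link)
    insecure_lockfile(lock_link)
    out["insecure_lock_wrote_through_symlink"] = os.path.isfile(secret)
    out["secure_lock_rejects_symlink"] = _raises(OSError, secure_lockfile, lock_link)
    fd = secure_lockfile(os.path.join(base, "lock-fresh"))
    os.close(fd)
    out["secure_lock_created_fresh"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ownership and mode checks matter because an attacker on a shared machine does not need to win a race: the vulnerable programs will happily adopt a directory or symlink planted minutes earlier. When the program can choose the name itself, tempfile.mkdtemp() and tempfile.mkstemp() give the same guarantees with less code.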
fetchmail: buffer overflow
| Package(s): | fetchmail |
| CVE #(s): | CAN-2002-1365 |
| Created: | December 17, 2002 |
| Updated: | October 20, 2003 |
| Description: |
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. |
| Alerts: | |
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
| CVE #(s): | CAN-2002-1146 |
| Created: | November 7, 2002 |
| Updated: | February 5, 2004 |
| Description: |
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
|
| Alerts: | |
gnupg: key validation
| Package(s): | gnupg |
| CVE #(s): | CAN-2003-0255 |
| Created: | May 15, 2003 |
| Updated: | November 17, 2003 |
| Description: | A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID. |
| Alerts: | |
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML as supplied with versions of Evolution prior to 1.2.4 contains a bug in the handling of HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
inetd: DoS attack
| Package(s): | inetd |
| CVE #(s): | |
| Created: | September 8, 2003 |
| Updated: | September 10, 2003 |
| Description: | inetd has a hard-coded limit of 256 connections-per-minute, after which the given service is disabled for ten minutes. An attacker could use a quick burst of connections every ten minutes to effectively disable a service. Once upon a time, this was an intentional feature of inetd, but in today's world it has become a bug. Even having inetd look at the source IP and try to limit only the source of the attack would be problematic since TCP source addresses are so easily faked. |
| Alerts: | |
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: | The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in kernel-utils packages shipped with Red Hat Linux 8.0 was incorrectly installed setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to the packages that contain a version of uml_net that is not setuid root. Alternatively, as a workaround for this vulnerability, issue the following command as root: `chmod -s /usr/bin/uml_net` |
| Alerts: | |
libpam-smb: exploitable buffer overflow
| Package(s): | libpam-smb, pam-smb |
| CVE #(s): | CAN-2003-0686 |
| Created: | August 26, 2003 |
| Updated: | September 30, 2003 |
| Description: | libpam-smb is a PAM authentication module which makes it possible to authenticate users against a password database managed by Samba or a Microsoft Windows server. If a long password is supplied, this can cause a buffer overflow which could be exploited to execute arbitrary code with the privileges of the process which invokes PAM services. See this advisory for more information. |
| Alerts: | |
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
| CVE #(s): | CAN-2002-1363 |
| Created: | December 19, 2002 |
| Updated: | July 14, 2004 |
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly, which causes a buffer overrun beyond the beginning of the row buffer. |
| Alerts: | |
lynx: CRLF injection vulnerability
| Package(s): | lynx |
| CVE #(s): | CAN-2002-1405 |
| Created: | November 19, 2002 |
| Updated: | September 30, 2003 |
| Description: | If lynx is given a URL containing certain special characters on the command line, it will include faked headers in the HTTP query. This behavior can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts. |
| Alerts: | |
mah-jong: buffer overflows, denial of service
| Package(s): | mah-jong |
| CVE #(s): | CAN-2003-0705, CAN-2003-0706 |
| Created: | September 8, 2003 |
| Updated: | September 10, 2003 |
| Description: | Nicolas Boullis discovered two vulnerabilities in mah-jong, a network-enabled game. CAN-2003-0705 (buffer overflow): This vulnerability could be exploited by a remote attacker to execute arbitrary code with the privileges of the user running the mah-jong server. CAN-2003-0706 (denial of service): This vulnerability could be exploited by a remote attacker to cause the mah-jong server to enter a tight loop and stop responding to commands. |
| Alerts: | |
perl-MailTools: remote command execution
| Package(s): | MailTools |
| CVE #(s): | CAN-2002-1271 |
| Created: | November 5, 2002 |
| Updated: | September 19, 2003 |
| Description: | The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the use of mailx as the default mailer, which allows commands to be embedded in the mail body. Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags. |
| Alerts: | |
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. |
| Alerts: | |
mindi: insecure file creations
| Package(s): | mindi |
| CVE #(s): | CAN-2003-0617 |
| Created: | September 2, 2003 |
| Updated: | September 30, 2003 |
| Description: | Mindi versions prior to 0.86 create files in /tmp insecurely, which could allow local users to overwrite arbitrary files. |
| Alerts: | |
mpg123 - buffer overflow
| Package(s): | mpg123 |
| CVE #(s): | CAN-2003-0577 |
| Created: | July 16, 2003 |
| Updated: | September 30, 2003 |
| Description: | The mpg123 utility contains a buffer overflow vulnerability which can allow an attacker to execute arbitrary code by way of a malicious MP3 file. |
| Alerts: | |
Nessus NASL scripting engine security issues
| Package(s): | nessus |
| CVE #(s): | |
| Created: | May 27, 2003 |
| Updated: | August 12, 2004 |
| Description: | Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information. |
| Alerts: | |
netris: buffer overflow
| Package(s): | netris |
| CVE #(s): | CAN-2003-0685 |
| Created: | August 18, 2003 |
| Updated: | September 30, 2003 |
| Description: | Shaun Colley discovered a buffer overflow vulnerability in netris, a network version of a popular puzzle game. A netris client connecting to an untrusted netris server could be sent an unusually long data packet, which would be copied into a fixed-length buffer without bounds checking. This vulnerability could be exploited to gain the privileges of the user running netris in client mode, if they connect to a hostile netris server. |
| Alerts: | |
net-snmp: denial of service vulnerability
| Package(s): | net-snmp |
| CVE #(s): | CAN-2002-1170 |
| Created: | December 17, 2002 |
| Updated: | November 7, 2003 |
| Description: | The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet. |
| Alerts: | |
nfs-utils xlog() off-by-one bug
| Package(s): | nfs-utils |
| CVE #(s): | CAN-2003-0252 |
| Created: | July 14, 2003 |
| Updated: | March 8, 2004 |
| Description: | The Linux NFS utils package contains a remotely exploitable off-by-one bug in xlog(). A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details. |
| Alerts: | |
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2003-0190 |
| Created: | May 2, 2003 |
| Updated: | November 30, 2004 |
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." |
| Alerts: | |
pam-pgsql: format string vulnerability
| Package(s): | pam-pgsql |
| CVE #(s): | CAN-2003-0672 |
| Created: | August 11, 2003 |
| Updated: | September 30, 2003 |
| Description: | Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the username to be used for authentication is used as a format string when writing a log message. This vulnerability may allow an attacker to execute arbitrary code with the privileges of the program requesting PAM authentication. |
| Alerts: | |
perl: cross site scripting vulnerability in CGI.pm module
| Package(s): | perl |
| CVE #(s): | CAN-2003-0615 |
| Created: | July 29, 2003 |
| Updated: | September 30, 2003 |
| Description: | obscure@eyeonsecurity.org reported a cross site scripting vulnerability in the CGI.pm perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package. |
| Alerts: | |
PHP: vulnerability in mail function
| Package(s): | php |
| CVE #(s): | CAN-2002-0985, CAN-2002-0986 |
| Created: | November 13, 2002 |
| Updated: | September 30, 2003 |
| Description: | Two vulnerabilities exist in the PHP mail() function. The first one allows the execution of any program/script, bypassing the safe_mode restriction; the second one may turn a script into an open relay if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0. |
| Alerts: | |
phpgroupware - cross-site scripting and other exploits
| Package(s): | phpgroupware |
| CVE #(s): | CAN-2003-0504, CAN-2003-0582 |
| Created: | July 16, 2003 |
| Updated: | September 30, 2003 |
| Description: | Several vulnerabilities were discovered in all versions of phpgroupware prior to 0.9.14.006. This latest version fixes an exploitable condition in all earlier versions that can be exploited remotely without authentication and can lead to arbitrary code execution on the web server. This vulnerability is being actively exploited. Version 0.9.14.005 fixed several other vulnerabilities, including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies. See this Security Corporation report for more information. |
| Alerts: | |
postfix: denial of service vulnerabilities
| Package(s): | postfix |
| CVE #(s): | CAN-2003-0468, CAN-2003-0540 |
| Created: | August 5, 2003 |
| Updated: | May 27, 2004 |
| Description: | The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. |
| Alerts: | |
PostgreSQL - more buffer overflows
| Package(s): | postgresql |
| CVE #(s): | |
| Created: | February 12, 2003 |
| Updated: | November 7, 2003 |
| Description: | A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. |
| Alerts: | |
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
| CVE #(s): | CAN-2002-1119 |
| Created: | August 28, 2002 |
| Updated: | September 30, 2003 |
| Description: | Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2. |
| Alerts: | |