LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
Letters to the editor
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Security news
A different kind of bad week
Another week, another email worm. Your editor initially wondered how he had managed to get put on a Microsoft security mailing list, but it didn't take too long to figure out what was really going on. A quick tweak to a SpamAssassin rule made the visible part of the problem go away; after all, very few messages of interest contain Microsoft executables anyway. But, of course, the "Swen" worm continues to chew up bandwidth.Swen seems to have two ways of attacking a system:
- a
two-year-old Internet Explorer bug, which allows code execution
through malicious HTML mail.
- Convincing users to run the attached executable.
As we have warned many times in this space, Linux is not immune to worms and viruses. We will almost certainly have a bad security day sooner or later. But Swen is a classic Microsoft worm, and, perhaps, Linux users have the right to feel just a little smug.
Exposed Linux systems with two-year-old vulnerabilities are rare. Fixing problems is sufficiently easy, and Linux administrators are sufficiently aware that vulnerabilities tend to be closed quickly. Keeping patching levels high as Linux expands into more desktop and consumer-oriented uses will be a challenge, however. We have all the tools we need to keep such systems current; it's mostly a matter of ensuring that those tools get used.
Imagine, however, that a widespread bug exists which, when exploited, could allow the running of arbitrary code from malicious email. The variety of mail user agents in the Linux world will restrict any such exploit to a fraction of the deployed Linux systems. The number of distributions in use will also make a universal exploit difficult. But, even if the attacker succeeds in running code on a target system, that code will be unable to kill the system's defensive processes, make "registry" (i.e. configuration file) changes, or engage in most of the other unpleasant activities carried out by Swen. To obtain that level of access to the system, the exploit code would have to find and take advantage of another, different vulnerability.
Then, there is the issue of convincing users to run a malicious executable sent to them in the mail. One of the real strengths of the Linux development model is that it is highly unlikely to result in the creation of mail utilities which allow the direct execution of programs received as email attachments. Any developer or distributor who tried to release a tool with that sort of vulnerability would not soon forget the reception they would get on the net. There is simply no excuse for extending such trust to the world as a whole. A Linux utility that was so trusting would be fixed within hours. Microsoft systems have remained vulnerable - in the face of overwhelming proof of the damage caused - for years.
Linux systems suffer from a constant stream of vulnerabilities, like other systems out there. The real difference, perhaps, is that our problems get fixed - almost always before they ever reach a point where they can be widely exploited. As a happy result, it is, once again, not Linux systems which are spamming the net with worm-laden email.
New vulnerabilities
gopherd: buffer overflow
| Package(s): | gopher | CVE #(s): | CAN-2003-0805 | |||
| Created: | September 24, 2003 | Updated: | September 24, 2003 | |||
| Description: | The University of Minnesota gopherd daemon has a set of remotely exploitable buffer overflows which can allow an attacker to execute code as the "gopher" user. Both remaining gopher servers are advised to upgrade in the near future. | |||||
| Alerts: |
| |||||
hztty: buffer overflow vulnerability
| Package(s): | hztty | CVE #(s): | CAN-2003-0783 | |||
| Created: | September 24, 2003 | Updated: | September 24, 2003 | |||
| Description: | hztty (a program for translating Chinese character encodings) has a pair of buffer overflow vulnerabilities which can be exploited by a local attacker. This problem is compounded on Debian systems by the fact that hztty is (unnecessarily) installed setuid root. Version 2.0-6 has the fix. | |||||
| Alerts: |
| |||||
ipmasq: insecure packet filtering rules
| Package(s): | ipmasq | CVE #(s): | CAN-2003-0785 | |||
| Created: | September 22, 2003 | Updated: | September 24, 2003 | |||
| Description: | ipmasq is a package which simplifies configuration of Linux IP masquerading, a form of network address translation which allows a number of hosts to share a single public IP address. Due to use of certain improper filtering rules, traffic arriving on the external interface addressed for an internal host would be forwarded, regardless of whether it was associated with an established connection. This vulnerability could be exploited by an attacker capable of forwarding IP traffic with an arbitrary destination address to the external interface of a system with ipmasq installed. | |||||
| Alerts: |
| |||||
openssh: multilple PAM vulnerabilities in Portable OpenSSH versions 3.7p1 and 3.7.1p1
| Package(s): | openssh | CVE #(s): | |||||||||||||
| Created: | September 23, 2003 | Updated: | October 1, 2003 | ||||||||||||
| Description: | Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). See this advisory for details. | ||||||||||||||
| Alerts: |
| ||||||||||||||
proftpd: remote root shell
| Package(s): | proftpd | CVE #(s): | CAN-2003-0831 | |||||||||||||||||||||
| Created: | September 24, 2003 | Updated: | January 2, 2004 | |||||||||||||||||||||
| Description: | The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
Updated vulnerabilities
2.4 kernel - several vulnerabilities
| Package(s): | 2.4 kernel | CVE #(s): | CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552 | |||||||||||||||||||||||||||
| Created: | July 21, 2003 | Updated: | December 23, 2003 | |||||||||||||||||||||||||||
| Description: | Several security issues have been discovered affecting the Linux kernel:
| |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
perl-MailTools: remote command execution
| Package(s): | MailTools | CVE #(s): | CAN-2002-1271 | |||||||||||||||
| Created: | November 5, 2002 | Updated: | September 19, 2003 | |||||||||||||||
| Description: | The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
OpenSSH: buffer management error
| Package(s): | OpenSSH | CVE #(s): | CAN-2003-0693 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 16, 2003 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | All versions of OpenSSH's sshd prior to 3.7.1 contain a buffer management error. It is uncertain whether these errors are exploitable. Note that most distributors have issued two updates, since the first fix was found to be incomplete. See the second advisory for details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm | CVE #(s): | CAN-2002-1323 | |||||||||||||||
| Created: | October 9, 2002 | Updated: | February 20, 2004 | |||||||||||||||
| Description: | usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
XFree86 4.3.0 integer overflows in font libraries
| Package(s): | XFree86 | CVE #(s): | CAN-2003-0730 | |||||||||||||||
| Created: | September 12, 2003 | Updated: | November 25, 2003 | |||||||||||||||
| Description: | Several vulnerabilities were discovered by blexim(at)hush.com in the font libraries of XFree86 version 4.3.0 and earlier. These bugs could potentially lead to execution of arbitrary code or a DoS by a remote user in any way that calls these functions, which are related to the transfer and enumeration of fonts from font servers to clients. See the advisory for additional details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
apache: multiple vulnerabilities in Apache HTTP server
| Package(s): | apache | CVE #(s): | CAN-2003-0192 CAN-2003-0253 CAN-2003-0254 | ||||||||||||||||||
| Created: | July 11, 2003 | Updated: | September 22, 2003 | ||||||||||||||||||
| Description: | The Apache Software Foundation and
the Apache HTTP Server Project have announced
the release of the Apache HTTP Server 2.0.47. This release fixes four
security vulnerabilities:
| ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
autorespond: buffer overflow
| Package(s): | autorespond | CVE #(s): | CAN-2003-0654 | |||
| Created: | August 18, 2003 | Updated: | October 1, 2003 | |||
| Description: | Christian Jaeger discovered a buffer overflow in autorespond, an email autoresponder used with qmail. This vulnerability could potentially be exploited by a remote attacker to gain the privileges of a user who has configured qmail to forward messages to autorespond. This vulnerability is currently not believed to be exploitable due to incidental limits on the length of the problematic input, but there may be situations in which these limits do not apply. | |||||
| Alerts: |
| |||||
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc | CVE #(s): | CAN-2002-0651 CAN-2002-0684 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 8, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely." CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
Canna server: exploitable buffer overrun
| Package(s): | canna | CVE #(s): | CAN-2002-1158 CAN-2002-1159 | ||||||||||||
| Created: | December 10, 2002 | Updated: | October 1, 2003 | ||||||||||||
| Description: | Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue. A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159) | ||||||||||||||
| Alerts: |
| ||||||||||||||
eroaster: insecure temporary file
| Package(s): | eroaster | CVE #(s): | CAN-2003-0656 | |||||||||
| Created: | August 19, 2003 | Updated: | October 1, 2003 | |||||||||
| Description: | A vulnerability was discovered in eroaster where it does not take any security precautions when creating a temporary file for the lockfile. This vulnerability could be exploited to overwrite arbitrary files with the privileges of the user running eroaster. | |||||||||||
| Alerts: |
| |||||||||||
ethereal: security problems in Ethereal 0.9.12
| Package(s): | ethereal | CVE #(s): | CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432 | ||||||||||||||||||
| Created: | June 23, 2003 | Updated: | November 10, 2003 | ||||||||||||||||||
| Description: | Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file." | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
exim: buffer overflows
| Package(s): | exim exim-tls | CVE #(s): | CAN-2003-0743 | ||||||||||||
| Created: | September 4, 2003 | Updated: | October 1, 2003 | ||||||||||||
| Description: | A buffer overflow exists in exim, which is the standard mail transport agent in Debian. By supplying a specially crafted HELO or EHLO command, an attacker could cause a constant string to be written past the end of a buffer allocated on the heap. This vulnerability is not believed at this time to be exploitable to execute arbitrary code. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Filename disclosure vulnerability in fam
| Package(s): | fam | CVE #(s): | CAN-2002-0875 | ||||||
| Created: | August 19, 2002 | Updated: | January 5, 2005 | ||||||
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. | ||||||||
| Alerts: |
| ||||||||
fdclone: insecure temporary directory
| Package(s): | fdclone | CVE #(s): | CAN-2003-0596 | |||
| Created: | July 23, 2003 | Updated: | October 1, 2003 | |||
| Description: | fdclone creates a temporary directory in /tmp as a workspace. However, if this directory already exists, the existing directory is used instead, regardless of its ownership or permissions. This would allow an attacker to gain access to fdclone's temporary files and their contents, or replace them with other files under the attacker's control. | |||||
| Alerts: |
| |||||
fetchmail: buffer overflow
| Package(s): | fetchmail | CVE #(s): | CAN-2002-1365 | ||||||||||||||||||||||||
| Created: | December 17, 2002 | Updated: | October 20, 2003 | ||||||||||||||||||||||||
| Description: | Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc | CVE #(s): | CAN-2002-1146 | |||||||||
| Created: | November 7, 2002 | Updated: | February 5, 2004 | |||||||||
| Description: | DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash). | |||||||||||
| Alerts: |
| |||||||||||
gnupg: key validation
| Package(s): | gnupg | CVE #(s): | CAN-2003-0255 | |||||||||||||||||||||||||||
| Created: | May 15, 2003 | Updated: | November 17, 2003 | |||||||||||||||||||||||||||
| Description: | A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more then one user ID to trust all user ID's with the amount of trust given to the most-valid user ID. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml | CVE #(s): | CAN-2003-0133 CAN-2003-0541 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | April 18, 2005 | ||||||||||||||||||
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
KDE: Two issues in KDM
| Package(s): | kde, xfree86 | CVE #(s): | CAN-2003-0690 CAN-2003-0692 | ||||||||||||||||||
| Created: | September 16, 2003 | Updated: | December 19, 2003 | ||||||||||||||||||
| Description: | According to this advisory two issues have
been discovered in KDM:
| ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils | CVE #(s): | CAN-2003-0019 | |||
| Created: | February 7, 2003 | Updated: | January 21, 2005 | |||
| Description: | The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: chmod -s /usr/bin/uml_net | |||||
| Alerts: |
| |||||
libpam-smb: exploitable buffer overflow
| Package(s): | libpam-smb, pam-smb | CVE #(s): | CAN-2003-0686 | |||||||||||||||
| Created: | August 26, 2003 | Updated: | October 1, 2003 | |||||||||||||||
| Description: | libpam-smb is a PAM authentication module which makes it possible to authenticate users against a password database managed by Samba or a Microsoft Windows server. If a long password is supplied, this can cause a buffer overflow which could be exploited to execute arbitrary code with the privileges of the process which invokes PAM services. See this advisory for more information. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 | CVE #(s): | CAN-2002-1363 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 19, 2002 | Updated: | July 14, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
lynx: CRLF injection vulnerability
| Package(s): | lynx | CVE #(s): | CAN-2002-1405 | |||||||||||||||||||||
| Created: | November 19, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||
| Description: | If lynx is given a url with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
mikmod: buffer overflow
| Package(s): | mikmod | CVE #(s): | CAN-2003-0427 | |||||||||||||||
| Created: | June 16, 2003 | Updated: | June 16, 2005 | |||||||||||||||
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
mindi: insecure file creations
| Package(s): | mindi | CVE #(s): | CAN-2003-0617 | ||||||
| Created: | September 2, 2003 | Updated: | October 1, 2003 | ||||||
| Description: | Mindi versions prior to 0.86 creates files in /tmp which could allow local user to overwrite arbitrary files. | ||||||||
| Alerts: |
| ||||||||
mpg123 - buffer overflow
| Package(s): | mpg123 | CVE #(s): | CAN-2003-0577 | |||||||||
| Created: | July 16, 2003 | Updated: | September 30, 2003 | |||||||||
| Description: | The mpg123 utility contains a buffer overflow vulnerability which can allow an attacker to execute arbitrary code by way of a malicious MP3 file. | |||||||||||
| Alerts: |
| |||||||||||
mysql: arbitrary code execution
| Package(s): | mysql | CVE #(s): | CAN-2003-0780 | |||||||||||||||||||||||||||
| Created: | September 15, 2003 | Updated: | October 9, 2003 | |||||||||||||||||||||||||||
| Description: | Frank Denis reported a vulnerability in MySQL affecting MySQL3 versions 3.0.57 and earlier and MySQL4 versions 4.0.14 and earlier. Passwords of MySQL users are stored in the "Password" field of the "User" table, part of the "mysql" database. The passwords are hashed and stored as a 16 characters long hexadecimal value. Unfortunately, a function involved in password checking misses correct bounds checking. By filling a "Password" field a value wider than 16 characters, a buffer overflow will occur. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0780 to the problem. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
Nessus NASL scripting engine security issues
| Package(s): | nessus | CVE #(s): | ||||
| Created: | May 27, 2003 | Updated: | August 12, 2004 | |||
| Description: | Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information. | |||||
| Alerts: |
| |||||
net-snmp: denial of service vulnerability
| Package(s): | net-snmp | CVE #(s): | CAN-2002-1170 | ||||||
| Created: | December 17, 2002 | Updated: | November 7, 2003 | ||||||
| Description: | The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet. | ||||||||
| Alerts: |
| ||||||||
netris: buffer overflow
| Package(s): | netris | CVE #(s): | CAN-2003-0685 | |||
| Created: | August 18, 2003 | Updated: | October 1, 2003 | |||
| Description: | Shaun Colley discovered a buffer overflow vulnerability in netris, a network version of a popular puzzle game. A netris client connecting to an untrusted netris server could be sent an unusually long data packet, which would be copied into a fixed-length buffer without bounds checking. This vulnerability could be exploited to gain the priviliges of the user running netris in client mode, if they connect to a hostile netris server. | |||||
| Alerts: |
| |||||
nfs-utils xlog() off-by-one bug
| Package(s): | nfs-utils | CVE #(s): | CAN-2003-0252 | ||||||||||||||||||||||||||||||||||||
| Created: | July 14, 2003 | Updated: | March 8, 2004 | ||||||||||||||||||||||||||||||||||||
| Description: | Linux NFS utils package contains remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending specially crafted request to rpc.mountd daemon. See this BugTraq post for more details. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
openssh: timing attack leads to information disclosure
| Package(s): | openssh | CVE #(s): | CAN-2003-0190 | |||||||||||||||
| Created: | May 2, 2003 | Updated: | November 30, 2004 | |||||||||||||||
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
pam-pgsql: format string vulnerability
| Package(s): | pam-pgsql | CVE #(s): | CAN-2003-0672 | |||
| Created: | August 11, 2003 | Updated: | October 1, 2003 | |||
| Description: | Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the username to be used for authentication is used as a format string when writing a log message. This vulnerability may allow an attacker to execute arbitrary code with the privileges of the program requesting PAM authentication. | |||||
| Alerts: |
| |||||
perl: cross site scripting vulnerability in CGI.pm module
| Package(s): | perl | CVE #(s): | CAN-2003-0615 | |||||||||||||||||||||
| Created: | July 29, 2003 | Updated: | October 1, 2003 | |||||||||||||||||||||
| Description: | obscure@eyeonsecurity.org reported a cross site scripting vulnerability in the CGI.pm perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
PHP: vulnerability in mail function
| Package(s): | php | CVE #(s): | CAN-2002-0985 CAN-2002-0986 | |||||||||||||||
| Created: | November 13, 2002 | Updated: | October 1, 2003 | |||||||||||||||
| Description: | Two vulnerabilities exists in the mail() PHP function. The first one allows the execution of any program/script bypassing safe_mode restriction, the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
phpgroupware - cross-site scripting and other exploits
| Package(s): | phpgroupware | CVE #(s): | CAN-2003-0504 CAN-2003-0582 | ||||||||||||
| Created: | July 16, 2003 | Updated: | October 1, 2003 | ||||||||||||
| Description: | Several vulnerabilities were discovered in all versions of phpgroupware
prior to 0.9.14.006. This latest version fixes an exploitable condition in
all versions that can be exploited remotely without authentication and can
lead to arbitrary code execution on the web server. This vulnerability is
being actively exploited.
Version 0.9.14.005 fixed several other vulnerabilities including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies. See this Security Corportation report for more information. | ||||||||||||||
| Alerts: |
| ||||||||||||||
pine: remote exploits
| Package(s): | pine | CVE #(s): | CAN-2003-0720 CAN-2003-0721 | ||||||||||||||||||
| Created: | September 11, 2003 | Updated: | September 17, 2003 | ||||||||||||||||||
| Description: | Pine, developed at the University of Washington, is a tool for reading,
sending, and managing electronic messages (including mail and news).
A buffer overflow exists in the way unpatched versions of Pine prior to 4.57 handle the 'message/external-body' type. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0720 to this issue. An integer overflow exists in the Pine MIME header parsing in versions prior to 4.57. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0721 to this issue. Both of these flaws could be exploited by a remote attacker sending a carefully crafted email to the victim that will execute arbitrary code when the email is opened using Pine. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
postfix: denial of service vulnerabilities
| Package(s): | postfix | CVE #(s): | CAN-2003-0468 CAN-2003-0540 | ||||||||||||||||||||||||
| Created: | August 5, 2003 | Updated: | May 27, 2004 | ||||||||||||||||||||||||
| Description: | The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
PostgreSQL - more buffer overflows
| Package(s): | postgresql | CVE #(s): | |||||||||||||
| Created: | February 12, 2003 | Updated: | November 7, 2003 | ||||||||||||
| Description: | A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Local arbitrary code execution vulnerability in Python
| Package(s): | python | CVE #(s): | CAN-2002-1119 | |||||||||||||||||||||||||||||||||
| Created: | August 28, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||||||||
| Description: | Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
sane-backends: several vulnerabilities
| Package(s): | sane-backends | CVE #(s): | CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778 | ||||||||||||||||||
| Created: | September 11, 2003 | Updated: | February 20, 2004 | ||||||||||||||||||
| Description: | Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the sane-backends package, which contains
an API library for scanners including a scanning daemon (in the
package libsane) that can be remotely exploited. These problems allow
a remote attacker to cause a segfault fault and/or consume arbitrary
amounts of memory. The attack is successful, even if the attacker's
computer isn't listed in saned.conf.
You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe. Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe. The Common Vulnerabilities and Exposures project identifies the following problems:
| ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
semi: insecure temporary file
| Package(s): | semi, wemi | CVE #(s): | CAN-2003-0440 | ||||||||||||
| Created: | July 7, 2003 | Updated: | October 1, 2003 | ||||||||||||
| Description: | semi, a MIME library for GNU Emacs, does not take appropriate
security precautions when creating temporary files. This bug could
potentially be exploited to overwrite arbitrary files with the
privileges of the user running Emacs and semi, potentially with
contents supplied by the attacker.
wemi is a fork of semi, and contains the same bug. | ||||||||||||||
| Alerts: |
| ||||||||||||||
sendmail: bad DNS reply causes crash
| Package(s): | sendmail | CVE #(s): | CAN-2003-0688 | |||||||||||||||
| Created: | August 26, 2003 | Updated: | October 1, 2003 | |||||||||||||||
| Description: | There is a potential problem in sendmail 8.12.8 and earlier sendmail 8.12.x versions with respect to DNS maps. The bug did not exist in versions before 8.12 as the DNS map type is new to 8.12. The bug was fixed in 8.12.9, released March 29, 2003. See this advisory for more information. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
sendmail: remotely exploitable buffer overflow
| Package(s): | sendmail | CVE #(s): | CAN-2003-0694 CAN-2003-0681 | |||||||||||||||||||||||||||||||||
| Created: | September 17, 2003 | Updated: | November 18, 2003 | |||||||||||||||||||||||||||||||||
| Description: | Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
stunnel: signal handler reentrancy DoS
| Package(s): | stunnel | CVE #(s): | CAN-2002-1563 | ||||||||||||
| Created: | July 25, 2003 | Updated: | November 25, 2003 | ||||||||||||
| Description: | Stunnel is a wrapper for network connections. It can be used to tunnel an
unencrypted network connection over a secure connection (encrypted using
SSL or TLS) or to provide a secure means of connecting to services that do
not natively support encryption.
When configured to listen for incoming connections (instead of being invoked by xinetd), stunnel can be configured to either start a thread or a child process to handle each new connection. If Stunnel is configured to start a new child process to handle each connection, it will receive a SIGCHLD signal when that child exits. Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal handler which, if interrupted by another SIGCHLD signal, could be unsafe. This could lead to a denial of service. | ||||||||||||||
| Alerts: |
| ||||||||||||||