
LWN.net Weekly Edition for October 9, 2003

The future of the FUD mill

There's yet another Microsoft-funded analyst study out there; this one, done by VeriTest, compares deployment times for Microsoft Windows Small Business Server and Red Hat Enterprise Linux. No doubt everybody will be surprised to hear that the study (available in PDF format) concludes that Windows is better. Four tasks were set out: install the system with basic services, set up performance monitoring and reporting, set up an intranet web site, and configure the network for remote management. Doing these tasks with Windows took, they say, 4 1/2 hours and 125 steps. Linux required 7 1/2 hours and 555 steps.

It is not hard to poke holes in the study, of course. Somehow it was possible to set up an intranet server on Windows with zero steps - but it still took seven minutes. Somehow the report didn't comment on the discouraging time per step required to accomplish this task on Windows. Errors made by the (Microsoft-hired) consultants performing the Linux installation were counted as steps. Tasks like checking the system with nmap were also counted. Setting up remote administration took 100 steps; we could suggest a shorter way of doing that:

  1. Enable sshd.

The VeriTest people, instead, set out on a series of tasks involving installing the kernel source, setting up PPTP, and carrying out several tasks on the Windows client - all of which counted as steps, of course.

One could go on about this report for a long time; see, for example, the letter from Leon Brooks on this week's Letters Page. The more interesting development, however, is that Forrester Research has, after having Microsoft trumpet one of its studies, issued this statement on the integrity of its reports.

Recently, in two isolated and unrelated cases, we conducted privately sponsored studies for two vendor clients. We stand by the integrity of both studies. However, we erred in allowing those clients to publicize the research findings. In response to these two isolated events, Forrester has taken immediate steps to tighten our internal process and clarify our Integrity Policy. As part of this clarification, the company will no longer accept projects that involve paid-for, publicized product comparisons. This move revalidates and strengthens Forrester's research integrity.

Forrester, in other words, is getting out of the analyst-for-hire FUD business. Given that this business can only be lucrative, Forrester's decision to leave it behind is worthy of note.

FUD-for-hire has long been an important business tool in the technology world. Analysts have been happy to have the business, and they have been able to live with the fact that their output always seems to support the sponsor's agenda. Technical journalists have long liked these reports; they can easily be cast into a story without requiring much in the way of creative or critical thought. The whole system worked smoothly as a way of shaping public perception of technology products.

Something has happened over the last decade or so, however. The net has made it easy for interested parties to rip apart biased or poorly-done studies. And the rise of free software has greatly increased the number of people who feel some sort of ownership interest in the systems they use. As a result, anybody publishing a report critical of free software had better be very sure of his ground, because that report will be subjected to intense scrutiny. Some of the people performing that scrutiny will know far more about the subject matter than the analysts who wrote the text, and they will not be afraid to say, in public, what they think. Shoddy research and skewed studies do not fare well in the modern environment.

It has been noted for years that FUD attacks on Linux tend to backfire; even Microsoft has commented on this fact. The combination of the net and the Linux community has managed to neutralize - or at least strongly diminish the effect of - FUD. Analyst companies which are seen as taking part in outright FUD attempts have seen their own credibility suffer; remember MindCraft? Now some analyst companies, concerned about the perception of their integrity, are realizing that the FUD business is a poor place to be in the long run. That is a victory for the Linux community, and for the level of technology industry discourse in general.


An Evening with Bruce Perens

October 8, 2003

This article was contributed by Joe 'Zonker' Brockmeier.

Bruce Perens was in Denver this week for IBM's Linux strategy briefing and offered to speak to the Colorado Linux Users and Enthusiasts (CLUE) Linux User Group the night before the IBM event. The talk was billed as "The Future of GNU/Linux and Free Software," but Perens talked a great deal about the history of free software as well.

After covering his history with Linux and the open source movement, Perens turned to current events. He talked a little bit about how many companies doing Linux-related business suffer from multiple personality disorder. On the one hand companies like HP are looking to push Linux and are trying to embrace Linux and do the right thing for the Linux community. On the other hand, these companies have to maintain relationships with companies like SCO and Microsoft and participate in groups like CompTIA that actively work against open source. Perens cautions the community to pay attention to everything a company does, not just its support for open source.

We know that both Hewlett-Packard and the other members of CompTIA were sponsors of the so-called Software Choice Initiative, which works against open source. So, it's important to watch our friends.

Perens also noted that the next likely legal attack against open source would be via software patents, and said he thinks it's unlikely that corporations like HP or IBM would help the community in that event.

Though Perens says he hasn't made up his mind yet, he indicated he was thinking seriously about trying to form a community-driven answer to Red Hat's enterprise products.

I'm wondering if it's time for a grass-roots enterprise Linux, and the way I figured I would do this... is first of all take Debian, why is there a Fedora project when there's Debian, a ten-year-old project with all its policies done...with over a thousand developers? That is what the Fedora project should be. Take that, and get together the community of enterprise users who depend on Linux and really want a zero-cost enterprise distribution.

After the talk, we caught up with Bruce for a few minutes one-on-one to ask about issues not covered during his talk, and to get further information on the grass-roots enterprise Linux effort. The first question was about the disagreement between the Free Software Foundation and the Debian Project over the GNU Free Documentation License (FDL). Perens has helped mediate between the groups, and says that they're on their way to working it out.

I wanted to take the emotion out of the whole thing, and it looks like we're succeeding at that. I'm not tremendously happy to have coverage of Debian and FSF bickering, we have a lot more important things going on.

I think that it's going to take care of itself more or less now. You probably will have some conference calls that are exciting... I'm not asking either organization to compromise with each other, I'm asking each organization to follow their own rules. I feel that it's not permissible for Debian to compromise its ethos for FSF nor is it permissible for the FSF to compromise its ethos for Debian and resolution of this issue does not call for either.

Perens also clarified his thoughts on a possible "grass-roots" enterprise-ready Linux distribution:

It's something I'm still thinking about. I think I will go ahead and do a call for people to work on it. Obviously I'm open for people who want to discuss it. The project is not yet announced. I really debated this in my own head for weeks now, and part of the reason was that, I feel that it's a big personal expense to me to do any large project. On the other side every open source thing I've ever done has paid back much more than I've put into it... I feel that I must participate because I'm one of the few people in the community with the cachet to pull this off, who can talk to all the people on the executive side and all the people on the community side and has reasonable credibility with both of them. That doesn't mean I have to run it, definitely doesn't mean I want to be its CTO, it does mean I would be evangelizing it publicly for quite some time.

I'm thinking about whether it is time for the community... to provide directly a Linux distro certified to LSB and to proprietary software providers that are willing to do so, guaranteed to be free software and free beer, free speech and free beer. A certified distribution that is zero cost, free software... and I'm convinced that creating a Linux distribution is an expense-sharing system rather than a profit-making system, even Red Hat now admits this as they attempt to offload production of their distribution to the community.

We also asked Perens how he felt about companies that use open source software, but do not contribute substantially to the projects they use.

I have a scale for commercial collaborators with the community. It has four points. It runs benefactor, partner, user, parasite. Benefactor: NASA's a great example. They funded most of Linux's Ethernet drivers at one time. At that time they were not able yet to make extensive use of Linux, now they are. They put in more than they got out. Most companies would not want to be benefactors, it looks bad to your stockholders.

Partner is what companies should be if they expect the cooperation of the free software community. At Hewlett-Packard, we could not get them to help us with the IA-64 kernel until we made the printers work. Very good lesson for companies, we put out 60 printer drivers on Linux because of that.

User is a company that makes use of Linux and open source that complies with the licensing, but does not make any contribution unless they just can't avoid it. The usual GPL. I put Linksys in the user category if they finish resolving the issues they're working on with the FSF right now. Linksys is a division of Cisco, a very big company, that's important.

Parasite, SCO comes to mind. They're making fraudulent claims to get value out of the Linux and open source community by kiting their stock and you can quote me on "fraudulent," "libelous," "slanderous," no problem with that. Other parasites, well who sold Linksys and Cisco that wireless access point? A chip company with a "B"... a number of engineering companies that seem to be in Taiwan and Korea, transferred intellectual property that was not theirs to Linksys and Cisco, in ways that did not comply with the licensing, leaving these companies whose goodwill we want out of compliance with our licenses and they don't know how to resolve the problem. So I don't like it because those Taiwanese or Korean companies made us enemies with Cisco when we want those guys to put Linux in their next product, we just want them to comply with the licenses and they should have been given full directions for doing so when they bought those WAP designs.

Finally, we asked Perens if he had any thoughts on Eric Raymond's prediction that Sun is doomed.

Yeah, I wish Eric hadn't written that, actually. At least not quite the way he wrote it, because first of all not having worked at HP as I have, Eric doesn't understand how long a company can run on a legacy product which is an extremely long time. And, secondarily, I think Eric was angered by things Sun has been saying about Linux not belonging in the data center and Sun's explicit collaboration with SCO spreading FUD. However, Sun also helps us. Remember what I said about corporate multiple personality disorders. They've done $70 million dollar investment in OpenOffice, and I don't see where it paid off for them. They bungled the strategic aspect of it, they need help with it, but it was a very large contribution to Linux and open source. So, first of all, Sun's not going away, they're not dying. If anything, they'll be acquired. They're still a company with some value, and obviously their price is becoming more attractive. Who will acquire them? I think it's either Microsoft or IBM.

We thank Bruce for taking the time to talk with us.


VeriSign backs down - for now

The September 18 LWN Weekly Edition asked "whose Internet is it?" in response to VeriSign's deployment of its "SiteFinder" service. SiteFinder is an attempt to profit from mistyped domain names; it is implemented as wildcard records in the .com and .net zones, so that a lookup for any name not registered in those zones returns VeriSign's address rather than the NXDOMAIN ("no such name") answer that DNS clients have always relied on, and users who mistype an address land on VeriSign's paid index pages. VeriSign's unilateral change broke a number of network services (anything that used an NXDOMAIN answer to decide that a name does not exist), modified how DNS works with no input from anybody else involved, and raised a great many privacy concerns. Nonetheless, VeriSign seemed determined to weather the storm and keep its changes in place. That is not a surprising position, given that the company expected SiteFinder to generate a revenue stream in the millions of dollars.
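The check a site operator wanted at the time was a way to notice that a TLD had grown a wildcard, and to turn the synthesized answers back into "no such name" for local software. The following is an added example, not VeriSign's, ICANN's or any resolver's own code: it probes a zone with names that cannot exist, and wraps a resolver so that answers consisting only of the wildcard address are reported as NXDOMAIN. The resolver it runs against is a constructed stand-in that behaves the way .com did under SiteFinder; the addresses (192.0.2.x, TEST-NET) and the names in it are placeholders, not VeriSign's real SiteFinder address. A real lookup callback (built on dnspython, for instance) can be passed in place of the stand-in. BIND's "delegation-only" zone option, added in response to SiteFinder, attacks the same problem differently (it refuses any non-referral answer from the TLD servers); this wrapper filters by address instead, which is simpler but has to be re-probed if the wildcard target changes.

```python
import secrets


def _random_label() -> str:
    """A label that no registrant will have claimed (constructed, random)."""
    return "lwn-probe-" + secrets.token_hex(8)


def detect_wildcard(resolve, zone: str, probes: int = 3):
    """Resolve several names that cannot exist under `zone`.

    `resolve(name)` must return a set of address strings, or None for NXDOMAIN.
    If every probe gets an answer and those answers share at least one address,
    the zone has a wildcard and the shared address set is returned; otherwise None.
    """
    answers = [resolve(f"{_random_label()}.{zone}") for _ in range(probes)]
    if any(a is None for a in answers):
        return None                       # at least one honest NXDOMAIN: no wildcard
    common = frozenset.intersection(*(frozenset(a) for a in answers))
    return common or None


def make_filtered_resolver(resolve, zones):
    """Wrap `resolve` so that wildcard-only answers under `zones` become NXDOMAIN."""
    wildcards = {z: detect_wildcard(resolve, z) for z in zones}

    def filtered(name: str):
        answer = resolve(name)
        if answer is None:
            return None
        for zone, addrs in wildcards.items():
            if addrs and name.endswith("." + zone) and frozenset(answer) <= addrs:
                return None               # synthesized by the wildcard, not a real host
        return answer

    return filtered


# Constructed zone data standing in for the real .com/.net/.org servers.
KNOWN = {"example.com": {"192.0.2.10"}, "example.org": {"192.0.2.20"}}
SYNTHESIZED = {"192.0.2.80"}              # placeholder for the wildcard target


def sitefinder_like_resolver(name: str):
    """Behaves like .com and .net did with the wildcard in place; .org is honest."""
    if name in KNOWN:
        return set(KNOWN[name])
    if name.endswith(".com") or name.endswith(".net"):
        return set(SYNTHESIZED)           # every typo "exists"
    return None                           # NXDOMAIN


if __name__ == "__main__":
    lookup = make_filtered_resolver(sitefinder_like_resolver, ["com", "net", "org"])
    for zone in ("com", "net", "org"):
        print(zone, "wildcard:", detect_wildcard(sitefinder_like_resolver, zone))
    for name in ("example.com", "exmaple.com", "exmaple.org"):
        print(name, "->", lookup(name))
```

Three probes are a compromise: one probe cannot distinguish a wildcard from a single squatted name, and the detector should be re-run periodically, since nothing stops a registry from changing the wildcard's target.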

Among other things, VeriSign had ignored a request from the Internet Corporation for Assigned Names and Numbers (ICANN) to suspend the service. It would seem, however, that ICANN is not entirely without clout - or value. On October 3, ICANN sent a more strongly written letter to VeriSign:

In addition, our review of the .com and .net registry agreements between ICANN and VeriSign leads us to the conclusion that VeriSign's unilateral and unannounced changes to the operation of the .com and .net Top Level Domains are not consistent with material provisions of both agreements....

Given these conclusions, please consider this a formal demand to return the operation of the .com and .net domains to their state before the 15 September changes, pending further technical, operational and legal evaluation. A failure to comply with this demand will require ICANN to take the steps necessary under those agreements to compel compliance with them.

In response, VeriSign grumbled a little, then removed its wildcard entries and turned off the service. However, anybody who thinks that VeriSign has seen the light and realized that, as the steward of a public resource, it needs to act in a more responsible manner would be well advised to read this column by Mark McLaughlin, a VeriSign VP.

ICANN appears to have bought into claims that the Internet has broken or will break. Anyone who has used it in the last three weeks knows that claim to be false. More likely, ICANN caved under the pressure from some in the Internet community for whom this is a technology-religion issue about whether the Internet should be used for these purposes.

The company also had some strong words at the special ICANN meeting held on October 7. Among other things, it said that it may have other surprises to spring on the net in the future. VeriSign, in other words, is absolutely unrepentant. This company's history suggests that it will not give up on the SiteFinder idea anytime soon. At the moment, it appears that the net's governance mechanisms have brought about the right result. But it would be a mistake to assume that this particular episode is over.


Quick SCO update

Many people have wondered how it could be that SCO's stock price continues to increase even as the company's claims are publicly torn to pieces. A partial answer to that question came to light this week, in the form of this SEC filing. It would seem that Royce & Associates, the manager of the "Royce Technology Value Fund," now owns over 1.4 million shares of SCO. That is, as it turns out, over 10% of all the outstanding shares in the company, and almost 20% of the shares in active circulation. For whatever reason, Royce has made a huge bet on SCO, and has managed to keep the price high in the process.

This fund is managed by Jonathan Cohen; some information about Mr. Cohen and SCO can be found on this page. Among other things, he has been talking up SCO stock in a number of forums; see, for example, this posting on MSN/CNBC. "Cohen said the company's stock has done well this year on the back of solid fundamentals. It has an enormous base of intellectual property rights, he added." Solid fundamentals indeed.

Meanwhile, more documents on the IBM case, and, in particular, the pre-trial discovery process have come to light; they can be found on the always useful Groklaw site. There's some fun stuff there. Consider the following from "Exhibit E," SCO's response to IBM's discovery demands:

Please identify, with specificity (by product, file, and line of code, where appropriate) all of the alleged trade secrets and any confidential or proprietary information that plaintiff alleges or contends IBM misappropriated or misused...

...SCO notes that discovery has just begun and it has not yet received responsive discovery from IBM that would allow it to fully answer this question because part of this information is peculiarly within the knowledge of IBM.

SCO responds to a number of questions in this way. One way of translating this response into English would be something like "we don't know, we were hoping IBM would tell us." It is hard to imagine a judge being impressed.

IBM also asked for information on "any person on whom plaintiff intends to rely as a witness, declarant, or affiant in this action." SCO's response was "None at this time." Could the company really have no witnesses at all?

IBM has filed a motion with the court attempting to compel SCO to back up its claims. The company has also asked for an oral argument before the judge on the issue.

Good cause for oral argument exists because of the nature of the discovery issued upon SCO and the significance of its refusal to respond. SCO has the burden to prove the existence of a trade secret or misappropriation by IBM of confidential or proprietary information, and there is no presumption in SCO's favor in this regard... As a result, SCO's apparent inability to respond to IBM's interrogatories as required under the Federal Rules of Civil Procedure has potentially outcome determinative consequences.

In other words, if SCO can't back up its charges, it's time to call the show over. Nobody ever thought IBM's lawyers would make it easy for SCO.

Finally, Drew Streib is still trying to buy an SCO "Linux license," but still has not succeeded. "I can't believe that a sales force is this incompetent, or instead of that possibility, that SCO could be so blatantly outright in their lying about license availability." SCO also continues to state that it will not be sending out invoices because the "response has been adequate." One might conclude that the company is having second thoughts about its licensing program.


Authors wanted

It has been the better part of a year since we first started taking externally written articles for LWN. That effort has had its ups and downs, but, overall, we have been pleased with the result. Externally contributed material has allowed us to bring new content and viewpoints to LWN. We have convinced ourselves that we can bring in more content and maintain the quality of our publication.

So, the time has come to expand our external author program. Writing for LWN will not be easy; as editors, we are fussy and difficult to please. And it certainly will not be a path to riches, or even away from the day job. But it is a way to get your byline out there and help us make a better LWN. If you think you might be interested, please take a moment to look at our author guide. If you're still interested afterward, we would like to hear from you.


Page editor: Jonathan Corbet

Security

Security news

The EFF's report on trusted computing

The Electronic Frontier Foundation has released, to a fair amount of fanfare, its report on trusted computing. The report's author (Seth Schoen) has concluded that, while trusted computing architectures offer a number of security benefits, there are also potential problems that need to be addressed.

The report mentions four different technologies that make up current trusted computing efforts:

  • Memory curtaining. Modern operating systems already go to considerable lengths to keep one process from being able to mess with another process's memory. Memory curtaining takes things further by improving memory isolation support in the hardware, so that even the kernel cannot modify one process's memory while working on behalf of another process.

  • Secure I/O is the creation of a data path from the keyboard (or other input devices) to the application, and from the application to the screen which cannot be seen or modified by other processes. It is an attempt to stop software keystroke loggers, screen readers, and other eavesdropping tools.

  • Sealed storage binds encryption keys to the hardware and to a measured software state, so that sealed data can be decrypted only on the same machine, and only while it is running the software that was present when the data was sealed. Copy the data elsewhere, or boot different software, and the key is never released.

  • Remote attestation is a hardware-supported mechanism for reporting what software is running on a system. The hardware keeps a hash chain of the software it has loaded and signs that record, so a remote application (a web server, say) can verify the signature and decide whether it is talking to software it recognizes.

The report acknowledges that all of these technologies can help to improve the security of computer systems. With a trusted computing architecture in place, a worm which is able to exploit a hole in one program will find its ability to do anything interesting on the system much reduced. The EFF does not have any real problem with most of the technologies discussed.

That is not true, however, for remote attestation:

TCG attestation conspicuously fails to distinguish between applications that protect computer owners against attack and applications that protect a computer against its owner. In effect, the computer's owner is sometimes treated as just another attacker or adversary who must be prevented from breaking in and altering the computer's software.

A few cases where the remote attestation feature could backfire on users are mentioned. One is web servers which refuse to talk to anything other than the One Chosen Browser. There are sites which do that now, but most modern browsers are capable of masquerading as something else, so these techniques are not effective. Remote attestation would change that. Other examples include software interoperability (i.e. eliminating Samba forevermore), forced upgrades, and forced use of digital rights management schemes.

As a solution, the EFF suggests an "owner override" feature. The owner of a system could, while physically present at the machine, force it to produce an attestation for software that the owner has modified or replaced, making it look like something else. This feature would solve the problem for suitably capable users. It is hard to imagine users developing a widespread ability to safely perform overrides, however.
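To make the mechanics concrete, here is a toy model of measured boot, sealed storage, remote attestation and the EFF's proposed owner override, as an added example; it is not code from the EFF report or from any TPM implementation. Everything is assumed for the sake of the demonstration: the component names in the boot sequence are made up, and an HMAC-SHA256 key shared between the chip and the verifier stands in for the RSA signing key a real TPM would use (so the verifier here is trusted with that key, which a real deployment avoids). What it shows is the part the report argues about: a modified kernel changes the measurement register, so data sealed to the known-good state stays sealed and the attestation fails; an owner who is physically present can make the quote claim the known-good state anyway, and the remote party cannot tell the difference.

```python
import hashlib
import hmac
import os


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR' = H(PCR || H(measurement)): an order-sensitive, one-way hash chain."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Verifier-side reference: the PCR value a known-good boot must produce."""
    pcr = bytes(32)
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC; a toy cipher for this demo only."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


class ToyTPM:
    def __init__(self, attestation_key: bytes, owner_present: bool = False):
        self._seal_root = os.urandom(32)      # never leaves the "chip"
        self._ak = attestation_key            # assumption: shared HMAC key, not RSA
        self.pcr = bytes(32)
        self.owner_present = owner_present    # physical presence, per the EFF proposal
        self.override_pcr = None

    def extend(self, measurement: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, measurement)

    def seal(self, data: bytes, to_pcr: bytes = None) -> dict:
        """Encrypt data under a key derived from the seal root and a PCR value."""
        pcr = to_pcr if to_pcr is not None else self.pcr
        key = hmac.new(self._seal_root, pcr, hashlib.sha256).digest()
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        return {"pcr": pcr, "nonce": nonce, "ct": ct, "tag": tag}

    def unseal(self, blob: dict):
        """Release plaintext only while the current PCR equals the sealing PCR."""
        if blob["pcr"] != self.pcr:
            return None                       # software changed: key never derived
        key = hmac.new(self._seal_root, blob["pcr"], hashlib.sha256).digest()
        expect = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(blob["tag"], expect):
            return None
        ks = _keystream(key, blob["nonce"], len(blob["ct"]))
        return bytes(a ^ b for a, b in zip(blob["ct"], ks))

    def quote(self, challenge: bytes) -> tuple:
        """Signed PCR report; the owner override substitutes a chosen value."""
        reported = self.pcr
        if self.owner_present and self.override_pcr is not None:
            reported = self.override_pcr
        sig = hmac.new(self._ak, challenge + reported, hashlib.sha256).digest()
        return reported, sig


def verify_quote(attestation_key: bytes, challenge: bytes, expected_pcr: bytes, quote) -> bool:
    """Remote side: fresh challenge, valid signature, and the PCR it expects."""
    reported, sig = quote
    good = hmac.new(attestation_key, challenge + reported, hashlib.sha256).digest()
    return hmac.compare_digest(sig, good) and reported == expected_pcr


# Constructed boot sequences; the strings stand in for the hashed binaries.
GOOD_BOOT = [b"firmware v1", b"bootloader v2", b"kernel 2.4.22", b"init"]
EVIL_BOOT = [b"firmware v1", b"bootloader v2", b"kernel 2.4.22 (patched by owner)", b"init"]


def run_scenario(boot, owner_present: bool = False, override: bool = False) -> dict:
    ak = b"\x11" * 32                         # constructed shared attestation key
    tpm = ToyTPM(ak, owner_present)
    expected = measure_boot(GOOD_BOOT)
    secret = tpm.seal(b"drm-content-key", to_pcr=expected)  # provisioned to the good state
    for component in boot:
        tpm.extend(component)
    if override:
        tpm.override_pcr = expected           # owner asks the chip to claim the good state
    challenge = os.urandom(16)
    return {
        "unseal_ok": tpm.unseal(secret) == b"drm-content-key",
        "attest_ok": verify_quote(ak, challenge, expected, tpm.quote(challenge)),
    }


if __name__ == "__main__":
    print("good boot:          ", run_scenario(GOOD_BOOT))
    print("modified kernel:    ", run_scenario(EVIL_BOOT))
    print("modified + override:", run_scenario(EVIL_BOOT, owner_present=True, override=True))
```

Note that the override in this model only affects the quote: the sealing key is still derived from the real PCR, so an owner who has replaced the kernel regains the ability to satisfy remote parties but not the ability to read data that was sealed to the vendor's software. That is the trade the EFF proposal makes, and it is also why the remote party, once overrides exist, is really only being told what the owner chooses to tell it.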

The real conclusion to be taken from this report is that the owners and users of computers need to maintain control over their machines. When your own computer treats you like an attacker, it has ceased to be truly yours, and it becomes a tool for controlling your behavior. Free software users have understood this point for years, of course. We have built a system that allows us to stay in control. But we need to be careful that the hardware platforms of the future do not take that control away from us.


New vulnerabilities

cfengine: stack overflow

Package(s):cfengine CVE #(s):
Created:October 8, 2003 Updated:October 8, 2003
Description: Versions of cfengine prior to 2.0.8 contain a stack overflow in the network I/O code which can be exploited remotely. See this advisory for details.
Alerts:
Gentoo 200310-2 2003-10-04


Updated vulnerabilities

2.4 kernel - several vulnerabilities

Package(s):2.4 kernel CVE #(s):CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created:July 21, 2003 Updated:December 23, 2003
Description: Several security issues have been discovered affecting the Linux kernel:
  • CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

  • CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

  • CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that this could allow normal users to bind to UDP ports used for services such as nfsd.

  • CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

  • CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

  • CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.

  • CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

  • CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
Alerts:
Red Hat RHSA-2003:408-00 2003-12-19
Gentoo 200308-01 2003-08-14
Debian DSA-358-4 2003-08-13
SuSE SuSE-SA:2003:034 2003-08-12
Debian DSA-358-2 2003-08-05
Debian DSA-358-3 2003-08-04
Debian DSA-358-1 2003-07-31
EnGarde ESA-20032407-018 2003-07-24
Red Hat RHSA-2003:238-01 2003-07-21


apache2: Denial of Service vulnerability

Package(s):apache2 CVE #(s):
Created:September 29, 2003 Updated:March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Gentoo 200403-04 2004-03-22
Netwosix NW-2004-0006 2004-03-25
Mandrake MDKSA-2003:096-1 2003-10-24
Mandrake MDKSA-2003:096 2003-09-26
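The mechanism behind this kind of hang is a pipe deadlock, and it is easy to reproduce outside Apache. The following is an added example modelling it, not Apache's or mod_cgi's code: the child process stands in for a CGI script that writes a large amount to standard error before finishing its response on standard output, and the parent stands in for a server that reads only stdout. Once the stderr pipe is full the child blocks in write(2); the parent is blocked in read(2) on stdout waiting for an EOF that can never arrive. The 4k figure in the entry is Apache's; this model writes 1 MiB so that the pipe fills whatever the kernel's buffer size, and the naive reader gives up after a timeout so the demonstration terminates.

```python
import subprocess
import sys
import threading

# Constructed stand-in for a CGI script: a big error log, then the response.
CHILD = (
    "import sys\n"
    "sys.stderr.write('E' * (1 << 20)); sys.stderr.flush()\n"
    "sys.stdout.write('Content-Type: text/plain\\r\\n\\r\\nok\\n'); sys.stdout.flush()\n"
)


def _spawn() -> subprocess.Popen:
    return subprocess.Popen([sys.executable, "-c", CHILD],
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)


def run_cgi_naive(timeout: float = 2.0) -> str:
    """Server reads stdout to EOF and never drains stderr: the deadlock.

    Returns the response if the script finished, or "hung" if the read did not
    complete within `timeout` (in which case the script is killed to clean up).
    """
    proc = _spawn()
    result = {}
    reader = threading.Thread(target=lambda: result.setdefault("out", proc.stdout.read()))
    reader.start()
    reader.join(timeout)
    if reader.is_alive():
        proc.kill()               # break the deadlock so the demo can return
        reader.join()
        proc.wait()
        proc.stdout.close()
        proc.stderr.close()
        return "hung"
    proc.wait()
    proc.stderr.close()
    return result["out"].decode()


def run_cgi_drained(timeout: float = 2.0) -> str:
    """Server drains both pipes concurrently, so the script can always finish."""
    proc = _spawn()
    out, err = proc.communicate(timeout=timeout)   # reads stdout and stderr together
    return out.decode() if proc.returncode == 0 else "error"


if __name__ == "__main__":
    print("naive reader:  ", run_cgi_naive())
    print("drained reader:", repr(run_cgi_drained()))
```

The same deadlock shows up anywhere a parent waits on one pipe while the child can block on another; `communicate()` is the standard library's answer because it services both descriptors at once.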


autorespond: buffer overflow

Package(s):autorespond CVE #(s):CAN-2003-0654
Created:August 18, 2003 Updated:September 30, 2003
Description: Christian Jaeger discovered a buffer overflow in autorespond, an email autoresponder used with qmail. This vulnerability could potentially be exploited by a remote attacker to gain the privileges of a user who has configured qmail to forward messages to autorespond. This vulnerability is currently not believed to be exploitable due to incidental limits on the length of the problematic input, but there may be situations in which these limits do not apply.

CAN-2003-0654

Alerts:
Debian DSA-373-1 2003-08-16


bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:September 30, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunately that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
Mandrake MDKSA-2002:050 2002-08-13
Yellow Dog YDU-20020810-3 2002-08-10
Eridani ERISA-2002:035 2002-08-09
Red Hat RHSA-2002:133-13 2002-08-08
SCO Group CSSA-2002-034.0 2002-08-05
Yellow Dog YDU-20020801-2 2002-08-01
Eridani ERISA-2002:028 2002-07-25
Red Hat RHSA-2002:139-10 2002-07-22
EnGarde ESA-20020724-018 2002-07-24
Mandrake MDKSA-2002:043 2002-07-16
Trustix 2002-0061 2002-07-15
Gentoo glibc-20020713 2002-07-13
Conectiva CLA-2002:507 2002-07-11
SuSE SuSE-SA:2002:026 2002-07-09
OpenPKG OpenPKG-SA-2002.006 2002-07-04


Canna server: exploitable buffer overrun

Package(s):canna CVE #(s):CAN-2002-1158 CAN-2002-1159
Created:December 10, 2002 Updated:September 30, 2003
Description: Canna is a kana-kanji conversion server which is necessary for Japanese language character input.

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

CAN-2002-1158
CAN-2002-1159

Alerts:
SCO Group CSSA-2003-005.0 2003-01-21
Debian DSA-224-1 2003-01-08
Gentoo 200212-8 2002-12-20
Red Hat RHSA-2002:246-18 2002-12-04


eroaster: insecure temporary file

Package(s):eroaster CVE #(s):CAN-2003-0656
Created:August 19, 2003 Updated:September 30, 2003
Description: A vulnerability was discovered in eroaster where it does not take any security precautions when creating a temporary file for the lockfile. This vulnerability could be exploited to overwrite arbitrary files with the privileges of the user running eroaster.

CAN-2003-0656

Alerts:
Gentoo 200309-04 2003-09-02
Mandrake MDKSA-2003:083 2003-08-19
Debian DSA-366-1 2003-08-05


ethereal: security problems in Ethereal 0.9.12

Package(s):ethereal CVE #(s):CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432
Created:June 23, 2003 Updated:November 10, 2003
Description: Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Alerts:
SCO Group CSSA-2003-030.0 2003-11-07
Yellow Dog YDU-20030718-2 2003-07-18
Red Hat RHSA-2003:203-01 2003-07-03
Gentoo 200306-13 2003-06-25
Conectiva CLA-2003:662 2003-06-25
Mandrake MDKSA-2003:070 2003-06-23


exim: buffer overflows

Package(s):exim exim-tls CVE #(s):CAN-2003-0743
Created:September 4, 2003 Updated:September 30, 2003
Description: A buffer overflow exists in exim, which is the standard mail transport agent in Debian. By supplying a specially crafted HELO or EHLO command, an attacker could cause a constant string to be written past the end of a buffer allocated on the heap. This vulnerability is not believed at this time to be exploitable to execute arbitrary code.

CAN-2003-0743

Alerts:
Gentoo 200309-09 2003-09-15
Debian DSA-376-2 2003-09-07
Conectiva CLA-2003:735 2003-09-05
Debian DSA-376-1 2003-09-04


Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

fdclone: insecure temporary directory

Package(s): fdclone  CVE #(s): CAN-2003-0596
Created: July 23, 2003  Updated: September 30, 2003
Description: fdclone creates a temporary directory in /tmp as a workspace. However, if this directory already exists, the existing directory is used instead, regardless of its ownership or permissions. This would allow an attacker to gain access to fdclone's temporary files and their contents, or replace them with other files under the attacker's control.

Alerts:
Debian DSA-352-1 2003-07-22

Comments (none posted)

fetchmail: buffer overflow

Package(s): fetchmail  CVE #(s): CAN-2002-1365
Created: December 17, 2002  Updated: October 20, 2003
Description: Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details.
Alerts:
Immunix IMNX-2003-7+-023-01 2003-10-17
Mandrake MDKSA-2003:011 2003-01-27
EnGarde ESA-20030127-002 2003-01-27
SCO Group CSSA-2003-001.0 2003-01-09
SuSE SuSE-SA:2003:001 2003-01-02
Debian DSA-216-1 2002-12-24
Red Hat RHSA-2002:293-09 2002-12-17
Conectiva CLA-2002:554 2002-12-16

Comments (3 posted)

freesweep: buffer overflow

Package(s): freesweep  CVE #(s): CAN-2003-0828
Created: October 1, 2003  Updated: October 1, 2003
Description: freesweep contains a buffer overflow vulnerability which may be exploited by a local user to obtain access to the "games" group.
Alerts:
Debian DSA-391-1 2003-09-28

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s): glibc  CVE #(s): CAN-2002-1146
Created: November 7, 2002  Updated: February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)

gnupg: key validation

Package(s): gnupg  CVE #(s): CAN-2003-0255
Created: May 15, 2003  Updated: November 17, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID.
Alerts:
SCO Group CSSA-2003-034.0 2003-11-17
Conectiva CLA-2003:694 2003-07-11
Yellow Dog YDU-20030602-4 2003-06-02
Mandrake MDKSA-2003:061 2003-05-22
Slackware ssa:2003-141-04 2003-05-22
Red Hat RHSA-2003:175-01 2003-05-20
Gentoo 200305-04 2003-05-16
OpenPKG OpenPKG-SA-2003.029 2003-05-16
EnGarde ESA-20030515-016 2003-05-15

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s): gtkhtml  CVE #(s): CAN-2003-0133 CAN-2003-0541
Created: April 14, 2003  Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

KDE: Two issues in KDM

Package(s): kde, xfree86  CVE #(s): CAN-2003-0690 CAN-2003-0692
Created: September 16, 2003  Updated: December 19, 2003
Description: According to this advisory two issues have been discovered in KDM:
  • CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
  • CAN-2003-0692: Session cookies generated by KDM are potentially insecure
All versions of KDM as distributed with KDE up to and including KDE 3.1.3 are affected.
Alerts:
Mandrake MDKSA-2003:118 2003-12-19
Gentoo 200311-01 2003-11-15
Debian DSA-388-1 2003-09-19
Conectiva CLA-2003:747 2003-09-19
Mandrake MDKSA-2003:091 2003-09-16
Red Hat RHSA-2003:269-01 2003-09-16

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s): kernel-utils  CVE #(s): CAN-2003-0019
Created: February 7, 2003  Updated: January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains User Mode Linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpam-smb: exploitable buffer overflow

Package(s): libpam-smb, pam-smb  CVE #(s): CAN-2003-0686
Created: August 26, 2003  Updated: September 30, 2003
Description: libpam-smb is a PAM authentication module which makes it possible to authenticate users against a password database managed by Samba or a Microsoft Windows server. If a long password is supplied, this can cause a buffer overflow which could be exploited to execute arbitrary code with the privileges of the process which invokes PAM services. See this advisory for more information.

Alerts:
Conectiva CLA-2003:734 2003-09-05
SuSE SuSE-SA:2003:036 2003-09-03
Gentoo 200309-01 2003-09-01
Red Hat RHSA-2003:261-01 2003-08-26
Debian DSA-374-1 2003-08-26

Comments (1 posted)

libpng, libpng3: buffer overflow

Package(s): libpng, libpng3  CVE #(s): CAN-2002-1363
Created: December 19, 2002  Updated: July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

lsh: remotely exploitable buffer overflow

Package(s): lsh  CVE #(s): CAN-2003-0831
Created: October 1, 2003  Updated: October 1, 2003
Description: lsh (an ssh implementation) 1.5.2 and prior has a remotely exploitable buffer overflow vulnerability; see this advisory for details.
Alerts:
SuSE SuSE-SA:2003:041 2003-10-01

Comments (none posted)

lynx: CRLF injection vulnerability

Package(s): lynx  CVE #(s): CAN-2002-1405
Created: November 19, 2002  Updated: September 30, 2003
Description: If lynx is given a URL containing certain special characters on the command line, it will include faked headers in the HTTP request. This behaviour can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts.

Alerts:
Conectiva CLA-2003:720 2003-08-11
Mandrake MDKSA-2003:023 2003-02-24
OpenPKG OpenPKG-SA-2003.011 2003-02-18
Red Hat RHSA-2003:029-06 2003-02-12
Trustix 2002-0085 2002-12-19
Debian DSA-210-1 2002-12-13
SCO Group CSSA-2002-049.0 2002-11-18

Comments (none posted)

marbles: buffer overflow

Package(s): marbles  CVE #(s): CAN-2003-0830
Created: October 1, 2003  Updated: October 1, 2003
Description: The 'marbles' game contains a buffer overflow in its processing of the HOME environment variable. A local user can exploit this vulnerability to obtain access to the "games" group.
Alerts:
Debian DSA-390-1 2003-09-26

Comments (none posted)

mikmod: buffer overflow

Package(s): mikmod  CVE #(s): CAN-2003-0427
Created: June 16, 2003  Updated: June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mindi: insecure file creations

Package(s): mindi  CVE #(s): CAN-2003-0617
Created: September 2, 2003  Updated: September 30, 2003
Description: Mindi versions prior to 0.86 create files in /tmp insecurely, which could allow a local user to overwrite arbitrary files.

Alerts:
Gentoo 200309-05 2003-09-02
Debian DSA-362-1 2003-08-02

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s): mplayer  CVE #(s): CAN-2003-0835
Created: September 29, 2003  Updated: April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Mandrake MDKSA-2004:026 2004-04-05
Gentoo 200403-13 2004-03-31
Conectiva CLA-2003:760 2003-10-06
Mandrake MDKSA-2003:097 2003-09-30
Gentoo 200309-15 2003-09-27

Comments (none posted)

mysql: arbitrary code execution

Package(s): mysql  CVE #(s): CAN-2003-0780
Created: September 15, 2003  Updated: October 9, 2003
Description: Frank Denis reported a vulnerability in MySQL affecting MySQL3 versions 3.0.57 and earlier and MySQL4 versions 4.0.14 and earlier. Passwords of MySQL users are stored in the "Password" field of the "User" table, part of the "mysql" database. The passwords are hashed and stored as a 16-character hexadecimal value. Unfortunately, a function involved in password checking lacks correct bounds checking. By filling a "Password" field with a value wider than 16 characters, a buffer overflow will occur. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0780 to the problem.
Alerts:
Red Hat RHSA-2003:281-01 2003-10-09
SuSE SuSE-SA:2003:042 2003-10-01
Mandrake MDKSA-2003:094 2003-09-18
Conectiva CLA-2003:743 2003-09-18
EnGarde ESA-20030918-025 2003-09-18
Trustix 2003-0034 2003-09-17
Gentoo 200309-08 2003-09-15
OpenPKG OpenPKG-SA-2003.038 2003-09-15
Debian DSA-381-1 2003-09-13

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s): nessus  CVE #(s):
Created: May 27, 2003  Updated: August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netris: buffer overflow

Package(s): netris  CVE #(s): CAN-2003-0685
Created: August 18, 2003  Updated: September 30, 2003
Description: Shaun Colley discovered a buffer overflow vulnerability in netris, a network version of a popular puzzle game. A netris client connecting to an untrusted netris server could be sent an unusually long data packet, which would be copied into a fixed-length buffer without bounds checking. This vulnerability could be exploited to gain the privileges of the user running netris in client mode, if they connect to a hostile netris server.

Alerts:
Debian DSA-372-1 2003-08-16

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s): net-snmp  CVE #(s): CAN-2002-1170
Created: December 17, 2002  Updated: November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Conectiva CLA-2003:778 2003-11-07
Red Hat RHSA-2002:228-11 2002-12-17

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s): nfs-utils  CVE #(s): CAN-2003-0252
Created: July 14, 2003  Updated: March 8, 2004
Description: The Linux NFS utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Trustix TSLSA-2004-0009 2004-03-05
SCO Group CSSA-2003-037.0 2003-11-17
Conectiva CLA-2003:700 2003-07-22
Mandrake MDKSA-2003:076 2003-07-21
Gentoo 200307-07 2003-07-19
Yellow Dog YDU-20030718-1 2003-07-18
Slackware SSA:2003-195-01b 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Slackware SSA:2003-195-01 2003-07-14
Debian DSA-349-1 2003-07-14
Red Hat RHSA-2003:206-01 2003-07-14

Comments (none posted)

openssh: multiple PAM vulnerabilities in Portable OpenSSH versions 3.7p1 and 3.7.1p1

Package(s): openssh  CVE #(s):
Created: September 23, 2003  Updated: October 1, 2003
Description: Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). See this advisory for details.
Alerts:
Trustix 2003-0036 2003-09-27
Slackware SSA:2003-266-01 2003-09-24
OpenPKG OpenPKG-SA-2003.042 2003-09-24
Gentoo 200309-14 2003-09-23

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s): openssh  CVE #(s): CAN-2003-0190
Created: May 2, 2003  Updated: November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSH: buffer management error

Package(s): OpenSSH  CVE #(s): CAN-2003-0693
Created: September 16, 2003  Updated: September 30, 2003
Description: All versions of OpenSSH's sshd prior to 3.7.1 contain a buffer management error. It is uncertain whether this error is exploitable. Note that most distributors have issued two updates, since the first fix was found to be incomplete. See the second advisory for details.

Alerts:
SCO Group CSSA-2003-027.0 2003-10-02
Debian DSA-383-2 2003-09-21
Debian DSA-382-3 2003-09-21
SuSE SuSE-SA:2003:039 2003-09-18
EnGarde ESA-20030918-024 2003-09-18
Yellow Dog YDU-20030917-1 2003-09-17
Conectiva CLA-2003:741 2003-09-17
Debian DSA-383-1 2003-09-17
Sorcerer SORCERER2003-09-17 2003-09-17
Slackware SSA:2003-260-01 2003-09-17
Red Hat RHSA-2003:279-02 2003-09-17
Mandrake MDKSA-2003:090-1 2003-09-17
Trustix 2003-0033 2003-09-17
OpenPKG OpenPKG-SA-2003.040 2003-09-17
Immunix IMNX-2003-7+-020-02 2003-09-16
Gentoo 200309-12 2003-09-16
Debian DSA-382-2 2003-09-17
SuSE SuSE-SA:2003:038 2003-09-16
Slackware SSA:2003-259-01 2003-09-16
Mandrake MDKSA-2003:090 2003-09-16
Immunix IMNX-2003-7+-020-01 2003-09-16
Debian DSA-382-1 2003-09-16
Red Hat RHSA-2003:279-01 2003-09-16
EnGarde ESA-20030916-023 2003-09-16
Conectiva CLA-2003:739 2003-09-16

Comments (none posted)

openssl: vulnerabilities in ASN.1 code

Package(s): openssl  CVE #(s): CAN-2003-0543 CAN-2003-0544 CAN-2003-0545
Created: September 30, 2003  Updated: November 4, 2003
Description: Vulnerabilities have been found in OpenSSL ASN.1 code. This advisory contains details of 4 separate problems in versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all versions of SSLeay.

An attack against other applications that use OpenSSL could result in a Denial of Service. See CAN-2003-0543 and CAN-2003-0544.

It may be possible for an attacker to exploit this issue to execute arbitrary code. See CAN-2003-0545.

CERT has an updated OpenSSL advisory identifying additional OpenSSL vulnerabilities.

Alerts:
EnGarde ESA-20031104-029 2003-11-04
Debian DSA-394-1 2003-10-11
Conectiva CLA-2003:759 2003-10-03
EnGarde ESA-20031003-028 2003-10-03
Tawie 2003-0001 2003-10-02
SuSE SuSE-SA:2003:043 2003-10-01
Slackware SSA:2003-273-01 2003-09-30
Mandrake MDKSA-2003:098 2003-09-30
Gentoo 200309-19 2003-10-01
Debian DSA-393-1 2003-10-01
Conectiva CLA-2003:751 2003-09-30
EnGarde ESA-20030930-027 2003-09-30
Immunix IMNX-2003-7+-022-01 2003-09-29
OpenPKG OpenPKG-SA-2003.044 2003-09-30
Red Hat RHSA-2003:292-01 2003-09-30
Red Hat RHSA-2003:291-01 2003-09-30

Comments (none posted)

pam-pgsql: format string vulnerability

Package(s): pam-pgsql  CVE #(s): CAN-2003-0672
Created: August 11, 2003  Updated: September 30, 2003
Description: Florian Zumbiehl reported a vulnerability in pam-pgsql whereby the username to be used for authentication is used as a format string when writing a log message. This vulnerability may allow an attacker to execute arbitrary code with the privileges of the program requesting PAM authentication.

Alerts:
Debian DSA-370-1 2003-08-08

Comments (none posted)

perl: cross site scripting vulnerability in CGI.pm module

Package(s): perl  CVE #(s): CAN-2003-0615
Created: July 29, 2003  Updated: September 30, 2003
Description: obscure@eyeonsecurity.org reported a cross site scripting vulnerability in the CGI.pm Perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package.

Alerts:
Red Hat RHSA-2003:256-02 2003-10-03
Red Hat RHSA-2003:256-01 2003-09-22
OpenPKG OpenPKG-SA-2003.039 2003-09-15
Mandrake MDKSA-2003:084 2003-08-20
Debian DSA-371-1 2003-08-11
OpenPKG OpenPKG-SA-2003.036 2003-08-06
Conectiva CLA-2003:713 2003-07-29

Comments (none posted)

PHP: vulnerability in mail function

Package(s): php  CVE #(s): CAN-2002-0985 CAN-2002-0986
Created: November 13, 2002  Updated: September 30, 2003
Description: Two vulnerabilities exist in the PHP mail() function. The first one allows the execution of any program/script, bypassing the safe_mode restriction; the second one may result in an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0.

Alerts:
SCO Group CSSA-2003-008.0 2003-03-04
Gentoo 200211-005 2002-11-20
EnGarde ESA-20021122-031 2002-11-22
Conectiva CLA-2002:545 2002-11-13
Red Hat RHSA-2002:213-06 2002-11-11

Comments (none posted)

phpgroupware - cross-site scripting and other exploits

Package(s): phpgroupware  CVE #(s): CAN-2003-0504 CAN-2003-0582
Created: July 16, 2003  Updated: September 30, 2003
Description: Several vulnerabilities were discovered in all versions of phpgroupware prior to 0.9.14.006. This latest version fixes an exploitable condition in all versions that can be exploited remotely without authentication and can lead to arbitrary code execution on the web server. This vulnerability is being actively exploited.

Version 0.9.14.005 fixed several other vulnerabilities including cross-site scripting issues that can be exploited to obtain sensitive information such as authentication cookies.

See this Security Corporation report for more information.

Alerts:
Debian DSA-365-1 2003-08-05
Conectiva CLA-2003:703 2003-07-23
Mandrake MDKSA-2003:077 2003-07-23
Conectiva CLA-2003:697 2003-07-16

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s): postfix  CVE #(s): CAN-2003-0468 CAN-2003-0540
Created: August 5, 2003  Updated: May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s): postgresql  CVE #(s):
Created: February 12, 2003  Updated: November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Debian DSA-397-1 2003-11-07
Immunix IMNX-2003-7+-005-01 2003-04-08
Trustix 2003-0004 2003-02-20
Mandrake MDKSA-2002:062-1 2003-02-11

Comments (1 posted)

proftpd: remote root shell

Package(s): proftpd  CVE #(s): CAN-2003-0831
Created: September 24, 2003  Updated: January 2, 2004
Description: The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information.
Alerts:
Mandrake MDKSA-2003:095-1 2003-12-31
Conectiva CLA-2003:750 2003-09-29
Gentoo 200309-16 2003-09-28
Trustix 2003-0037 2003-09-27
Mandrake MDKSA-2003:095 2003-09-26
OpenPKG OpenPKG-SA-2003.043 2003-09-25
Slackware SSA:2003-259-02 2003-09-23

Comments (2 posted)

Local arbitrary code execution vulnerability in Python

Package(s): python  CVE #(s): CAN-2002-1119
Created: August 28, 2002  Updated: September 30, 2003
Description: Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2.