Happenings on the DMCA front
It has been a busy week for those who watch the Digital Millennium
Copyright Act and its effects. Here's a quick summary of what has been
happening.
Every three years, the Librarian of Congress must consider applications for
exemptions to the DMCA's anti-circumvention provisions. The decisions for
this cycle have just been posted; they may be downloaded in PDF
format. Four applications were granted this time:
- Compilations consisting of lists of Internet locations blocked
by commercially marketed filtering software applications...
Interestingly, the exemption explicitly does not extend to anti-spam
blacklists.
- Computer programs protected by dongles that prevent access due to
malfunction or damage and which are obsolete.
- Computer programs and video games distributed in formats that have
become obsolete and which require the original media or hardware as a
condition of access.
- Literary works distributed in ebook format when all existing ebook
editions of the work ... contain access controls that prevent the
enabling of the ebook's read-aloud function and that prevent the
enabling of screen readers to render the text into a specialized
format.
Many other proposals were turned down. As Ed Felten notes,
"My own exemption request, asking for exemptions for information
security researchers, was denied as expected." Blanket exemptions
for (otherwise) non-infringing uses, or for fair use were turned down as
not properly specifying which works should be exempted. A requested
exemption for making backup copies of DVDs was rejected because it did not
show, to the Librarian's satisfaction, that DVDs are fragile or that making
a backup copy is a noninfringing use.
Static Control Components has been engaged in a DMCA fight with Lexmark
over printer cartridges. SCC makes toner cartridges which work in
Lexmark's printers; Lexmark has made the claim that SCC's products, by
circumventing a printer "feature" that causes it to not function with
cartridges manufactured by others, violate the DMCA. As part of its fight,
SCC asked for an exemption specific to printers that would make its
products unambiguously legal. The proposed exemption was turned down
because, according to the Librarian, the existing interoperability
exemption covers this case. Thus, in losing its exemption, SCC appears to
have won its case with Lexmark; the company lost no time in issuing
a press release to that effect.
Speaking of press releases, 321 Studios, a company which sells a
DVD-copying program, has announced
that it will be appealing the ruling on the making of backup copies of
DVDs.
Finally, there is a growing case involving numerous people - mostly college
students in the U.S. - who are fighting DMCA takedown notices from Diebold
Election Systems. Diebold is a manufacturer of computerized voting
machines. These students came into possession of some internal
Diebold correspondence which shows a distressingly cavalier attitude toward
the accuracy of election votes and the integrity of the election process in
general. Diebold, rather than facing up to its problems, is simply trying
to suppress the incriminating memos. For those who understand the net, the
results of this effort have been entirely predictable: copies of the
correspondence have now been distributed worldwide. The organizers of this
effort are calling for help, however, in the
form of additional mirrors and publicity. This effort deserves support;
transparent and accurate management of elections is too important to be
pushed aside by the DMCA.
Comments (6 posted)
A look at Fedora Core 1
With the first stable release of Fedora Core scheduled for early next week,
we thought we'd take a look at the final test release to see what users
could expect from Fedora.
This release ("Severn") looks and feels like recent Red Hat releases, which
is not
entirely surprising. The default desktop is still GNOME with Metacity as
the window manager.
For the most part, if you're familiar with the Red Hat 9 release, Fedora
will contain few surprises. The installation procedure is mostly the
same as Red Hat 9, though users now have a few
additional install options. Fedora 0.95 adds the ability to perform a
graphical install over FTP or HTTP, and the ability to perform an install
via VNC.
We installed the Severn release on two machines to see how well it
fared. On one machine we installed the "Server" package set, and
performed a "Custom" install on the second machine. The entire install
took less than thirty minutes on an Athlon 2600+ XP machine with 1 GB of
RAM, and about forty-five minutes on an Athlon 1GHz machine with 1 GB
of RAM.
The only real glitch we encountered was that Severn had a little trouble
setting up the Matrox G450 dual-head video card. Though it offered the
option of performing a dual-head setup that spanned both monitors, it
kept producing a cloned display. A quick hand-edit of our XF86Config
file solved the problem.
The firewall configuration during installation is somewhat simpler than
the configuration that was present in Red Hat 9. Red Hat 9 offered
"High," "Medium," and "No Firewall." The option with Fedora is to turn
the firewall on or off. The user can also specify ports that should be
passed through the firewall: the installer offers SSH, HTTP, FTP, Telnet and
SMTP, or the user can enter other ports and protocols by hand.
Though it's a small thing, one also notices a difference in attitude
during the installation. Instead of seeing Red Hat promotions during the
install, the user is told that Fedora has a new graphical boot feature
("Who understood all that text scrolling by anyway?") and is encouraged
to sign up for Fedora user and developer lists ("Hey! It's better than
spam!").
There is a full list of packages for Severn test 3 release here. It may
change slightly for the final release. Most of the packages have been
updated since Red
Hat 9, of course, but the package list hasn't changed that much.
One new inclusion in Fedora is Yum, an APT-like package
installer/updater. Yum is not installed by default,
but it is included on the Severn CDs.
Yum's command set is similar to apt-get's. One striking difference,
however, shows up when running "yum check-update" to learn which packages
have changed. The apt-get update command simply retrieves an index file
for each package repository, which is fairly fast. Yum, on the other hand,
retrieves RPM header information for every installed RPM, which can be
very time-consuming.
Some packages have not made the cut from Red Hat 9 to Fedora. The LPRng
print system is no longer supported or included with Fedora. CUPS is now
the official, and only, print spooler for Red Hat/Fedora systems.
According to the Fedora 0.95 release notes, LPRng will be replaced
by CUPS even if the user decides to upgrade an existing Red Hat system with
Fedora.
Galeon is out, replaced by Epiphany. Users no longer have the option of
using the LILO bootloader. Pine has been kicked due to licensing issues
and "long-term maintenance concerns." Zebra has been replaced by the Quagga Routing Suite, and Tripwire has
been removed as well.
Another interesting change is the inclusion of the Native POSIX Thread Library
(NPTL). The Severn release ships with a 2.4.22 kernel with NPTL
replacing the user-space LinuxThreads implementation. This means that some
applications, notably Sun's Java Runtime Environment (JRE) prior to
1.4.1 and IBM's JRE will have issues. For applications that need the old
implementation, there is a workaround described in the release notes.
The Fedora kernel also includes "exec shield," a kernel patch that we
covered last May. By
default exec shield is turned on for programs that are "marked" for this
functionality. For the Fedora release, this pretty much means that the
program needs to have been built with the Fedora toolchain.
Fedora Core 1 is still very much a Red Hat product, even if the "Red Hat
Linux" name has been filed off. There has not, as yet, been time for a
true development community to form; traffic on the Fedora mailing lists is
tiny relative to those of, say, Debian or Mandrake's Cooker. So it is hard
to guess what Fedora will look like in the future.
But, if Fedora 0.95 is any indication, the first "stable"
release looks to be shaping up well. If all goes as planned,
Fedora Core 1.0 will be released on Monday, November 3.
Comments (17 posted)
SCO responds to IBM's counterclaims
The SCO Group has filed its response to IBM's counterclaims; the full text
may be found in PDF format. Since this document is structured as a set of
direct responses to the claims made by IBM, much of what's there must be
read in the context of IBM's amended filing to make sense.
SCO's responses come down to a relatively small set of points, however,
which we will examine here.
One area of dispute has to do with exactly what rights were bought from
Novell in 1995. Novell claims the right to veto some of SCO's actions,
such as the yanking of IBM's AIX license. SCO disputes that claim.
Without access to the actual agreement between the two companies, it is
impossible to come to any conclusion here; this will be a job for the
court.
IBM's claim #16 reads:
16. Linux is an operating system that stems from a rich history of
collaborative development. Linux is a dynamic and versatile
operating system and is, for many, the operating system of choice.
This would seem like a relatively uncontroversial thing for IBM to say.
Even SCO, in the end, has embarked on all this litigation because Linux has
become "the operating system of choice" for many of its former customers.
Here's SCO's response, however:
16. Denies the allegations of ¶16 and alleges that Linux is,
in actuality, an unauthorized version of Unix that is structured,
assembled, and designed to be technologically indistinguishable
from Unix, and practically is distinguishable only in that Linux is
a "free" version of Unix designed to destroy proprietary operating
system software.
This is, of course, the company that made a go at developing and selling
Linux for years, even after it obtained its rights, whatever they may be,
to the Unix code base.
Much of SCO's response, however, is aimed in a different direction: SCO is,
once again, claiming that the GPL is not an enforceable license. Thus, for
example, when IBM claims:
25. Whereas the licenses for most software are programs designed
to limit or restrict a licensee's freedom to share and change
it, the GPL is intended to guarantee a licensee's freedom to
share and change free software--to make sure the software is
free for all its users. The GPL applies to any program whose
authors commit to using it.
SCO responds with:
25. Admits that the GPL purports to guarantee the right to freely
share and change free software, but denies that the GPL
applies to any program whose authors commit to using it,
denies enforceability or applicability of the GPL, and is
without information sufficient to admit or deny the remaining
allegations of ¶25 not specifically admitted herein, and
therefore denies the same.
In other words, according to SCO, those who write code are not entitled to
attach a license to it, and even if they were, the GPL is not a valid
license.
This anti-GPL rhetoric reaches its peak in the "affirmative defenses" at the
end of the filing:
- The General Public License ("GPL") is unenforceable, void
and/or voidable, and IBM's claims based thereon or related thereto
are barred.
- The GPL is selectively enforced by the Free Software
Foundation such that the enforcement of the GPL by IBM or others is
waived, estopped, or otherwise barred as a matter of equity.
- The GPL violates the U.S. Constitution, together with
copyright, antitrust, and export control laws, and IBM's claims
based thereon, or related thereto, are barred.
These defenses come with no supporting evidence; they are simply put out
there to stand on their own. The first claim will,
eventually, depend on what a court finds, but many are confident that the
GPL will hold up just fine. The second is ridiculous; whether or not the
FSF is selective in its enforcement of the GPL has no relevance to
how IBM enforces its own copyright rights. Bringing the Constitution and
antitrust law into
it (with the third claim) is new, but SCO's previous reasoning on the GPL
and copyright law has been humorous at best.
In other details, SCO denies that its "letter to Linux users" threatened
any sort of litigation. Strangely enough, SCO has removed that letter from
its web site, making it harder for anybody who might want to check for
themselves. Happily, this SCO v. IBM
site has kept a
copy handy.
SCO also goes to some lengths to try to fight off IBM's patent claims. The
response even alleges that IBM might not own the patents at all.
Most of the defenses seem like a sideshow, however, compared to SCO's
sustained attacks on the GPL. Clearly, the company sees the GPL as an
obstacle that must be overcome. Just why SCO is so eager to see the GPL
defeated is still not entirely clear, however. Perhaps the company simply
wishes to destroy the Linux ecology outright so that there might yet be
room for its outmoded, failing proprietary offerings. Or perhaps SCO is
trying to find a way that it can apply a tax to all Linux shipments. Or
maybe it is all simply a set of delay and FUD tactics while the real goal
is pursued elsewhere. Given that we are facing a concerted attack on one
of the pillars of the free software community - an attack now funded with
another $50 million in investment money - it is proper to be
concerned. Unless the attackers can come up with some better arguments,
however, the GPL looks set to stand for a long time yet.
Comments (25 posted)
Page editor: Jonathan Corbet
Security
Security news
Weblog Comments - A New Frontier for Spam
October 29, 2003
This article was contributed by Jake Edge.
The war over spam has
erupted recently in a new arena: weblog comments.
The parallels to the battles that have been fought on the email spam
front are considerable, but unlike email spam, weblog spam is targeted
at Google (and other search engines that use number of links to derive
page rankings) to increase the visibility of the sites that are being
advertised via spam. Comment spam seems to be on the rise with weblog
owners noticing a large increase in the number of incidents over the last
month or two.
Weblogs are sites that allow the owner to post articles and essays of
whatever happens to strike their fancy that day and most weblog software
enables readers to post comments on the stories. LWN's comment system provides
the same feature for this site but, unlike LWN comments, many weblogs allow
(and even encourage) anonymous comments. That openness, like the lack
of sender authentication for email, provides an avenue for abuse. Requiring
registration before allowing comments does not eliminate the problem
entirely (LWN has had a small amount of comment spam), but it does increase
the amount of work the spammer must do.
The basic mode of attack uses a program to automatically post comments
on multiple articles throughout the weblog. These unwanted messages include
the URL of a website that
will give you the opportunity to buy one or more of the usual items:
diplomas, prescription drugs, porn,
etc. The program then moves on to other sites using the same software,
aided, no doubt, by the various directories of weblogs using a particular
software package that are available. Eventually, Google and other search
engines visit the weblog sites; thereafter, the
spammer's site gains a high ranking due to all of the links to it that are
found.
One of the more popular (though not entirely free) packages for running a
weblog is
Movable Type; its user
community has been the most active so far in combating comment spam.
For example,
one set of tips
(described by Yoz Grahame)
attempts to thwart the way the current spam programs work by changing
the default behavior of the software. Something as simple as changing the
"post a comment" link can be sufficient to confuse most automated comment
posting scripts. These techniques will only help until enough people
implement them that it becomes worth a spammer's effort to write more
adaptable code to circumvent them.
Many of the other comment spam handling techniques will seem very familiar
to anyone who has been dealing with the deluge of email spam: Bayesian
filtering and blacklisting based on the URLs in the comment and/or user
profile are two of the more popular techniques.
Bayesian filtering uses the frequency of words in
a message and a database of word counts
from previous messages that have been categorized as spam or non-spam
(often called "ham") to determine a probability that the new message is
spam. If the probability is too high, the message is rejected.
The blacklisting patch collects the URLs that are advertised in the offending
messages and rejects any comments that refer to any of those URLs.
Both of these techniques can be worked around by a spammer with enough
incentive, but they make the spammer's job much harder.
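As an added illustration (not code from this article or from any of the Movable Type plug-ins it mentions), the following Python puts the two techniques just described side by side: a naive Bayesian classifier trained on a small constructed set of spam and ham comments, and a URL blacklist derived from the hosts those spam comments advertise. The training comments, the hostnames (all under .example), and the 0.9 rejection threshold are assumptions made for the demonstration.

```python
import math
import re
from collections import Counter

# Tokens are lower-case runs of letters/digits; a URL therefore contributes
# "http", its host labels and its path words as ordinary features.
WORD_RE = re.compile(r"[a-z0-9']+")
# Host part of any http(s) URL in the comment body.
URL_HOST_RE = re.compile(r"""https?://([^\s/'"<>]+)""", re.IGNORECASE)


def tokenize(text):
    """Set of distinct words in a comment (presence, not frequency)."""
    return set(WORD_RE.findall(text.lower()))


def extract_hosts(text):
    """Lower-cased hostnames advertised in a comment's URLs."""
    return {h.lower() for h in URL_HOST_RE.findall(text)}


class BayesianFilter:
    """Naive Bayes over word presence, trained on comments already sorted
    into spam and ham.  Laplace smoothing keeps never-seen words neutral."""

    def __init__(self):
        self.spam_words = Counter()
        self.ham_words = Counter()
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text, is_spam):
        words = tokenize(text)
        if is_spam:
            self.spam_words.update(words)
            self.n_spam += 1
        else:
            self.ham_words.update(words)
            self.n_ham += 1

    def spam_probability(self, text):
        """P(spam | words): per-word likelihood ratios are combined in log
        space so that a long comment cannot underflow the product to zero."""
        log_odds = math.log((self.n_spam + 1) / (self.n_ham + 1))
        for w in tokenize(text):
            p_w_spam = (self.spam_words[w] + 1) / (self.n_spam + 2)
            p_w_ham = (self.ham_words[w] + 1) / (self.n_ham + 2)
            log_odds += math.log(p_w_spam / p_w_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


def moderate(comment, filt, blacklist, threshold=0.9):
    """Cheap exact check first (URL blacklist), statistical check second."""
    if extract_hosts(comment) & blacklist:
        return "reject:blacklist"
    if filt.spam_probability(comment) >= threshold:
        return "reject:bayes"
    return "accept"


# Constructed training corpus for the demonstration (not real comments).
SPAM_SAMPLES = [
    "Buy cheap prescription drugs online http://pills.example/offer",
    "Get your diploma fast, no classes http://degree.example",
    "Hot porn pics free http://xxx.example",
    "Cheap drugs and free pills http://pills.example/cheap",
]
HAM_SAMPLES = [
    "Great post, I had the same problem with my Matrox card",
    "Thanks for writing this up, the kernel patch worked for me",
    "I disagree with the second point but nice article",
    "Did you try the XF86Config change mentioned above?",
]


def build_demo_filter():
    """Train the filter and derive the URL blacklist from the same spam."""
    filt = BayesianFilter()
    for s in SPAM_SAMPLES:
        filt.train(s, True)
    for h in HAM_SAMPLES:
        filt.train(h, False)
    blacklist = set()
    for s in SPAM_SAMPLES:
        blacklist |= extract_hosts(s)
    return filt, blacklist


DEMO_FILTER, DEMO_BLACKLIST = build_demo_filter()

if __name__ == "__main__":
    for c in ["cheap drugs http://pills.example/new",
              "cheap drugs here http://newpharm.example/buy",
              "Nice article, the patch worked for me too"]:
        verdict = moderate(c, DEMO_FILTER, DEMO_BLACKLIST)
        print(f"{verdict:17s} p={DEMO_FILTER.spam_probability(c):.4f}  {c}")
```

The blacklist check runs first because it is an exact and cheap test; the Bayesian score then catches spam that points at a host not yet listed. Since a URL's host labels also become ordinary tokens, a repeat offender trains the filter as well as the blacklist, which is the kind of overlap that makes a shared, distributed URL list useful to both communities.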
Another technique that is becoming more popular is the email and web-based
challenge-response system, which generates a blurry graphic that is
(presumably) only readable by humans. Such systems require that the text in
the graphic be typed into a form to ensure that a human, and not a program,
is initiating the action. This technique, too, has made its way into the
arsenal of webloggers via this plug-in for Movable Type.
This scheme does have a number of downsides because it requires a graphical
browser to post messages and may be unusable by the visually impaired.
Other weblogging software developers may have run into this problem and come
up with their own sets of fixes, but the Movable Type community appears to
be at the forefront of this particular battle. Perhaps the spammers have
yet to target other systems in an automated way. If (or more likely when)
they do, the newly targeted weblogging software can use one or more of the
techniques above to combat the spam.
Weblog comment and email spam fighters are running into the same issues
and, in many cases, producing similar solutions; cooperation between the
two groups will lead to better spam fighting.
One of the future plans for Jay Allen's blacklist
(above) is to create a distributed list of URLs that are being advertised
via spam and with proper controls one can imagine that list being useful
to the email spam fighting crowd. A filter using the rules for email
message bodies in
SpamAssassin might be useful
for folks confronting spam in their weblog comments as well.
Comments (12 posted)
New vulnerabilities
apache: buffer overflows in mod_alias, mod_rewrite
| Package(s): | apache |
CVE #(s): | CAN-2003-0542
CAN-2003-0789
|
| Created: | October 28, 2003 |
Updated: | February 13, 2004 |
| Description: |
André Malo discovered
buffer overflows in the mod_alias and mod_rewrite modules of the Apache
webserver. These occurred if a regular expression with more than 9
capturing parentheses was configured. To exploit this, an attacker would
need to be able to locally create a carefully crafted configuration file
(.htaccess or httpd.conf); in practice that means shared hosts where
untrusted users are allowed to supply .htaccess files containing such
directives.
CAN-2003-0542
A separate bug in Apache 2.0.47 and earlier: mod_cgid's mishandling of CGI
redirect paths could result in CGI output going to the wrong client when a
threaded MPM is used.
CAN-2003-0789. |
| Alerts: |
|
Comments (none posted)
libnids: remotely exploitable buffer overflow
| Package(s): | libnids |
CVE #(s): | CAN-2003-0850
|
| Created: | October 29, 2003 |
Updated: | January 6, 2004 |
| Description: |
libnids (a network intrusion detection library that emulates the Linux 2.0 IP stack to reassemble IP fragments and TCP streams) contains a buffer overflow vulnerability which can be exploited remotely. Version 1.18 fixes the problem. |
| Alerts: |
|
Comments (none posted)
thttpd: multiple vulnerabilities
| Package(s): | thttpd |
CVE #(s): | CAN-2002-1562
CAN-2003-0899
|
| Created: | October 29, 2003 |
Updated: | November 6, 2003 |
| Description: |
The thttpd web server has a pair of vulnerabilities which can lead to information disclosure and arbitrary code execution; both are remotely exploitable. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
2.4 kernel - several vulnerabilities
| Package(s): | 2.4 kernel |
CVE #(s): | CAN-2003-0461
CAN-2003-0462
CAN-2003-0464
CAN-2003-0476
CAN-2003-0501
CAN-2003-0550
CAN-2003-0551
CAN-2003-0552
|
| Created: | July 21, 2003 |
Updated: | December 23, 2003 |
| Description: |
Several security issues have been discovered affecting the Linux kernel:
-
CAN-2003-0461: /proc/tty/driver/serial reveals the exact character
counts for serial links. This could be used by a local attacker to infer
password lengths and inter-keystroke timings during password entry.
-
CAN-2003-0462: Paul Starzetz discovered a file read race condition
existing in the execve() system call, which could cause a local crash.
-
CAN-2003-0464: A recent change in the RPC code set the reuse flag on
newly-created sockets. Olaf Kirch noticed that this could allow normal
users to bind to UDP ports used for services such as nfsd.
-
CAN-2003-0476: The execve system call in Linux 2.4.x records the file
descriptor of the executable process in the file table of the calling
process, allowing local users to gain read access to restricted file
descriptors.
-
CAN-2003-0501: The /proc filesystem in Linux allows local users to
obtain sensitive information by opening various entries in /proc/self
before executing a setuid program. This causes the program to fail to
change the ownership and permissions of already opened entries.
-
CAN-2003-0550: The STP protocol is known to have no security, which
could allow attackers to alter the bridge topology. STP is now turned
off by default.
-
CAN-2003-0551: STP input processing was lax in its length checking,
which could lead to a denial of service.
-
CAN-2003-0552: Jerry Kreuscher discovered that the bridge forwarding table
could be spoofed by sending forged packets whose source addresses match
those of the local host.
|
| Alerts: |
|
Comments (none posted)
apache2: Denial of Service vulnerability
| Package(s): | apache2 |
CVE #(s): | |
| Created: | September 29, 2003 |
Updated: | March 25, 2004 |
| Description: |
A problem was discovered in Apache2 where CGI scripts that write more than
4k to the standard error stream will hang the script's execution. This problem can lead to a
denial of service situation. See this bug
report for additional details. |
| Alerts: |
|
Comments (none posted)
ethereal: security problems in Ethereal 0.9.12
| Package(s): | ethereal |
CVE #(s): | CAN-2003-0428
CAN-2003-0429
CAN-2003-0431
CAN-2003-0432
|
| Created: | June 23, 2003 |
Updated: | November 10, 2003 |
| Description: |
Several security problems have been found in Ethereal
0.9.12. "It may be possible to make Ethereal crash or run
arbitrary code by injecting a purposefully malformed packet onto the wire,
or by convincing someone to read a malformed packet trace file." |
| Alerts: |
|
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
fetchmail may crash on specially crafted message
| Package(s): | fetchmail |
CVE #(s): | CAN-2003-0792
|
| Created: | October 16, 2003 |
Updated: | April 8, 2004 |
| Description: |
A bug was discovered in fetchmail 6.2.4 where a specially crafted email
message can cause fetchmail to crash.
|
| Alerts: |
|
Comments (none posted)
fileutils/wu-ftpd: denial of service
| Package(s): | fileutils |
CVE #(s): | CAN-2003-0854
|
| Created: | October 22, 2003 |
Updated: | March 2, 2004 |
| Description: |
There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details. |
| Alerts: |
|
Comments (none posted)
gdm: local attacker may crash or freeze gdm
| Package(s): | gdm |
CVE #(s): | CAN-2003-0793
CAN-2003-0794
|
| Created: | October 16, 2003 |
Updated: | October 27, 2003 |
| Description: |
Two vulnerabilities were discovered in gdm by Jarno Gassenbauer that would
allow a local attacker to cause gdm to crash or freeze.
CAN-2003-0793
CAN-2003-0794 |
| Alerts: |
|
Comments (none posted)
glibc - buffer overflow
| Package(s): | glibc |
CVE #(s): | CAN-2003-0689
|
| Created: | October 15, 2003 |
Updated: | November 25, 2003 |
| Description: |
The GNU C library contains a buffer overflow in the getgrouplist() function. If the user belongs to more groups than the calling application expects, the allocated storage will be overrun. |
| Alerts: |
|
Comments (none posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
CVE #(s): | CAN-2002-1146
|
| Created: | November 7, 2002 |
Updated: | February 5, 2004 |
| Description: |
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
|
| Alerts: |
|
Comments (none posted)
gnupg: key validation
| Package(s): | gnupg |
CVE #(s): | CAN-2003-0255
|
| Created: | May 15, 2003 |
Updated: | November 17, 2003 |
| Description: |
A key validation bug was discovered in the GNU Privacy Guard (GPG) which
would cause keys with more than one user ID to trust all user IDs with the
amount of trust given to the most-valid user ID. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML as supplied with versions of Evolution prior to 1.2.4 contains a bug
in its handling of HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
ircd: denial of service vulnerability
| Package(s): | ircd |
CVE #(s): | CAN-2003-0864
|
| Created: | October 17, 2003 |
Updated: | October 22, 2003 |
| Description: |
Piotr Kucharski reported a buffer
overflow vulnerability that may allow an attacker to crash the ircd server,
thus causing a denial of service condition. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0864 to this issue. |
| Alerts: |
|
Comments (none posted)
KDE: Two issues in KDM
| Package(s): | kde, xfree86 |
CVE #(s): | CAN-2003-0690
CAN-2003-0692
|
| Created: | September 16, 2003 |
Updated: | December 19, 2003 |
| Description: |
According to this advisory two issues have
been discovered in KDM:
- CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
- CAN-2003-0692: Session cookies generated by KDM are potentially insecure
All versions of KDM as distributed with KDE up to and including KDE 3.1.3
are affected. |
| Alerts: |
|
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
CVE #(s): | CAN-2002-1363
|
| Created: | December 19, 2002 |
Updated: | July 14, 2004 |
| Description: |
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer. |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mplayer: remotely exploitable buffer overflow vulnerability
| Package(s): | mplayer |
CVE #(s): | CAN-2003-0835
|
| Created: | September 29, 2003 |
Updated: | April 6, 2004 |
| Description: |
A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer
into executing arbitrary code upon parsing that header. Read the full advisory
for details. |
| Alerts: |
|
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
CVE #(s): | |
| Created: | May 27, 2003 |
Updated: | August 12, 2004 |
| Description: |
Several vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins to the Nessus
server (this option is disabled by default), or would need to trick a
user somehow into running a specially crafted NASL script. Read the full
advisory for additional information. |
| Alerts: |
|
Comments (none posted)
net-snmp: denial of service vulnerability
| Package(s): | net-snmp |
CVE #(s): | CAN-2002-1170
|
| Created: | December 17, 2002 |
Updated: | November 7, 2003 |
| Description: |
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet. |
| Alerts: |
|
Comments (none posted)
nfs-utils xlog() off-by-one bug
| Package(s): | nfs-utils |
CVE #(s): | CAN-2003-0252
|
| Created: | July 14, 2003 |
Updated: | March 8, 2004 |
| Description: |
The Linux nfs-utils package contains a remotely exploitable off-by-one bug.
A local or remote attacker could exploit this vulnerability by sending a
specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details. |
| Alerts: |
|
Comments (none posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2003-0190 |
| Created: | May 2, 2003 |
| Updated: | November 30, 2004 |
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." |
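The defensive invariant behind this class of bug, shown as an added example written for this page rather than OpenSSH or PAM code: password verification must cost the same whether or not the account exists, so an unknown user's rejection cannot be told apart, by timing, from a real user's wrong password. The user database, the dummy digest and slow_hash() (a deliberately slow stand-in whose invocations are counted; it is not a password hash to use in practice) are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSH or PAM code. slow_hash() is a constructed
 * stand-in for an expensive password check (iterated FNV-1a, NOT a real
 * password hash); its invocations are counted so the "same work in both
 * cases" property can be checked directly. */

#define SLOW_ROUNDS 20000
#define NUSERS 2

static unsigned long hash_invocations;

static uint64_t slow_hash(const char *pw) {
    uint64_t h = 1469598103934665603ULL;
    for (int r = 0; r < SLOW_ROUNDS; r++)
        for (const char *p = pw; *p; p++) {
            h ^= (unsigned char)*p;
            h *= 1099511628211ULL;
        }
    hash_invocations++;
    return h;
}

unsigned long hash_calls(void) { return hash_invocations; }
void reset_hash_calls(void) { hash_invocations = 0; }

/* Constant-time equality on the two digests. */
static int ct_equal(uint64_t a, uint64_t b) {
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8; d |= d >> 4; d |= d >> 2; d |= d >> 1;
    return (int)(~d & 1u);
}

struct account { const char *user; uint64_t pw_hash; };
static struct account db[NUSERS];   /* constructed user database */
static uint64_t dummy_hash;         /* digest checked against when the user is unknown */

void init_accounts(void) {
    db[0].user = "alice"; db[0].pw_hash = slow_hash("correct horse");
    db[1].user = "bob";   db[1].pw_hash = slow_hash("battery staple");
    dummy_hash = slow_hash("placeholder-for-unknown-users");
    reset_hash_calls();
}

/* Vulnerable shape: unknown users return before any hashing, so their
 * rejection is measurably faster than a real user's wrong password. */
int login_leaky(const char *user, const char *pw) {
    for (int i = 0; i < NUSERS; i++)
        if (strcmp(db[i].user, user) == 0)
            return ct_equal(slow_hash(pw), db[i].pw_hash);
    return 0;
}

/* Hardened shape: exactly one hash per attempt, against the dummy digest
 * when the user is unknown; the existence bit is folded in only at the end. */
int login_uniform(const char *user, const char *pw) {
    uint64_t expected = dummy_hash;
    int exists = 0;
    for (int i = 0; i < NUSERS; i++)
        if (strcmp(db[i].user, user) == 0) { expected = db[i].pw_hash; exists = 1; }
    int match = ct_equal(slow_hash(pw), expected);
    return match & exists;
}

int main(void) {
    init_accounts();
    reset_hash_calls(); login_leaky("nobody", "x");
    printf("leaky,   unknown user: %lu hash call(s)\n", hash_calls());
    reset_hash_calls(); login_uniform("nobody", "x");
    printf("uniform, unknown user: %lu hash call(s)\n", hash_calls());
    return 0;
}
```

The user lookup itself still uses strcmp(), which is acceptable here because its cost is negligible next to the hash; the property that matters is that the expensive step runs exactly once on every path.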
openssl: vulnerabilities in ASN.1 code
| Package(s): | openssl |
| CVE #(s): | CAN-2003-0543, CAN-2003-0544, CAN-2003-0545 |
| Created: | September 30, 2003 |
| Updated: | November 4, 2003 |
| Description: | Vulnerabilities have been found in OpenSSL ASN.1 code. This advisory contains details of 4 separate problems in versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all versions of SSLeay. An attack against applications that use OpenSSL could result in a denial of service; see CAN-2003-0543 and CAN-2003-0544. It may be possible for an attacker to exploit this issue to execute arbitrary code; see CAN-2003-0545. CERT has an updated OpenSSL advisory identifying additional OpenSSL vulnerabilities. |
postfix: denial of service vulnerabilities
| Package(s): | postfix |
| CVE #(s): | CAN-2003-0468, CAN-2003-0540 |
| Created: | August 5, 2003 |
| Updated: | May 27, 2004 |
| Description: | The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. |
PostgreSQL - more buffer overflows
| Package(s): | postgresql |
| CVE #(s): | |
| Created: | February 12, 2003 |
| Updated: | November 7, 2003 |
| Description: | A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. |
proftpd: remote root shell
| Package(s): | proftpd |
| CVE #(s): | CAN-2003-0831 |
| Created: | September 24, 2003 |
| Updated: | January 2, 2004 |
| Description: | The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell, if the attacker is able to download a specially-crafted file. See this ISS advisory for more information. |
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
| CVE #(s): | CAN-2002-1323 |
| Created: | October 9, 2002 |
| Updated: | February 20, 2004 |
| Description: | usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08. |
sane-backends: several vulnerabilities
| Package(s): | sane-backends |
| CVE #(s): | CAN-2003-0773, CAN-2003-0774, CAN-2003-0775, CAN-2003-0776, CAN-2003-0777, CAN-2003-0778 |
| Created: | September 11, 2003 |
| Updated: | February 20, 2004 |
| Description: | Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segmentation fault and/or consume arbitrary amounts of memory. The attack is successful even if the attacker's computer isn't listed in saned.conf.
You are only vulnerable if you actually run saned, e.g. from xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe. Try "telnet localhost 6566" on the server that may run saned; if you get "connection refused", saned is not running and you are safe.
The Common Vulnerabilities and Exposures project identifies the following problems:
- CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication (SANE_NET_INIT) has taken place, so anyone can send that RPC even if the remote host is not allowed to scan (not listed in saned.conf).
- CAN-2003-0774: saned lacks error checking nearly everywhere in the code, so connection drops are detected very late. If the drop of the connection isn't detected, access to the internal wire buffer leaves the limits of the allocated memory; random memory "after" the wire buffer is read, which is followed by a segmentation fault.
- CAN-2003-0775: if saned expects a string, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before the size was transmitted, malloc will reserve an arbitrary amount of memory. Depending on that size and the amount of memory available, either malloc fails (saned quits cleanly) or a huge amount of memory is allocated; swapping and OOM measures may occur depending on the kernel.
- CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before getting the parameters.
- CAN-2003-0777: if debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur.
- CAN-2003-0778: it's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this cannot easily be fixed, according to the author. Better limit the total amount of memory saned may use (ulimit). |
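The four programming-level problems in the list (authorisation after the first RPC, missing checks for dropped connections, malloc() fed an unvalidated size, and RPC numbers accepted before validation) share one remedy, shown here as an added example that is not saned's code: a wire reader that checks every read, bounds any announced length before allocating, and validates the procedure number and the peer before reading parameters. The RPC numbering, the size cap and the in-memory "wire" standing in for the socket are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not saned's code. The struct wire below stands in for a
 * socket: the bytes received so far plus a cursor. A short read therefore
 * models a dropped connection. MAX_STRING_LEN and the RPC numbers are
 * assumptions made for the example. */

#define MAX_STRING_LEN 4096u          /* assumption: longest legitimate string */

enum { RPC_INIT = 0, RPC_OPEN = 1, RPC_CLOSE = 2, RPC_COUNT };   /* constructed numbering */
enum { RPC_OK = 0, RPC_ERR_DROPPED = -1, RPC_ERR_DENIED = -2,
       RPC_ERR_BADNUM = -3, RPC_ERR_TOOLONG = -4, RPC_ERR_NOMEM = -5 };

struct wire {
    const unsigned char *buf;
    size_t len, pos;
    int peer_allowed;                 /* outcome of the saned.conf-style address check */
};

struct wire wire_from(const unsigned char *buf, size_t len, int peer_allowed) {
    struct wire w = { buf, len, 0, peer_allowed };
    return w;
}

/* Read exactly n bytes or fail: a short read means the peer went away, and
 * the caller must stop instead of reading past the end of the wire buffer. */
static int wire_read_exact(struct wire *w, void *out, size_t n) {
    if (w->len - w->pos < n) return -1;
    memcpy(out, w->buf + w->pos, n);
    w->pos += n;
    return 0;
}

static int wire_read_u32(struct wire *w, uint32_t *v) {
    unsigned char b[4];
    if (wire_read_exact(w, b, sizeof b) != 0) return -1;
    *v = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    return 0;
}

/* Length-prefixed string: the size is validated before malloc() sees it, so
 * a truncated or hostile size can never turn into a huge allocation. */
int wire_read_string(struct wire *w, char **out) {
    uint32_t n;
    *out = NULL;
    if (wire_read_u32(w, &n) != 0) return RPC_ERR_DROPPED;   /* size never arrived */
    if (n > MAX_STRING_LEN) return RPC_ERR_TOOLONG;
    char *s = malloc((size_t)n + 1);
    if (s == NULL) return RPC_ERR_NOMEM;
    if (wire_read_exact(w, s, n) != 0) { free(s); return RPC_ERR_DROPPED; }
    s[n] = '\0';
    *out = s;
    return RPC_OK;
}

/* One request: authorise first (RPC_INIT included), validate the procedure
 * number, and only then read its parameters. On RPC_OK, *name holds the
 * string argument of RPC_INIT/RPC_OPEN (caller frees) and *handle the
 * argument of RPC_CLOSE. */
int handle_rpc(struct wire *w, char **name, uint32_t *handle) {
    *name = NULL; *handle = 0;
    if (!w->peer_allowed) return RPC_ERR_DENIED;
    uint32_t num;
    if (wire_read_u32(w, &num) != 0) return RPC_ERR_DROPPED;
    if (num >= RPC_COUNT) return RPC_ERR_BADNUM;     /* unknown procedure: read nothing more */
    switch (num) {
    case RPC_INIT:
    case RPC_OPEN:
        return wire_read_string(w, name);
    case RPC_CLOSE:
        return wire_read_u32(w, handle) == 0 ? RPC_OK : RPC_ERR_DROPPED;
    }
    return RPC_ERR_BADNUM;
}

int main(void) {
    /* constructed request: RPC_OPEN carrying the 5-byte string "hello" */
    static const unsigned char msg[] = { 0,0,0,1, 0,0,0,5, 'h','e','l','l','o' };
    struct wire w = wire_from(msg, sizeof msg, 1);
    char *name; uint32_t handle;
    int rc = handle_rpc(&w, &name, &handle);
    printf("rc=%d name=%s\n", rc, name ? name : "(none)");
    free(name);
    return 0;
}
```

The size cap does not help against CAN-2003-0778-style abuse, where each individual allocation is legal but a peer keeps asking for more; that is why the advisory's ulimit advice remains a sensible second layer.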
sendmail: remotely exploitable buffer overflow
| Package(s): | sendmail |
| CVE #(s): | CAN-2003-0694, CAN-2003-0681 |
| Created: | September 17, 2003 |
| Updated: | November 18, 2003 |
| Description: | Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix. |
stunnel: signal handler reentrancy DoS
| Package(s): | stunnel |
| CVE #(s): | CAN-2002-1563 |
| Created: | July 25, 2003 |
| Updated: | November 25, 2003 |
| Description: | Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over a secure connection (encrypted using SSL or TLS) or to provide a secure means of connecting to services that do not natively support encryption.
When configured to listen for incoming connections (instead of being invoked by xinetd), stunnel can be configured to either start a thread or a child process to handle each new connection. If Stunnel is configured to start a new child process to handle each connection, it will receive a SIGCHLD signal when that child exits.
Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal handler which, if interrupted by another SIGCHLD signal, could be unsafe. This could lead to a denial of service. |
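The standard way to keep a forking server's SIGCHLD handler safe against exactly this kind of interruption is the "self-pipe" pattern, shown below as an added example written for this page (it is not stunnel's code and does not claim to be the 4.04 fix): the handler only writes one byte to a non-blocking pipe, which is async-signal-safe and harmless when a second SIGCHLD interrupts it, and all reaping and bookkeeping happen in the main loop. The poll() timeout and the forked child in main() are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not stunnel's own code: the self-pipe pattern. */

static int sigpipe_fd[2] = { -1, -1 };   /* [0] read end, [1] write end */

/* Only async-signal-safe operations in here: write(2) and an errno save. */
static void sigchld_handler(int signo) {
    int saved = errno;
    unsigned char b = (unsigned char)signo;
    ssize_t r = write(sigpipe_fd[1], &b, 1);   /* EAGAIN when full is fine: a byte is already pending */
    (void)r;
    errno = saved;
}

/* Create the pipe (both ends non-blocking) and install the handler. */
int install_sigchld_handler(void) {
    if (pipe(sigpipe_fd) != 0) return -1;
    for (int i = 0; i < 2; i++) {
        int fl = fcntl(sigpipe_fd[i], F_GETFL);
        if (fl < 0 || fcntl(sigpipe_fd[i], F_SETFL, fl | O_NONBLOCK) < 0) return -1;
    }
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = sigchld_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
    return sigaction(SIGCHLD, &sa, NULL);
}

/* Drain the pipe; returns 1 if at least one SIGCHLD was delivered since
 * the last call, 0 otherwise. */
int sigchld_pending(void) {
    unsigned char buf[64];
    int pending = 0;
    while (read(sigpipe_fd[0], buf, sizeof buf) > 0) pending = 1;
    return pending;
}

/* Reap every exited child without blocking and return how many there were.
 * Looping matters: one SIGCHLD may stand for several exits. */
int reap_children(void) {
    int reaped = 0, status;
    while (waitpid(-1, &status, WNOHANG) > 0) reaped++;
    return reaped;
}

/* Main-loop building block: wait up to timeout_ms for the pipe to become
 * readable, retrying when a signal interrupts poll(2). Returns 1 when a
 * SIGCHLD byte is waiting, 0 on timeout. In a real server the listening
 * socket would sit in the same poll set. */
int wait_for_sigchld(int timeout_ms) {
    struct pollfd pfd = { sigpipe_fd[0], POLLIN, 0 };
    for (;;) {
        int n = poll(&pfd, 1, timeout_ms);
        if (n > 0) return 1;
        if (n == 0) return 0;
        if (errno != EINTR) return 0;
    }
}

int main(void) {
    if (install_sigchld_handler() != 0) return 1;
    pid_t pid = fork();                    /* stand-in for a per-connection child */
    if (pid == 0) _exit(0);
    if (wait_for_sigchld(5000) && sigchld_pending())
        printf("reaped %d child(ren)\n", reap_children());
    return 0;
}
```

Nothing in sigchld_handler() can deadlock or corrupt state when re-entered, which is the property the pre-4.04 handler lacked.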
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
| CVE #(s): | CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399 |
| Created: | October 1, 2002 |
| Updated: | April 9, 2006 |
| Description: | The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. |
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
| CVE #(s): | |
| Created: | May 20, 2002 |
| Updated: | October 5, 2004 |
| Description: | This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well. |
unzip: directory traversal vulnerability
| Package(s): | unzip |
| CVE #(s): | CAN-2003-0282 |
| Created: | July 1, 2003 |
| Updated: | November 13, 2003 |
| Description: | A vulnerability in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information. |
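Both this entry and the tar/unzip entry above come down to one check, shown here as an added example (not the tar or unzip code): an archive member name must be rejected when it is absolute or contains a ".." component, and the test must run on the name as it will actually be used, after any filtering of non-printable bytes, so a name such as ".\x01./x" cannot pass the test and then become "../x". The sanitising rule (drop bytes below 0x20 and 0x7f) and the length limit are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not tar or unzip code. Ordering is the point: sanitise
 * first, then decide, so the decision applies to the final name. */

#define NAME_MAX_LEN 1024   /* assumption for the example */

/* Copy name into out, dropping non-printable bytes (the kind of
 * sanitising an extractor might do). Returns 0, or -1 if it does not fit. */
int sanitize_member_name(const char *name, char *out, size_t outsz) {
    size_t j = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p < 0x20 || *p == 0x7f) continue;     /* strip control bytes */
        if (j + 1 >= outsz) return -1;
        out[j++] = (char)*p;
    }
    out[j] = '\0';
    return 0;
}

/* Return 1 if an already-sanitised name stays inside the extraction root:
 * not empty, not absolute, and no ".." path component anywhere. Names like
 * "..hidden" are ordinary components and pass. */
int member_name_is_safe(const char *name) {
    if (name[0] == '\0' || name[0] == '/') return 0;
    const char *p = name;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') return 0;   /* parent reference */
        if (!end) break;
        p = end + 1;
    }
    return 1;
}

/* Full decision for one archive member: sanitise, then test the result.
 * Returns 1 if extraction below the current directory is acceptable. */
int may_extract(const char *raw_name) {
    char clean[NAME_MAX_LEN];
    if (sanitize_member_name(raw_name, clean, sizeof clean) != 0) return 0;
    return member_name_is_safe(clean);
}

int main(void) {
    /* constructed member names, including the "dot, control byte, dot" shape */
    const char *names[] = { "etc/motd", "../etc/passwd", "/etc/passwd",
                            "a/b/../c", ".\x01./etc/passwd", "..hidden/file" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s %s\n", names[i], may_extract(names[i]) ? "extract" : "reject");
    return 0;
}
```

A name check of this kind covers the path-string problem only; an extractor that follows symbolic links created earlier in the same archive needs a separate check at the time each file is opened.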
vim - modeline vulnerability
| Package(s): | vim |
| CVE #(s): | CAN-2002-1377 |
| Created: | January 16, 2003 |
| Updated: | February 10, 2004 |
| Description: | VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed. |
webmin: session ID spoofing
| Package(s): | webmin |
| CVE #(s): | CAN-2003-0101 |
| Created: | June 13, 2003 |
| Updated: | November 18, 2003 |
| Description: | miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges. |
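The general lesson is that Base64 decoding is not validation: whatever comes out of the decoder must still be checked before it reaches anything line-oriented. As an added example (not Webmin's miniserv.pl), the function below decodes the payload of a Basic Authorization header and rejects credentials that contain control bytes such as CR, LF or NUL, lack the "user:password" separator, or do not fit the caller's buffers. The decoder is a minimal one written for this example, and the test inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Webmin code: decode, then validate, then split. */

/* Minimal Base64 decoder. Returns the decoded length or -1 on bad input. */
int base64_decode(const char *in, unsigned char *out, size_t outsz) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t len = strlen(in), pad = 0, n = 0;
    unsigned acc = 0;
    int bits = 0;
    while (len > 0 && in[len - 1] == '=') { len--; pad++; }
    if (pad > 2 || (len + pad) % 4 != 0) return -1;
    for (size_t i = 0; i < len; i++) {
        const char *q = strchr(tbl, in[i]);
        if (q == NULL) return -1;                  /* symbol outside the alphabet */
        acc = (acc << 6) | (unsigned)(q - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outsz) return -1;             /* does not fit */
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1u;
        }
    }
    return (int)n;
}

enum { CRED_OK = 0, CRED_BAD_B64 = -1, CRED_CTRL_CHAR = -2,
       CRED_NO_COLON = -3, CRED_TOO_LONG = -4 };

/* Decode "user:password", refusing anything that could be interpreted as
 * a line break or string terminator further downstream. */
int parse_basic_credentials(const char *b64, char *user, size_t usz,
                            char *pass, size_t psz) {
    unsigned char raw[512];
    int n = base64_decode(b64, raw, sizeof raw);
    if (n < 0) return CRED_BAD_B64;
    for (int i = 0; i < n; i++)
        if (raw[i] < 0x20 || raw[i] == 0x7f) return CRED_CTRL_CHAR;   /* CR, LF, NUL, ... */
    unsigned char *colon = memchr(raw, ':', (size_t)n);
    if (colon == NULL) return CRED_NO_COLON;
    size_t ulen = (size_t)(colon - raw), plen = (size_t)n - ulen - 1;
    if (ulen + 1 > usz || plen + 1 > psz) return CRED_TOO_LONG;
    memcpy(user, raw, ulen); user[ulen] = '\0';
    memcpy(pass, colon + 1, plen); pass[plen] = '\0';
    return CRED_OK;
}

int main(void) {
    char user[64], pass[64];
    /* constructed headers: "admin:secret" and "x:y\n" (a trailing line feed) */
    const char *samples[] = { "YWRtaW46c2VjcmV0", "eDp5Cg==" };
    for (size_t i = 0; i < 2; i++) {
        int rc = parse_basic_credentials(samples[i], user, sizeof user, pass, sizeof pass);
        printf("%s -> %d\n", samples[i], rc);
    }
    return 0;
}
```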
wget: buffer overflow
| Package(s): | wget |
| CVE #(s): | CAN-2003-1565 |
| Created: | August 5, 2003 |
| Updated: | December 10, 2003 |
| Description: | The wget utility contains a buffer overflow which, when exploited with an over-long URL, can enable arbitrary code execution. |
XFree86 4.3.0 integer overflows in font libraries
| Package(s): | XFree86 |
| CVE #(s): | CAN-2003-0730 |
| Created: | September 12, 2003 |
| Updated: | November 25, 2003 |
| Description: | Several vulnerabilities were discovered by blexim(at)hush.com in the font libraries of XFree86 version 4.3.0 and earlier. These bugs could potentially lead to execution of arbitrary code or a DoS by a remote user through any code path that calls the affected functions, which are related to the transfer and enumeration of fonts from font servers to clients. See the advisory for additional details. |
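The integer-overflow pattern behind bugs of this kind, as an added example that is not XFree86 code: a 32-bit count received from the peer is multiplied by an element size, the product wraps to a small value, a small buffer is allocated, and the copy loop that trusts the original count runs off its end. The hardened functions bound the count and check the multiplication before malloc() is called. MAX_ENTRIES stands for an assumed protocol limit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not XFree86 code: checked arithmetic before allocation. */

#define MAX_ENTRIES 65536u   /* assumption: protocol cap on entries per reply */

/* Vulnerable shape, as 32-bit code computes it: the product silently wraps. */
uint32_t byte_count_unchecked(uint32_t count, uint32_t entry_size) {
    return count * entry_size;            /* 0x40000001 * 4 wraps to 4 */
}

/* Hardened: refuse counts above the protocol limit and any product that
 * would not fit in size_t. Returns 0 and sets *bytes, or -1. */
int byte_count_checked(uint32_t count, size_t entry_size, size_t *bytes) {
    if (entry_size == 0 || count > MAX_ENTRIES) return -1;
    if ((size_t)count > SIZE_MAX / entry_size) return -1;   /* multiplication would wrap */
    *bytes = (size_t)count * entry_size;
    return 0;
}

/* Copy count fixed-size entries out of a received buffer into a freshly
 * allocated one. The count is validated once, the announced total is checked
 * against what was actually received, and the loop runs over the bytes
 * really allocated. Returns the number of entries copied or -1. */
long copy_entries(const unsigned char *src, size_t src_len, uint32_t count,
                  size_t entry_size, unsigned char **dst_out) {
    size_t bytes;
    *dst_out = NULL;
    if (byte_count_checked(count, entry_size, &bytes) != 0) return -1;
    if (bytes > src_len) return -1;                 /* peer announced more than it sent */
    unsigned char *dst = malloc(bytes ? bytes : 1);
    if (dst == NULL) return -1;
    for (size_t i = 0; i < bytes; i++) dst[i] = src[i];
    *dst_out = dst;
    return (long)count;
}

int main(void) {
    size_t n;
    printf("unchecked 0x40000001 * 4 = %u bytes\n", byte_count_unchecked(0x40000001u, 4));
    printf("checked   0x40000001 * 4 -> %s\n",
           byte_count_checked(0x40000001u, 4, &n) == 0 ? "ok" : "rejected");
    return 0;
}
```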
xinetd: Memory leak in xinetd 2.3.10
| Package(s): | xinetd |
| CVE #(s): | CAN-2003-0211 |
| Created: | May 13, 2003 |
| Updated: | November 12, 2003 |
| Description: | Xinetd is a 'master server' that is used to accept service connection requests and start the appropriate servers.
Because of a programming error, memory was allocated and never freed if a connection was refused for any reason. An attacker could exploit this flaw to crash the xinetd server, rendering all services it controls unavailable. In addition, other flaws in xinetd could cause incorrect operation in certain unusual server configurations.
All users of xinetd are advised to update to xinetd-2.3.11, which is not vulnerable to these issues. |
Resources
Interview: Brian Hatch (LinuxQuestions)
LinuxQuestions.org interviews Brian Hatch, author of Hacking Linux Exposed. "So true, not everyone can read and understand the code that they end up running, and not anyone can read all of the code that they end up running. There's a level of trust, and that's no different than when you run proprietary software. The big difference is the number of individuals who do view that code."
Page editor: Jonathan Corbet
Kernel development
Release status
Kernel release status
The current development kernel is 2.6.0-test9, released by Linus on October 25. It consists almost entirely of important fixes, of course, but Linus also threw in Jeff Garzik's "libata" driver. As always, the long-format changelog has the details.
It seems a real 2.6.0 release could be getting close:
"If this works out, then I'll submit -test10 to Andrew Morton, and if he takes it we'll probably have a real 2.6.0 after a final shakedown."
Linus's approach of restricting patches to the most important fixes should help to stabilize the kernel. It is also likely to mean, however, that there will be a substantial pile of patches waiting to go in after the 2.6.0 release.
2.6.0-test9 is, perhaps, unique in having its own press release, something that is not normally done for development kernels. OSDL, it seems, wants to be sure that the world knows where Linus and Andrew work these days.
Linus's BitKeeper tree, as of this writing, contains a relatively small number of fixes.
The current stable kernel is 2.4.22; Marcelo released 2.4.23-pre8 on October 22. Along with the usual fixes, this patch also includes an ACPI update, some driver updates, and a set of tmpfs fixes.
The Wonderful World of Linux 2.6
Joe Pranevich has updated the Wonderful World of Linux 2.6 to cover the -test9 release. This is likely to be the last update until the official 2.6 release. A rough list of changes to the document is also available.
Kernel development news
Mandrake Linux 9.2 and self-destructing CD-ROM drives
Upgrading to a new version of an operating system is always a bit of a mixed experience. The promise of new features, new applications, and better performance (one hopes) contends with the fear that the upgrade will break something that used to work. Even the most worried among us, however, do not normally worry about an upgrade causing hardware to self-destruct. Those who have recently attempted to install Mandrake Linux 9.2 on a system containing an LG CD drive (shipped by Dell and numerous others) have gotten just that sort of surprise, however. An unpatched 9.2 system, it seems, can cause those drives to wipe out their firmware and cease to function.
This problem has been the centerpiece of a small flood of complaints about
the stability of the 9.2 rele