Will the real Linux Gazette please stand up?

The Linux Gazette has been a fixture of the Linux community since its beginnings in 1995. The first issue, published entirely by John Fisk, introduced itself in this way:

Hopefully, what it will do is make running Linux a bit more fun, enjoyable, or easier. This is a compilation of ideas I've shamelessly plagerized [sic] from so many sources that, quite frankly, I'm not sure where some of them came from, let alone being able to give due credit to the originator.

The Gazette grew quickly, attracting new readers and new authors. By the fifth issue, mirrors were necessary; these were contributed by Phil Hughes (of SSC, the publisher of the Linux Journal) and Alan Cox. Putting out the Linux Gazette took time, however, and the project lapsed for some months in early 1996. When Issue 8 came out in August of that year, it carried the following announcement:

As of the next LG issue the Linux Gazette will officially come under the auspices of the Linux Journal . The 'ol Linux Gazette has grown over the past year -- this is actually its First Birthday this month -- and it is probably fitting that after a year it's ready to come under the watch care of the folks at Linux Journal. Phil Hughes has very graciously offered to take over the day-to-day management of the Linux Gazette while continuing its tradition as a free and freely available WWW publication.

Once it came under the Linux Journal's wing, the Linux Gazette thrived. Over 80 issues were produced, on an approximately monthly basis, and the range of authors and topics seemed to increase every month. The Linux Gazette carried early articles by a number of well known community authors, including Joe Barr, Miguel de Icaza, Chris DiBona, Jon 'maddog' Hall, Michael J. Hammel, Dwight Johnson, Evan Leibovitch, Dave Phillips, Alessandro Rubini, Doc Searls, Jamie Zawinski, and many others. And, of course, the infamous "Answer Gang" - though the Gang started small with Jim Dennis as the Answer Guy. Over the years, the Linux Gazette has remained true to its roots, providing high-quality, noncommercial information aimed at making Linux more fun.

The Linux Gazette has reached a fork in the road, however, which threatens to make things somewhat less fun for a while. The volunteer core which puts together the Gazette has announced that the publication is leaving SSC's embrace, and is striking out on its own. This group has put out an Issue 96 which includes a fairly strongly-worded editorial:

During the past month, the Linux Gazette, as we and our readers have known it for a number of years, has come to an end. SSC, the company who had been hosting - and, to some degree, supporting - our efforts since shortly after the inception of the Gazette has decided that it somehow belongs to them, to change, adapt - or to destroy - at their pleasure. We - the people who have volunteered our efforts to write for it, assemble it, produce it, and publish it - disagree... and the wind of the desert howls over all, blowing away what once was, leaving nothing but the pure idea that still lives, independent of hardware, software, and corporate manipulation, and existing only in the minds of those who believe in it.

The dissidents have set up shop at LinuxGazette.net. Meanwhile, SSC continues to operate LinuxGazette.com, which has published an Issue 96 of its own. There are, in other words, two competing publications using the same name and even the same issue numbering scheme.

The core of the dispute is a decision by SSC to move the Linux Gazette to a modern content management system with reader forums, a constant stream of articles, etc. Phil Hughes explained the reasoning for this change to us:

I had received complaints that it felt like you had to be in a "special club" to contribute to Linux Gazette. This detracted from the community spirit of the publication. We also saw that good content was being held for weeks before publication because there was only a monthly edition.... Finally, going to a CMS makes it possible to easily add new capabilities. We already have forums and article comments in place but there is more to come. For example, we have had one person recently point out that he is vision impaired. Having everything in a database means text-to-speech, for example, could be added.

To many in the Linux Gazette organization, the changes to the site went against everything the Gazette had always been: a high-quality, edited, carefully-selected, monthly publication which can be mirrored worldwide. Rather than be part of a publication which, from their point of view, has been thoroughly compromised, these people decided to leave SSC - and to take the Linux Gazette with them.

What will happen now is unclear. Having two publications each claiming to be the "real" Linux Gazette seems unlikely to be good for either one of them. The departing contributors have asked that the LinuxGazette.com domain name be transferred to them, but that seems unlikely to happen. According to Phil Hughes, "SSC will continue to run Linux Gazette and it will continue to appear at www.linuxgazette.com." SSC does own that domain name, and it has a seven-year history of publishing the Linux Gazette (and employing its editor for most of that time); it could be hard to find anybody with a stronger legal claim to the right to use that name if it came down to a fight.

There have been signs that this disagreement could turn nasty, and some accusations have started to fly. These include stripped copyrights (since fixed, apparently) and censorship issues: the LinuxGazette.net Issue 95 mailbag contains a couple of letters which are missing from the LinuxGazette.com version. SSC has, by its own admission, been deleting posts on LinuxGazette.com that reference LinuxGazette.net, and has started making noises about trademark violations. Even so, most of the people involved seem to understand that neither the Linux community nor the Linux Gazette (either version) needs an ugly public feud. One can only hope that the relevant parties are able to keep that idea in mind as they carry their respective projects forward.

On Novell's acquisition of SUSE

As most readers will know by now, Novell has announced a deal to acquire SUSE Linux. Many of the details can be found in the associated press release; others came out during the press conference and afterward.

SUSE was bought for $210 million in cash. The deal thus values SUSE at less than one tenth the market capitalization of Red Hat ($2.4 billion as of this writing, down somewhat after Novell's announcement). Since SUSE has never been a public company, information on its finances has been hard to come by; at the press conference, however, SUSE's revenues for this year were estimated to be between $35 and $40 million. Red Hat's revenue will be on the order of three times that figure. So SUSE truly is a smaller company, deserving of a lower valuation. The magnitude of the difference is striking, however.

The press conference was full of upbeat "forward looking statements" on how this acquisition positions SUSE as a proper competitor for Red Hat. Novell's large, global support and training operation was mentioned several times; indeed, having a business on that scale behind the distribution might just help nervous CIOs sleep better at night. Novell and SUSE also have high hopes for Novell's large sales (and reseller) channel. Of course, Caldera/SCO was also supposed to succeed based on its channel... Novell also wastes no opportunity to point out that it now has "the whole stack" of offerings, from the base operating system through its proprietary enterprise products.

SUSE currently has 399 employees. It appears that Novell plans, for now, to keep the technical staff around; there may be some reductions in the administrative area, however. Novell has stated that it is committed to maintaining SUSE's presence in Nuremberg.

Novell's management has learned to say the right things with regard to the open source community - though they accepted no questions from community publications at the conference. Novell, says CEO Jack Messman, "expects to learn a lot" from the SUSE engineers, and plans to continue to be a leader in the development community.

After the conference, we asked about Novell's plans in a couple of areas. Unlike Red Hat, Novell/SUSE does not plan to drop its retail distribution; instead, it will fire up its sales channels and try to create a much larger presence for all of SUSE's products, especially in the U.S. The situation with desktops is a little less clear. SUSE has long been a supporter of the KDE desktop, but Novell owns Ximian, which is rather firmly in the GNOME camp. Novell, apparently, doesn't yet know how it will resolve that difference; PR person Kevan Barney told us "We'll be evaluating how to proceed on the desktop front in the coming months."

The same press release announced that IBM is investing $50 million into Novell. The two companies will be negotiating other deals in the future for the continued support of SUSE Linux on IBM's platforms.

The long-term consequences of this deal could be large. Red Hat is no longer the biggest Linux distributor; it will now be competing with an established, large company with a huge installed base of customers. The upper end of the Linux distribution market looks increasingly like a duopoly controlled by two giants. Despite the wealth of distributions available to Linux users, only a very few of those distributions will ever develop the mass to be successful in the commercial arena.

It's also worth noting that, for the first time, one of the core Linux distributions is owned by something other than a community-based company. It is certainly possible for a large company like Novell to handle such a resource properly and not ruin SUSE's relationship with the development community that supports it. Novell does seem to be trying to do the right thing in this regard. This acquisition might just work, and it could turn out to be a good thing for everybody involved, but the Linux commercial landscape has a different look than it did last week.

Red Hat Linux ends - now what?

November 5, 2003

This article was contributed by Joe 'Zonker' Brockmeier.

Red Hat's announcement earlier this week that it would be ending the Red Hat Linux product line should not be too surprising for those who have been reading the tea leaves -- or LWN. Red Hat announced the end of the Red Hat Linux product line in July, and merged the Red Hat Linux Project and Fedora Project in September. Still, the end-of-life announcement sent to Red Hat Network (RHN) subscribers this week seemed to catch some by surprise:

Red Hat will discontinue maintenance and errata support for Red Hat Linux 7.1, 7.2, 7.3 and 8.0 as of December 31, 2003. Red Hat will discontinue maintenance and errata support for Red Hat Linux 9 as of April 30, 2004. Red Hat does not plan to release another product in the Red Hat Linux line.

While Red Hat will continue to sell and support its enterprise line of products, users who have grown accustomed to the (relatively) inexpensive Red Hat Linux line and RHN support are now looking for other options. Users have about six months to decide what direction they want to go. RHN channels with updates for discontinued versions will remain available for at least six months after the end-of-life, but the April 30 date will be the end of new errata for regular Red Hat Linux products. RHN subscribers who are paid-up past April 30 will receive an evaluation ISO for Red Hat Enterprise Linux WS and channel access to updates for that distribution until their subscription expires. Red Hat is no longer allowing subscribers to extend their subscription past April 30, though subscribers can renew up until April 30 for $20.

The first option for Red Hat loyalists is Red Hat Enterprise Linux. Red Hat is offering introductory pricing for Red Hat Enterprise Linux WS or Red Hat Enterprise Linux ES; the deal is 50% off either product for up to two years, putting annual cost of the workstation product (WS) at $89.50 per system and the server product (ES) at $174.50 per system. This pricing structure, while not overly expensive for a single system, may not be popular with Red Hat users who have been maintaining multiple systems with Red Hat Linux.

Another likely choice for hobbyists and users who have grown fond of Red Hat Linux is the Red Hat Linux Project's successor: Fedora (which has just made its first core release). Fedora will likely replace Red Hat on many systems as Red Hat Linux 9 approaches end-of-life. However, many users are likely to be a bit wary about adopting Fedora as the project is still in its infancy and it has yet to be seen how well the project will evolve. Fedora will also be a more volatile distribution, with each release being, essentially, a "dot-zero" version.

Users might also choose to move to derivative products like Tummy.com's KRUD, or KRUD Server. KRUD is based on Red Hat Linux and users can opt for a monthly subscription with updates via CD-ROM. A one-year subscription to KRUD will run users $65, a one-year subscription to KRUD Server is $190. This may be an attractive option to many users, since Tummy.com does not require a per-machine subscription. Thus, a KRUD subscription is usable on any number of machines, unlike subscriptions to Red Hat Enterprise products.

There are, of course, other distributions which will be more than happy to pick up customers left behind by Red Hat. Red Hat's termination of the "consumer" line of products may be a blessing for other commercial Linux distributions with a strong interest in the retail Linux market. SUSE, Mandrake Linux, Xandros, Lindows and other commercial distributors may pick up some of Red Hat's audience still looking to buy a supported retail product. Non-commercial distributions like Debian might gain users as well; see this week's Distributions page. In the commercial arena, Mandrake is still working to emerge from bankruptcy, leaving SUSE as the strongest contender for the retail market at this point, particularly with the backing of Novell.

Joseph Eckert, SUSE's Vice President of Corporate Communications, told us that he is optimistic about SUSE's prospects in the retail channel. He noted that SUSE has seen a jump in sales with the 9.0 release, though it has not been available for very long. Unlike Red Hat, SUSE's retail products still account for a significant portion of their overall sales. According to Eckert, SUSE expects between €35 million and €40 million in sales this year, with SUSE's desktop products accounting for more than 50 percent of their business.

Eckert also said that SUSE has no plans to cancel its desktop products. "As Red Hat continues to distance itself [from retail products] we consider it a service to the community to keep the desktop alive...it's not just about the enterprise desktop, it's about making sure that our community of developers and enthusiasts are satisfied."

Indeed, it may be important for any vendor interested in the enterprise to keep developers and enthusiasts happy. Red Hat's decision to abandon retail products and focus solely on its enterprise products may help boost Red Hat's rivals in the enterprise market as well. Red Hat found its way into many organizations because that was what IT staff used at home. With some of Red Hat's user base looking at moving to different distributions, they may decide to bring those distributions into the workplace with them.

FCC "broadcast flag" approved

The U.S. Federal Communications Commission has approved the "broadcast flag" scheme put forth by the MPAA and its associates. Details can be found on the FCC site in the form of a news release and the actual order - both in PDF format.

Why do we need a digital broadcast flag? From the order:

In this report and order, we conclude that the potential threat of mass indiscriminate redistribution will deter content owners from making high value digital content available through broadcasting outlets absent some content protection mechanism. Although the threat of widespread indiscriminate retransmission of high value digital broadcast content is not imminent, it is forthcoming and preemptive action is needed to forestall any potential harm to the viability of over-the-air television.

So "mass indiscriminate redistribution" is not a problem now, but preemptive action is the way of things in the US these days, so we have to mandate copy protection mechanisms for transmissions on our public spectrum.

The actual broadcast flag rule, as found in page 40 of the order document, states that a digital TV demodulator cannot send unprotected content to any output, except in a set of specific cases:

  • Analog output continues to be allowed.

  • Specific digital output formats which must maintain the presence of the broadcast flag.

  • Digital outputs are allowed if they are protected by an "Authorized Digital Output Protection Technology." Encrypted output to devices which also follow the broadcast flag rules is allowed as well.

  • Output to a recording device is allowed - but, of course, that device, too, must implement an "Authorized Recording Method."

  • Digital output from computers is allowed as long as the resolution of the image is reduced to no more than 350,000 pixels per frame.

The FCC repeatedly asserts that home recording will not be affected by the broadcast flag. The rules, however, do place significant constraints on digital recordings. In particular, the resulting recording cannot be transferable to another device, or the recorder must be explicitly "authorized" by the FCC. The MPAA had pushed hard for the "authorization" mechanism to require, among other things, approval by at least two "major studios," but the FCC, at least didn't buy that. Instead, there will be an involved bureaucratic process where manufacturers of recorders have to show the FCC how their product will implement copy protection schemes.

Much debate evidently went into the specification of "robustness rules." The MPAA wanted an extensive set of regulations on things like "how content may be transmitted on data paths within Demodulator Products" and such, in an effort to make circumvention as difficult as possible. The FCC, however, concluded that a level of robustness sufficient to defeat an "ordinary user" would be enough. Interestingly, the FCC uses the CSS scheme used on DVDs as an example:

Although the CSS copy protection system for DVDs has been "hacked" and circumvention software is available on the Internet, DVDs remain a viable distribution platform for content owners. The CSS content protection system serves as an adequate "speed bump" for most consumers, allowing the continued flow of content to the DVD platform.

One might have just as easily concluded that a copy protection (and "region coding" price support) scheme like CSS was unnecessary in the first place, but the FCC wasn't willing to go there.

The resulting "robustness requirements" say that the broadcast flag scheme must be implemented in products in a way that can't be defeated or circumvented by "an ordinary user using generally-available tools or equipment." Examples of such tools, as listed in the regulation, include screwdrivers, jumpers, clips, soldering irons, EEPROM writers, debuggers, and decompilers.

This rule will have an obvious effect on free software - under the broadcast flag provisions, there simply cannot be a free TV demodulator system. Even if somebody wrote a free system which implemented the broadcast flag restrictions, a source-available system clearly would not meet the "robustness requirements." The FCC report does, at least, note this problem:

In response to our Notice of Proposed Rulemaking, EFF questioned the impact of a flag based regime on innovations in software demodulators and other DTV open source software applications... We seek further comment on the interplay between a flag redistribution control system and the development of open source software applications, including software demodulators, for digital broadcast television.

Given that the FCC seeks further comments, the free software community would be well advised to provide them with those comments. The Electronic comment filing system can be used for this purpose (the docket number for the report is 02-230). The chances of getting any sort of free software exemption to the broadcast flag requirements appear slim, however. The MPAA might not have gotten everything it wanted out of the FCC - thanks to the efforts of the EFF and many others - but that organization remains the driving force behind the FCC's rulemaking.

Page editor: Jonathan Corbet

Security

Security news

Which OpenSSL are you running?

OpenSSL is a well-advanced project developing a free implementation of the Secure Socket Layer and Transport Layer Security protocols. The OpenSSL code can be used in many contexts, but the most prominent use is almost certainly in web servers which need to offer the "https" protocol. When you (hint...) type your credit card number at LWN.net, the OpenSSL code ensures that said number cannot be captured by eavesdroppers lurking between your browser and our server. OpenSSL is, in other words, a critical part of the net's infrastructure.

The central role played by OpenSSL makes any security vulnerabilities in that package especially frightening. The software is widely deployed and exposed directly to the net, so holes can open up large numbers of systems to compromise. Sites using OpenSSL are also relatively likely to have something worth protecting, and are thus also relatively likely to be targets for certain types of crackers.

One would thus think that administrators of sites running OpenSSL would tend to stay current on their security updates. According to a survey run by Netcraft, however, one would be wrong. Netcraft looked at the advertised OpenSSL versions running on just over 50,000 web sites. Fully half of those sites were running version 0.9.6d (or earlier), which has vulnerabilities that are fully exploitable by a remote attacker. Only 1,356 out of 50,891 sites were running versions 0.9.6k or 0.9.7c, which were, at the time, free of known vulnerabilities (a vulnerability has since been found which can lead to crashes on Windows platforms). OpenSSL users, it would seem, have not been keeping up with their patches.

As Netcraft acknowledges, the above results are overly pessimistic. Security updates provided by distributors usually just backport the fix for the specific problem(s) to the (older) version of the software that was originally included in the distribution. So numerous sites which appear (to the outside) to be running vulnerable software are, in fact, up to date. Netcraft could have improved its numbers by seeing if an actual exploit worked on each system tested, but that approach to data collection has practical problems of its own.
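As an added illustration (not part of LWN's text or of the Netcraft survey), here is a small Python tally of advertised OpenSSL versions taken from web server Server headers, using the article's 0.9.6k and 0.9.7c thresholds; the sample banners are constructed. In keeping with the caveat above, "outdated" only means the host's advertised version predates the fix and should be checked against its distributor's errata, since backported fixes leave the banner unchanged.

```python
import re
from collections import Counter

# Minimum versions the article reports as free of known holes at the time
# of the Netcraft survey, keyed by release branch.
FIXED_IN = {
    (0, 9, 6): "0.9.6k",
    (0, 9, 7): "0.9.7c",
}

# Matches the OpenSSL token in a Server header, e.g. "OpenSSL/0.9.6d".
VERSION_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (major, minor, patch, letter) for the OpenSSL version in a
    Server header, or None when the banner advertises no OpenSSL at all.

    Tuples compare in release order: (0, 9, 6, "d") < (0, 9, 6, "k"), and a
    missing letter ("") sorts before "a", as OpenSSL's scheme intends.
    """
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def classify(banner):
    """Classify a banner as 'no-openssl', 'unknown-branch', 'current' or
    'outdated' relative to FIXED_IN.

    'outdated' is only a prompt to check the host against its distributor's
    errata: vendors backport fixes without bumping the advertised version.
    """
    version = parse_version(banner)
    if version is None:
        return "no-openssl"
    fixed = FIXED_IN.get(version[:3])
    if fixed is None:
        return "unknown-branch"
    return "current" if version >= parse_version("OpenSSL/" + fixed) else "outdated"


def survey(banners):
    """Tally the classification of every banner in the list."""
    return dict(Counter(classify(b) for b in banners))


# Constructed sample banners for illustration; not Netcraft's data.
SAMPLE_BANNERS = [
    "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6d",
    "Apache/1.3.28 (Unix) mod_ssl/2.8.15 OpenSSL/0.9.6k",
    "Apache/2.0.47 (Unix) OpenSSL/0.9.7b",
    "Apache/2.0.48 (Unix) OpenSSL/0.9.7c",
    "Apache/1.3.26 (Unix) Debian GNU/Linux mod_ssl/2.8.9 OpenSSL/0.9.6c",
    "Microsoft-IIS/5.0",
    "Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.6j",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{classify(banner):<14} {banner}")
    print(survey(SAMPLE_BANNERS))
```

A branch the table does not know (0.9.8, say) is reported as "unknown-branch" rather than silently passed, so the thresholds have to be extended deliberately as new branches appear.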

The bottom line, however, is that there are certainly many vulnerable sites out there. The fact that widespread exploits have not happened suggests that the net is not quite as scary a place as it is sometimes made out to be. But, sooner or later, an opening of this magnitude will certainly be exploited. Whether it is used for some sort of unpleasant worm or for a credit card scam doesn't really matter. Either way, it will impair the trust in Linux, Apache, and network commerce in general. And it is entirely avoidable.

If you have systems running older versions of OpenSSL, it is past time to update them. The LWN vulnerability entry will point you at the relevant distributor updates.

New vulnerabilities

bugzilla: multiple vulnerabilities

Package(s): bugzilla    CVE #(s): (none listed)
Created: November 5, 2003    Updated: November 5, 2003
Description: Several new vulnerabilities have been found in bugzilla; these include a pair of SQL injection bugs (usually only exploitable by privileged users) and some information leaks. See this advisory for details; upgrading to versions 2.16.4 or 2.17.5 fixes the problems.
Alerts:
Conectiva CLA-2003:774 2003-11-05

CUPS: denial of service

Package(s): CUPS    CVE #(s): CAN-2003-0788
Created: November 3, 2003    Updated: March 4, 2004
Description: Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
Red Hat RHSA-2003:275-01 2003-11-03
Mandrake MDKSA-2003:104 2003-11-05
Conectiva CLA-2003:779 2003-11-07
SCO Group CSSA-2004-012.0 2004-03-03

postgresql: remote code execution

Package(s): postgresql    CVE #(s): CAN-2003-0901
Created: October 30, 2003    Updated: November 17, 2003
Description: Two bugs leading to a buffer overflow in the PostgreSQL RDBMS, versions 7.2.x and 7.3.x prior to 7.3.4, were discovered. The vulnerability exists in the PostgreSQL abstract data type (ADT) to ASCII conversion functions.

It has been conjectured that excessive data passed to the involved to_ascii_xxx() functions may overrun the bounds of an insufficient buffer reserved in heap memory, resulting in the corruption of heap based memory management structures that are adjacent to it. It is currently believed that under the correct circumstances an attacker may use this to execute arbitrary instructions in the context of the PostgreSQL server.

The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0901 to the problem.

Alerts:
OpenPKG OpenPKG-SA-2003.047 2003-10-30
Mandrake MDKSA-2003:102 2003-11-03
OpenPKG OpenPKG-SA-2003.048 2003-11-11
Red Hat RHSA-2003:313-00 2003-11-13
Conectiva CLA-2003:784 2003-11-13
Trustix 2003-0040 2003-11-15

Updated vulnerabilities

2.4 kernel - several vulnerabilities

Package(s): 2.4 kernel    CVE #(s): CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created: July 21, 2003    Updated: December 23, 2003
Description: Several security issues have been discovered affecting the Linux kernel:
  • CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

  • CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

  • CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that this could allow normal users to bind to UDP ports used for services such as nfsd.

  • CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

  • CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

  • CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.

  • CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

  • CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
Alerts:
Red Hat RHSA-2003:238-01 2003-07-21
EnGarde ESA-20032407-018 2003-07-24
Debian DSA-358-1 2003-07-31
Debian DSA-358-3 2003-08-04
Debian DSA-358-2 2003-08-05
SuSE SuSE-SA:2003:034 2003-08-12
Debian DSA-358-4 2003-08-13
Gentoo 200308-01 2003-08-14
Red Hat RHSA-2003:408-00 2003-12-19

Multiple-use vulnerability in Safe.pm

Package(s): Safe.pm    CVE #(s): CAN-2002-1323
Created: October 9, 2002    Updated: February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
Debian DSA-208-1 2002-12-12
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Trustix 2002-0087 2002-12-19
Gentoo 200212-6 2002-12-20
SCO Group CSSA-2004-007.0 2004-02-20

XFree86 4.3.0 integer overflows in font libraries

Package(s): XFree86    CVE #(s): CAN-2003-0730
Created: September 12, 2003    Updated: November 25, 2003
Description: Several vulnerabilities were discovered by blexim(at)hush.com in the font libraries of XFree86 version 4.3.0 and earlier. These bugs could potentially lead to execution of arbitrary code or a DoS by a remote user in any way that calls these functions, which are related to the transfer and enumeration of fonts from font servers to clients. See the advisory for additional details.
Alerts:
Mandrake MDKSA-2003:089 2003-09-11
Debian DSA-380-1 2003-09-12
Red Hat RHSA-2003:288-01 2003-11-17
Red Hat RHSA-2003:287-01 2003-11-25
Red Hat RHSA-2003:286-01 2003-11-25

apache: buffer overflows in mod_alias, mod_rewrite

Package(s): apache    CVE #(s): CAN-2003-0542 CAN-2003-0789
Created: October 28, 2003    Updated: February 13, 2004
Description: André Malo discovered buffer overflows in the mod_alias and mod_rewrite modules of the Apache webserver. These occurred if a regular expression with more than 9 capturing parentheses was configured. To exploit this, an attacker would need to be able to locally create a carefully crafted configuration file (.htaccess or httpd.conf). (CAN-2003-0542)

Another buffer overflow in Apache 2.0.47 and earlier in mod_cgid's mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used. (CAN-2003-0789)

Alerts:
OpenPKG OpenPKG-SA-2003.046 2003-10-28
Immunix IMNX-2003-7+-025-01 2003-10-28
Gentoo 200310-04 2003-10-31
Mandrake MDKSA-2003:103 2003-11-03
EnGarde ESA-20031105-030 2003-11-05
Slackware SSA:2003-308-01 2003-11-03
Conectiva CLA-2003:775 2003-11-05
Trustix 2003-0041 2003-11-15
Gentoo 200310-03 2003-10-28
Red Hat RHSA-2003:360-01 2003-12-10
Red Hat RHSA-2003:320-01 2003-12-16
Red Hat RHSA-2003:405-00 2003-12-18
Fedora FEDORA-2003-004 2004-01-08
Whitebox WBSA-2004:015-01 2004-02-12

apache2: Denial of Service vulnerability

Package(s): apache2    CVE #(s): (none listed)
Created: September 29, 2003    Updated: March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Mandrake MDKSA-2003:096 2003-09-26
Mandrake MDKSA-2003:096-1 2003-10-24
Netwosix NW-2004-0006 2004-03-25
Gentoo 200403-04 2004-03-22

ethereal: security problems in Ethereal 0.9.12

Package(s): ethereal    CVE #(s): CAN-2003-0428 CAN-2003-0429 CAN-2003-0431 CAN-2003-0432
Created: June 23, 2003    Updated: November 10, 2003
Description: Several security problems have been found in Ethereal 0.9.12. "It may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file."
Alerts:
Mandrake MDKSA-2003:070 2003-06-23
Conectiva CLA-2003:662 2003-06-25
Gentoo 200306-13 2003-06-25
Red Hat RHSA-2003:203-01 2003-07-03
Yellow Dog YDU-20030718-2 2003-07-18
SCO Group CSSA-2003-030.0 2003-11-07

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

Comments (none posted)

fetchmail may crash on specially crafted message

Package(s):fetchmail CVE #(s):CAN-2003-0792
Created:October 16, 2003 Updated:April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
Mandrake MDKSA-2003:101 2003-10-16
Slackware SSA:2003-300-02 2003-10-22
SCO Group CSSA-2004-004.0 2004-02-19
Netwosix NW-2004-0002 2004-02-20
Gentoo 200403-10 2004-03-30
OpenPKG OpenPKG-SA-2004.012 2004-04-08

Comments (none posted)

fileutils/wu-ftpd: denial of service

Package(s):fileutils CVE #(s):CAN-2003-0854
Created:October 22, 2003 Updated:March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details.
Alerts:
Conectiva CLA-2003:768 2003-10-22
Conectiva CLA-2003:771 2003-10-24
Immunix IMNX-2003-7+-026-01 2003-10-31
Red Hat RHSA-2003:309-01 2003-11-03
Mandrake MDKSA-2003:106 2003-11-12
Trustix 2003-0042 2003-11-15
SCO Group CSSA-2004-006.0 2004-03-01

Comments (none posted)

glibc - buffer overflow

Package(s):glibc CVE #(s):CAN-2003-0689
Created:October 15, 2003 Updated:November 25, 2003
Description: The GNU C library contains a buffer overflow in the getgrouplist() function. If the user belongs to more groups than the calling application expects, the allocated storage will be overrun.
Alerts:
Conectiva CLA-2003:762 2003-10-14
Red Hat RHSA-2003:325-01 2003-11-12
Trustix 2003-0039 2003-11-15
Mandrake MDKSA-2003:107 2003-11-18
Gentoo 200311-05 2003-11-22

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Red Hat RHSA-2002:197-06 2002-10-03
Red Hat RHSA-2002:197-09 2002-11-06
Mandrake MDKSA-2004:009 2004-02-04

Comments (none posted)

gnupg: key validation

Package(s):gnupg CVE #(s):CAN-2003-0255
Created:May 15, 2003 Updated:November 17, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more than one user ID to trust all user IDs with the amount of trust given to the most-valid user ID.
Alerts:
EnGarde ESA-20030515-016 2003-05-15
OpenPKG OpenPKG-SA-2003.029 2003-05-16
Gentoo 200305-04 2003-05-16
Red Hat RHSA-2003:175-01 2003-05-20
Slackware ssa:2003-141-04 2003-05-22
Mandrake MDKSA-2003:061 2003-05-22
Yellow Dog YDU-20030602-4 2003-06-02
Conectiva CLA-2003:694 2003-07-11
SCO Group CSSA-2003-034.0 2003-11-17

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Red Hat RHSA-2003:126-01 2003-04-14
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:264-01 2003-09-09
Conectiva CLA-2003:737 2003-09-12
Mandrake MDKSA-2003:093 2003-09-18
Debian DSA-710-1 2005-04-18

Comments (none posted)

KDE: Two issues in KDM

Package(s):kde, xfree86 CVE #(s):CAN-2003-0690 CAN-2003-0692
Created:September 16, 2003 Updated:December 19, 2003
Description: According to this advisory, two issues have been discovered in KDM:
  • CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
  • CAN-2003-0692: Session cookies generated by KDM are potentially insecure
All versions of KDM as distributed with KDE up to and including KDE 3.1.3 are affected.
Alerts:
Red Hat RHSA-2003:269-01 2003-09-16
Mandrake MDKSA-2003:091 2003-09-16
Conectiva CLA-2003:747 2003-09-19
Debian DSA-388-1 2003-09-19
Gentoo 200311-01 2003-11-15
Mandrake MDKSA-2003:118 2003-12-19

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains User Mode Linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libnids: remotely exploitable buffer overflow

Package(s):libnids CVE #(s):CAN-2003-0850
Created:October 29, 2003 Updated:January 6, 2004
Description: libnids (a NIDS plugin which emulates the Linux 2.0 IP stack) contains a buffer overflow vulnerability which can be exploited remotely. Version 1.18 fixes the problem.
Alerts:
Conectiva CLA-2003:773 2003-10-29
Gentoo 200311-07 2003-11-22
Debian DSA-410-1 2004-01-05

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Debian DSA-213-1 2002-12-19
Red Hat RHSA-2003:006-06 2003-01-09
SuSE SuSE-SA:2003:0004 2003-01-14
Yellow Dog YDU-20030114-2 2002-01-14
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Mandrake MDKSA-2003:008 2003-01-20
Conectiva CLA-2003:564 2003-01-23
Red Hat RHSA-2004:249-01 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-176 2004-06-18
Whitebox WBSA-2004:249-01 2004-06-21
Mandrake MDKSA-2004:063 2004-06-29
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Gentoo 200407-06 2004-07-08

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Debian DSA-320-1 2003-06-13
Gentoo 200307-01 2003-07-02
Fedora FEDORA-2005-404 2005-06-09
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-405 2005-06-16

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s):mplayer CVE #(s):CAN-2003-0835
Created:September 29, 2003 Updated:April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Gentoo 200309-15 2003-09-27
Mandrake MDKSA-2003:097 2003-09-30
Conectiva CLA-2003:760 2003-10-06
Gentoo 200403-13 2004-03-31
Mandrake MDKSA-2004:026 2004-04-05

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

net-snmp: denial of service vulnerability

Package(s):net-snmp CVE #(s):CAN-2002-1170
Created:December 17, 2002 Updated:November 7, 2003
Description: The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Red Hat RHSA-2002:228-11 2002-12-17
Conectiva CLA-2003:778 2003-11-07

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: The Linux NFS utils package contains a remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending a specially crafted request to the rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Red Hat RHSA-2003:206-01 2003-07-14
Debian DSA-349-1 2003-07-14
Slackware SSA:2003-195-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
Slackware SSA:2003-195-01b 2003-07-15
Yellow Dog YDU-20030718-1 2003-07-18
Gentoo 200307-07 2003-07-19
Mandrake MDKSA-2003:076 2003-07-21
Conectiva CLA-2003:700 2003-07-22
SCO Group CSSA-2003-037.0 2003-11-17
Trustix TSLSA-2004-0009 2004-03-05

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Gentoo 200305-01 2002-03-05
Gentoo 200305-02 2003-05-13
Red Hat RHSA-2003:222-01 2003-07-29
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Ubuntu USN-34-1 2004-11-30

Comments (1 posted)

openssl: vulnerabilities in ASN.1 code

Package(s):openssl CVE #(s):CAN-2003-0543 CAN-2003-0544 CAN-2003-0545
Created:September 30, 2003 Updated:November 4, 2003
Description: Vulnerabilities have been found in OpenSSL ASN.1 code. This advisory contains details of 4 separate problems in versions of OpenSSL up to and including 0.9.6j and 0.9.7b and all versions of SSLeay.

An attack against other applications that use OpenSSL could result in a Denial of Service. See CAN-2003-0543 and CAN-2003-0544.

It may be possible for an attacker to exploit this issue to execute arbitrary code. See CAN-2003-0545.

CERT has an updated OpenSSL advisory identifying additional OpenSSL vulnerabilities.

Alerts:
Red Hat RHSA-2003:291-01 2003-09-30
Red Hat RHSA-2003:292-01 2003-09-30
OpenPKG OpenPKG-SA-2003.044 2003-09-30
Immunix IMNX-2003-7+-022-01 2003-09-29
EnGarde ESA-20030930-027 2003-09-30
Conectiva CLA-2003:751 2003-09-30
Debian DSA-393-1 2003-10-01
Gentoo 200309-19 2003-10-01
Mandrake MDKSA-2003:098 2003-09-30
Slackware SSA:2003-273-01 2003-09-30
SuSE SuSE-SA:2003:043 2003-10-01
Tawie 2003-0001 2003-10-02
EnGarde ESA-20031003-028 2003-10-03
Conectiva CLA-2003:759 2003-10-03
Debian DSA-394-1 2003-10-11
EnGarde ESA-20031104-029 2003-11-04

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Debian DSA-363-1 2003-08-03
Red Hat RHSA-2003:251-01 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Conectiva CLA-2003:717 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
Trustix 2003-0029 2003-08-04
Mandrake MDKA-2004:028 2004-05-26

Comments (none posted)

PostgreSQL - more buffer overflows

Package(s):postgresql CVE #(s):
Created:February 12, 2003 Updated:November 7, 2003
Description: A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server.
Alerts:
Mandrake MDKSA-2002:062-1 2003-02-11
Trustix 2003-0004 2003-02-20
Immunix IMNX-2003-7+-005-01 2003-04-08
Debian DSA-397-1 2003-11-07

Comments (1 posted)

proftpd: remote root shell

Package(s):proftpd CVE #(s):CAN-2003-0831
Created:September 24, 2003 Updated:January 2, 2004
Description: The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information.
Alerts:
Slackware SSA:2003-259-02 2003-09-23
OpenPKG OpenPKG-SA-2003.043 2003-09-25
Mandrake MDKSA-2003:095 2003-09-26
Trustix 2003-0037 2003-09-27
Gentoo 200309-16 2003-09-28
Conectiva CLA-2003:750 2003-09-29
Mandrake MDKSA-2003:095-1 2003-12-31

Comments (2 posted)

sane-backends: several vulnerabilities

Package(s):sane-backends CVE #(s):CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778
Created:September 11, 2003 Updated:February 20, 2004
Description: Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segmentation fault and/or consume arbitrary amounts of memory. The attack is successful even if the attacker's computer isn't listed in saned.conf.

You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe.

Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the remote host is not allowed to scan (not listed in saned.conf).
  • CAN-2003-0774: saned lacks error checking nearly everywhere in the code. So connection drops are detected very late. If the drop of the connection isn't detected, the access to the internal wire buffer leaves the limits of the allocated memory. So random memory "after" the wire buffer is read which will be followed by a segmentation fault.
  • CAN-2003-0775: If saned expects strings, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that size and the amount of memory available either malloc fails (->saned quits nicely) or a huge amount of memory is allocated. Swapping and OOM measures may occur depending on the kernel.
  • CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before getting the parameters.
  • CAN-2003-0777: If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur.
  • CAN-2003-0778: It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this can not easily be fixed according to the author. Better limit the total amount of memory saned may use (ulimit).
Alerts:
Debian DSA-379-1 2003-09-11
Red Hat RHSA-2003:278-01 2003-10-07
Mandrake MDKSA-2003:099 2003-10-09
Conectiva CLA-2003:769 2003-10-22
SuSE SuSE-SA:2003:046 2003-11-18
SCO Group CSSA-2004-005.0 2004-02-19

Comments (none posted)

sendmail: remotely exploitable buffer overflow

Package(s):sendmail CVE #(s):CAN-2003-0694 CAN-2003-0681
Created:September 17, 2003 Updated:November 18, 2003
Description: Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix.
Alerts:
Gentoo 200309-13 2003-09-17
Slackware SSA:2003-260-02 2003-09-17
Red Hat RHSA-2003:283-01 2003-09-17
Debian DSA-384-1 2003-09-17
Mandrake MDKSA-2003:092 2003-09-17
Immunix IMNX-2003-7+-021-01 2003-09-17
Yellow Dog YDU-20030917-2 2003-09-17
Conectiva CLA-2003:742 2003-09-18
OpenPKG OpenPKG-SA-2003.041 2003-09-19
SuSE SuSE-SA:2003:040 2003-09-20
SCO Group CSSA-2003-036.0 2003-11-17

Comments (none posted)

stunnel: signal handler reentrancy DoS

Package(s):stunnel CVE #(s):CAN-2002-1563
Created:July 25, 2003 Updated:November 25, 2003
Description: Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over a secure connection (encrypted using SSL or TLS) or to provide a secure means of connecting to services that do not natively support encryption.

When configured to listen for incoming connections (instead of being invoked by xinetd), stunnel can be configured to either start a thread or a child process to handle each new connection. If Stunnel is configured to start a new child process to handle each connection, it will receive a SIGCHLD signal when that child exits.

Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal handler which, if interrupted by another SIGCHLD signal, could be unsafe. This could lead to a denial of service.

Alerts:
Red Hat RHSA-2003:221-01 2003-07-25
EnGarde ESA-20030806-020 2003-08-06
Trustix 2003-0030 2003-08-07
Conectiva CLA-2003:736 2003-09-05
SCO Group CSSA-2003-026.0 2003-10-03
Red Hat RHSA-2003:296-01 2003-11-24

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 9, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Red Hat RHSA-2002:096-24 2002-09-18
Gentoo tar-20021001 2002-10-01
Gentoo unzip-20021001 2002-10-01
EnGarde ESA-20021003-022 2002-10-03
Mandrake MDKSA-2002:065 2002-10-10
Mandrake MDKSA-2002:066 2002-10-10
Conectiva CLA-2002:538 2002-10-29
Red Hat RHSA-2006:0195-01 2006-02-21
Fedora-Legacy FLSA:183571-1 2006-04-04

Comments (1 posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
SCO Group CSSA-2001-030.0 2001-08-10
Conectiva CLA-2001:413 2001-08-24
Debian DSA-075-1 2001-08-14
Debian DSA-075-2 2001-08-14
HP HPSBTL0202-023 2002-02-12
Mandrake MDKSA-2001:068 2001-08-13
Mandrake MDKSA-2001:093 2001-12-17
Progeny PROGENY-SA-2001-27 2001-08-14
Red Hat RHSA-2001:099-06 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:100-02 2001-08-09
Slackware sl-997726350 2001-08-09
SuSE SuSE-SA:2001:029 2001-09-03
Yellow Dog YDU-20010810-1 2001-08-10
Yellow Dog YDU-20010810-2 2001-08-10
Gentoo 200410-03 2004-10-05

Comments (none posted)

thttpd: multiple vulnerabilities

Package(s):thttpd CVE #(s):CAN-2002-1562 CAN-2003-0899
Created:October 29, 2003 Updated:November 6, 2003
Description: The thttpd web server has a pair of vulnerabilities which can lead to information disclosure and arbitrary code execution; both are remotely exploitable.
Alerts:
Debian DSA-396-1 2003-10-29
SuSE SuSE-SA:2003:044 2003-10-31
Conectiva CLA-2003:777 2003-11-06

Comments (none posted)

unzip: directory traversal vulnerability

Package(s):unzip CVE #(s):CAN-2003-0282
Created:July 1, 2003 Updated:November 13, 2003
Description: A vulnerability in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information.
Alerts:
Red Hat RHSA-2003:199-01 2003-07-01
Immunix IMNX-2003-7+-017-01 2003-07-02
Conectiva CLA-2003:672 2003-07-02
Mandrake MDKSA-2003:073 2003-07-07
Debian DSA-344-1 2003-07-08
OpenPKG OpenPKG-SA-2003.033 2003-07-10
Gentoo 200307-02 2003-07-11
Yellow Dog YDU-20030710-1 2003-07-10
Red Hat RHSA-2003:199-02 2003-08-15
Conectiva CLA-2003:724 2003-08-18
Mandrake MDKSA-2003:073-1 2003-08-19
Slackware SSA:2003-237-01 2003-08-25
Debian DSA-344-2 2003-08-26
SCO Group CSSA-2003-031.0 2003-11-07

Comments (none posted)

vim - modeline vulnerability

Package(s):vim CVE #(s):CAN-2002-1377
Created:January 16, 2003 Updated:February 10, 2004
Description: VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
Alerts:
Red Hat RHSA-2002:297-17 2003-01-15
OpenPKG OpenPKG-SA-2003.003 2003-01-21
Gentoo 200301-13 2003-01-22
Yellow Dog YDU-20030127-3 2003-01-27
Mandrake MDKSA-2003:012 2003-02-03
Conectiva CLA-2004:812 2004-02-10

Comments (4 posted)

webmin: session ID spoofing

Package(s):webmin CVE #(s):CAN-2003-0101
Created:June 13, 2003 Updated:November 18, 2003
Description: miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges.
Alerts:
Debian DSA-319-1 2003-06-12
SCO Group CSSA-2003-035.0 2003-11-17

Comments (none posted)

wget: buffer overflow

Package(s):wget CVE #(s):CAN-2003-1565
Created:August 5, 2003