As the founder of the ownCloud project, Frank Karlitschek has spent a fair amount of time
considering the issues surrounding internet privacy. The recent
revelations of widespread internet surveillance embodied in the PRISM program (and other related efforts largely revealed by
Edward Snowden) have, essentially, broken the internet, he said.
Karlitschek came to LinuxCon
North America in New Orleans to talk about that
serious threat to the internet—one that he believes the free and
open source software communities have a responsibility to help fix.
A longtime open source developer, Karlitschek has worked with KDE,
opendesktop.org, along with the KDE-Look
and GNOME-Look sites. After starting
the ownCloud project, he also helped found an ownCloud company in 2012. OwnCloud is
"both a company and a community", he said.
But Karlitschek wasn't there to talk about ownCloud. Instead, he turned to
the news to highlight the problem facing the internet, noting a few
headlines from the last few
months on
surveillance-related topics: the NSA circumventing internet encryption, "full
take" (storing all data gathered), and
XKeyscore. The latter
is a program that collects "nearly everything a user
does on the internet", and because of the "full take" strategy used, the
data all gets stored. The NSA doesn't have the capacity to analyze all that
data now, so it stores it for later analysis—whenever it somehow becomes
"interesting". It turns out that if the
budget is high enough, one can essentially "store the internet", he said.
![[Frank Karlitschek]](/images/2013/lcna-karlitschek-sm.jpg)
While XKeyscore only gathers metadata, that metadata is still quite
privacy invasive. It can include things like the locations of people, who is
"friends" with whom, what search terms people use, what they buy, and so on.
If an agency puts it all together in the context of a single person, it can
lead to surprisingly revealing conclusions.
In other news, Karlitschek noted that man-in-the-middle attacks are
increasing, at least partly due to the brokenness of the SSL certificate
authority scheme. He also pointed to the shutdowns of Lavabit and Groklaw
as recent events of note. And, "news from yesterday" that he had seen in
the European press (and not really in the US press, at least yet) indicated
that much of the worldwide credit card
transaction data had been compromised and collected by secret services.
The surveillance is not just a problem for one country, he said, as there
are secret
services all over the world that are reading our data. It is not just a
problem of the
NSA or the US—everyone who uses the internet anywhere is affected. These
agencies are
not just reading the data either, as man-in-the-middle attacks can also
be used to change the data that is being sent if that is of interest. It
is important
to realize that this surveillance covers all of the communication on
the internet, which increasingly is data that is coming from our devices.
The data collected by those devices is sometimes surprising, including
phones that never turn off their microphones—or, sometimes, their cameras.
He asked the audience to raise their hands if they used various internet
services (banking, search, ...) and got majorities for them all, until he
came to the last question. "Who thinks private data on the internet is
still private?", he asked—to zero raised hands.
"The internet is under attack", Karlitschek said. This network and
infrastructure that "we all love" and have used for years is being
threatened. This is a huge problem, he said, because it is "not just a fun
tool", the internet is "one of the most important inventions" ever
created. It enables a free flow of knowledge, which makes it the best
communication tool invented so far. It is an "awesome
collaboration tool" that enables projects like, for example, Linux.
Without the internet, there would be no Linux today, he said. Many
companies have been able to build businesses on top of the internet, but
all of that is now threatened.
There are various possible responses to this threat. One could decide to
no longer transmit or store private information on the internet, but there
is a problem with that approach. More and more things are tied to the
internet every day, so it is more than just the web browser. Smartphones,
gaming consoles, and regular phone conversations all use the internet even
without the user directly accessing it through the browser. "Not using the
internet for private data is not really an option these days", Karlitschek
said.
Another response would be to use ssh, rsync, GPG, and "super awesome
encrypted Linux tools". There are a few problems with that idea. For one
thing, we don't know that ssh and others are safe as there are "new
problems popping up
every day". In addition, the transmission may be encrypted successfully,
but the endpoints are still vulnerable; either the client or server end
could be compromised. Another problem is that regular users can't
really use those tools because they aren't targeted at those who are not
technically savvy.
One could also just decide not to care about the surveillance that is going
on, but privacy is very important. He is from Germany, which has some
experience with both right- and left-wing secret services that were
unconstrained, he said—it leads to "bad things".
Who invented and built the internet, he asked. The answer is that "we
invented it". There would be no internet in its current form without
Linux, he said. If users had to buy a Sun system to run a web server, it
would have greatly changed things. Beyond Linux itself, we created
languages like Java, PHP, and JavaScript; and free databases, open
protocols, and many
applications. Because we built it, "we also have to fix it".
There are political aspects to the problem that the politicians are,
supposedly, working on, but Karlitschek doesn't hold out much hope for that
kind of solution. Technologists have to work on it so that the internet "works
like it is supposed to". To try to define how the internet should
work, he and others have come up with a list of eight user rights that are
meant to help define "how a good internet works".
Those rights range from things like "own the data"—taking a photo and
uploading it to some service shouldn't change the ownership, the same goes
for texts, emails, and so on—to "control access"—the user decides on when
and with whom to share data, not the service. The other rights are in the
same vein;
the idea is to put users firmly in control of their data and the access to it.
Karlitschek then looked at four areas of internet use (email/messaging, the web, social
networking, and file sync/share/collaboration) to see how they stack up on
a few different "open data" criteria. Email and the web have
similar scores. Both are decentralized, people can host their own or
fairly easily migrate to a new service, they
use open protocols, and have open source implementations available. All of
that is very good, but both fail in the encryption area. Email has
encryption using GPG,
but regular users don't use it (and many technical people don't either),
while SSL encryption is largely broken because of a certificate model that
places too much trust in large governments and organizations.
Social networking is "very bad" on these criteria, he said. It is
centralized (there is just one Facebook or G+ provider), it can't be
self-hosted, migration is nearly impossible (and friends may not migrate
even if the data does), open protocols aren't used, open source
implementations don't really exist (Diaspora didn't really solve that
problem as was hoped), and so on.
Things are a bit better in the file
sharing realm, but that is still mostly centralized without open protocols
(there are APIs, but that isn't enough) and with no encryption (or it is done on
the server side, which is hopeless from a surveillance-avoidance
perspective). On the plus side, migration is relatively easy (just moving
files), and there
are some open source implementations (including ownCloud).
Overall, that paints a fairly bleak picture, so what can we do about it, he asked.
For regular users, starting to use GPG encryption and hoping that it is safe
is one step. Stopping reliance on SSL for internet traffic encryption and using a
VPN instead is another, he said. VPNs are hard for regular users to set
up, however.
Using Linux and open source as much as possible is important because "open
source is very good protection against back doors". He noted that there
were two occasions when someone tried to insert a back door into KDE and
that both were noticed immediately during code review. He strongly
recommends on-premises file-sharing facilities rather than relying on the
internet. Beyond that, users need to understand the risks and costs as
security is never really black or white, it is "all gray".
Developers "have a responsibility here", he said. They need to build
security into the core of all software, and to put encryption into
everything. Looking at SSL and the certificate system should be a
priority. Another area of focus should be to make secure software that is
usable for
consumers—it needs to be so easy to use that everyone does so. He showed
two examples of how not to do it: a Windows GPG dialog for key management
with many buttons, choices, and cryptic options and the first
rsync man page, which is just a mass of options. Those are not solutions
for consumers, he said.
He would like to have an internet that is "safe and secure", one that can
be used to transfer private data. Two groups have the power to make that
happen, but one, politicians, is unlikely to be of help as they are
beholden to the secret services and their budgets. So it is up to us, "we
have to fix the internet".
Two audience questions touched on the efficacy of current cryptographic
algorithms. Karlitschek said that he was no expert in the area, but was
concerned that the NSA and others are putting several thousand people to
work on breaking today's crypto. It is tough to battle against so many
experts, he said. It is also difficult to figure out what to fix when we
don't know
what is broken. That makes it important to support efforts like that of the
Electronic Frontier Foundation to find out what the NSA and others are
actually doing, so that we can figure out where to focus our efforts.
Outside of Karlitschek's talk,
there is some debate over how the "broken internet" will ever get fixed—if,
indeed, it does. Technical solutions to the problem seem quite attractive,
and Karlitschek is not the only one advocating that route. Whether well-funded
privacy foes, such as governments and their secret services, can ultimately
overwhelm those technical solutions remains to be seen. Outlawing
encryption might be seen as stunningly good solution by some, but the
unintended side effects of that would be equally stunning. E-commerce without
encryption seems likely to fail miserably, for example. Hopefully saner
heads will prevail, but those who prey on fear, while spreading uncertainty
and doubt along the way, are legion.
[ I would like to thank LWN subscribers for travel assistance to New
Orleans for LinuxCon North America. ]
Comments (25 posted)
Brief items
At the end of the day, there is no real replacement for a real HWRNG
[Hardware Random Number Generator].
And I've never had any illusions that the random driver could be a
replacement for a real HWRNG. The problem is though is that most
HWRNG can't be audited, because they are not open, and most users
aren't going to be able to grab a wirewrap gun and make their own ---
and even if they did, it's likely they will screw up in some
embarrassing way. Really, the best you can do is [hopefully] have
multiple sources of entropy. RDRAND, plus the random number generator
in the TPM, etc. and hope that mixing all of this plus some OS-level
entropy, that this is enough to frustrate the attacker enough that
it's no longer the easiest way to compromise your security.
—
Ted Ts'o
The NSA's belief that more data is always good, and that it's worth doing anything in order to collect it, is wrong. There are diminishing returns, and the NSA almost certainly passed that point long ago. But the idea of trade-offs does not seem to be part of its thinking.
The NSA missed the Boston Marathon bombers, even though the suspects left a really sloppy Internet trail and the older brother was on the terrorist watch list. With all the NSA is doing eavesdropping on the world, you would think the least it could manage would be keeping track of people on the terrorist watch list. Apparently not.
I don't know how the CIA measures its success, but it failed to predict the end of the Cold War.
More data does not necessarily mean better information. It's much easier to look backward than to predict. Information does not necessarily enable the government to act. Even when we know something, protecting the methods of collection can be more valuable than the possibility of taking action based on gathered information. But there's not a lot of value to intelligence that can't be used for action. These are the paradoxes of intelligence, and it's time we started remembering them.
—
Bruce
Schneier
Comments (12 posted)
This
ars technica article predicts some nasty security problems for
Java 6 users. "
The most visible sign of deterioration are
in-the-wild attacks exploiting unpatched vulnerabilities in Java version 6,
Christopher Budd, threat communications manager at antivirus provider Trend
Micro, wrote in a blog post published Tuesday. The version, which Oracle
stopped supporting in February, is still used by about half of the Java
user base, he said. Malware developers have responded by reverse
engineering security patches issued for Java 7, and using the insights to
craft exploits for the older version. Because Java 6 is no longer
supported ... those same flaws will never be fixed."
See
the
original blog post for more information.
Comments (58 posted)
New vulnerabilities
graphite-web: unspecified vulnerability
| Package(s): | graphite-web |
CVE #(s): | CVE-2013-5093
|
| Created: | September 18, 2013 |
Updated: | September 18, 2013 |
| Description: |
From the Fedora advisory:
Version 0.9.12 fixes an unspecified vulnerability. |
| Alerts: |
|
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
CVE #(s): | CVE-2013-2888
CVE-2013-2889
CVE-2013-2891
CVE-2013-2892
CVE-2013-2893
CVE-2013-2894
CVE-2013-2895
CVE-2013-2896
CVE-2013-2897
CVE-2013-2899
CVE-2013-0343
|
| Created: | September 13, 2013 |
Updated: | September 26, 2013 |
| Description: |
From the CVE entries:
Linux kernel built with the Human Interface Device bus (CONFIG_HID) support
is vulnerable to a memory corruption flaw. It could occur if an HID device
sends malicious HID report with the Report_ID of greater than 255. A local user with physical access to the system could use this flaw to crash
the system resulting in DoS or, potentially, escalate their privileges on the system. (CVE-2013-2888)
Linux kernel built with the Human Interface Device(HID) Bus support(CONFIG_HID)
along with the Zeroplus based game controller support(CONFIG_HID_ZEROPLUS) is
vulnerable to a heap overflow flaw. It could occur when an HID device sends
malicious output report to the kernel driver.
A local user with physical access to the system could use this flaw to crash the
kernel resulting in DoS or potential privilege escalation to gain root access via
arbitrary code execution. (CVE-2013-2889)
Linux kernel built with the Human Interface Device Bus support(CONFIG_HID)
along with a driver for the Steelseries SRW-S1 steering wheel
(CONFIG_HID_STEELSERIES) is vulnerable to a heap overflow flaw. It could occur
when an HID device sends malicious output report to the kernel driver.
A local user with physical access to the system could use this flaw to crash
the kernel resulting in DoS or potential privilege escalation to gain root
access via arbitrary code execution. (CVE-2013-2891)
Linux kernel built with the Human Interface Device(CONFIG_HID) bus support
along with the Pantherlord/GreenAsia game controller(CONFIG_HID_PANTHERLORD)
driver, is vulnerable to a heap overflow flaw. It could occur when an HID
device sends malicious output report to the kernel driver.
A local user with physical access to the system could use this flaw to crash
the kernel resulting in DoS or potential privilege escalation to gain root
access via arbitrary code execution. (CVE-2013-2892)
Linux kernel built with the Human Interface Device(CONFIG_HID) support along
with the Logitech force feedback drivers is vulnerable to a heap overflow flaw.
- CONFIG_LOGITECH_FF
- CONFIG_LOGIG940_FF
- CONFIG_LOGIWHEELS_FF
- CONFIG_LOGIRUMBLEPAD2_FF
It could occur when the HID device sends malicious output report to the kernel
drivers.
A local user with physical access to the system could use this flaw to crash
the kernel resulting in DoS or potential privilege escalation to gain root
access via arbitrary code execution. (CVE-2013-2893)
Linux kernel built with the Human Interface Device support(CONFIG_HID), along
with the Lenovo ThinkPad USB Keyboard with TrackPoint(CONFIG_HID_LENOVO_TPKBD)
driver is vulnerable to a heap overflow flaw. It could occur when an HID device
sends malicious output report to the kernel driver.
A local user with physical access to the system could use this flaw to crash
the kernel resulting in DoS or potential privilege escalation to gain root
access via arbitrary code execution. (CVE-2013-2894)
Linux kernel built with the Human Interface Device(CONFIG_HID) support along
with the Logitech Unifying receivers(CONFIG_HID_LOGITECH_DJ) driver is
vulnerable to a heap overflow flaw. It could occur when the HID device sends
malicious output report to the kernel driver.
A local user with physical access to the system could use this flaw to crash
the kernel resulting in DoS or potential privilege escalation to gain root
acess via arbitrary code execution. (CVE-2013-2895)
Linux kernel built with the Human Interface Device bus(CONFIG_HID) along with
the N-Trig touch screen driver(CONFIG_HID_NTRIG) support is vulnerable to a
NULL pointer dereference flaw. It could occur when an HID device sends
malicious output report to the ntrig kernel driver.
A local user with physical access to the system could use this flaw to crash
the kernel resulting in DoS or potential privilege escalation to gain root
access via arbitrary code execution. (CVE-2013-2896)
Linux kernel built with the Human Interface Device bus(CONFIG_HID) along with
the generic support for the HID Multitouch panels(CONFIG_HID_MUTLTITOUCH)
driver is vulnerable to a heap overflow flaw. It could occur when an HID device
sends malicious feature report the kernel driver.
A local user with physical access to the system could use this flaw to crash
the kernel resulting in DoS or potential privilege escalation to gain root
access via arbitrary code execution. (CVE-2013-2897)
Linux kernel built with the Human Interface Device(CONFIG_HID) support along
with the Minibox PicoLCD devices(CONFIG_HID_PICOLCD) driver is vulnerable to
a NULL pointer dereference flaw. It could occur when the HID device sends
malicious output report to the kernel driver.
A local user with physical access to the system could use this flaw to crash
the kernel resulting in DoS or potential privilege escalation to gain root
access via arbitrary code execution. (CVE-2013-2899) |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel-rt |
CVE #(s): | CVE-2013-2058
|
| Created: | September 18, 2013 |
Updated: | September 18, 2013 |
| Description: |
From the Red Hat advisory:
A flaw was found in the Linux kernel's Chipidea USB driver. A local,
unprivileged user could use this flaw to cause a denial of service. |
| Alerts: |
|
Comments (none posted)
libvirt: group updating error
| Package(s): | libvirt |
CVE #(s): | CVE-2013-4291
|
| Created: | September 12, 2013 |
Updated: | October 2, 2013 |
| Description: |
From the Red Hat bug:
Upstream Commit 29fe5d7 (released in 1.1.1) introduced a latent problem for any caller of virSecurityManagerSetProcessLabel and where the domain already had a uid:gid label to be parsed. Such a setup would collect the list of supplementary groups during virSecurityManagerPreFork, but then ignores that information, and thus fails to call setgroups() to adjust the supplementary groups of the process. |
| Alerts: |
|
Comments (none posted)
libzypp: key verification bypass
| Package(s): | libzypp |
CVE #(s): | CVE-2013-3704
|
| Created: | September 12, 2013 |
Updated: | September 18, 2013 |
| Description: |
From the openSUSE advisory:
libzypp was adjusted to enhance the RPM GPG key import/handling to avoid a problem with multiple key blobs. Attackers able to supplying a repository could let the packagemanager show another keys fingerprint while a second one was actually used to sign the repository (CVE-2013-3704). |
| Alerts: |
|
Comments (none posted)
lightdm: information leak
| Package(s): | lightdm |
CVE #(s): | CVE-2013-4331
|
| Created: | September 13, 2013 |
Updated: | September 19, 2013 |
| Description: |
From the Ubuntu advisory:
It was discovered that Light Display Manager created .Xauthority files with incorrect permissions. A local attacker could use this flaw to bypass access restrictions. |
| Alerts: |
|
Comments (none posted)
mediawiki: information leak
| Package(s): | mediawiki |
CVE #(s): | CVE-2013-4302
|
| Created: | September 13, 2013 |
Updated: | September 23, 2013 |
| Description: |
From the Debian advisory:
It was discovered that in Mediawiki, a wiki engine, several API modules allowed anti-CSRF tokens to be accessed via JSONP. These tokens protect against cross site request forgeries and are confidential. |
| Alerts: |
|
Comments (none posted)
mediawiki: multiple vulnerabilities
| Package(s): | mediawiki |
CVE #(s): | CVE-2013-4301
CVE-2013-4303
|
| Created: | September 16, 2013 |
Updated: | September 23, 2013 |
| Description: |
From the Mandriva advisory:
Full path disclosure in MediaWiki before 1.20.7, when an invalid
language is specified in ResourceLoader (CVE-2013-4301).
An issue with the MediaWiki API in MediaWiki before 1.20.7 where an
invalid property name could be used for XSS with older versions of
Internet Explorer (CVE-2013-4303). |
| Alerts: |
|
Comments (none posted)
mozilla: code execution
| Package(s): | firefox thunderbird seamonkey |
CVE #(s): | CVE-2013-1719
|
| Created: | September 18, 2013 |
Updated: | September 27, 2013 |
| Description: |
From the CVE entry:
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
|
| Alerts: |
|
Comments (none posted)
mozilla: multiple vulnerabilities
| Package(s): | firefox thunderbird seamonkey |
CVE #(s): | CVE-2013-1718
CVE-2013-1722
CVE-2013-1725
CVE-2013-1730
CVE-2013-1732
CVE-2013-1735
CVE-2013-1736
CVE-2013-1737
|
| Created: | September 18, 2013 |
Updated: | September 30, 2013 |
| Description: |
From the CVE entries:
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. (CVE-2013-1718)
Use-after-free vulnerability in the nsAnimationManager::BuildAnimations function in the Animation Manager in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving stylesheet cloning. (CVE-2013-1722)
Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 do not ensure that initialization occurs for JavaScript objects with compartments, which allows remote attackers to execute arbitrary code by leveraging incorrect scope handling. (CVE-2013-1725)
Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 do not properly handle movement of XBL-backed nodes between documents, which allows remote attackers to execute arbitrary code or cause a denial of service (JavaScript compartment mismatch, or assertion failure and application exit) via a crafted web site. (CVE-2013-1730)
Buffer overflow in the nsFloatManager::GetFlowArea function in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code via crafted use of lists and floats within a multi-column layout. (CVE-2013-1732)
Use-after-free vulnerability in the mozilla::layout::ScrollbarActivity function in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code via vectors related to image-document scrolling. (CVE-2013-1735)
The nsGfxScrollFrameInner::IsLTR function in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to improperly establishing parent-child relationships of range-request nodes. (CVE-2013-1736)
Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 do not properly identify the "this" object during use of user-defined getter methods on DOM proxies, which might allow remote attackers to bypass intended access restrictions via vectors involving an expando object. (CVE-2013-1737) |
| Alerts: |
|
Comments (none posted)
mozilla: multiple vulnerabilities
| Package(s): | firefox thunderbird seamonkey |
CVE #(s): | CVE-2013-1720
CVE-2013-1721
CVE-2013-1724
CVE-2013-1728
CVE-2013-1738
|
| Created: | September 18, 2013 |
Updated: | September 27, 2013 |
| Description: |
From the CVE entries:
The nsHtml5TreeBuilder::resetTheInsertionMode function in the HTML5 Tree Builder in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 does not properly maintain the state of the insertion-mode stack for template elements, which allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer over-read) by triggering use of this stack in its empty state. (CVE-2013-1720)
Integer overflow in the drawLineLoop function in the libGLESv2 library in Almost Native Graphics Layer Engine (ANGLE), as used in Mozilla Firefox before 24.0 and SeaMonkey before 2.21, allows remote attackers to execute arbitrary code via a crafted web site. (CVE-2013-1721)
Use-after-free vulnerability in the mozilla::dom::HTMLFormElement::IsDefaultSubmitElement function in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving a destroyed SELECT element. (CVE-2013-1724)
The IonMonkey JavaScript engine in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21, when Valgrind mode is used, does not properly initialize memory, which makes it easier for remote attackers to obtain sensitive information via unspecified vectors. (CVE-2013-1728)
Use-after-free vulnerability in the JS_GetGlobalForScopeChain function in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code by leveraging incorrect garbage collection in situations involving default compartments and frame-chain restoration. (CVE-2013-1738) |
| Alerts: |
|
Comments (none posted)
perl-Crypt-DSA: improperly secure randomness
| Package(s): | perl-Crypt-DSA |
CVE #(s): | CVE-2011-3599
|
| Created: | September 13, 2013 |
Updated: | September 26, 2013 |
| Description: |
From the Fedora advisory:
As taught by the '09 Debian PGP disaster relating to DSA, the randomness source is extremely important. On systems without /dev/random, Crypt::DSA falls back to using Data::Random. Data::Random uses rand(), about which the perldoc says "rand() is not cryptographically secure. You should not rely on it in security-sensitive situations." In the case of DSA, this is even worse. Using improperly secure randomness sources can compromise the signing key upon signature of a message.
See: http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/
It might seem that this would not affect Linux since /dev/random is always available and so the fall back to Data::Random would never happen. However, if an application is confined using a MAC system such as SELinux then access to /dev/random could be denied by policy and the fall back would be triggered. |
| Alerts: |
|
Comments (1 posted)
pip: code execution
| Package(s): | pip |
CVE #(s): | CVE-2013-1629
|
| Created: | September 13, 2013 |
Updated: | September 18, 2013 |
| Description: |
From the CVE entry:
pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a "pip install" operation. |
| Alerts: |
|
Comments (none posted)
python-django: denial of service
| Package(s): | python-django |
CVE #(s): | CVE-2013-1443
|
| Created: | September 18, 2013 |
Updated: | September 27, 2013 |
| Description: |
From the Debian advisory:
It was discovered that python-django, a high-level Python web
development framework, is prone to a denial of service vulnerability
via large passwords. |
| Alerts: |
|
Comments (none posted)
python-OpenSSL: certificate spoofing
| Package(s): | python-OpenSSL |
CVE #(s): | CVE-2013-4314
|
| Created: | September 13, 2013 |
Updated: | September 25, 2013 |
| Description: |
From the Mandriva advisory:
The string formatting of subjectAltName X509Extension instances in pyOpenSSL before 0.13.1 incorrectly truncated fields of the name when encountering a null byte, possibly allowing man-in-the-middle attacks through certificate spoofing (CVE-2013-4314). |
| Alerts: |
|
Comments (none posted)
python-pyrad: predictable password hashing
| Package(s): | python-pyrad |
CVE #(s): | CVE-2013-0294
|
| Created: | September 16, 2013 |
Updated: | September 18, 2013 |
| Description: |
From the Red Hat bugzilla:
Nathaniel McCallum reported that pyrad was using Python's random module in a number of places to generate pseudo-random data. In the case of the authenticator data, it was being used to secure a password sent over the wire. Because Python's random module is not really suited for this purpose (not random enough), it could lead to password hashing that may be predictable. |
| Alerts: |
|
Comments (none posted)
wireshark: multiple vulnerabilities
| Package(s): | wireshark |
CVE #(s): | CVE-2013-5718
CVE-2013-5720
CVE-2013-5722
|
| Created: | September 16, 2013 |
Updated: | September 19, 2013 |
| Description: |
From the CVE entries:
The dissect_nbap_T_dCH_ID function in epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 does not restrict the dch_id value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. (CVE-2013-5718)
Buffer overflow in the RTPS dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet. (CVE-2013-5720)
Unspecified vulnerability in the LDAP dissector in Wireshark 1.8.x before 1.8.10 and 1.10.x before 1.10.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet. (CVE-2013-5722) |
| Alerts: |
|
Comments (none posted)
wordpress: multiple vulnerabilities
| Package(s): | wordpress |
CVE #(s): | CVE-2013-4338
CVE-2013-4339
CVE-2013-4340
CVE-2013-5738
CVE-2013-5739
|
| Created: | September 16, 2013 |
Updated: | September 27, 2013 |
| Description: |
From the CVE entries:
wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations. (CVE-2013-4338)
WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string. (CVE-2013-4339)
wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter. (CVE-2013-4340)
The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file. (CVE-2013-5738)
The default configuration of WordPress before 3.6.1 does not prevent uploads of .swf and .exe files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file, related to the get_allowed_mime_types function in wp-includes/functions.php. (CVE-2013-5739) |
| Alerts: |
|
Comments (none posted)
Page editor: Jake Edge
Next page: Kernel development>>
