| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
LWN.net Weekly Edition for November 20, 2003
Sun's Linux rising in China
The biggest news for Linux this week, surprisingly, comes from Sun Microsystems. Sun has reached an agreement with the China Standard Software Company (CSSC) that is aimed at putting Sun's Linux solution, the Java Desktop System (JDS), on up to 200 million desktops throughout China. The agreement is set to begin towards the end of this year, with an initial goal of 500,000 to one million seats per year. There is no specific timeline for the ultimate goal of 200 million desktops, and CSSC will need to improve adoption rates significantly beyond 500,000 per year to achieve that figure in a meaningful time frame.CSSC is made up of a group of Chinese high-tech companies, with the backing of the Chinese government and a mandate to create a standard Linux desktop system for the Chinese market. We spoke to Peder Ulander, Director of Marketing for Sun Microsystems Desktop Solutions, about the deal with CSSC and Sun's JDS in general. He tells us that CSSC's final product will be based on JDS, but customized for the Chinese market. Ulander didn't specify how CSSC's version might differ, but noted that it will be running on x86-based computers. At the moment, specific information on CSSC's deployment of a desktop Linux system is fairly sketchy. Ulander said that CSSC will be issuing announcements of its own in the near future.
Why not Solaris for x86? Sun has been touting its x86 Solaris offering pretty heavily lately, and it hasn't exactly shown enthusiasm for Linux despite the fact that the company has a number of Linux offerings. Ulander said that Sun made the decision based on time to market. Though Ulander did not say so, another way to read that would be that Solaris for x86 isn't ready for deployment on existing x86 desktop hardware, while Linux is.
Indeed, JDS has relatively minimal hardware requirements. According to Sun, a recommended minimum configuration for JDS is a Pentium II 266MHz or better, 128 MB of RAM and a 4GB hard disk. While some Linux distributions still run on 386s with 8MB of RAM (or less), the target for JDS seems to be computers originally outfitted with Windows 95 or 98. Ulander noted that Microsoft will be discontinuing support for Windows 95 and Office 95 this year, with Windows NT 4 and OS/2 also losing support in the near future. Companies looking for supported solutions now need to look to newer versions of Windows that will likely require newer hardware as well -- or a migration path to a supported Linux distribution.
Sun's distribution uses the GNOME desktop, Mozilla, StarOffice, Evolution and (not surprisingly) includes a Java Runtime Environment (JRE) for Linux. Ulander said that Sun settled on GNOME rather than KDE because of GNOME's focus on accessibility. From what Sun has revealed about JDS so far, there is little to distinguish their Linux desktop solution from other vendors' solutions. Ulander confirmed that JDS consists of the same components that make up most distributions, but said that Sun's "integration" of the software will set it apart from other distributions.
Of course, Sun's offering is different from other vendors in that it isn't branded "Linux." Ulander said that the name "Java Desktop System" was not meant to obscure the Linux underpinnings of the system, but rather to fit in with the rest of Sun's rebranded product line. According to Ulander, Sun has consolidated 248 individual products into six product lines, including the Java Enterprise System, Java Desktop System and so on.
Sun's published prices are $100 per desktop user, or $50 per employee for existing customers of Sun's Java Enterprise System, but CSSC will be paying less to license JDS. Ulander declined to specify how much less CSSC would be paying, but said that Sun was giving CSSC a deal similar to a typical OEM agreement where the company would pay less than list.
In fact, the deal brings a lot of credibility to Linux in general. But it does give bragging rights to Sun as the company to score the largest Linux desktop deal, at least to date, and may give the company leverage to sell other (more profitable) solutions to companies that make the switch. Ulander called JDS "a door-opener," but said that organizations deploying JDS were in no way dependent on Sun solutions on the server side.
Sun's JDS will be generally available in December of this year. Though Sun has secured a significant spot in the Chinese market with JDS, it will be interesting to see how well Sun fares with the rest of the Linux market.
Meanwhile, it's hard to see how adoption of Linux on such a wide scale anywhere in the world could be a bad thing for the community. Sun was not the only company having talks with CSSC, indicating that CSSC had already settled on Linux, but hadn't decided on a vendor. While Sun may tout this as a success for their business, and it is, it really emphasizes the maturity of Linux as a desktop solution.
SCO update
It has been a busy week or so in the SCO case. Time to catch up with all that has been happening.The company has filed a new Form S-3 as part of the BayStar deal. That deal allows for a conversion of BayStar's preferred stock to the regular variety, so SCO had to go through the motions to register another 3.85 million shares for sale. As usual, these filings give a rare window into what is happening inside a company.
In this filing, SCO revealed (though not in so many words) that its fourth quarter results are going to be horrible. The company did (as was disclosed previously) get another $8 million from Microsoft for a "broader" Unix license. But the company will have to record a charge of $8.7 million related to the BayStar deal. The company also will take a $9 million hit to account for the $1 million in cash and 400,000 shares of stock that it has given to its lawyers. As a result, the company's income will be $17 million lower than it would otherwise have been. It does not look like a profitable quarter for The SCO Group.
SCO's law firm (Boies, Schiller & Flexner LLP) will be taking on the company's defense in the Red Hat case, and in IBM's countersuit as well. There was a great effort to put a positive spin on things at SCO's November 18 conference call (transcript available here); it is claimed that SCO will be setting Boies et al. on Linux end users within "the next 90 days." These, it is claimed, will be direct copyright suits, based on a whole new pile of "directly copied" code that has been found lurking somewhere in the Linux kernel. Of course, they can't tell us where that code would be.
The conference call hinted that, if SCO does really decide that it needs more legal battles, it is likely to go after HP customers. There was much satisfied talk of HP's indemnification offer, and speculation as to whether HP would pay license claims directly or choose, instead, to defend a lawsuit. As had been predicted months ago, HP's indemnification offer may well have just served to turn that company - and its customers - into low-hanging fruit for an SCO legal offensive.
SCO has finally spoken out on Novell's acquisition of SUSE. That deal, says SCO, would violate Novell's non-compete agreement with SCO. If the acquisition goes forward, SCO claims it plans to take action against Novell. Happily for us, the agreement in question is available on the net; the relevant text (section 1.6) reads:
If you buy SCO's argument that Linux is Unix with the serial numbers filed off, then SCO might actually have a leg to stand on here. If, instead, you believe that Linux is Linux and SCO has no right to steal it, SCO's non-compete argument makes no sense. The non-compete agreement only applies to what Novell does with Unix.
In the Red Hat case, SCO continues to try to get the suit thrown out, or, at least, to delay things. Given the "90 days" discussion in the teleconference, SCO's position that it has not threatened to sue anybody appears to be even shakier than before. This case is now waiting for a ruling from the judge on the various motions.
In the IBM case, the November 21 conference before the judge looms. If it still appears that SCO is failing to respond to IBM's discovery requests, oral arguments will happen on December 5. Sometime thereafter, SCO could find itself compelled by the judge to put forward its evidence or shut up. SCO may try to draw its own motion to compel discovery into the discussion as well.
SCO's supplemental responses to IBM's requests included some amusement in the form of a list of files that, according to SCO, contain its property. The file list looks like:
arch.i386.kernel.i8259.c arch.i386.kernel.timers.timer_tsc.c arch.i386.mach-default.topology.c arch.i386.mach-pc9800.topology.c arch.i386.mm.discontig.c
And so on. Many people wondered why the files were listed in this sort of "flattened" form until it was pointed out that SCO's Unix offerings lack a version of "grep" which can do recursive searches. They had to have some poor intern rename all of the files into a single directory so that they could search through them.
Their searches were simplistic, to say the least. One of the files listed was (in standard Linux naming format) include/asm-m68k/spinlock.h, the entire contents of which are:
#ifndef __M68K_SPINLOCK_H
#define __M68K_SPINLOCK_H
#error "m68k doesn't do SMP yet"
#endif
One does, indeed, wonder how Linux was able to compete before IBM stole all that nice SCO technology. Seriously, though, it appears that SCO did a simple grep for "SMP" and listed every file that popped up with no regard to what was contained therein. Thus we see the quality of SCO's evidence.
Recent rhetoric from SCO has brought with it an interesting change: the company is now, repeatedly, talking about the old USL v. BSDI settlement. For those who have not yet seen it, taking some time to read the ruling which led to that settlement may be worthwhile. The introduction in the "statement of facts" is eerily familiar:
"Allegedly proprietary" is the judge's wording. This judge concluded that USL had failed to show that any copyrights or trade secrets in Unix could be enforced. The subsequent settlement freed the BSD code base for distribution. SCO is the successor to USL; why it wants to reopen this case at this time is currently a mystery. There have been occasional hints from SCO that it plans to go after BSD in the future; perhaps they are trying to tell us that this attack is getting closer. One publication quoted Darl McBride as saying that suits against BSD could happen in the first half of next year.
Where things will go from here is anybody's guess. The motions to compel in Utah and Red Hat's suit in Delaware could bring things to a head relatively quickly. Counting on the U.S. justice system to bring this situation to a quick conclusion is risky, however. We may be fighting this battle for some time yet.
Governmental open source directives in Italy
At the end of October, the Italian Dipartimento per l'Innovazione e le Technologie ("Department of Innovation and Technology") issued a press release (in Italian) regarding a new set of directives for the use of open source software in the public sector. The actual directives are not yet available - they will not be released until officially published by the government - but the press release gives an overview of what will be there. Italy, it seems, is trying to put itself at the forefront of governments adopting free software.The following are the key points, painfully translated by your editor:
Comparative analysis of solutions: The "Stanca Open Source Directive" [Lucio Stanca is the minister responsible for all this] requires that public administrations must acquire software based on comparative technical and economic evaluation of the various solutions available in the market, taking into account the administration's needs, but also taking into account the possibility of developing specific programs in-house (or under contract) and the reuse of special-purpose programs developed in other agencies.
The evaluation must consider also the total cost of ownership and the cost of exit from each solution, but it must also consider the possible interests of other agencies in reusing the chosen solution. In cases where proprietary software is to be licensed, the administration must obtain a contractual guarantee that, if the vendor becomes unable to support the software, the source code and relevant documentation will be made available.
Technical criteria: public agencies, when acquiring software, must favor solutions which:
- Assure interoperability and cooperation between the various computing systems of the public administration, with the exception of situations requiring particular security or secrecy.
- Render information systems independent of a single vendor or a single proprietary technology.
- Guarantee the availability of source code for inspection and traceability by the public administration.
- Export data and documents in multiple formats, of which at least one is an open format.
Ownership of software: In the case of programs developed for a specific purpose, the commissioning agency will acquire the ownership of the software given that it has contributed out of its own resources to the identification of the requirements, the functional analysis, the control, and testing of the software implemented by the vendor.
Transferability of software licenses: Public administrations will obtain contractual assurance of their ability to transfer software licenses in case that agency replaces the program with another performing the same function.
Reuse: In order to encourage reuse of software owned by the administration, the project goals and specifications must allow for portability to other platforms. Contracts for software developed at public expense must include clauses that commit the vendor to making available services to enable the reuse of the software.
Interestingly, this "open source directive" says almost nothing about open source licensing; it is more focused on specific goals: software reuse, ability to inspect the code, ability to switch to a different solution. This is a good thing, of course; wiring specific licenses into the law is probably not the right way to go. The directive also says nothing about open source licensing for software developed for the government; as long as the software can be reused within the government, the rules will be satisfied.
There is little consensus on how strongly governmental bodies should be encouraged - or forced - to use free software. But it is hard to argue against criteria that call for interoperability, software reuse, and the ability to avoid being bound to a single vendor. It will be interesting to see what sort of software mix the Italian government ends up with after these rules have been in force for a few years.
On comment abuse
We resisted the idea of allowing reader comments on the site for years out of concern that some people would post things which detracted from the quality of LWN. A year and a half ago, we decided that we could trust our readers to do the right thing, and our experience since then has largely verified that decision. More recently, however, we have begun to have problems with comment spammers and trolls. The problem is small, for now, and a bit of carefully targeted firewalling appears to have slowed the latest troll down considerably. We have been on the net for long enough to know, however, that problems of this sort rarely get better by themselves. Instead, they tend to get steadily worse until the signal is drowned out by the noise. We do not intend to let that happen to LWN.So we are going to have to do something; it's just a matter of figuring out what. There are a few options under consideration; we would appreciate feedback from our readers on which idea seems best.
- One option is manual moderation of comments by the LWN editors,
perhaps augmented by a small number of trusted readers. The problem
with this approach is that we really do not want to get into the
business of censoring comments. It is an unpleasant occupation, and
active control of comments might open us up to interesting liability
issues.
- We could implement a reader moderation mechanism which would allow the
trolls and spam to sift to the bottom of the pile. In the long term,
this might be the best solution. It will require some significant
site hacking to implement, however, and it will put strains on the
database that will force a server upgrade (which is increasingly
necessary anyway).
- Comment posting privileges could be restricted to subscribers. This
one is trivial to implement. It would have the effect of silencing
non-subscribers, however. Currently about 1/3 of the comments on the
site are posted by non-subscribers, and almost none of those are
abusive. Closing out non-subscribers would deprive us of a lot of
good comments to get rid of a small number of bad ones.
- A preference flag could be added to allow readers to filter out comments by non-subscribers. This would be less draconian than silencing non-subscribers outright, but it still punishes a large community of readers for the behavior of a very small number of people.
The decision we make here will affect the feel of LWN.net into the future; we want to do the right thing. If you have any thoughts on the matter, we encourage you to post them as a comment to this article (no trolls or spam please).
Come back early next week
Next week's LWN.net Weekly Edition will be published on Wednesday, November 26 (one day earlier than usual) so that we can enjoy the Thanksgiving holiday. LWN is important, but pumpkin pie wins every time.
Page editor: Jonathan Corbet
Security
Security news
Security updates for old Red Hat releases
Sites which have deployed Red Hat Linux have a difficult choice ahead of them. In the near future, Red Hat will cease providing security updates for these releases. If you have a Red Hat Linux system exposed to the net, you should be thinking about how you will keep it secure once the official updates stop coming. There are a number of choices available, none of which is perfect:
- Move over to Fedora core. Updates will be available for Fedora Core
releases, but only until the next version comes out. The update
policy for Fedora also differs from that of Red Hat Linux; rather than
backport fixes to the version of the affected program which was
originally distributed, Fedora will simply move to the current
version. That change will make security updates potentially more
disruptive. Updating the full system to a new Fedora Core release
twice a year may not be a viable option for many applications.
- Switch to a Red Hat Enterprise Linux release. RHEL will offer
long-term support and relative stability; all you have to do is pay
the price. Given that (as reported on
News.com) over 90% of RHEL customers are renewing their subscriptions,
it would appear that Red Hat is offering services with a real value.
Not everybody will be willing or able to pay that price tag, however.
- Switch to another distribution entirely. The nice thing about Linux
is that you can switch to another vendor when the need arises.
That still does not imply that changing distributions is a fun or easy
process, however.
- Maintain security-critical packages in-house, from source. This approach would work, assuming there is somebody with enough technical expertise available who can also find the time to do that sort of maintenance.
Red Hat Linux users are lucky; users of a proprietary system would not have such a wealth of choices available to them. Even so, these users can be forgiven for occasionally wishing that a "go on as if nothing had changed" option existed as well.
That could yet happen. The Fedora Legacy Project is forming with the goal of supporting Red Hat Linux and Fedora Core releases past their official end of life. This project is still in its organizational stages (the inevitable press release is still in draft form) but its volunteers intend to start producing security updates for (at least) Red Hat Linux 7.3 by the beginning of 2004, when support for that release ends. Whether support for the 8.0 release will be offered remains unclear; it depends on whether volunteers show up to produce the updates. There are plans to support Red Hat Linux 9, however.
Continuing to use a deployed Red Hat Linux system with the expectation that the Fedora Legacy Project will supply security updates is a bit of a risky option. The project is new and still organizing; there is no way to know whether it will put together the necessary mass of sufficiently talented and motivated engineers to produce reliable security updates in a timely manner. There is no doubt that a volunteer project can perform this sort of task with high-quality results, however, and there should be enough deployed Red Hat Linux systems to motivate a large pool of potential contributors.
Strange web server traffic
If you run a web server, and you pay any attention at all to its logs, you may be seeing many entries that look like:
SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02...
(Though the actual lines are very long). If you think it looks like an attack, you are correct. It is, however, an exploit for an old IIS vulnerability. Thus, most readers of this site need not be too worried about this one.
New vulnerabilities
glibc: local DoS vulnerability
| Package(s): | glibc | CVE #(s): | CAN-2003-0859 | |||
| Created: | November 14, 2003 | Updated: | November 18, 2003 | |||
| Description: | Herbert Xu reported that various applications can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The glibc function getifaddrs uses netlink and could therefore be vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0859 to this issue. | |||||
| Alerts: |
| |||||
minimalist: unsanitized input
| Package(s): | minimalist | CVE #(s): | CAN-2003-0902 | |||
| Created: | November 17, 2003 | Updated: | November 18, 2003 | |||
| Description: | A security-related problem has been discovered in minimalist, a mailing list manager, which allows a remote attacker to execute arbitrary commands. | |||||
| Alerts: |
| |||||
pstack: Buffer overflow
| Package(s): | pstack | CVE #(s): | ||||
| Created: | November 13, 2003 | Updated: | November 18, 2003 | |||
| Description: | pstack dumps a stack trace for a process, given the pid of that process. Versions prior to 1.2.3 contain a potential buffer overflow vulnerability. | |||||
| Alerts: |
| |||||
zebra: denial of service vulnerability
| Package(s): | zebra | CVE #(s): | CAN-2003-0795 CAN-2003-0858 | ||||||||||||
| Created: | November 13, 2003 | Updated: | January 7, 2004 | ||||||||||||
| Description: | Zebra an open source implementation of TCP/IP routing software.
Jonny Robertson reported that Zebra can be remotely crashed if a Zebra password has been enabled and a remote attacker can connect to the Zebra telnet management port. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0795 to this issue. Herbert Xu reported that Zebra can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0858 to this issue. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Updated vulnerabilities
2.4 kernel - several vulnerabilities
| Package(s): | 2.4 kernel | CVE #(s): | CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552 | |||||||||||||||||||||||||||
| Created: | July 21, 2003 | Updated: | December 23, 2003 | |||||||||||||||||||||||||||
| Description: | Several security issues have been discovered affecting the Linux kernel:
| |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
CUPS: denial of service
| Package(s): | CUPS | CVE #(s): | CAN-2003-0788 | ||||||||||||
| Created: | November 3, 2003 | Updated: | March 4, 2004 | ||||||||||||
| Description: | Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631). | ||||||||||||||
| Alerts: |
| ||||||||||||||
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm | CVE #(s): | CAN-2002-1323 | |||||||||||||||
| Created: | October 9, 2002 | Updated: | February 20, 2004 | |||||||||||||||
| Description: | usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
XFree86 4.3.0 integer overflows in font libraries
| Package(s): | XFree86 | CVE #(s): | CAN-2003-0730 | |||||||||||||||
| Created: | September 12, 2003 | Updated: | November 25, 2003 | |||||||||||||||
| Description: | Several vulnerabilities were discovered by blexim(at)hush.com in the font libraries of XFree86 version 4.3.0 and earlier. These bugs could potentially lead to execution of arbitrary code or a DoS by a remote user in any way that calls these functions, which are related to the transfer and enumeration of fonts from font servers to clients. See the advisory for additional details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
apache: buffer overflows in mod_alias, mod_rewrite
| Package(s): | apache | CVE #(s): | CAN-2003-0542 CAN-2003-0789 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | October 28, 2003 | Updated: | February 13, 2004 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | André Malo discovered
buffer overflows in the mod_alias and mod_rewrite modules of the Apache
webserver. These occurred if a regular expression with more than 9
capturing parenthesis was configured. To exploit this, an attacker would
need to be able to locally create a carefully crafted configuration file
(.htaccess or httpd.conf).
CAN-2003-0542
Another buffer overflow in Apache 2.0.47 and earlier in mod_cgid's mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used. CAN-2003-0789. | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
apache2: Denial of Service vulnerability
| Package(s): | apache2 | CVE #(s): | |||||||||||||
| Created: | September 29, 2003 | Updated: | March 25, 2004 | ||||||||||||
| Description: | A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details. | ||||||||||||||
| Alerts: |
| ||||||||||||||
conquest: buffer overflow
| Package(s): | conquest | CVE #(s): | CAN-2003-0933 | |||
| Created: | November 10, 2003 | Updated: | November 12, 2003 | |||
| Description: | Steve Kemp discovered a buffer overflow in the environment variable handling of conquest, a curses based, real-time, multi-player space warfare game, which could lead a local attacker to gain unauthorized access to the group conquest. | |||||
| Alerts: |
| |||||
epic4: buffer overflow
| Package(s): | epic4 | CVE #(s): | CAN-2003-0328 | |||||||||
| Created: | November 10, 2003 | Updated: | November 25, 2003 | |||||||||
| Description: | Jeremy Nelson discovered a remotely exploitable buffer overflow in EPIC4, a popular client for Internet Relay Chat (IRC). A malicious server could craft a reply which triggers the client to allocate a negative amount of memory. This could lead to a denial of service if the client only crashes, but may also lead to executing of arbitrary code under the user id of the chatting user. | |||||||||||
| Alerts: |
| |||||||||||
ethereal: multiple remote and local vulnerabilities
| Package(s): | ethereal | CVE #(s): | CAN-2003-0925 CAN-2003-0926 CAN-2003-0927 | |||||||||||||||
| Created: | November 10, 2003 | Updated: | December 17, 2003 | |||||||||||||||
| Description: | Multiple vulnerabilities have been found in ethereal versions below 0.9.16. Remote attackers can craft packets, and local users can build corrupt trace files, resulting denial of service and remote code execution. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Filename disclosure vulnerability in fam
| Package(s): | fam | CVE #(s): | CAN-2002-0875 | ||||||
| Created: | August 19, 2002 | Updated: | January 5, 2005 | ||||||
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. | ||||||||
| Alerts: |
| ||||||||
fetchmail may crash on specially crafted message
| Package(s): | fetchmail | CVE #(s): | CAN-2003-0792 | ||||||||||||||||||
| Created: | October 16, 2003 | Updated: | April 8, 2004 | ||||||||||||||||||
| Description: | A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
fileutils/wu-ftpd: denial of service
| Package(s): | fileutils | CVE #(s): | CAN-2003-0854 | |||||||||||||||||||||
| Created: | October 22, 2003 | Updated: | March 2, 2004 | |||||||||||||||||||||
| Description: | There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
glibc - buffer overflow
| Package(s): | glibc | CVE #(s): | CAN-2003-0689 | |||||||||||||||
| Created: | October 15, 2003 | Updated: | November 25, 2003 | |||||||||||||||
| Description: | The GNU C library contains a buffer overflow in the getgrouplist() function. If the user belongs to more groups than the calling application expects, the allocated storage will be overrun. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc | CVE #(s): | CAN-2002-1146 | |||||||||
| Created: | November 7, 2002 | Updated: | February 5, 2004 | |||||||||
| Description: | DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash). | |||||||||||
| Alerts: |
| |||||||||||
gnupg: key validation
| Package(s): | gnupg | CVE #(s): | CAN-2003-0255 | |||||||||||||||||||||||||||
| Created: | May 15, 2003 | Updated: | November 17, 2003 | |||||||||||||||||||||||||||
| Description: | A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more then one user ID to trust all user ID's with the amount of trust given to the most-valid user ID. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml | CVE #(s): | CAN-2003-0133 CAN-2003-0541 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | April 18, 2005 | ||||||||||||||||||
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
hylafax: remote code execution
| Package(s): | hylafax | CVE #(s): | CAN-2003-0886 | |||||||||||||||
| Created: | November 10, 2003 | Updated: | November 20, 2003 | |||||||||||||||
| Description: | Hylafax is an Open Source fax server which allows sharing of fax equipment among computers by offering its service to clients by a protocol similar to FTP. The SuSE Security Team found a format bug condition during a code review of the hfaxd server. It allows remote attackers to execute arbitrary code as root. However, the bug can not be triggered in hylafax's default configuration. The "capi4hylafax" packages also need to be updated as a dependency where they are available. Upgrading to version 4.1.8 fixes the problem; see this advisory for details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
KDE: Two issues in KDM
| Package(s): | kde, xfree86 | CVE #(s): | CAN-2003-0690 CAN-2003-0692 | ||||||||||||||||||
| Created: | September 16, 2003 | Updated: | December 19, 2003 | ||||||||||||||||||
| Description: | According to this advisory two issues have
been discovered in KDM:
| ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils | CVE #(s): | CAN-2003-0019 | |||
| Created: | February 7, 2003 | Updated: | January 21, 2005 | |||
| Description: | The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: chmod -s /usr/bin/uml_net | |||||
| Alerts: |
| |||||
libnids: remotely exploitable buffer overflow
| Package(s): | libnids | CVE #(s): | CAN-2003-0850 | |||||||||
| Created: | October 29, 2003 | Updated: | January 6, 2004 | |||||||||
| Description: | libnids (a NIDS plugin which emulates the Linux 2.0 IP stack) contains a buffer overflow vulnerability which can be exploited remotely. Version 1.18 fixes the problem. | |||||||||||
| Alerts: |
| |||||||||||
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 | CVE #(s): | CAN-2002-1363 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 19, 2002 | Updated: | July 14, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
mikmod: buffer overflow
| Package(s): | mikmod | CVE #(s): | CAN-2003-0427 | |||||||||||||||
| Created: | June 16, 2003 | Updated: | June 16, 2005 | |||||||||||||||
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
mpg123: heap overflow
| Package(s): | mpg123 | CVE #(s): | CAN-2003-0865 | |||||||||
| Created: | November 12, 2003 | Updated: | February 19, 2004 | |||||||||
| Description: | Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details. | |||||||||||
| Alerts: |
| |||||||||||
mplayer: remotely exploitable buffer overflow vulnerability
| Package(s): | mplayer | CVE #(s): | CAN-2003-0835 | |||||||||||||||
| Created: | September 29, 2003 | Updated: | April 6, 2004 | |||||||||||||||
| Description: | A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Nessus NASL scripting engine security issues
| Package(s): | nessus | CVE #(s): | ||||
| Created: | May 27, 2003 | Updated: | August 12, 2004 | |||
| Description: | Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information. | |||||
| Alerts: |
| |||||
nfs-utils xlog() off-by-one bug
| Package(s): | nfs-utils | CVE #(s): | CAN-2003-0252 | ||||||||||||||||||||||||||||||||||||
| Created: | July 14, 2003 | Updated: | March 8, 2004 | ||||||||||||||||||||||||||||||||||||
| Description: | Linux NFS utils package contains remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending specially crafted request to rpc.mountd daemon. See this BugTraq post for more details. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
omega-rpg: buffer overlow
| Package(s): | omega-rpg | CVE #(s): | CAN-2003-0932 | |||
| Created: | November 11, 2003 | Updated: | November 12, 2003 | |||
| Description: | Steve Kemp discovered a buffer overflow in the commandline and environment variable handling of omega-rpg, a text-based rogue-style game of dungeon exploration, which could lead a local attacker to gain unauthorized access to the group games. | |||||
| Alerts: |
| |||||
openssh: timing attack leads to information disclosure
| Package(s): | openssh | CVE #(s): | CAN-2003-0190 | |||||||||||||||
| Created: | May 2, 2003 | Updated: | November 30, 2004 | |||||||||||||||
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
postfix: denial of service vulnerabilities
| Package(s): | postfix | CVE #(s): | CAN-2003-0468 CAN-2003-0540 | ||||||||||||||||||||||||
| Created: | August 5, 2003 | Updated: | May 27, 2004 | ||||||||||||||||||||||||
| Description: | The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
postgresql: remote code execution
| Package(s): | postgresql | CVE #(s): | CAN-2003-0901 | ||||||||||||||||||
| Created: | October 30, 2003 | Updated: | November 17, 2003 | ||||||||||||||||||
| Description: | Two bugs leading to a buffer overflow in the PostgreSQL RDBMS, versions 7.2.x and
7.3.x prior to 7.3.4, were discovered. The vulnerability exists in the
PostgreSQL abstract data type (ADT) to ASCII conversion functions.
It has been conjectured that excessive data passed to the involved to_ascii_xxx() functions may overrun the bounds of an insufficient buffer reserved in heap memory, resulting in the corruption of heap based memory management structures that are adjacent to it. It is currently believed that under the correct circumstances an attacker may use this to execute arbitrary instructions in the context of the PostgreSQL server. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0901 to the problem. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
proftpd: remote root shell
| Package(s): | proftpd | CVE #(s): | CAN-2003-0831 | |||||||||||||||||||||
| Created: | September 24, 2003 | Updated: | January 2, 2004 | |||||||||||||||||||||
| Description: | The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
sane-backends: several vulnerabilities
| Package(s): | sane-backends | CVE #(s): | CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778 | ||||||||||||||||||
| Created: | September 11, 2003 | Updated: | February 20, 2004 | ||||||||||||||||||
| Description: | Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the sane-backends package, which contains
an API library for scanners including a scanning daemon (in the
package libsane) that can be remotely exploited. These problems allow
a remote attacker to cause a segfault fault and/or consume arbitrary
amounts of memory. The attack is successful, even if the attacker's
computer isn't listed in saned.conf.
You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe. Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe. The Common Vulnerabilities and Exposures project identifies the following problems:
| ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
sendmail: remotely exploitable buffer overflow
| Package(s): | sendmail | CVE #(s): | CAN-2003-0694 CAN-2003-0681 | |||||||||||||||||||||||||||||||||
| Created: | September 17, 2003 | Updated: | November 18, 2003 | |||||||||||||||||||||||||||||||||
| Description: | Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
stunnel: signal handler reentrancy DoS
| Package(s): | stunnel | CVE #(s): | CAN-2002-1563 | ||||||||||||||||||
| Created: | July 25, 2003 | Updated: | November 25, 2003 | ||||||||||||||||||
| Description: | Stunnel is a wrapper for network connections. It can be used to tunnel an
unencrypted network connection over a secure connection (encrypted using
SSL or TLS) or to provide a secure means of connecting to services that do
not natively support encryption.
When configured to listen for incoming connections (instead of being invoked by xinetd), stunnel can be configured to either start a thread or a child process to handle each new connection. If Stunnel is configured to start a new child process to handle each connection, it will receive a SIGCHLD signal when that child exits. Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal handler which, if interrupted by another SIGCHLD signal, could be unsafe. This could lead to a denial of service. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip | CVE #(s): | CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399 | |||||||||||||||||||||||||||
| Created: | October 1, 2002 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 | CVE #(s): | |||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 21, 2002 | Updated: | October 5, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
unzip: directory traversal vulnerability
| Package(s): | unzip | CVE #(s): | CAN-2003-0282 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | July 1, 2003 | Updated: | November 13, 2003 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | A vulnerabilitiy in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information. | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
vim - modeline vulnerability
| Package(s): | vim | CVE #(s): | CAN-2002-1377 | |||||||||||
| Created: | January 16, 2003 | Updated: | February 10, 2004 | |||||||||||
| Description: | VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed. | |||||||||||||
| Alerts: |
| |||||||||||||