LWN.net Logo

LWN.net Weekly Edition for November 20, 2003

Sun's Linux rising in China

November 19, 2003

This article was contributed by Joe 'Zonker' Brockmeier.

The biggest news for Linux this week, surprisingly, comes from Sun Microsystems. Sun has reached an agreement with the China Standard Software Company (CSSC) that is aimed at putting Sun's Linux solution, the Java Desktop System (JDS), on up to 200 million desktops throughout China. The agreement is set to begin towards the end of this year, with an initial goal of 500,000 to one million seats per year. There is no specific timeline for the ultimate goal of 200 million desktops, and CSSC will need to improve adoption rates significantly beyond 500,000 per year to achieve that figure in a meaningful time frame.
Advertisement

CSSC is made up of a group of Chinese high-tech companies, with the backing of the Chinese government and a mandate to create a standard Linux desktop system for the Chinese market. We spoke to Peder Ulander, Director of Marketing for Sun Microsystems Desktop Solutions, about the deal with CSSC and Sun's JDS in general. He tells us that CSSC's final product will be based on JDS, but customized for the Chinese market. Ulander didn't specify how CSSC's version might differ, but noted that it will be running on x86-based computers. At the moment, specific information on CSSC's deployment of a desktop Linux system is fairly sketchy. Ulander said that CSSC will be issuing announcements of its own in the near future.

Why not Solaris for x86? Sun has been touting its x86 Solaris offering pretty heavily lately, and it hasn't exactly shown enthusiasm for Linux despite the fact that the company has a number of Linux offerings. Ulander said that Sun made the decision based on time to market. Though Ulander did not say so, another way to read that would be that Solaris for x86 isn't ready for deployment on existing x86 desktop hardware, while Linux is.

Indeed, JDS has relatively minimal hardware requirements. According to Sun, a recommended minimum configuration for JDS is a Pentium II 266MHz or better, 128 MB of RAM and a 4GB hard disk. While some Linux distributions still run on 386s with 8MB of RAM (or less), the target for JDS seems to be computers originally outfitted with Windows 95 or 98. Ulander noted that Microsoft will be discontinuing support for Windows 95 and Office 95 this year, with Windows NT 4 and OS/2 also losing support in the near future. Companies looking for supported solutions now need to look to newer versions of Windows that will likely require newer hardware as well -- or a migration path to a supported Linux distribution.

Sun's distribution uses the GNOME desktop, Mozilla, StarOffice, Evolution and (not surprisingly) includes a Java Runtime Environment (JRE) for Linux. Ulander said that Sun settled on GNOME rather than KDE because of GNOME's focus on accessibility. From what Sun has revealed about JDS so far, there is little to distinguish their Linux desktop solution from other vendors' solutions. Ulander confirmed that JDS consists of the same components that make up most distributions, but said that Sun's "integration" of the software will set it apart from other distributions.

Of course, Sun's offering is different from other vendors in that it isn't branded "Linux." Ulander said that the name "Java Desktop System" was not meant to obscure the Linux underpinnings of the system, but rather to fit in with the rest of Sun's rebranded product line. According to Ulander, Sun has consolidated 248 individual products into six product lines, including the Java Enterprise System, Java Desktop System and so on.

Sun's published prices are $100 per desktop user, or $50 per employee for existing customers of Sun's Java Enterprise System, but CSSC will be paying less to license JDS. Ulander declined to specify how much less CSSC would be paying, but said that Sun was giving CSSC a deal similar to a typical OEM agreement where the company would pay less than list.

We're making money on the deal, but when you look at it this deal is not about, "cool we closed a deal," it's a market-tipping deal, setting the standard... This is a landmark deal. A fairly large region investing in this space, it brings a lot more credibility to what we're doing...

In fact, the deal brings a lot of credibility to Linux in general. But it does give bragging rights to Sun as the company to score the largest Linux desktop deal, at least to date, and may give the company leverage to sell other (more profitable) solutions to companies that make the switch. Ulander called JDS "a door-opener," but said that organizations deploying JDS were in no way dependent on Sun solutions on the server side.

Sun's JDS will be generally available in December of this year. Though Sun has secured a significant spot in the Chinese market with JDS, it will be interesting to see how well Sun fares with the rest of the Linux market.

Meanwhile, it's hard to see how adoption of Linux on such a wide scale anywhere in the world could be a bad thing for the community. Sun was not the only company having talks with CSSC, indicating that CSSC had already settled on Linux, but hadn't decided on a vendor. While Sun may tout this as a success for their business, and it is, it really emphasizes the maturity of Linux as a desktop solution.

Comments (6 posted)

SCO update

It has been a busy week or so in the SCO case. Time to catch up with all that has been happening.

The company has filed a new Form S-3 as part of the BayStar deal. That deal allows for a conversion of BayStar's preferred stock to the regular variety, so SCO had to go through the motions to register another 3.85 million shares for sale. As usual, these filings give a rare window into what is happening inside a company.

In this filing, SCO revealed (though not in so many words) that its fourth quarter results are going to be horrible. The company did (as was disclosed previously) get another $8 million from Microsoft for a "broader" Unix license. But the company will have to record a charge of $8.7 million related to the BayStar deal. The company also will take a $9 million hit to account for the $1 million in cash and 400,000 shares of stock that it has given to its lawyers. As a result, the company's income will be $17 million lower than it would otherwise have been. It does not look like a profitable quarter for The SCO Group.

SCO's law firm (Boies, Schiller & Flexner LLP) will be taking on the company's defense in the Red Hat case, and in IBM's countersuit as well. There was a great effort to put a positive spin on things at SCO's November 18 conference call (transcript available here); it is claimed that SCO will be setting Boies et al. on Linux end users within "the next 90 days." These, it is claimed, will be direct copyright suits, based on a whole new pile of "directly copied" code that has been found lurking somewhere in the Linux kernel. Of course, they can't tell us where that code would be.

The conference call hinted that, if SCO does really decide that it needs more legal battles, it is likely to go after HP customers. There was much satisfied talk of HP's indemnification offer, and speculation as to whether HP would pay license claims directly or choose, instead, to defend a lawsuit. As had been predicted months ago, HP's indemnification offer may well have just served to turn that company - and its customers - into low-hanging fruit for an SCO legal offensive.

SCO has finally spoken out on Novell's acquisition of SUSE. That deal, says SCO, would violate Novell's non-compete agreement with SCO. If the acquisition goes forward, SCO claims it plans to take action against Novell. Happily for us, the agreement in question is available on the net; the relevant text (section 1.6) reads:

Seller [Novell] agrees that it shall use the Licensed Technology [Unix] only (1) for internal purposes without restriction, or (2) for resale in bundled or integrated products sold by Seller which are not directly competitive with the core products of Buyer [SCO] and in which the Licensed Technology does not constitute a primary portion of the value of the actual bundled or integrated product.

If you buy SCO's argument that Linux is Unix with the serial numbers filed off, then SCO might actually have a leg to stand on here. If, instead, you believe that Linux is Linux and SCO has no right to steal it, SCO's non-compete argument makes no sense. The non-compete agreement only applies to what Novell does with Unix.

In the Red Hat case, SCO continues to try to get the suit thrown out, or, at least, to delay things. Given the "90 days" discussion in the teleconference, SCO's position that it has not threatened to sue anybody appears to be even shakier than before. This case is now waiting for a ruling from the judge on the various motions.

In the IBM case, the November 21 conference before the judge looms. If it still appears that SCO is failing to respond to IBM's discovery requests, oral arguments will happen on December 5. Sometime thereafter, SCO could find itself compelled by the judge to put forward its evidence or shut up. SCO may try to draw its own motion to compel discovery into the discussion as well.

SCO's supplemental responses to IBM's requests included some amusement in the form of a list of files that, according to SCO, contain its property. The file list looks like:

	arch.i386.kernel.i8259.c
	arch.i386.kernel.timers.timer_tsc.c
	arch.i386.mach-default.topology.c
	arch.i386.mach-pc9800.topology.c
	arch.i386.mm.discontig.c

And so on. Many people wondered why the files were listed in this sort of "flattened" form until it was pointed out that SCO's Unix offerings lack a version of "grep" which can do recursive searches. They had to have some poor intern rename all of the files into a single directory so that they could search through them.

Their searches were simplistic, to say the least. One of the files listed was (in standard Linux naming format) include/asm-m68k/spinlock.h, the entire contents of which are:

    #ifndef __M68K_SPINLOCK_H
    #define __M68K_SPINLOCK_H

    #error "m68k doesn't do SMP yet"

    #endif

One does, indeed, wonder how Linux was able to compete before IBM stole all that nice SCO technology. Seriously, though, it appears that SCO did a simple grep for "SMP" and listed every file that popped up with no regard to what was contained therein. Thus we see the quality of SCO's evidence.

Recent rhetoric from SCO has brought with it an interesting change: the company is now, repeatedly, talking about the old USL v. BSDI settlement. For those who have not yet seen it, taking some time to read the ruling which led to that settlement may be worthwhile. The introduction in the "statement of facts" is eerily familiar:

The central issue here is whether Defendants BSDI and Regents appropriated parts of Plaintiff's allegedly proprietary program "UNIX," and then used and distributed these parts without authorization in violation of Plaintiff's copyrights and trade secrets.

"Allegedly proprietary" is the judge's wording. This judge concluded that USL had failed to show that any copyrights or trade secrets in Unix could be enforced. The subsequent settlement freed the BSD code base for distribution. SCO is the successor to USL; why it wants to reopen this case at this time is currently a mystery. There have been occasional hints from SCO that it plans to go after BSD in the future; perhaps they are trying to tell us that this attack is getting closer. One publication quoted Darl McBride as saying that suits against BSD could happen in the first half of next year.

Where things will go from here is anybody's guess. The motions to compel in Utah and Red Hat's suit in Delaware could bring things to a head relatively quickly. Counting on the U.S. justice system to bring this situation to a quick conclusion is risky, however. We may be fighting this battle for some time yet.

Comments (14 posted)

Governmental open source directives in Italy

At the end of October, the Italian Dipartimento per l'Innovazione e le Technologie ("Department of Innovation and Technology") issued a press release (in Italian) regarding a new set of directives for the use of open source software in the public sector. The actual directives are not yet available - they will not be released until officially published by the government - but the press release gives an overview of what will be there. Italy, it seems, is trying to put itself at the forefront of governments adopting free software.

The following are the key points, painfully translated by your editor:

Comparative analysis of solutions: The "Stanca Open Source Directive" [Lucio Stanca is the minister responsible for all this] requires that public administrations must acquire software based on comparative technical and economic evaluation of the various solutions available in the market, taking into account the administration's needs, but also taking into account the possibility of developing specific programs in-house (or under contract) and the reuse of special-purpose programs developed in other agencies.

The evaluation must consider also the total cost of ownership and the cost of exit from each solution, but it must also consider the possible interests of other agencies in reusing the chosen solution. In cases where proprietary software is to be licensed, the administration must obtain a contractual guarantee that, if the vendor becomes unable to support the software, the source code and relevant documentation will be made available.

Technical criteria: public agencies, when acquiring software, must favor solutions which:

  • Assure interoperability and cooperation between the various computing systems of the public administration, with the exception of situations requiring particular security or secrecy.
  • Render information systems independent of a single vendor or a single proprietary technology.
  • Guarantee the availability of source code for inspection and traceability by the public administration.
  • Export data and documents in multiple formats, of which at least one is an open format.

Ownership of software: In the case of programs developed for a specific purpose, the commissioning agency will acquire the ownership of the software given that it has contributed out of its own resources to the identification of the requirements, the functional analysis, the control, and testing of the software implemented by the vendor.

Transferability of software licenses: Public administrations will obtain contractual assurance of their ability to transfer software licenses in case that agency replaces the program with another performing the same function.

Reuse: In order to encourage reuse of software owned by the administration, the project goals and specifications must allow for portability to other platforms. Contracts for software developed at public expense must include clauses that commit the vendor to making available services to enable the reuse of the software.

Interestingly, this "open source directive" says almost nothing about open source licensing; it is more focused on specific goals: software reuse, ability to inspect the code, ability to switch to a different solution. This is a good thing, of course; wiring specific licenses into the law is probably not the right way to go. The directive also says nothing about open source licensing for software developed for the government; as long as the software can be reused within the government, the rules will be satisfied.

There is little consensus on how strongly governmental bodies should be encouraged - or forced - to use free software. But it is hard to argue against criteria that call for interoperability, software reuse, and the ability to avoid being bound to a single vendor. It will be interesting to see what sort of software mix the Italian government ends up with after these rules have been in force for a few years.

Comments (3 posted)

On comment abuse

We resisted the idea of allowing reader comments on the site for years out of concern that some people would post things which detracted from the quality of LWN. A year and a half ago, we decided that we could trust our readers to do the right thing, and our experience since then has largely verified that decision. More recently, however, we have begun to have problems with comment spammers and trolls. The problem is small, for now, and a bit of carefully targeted firewalling appears to have slowed the latest troll down considerably. We have been on the net for long enough to know, however, that problems of this sort rarely get better by themselves. Instead, they tend to get steadily worse until the signal is drowned out by the noise. We do not intend to let that happen to LWN.

So we are going to have to do something; it's just a matter of figuring out what. There are a few options under consideration; we would appreciate feedback from our readers on which idea seems best.

  • One option is manual moderation of comments by the LWN editors, perhaps augmented by a small number of trusted readers. The problem with this approach is that we really do not want to get into the business of censoring comments. It is an unpleasant occupation, and active control of comments might open us up to interesting liability issues.

  • We could implement a reader moderation mechanism which would allow the trolls and spam to sift to the bottom of the pile. In the long term, this might be the best solution. It will require some significant site hacking to implement, however, and it will put strains on the database that will force a server upgrade (which is increasingly necessary anyway).

  • Comment posting privileges could be restricted to subscribers. This one is trivial to implement. It would have the effect of silencing non-subscribers, however. Currently about 1/3 of the comments on the site are posted by non-subscribers, and almost none of those are abusive. Closing out non-subscribers would deprive us of a lot of good comments to get rid of a small number of bad ones.

  • A preference flag could be added to allow readers to filter out comments by non-subscribers. This would be less draconian than silencing non-subscribers outright, but it still punishes a large community of readers for the behavior of a very small number of people.

The decision we make here will affect the feel of LWN.net into the future; we want to do the right thing. If you have any thoughts on the matter, we encourage you to post them as a comment to this article (no trolls or spam please).

Comments (88 posted)

Come back early next week

Next week's LWN.net Weekly Edition will be published on Wednesday, November 26 (one day earlier than usual) so that we can enjoy the Thanksgiving holiday. LWN is important, but pumpkin pie wins every time.

Comments (2 posted)

Page editor: Jonathan Corbet

Security

Security news

Security updates for old Red Hat releases

Sites which have deployed Red Hat Linux have a difficult choice ahead of them. In the near future, Red Hat will cease providing security updates for these releases. If you have a Red Hat Linux system exposed to the net, you should be thinking about how you will keep it secure once the official updates stop coming. There are a number of choices available, none of which is perfect:

  • Move over to Fedora core. Updates will be available for Fedora Core releases, but only until the next version comes out. The update policy for Fedora also differs from that of Red Hat Linux; rather than backport fixes to the version of the affected program which was originally distributed, Fedora will simply move to the current version. That change will make security updates potentially more disruptive. Updating the full system to a new Fedora Core release twice a year may not be a viable option for many applications.

  • Switch to a Red Hat Enterprise Linux release. RHEL will offer long-term support and relative stability; all you have to do is pay the price. Given that (as reported on News.com) over 90% of RHEL customers are renewing their subscriptions, it would appear that Red Hat is offering services with a real value. Not everybody will be willing or able to pay that price tag, however.

  • Switch to another distribution entirely. The nice thing about Linux is that you can switch to another vendor when the need arises. That still does not imply that changing distributions is a fun or easy process, however.

  • Maintain security-critical packages in-house, from source. This approach would work, assuming there is somebody with enough technical expertise available who can also find the time to do that sort of maintenance.

Red Hat Linux users are lucky; users of a proprietary system would not have such a wealth of choices available to them. Even so, these users can be forgiven for occasionally wishing that a "go on as if nothing had changed" option existed as well.

That could yet happen. The Fedora Legacy Project is forming with the goal of supporting Red Hat Linux and Fedora Core releases past their official end of life. This project is still in its organizational stages (the inevitable press release is still in draft form) but its volunteers intend to start producing security updates for (at least) Red Hat Linux 7.3 by the beginning of 2004, when support for that release ends. Whether support for the 8.0 release will be offered remains unclear; it depends on whether volunteers show up to produce the updates. There are plans to support Red Hat Linux 9, however.

Continuing to use a deployed Red Hat Linux system with the expectation that the Fedora Legacy Project will supply security updates is a bit of a risky option. The project is new and still organizing; there is no way to know whether it will put together the necessary mass of sufficiently talented and motivated engineers to produce reliable security updates in a timely manner. There is no doubt that a volunteer project can perform this sort of task with high-quality results, however, and there should be enough deployed Red Hat Linux systems to motivate a large pool of potential contributors.

Comments (11 posted)

Strange web server traffic

If you run a web server, and you pay any attention at all to its logs, you may be seeing many entries that look like:

    SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02...

(Though the actual lines are very long). If you think it looks like an attack, you are correct. It is, however, an exploit for an old IIS vulnerability. Thus, most readers of this site need not be too worried about this one.

Comments (none posted)

New vulnerabilities

glibc: local DoS vulnerability

Package(s):glibc CVE #(s):CAN-2003-0859
Created:November 14, 2003 Updated:November 18, 2003
Description: Herbert Xu reported that various applications can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The glibc function getifaddrs uses netlink and could therefore be vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0859 to this issue.
Alerts:
Fedora FEDORA-2003-002 2003-11-14

Comments (none posted)

minimalist: unsanitized input

Package(s):minimalist CVE #(s):CAN-2003-0902
Created:November 17, 2003 Updated:November 18, 2003
Description: A security-related problem has been discovered in minimalist, a mailing list manager, which allows a remote attacker to execute arbitrary commands.
Alerts:
Debian DSA-402-1 2003-11-17

Comments (none posted)

pstack: Buffer overflow

Package(s):pstack CVE #(s):
Created:November 13, 2003 Updated:November 18, 2003
Description: pstack dumps a stack trace for a process, given the pid of that process. Versions prior to 1.2.3 contain a potential buffer overflow vulnerability.
Alerts:
Fedora FEDORA-2003-010 2003-11-12

Comments (none posted)

zebra: denial of service vulnerability

Package(s):zebra CVE #(s):CAN-2003-0795 CAN-2003-0858
Created:November 13, 2003 Updated:January 7, 2004
Description: Zebra an open source implementation of TCP/IP routing software.

Jonny Robertson reported that Zebra can be remotely crashed if a Zebra password has been enabled and a remote attacker can connect to the Zebra telnet management port. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0795 to this issue.

Herbert Xu reported that Zebra can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0858 to this issue.

Alerts:
Red Hat RHSA-2003:307-01 2003-11-13
Conectiva CLA-2003:786 2003-11-20
OpenPKG OpenPKG-SA-2003.049 2003-11-25
Debian DSA-415-1 2004-01-06

Comments (none posted)

Updated vulnerabilities

2.4 kernel - several vulnerabilities

Package(s):2.4 kernel CVE #(s):CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created:July 21, 2003 Updated:December 23, 2003
Description: Several security issues have been discovered affecting the Linux kernel:
  • CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

  • CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

  • CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that his could allow normal users to bind to UDP ports used for services such as nfsd.

  • CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

  • CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

  • CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.

  • CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

  • CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
Alerts:
Red Hat RHSA-2003:238-01 2003-07-21
EnGarde ESA-20032407-018 2003-07-24
Debian DSA-358-1 2003-07-31
Debian DSA-358-3 2003-08-04
Debian DSA-358-2 2003-08-05
SuSE SuSE-SA:2003:034 2003-08-12
Debian DSA-358-4 2003-08-13
Gentoo 200308-01 2003-08-14
Red Hat RHSA-2003:408-00 2003-12-19

Comments (none posted)

CUPS: denial of service

Package(s):CUPS CVE #(s):CAN-2003-0788
Created:November 3, 2003 Updated:March 4, 2004
Description: Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
Red Hat RHSA-2003:275-01 2003-11-03
Mandrake MDKSA-2003:104 2003-11-05
Conectiva CLA-2003:779 2003-11-07
SCO Group CSSA-2004-012.0 2004-03-03

Comments (none posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
Debian DSA-208-1 2002-12-12
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Trustix 2002-0087 2002-12-19
Gentoo 200212-6 2002-12-20
SCO Group CSSA-2004-007.0 2004-02-20

Comments (none posted)

XFree86 4.3.0 integer overflows in font libraries

Package(s):XFree86 CVE #(s):CAN-2003-0730
Created:September 12, 2003 Updated:November 25, 2003
Description: Several vulnerabilities were discovered by blexim(at)hush.com in the font libraries of XFree86 version 4.3.0 and earlier. These bugs could potentially lead to execution of arbitrary code or a DoS by a remote user in any way that calls these functions, which are related to the transfer and enumeration of fonts from font servers to clients. See the advisory for additional details.
Alerts:
Mandrake MDKSA-2003:089 2003-09-11
Debian DSA-380-1 2003-09-12
Red Hat RHSA-2003:288-01 2003-11-17
Red Hat RHSA-2003:287-01 2003-11-25
Red Hat RHSA-2003:286-01 2003-11-25

Comments (none posted)

apache: buffer overflows in mod_alias, mod_rewrite

Package(s):apache CVE #(s):CAN-2003-0542 CAN-2003-0789
Created:October 28, 2003 Updated:February 13, 2004
Description: André Malo discovered buffer overflows in the mod_alias and mod_rewrite modules of the Apache webserver. These occurred if a regular expression with more than 9 capturing parenthesis was configured. To exploit this, an attacker would need to be able to locally create a carefully crafted configuration file (.htaccess or httpd.conf). CAN-2003-0542

Another buffer overflow in Apache 2.0.47 and earlier in mod_cgid's mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used. CAN-2003-0789.

Alerts:
OpenPKG OpenPKG-SA-2003.046 2003-10-28
Immunix IMNX-2003-7+-025-01 2003-10-28
Gentoo 200310-04 2003-10-31
Mandrake MDKSA-2003:103 2003-11-03
EnGarde ESA-20031105-030 2003-11-05
Slackware SSA:2003-308-01 2003-11-03
Conectiva CLA-2003:775 2003-11-05
Trustix 2003-0041 2003-11-15
Gentoo 200310-03 2003-10-28
Red Hat RHSA-2003:360-01 2003-12-10
Red Hat RHSA-2003:320-01 2003-12-16
Red Hat RHSA-2003:405-00 2003-12-18
Fedora FEDORA-2003-004 2004-01-08
Whitebox WBSA-2004:015-01 2004-02-12

Comments (none posted)

apache2: Denial of Service vulnerability

Package(s):apache2 CVE #(s):
Created:September 29, 2003 Updated:March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Mandrake MDKSA-2003:096 2003-09-26
Mandrake MDKSA-2003:096-1 2003-10-24
Netwosix NW-2004-0006 2004-03-25
Gentoo 200403-04 2004-03-22

Comments (none posted)

conquest: buffer overflow

Package(s):conquest CVE #(s):CAN-2003-0933
Created:November 10, 2003 Updated:November 12, 2003
Description: Steve Kemp discovered a buffer overflow in the environment variable handling of conquest, a curses based, real-time, multi-player space warfare game, which could lead a local attacker to gain unauthorized access to the group conquest.
Alerts:
Debian DSA-398-1 2003-11-10

Comments (none posted)

epic4: buffer overflow

Package(s):epic4 CVE #(s):CAN-2003-0328
Created:November 10, 2003 Updated:November 25, 2003
Description: Jeremy Nelson discovered a remotely exploitable buffer overflow in EPIC4, a popular client for Internet Relay Chat (IRC). A malicious server could craft a reply which triggers the client to allocate a negative amount of memory. This could lead to a denial of service if the client only crashes, but may also lead to executing of arbitrary code under the user id of the chatting user.
Alerts:
Debian DSA-399-1 2003-11-10
Fedora FEDORA-2003-008 2003-11-12
Red Hat RHSA-2003:342-01 2003-11-17

Comments (none posted)

ethereal: multiple remote and local vulnerabilities

Package(s):ethereal CVE #(s):CAN-2003-0925 CAN-2003-0926 CAN-2003-0927
Created:November 10, 2003 Updated:December 17, 2003
Description: Multiple vulnerabilities have been found in ethereal versions below 0.9.16. Remote attackers can craft packets, and local users can build corrupt trace files, resulting denial of service and remote code execution.
Alerts:
Conectiva CLA-2003:780 2003-11-07
Red Hat RHSA-2003:323-01 2003-11-10
Gentoo 200311-04 2003-11-22
Fedora FEDORA-2003-022 2003-11-25
Mandrake MDKSA-2003:114 2003-12-10

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

Comments (none posted)

fetchmail may crash on specially crafted message

Package(s):fetchmail CVE #(s):CAN-2003-0792
Created:October 16, 2003 Updated:April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
Mandrake MDKSA-2003:101 2003-10-16
Slackware SSA:2003-300-02 2003-10-22
SCO Group CSSA-2004-004.0 2004-02-19
Netwosix NW-2004-0002 2004-02-20
Gentoo 200403-10 2004-03-30
OpenPKG OpenPKG-SA-2004.012 2004-04-08

Comments (none posted)

fileutils/wu-ftpd: denial of service

Package(s):fileutils CVE #(s):CAN-2003-0854
Created:October 22, 2003 Updated:March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details.
Alerts:
Conectiva CLA-2003:768 2003-10-22
Conectiva CLA-2003:771 2003-10-24
Immunix IMNX-2003-7+-026-01 2003-10-31
Red Hat RHSA-2003:309-01 2003-11-03
Mandrake MDKSA-2003:106 2003-11-12
Trustix 2003-0042 2003-11-15
SCO Group CSSA-2004-006.0 2004-03-01

Comments (none posted)

glibc - buffer overflow

Package(s):glibc CVE #(s):CAN-2003-0689
Created:October 15, 2003 Updated:November 25, 2003
Description: The GNU C library contains a buffer overflow in the getgrouplist() function. If the user belongs to more groups than the calling application expects, the allocated storage will be overrun.
Alerts:
Conectiva CLA-2003:762 2003-10-14
Red Hat RHSA-2003:325-01 2003-11-12
Trustix 2003-0039 2003-11-15
Mandrake MDKSA-2003:107 2003-11-18
Gentoo 200311-05 2003-11-22

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Red Hat RHSA-2002:197-06 2002-10-03
Red Hat RHSA-2002:197-09 2002-11-06
Mandrake MDKSA-2004:009 2004-02-04

Comments (none posted)

gnupg: key validation

Package(s):gnupg CVE #(s):CAN-2003-0255
Created:May 15, 2003 Updated:November 17, 2003
Description: A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more then one user ID to trust all user ID's with the amount of trust given to the most-valid user ID.
Alerts:
EnGarde ESA-20030515-016 2003-05-15
OpenPKG OpenPKG-SA-2003.029 2003-05-16
Gentoo 200305-04 2003-05-16
Red Hat RHSA-2003:175-01 2003-05-20
Slackware ssa:2003-141-04 2003-05-22
Mandrake MDKSA-2003:061 2003-05-22
Yellow Dog YDU-20030602-4 2003-06-02
Conectiva CLA-2003:694 2003-07-11
SCO Group CSSA-2003-034.0 2003-11-17

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Red Hat RHSA-2003:126-01 2003-04-14
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:264-01 2003-09-09
Conectiva CLA-2003:737 2003-09-12
Mandrake MDKSA-2003:093 2003-09-18
Debian DSA-710-1 2005-04-18

Comments (none posted)

hylafax: remote code execution

Package(s):hylafax CVE #(s):CAN-2003-0886
Created:November 10, 2003 Updated:November 20, 2003
Description: Hylafax is an Open Source fax server which allows sharing of fax equipment among computers by offering its service to clients by a protocol similar to FTP. The SuSE Security Team found a format bug condition during a code review of the hfaxd server. It allows remote attackers to execute arbitrary code as root. However, the bug can not be triggered in hylafax's default configuration. The "capi4hylafax" packages also need to be updated as a dependency where they are available. Upgrading to version 4.1.8 fixes the problem; see this advisory for details.
Alerts:
SuSE SuSE-SA:2003:045 2003-11-10
Mandrake MDKSA-2003:105 2003-11-11
Conectiva CLA-2003:783 2003-11-12
Debian DSA-401-1 2003-11-17
Gentoo 200311-03 2003-11-10

Comments (none posted)

KDE: Two issues in KDM

Package(s):kde, xfree86 CVE #(s):CAN-2003-0690 CAN-2003-0692
Created:September 16, 2003 Updated:December 19, 2003
Description: According to this advisory two issues have been discovered in KDM:
  • CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
  • CAN-2003-0692: Session cookies generated by KDM are potentially insecure
All versions of KDM as distributed with KDE up to and including KDE 3.1.3 are affected.
Alerts:
Red Hat RHSA-2003:269-01 2003-09-16
Mandrake MDKSA-2003:091 2003-09-16
Conectiva CLA-2003:747 2003-09-19
Debian DSA-388-1 2003-09-19
Gentoo 200311-01 2003-11-15
Mandrake MDKSA-2003:118 2003-12-19

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libnids: remotely exploitable buffer overflow

Package(s):libnids CVE #(s):CAN-2003-0850
Created:October 29, 2003 Updated:January 6, 2004
Description: libnids (a NIDS plugin which emulates the Linux 2.0 IP stack) contains a buffer overflow vulnerability which can be exploited remotely. Version 1.18 fixes the problem.
Alerts:
Conectiva CLA-2003:773 2003-10-29
Gentoo 200311-07 2003-11-22
Debian DSA-410-1 2004-01-05

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Debian DSA-213-1 2002-12-19
Red Hat RHSA-2003:006-06 2003-01-09
SuSE SuSE-SA:2003:0004 2003-01-14
Yellow Dog YDU-20030114-2 2002-01-14
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Mandrake MDKSA-2003:008 2003-01-20
Conectiva CLA-2003:564 2003-01-23
Red Hat RHSA-2004:249-01 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-176 2004-06-18
Whitebox WBSA-2004:249-01 2004-06-21
Mandrake MDKSA-2004:063 2004-06-29
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Gentoo 200407-06 2004-07-08

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Debian DSA-320-1 2003-06-13
Gentoo 200307-01 2003-07-02
Fedora FEDORA-2005-404 2005-06-09
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-405 2005-06-16

Comments (none posted)

mpg123: heap overflow

Package(s):mpg123 CVE #(s):CAN-2003-0865
Created:November 12, 2003 Updated:February 19, 2004
Description: Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details.
Alerts:
Conectiva CLA-2003:781 2003-11-12
Debian DSA-435-1 2004-02-06
SCO Group CSSA-2004-002.0 2004-02-19

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s):mplayer CVE #(s):CAN-2003-0835
Created:September 29, 2003 Updated:April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Gentoo 200309-15 2003-09-27
Mandrake MDKSA-2003:097 2003-09-30
Conectiva CLA-2003:760 2003-10-06
Gentoo 200403-13 2004-03-31
Mandrake MDKSA-2004:026 2004-04-05

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: Linux NFS utils package contains remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending specially crafted request to rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Red Hat RHSA-2003:206-01 2003-07-14
Debian DSA-349-1 2003-07-14
Slackware SSA:2003-195-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
Slackware SSA:2003-195-01b 2003-07-15
Yellow Dog YDU-20030718-1 2003-07-18
Gentoo 200307-07 2003-07-19
Mandrake MDKSA-2003:076 2003-07-21
Conectiva CLA-2003:700 2003-07-22
SCO Group CSSA-2003-037.0 2003-11-17
Trustix TSLSA-2004-0009 2004-03-05

Comments (none posted)

omega-rpg: buffer overlow

Package(s):omega-rpg CVE #(s):CAN-2003-0932
Created:November 11, 2003 Updated:November 12, 2003
Description: Steve Kemp discovered a buffer overflow in the commandline and environment variable handling of omega-rpg, a text-based rogue-style game of dungeon exploration, which could lead a local attacker to gain unauthorized access to the group games.
Alerts:
Debian DSA-400-1 2003-11-11

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Gentoo 200305-01 2002-03-05
Gentoo 200305-02 2003-05-13
Red Hat RHSA-2003:222-01 2003-07-29
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Ubuntu USN-34-1 2004-11-30

Comments (1 posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Debian DSA-363-1 2003-08-03
Red Hat RHSA-2003:251-01 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Conectiva CLA-2003:717 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
Trustix 2003-0029 2003-08-04
Mandrake MDKA-2004:028 2004-05-26

Comments (none posted)

postgresql: remote code execution

Package(s):postgresql CVE #(s):CAN-2003-0901
Created:October 30, 2003 Updated:November 17, 2003
Description: Two bugs leading to a buffer overflow in the PostgreSQL RDBMS, versions 7.2.x and 7.3.x prior to 7.3.4, were discovered. The vulnerability exists in the PostgreSQL abstract data type (ADT) to ASCII conversion functions.

It has been conjectured that excessive data passed to the involved to_ascii_xxx() functions may overrun the bounds of an insufficient buffer reserved in heap memory, resulting in the corruption of heap based memory management structures that are adjacent to it. It is currently believed that under the correct circumstances an attacker may use this to execute arbitrary instructions in the context of the PostgreSQL server.

The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0901 to the problem.

Alerts:
OpenPKG OpenPKG-SA-2003.047 2003-10-30
Mandrake MDKSA-2003:102 2003-11-03
OpenPKG OpenPKG-SA-2003.048 2003-11-11
Red Hat RHSA-2003:313-00 2003-11-13
Conectiva CLA-2003:784 2003-11-13
Trustix 2003-0040 2003-11-15

Comments (none posted)

proftpd: remote root shell

Package(s):proftpd CVE #(s):CAN-2003-0831
Created:September 24, 2003 Updated:January 2, 2004
Description: The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information.
Alerts:
Slackware SSA:2003-259-02 2003-09-23
OpenPKG OpenPKG-SA-2003.043 2003-09-25
Mandrake MDKSA-2003:095 2003-09-26
Trustix 2003-0037 2003-09-27
Gentoo 200309-16 2003-09-28
Conectiva CLA-2003:750 2003-09-29
Mandrake MDKSA-2003:095-1 2003-12-31

Comments (2 posted)

sane-backends: several vulnerabilities

Package(s):sane-backends CVE #(s):CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778
Created:September 11, 2003 Updated:February 20, 2004
Description: Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segfault fault and/or consume arbitrary amounts of memory. The attack is successful, even if the attacker's computer isn't listed in saned.conf.

You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe.

Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the remote host is not allowed to scan (not listed in saned.conf).
  • CAN-2003-0774: saned lacks error checking nearly everywhere in the code. So connection drops are detected very late. If the drop of the connection isn't detected, the access to the internal wire buffer leaves the limits of the allocated memory. So random memory "after" the wire buffer is read which will be followed by a segmentation fault.
  • CAN-2003-0775: If saned expects strings, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that size and the amount of memory available either malloc fails (->saned quits nicely) or a huge amount of memory is allocated. Swapping and OOM measures may occur depending on the kernel.
  • CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before getting the parameters.
  • CAN-2003-0777: If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur.
  • CAN-2003-0778: It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this can not easily be fixed according to the author. Better limit the total amount of memory saned may use (ulimit).
Alerts:
Debian DSA-379-1 2003-09-11
Red Hat RHSA-2003:278-01 2003-10-07
Mandrake MDKSA-2003:099 2003-10-09
Conectiva CLA-2003:769 2003-10-22
SuSE SuSE-SA:2003:046 2003-11-18
SCO Group CSSA-2004-005.0 2004-02-19

Comments (none posted)

sendmail: remotely exploitable buffer overflow

Package(s):sendmail CVE #(s):CAN-2003-0694 CAN-2003-0681
Created:September 17, 2003 Updated:November 18, 2003
Description: Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix.
Alerts:
Gentoo 200309-13 2003-09-17
Slackware SSA:2003-260-02 2003-09-17
Red Hat RHSA-2003:283-01 2003-09-17
Debian DSA-384-1 2003-09-17
Mandrake MDKSA-2003:092 2003-09-17
Immunix IMNX-2003-7+-021-01 2003-09-17
Yellow Dog YDU-20030917-2 2003-09-17
Conectiva CLA-2003:742 2003-09-18
OpenPKG OpenPKG-SA-2003.041 2003-09-19
SuSE SuSE-SA:2003:040 2003-09-20
SCO Group CSSA-2003-036.0 2003-11-17

Comments (none posted)

stunnel: signal handler reentrancy DoS

Package(s):stunnel CVE #(s):CAN-2002-1563
Created:July 25, 2003 Updated:November 25, 2003
Description: Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over a secure connection (encrypted using SSL or TLS) or to provide a secure means of connecting to services that do not natively support encryption.

When configured to listen for incoming connections (instead of being invoked by xinetd), stunnel can be configured to either start a thread or a child process to handle each new connection. If Stunnel is configured to start a new child process to handle each connection, it will receive a SIGCHLD signal when that child exits.

Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal handler which, if interrupted by another SIGCHLD signal, could be unsafe. This could lead to a denial of service.

Alerts:
Red Hat RHSA-2003:221-01 2003-07-25
EnGarde ESA-20030806-020 2003-08-06
Trustix 2003-0030 2003-08-07
Conectiva CLA-2003:736 2003-09-05
SCO Group CSSA-2003-026.0 2003-10-03
Red Hat RHSA-2003:296-01 2003-11-24

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 9, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Red Hat RHSA-2002:096-24 2002-09-18
Gentoo tar-20021001 2002-10-01
Gentoo unzip-20021001 2002-10-01
EnGarde ESA-20021003-022 2002-10-03
Mandrake MDKSA-2002:065 2002-10-10
Mandrake MDKSA-2002:066 2002-10-10
Conectiva CLA-2002:538 2002-10-29
Red Hat RHSA-2006:0195-01 2006-02-21
Fedora-Legacy FLSA:183571-1 2006-04-04

Comments (1 posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
SCO Group CSSA-2001-030.0 2001-08-10
Conectiva CLA-2001:413 2001-08-24
Debian DSA-075-1 2001-08-14
Debian DSA-075-2 2001-08-14
HP HPSBTL0202-023 2002-02-12
Mandrake MDKSA-2001:068 2001-08-13
Mandrake MDKSA-2001:093 2001-12-17
Progeny PROGENY-SA-2001-27 2001-08-14
Red Hat RHSA-2001:099-06 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:100-02 2001-08-09
Slackware sl-997726350 2001-08-09
SuSE SuSE-SA:2001:029 2001-09-03
Yellow Dog YDU-20010810-1 2001-08-10
Yellow Dog YDU-20010810-2 2001-08-10
Gentoo 200410-03 2004-10-05

Comments (none posted)

unzip: directory traversal vulnerability

Package(s):unzip CVE #(s):CAN-2003-0282
Created:July 1, 2003 Updated:November 13, 2003
Description: A vulnerabilitiy in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information.
Alerts:
Red Hat RHSA-2003:199-01 2003-07-01
Immunix IMNX-2003-7+-017-01 2003-07-02
Conectiva CLA-2003:672 2003-07-02
Mandrake MDKSA-2003:073 2003-07-07
Debian DSA-344-1 2003-07-08
OpenPKG OpenPKG-SA-2003.033 2003-07-10
Gentoo 200307-02 2003-07-11
Yellow Dog YDU-20030710-1 2003-07-10
Red Hat RHSA-2003:199-02 2003-08-15
Conectiva CLA-2003:724 2003-08-18
Mandrake MDKSA-2003:073-1 2003-08-19
Slackware SSA:2003-237-01 2003-08-25
Debian DSA-344-2 2003-08-26
SCO Group CSSA-2003-031.0 2003-11-07

Comments (none posted)

vim - modeline vulnerability

Package(s):vim CVE #(s):CAN-2002-1377
Created:January 16, 2003 Updated:February 10, 2004
Description: VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
Alerts:
Red Hat RHSA-2002:297-17 2003-01-15
OpenPKG OpenPKG-SA-2003.003 2003-01-21
Gentoo 200301-13 2003-01-22
Yellow Dog