LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
Letters to the editor
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Security news
Security updates for old Red Hat releases
Sites which have deployed Red Hat Linux have a difficult choice ahead of them. In the near future, Red Hat will cease providing security updates for these releases. If you have a Red Hat Linux system exposed to the net, you should be thinking about how you will keep it secure once the official updates stop coming. There are a number of choices available, none of which is perfect:
- Move over to Fedora core. Updates will be available for Fedora Core
releases, but only until the next version comes out. The update
policy for Fedora also differs from that of Red Hat Linux; rather than
backport fixes to the version of the affected program which was
originally distributed, Fedora will simply move to the current
version. That change will make security updates potentially more
disruptive. Updating the full system to a new Fedora Core release
twice a year may not be a viable option for many applications.
- Switch to a Red Hat Enterprise Linux release. RHEL will offer
long-term support and relative stability; all you have to do is pay
the price. Given that (as reported on
News.com) over 90% of RHEL customers are renewing their subscriptions,
it would appear that Red Hat is offering services with a real value.
Not everybody will be willing or able to pay that price tag, however.
- Switch to another distribution entirely. The nice thing about Linux
is that you can switch to another vendor when the need arises.
That still does not imply that changing distributions is a fun or easy
process, however.
- Maintain security-critical packages in-house, from source. This approach would work, assuming there is somebody with enough technical expertise available who can also find the time to do that sort of maintenance.
Red Hat Linux users are lucky; users of a proprietary system would not have such a wealth of choices available to them. Even so, these users can be forgiven for occasionally wishing that a "go on as if nothing had changed" option existed as well.
That could yet happen. The Fedora Legacy Project is forming with the goal of supporting Red Hat Linux and Fedora Core releases past their official end of life. This project is still in its organizational stages (the inevitable press release is still in draft form) but its volunteers intend to start producing security updates for (at least) Red Hat Linux 7.3 by the beginning of 2004, when support for that release ends. Whether support for the 8.0 release will be offered remains unclear; it depends on whether volunteers show up to produce the updates. There are plans to support Red Hat Linux 9, however.
Continuing to use a deployed Red Hat Linux system with the expectation that the Fedora Legacy Project will supply security updates is a bit of a risky option. The project is new and still organizing; there is no way to know whether it will put together the necessary mass of sufficiently talented and motivated engineers to produce reliable security updates in a timely manner. There is no doubt that a volunteer project can perform this sort of task with high-quality results, however, and there should be enough deployed Red Hat Linux systems to motivate a large pool of potential contributors.
Strange web server traffic
If you run a web server, and you pay any attention at all to its logs, you may be seeing many entries that look like:
SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02...
(Though the actual lines are very long). If you think it looks like an attack, you are correct. It is, however, an exploit for an old IIS vulnerability. Thus, most readers of this site need not be too worried about this one.
New vulnerabilities
glibc: local DoS vulnerability
| Package(s): | glibc | CVE #(s): | CAN-2003-0859 | |||
| Created: | November 14, 2003 | Updated: | November 18, 2003 | |||
| Description: | Herbert Xu reported that various applications can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The glibc function getifaddrs uses netlink and could therefore be vulnerable to this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0859 to this issue. | |||||
| Alerts: |
| |||||
minimalist: unsanitized input
| Package(s): | minimalist | CVE #(s): | CAN-2003-0902 | |||
| Created: | November 17, 2003 | Updated: | November 18, 2003 | |||
| Description: | A security-related problem has been discovered in minimalist, a mailing list manager, which allows a remote attacker to execute arbitrary commands. | |||||
| Alerts: |
| |||||
pstack: Buffer overflow
| Package(s): | pstack | CVE #(s): | ||||
| Created: | November 13, 2003 | Updated: | November 18, 2003 | |||
| Description: | pstack dumps a stack trace for a process, given the pid of that process. Versions prior to 1.2.3 contain a potential buffer overflow vulnerability. | |||||
| Alerts: |
| |||||
zebra: denial of service vulnerability
| Package(s): | zebra | CVE #(s): | CAN-2003-0795 CAN-2003-0858 | ||||||||||||
| Created: | November 13, 2003 | Updated: | January 7, 2004 | ||||||||||||
| Description: | Zebra an open source implementation of TCP/IP routing software.
Jonny Robertson reported that Zebra can be remotely crashed if a Zebra password has been enabled and a remote attacker can connect to the Zebra telnet management port. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0795 to this issue. Herbert Xu reported that Zebra can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0858 to this issue. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Updated vulnerabilities
2.4 kernel - several vulnerabilities
| Package(s): | 2.4 kernel | CVE #(s): | CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552 | |||||||||||||||||||||||||||
| Created: | July 21, 2003 | Updated: | December 23, 2003 | |||||||||||||||||||||||||||
| Description: | Several security issues have been discovered affecting the Linux kernel:
| |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
CUPS: denial of service
| Package(s): | CUPS | CVE #(s): | CAN-2003-0788 | ||||||||||||
| Created: | November 3, 2003 | Updated: | March 4, 2004 | ||||||||||||
| Description: | Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631). | ||||||||||||||
| Alerts: |
| ||||||||||||||
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm | CVE #(s): | CAN-2002-1323 | |||||||||||||||
| Created: | October 9, 2002 | Updated: | February 20, 2004 | |||||||||||||||
| Description: | usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
XFree86 4.3.0 integer overflows in font libraries
| Package(s): | XFree86 | CVE #(s): | CAN-2003-0730 | |||||||||||||||
| Created: | September 12, 2003 | Updated: | November 25, 2003 | |||||||||||||||
| Description: | Several vulnerabilities were discovered by blexim(at)hush.com in the font libraries of XFree86 version 4.3.0 and earlier. These bugs could potentially lead to execution of arbitrary code or a DoS by a remote user in any way that calls these functions, which are related to the transfer and enumeration of fonts from font servers to clients. See the advisory for additional details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
apache: buffer overflows in mod_alias, mod_rewrite
| Package(s): | apache | CVE #(s): | CAN-2003-0542 CAN-2003-0789 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | October 28, 2003 | Updated: | February 13, 2004 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | André Malo discovered
buffer overflows in the mod_alias and mod_rewrite modules of the Apache
webserver. These occurred if a regular expression with more than 9
capturing parenthesis was configured. To exploit this, an attacker would
need to be able to locally create a carefully crafted configuration file
(.htaccess or httpd.conf).
CAN-2003-0542
Another buffer overflow in Apache 2.0.47 and earlier in mod_cgid's mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used. CAN-2003-0789. | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
apache2: Denial of Service vulnerability
| Package(s): | apache2 | CVE #(s): | |||||||||||||
| Created: | September 29, 2003 | Updated: | March 25, 2004 | ||||||||||||
| Description: | A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details. | ||||||||||||||
| Alerts: |
| ||||||||||||||
conquest: buffer overflow
| Package(s): | conquest | CVE #(s): | CAN-2003-0933 | |||
| Created: | November 10, 2003 | Updated: | November 12, 2003 | |||
| Description: | Steve Kemp discovered a buffer overflow in the environment variable handling of conquest, a curses based, real-time, multi-player space warfare game, which could lead a local attacker to gain unauthorized access to the group conquest. | |||||
| Alerts: |
| |||||
epic4: buffer overflow
| Package(s): | epic4 | CVE #(s): | CAN-2003-0328 | |||||||||
| Created: | November 10, 2003 | Updated: | November 25, 2003 | |||||||||
| Description: | Jeremy Nelson discovered a remotely exploitable buffer overflow in EPIC4, a popular client for Internet Relay Chat (IRC). A malicious server could craft a reply which triggers the client to allocate a negative amount of memory. This could lead to a denial of service if the client only crashes, but may also lead to executing of arbitrary code under the user id of the chatting user. | |||||||||||
| Alerts: |
| |||||||||||
ethereal: multiple remote and local vulnerabilities
| Package(s): | ethereal | CVE #(s): | CAN-2003-0925 CAN-2003-0926 CAN-2003-0927 | |||||||||||||||
| Created: | November 10, 2003 | Updated: | December 17, 2003 | |||||||||||||||
| Description: | Multiple vulnerabilities have been found in ethereal versions below 0.9.16. Remote attackers can craft packets, and local users can build corrupt trace files, resulting denial of service and remote code execution. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Filename disclosure vulnerability in fam
| Package(s): | fam | CVE #(s): | CAN-2002-0875 | ||||||
| Created: | August 19, 2002 | Updated: | January 5, 2005 | ||||||
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. | ||||||||
| Alerts: |
| ||||||||
fetchmail may crash on specially crafted message
| Package(s): | fetchmail | CVE #(s): | CAN-2003-0792 | ||||||||||||||||||
| Created: | October 16, 2003 | Updated: | April 8, 2004 | ||||||||||||||||||
| Description: | A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
fileutils/wu-ftpd: denial of service
| Package(s): | fileutils | CVE #(s): | CAN-2003-0854 | |||||||||||||||||||||
| Created: | October 22, 2003 | Updated: | March 2, 2004 | |||||||||||||||||||||
| Description: | There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
glibc - buffer overflow
| Package(s): | glibc | CVE #(s): | CAN-2003-0689 | |||||||||||||||
| Created: | October 15, 2003 | Updated: | November 25, 2003 | |||||||||||||||
| Description: | The GNU C library contains a buffer overflow in the getgrouplist() function. If the user belongs to more groups than the calling application expects, the allocated storage will be overrun. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc | CVE #(s): | CAN-2002-1146 | |||||||||
| Created: | November 7, 2002 | Updated: | February 5, 2004 | |||||||||
| Description: | DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash). | |||||||||||
| Alerts: |
| |||||||||||
gnupg: key validation
| Package(s): | gnupg | CVE #(s): | CAN-2003-0255 | |||||||||||||||||||||||||||
| Created: | May 15, 2003 | Updated: | November 17, 2003 | |||||||||||||||||||||||||||
| Description: | A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more then one user ID to trust all user ID's with the amount of trust given to the most-valid user ID. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml | CVE #(s): | CAN-2003-0133 CAN-2003-0541 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | April 18, 2005 | ||||||||||||||||||
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
hylafax: remote code execution
| Package(s): | hylafax | CVE #(s): | CAN-2003-0886 | |||||||||||||||
| Created: | November 10, 2003 | Updated: | November 20, 2003 | |||||||||||||||
| Description: | Hylafax is an Open Source fax server which allows sharing of fax equipment among computers by offering its service to clients by a protocol similar to FTP. The SuSE Security Team found a format bug condition during a code review of the hfaxd server. It allows remote attackers to execute arbitrary code as root. However, the bug can not be triggered in hylafax's default configuration. The "capi4hylafax" packages also need to be updated as a dependency where they are available. Upgrading to version 4.1.8 fixes the problem; see this advisory for details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
KDE: Two issues in KDM
| Package(s): | kde, xfree86 | CVE #(s): | CAN-2003-0690 CAN-2003-0692 | ||||||||||||||||||
| Created: | September 16, 2003 | Updated: | December 19, 2003 | ||||||||||||||||||
| Description: | According to this advisory two issues have
been discovered in KDM:
| ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils | CVE #(s): | CAN-2003-0019 | |||
| Created: | February 7, 2003 | Updated: | January 21, 2005 | |||
| Description: | The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: chmod -s /usr/bin/uml_net | |||||
| Alerts: |
| |||||
libnids: remotely exploitable buffer overflow
| Package(s): | libnids | CVE #(s): | CAN-2003-0850 | |||||||||
| Created: | October 29, 2003 | Updated: | January 6, 2004 | |||||||||
| Description: | libnids (a NIDS plugin which emulates the Linux 2.0 IP stack) contains a buffer overflow vulnerability which can be exploited remotely. Version 1.18 fixes the problem. | |||||||||||
| Alerts: |
| |||||||||||
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 | CVE #(s): | CAN-2002-1363 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 19, 2002 | Updated: | July 14, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
mikmod: buffer overflow
| Package(s): | mikmod | CVE #(s): | CAN-2003-0427 | |||||||||||||||
| Created: | June 16, 2003 | Updated: | June 16, 2005 | |||||||||||||||
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
mpg123: heap overflow
| Package(s): | mpg123 | CVE #(s): | CAN-2003-0865 | |||||||||
| Created: | November 12, 2003 | Updated: | February 19, 2004 | |||||||||
| Description: | Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details. | |||||||||||
| Alerts: |
| |||||||||||
mplayer: remotely exploitable buffer overflow vulnerability
| Package(s): | mplayer | CVE #(s): | CAN-2003-0835 | |||||||||||||||
| Created: | September 29, 2003 | Updated: | April 6, 2004 | |||||||||||||||
| Description: | A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Nessus NASL scripting engine security issues
| Package(s): | nessus | CVE #(s): | ||||
| Created: | May 27, 2003 | Updated: | August 12, 2004 | |||
| Description: | Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information. | |||||
| Alerts: |
| |||||
nfs-utils xlog() off-by-one bug
| Package(s): | nfs-utils | CVE #(s): | CAN-2003-0252 | ||||||||||||||||||||||||||||||||||||
| Created: | July 14, 2003 | Updated: | March 8, 2004 | ||||||||||||||||||||||||||||||||||||
| Description: | Linux NFS utils package contains remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending specially crafted request to rpc.mountd daemon. See this BugTraq post for more details. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
omega-rpg: buffer overlow
| Package(s): | omega-rpg | CVE #(s): | CAN-2003-0932 | |||
| Created: | November 11, 2003 | Updated: | November 12, 2003 | |||
| Description: | Steve Kemp discovered a buffer overflow in the commandline and environment variable handling of omega-rpg, a text-based rogue-style game of dungeon exploration, which could lead a local attacker to gain unauthorized access to the group games. | |||||
| Alerts: |
| |||||
openssh: timing attack leads to information disclosure
| Package(s): | openssh | CVE #(s): | CAN-2003-0190 | |||||||||||||||
| Created: | May 2, 2003 | Updated: | November 30, 2004 | |||||||||||||||
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
postfix: denial of service vulnerabilities
| Package(s): | postfix | CVE #(s): | CAN-2003-0468 CAN-2003-0540 | ||||||||||||||||||||||||
| Created: | August 5, 2003 | Updated: | May 27, 2004 | ||||||||||||||||||||||||
| Description: | The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
postgresql: remote code execution
| Package(s): | postgresql | CVE #(s): | CAN-2003-0901 | ||||||||||||||||||
| Created: | October 30, 2003 | Updated: | November 17, 2003 | ||||||||||||||||||
| Description: | Two bugs leading to a buffer overflow in the PostgreSQL RDBMS, versions 7.2.x and
7.3.x prior to 7.3.4, were discovered. The vulnerability exists in the
PostgreSQL abstract data type (ADT) to ASCII conversion functions.
It has been conjectured that excessive data passed to the involved to_ascii_xxx() functions may overrun the bounds of an insufficient buffer reserved in heap memory, resulting in the corruption of heap based memory management structures that are adjacent to it. It is currently believed that under the correct circumstances an attacker may use this to execute arbitrary instructions in the context of the PostgreSQL server. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0901 to the problem. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
proftpd: remote root shell
| Package(s): | proftpd | CVE #(s): | CAN-2003-0831 | |||||||||||||||||||||
| Created: | September 24, 2003 | Updated: | January 2, 2004 | |||||||||||||||||||||
| Description: | The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
sane-backends: several vulnerabilities
| Package(s): | sane-backends | CVE #(s): | CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778 | ||||||||||||||||||
| Created: | September 11, 2003 | Updated: | February 20, 2004 | ||||||||||||||||||
| Description: | Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the sane-backends package, which contains
an API library for scanners including a scanning daemon (in the
package libsane) that can be remotely exploited. These problems allow
a remote attacker to cause a segfault fault and/or consume arbitrary
amounts of memory. The attack is successful, even if the attacker's
computer isn't listed in saned.conf.
You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe. Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe. The Common Vulnerabilities and Exposures project identifies the following problems:
| ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
sendmail: remotely exploitable buffer overflow
| Package(s): | sendmail | CVE #(s): | CAN-2003-0694 CAN-2003-0681 | |||||||||||||||||||||||||||||||||
| Created: | September 17, 2003 | Updated: | November 18, 2003 | |||||||||||||||||||||||||||||||||
| Description: | Michal Zalewski has reported a buffer overflow in sendmail. This overflow, apparently, may be exploited remotely, but only in certain (non-default) configurations. Sendmail 8.12.10 has the fix. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
stunnel: signal handler reentrancy DoS
| Package(s): | stunnel | CVE #(s): | CAN-2002-1563 | ||||||||||||||||||
| Created: | July 25, 2003 | Updated: | November 25, 2003 | ||||||||||||||||||
| Description: | Stunnel is a wrapper for network connections. It can be used to tunnel an
unencrypted network connection over a secure connection (encrypted using
SSL or TLS) or to provide a secure means of connecting to services that do
not natively support encryption.
When configured to listen for incoming connections (instead of being invoked by xinetd), stunnel can be configured to either start a thread or a child process to handle each new connection. If Stunnel is configured to start a new child process to handle each connection, it will receive a SIGCHLD signal when that child exits. Stunnel versions prior to 4.04 would perform tasks in the SIGCHLD signal handler which, if interrupted by another SIGCHLD signal, could be unsafe. This could lead to a denial of service. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip | CVE #(s): | CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399 | |||||||||||||||||||||||||||
| Created: | October 1, 2002 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 | CVE #(s): | |||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 21, 2002 | Updated: | October 5, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
unzip: directory traversal vulnerability
| Package(s): | unzip | CVE #(s): | CAN-2003-0282 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | July 1, 2003 | Updated: | November 13, 2003 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | A vulnerabilitiy in unzip version 5.50 and earlier allows attackers to overwrite arbitrary files during archive extraction by placing invalid (non-printable) characters between two "." characters. These non-printable characters are filtered, resulting in a ".." sequence. See the full advisory for further information. | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
vim - modeline vulnerability
| Package(s): | vim | CVE #(s): | CAN-2002-1377 | ||||||||||||||||||
| Created: | January 16, 2003 | Updated: | February 10, 2004 | ||||||||||||||||||
| Description: | VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
webmin: session ID spoofing
| Package(s): | webmin | CVE #(s): | CAN-2003-0101 | ||||||
| Created: | June 13, 2003 | Updated: | November 18, 2003 | ||||||
| Description: | miniserv.pl in the webmin package does not properly handle metacharacters, such as line feeds and carriage returns, in Base64-encoded strings used in Basic authentication. This vulnerability allows remote attackers to spoof a session ID, and thereby gain root privileges. | ||||||||
| Alerts: |
| ||||||||
wget: buffer overflow
| Package(s): | wget | CVE #(s): | CAN-2003-1565 | |||||||||
| Created: | August 5, 2003 | Updated: | December 10, 2003 | |||||||||
| Description: | The wget utility contains a buffer overflow which, when exploited with an over-long URL, can enable arbitrary code execution. | |||||||||||
| Alerts: |
| |||||||||||
xinetd: Memory leak in xinetd 2.3.10
| Package(s): | xinetd | CVE #(s): | CAN-2003-0211 | |||||||||||||||
| Created: | May 13, 2003 | Updated: | November 12, 2003 | |||||||||||||||
| Description: | Xinetd is a 'master server' that is used to to accept service connection
requests and start the appropriate servers.
Because of a programming error, memory was allocated and never freed if a connection was refused for any reason. An attacker could exploit this flaw to crash the xinetd server, rendering all services it controls unavailable. In addition, other flaws in xinetd could cause incorrect operation in certain unusual server configurations. All users of xinetd are advised to update to xinetd-2.3.11 which is not vulnerable to these issues. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Resources
November CRYPTO-GRAM newsletter
Bruce Schneier's CRYPTO-GRAM newsletter for November is out, with a look at airline security and the "trojan defense." "Some believe that the 'Trojan defense' sets a dangerous precedent, and that computer criminals will claim it every time. I believe that it sets a very good precedent, and will force prosecutors to do more than show that a particular computer was involved in a crime."
Page editor: Jonathan Corbet
Next page: Kernel development>>