LWN.net Logo

Advertisement

E-Commerce & credit card processing - the Open Source way!

Advertise here

LWN.net Weekly Edition for December 11, 2003

SCO Weekly News

It has been a busy week for those of us watching the SCO case. Here's a summary of all that has been going on...

The fun started with an even more than usually bizarre open letter from Darl McBride (actually written by his brother Kevin, about whom we will hear more shortly, and a SCO technical writer) on the evils of the General Public License. The letter makes for difficult reading, but the core of its argument is this:

SCO argues that the authority of Congress under the U.S. Constitution to "promote the Progress of Science and the useful arts..." inherently includes a profit motive, and that protection for this profit motive includes a Constitutional dimension. We believe that the "progress of science" is best advanced by vigorously protecting the right of authors and inventors to earn a profit from their work.

By SCO's reasoning, the GPL, being a mechanism by which the owner of a copyrighted work can allow others to distribute that work without paying a license fee, interferes with the profit motive SCO has read into the constitution and, thus, is unconstitutional. Needless to say, this novel line of constitutional reasoning is finding few defenders outside of SCO. See, for example, responses by Lawrence Lessig, Linus Torvalds (who did some interesting research into copyright law himself), and on Groklaw.

The real purpose of the open letter appears to have been to distract attention from some other events, the first of which being the hearing on IBM's motions to compel discovery on December 5. As most readers will have seen by now, IBM won a complete victory in that hearing. Both motions to compel were upheld, while SCO's motion was tabled and all further SCO discovery has been suspended until SCO has satisfied IBM's questions. SCO now has 30 days to specify exactly which code it claims IBM has stolen, and it will not be able to go fishing through AIX for its answers.

The December 5 hearing was also interesting in that David Boies, SCO's brand-name lawyer, didn't see fit to show up. Instead, SCO was represented by Kevin McBride, Darl's brother. This was Kevin McBride's first public appearance in this case, and he appears to have impressed few people - certainly not the judge presiding over the hearing. He started by sitting at the defendants' table, and had to be told to move to the other side of the court. His arguments were generally described as incoherent and unconvincing; he talked a lot about what a complex case it was. And, of course, he lost.

For those seeking further information, there are a few postings on Groklaw: transcripts of the hearing (scroll down to the second version, which is more complete), a list of what SCO must now provide to IBM, and a guest article on where things go from here (mostly downhill).

SCO was supposed to announce its fourth quarter earnings on December 8, but that announcement has been delayed until the 22nd. The stated reason is that the company needs more time to finish accounting for the BayStar investment. Others have speculated that the quarter will look so bad that the company hopes that, by delaying the announcement to just before Christmas, it can escape notice.

Some of the truth, perhaps, came out in a three-part SEC filing on December 9. This filing provides some interesting insights into how SCO deals with its investors and lawyers. It also, perhaps, gives the real reason for the earnings delay: SCO was still negotiating with BayStar and the Royal Bank of Canada (RBC). It would appear that these investors got a little nervous about SCO's agreement with its lawyers giving those lawyers 20% of any settlement, investment in, or sale of the company. As a result, SCO has filed a statement that it will not take any action which triggers the 20% fee unless 2/3 of the preferred stockholders (BayStar and RBC) agree. The investors, in other words, have established a veto power over the lawyers.

The second part of the filing is a letter from Boies, Schiller & Flexner to SCO describing the arrangement between the two companies. This letter is dated February 26, 2003, but is only being released now. The letter states that Boies et al. will be paid on an hourly rate - not the pure contingency deal that SCO has claimed in the past. SCO was also required to put up a $1 million retainer, and to top it up whenever it gets spent down to $250,000.

Also stated in this letter is:

It is hereby recognized and acknowledged that Kevin McBride, the brother of SCO's Chief Executive Officer, Darl McBride, is an attorney at Angelo, Barry & Boldt who will be working on this matter. By signing below, Darl McBride acknowledges that full disclosure of Kevin McBride's involvement in the matter and the terms and conditions of the fee letter has been made to and approved by the Board of Directors of Client.

In other words, Boies was not entirely comfortable with Kevin McBride's presence and required assurance that SCO's board of directors understood what was going on.

The letter also notes that efforts to sell licenses to Microsoft and Sun were already underway last February.

Finally, this letter from SCO to Boies confirms recent payments to the law firm: $2.6 million, plus the 400,000 shares of stock. SCO has until the beginning of March to deliver the stock (SEC formalities must be cleared first). The letter notes that Boies et al. will be taking on, in addition to the IBM suit, defense against the Red Hat suit and IBM's counterclaims. Boies will also be helping in "pursuing our potential claims against third parties arising out of the USL/BSDI settlement." Exactly what that means remains to be seen.

Comments (6 posted)

Interview: Dan Ravicher on derived works

December 10, 2003

By Pamela Jones, Editor of Groklaw

What is a derivative work when it comes to software? Between SCO's attempts to define it as "anything that ever breathed the same air as Unix" and the recent discussions on linux-kernel about the status of closed-source modules (see this week's Kernel Page), it is only natural to wonder if there is any way, short of going before a judge, to know. Is there a standard rule a programmer can measure his work by and know whether he has produced a derived work or not?

Dan Ravicher, Esq., Senior Counsel, Free Software Foundation, and Executive Director, Public Patent Foundation, was kind enough to grant me an interview and explain. Note that he is discussing the situation in the US, because that is where he practices. However, his ultimate advice applies to international copyright issues as well, namely: ask a lawyer who practices where you live for an opinion. Get it in writing.

PJ: Is there one definition, The Definition, as it were, of derivative works that applies to everyone?

The definition of derivative work is an issue under copyright law, which is exclusively a federal question (state courts are forbidden from addressing the issue). Therefore, there could conceivably be 94 different "derivative work" definitions, as there are 94 different federal district courts (the trial level of the federal court system). [Note: There could be even more, as there are several judges within each district, who could each have different opinions on the law.]

Although district court judges are supposed to give deference to one another's opinions, they often do not. As such, above those 94 district courts, there are 13 circuit courts of appeals, which each attempt to unify the law as between all the district courts within their jurisdiction. Here's a map showing which districts fall into which circuits. Again, like the district court judges, the circuit court judges are supposed to give deference to one another's opinions, but they often do not. So, above the 13 circuits, is the Supreme Court, which is supposed to unify law amongst the circuits.

Every case has a right to appeal to the Circuit Court, but appeal to the Supreme Court is only by discretion. As of yet, despite the difference in opinions between the circuits regarding the question of what constitutes a derivative work of software, the Supreme Court has not taken any such case. One can speculate why this is so, including that many of the circuits, including two of the most influential to the conservative Supreme Court, the 7th and the 4th, have yet to take an opinion on the issue. Further, the 9th and 2nd Circuits, routinely the most important for copyright law (because NY and CA are home to media companies and Hollywood), are pretty much in agreement on the issue, and several circuits have followed their lead.

If it is circuit by circuit, how does Utah's circuit, where the SCO v. IBM case will be decided, define it?

Utah's District Court is within the 10th Circuit, which has adopted the Abstraction, Filtration, and Comparison test of the 2nd Circuit. For a discussion of how that test defines derivative work, you can read a paper I have written on that subject here [PDF format].

[Editor's note: the above paper actually covers a few different tests used by the circuit courts to determine whether one program is a derived product of another. It is recommended reading for anyone who would like a better understanding of the different ways of approaching this problem.]

Please bear with me. This is a long question, but I want to be sure you cover the complete question, and I know you are a programmer as well as an attorney: The Linux kernel is, of course, licensed under the GPL. There is a continuing controversy over the legal status of closed-source kernel modules. Nobody really likes them, but they have been tolerated so far. There are kernel hackers who have threatened to eventually take a binary module vendor to court for infringing their copyrights, however.

Is a kernel module a derived product or not? Some people claim that there are precedents saying that anything which can be unplugged and replaced falls on the other side of the boundary and cannot be considered a derived product. Others point out the substantial amount of inline function code used by Linux modules, along with the deep knowledge of kernel internals required, and say that modules are necessarily derived products.

One can point to a continuum of modules to see that the situation is not simple. LSM security modules can hook into almost every part of the kernel and fundamentally change its operation; almost everybody agrees that they are derived products. On the other hand, modules exist which allow the loading of Windows NDIS drivers into a Linux kernel; few people would claim that the Windows driver has become a derived product.

Is there any way to figure out where the boundary really is short of asking a judge?

The intuition that there is no bright line answer regarding modules is correct. The test of derivative work is a very fact-specific one; meaning that minor differences can substantially impact the result. In practice, highly factual issues are typically resolved by both sides in litigation having representative experts testify that the facts lead to one conclusion or the other.

However, this doesn't mean one needs to necessarily wait for a judge to decide the issue in order to have some guidance. In order to better manage and calculate legal uncertainty, clients often ask their attorneys for a legal opinion regarding a certain situation. In what are called "Opinion Letters", attorneys opine as to the conclusion they think would be reached if a judge addressed at the issue. For instance, a few years back the W3C sought the opinion of its attorneys regarding whether or not one of its standards infringed a patent, which you can read here.

Although such letters are not a guarantee that the issue, if ever presented to a court, would be resolved in that way, they do allow the client or other recipient of the letter to rely on the attorney's opinion in making decisions. That reliance, if reasonable and based on a "competent opinion", may go a long way to help the client prove they did not act in bad faith, which is very important under the law because penalties for copyright infringement can be drastically increased if the infringer is found to have acted in bad faith.

Coming soon: the second half of this interview, which covers free software and patents, especially Microsoft's claimed FAT filesystem patent.

Comments (7 posted)

A Look at the UserLinux Proposal

December 10, 2003

This article was contributed by Joe 'Zonker' Brockmeier.

About two months ago we reported that Bruce Perens was considering the formation of a community-driven "enterprise" Linux distribution. Perens has made up his mind, and has produced a manifesto which serves as a rough outline of what UserLinux would be, and a discussion list for those interested in participating. According to Perens, UserLinux would be "a system for both desktop and server use in businesses of all sizes."

Why would we need another Linux system? It's not as if there's any lack of distributions. We spoke to Perens to get the details on UserLinux. According to him, there's a need for UserLinux because current Linux vendors are too focused on profits, and the needs of users are being neglected. In the last year or so, he noticed "the rise of proprietary open source. Software that is purportedly open source-licensed, but the user is still made to pay in the long run."

This trend is causing problems for Linux. In his white paper, Perens writes:

The very aspects that make Linux desirable, its low cost, Open Source nature, and the way it gives customers more control over their software, are under attack by Linux vendors bent on increasing shareholder value. Businesses are paying more as Linux distributions demand a per-seat cost and service lock-in for software that they didn't develop and that others support.

In creating a community-driven solution for business, UserLinux could provide an alternative for businesses that aren't looking to pay per-seat fees to companies like Red Hat. However, a community-driven project will face problems that Red Hat and other vendors have already (at least to some extent) overcome.

One major obstacle that UserLinux will face is garnering the support of independent system vendors, such as Oracle. Any distribution aimed at the "enterprise" market will need that support. Theodore Ts'o noted that this can be an expensive undertaking for some of the highly desirable ISVs. Perens acknowledges this in the second draft of the UserLinux paper:

It will probably be necessary for us to arrange to have a porting lab for the use of ISVs, where they could come to do their work with the support of an expert in our system, and for them to have free call-in support on issues related to supporting their products on our platform. These things would be paid for by the service provider organization.

The question, of course, is how the organization will pay to support a lab and other endeavors. Perens explained that he would like to see an organization for UserLinux service providers, which could certify providers and serve as a point of contact for the providers and customers. Providers would probably pay some fee for certification "on a sliding scale based on the size of the business" to allow for sole proprietorships. The organization might charge some percentage for business referred to the providers, but he doesn't want the organization to be a mandatory gatekeeper between customers and providers. He also noted that UserLinux could also have uncertified providers, they would simply not be allowed to use the trademark for certification.

The service organization also answers another question that businesses are likely to have: "Who is going to support me?" Perens states in his paper that a organization built around UserLinux would actually be able to support more customers than Red Hat:

Red Hat boasts that it employs 300 engineers, but few of those engineers are in customer-contact positions. Their support organization is surprisingly small. Our multi-company effort has the potential to be able to offer more service, even by simple metrics like head-count, reasonably early in its existence. It can provide better-localized service because of the potential for involvement by service companies in many regions. And we can provide better quality, and lower-cost service, due to the fact that our service providers will compete with each other for business.

This organization may work to provide technical support, though it bears a strong resemblance to Red Hat's early "Support Partner" program, which was never very successful. What may prove harder is convincing potential users that other sorts of support - such as security updates - will be available for several years into the future.

Another obstacle faced by UserLinux is package support. Specifically, which packages to bundle into the distribution. At this point, Linux has several areas where there are a number of competing packages that perform the same general functions. Perens argues that an enterprise project should make choices between various packages and pick a single package rather than be bogged down trying to support a array of packages. This would not prevent users or vendors from adding packages, but the default system would include only one of a given type of package.

This is likely to cause some heated and unpleasant debates as UserLinux moves forward. There are already some strong objections to Perens' preliminary choices on the UserLinux discuss list. Eventually, these choices have to be made, however. Perens proposes that these and other technical choices be made by a meritocracy, similar to projects like the Linux kernel, the Apache project or the Debian project itself.

UserLinux is, at this point, only a concept. There is much work to be done, and much of it is in uncharted territory. Whether or not it succeeds depends on a number of factors, some of which are obvious now and others will only become apparent with time. But if the success of Linux has taught us anything thus far, it is that the open source community can succeed where many expect failure.

Comments (3 posted)

Page editor: Jonathan Corbet

Security

Security news

Lessons from the Debian compromise

December 10, 2003

This article was contributed by Robert Bernier

It's been said that what doesn't kill you makes you stronger: if so then Debian must be very strong these days. The recent attack on Debian's servers is well known. It has been well documented and explained in detail. What remains to do is to consider the aftermath; have lessons been learned?

Recall the sequence of events. In the month of November, an unknown person developed a crack that exploited that now famous kernel flaw and found his way into a Debian developer's machine. Although it's not known if the attack was focused on the developer's machine in particular, it was quickly understood by the attacker that this PC presented a means to accessing the Debian servers. He installed the requisite tools that took over the machine and sniffed out the passwords. The attacker then obtained the password that enabled him to compromise a Debian project server. In quick succession, he penetrated a number of machines which spanned North-America and Europe.

It must be understood that up to this point the attack had not been detected. The machines were penetrated and had been successfully subverted. The attacks were executed in such a manner that none of the installed security mechanisms caught the activity. So why didn't the archives get compromised? And how was it that the attack, was even discovered?

The hand-crafted kernel exploit was not perfect. According to a group of Debian contributors who were interviewed at a recent Linux User's Group meeting (LUG), the exploit worked on all of the Intel machines but failed against one Sparc system, which is where the archives happen to reside. Another crack imperfection was that it generated strange messages in the log files which led to the attack's discovery. It turns out that one of the system administrators became uneasy as he was looking through the log files of one of his machines. He quickly understood that the messages were not normal and the other machines were checked out in short order. This is how the attack and its point of entry (the developer's compromised machine) were discovered.

What are the lessons learned?

  • Crackers can make bad code: the existence of those log messages indicates a lack of professionalism and sloppiness that eventually led to the attack's discovery.

  • The bio-diversity of mixed environments defeats mono-culture weaknesses: it's easy to criticize the fragility attributed by the dominance of a Microsoft centric work environment. But we seemed to have missed the fact that a Linux-only environment is monoculture too. Things could have been worse if it wasn't for the inherent differences between Intel and Sun System architectures.

  • Good people make a difference: a sharp brain and active curiosity are a great combination. Given the time and resources, all exploits can be caught.

Has anything been learned from this event that can help us formulate a more proactive policy? That answer depends on how much we, the open source community, are willing to work to eliminate these violations. These kinds of people can exploit a hundred machines before they stumble over one that can really hurt us. And that's the irony, for every attack that is noticed there are ten more that are unseen. By increasing the diversity of our systems and the alertness of our administration, we improve our chances of detecting and shutting down this sort of attack before it does real damage.

Comments (17 posted)

Discontinued SuSE Linux Distributions

SuSE has announced an end of life for SuSE Linux 7.3. Vulnerabilities found after December 15, 2003 will not be fixed for SuSE Linux 7.3.

Full Story (comments: none)

New vulnerabilities

cvs: unauthorized file creation

Package(s):cvs CVE #(s):
Created:December 9, 2003 Updated:December 17, 2003
Description: Stable CVS 1.11.10 has been released, fixing a security issue with no known exploits (as of this writing) that could cause previous versions of CVS to attempt to create files and directories in the filesystem root. This release also fixes several issues relevant to case insensitive filesystems and some other bugs.
Alerts:
OpenPKG OpenPKG-SA-2003.052 2003-12-17
Slackware SSA:2003-345-01 2003-12-11
Gentoo 200312-04 2003-12-08
Mandrake MDKSA-2003:112-1 2003-12-10
Mandrake MDKSA-2003:112 2003-12-08

Comments (none posted)

FreeRADIUS: Denial of service vulnerability

Package(s):FreeRADIUS CVE #(s):CAN-2003-0967
Created:December 10, 2003 Updated:December 10, 2003
Description: Versions of FreeRADIUS through 0.9.2 have a vulnerability wherein a remote attacker can cause the daemon to crash.
Alerts:
Red Hat RHSA-2003:386-01 2003-12-10

Comments (none posted)

rsync - remotely exploitable heap overflow

Package(s):rsync CVE #(s):CAN-2003-0962
Created:December 4, 2003 Updated:March 3, 2004
Description: An advisory has gone out warning of a remotely exploitable heap overflow vulnerability in rsync versions 2.5.6 and prior. If you are running an rsync server, you will want to apply a distributor patch or upgrade to 2.5.7 in the near future.
Alerts:
SCO Group CSSA-2004-010.0 2004-03-02
Immunix IMNX-2003-73-001-01 2003-12-05
Mandrake MDKSA-2003:111 2003-12-04
Red Hat RHSA-2003:399-01 2003-12-04
Red Hat RHSA-2003:398-01 2003-12-04
Fedora FEDORA-2003-030 2003-12-04
Conectiva CLA-2003:794 2003-12-04
Gentoo 200312-03 2003-12-04
EnGarde ESA-20031204-032 2003-12-04
Debian DSA-404-1 2003-12-04
OpenPKG OpenPKG-SA-2003.051 2003-12-04
SuSE SuSE-SA:2003:050 2003-12-04
Trustix 2003-0048 2003-12-04
Slackware SSA:2003-337-01 2003-12-03

Comments (none posted)

Updated vulnerabilities

2.4 kernel - several vulnerabilities

Package(s):2.4 kernel CVE #(s):CAN-2003-0461 CAN-2003-0462 CAN-2003-0464 CAN-2003-0476 CAN-2003-0501 CAN-2003-0550 CAN-2003-0551 CAN-2003-0552
Created:July 21, 2003 Updated:December 23, 2003
Description: Several security issues have been discovered affecting the Linux kernel:
  • CAN-2003-0461: /proc/tty/driver/serial reveals the exact character counts for serial links. This could be used by a local attacker to infer password lengths and inter-keystroke timings during password entry.

  • CAN-2003-0462: Paul Starzetz discovered a file read race condition existing in the execve() system call, which could cause a local crash.

  • CAN-2003-0464: A recent change in the RPC code set the reuse flag on newly-created sockets. Olaf Kirch noticed that his could allow normal users to bind to UDP ports used for services such as nfsd.

  • CAN-2003-0476: The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, allowing local users to gain read access to restricted file descriptors.

  • CAN-2003-0501: The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program. This causes the program to fail to change the ownership and permissions of already opened entries.

  • CAN-2003-0550: The STP protocol is known to have no security, which could allow attackers to alter the bridge topology. STP is now turned off by default.

  • CAN-2003-0551: STP input processing was lax in its length checking, which could lead to a denial of service.

  • CAN-2003-0552: Jerry Kreuscher discovered that the Forwarding table could be spoofed by sending forged packets with bogus source addresses the same as the local host.
Alerts:
Red Hat RHSA-2003:408-00 2003-12-19
Gentoo 200308-01 2003-08-14
Debian DSA-358-4 2003-08-13
SuSE SuSE-SA:2003:034 2003-08-12
Debian DSA-358-2 2003-08-05
Debian DSA-358-3 2003-08-04
Debian DSA-358-1 2003-07-31
EnGarde ESA-20032407-018 2003-07-24
Red Hat RHSA-2003:238-01 2003-07-21

Comments (none posted)

apache: buffer overflows in mod_alias, mod_rewrite

Package(s):apache CVE #(s):CAN-2003-0542 CAN-2003-0789
Created:October 28, 2003 Updated:February 13, 2004
Description: André Malo discovered buffer overflows in the mod_alias and mod_rewrite modules of the Apache webserver. These occurred if a regular expression with more than 9 capturing parenthesis was configured. To exploit this, an attacker would need to be able to locally create a carefully crafted configuration file (.htaccess or httpd.conf). CAN-2003-0542

Another buffer overflow in Apache 2.0.47 and earlier in mod_cgid's mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used. CAN-2003-0789.

Alerts:
Whitebox WBSA-2004:015-01 2004-02-12
Fedora FEDORA-2003-004 2004-01-08
Red Hat RHSA-2003:405-00 2003-12-18
Red Hat RHSA-2003:320-01 2003-12-16
Red Hat RHSA-2003:360-01 2003-12-10
Gentoo 200310-03 2003-10-28
Trustix 2003-0041 2003-11-15
Conectiva CLA-2003:775 2003-11-05
Slackware SSA:2003-308-01 2003-11-03
EnGarde ESA-20031105-030 2003-11-05
Mandrake MDKSA-2003:103 2003-11-03
Gentoo 200310-04 2003-10-31
Immunix IMNX-2003-7+-025-01 2003-10-28
OpenPKG OpenPKG-SA-2003.046 2003-10-28

Comments (none posted)

apache2: Denial of Service vulnerability

Package(s):apache2 CVE #(s):
Created:September 29, 2003 Updated:March 25, 2004
Description: A problem was discovered in Apache2 where CGI scripts that write more than 4k to the standard error stream will hang the script's execution. This problem can lead to a denial of service situation. See this bug report for additional details.
Alerts:
Gentoo 200403-04 2004-03-22
Netwosix NW-2004-0006 2004-03-25
Mandrake MDKSA-2003:096-1 2003-10-24
Mandrake MDKSA-2003:096 2003-09-26

Comments (none posted)

bind: cache poisoning

Package(s):bind CVE #(s):CAN-2003-0914
Created:November 26, 2003 Updated:February 19, 2004
Description: A cache poisoning vulnerability in BIND may be exploited causing a temporary denial of service until the bad record expires from the cache.
Alerts:
SCO Group CSSA-2004-003.0 2004-02-19
Debian DSA-409-1 2004-01-05
SuSE SuSE-SA:2003:047 2003-11-28
Trustix 2003-0044 2003-11-27
Immunix IMNX-2003-7+-024-01 2003-10-27
EnGarde ESA-20031126-031 2003-11-26

Comments (none posted)

CUPS: denial of service

Package(s):CUPS CVE #(s):CAN-2003-0788
Created:November 3, 2003 Updated:March 4, 2004
Description: Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631).
Alerts:
SCO Group CSSA-2004-012.0 2004-03-03
Conectiva CLA-2003:779 2003-11-07
Mandrake MDKSA-2003:104 2003-11-05
Red Hat RHSA-2003:275-01 2003-11-03

Comments (none posted)

ethereal: multiple remote and local vulnerabilities

Package(s):ethereal CVE #(s):CAN-2003-0925 CAN-2003-0926 CAN-2003-0927
Created:November 10, 2003 Updated:December 17, 2003
Description: Multiple vulnerabilities have been found in ethereal versions below 0.9.16. Remote attackers can craft packets, and local users can build corrupt trace files, resulting denial of service and remote code execution.
Alerts:
Mandrake MDKSA-2003:114 2003-12-10
Fedora FEDORA-2003-022 2003-11-25
Gentoo 200311-04 2003-11-22
Red Hat RHSA-2003:323-01 2003-11-10
Conectiva CLA-2003:780 2003-11-07

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

fetchmail may crash on specially crafted message

Package(s):fetchmail CVE #(s):CAN-2003-0792
Created:October 16, 2003 Updated:April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
OpenPKG OpenPKG-SA-2004.012 2004-04-08
Gentoo 200403-10 2004-03-30
Netwosix NW-2004-0002 2004-02-20
SCO Group CSSA-2004-004.0 2004-02-19
Slackware SSA:2003-300-02 2003-10-22
Mandrake MDKSA-2003:101 2003-10-16

Comments (none posted)

fileutils/wu-ftpd: denial of service

Package(s):fileutils CVE #(s):CAN-2003-0854
Created:October 22, 2003 Updated:March 2, 2004
Description: There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details.
Alerts:
SCO Group CSSA-2004-006.0 2004-03-01
Trustix 2003-0042 2003-11-15
Mandrake MDKSA-2003:106 2003-11-12
Red Hat RHSA-2003:309-01 2003-11-03
Immunix IMNX-2003-7+-026-01 2003-10-31
Conectiva CLA-2003:771 2003-10-24
Conectiva CLA-2003:768 2003-10-22

Comments (none posted)

glibc: DNS stub resolvers contain buffer overflow vulnerability

Package(s):glibc CVE #(s):CAN-2002-1146
Created:November 7, 2002 Updated:February 5, 2004
Description: DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331)

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

Alerts:
Mandrake MDKSA-2004:009 2004-02-04
Red Hat RHSA-2002:197-09 2002-11-06
Red Hat RHSA-2002:197-06 2002-10-03

Comments (none posted)

GnuPG: ElGamal signing keys compromised

Package(s):gnupg CVE #(s):CAN-2003-0971
Created:November 28, 2003 Updated:March 3, 2004
Description: A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to ElGamal sign+encrypt keys. This email message from Werner Koch contains more information. "Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds."
Alerts:
SCO Group CSSA-2004-009.0 2004-03-02
Debian DSA-429-2 2004-02-13
Debian DSA-429-1 2004-01-26
Gentoo 200312-05 2003-12-12
Fedora FEDORA-2003-025 2003-12-10
Red Hat RHSA-2003:395-01 2003-12-10
Red Hat RHSA-2003:390-01 2003-12-10
Conectiva CLA-2003:798 2003-12-09
SuSE SuSE-SA:2003:048 2003-12-03
Mandrake MDKSA-2003:109 2003-11-28

Comments (3 posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

KDE: Two issues in KDM

Package(s):kde, xfree86 CVE #(s):CAN-2003-0690 CAN-2003-0692
Created:September 16, 2003 Updated:December 19, 2003
Description: According to this advisory two issues have been discovered in KDM:
  • CAN-2003-0690: Privilege escalation with specific PAM modules. The XDM display manager that ships with XFree86 prior to 4.3 is also vulnerable.
  • CAN-2003-0692: Session cookies generated by KDM are potentially insecure
All versions of KDM as distributed with KDE up to and including KDE 3.1.3 are affected.
Alerts:
Mandrake MDKSA-2003:118 2003-12-19
Gentoo 200311-01 2003-11-15
Debian DSA-388-1 2003-09-19
Conectiva CLA-2003:747 2003-09-19
Mandrake MDKSA-2003:091 2003-09-16
Red Hat RHSA-2003:269-01 2003-09-16

Comments (none posted)

kernel: local root exploit in 2.4.22

Package(s):kernel CVE #(s):CAN-2003-0961
Created:December 1, 2003 Updated:April 5, 2004
Description: A vulnerability was discovered in the Linux kernel versions 2.4.22 and previous. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable.

The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.

Alerts:
Debian DSA-475-1 2004-04-05
Debian DSA-470-1 2004-04-01
Debian DSA-442-1 2004-02-19
Debian DSA-433-1 2004-02-04
Debian DSA-423-1 2004-01-15
Red Hat RHSA-2003:368-01 2003-12-19
Conectiva CLA-2003:796 2003-12-05
Gentoo 200312-02 2003-12-04
SuSE SuSE-SA:2003:049 2003-12-04
Yellow Dog YDU-20031203-1 2003-12-03
Red Hat RHSA-2003:389-01 2003-12-01
Fedora FEDORA-2003-026 2003-12-02
Slackware SSA:2003-336-01 2003-12-01
Red Hat RHSA-2003:392-00 2003-12-01
Trustix 2003-0046 2003-12-01
Mandrake MDKSA-2003:110 2003-12-01
Debian DSA-403-1 2003-12-01

Comments (1 posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libnids: remotely exploitable buffer overflow

Package(s):libnids CVE #(s):CAN-2003-0850
Created:October 29, 2003 Updated:January 6, 2004
Description: libnids (a NIDS plugin which emulates the Linux 2.0 IP stack) contains a buffer overflow vulnerability which can be exploited remotely. Version 1.18 fixes the problem.
Alerts:
Debian DSA-410-1 2004-01-05
Gentoo 200311-07 2003-11-22
Conectiva CLA-2003:773 2003-10-29

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mpg123: heap overflow

Package(s):mpg123 CVE #(s):CAN-2003-0865
Created:November 12, 2003 Updated:February 19, 2004
Description: Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details.
Alerts:
SCO Group CSSA-2004-002.0 2004-02-19
Debian DSA-435-1 2004-02-06
Conectiva CLA-2003:781 2003-11-12

Comments (none posted)

mplayer: remotely exploitable buffer overflow vulnerability

Package(s):mplayer CVE #(s):CAN-2003-0835
Created:September 29, 2003 Updated:April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Mandrake MDKSA-2004:026 2004-04-05
Gentoo 200403-13 2004-03-31
Conectiva CLA-2003:760 2003-10-06
Mandrake MDKSA-2003:097 2003-09-30
Gentoo 200309-15 2003-09-27

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

Net-SNMP: security bugs in versions before 5.0.9

Package(s):Net-SNMP CVE #(s):CAN-2003-0935
Created:December 2, 2003 Updated:February 13, 2004
Description: The Net-SNMP project includes various Simple Network Management Protocol (SNMP) tools. A security issue in Net-SNMP versions before 5.0.9 could allow an existing user/community to gain access to data in MIB objects that were explicitly excluded from their view.

Version 5.0.9 of Net-SNMP is not vulnerable to this issue. In addition, Net-SNMP 5.0.9 fixes a number of other minor bugs.

Alerts:
Whitebox WBSA-2004:023-01 2004-02-12
Red Hat RHSA-2004:023-01 2004-01-15
Mandrake MDKSA-2003:115 2003-12-11
Red Hat RHSA-2003:335-01 2003-12-02

Comments (none posted)

nfs-utils xlog() off-by-one bug

Package(s):nfs-utils CVE #(s):CAN-2003-0252
Created:July 14, 2003 Updated:March 8, 2004
Description: Linux NFS utils package contains remotely exploitable off-by-one bug. A local or remote attacker could exploit this vulnerability by sending specially crafted request to rpc.mountd daemon. See this BugTraq post for more details.
Alerts:
Trustix TSLSA-2004-0009 2004-03-05
SCO Group CSSA-2003-037.0 2003-11-17
Conectiva CLA-2003:700 2003-07-22
Mandrake MDKSA-2003:076 2003-07-21
Gentoo 200307-07 2003-07-19
Yellow Dog YDU-20030718-1 2003-07-18
Slackware SSA:2003-195-01b 2003-07-15
Immunix IMNX-2003-7+-018-01 2003-07-14
SuSE SuSE-SA:2003:031 2003-07-15
Slackware SSA:2003-195-01 2003-07-14
Debian DSA-349-1 2003-07-14
Red Hat RHSA-2003:206-01 2003-07-14

Comments (none posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

Pan: denial of service

Package(s):Pan CVE #(s):CAN-2003-0855
Created:November 25, 2003 Updated:December 10, 2003
Description: Pan is a Gnome/GTK+ newsreader. A bug in Pan versions prior to 0.13.4 can cause Pan to crash when parsing an article header containing a very long author email address. This bug causes a crash (denial of service) but is not further exploitable.
Alerts:
Red Hat RHSA-2003:312-01 2003-12-10
Red Hat RHSA-2003:311-01 2003-11-24

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

proftpd: remote root shell

Package(s):proftpd CVE #(s):CAN-2003-0831
Created:September 24, 2003 Updated:January 2, 2004
Description: The ASCII translation mechanism in ProFTPD 1.2.8 contains a vulnerability which will provide a remote attacker with a root shell - if the attacker is able to download a specially-crafted file. See this ISS advisory for more information.
Alerts:
Mandrake MDKSA-2003:095-1 2003-12-31
Conectiva CLA-2003:750 2003-09-29
Gentoo 200309-16 2003-09-28
Trustix 2003-0037 2003-09-27
Mandrake MDKSA-2003:095 2003-09-26
OpenPKG OpenPKG-SA-2003.043 2003-09-25
Slackware SSA:2003-259-02 2003-09-23

Comments (2 posted)

Multiple-use vulnerability in Safe.pm

Package(s):Safe.pm CVE #(s):CAN-2002-1323
Created:October 9, 2002 Updated:February 20, 2004
Description: usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08.
Alerts:
SCO Group CSSA-2004-007.0 2004-02-20
Gentoo 200212-6 2002-12-20
Trustix 2002-0087 2002-12-19
OpenPKG OpenPKG-SA-2002.014 2002-12-16
Debian DSA-208-1 2002-12-12

Comments (none posted)

sane-backends: several vulnerabilities

Package(s):sane-backends CVE #(s):CAN-2003-0773 CAN-2003-0774 CAN-2003-0775 CAN-2003-0776 CAN-2003-0777 CAN-2003-0778
Created:September 11, 2003 Updated:February 20, 2004
Description: Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segfault fault and/or consume arbitrary amounts of memory. The attack is successful, even if the attacker's computer isn't listed in saned.conf.

You are only vulnerable if you actually run saned e.g. in xinetd or inetd. If the entries in the configuration file of xinetd or inetd respectively are commented out or do not exist, you are safe.

Try "telnet localhost 6566" on the server that may run saned. If you get "connection refused" saned is not running and you are safe.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • CAN-2003-0773: saned checks the identity (IP address) of the remote host only after the first communication took place (SANE_NET_INIT). So everyone can send that RPC, even if the remote host is not allowed to scan (not listed in saned.conf).
  • CAN-2003-0774: saned lacks error checking nearly everywhere in the code. So connection drops are detected very late. If the drop of the connection isn't detected, the access to the internal wire buffer leaves the limits of the allocated memory. So random memory "after" the wire buffer is read which will be followed by a segmentation fault.
  • CAN-2003-0775: If saned expects strings, it mallocs the memory necessary to store the complete string after it receives the size of the string. If the connection was dropped before transmitting the size, malloc will reserve an arbitrary size of memory. Depending on that size and the amount of memory available either malloc fails (->saned quits nicely) or a huge amount of memory is allocated. Swapping and OOM measures may occur depending on the kernel.
  • CAN-2003-0776: saned doesn't check the validity of the RPC numbers it gets before getting the parameters.
  • CAN-2003-0777: If debug messages are enabled and a connection is dropped, non-null-terminated strings may be printed and segmentation faults may occur.
  • CAN-2003-0778: It's possible to allocate an arbitrary amount of memory on the server running saned even if the connection isn't dropped. At the moment this can not easily be fixed according to the author. Better limit the total amount of memory saned may use (ulimit).
Alerts:
SCO Group CSSA-2004-005.0 2004-02-19
SuSE SuSE-SA:2003:046 2003-11-18
Conectiva CLA-2003:769 2003-10-22
Mandrake MDKSA-2003:099 2003-10-09
Red Hat RHSA-2003:278-01 2003-10-07
Debian DSA-379-1 2003-09-11

Comments (none posted)

screen: privilege escalation

Package(s):screen CVE #(s):CAN-2003-0972
Created:November 28, 2003 Updated:March 3, 2004
Description: According to this advisory a buffer overflow in GNU screen allows privilege escalation for local users. Usually screen is installed either setgid-utmp or setuid-root.

It also has some potential for remote attacks or getting control of another user's screen. The problem is that you have to transfer around 2-3 gigabytes of data to user's screen to exploit this vulnerability. 4.0.1, 3.9.15 and older versions are vulnerable.

Alerts:
SCO Group CSSA-2004-011.0 2004-03-02
Fedora-Legacy FLSA:1187 2004-01-26
Conectiva CLA-2004:809 2004-01-20
Debian DSA-408-1 2004-01-05
Mandrake MDKSA-2003:113 2003-12-08
OpenPKG OpenPKG-SA-2003.050 2003-11-28

Comments (none posted)

stunnel: file descriptor leak

Package(s):stunnel CVE #(s):CAN-2003-0740
Created:November 26, 2003 Updated:December 3, 2003
Description: A vulnerability was discovered in stunnel versions 3.24 and earlier, as well as 4.00, by Steve Grubb. It was found that stunnel leaks a critical file descriptor that can be used to hijack stunnel's services. See this advisory for more information.
Alerts:
Trustix 2003-0045 2003-11-27
Mandrake MDKSA-2003:108 2003-11-25

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 9, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 20, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

vim - modeline vulnerability

Package(s):vim CVE #(s):CAN-2002-1377
Created:January 16, 2003 Updated:February 10, 2004
Description: VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed.
Alerts:
Conectiva CLA-2004:812 2004-02-10
Mandrake MDKSA-2003:012 2003-02-03
Yellow Dog YDU-20030127-3 2003-01-27
Gentoo 200301-13 2003-01-22
OpenPKG OpenPKG-SA-2003.003 2003-01-21
Red Hat RHSA-2002:297-17 2003-01-15

Comments (4 posted)

wget: buffer overflow

Package(s):wget CVE #(s):CAN-2003-1565
Created:August 5, 2003 Updated:December 10, 2003
Description: The wget utility contains a buffer overflow which, when exploited with an over-long URL, can enable arbitrary code execution.
Alerts:
Red Hat RHSA-2003:372-01 2003-12-10
SCO Group CSSA-2003-025.0 2003-10-03
Conectiva CLA-2003:716 2003-08-04

Comments (1 posted)

zebra: denial of service vulnerability

Package(s):zebra CVE #(s):CAN-2003-0795 CAN-2003-0858
Created:November 13, 2003 Updated:January 7, 2004
Description: Zebra an open source implementation of TCP/IP routing software.

Jonny Robertson reported that Zebra can be remotely crashed if a Zebra password has been enabled and a remote attacker can connect to the Zebra telnet management port. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0795 to this issue.

Herbert Xu reported that Zebra can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0858 to this issue.

Alerts:
Debian DSA-415-1 2004-01-06
OpenPKG OpenPKG-SA-2003.049 2003-11-25
Conectiva CLA-2003:786 2003-11-20
Red Hat RHSA-2003:307-01 2003-11-13

Comments (none posted)

Resources

Patchmanagement.org

Patchmanagement.org has been launched as a moderated mailing list where interested parties can talk about patch management.

Full Story (comments: none)

A FAQ on the OpenSSL FIPS 140-2 validation effort

The Open Source Software Institute has posted a FAQ describing the current OpenSSL FIPS 140-2 validation effort. This work, which is sponsored by HP and the Defense Medical Logistics Standard Support program of the DoD Military Health System, seeks to have the OpenSSL cryptographic modules certified as complying with the FIPS 140-2 standard. At that point, it would be possible for vendors to create applications which carry the same validation. See the document for lots of details.

Comments (none posted)

Events

Black Hat Briefings Amsterdam Call for Papers

The 2004 version of the Black Hat Briefings will be held in Amsterdam on May 17 to 20. The call for papers is out now, with a submission deadline of March 25.

Full Story (comments: none)

Page editor: Jonathan Corbet

Kernel development

Release status

Kernel release status

The current development kernel remains 2.6.0-test11; Linus seems to be waiting for Andrew Morton to return from vacation and pick up the baton. Linus has, however, accepted a few dozen small bugfixes into his BitKeeper repository.

The current stable kernel is 2.4.23; Marcelo has started off the 2.4.24 process with 2.4.24-pre1. This prepatch includes the XFS filesystem (see below) along with a fair number of networking and architecture patches.

Comments (1 posted)

Kernel development news

2.4, XFS, and DM

As reported last week, many users had requested that the XFS filesystem be added to the 2.4 kernel despite Marcelo's stated intent to go into a maintenance-only mode. Those users h