LWN.net Logo

LWN.net Weekly Edition for August 15, 2002

Engage with government - or ignore it?

There is no doubt that much of what is going on in legislative systems worldwide is hostile to both free software and the larger principles of fair use of ideas and copyrighted works. Laws like the DMCA or the upcoming UK copyright law ban the writing of programs which provide "unauthorized" access to legitimately purchased materials. Proposed laws like the CBDTPA (seen defined as "Consume, But Don't Try Programming Anything") could outlaw broad classes of free software outright. There is clearly cause to worry. But what should we do about these threats?

Columnist Dan Gillmor tells us to get involved and pressure government for better laws:

But I'm convinced that we can preserve our rights, if we can only persuade Congress that they're worth preserving. There's little or no constituency for fair use and other rights, partly because lawmakers are only hearing one side. But if the community of readers, listeners, viewers, scholars, researchers and others who don't ``own'' copyrights doesn't at least challenge the terms of the debate, it will surely lose.

Mr. Gillmor tells us that we need to "reeducate" Congress and press technology companies to be more assertive about the rights and needs of its customers, rather than those of big media. With enough political pressure, our rights can be preserved.

Before going off to pressure Congress (or Parliament, or whatever), though, it is worth taking a look at another view. Declan McCullagh, who has covered Congress and technology for years, has recently posted a column questioning the value of the political path:

Here's the bitter truth: These efforts are mostly a waste of time. Sure, they may make you feel better, but they're not the way to win.

His suggestion, instead, is to take the classic cypherpunk approach: write code.

Put another way, who made a bigger difference: Yet another letter-scribbling activist or Phil Zimmermann, who wrote the Pretty Good Privacy (PGP) encryption software? How about Shawn Fanning, the man who created Napster? Or the veterans of the Internet Engineering Task Force, which oversees the fundamental protocols of the Internet?

He has a point: had Phillip Zimmermann not written PGP when he did, the battle for the right to use strong encryption may well have been lost a decade ago.

In general, the wide diffusion of technology makes it harder to outlaw or control that technology. In 1990, it might just have been possible to pass a CBDTPA-like law which would have made the distribution of free operating systems impossible. In 2002, Linux and *BSD are everywhere, serving many critical functions; outlawing them is not a practical possiblity. Hackers should, indeed, be creating and distributing code. Getting that code out where it can not be recalled is an important activity for the defense of our freedom.

But wouldn't it be a nicer world if free software hackers did not need to fear arrest and incarceration for releasing the wrong code? Wouldn't it be better if copyright law were to swing back toward the longstanding values of fair use, first sale, and compromise between control and the free exchange of ideas? To claim that the only worthwhile work is writing code is to see the future as a sort of guerilla war against an entrenched copyright regime. This does not sound like a fun future, and it should not be seen as inevitable.

Sustained political effort can yield results. But success requires engaging and interest and support of a large number of people. Governmental representatives can easily ignore the noise from a small group of concerned programmers; they need to hear from a wider constituency before they will pay attention. Somehow we need to get Aunt Tillie worried about copyright law. That is going to be a difficult task, but it's an important one.

Comments (10 posted)

The Digital Software Security Act

One example of engagement with government is the Digital Software Security Act (DSSA), which is proposed for enactment in the state of California. This bill is strongly supported by Red Hat, to the point that CTO Michael Tiemann is leading a march to the San Francisco city hall on August 15. The law may look good at a first glance, but it is not clear that this is really the best way to promote the free software cause.

The DSSA is strict and unambiguous in its requirements. If a given software package does not come with source, and the ability to modify and redistribute that source, the state of California would not be able to buy it. If no suitable open source package exists for, say, the management of mineral rights or the operation of automated tollbooths, then state would simply have to do without. Chances are, some of the operations of the state of California would be adversely affected by this law.

The proposed law is extreme, and its chances of passage are minimal. Which is just as well. Imagine the backlash that would result once people figured out that, since nobody has gotten around to creating a SourceForge project for welfare case management, tracking of health insurance complaints, or the secure creation of drivers licenses, the state would no longer be able to perform those functions. This law would not last long.

More generally, free software is supposed to be about choices and freedom. That includes the freedom to choose software that does not necessarily meet the Open Source Definition. There are situations where a mandate of openness makes sense for governments: file formats for the storage of public data and electronic voting software come readily to mind. It is certainly in the interests of governments - and the governed - to use free software in situations where that software can do the job. But a heavy-handed law that requires the use of free software in all situations - even where such software does not exist - is excessive and counterproductive. World Domination is best achieved through better software and respect for freedom, not by legislative fiat.

Comments (8 posted)

LinuxWorld

The LinuxWorld Conference & Expo is happening without LWN's presence this year - but they seem to be getting along just fine without us. Our coverage is thus less that it might other wise be. Thanks to Russell Pavlicek, we do have reports from the first and second days at the event.

Beyond that, there are a few things of interest that have come out of this LinuxWorld iteration, including:

  • The Free Standards Group has announced that three distributors (MandrakeSoft, Red Hat, and SuSE) have won "LSB-compliant" certification for their distributions. Actual implementation by the distributors was an important part of the whole Linux Standard Base process, so this is good news.

  • Sun has jumped into the business of selling commodity PCs with Linux installed. This has proved to be a difficult living for many, but it's possible that Sun's experience will be different.

  • Dell's announcements show clearly where that company thinks money is to be made with Linux: large clusters and migration from proprietary Unix.

  • By the end of September, we're told, we'll see the Xandros 1.0 and UnitedLinux beta releases.

  • Oracle has joined the GPL community by releasing its "cluster filesystem" for Linux. The company seems to think that the Linux platform is important enough to be worth improving.

See this week's Linux in Business page for more LinuxWorld press releases than you would ever really want to see. The Linux business world has changed, but LinuxWorld still seems to be its meeting place.

Comments (none posted)

SourceForge goes to DB2

Among the many announcements from LinuxWorld this week is this one from VA Software stating that the SourceForge software would be adapted to work with a number of proprietary IBM products, including the DB2 database manager and WebSphere. VA and IBM will also cooperate in the marketing of each other's products. Oh, and, incidentally, OSDN (owned by VA) has announced that SourceForge.net will be converted over to run DB2 exclusively.

This arrangement does not lack its good features. SourceForge becomes more interoperable and gains a new marketing channel. No details have been released, of course, but it is reasonable to expect that IBM will help support SourceForge.net's continued existence as part of this deal. Given the obvious cost of running a facility like SourceForge and the number of free software projects which depend on it, this is good news for the free software community.

The fact remains, however, that SourceForge is moving steadily away from free software. The site itself has not been pure free software for some time, and is now becoming a showcase for IBM's proprietary applications. There has not been a release of the SourceForge site code - the free part - since November, 2001. References to "open source" are most rare on the VA Software web site. Even the VA Software products FAQ shows an interesting emphasis:

Q: What platform (hardware/software) does SourceForge run on?

SourceForge runs on SPARC based Solaris servers using Solaris version 8 10/01 and higher. SourceForge also runs on Red Hat Linux versions 7.1 and higher on Intel processor-based platforms.

"Also runs" is better than nothing...

Almost exactly one year ago, Eric Raymond posted a message on how SourceForge wasn't really going proprietary:

So the real news here is that VA is still about open source -- if I didn't believe that, I'd be off their board of directors so fast it would make your head spin. We're just being pragmatic about how we sell the idea. Change peoples' behavior first, show them the advantages in doing so, and their hearts and minds will follow.

Given that, it is interesting to note that Mr. Raymond's name has been quietly dropped from VA's Board of Directors page.

We are, thus, in a position where a large portion of the free software community's work is hosted on a site owned by a company that no longer sees free software as part of its mission. The concentration of projects onto a single site (any single site) has been a cause of concern for some time; now it makes the community's position look truly precarious. SourceForge is still useful to VA as a demonstration of the scale on which its software can work. But it's an expensive advertisement which is increasingly being turned to the interests of those who are paying the bills. SourceForge remains a valuable contribution to the free software community, as it has been for years. But the need for alternatives (beyond Savannah and Berios, which are a good start) is more urgent than ever.

Comments (7 posted)

LWN status update

There is relatively little to report on the status of LWN since last week - despite the fact that we have been as busy as ever. Here's what's going on:
  • Our disagreement with our credit card clearing company is heading toward resolution - slowly. A small portion of the money given as donations (and advertising payments) to LWN has found its way into our bank account; we're working on getting the rest. Meanwhile, however, we lack the ability to accept credit card payments - something we have to fix before subscriptions can start.

  • Implementation of site code for the handling of subscriptions is proceeding - slowly. When writing code that does things like charge money to credit cards, it's best not to be in too much of a hurry.

Thanks yet again for your support. We'll do our best to keep you informed as things happen.

Comments (5 posted)

Page editor: Jonathan Corbet

Security

Security news

USENIX security 2002 wrap up

Jose Nazario has provided LWN with a brief wrap up of this year's USENIX Security 2002 conference. "Linux's LSM kernel features, part of the Linux Security Module feature kit, were presented by folks from WireX (makers of Immunix, StackGuard and FormatGuard), NAI labs (part of the SELinux development team), and others. Their paper gave an overview of the architecture, some example code, work to bring other Linux security projects into the LSM architecture, and some benchmarks. Overall an excellent report, showing how much work and research has gone into the project."

Full Story (comments: none)

Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG

A followup, addressing implementation issues, to the recent paper on chosen-ciphertext attacks against PGP and GnuPG by K. Jallad, J. Katz, and B. Schneier is available (PDF or Postscript format).

Werner Koch posted this partial rebuttal noting that countermeasures are defined in the OpenPGP drafts since October 2000.

The Mercury News covers the subject PGP flaw which could allow attackers to read mail intended for someone else only if they can be tricked into sending tampored mail back to the attacker after they receive it.

Full Story (comments: none)

Security pros create resource on flaws (News.com)

Here's a News.com article about the Internetworked Security Information Service (ISIS), which brings together four independent projects--the Open Source Vulnerability Database, the Alldas.de defacement-tracking service, the PacketStorm software database and the vulnerability watchdog VulnWatch.

Comments (none posted)

Defcon coverage

Wired and ZDNet covered the festival of just-for-fun denial of service attacks, system break-ins and other activities at this year's Defcon conference in Las Vegas.

Comments (none posted)

OUSPG Software vulnerability reporting survey

The Finnish Oulu University Secure Programming Group (OUSPG) is conducting a survey of "vendors who receive bug reports, to coordinators of the reporting process (e.g. mailing list moderators and national CERTs), and to reporters of software vulnerabilities."

If you do any of these functions we encourage you to participate.

Full Story (comments: none)

Security reports

Trojan horse in OpenSSH 3.4p1 source distribution

As described in this Bugtraq posting, the source distribution for OpenSSH 3.4p1 contains a trojan horse. Said trojan is apparently activated only during the build process; people who are running binary versions (from a trusted source!) should not need to worry. No word as yet on just how this came to be; stay tuned, we'll update things as we learn more. (Thanks to Christof Damian).

Updates:
An advisory from the OpenBSD folks has been issued. "OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the OpenBSD ftp server and potentially propagated via the normal mirroring process to other ftp servers....Anyone who has installed OpenSSH from the OpenBSD ftp server or any mirror within that time frame should consider his system compromised."

Tomi Nylund has compiled this list of mirrors that carried the trojaned OpenSSH.

Full Story (comments: 3)

L-Forum XSS, upload spoofing and SQL injection vulnerabilities

Ulf Harnhammar reports that L-Forum version 2.4.0, and possibily others, has got two different XSS (Cross-Site Scripting) holes and a distinct upload spoofing vulnerabiity

In a separate report, Matthew Murphy discovered an SQL injection flaw in L-Forum.

Full Story (comments: none)

TinySSL basic constraints vulnerability fixed

TinySSL version 1.03 has a server side fix for this IE SSL vulnerability. TinySSL is an open source, compact (125k jar), SSLv3 client implementation written in Java (1.1+).

Full Story (comments: 1)

New vulnerabilities

Bug in SunRPC-derived XDR libraries

An integer overflow in xdr_array() function when deserializing the XDR stream that originated in the SunRPC library has been propagated into, at least, glibc, Kerberos 5, OpenAFS and dietlibc. The result, in most cases, is a potential remote code or root access vulnerability.

According to the CERT Vulnerability Note, "this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information."

The result, so far, is the four new vulnerabilities (below) for glibc, Kerberos 5, OpenAFS and dietlibc.

News.com covers the bug and its impact on Kerberos Key Distribution Center authentication functions. "Several sellers of Unix and Unix-like operating systems, including Red Hat, Debian, FreeBSD, Sun and NetBSD, said that their software was affected by the issue, and issued fixes. HP said it was investigating the bug's impact."

Comments (none posted)

Potential remote root exploit in glibc

Package(s):glibc CVE #(s):CAN-2002-0391
Created:August 14, 2002 Updated:June 29, 2003
Description: Felix von Leitner, discovered a potential division by zero bug in code derived from the SunRPC library which is used in glibc.This bug could be exploited to gain unauthorized root access to software linking to glibc.

Updating as soon as practical is a good idea.

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-149-1 2002-08-13
Red Hat RHSA-2002:166-07 2002-08-12
Eridani ERISA-2002:036 2002-08-13
Trustix 2002-0067 2002-08-13
SuSE SuSE-SA:2002:031 2002-08-30
Gentoo glibc-20020905 2002-09-05
Mandrake MDKSA-2002:061 2002-09-23
Debian DSA-149-2 2002-09-26
Gentoo dietlibc-20020927 2002-09-27
Gentoo glibc-20020927 2002-09-27
EnGarde ESA-20021003-021 2002-10-03
Trustix 2002-0070 2002-10-17
Conectiva CLA-2002:535 2002-10-29
Debian DSA-333-1 2003-06-27

Comments (none posted)

Kerberos 5 unauthorized root access to KDC host vulnerability

Package(s):krb5 CVE #(s):
Created:August 14, 2002 Updated:October 29, 2002
Description: A bug in the Kerberos 5 remote administration service, "kadmind", could be exploited to gain unauthorized root access to a KDC host. It is believed that the attacker needs to be able to authenticate to the kadmin daemon for this attack to be successful.

Felix von Leitner, discovered this potential division by zero bug in code derived from the SunRPC library which is used in many places, including the Kerberos 5 administration system.

Updating now is recommended.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-143-1 2002-08-05
Conectiva CLA-2002:515 2002-08-07
Gentoo 200210-011 2002-10-28

Comments (none posted)

OpenAFS potential remote code execution vulnerability

Package(s):openafs CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: The OpenAFS database server is subject to the integer overflow bug in code derived from the SunRPC library.

This bug could be exploited to crash certain OpenAFS servers (volserver, vlserver, ptserver, buserver) or to obtain unauthorized root access to a host running one of these processes.

Felix von Leitner, discovered this potential division by zero bug in code derived from the SunRPC library which is used in many places including openafs.

Updating now is recommended.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-142-1 2002-08-05

Comments (none posted)

Potential unauthorized root access vulnerability in dietlibc

Package(s):dietlibc CVE #(s):CAN-2002-0391
Created:August 14, 2002 Updated:December 5, 2002
Description: Felix von Leitner, discovered a potential division by zero bug in code derived from the SunRPC library with is used in dietlibc, a libc optimized for small size. The bug could be exploited to gain unauthorized root access to software linking to dietlibc.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

Alerts:
Debian DSA-146-1 2002-08-08
Debian DSA-146-2 2002-08-08
SCO Group CSSA-2002-055.0 2002-12-04

Comments (none posted)

Local denial of service vulnerability in sendmail

Package(s):sendmail CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: A local user can stop local mail service by holding an exclusive read lock on specific sendmail files. The user must have permission to read a file such as /var/log/sendmail.st, which is world readable by default.

The problem is described in this advisory

Alerts:
Conectiva CLA-2002:xxx-1 2002-08-05

Comments (none posted)

Off by one buffer overflow vulnerability in cvsd

Package(s):cvs CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: cvs version 1.11, and possibily earlier versions, has a locally exploitable off by one buffer overflow vulnerability. The details are available here.
Alerts:
SCO Group CSSA-2002-035.0 2002-08-08

Comments (none posted)

Buffer overflow and format string vulnerabilities in ipppd

Package(s):i4l CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: The ipppd program, in the i4l package, has various buffer overflows and format string bugs. Since ipppd is installed setuid to root, attackers with appropriate group membership may be able to execute arbitrary commands as root. The i4l package for ISDN connectivity is installed by default in at least one distribution; you are vulnerable even if you do not have an ISDN connection.

The SuSE Security Team is aware of a published exploit for ipppd that gives a local attacker root privileges so you should either update the package or remove the setuid bit from ipppd.
Alerts:
SuSE SuSE-SA:2002:030 2002-08-12

Comments (none posted)

Buffer overflow vulnerability in the Jabber plug-in module for gaim

Package(s):gaim CVE #(s):CAN-2002-0384 CAN-2002-0377
Created:August 14, 2002 Updated:September 11, 2002
Description: gaim versions prior to 0.58 contained a buffer overflow in the Jabber plug-in module. The problem is fixed in gaim 0.59 which is available here. "Gaim is an instant messaging client written in GTK and is based on the published TOC messaging protocol from AOL."
Alerts:
Red Hat RHSA-2002:107-11 2002-08-05
Yellow Dog YDU-20020810-4 2002-08-10
Mandrake MDKSA-2002:054-1 2002-09-05

Comments (none posted)

Tcl/Tk local root vulnerability

Package(s):tcltk expect CVE #(s):CAN-2001-1374 CAN-2001-1375
Created:August 14, 2002 Updated:September 24, 2002
Description: Tcl/Tk searches for its libraries in the current working directory before other directories. A local user could execute arbitrary code by inserting a Trojan horse library in the current working directory.

Versions of the expect application prior to 5.32, search for its libraries in /var/tmp before searching in other directories. A local user could gain root privleges by inserting a Trojan horse library in /var/tmp and then getting the root user to run mkpasswd.

Alerts:
Red Hat RHSA-2002:148-06 2002-08-12
Eridani ERISA-2002:037 2002-08-14
Mandrake MDKSA-2002:060 2002-09-23

Comments (none posted)

Remotely exploitable vulnerabilities in l2tpd

Package(s):l2tpd CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: l2tpd, a layer 2 tunneling client/server program, does not initialize the random generator. Since this makes all generated random number 100% guessable, the oversight could lead to remote exploits. There is also a buffer overflow vulnerability. Both problems are fixed in the updates below.
Alerts:
Debian DSA-152-1 2002-08-13

Comments (none posted)

Wwwoffle remote privilege escalation vulnerability

Package(s):wwwoffle CVE #(s):CAN-2002-0818
Created:August 14, 2002 Updated:October 1, 2003
Description: The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with negative Content Length values. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on."

CAN-2002-0818

Alerts:
SuSE SuSE-SA:2002:029 2002-08-01
Debian DSA-144-1 2002-08-06
SCO Group CSSA-2002-048.0 2002-11-18

Comments (none posted)

Remote execution vulnerability in gallery

Package(s):gallery CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: A remote attacker could execute commands under the uid of the web server by passing in the GALLERY_BASEDIR variable remotely. Gallery is a web-based photo album toolkit.
Alerts:
Debian DSA-138-1 2002-08-01

Comments (none posted)

File exposure vulnerability in interchange

Package(s):interchange CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: A problem has been discovered in interchange which may allow a remote attacker to read any file for which the user of the Interchange daemon has sufficient permissions. Interchange must be running in "INET mode" (internet domain socket) to be vulnerable. This is not the default setting, at least in Debian packages.

Interchange is an e-commerce and general HTTP database display system.

Alerts:
Debian DSA-150-1 2002-08-13

Comments (none posted)

Remote arbitrary code execution vulnerability in mantis

Package(s):mantis CVE #(s):
Created:August 14, 2002 Updated:August 20, 2002
Description: Mantis is a php based bug tracking system. Joao Gouveia and the Debian Security Team found multiple insecure uses of uninitialized variables in mantis.

When these occasions are exploited, a remote user is able to execute arbitrary code under the webserver user id on the web server hosting the mantis system.
Alerts:
Debian DSA-153-1 2002-08-14

Comments (none posted)

Local root access vulnerability in super

Package(s):super CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: A format string bug in super may allow a local user to gain unauthorized root accesss. Super is a setuid-root program that offers restricted setuid-root access to executables and a relatively secure environment for scripts.
Alerts:
Debian DSA-139-1 2002-08-01

Comments (none posted)

Potential MIME encoded email arbitrary coded execution vulnerability

Package(s):mpack CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: The munpack program is used in the Debian distribution for decoding binary files in MIME (Multipurpose Internet Mail Extensions) format mail messages. Eckehard Berns discovered a buffer overflow in munpack which may allow a mailiciously formed email to run arbitrary code.
Alerts:
Debian DSA-141-1 2002-08-01

Comments (none posted)

Potential arbitrary code execution vulnerability in tinyproxy

Package(s):tinyproxy CVE #(s):
Created:August 14, 2002 Updated:August 14, 2002
Description: Tinyproxy, a lightweight HTTP proxy, handles some invalid proxy requests incorrectly.

Under some circumstances, an invalid request may result in a allocated memory being freed twice. This can potentially result in the execution of arbitrary code.
Alerts:
Debian DSA-145-1 2002-08-07

Comments (none posted)

Denial of service vulnerability in xinetd

Package(s):xinetd CVE #(s):
Created:August 14, 2002 Updated:December 3, 2002
Description: A file descriptor leak into services started from xinetd may be used, by programs it stats, to crash xinetd. Xinetd is a replacement for the BSD derived inetd.
Alerts:
Debian DSA-151-1 2002-08-13
Gentoo xinetd-20020814 2002-08-14
Mandrake MDKSA-2002:053 2002-08-26
Red Hat RHSA-2002:196-09 2002-10-14
Red Hat RHSA-2002:196-19 2002-12-02

Comments (none posted)

Updated vulnerabilities

LPRng accepts jobs from any host.

Package(s):LPRng CVE #(s):CAN-2002-0378
Created:June 12, 2002 Updated:October 31, 2002
Description: Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host.

This could be an especially annoying vulnerability for adminstrators with systems exposed to the general public.

Alerts:
Red Hat RHSA-2002:089-07 2002-06-09
Mandrake MDKSA-2002:042 2002-07-04
SuSE SuSE-SA:2002:040 2002-10-31

Comments (none posted)

OpenSSL remotely-exploitable buffer overflow vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2002-0655 CAN-2002-0656 CAN-2002-0657 CAN-2002-0659
Created:July 30, 2002 Updated:September 24, 2002
Description: Four remotely-exploitable buffer overflows were found in OpenSSL versions 0.9.7 and 0.9.6d and earlier by a DARPA sponsored security audit. Both client and server applications are affected. The vulnerabilities are described in this security alert from the OpenSSL team.

A nasty exploit for one of the vulnerabilities is described in CERT Advisory CA-2002-27 Apache/mod_ssl Worm.

Compromise by the Apache/mod_ssl worm indicates that a remote attacker can execute arbitrary code as the apache user on the victim system. It may be possible for an attacker to subsequently leverage a local privilege escalation exploit in order to gain root access to the victim system. Furthermore, the DDoS capabilities included in the Apache/mod_ssl worm allow victim systems to be used as platforms to attack other systems.

If you haven't already, applying an update is a very good thing to do today.

Mitel Networks has an update available which closes this vulnerabilty for their SME Server software.

CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL

Alerts:
Debian DSA-136-1 2002-07-30
EnGarde ESA-20020730-019 2002-07-30
OpenPKG OpenPKG-SA-2002.008 2002-07-30
Trustix 2002-0063 2002-07-29
Red Hat RHSA-2002:155-11 2002-07-29
Conectiva CLA-2002:513 2002-07-31
Mandrake MDKSA-2002:046 2002-07-30
SuSE SuSE-SA:2002:027 2002-07-30
Eridani ERISA-2002:033 2002-07-30
Gentoo openssl-20020730 2002-07-30
SCO Group CSSA-2002-033.0 2002-07-31
Yellow Dog YDU-20020801-3 2002-08-01
Eridani ERISA-2002:034 2002-08-06
Red Hat RHSA-2002:160-21 2002-08-05
Mandrake MDKSA-2002:046-1 2002-08-06
EnGarde ESA-20020807-020 2002-08-07
Conectiva CLA-2002:516 2002-08-08
Yellow Dog YDU-20020810-1 2002-08-10
Debian DSA-136-2 2002-09-15
SuSE SuSE-SA:2002:033 2002-09-19

Comments (none posted)

Heap corruption vulnerability in at

Package(s):at at, sudo, xchat CVE #(s):CAN-2002-0004
Created:May 21, 2002 Updated:May 15, 2003
Description: The at command has a potentially exploitable heap corruption bug. (First LWN report:  January 17th).
Alerts:
Debian DSA-102-1 2002-01-16
Debian DSA-102-2 2002-01-18
Mandrake MDKSA-2002:007 2002-01-18
Red Hat RHSA-2002:015-13 2002-01-22
Red Hat RHSA-2002:015-15 2002-02-07
Slackware sl-1011706104 2002-01-22
SuSE SuSE-SA:2002:003 2001-01-16
Yellow Dog YDU-20020127-9 2002-01-27
EnGarde ESA-20030515-015 2003-05-15

Comments (none posted)

Denial of service vulnerability in version 9 of BIND

Package(s):bind CVE #(s):CAN-2002-0400
Created:June 5, 2002 Updated:August 19, 2002
Description: Here is an advisory from the Computer Emergency Response Team (CERT) regarding the denial of service vulnerability in version 9 of the BIND nameserver, up to 9.2.1. An attacker can send a properly crafted packet which triggers a check within BIND and causes it to shut down. The vulnerability can not be exploited for any purpose beyond denial of service, but that is bad enough; if you are running BIND 9, an upgrade is probably a good idea.

Note that many or most systems out there will still be running BIND 8, and thus will not be vulnerable.

News articles on the vulnerability appear in the Register and Network World Fusion News.

Alerts:
Red Hat RHSA-2002:105-09 2002-06-04
Mandrake MDKSA-2002:038 2002-06-04
SuSE SuSE-SA:2002:021 2002-06-06
Conectiva CLA-2002:494 2002-06-06
Yellow Dog YDU-20020606-6 2002-06-06
Mandrake MDKSA-2002:038-1 2002-08-15

Comments (none posted)

bind buffer overflow vulnerability in DNS resolver libraries

Package(s):bind glibc CVE #(s):CAN-2002-0651 CAN-2002-0684
Created:July 8, 2002 Updated:October 1, 2003
Description: The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:
OpenPKG OpenPKG-SA-2002.006 2002-07-04
SuSE SuSE-SA:2002:026 2002-07-09
Conectiva CLA-2002:507 2002-07-11
Gentoo glibc-20020713 2002-07-13
Trustix 2002-0061 2002-07-15
Mandrake MDKSA-2002:043 2002-07-16
EnGarde ESA-20020724-018 2002-07-24
Red Hat RHSA-2002:139-10 2002-07-22
Eridani ERISA-2002:028 2002-07-25
Yellow Dog YDU-20020801-2 2002-08-01
SCO Group CSSA-2002-034.0 2002-08-05
Red Hat RHSA-2002:133-13 2002-08-08
Eridani ERISA-2002:035 2002-08-09
Yellow Dog YDU-20020810-3 2002-08-10
Mandrake MDKSA-2002:050 2002-08-13

Comments (1 posted)

Ethereal buffer overflow, infinite loop and memory management vulnerabilities

Package(s):ethereal CVE #(s):CAN-2002-0012 CAN-2002-0013 CAN-2002-0353 CAN-2002-0401 CAN-2002-0402 CAN-2002-0403 CAN-2002-0404
Created:June 12, 2002 Updated:October 27, 2002
Description: Ethereal 0.9.4 was released on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
  • The SMB dissector could potentially dereference a NULL pointer in two cases.
  • The X11 dissector could potentially overflow a buffer while parsing keysyms.
  • The DNS dissector could go into an infinite loop while reading a malformed packet.
  • The GIOP dissector could potentially allocate large amounts of memory.

No known exploits exist "in the wild" at the present time for any of these issues.

Ethereal 0.9.2 has several packet handling vulnerabilities that are best avoided by upgrading to 0.9.4. The PROTOS test suite found some flaws in SNMP and LDAP protocols support. Malformed packets could also crash ethereal 0.9.2 due to a ASN.1 zero-length g_malloc problem. The zlib "double free" vulnerability was addressed by the updates for that bug from many distributors.
Alerts:
Eridani ERISA-2002:023 2002-06-06
Red Hat RHSA-2002:088-06 2002-06-04
Yellow Dog YDU-20020606-7 2002-06-06
Conectiva CLA-2002:505 2002-07-04
SCO Group CSSA-2002-037.0 2002-10-24

Comments (none posted)

GNU fileutils race condition

Package(s):fileutils ucdsnmp CVE #(s):CAN-2002-0435
Created:May 21, 2002 Updated:May 16, 2003
Description: A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2).
Alerts:
SCO Group CSSA-2002-018.1 2002-05-13
Mandrake MDKSA-2002:031 2002-05-16
SuSE SuSE-SA:2002:012 2002-04-08
Trustix 2002-0052 2002-06-06
Red Hat RHSA-2003:015-05 2003-02-12
Immunix IMNX-2003-7+-010-01 2003-05-16

Comments (none posted)

Buffer overflow in groff

Package(s):groff CVE #(s):CAN-2002-0003
Created:May 21, 2002 Updated:December 9, 2002
Description: The groff package has a buffer overflow vulnerability; if it is used with the print system, it is conceivably exploitable remotely.
Alerts:
Mandrake MDKSA-2002:012 2002-02-07
Red Hat RHSA-2002:004-06 2002-01-14
Trustix 2002-0020 2002-01-18
Yellow Dog YDU-20020127-11 2002-01-27
Gentoo groff-20021019 2002-10-19
SCO Group CSSA-2002-057.0 2002-12-06

Comments (none posted)

HylaFAX 4.1.3 fixes multiple vulnerabilities

Package(s):hylafax CVE #(s):CAN-2001-1034
Created:July 30, 2002 Updated:October 9, 2002
Description: The HylaFAX team has released version 4.1.3 fixing denial of service, elevated system privilege and possible remote code execution vulnerabilities.

HylaFAX is a mature (est. 1991) enterprise-class open-source software package for sending and receiving facsimiles as well as for sending alpha-numeric pages. It runs on a wide variety of UNIX-like platforms including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX, AIX, and HP-UX.
Alerts:
Debian DSA-148-1 2002-08-12
Mandrake MDKSA-2002:055 2002-08-28
SuSE SuSE-SA:2002:035 2002-10-04

Comments (none posted)

UW imapd remotely exploitable buffer overflow

Package(s):imap CVE #(s):CAN-2002-0379
Created:June 5, 2002 Updated:December 20, 2002
Description: UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft a request to run commands on the server under their UID and GID. (First LWN report: May 23).
Alerts:
SCO Group CSSA-2002-021.0 2002-05-15
Conectiva CLA-2002:487 2002-05-24
Eridani ERISA-2002:018 2002-05-25
Mandrake MDKSA-2002:034 2002-05-27
Red Hat RHSA-2002:092-11 2002-05-22
Yellow Dog YDU-20020606-1 2002-06-06
EnGarde ESA-20020607-013 2002-06-07
Trustix 2002-0054 2002-06-06
SuSE SuSE-SA:2002:048 2002-12-20

Comments (2 posted)

Apache mod_ssl off-by-one local code execution and DoS vulnerability

Package(s):libapache-mod-ssl mod_ssl CVE #(s):CAN-2002-0653
Created:July 2, 2002 Updated:August 14, 2002
Description: Mod-ssl provides strong cryptography for the Apache webserver via the Secure Sockets Layer (SSL). A maliciously-crafted .htaccess file, may be used by an attacker to execute arbitrary commands as the httpd user or launch a denial of service attack. The problem is fixed in mod_ssl 2.8.10 which is available from here.

For more information see the announcement.

Alerts:
Debian DSA-135-1 2002-07-02
Conectiva CLA-2002:504 2002-07-02
EnGarde ESA-20020702-017 2002-07-02
Red Hat RHSA-2002:134-12 2002-07-16
SCO Group CSSA-2002-031.0 2002-07-16
Eridani ERISA-2002:029 2002-07-25
Yellow Dog YDU-20020801-1 2002-08-01
Mandrake MDKSA-2002:048 2002-08-08

Comments (none posted)

libpng buffer overflow vulnerability

Package(s):libpng libpng2 libpng3 CVE #(s):
Created:July 17, 2002 Updated:August 19, 2002
Description: Versions of libpng prior to 1.2.4 and 1.0.14 have a buffer overflow vulnerability that could lead to remote code execution. Since libpng is used by programs that talk to the outside world (i.e. mozilla), it is worth upgrading.

libpng is the official PNG reference library. It supports almost all PNG features, is extensible, and has been extensively tested for over five years.
Alerts:
Conectiva CLA-2002:512 2002-07-17
Eridani ERISA-2002:030 2002-07-25

Comments (2 posted)

Mailman 2.0.11 fixes two cross-site scripting vulnerabilities

Package(s):mailman CVE #(s):CAN-2002-0388
Created:June 5, 2002 Updated:August 28, 2002
Description: Barry A. Warsaw announced the release of Mailman 2.0.11 "which fixes two cross-site scripting exploits, one reported by "office" in the admin login page, and another reported by Tristan Roddis in the Pipermail index summaries. It is recommended that all sites upgrade their 2.0.x systems to this version."
Alerts:
Conectiva CLA-2002:489 2002-05-24
Red Hat RHSA-2002:100-03 2002-06-06
Red Hat RHSA-2002:099-04 2002-06-06
Red Hat RHSA-2002:101-06 2002-06-27
Debian DSA-147-1 2002-08-08
Debian DSA-147-2 2002-08-26

Comments (none posted)

Temporary file vulnerability in mm library

Package(s):mm CVE #(s):CAN-2002-0658
Created:July 30, 2002 Updated:August 14, 2002
Description: The OSSP mm library (libmm) is frequently used in Apache setups using mod_ssl and/or mod_php. A temporary file vulnerabiity in OSSP mm library (libmm) before version 1.2.0 permits a local Apache user to gain privileges. It can be exploited to obtain root privilege in some circumstances.

Upgrading sooner, rather than later, is recommended.

Alerts:
Mandrake MDKSA-2002:045 2002-07-29
OpenPKG OpenPKG-SA-2002.007 2002-07-30
Red Hat RHSA-2002:153-07 2002-07-30
SCO Group CSSA-2002-032.0 2002-07-30
Debian DSA-137-1 2002-07-30
SuSE SuSE-SA:2002:028 2002-07-31
Red Hat RHSA-2002:156-04 2002-08-05
Yellow Dog YDU-20020810-2 2002-08-10

Comments (none posted)

PHP Remote Compromise/DOS Vulnerability

Package(s):mod_php4 CVE #(s):
Created:July 22, 2002 Updated:February 18, 2003
Description: PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.

According to the CERT Advisory, almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP.

Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1 installed, is to upgrade to PHP 4.2.2.

For more information see the alert from the discover of the vulnerability, Stefan Esser of e-matters GmbH, or the security advisory from the php team.

CERT Advisory: CA-2002-21 Vulnerability in PHP

Alerts:
SuSE SuSE-SA:2003:0009 2003-02-18

Comments (1 posted)

Mozilla XMLHttpRequest file disclosure vulnerability

Package(s):mozilla CVE #(s):CAN-2002-0354
Created:May 21, 2002 Updated:October 18, 2002
Description: This XMLHttpRequest security bug impacts all Mozilla-based browsers. "The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms, and in Netscape versions 6.1 and higher." (First LWN report: May 2).
Alerts:
Conectiva CLA-2002:490 2002-05-29
Red Hat RHSA-2002:079-13 2002-05-13
Red Hat RHSA-2002:192-13 2002-10-09

Comments (none posted)

String format bug in pam_ldap logging

Package(s):nss_ldap CVE #(s):CAN-2002-0374
Created:June 5, 2002 Updated:October 29, 2002
Description: The nss_ldap package includes the pam_ldap module for authenticating a user with an LDAP database. Pam_ldap versions prior to 144 have a string format bug in the logging mechanism.
Alerts:
Eridani ERISA-2002:019 2002-05-28
Red Hat RHSA-2002:084-17 2002-05-26
Yellow Dog YDU-20020606-2 2002-06-06
SCO Group CSSA-2002-041.0 2002-10-28

Comments (none posted)

Remotely exploitable vulnerability in pine

Package(s):pine CVE #(s):CAN-2002-0014
Created:May 21, 2002 Updated:November 27, 2002
Description: Pine has an unpleasant vulnerability in URL handling vulnerability which can lead to command execution by remote attackers. (First LWN report:  January 17th).

This vulnerability is remotely exploitable; updating is a good idea.

Note: If an update isn't yet available for your distribution, setting enable-msg-view-urls to "off" in pine's setup will avoid the vulnerability. (Thanks to Greg Herlein).

Alerts:
Conectiva CLA-2002:460 2002-01-31
EnGarde ESA-20020114-002 2002-01-14
Red Hat RHSA-2002:009-06 2002-01-14
Slackware sl-1010936849 2002-01-13
Yellow Dog YDU-20020127-8 2002-01-27
SuSE SuSE-SA:2002:046 2002-11-25

Comments (none posted)

Sharutils potential privilege escalation using uudecode

Package(s):sharutils CVE #(s):CAN-2002-0178
Created:May 21, 2002 Updated:October 30, 2002
Description: According to the CVE entry, "uudecode, as available in the sharutils package before 4.2.1, does not check whether the filename of the uudecoded file is a pipe or symbolic link, which could allow attackers to overwrite files or execute commands." (First LWN report: May 16).
Alerts:
Eridani ERISA-2002:014 2002-05-16
Red Hat RHSA-2002:065-13 2002-05-14
Yellow Dog YDU-20020522-4 2002-05-22
Mandrake MDKSA-2002:052 2002-08-14
SCO Group CSSA-2002-040.0 2002-10-28
Gentoo 200210-012 2002-10-30

Comments (none posted)

Multiple vulnerabilities fixed in Squid-2.4.STABLE7

Package(s):squid CVE #(s):
Created:July 8, 2002 Updated:November 15, 2002
Description: Here is the security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE7. Several of the bugs are believed to allow remote code execution.

The security advisory lists the following changes:

  • Several bugfixes and cleanup of the Gopher client, both to correct some security issues and to make Squid properly render certain Gopher menus.
  • Security fixes in how Squid parses FTP directory listings into HTML
  • FTP data channels are now sanity checked to match the address of the requested FTP server. This to prevent theft or injection of data. See the new ftp_sanitycheck directive if this sanity check is not desired.
  • The MSNT auth helper has been updated to v2.0.3+fixes for buffer overflow security issues found in this helper.
  • A security issue in how Squid forwards proxy authentication credentials has been fixed
Alerts:
Conectiva CLA-2002:506 2002-07-05
SuSE SuSE-SA:2002:025 2002-07-09
Trustix 2002-0062 2002-07-15
Mandrake MDKSA-2002:044 2002-07-17
Eridani ERISA-2002:031 2002-07-26
SCO Group CSSA-2002-046.0 2002-11-14

Comments (none posted)

Malformed NFS packet buffer overflow vulnerability in tcpdump

Package(s):tcpdump CVE #(s):CAN-2002-0380
Created:June 5, 2002 Updated:October 9, 2002
Description: A buffer overflow in tcpdump can be triggered by a bad NFS packet when tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
Alerts:
Eridani ERISA-2002:020 2002-05-30
Red Hat RHSA-2002:094-08 2002-05-29
Conectiva CLA-2002:491 2002-06-05
SCO Group CSSA-2002-025.0 2002-06-04
Trustix 2002-0055 2002-06-05
Yellow Dog YDU-20020606-3 2002-06-06
Red Hat RHSA-2002:094-16 2002-10-04

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 CVE #(s):
Created:May 21, 2002 Updated:October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
SCO Group CSSA-2001-030.0 2001-08-10
Conectiva CLA-2001:413 2001-08-24
Debian DSA-075-1 2001-08-14
Debian DSA-075-2 2001-08-14
HP HPSBTL0202-023 2002-02-12
Mandrake MDKSA-2001:068 2001-08-13
Mandrake MDKSA-2001:093 2001-12-17
Progeny PROGENY-SA-2001-27 2001-08-14
Red Hat RHSA-2001:099-06 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:100-02 2001-08-09
Slackware sl-997726350 2001-08-09
SuSE SuSE-SA:2001:029 2001-09-03
Yellow Dog YDU-20010810-1 2001-08-10
Yellow Dog YDU-20010810-2 2001-08-10
Gentoo 200410-03 2004-10-05

Comments (none posted)

Multiple vulnerabilities in SNMP implementations

Package(s):ucdsnmp ucd-snmp CVE #(s):CAN-2002-0012 CAN-2002-0013
Created:May 21, 2002 Updated:September 17, 2002
Description: Most SNMP implementations out there have a variety of buffer overflow vulnerabilities and should be upgraded at first opportunity. See this CERT advisory for more. (First LWN report: February 14).
Alerts:
SCO Group CSSA-2002-004.0 2002-01-22
Conectiva CLA-2002:462 2002-02-14
Debian DSA-111-1 2002-02-14
Debian DSA-111-2 2002-02-28
Mandrake MDKSA-2002:014 2002-02-15
Red Hat RHSA-2001:163-20 2002-02-12
Yellow Dog YDU-20020211-1 2002-02-11
Red Hat RHSA-2002:036-26 2002-09-12

Comments (none posted)

Local root vulnerability in chfn

Package(s):util-linux CVE #(s):CAN-2002-0638
Created:July 29, 2002 Updated:October 30, 2002
Description: chfn (change finger information) is one of the utilities in the util-linux package. The BindView RAZOR Team has discovered a local root vulnerability in chfn which is described in the Bindview Advisory.

Under certain conditions, "a carefully crafted attack sequence can be performed to exploit a complex file locking and modification race present in this utility, and, as a result, alter /etc/passwd to escalate privileges in the system." The conditions include a password file, /etc/passwd, over 4 kilobytes and locating the attacker's account record in any but the last 4 kB chunk of the file.

CERT/CC Vulnerability Note VU#405955 util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility

Alerts:
Eridani ERISA-2002:032 2002-07-29
Red Hat RHSA-2002:132-14 2002-07-29
Trustix 2002-0064 2002-07-30
Yellow Dog YDU-20020801-4 2002-08-01
Mandrake MDKSA-2002:047 2002-08-08
Conectiva CLA-2002:523 2002-09-12
SCO Group CSSA-2002-043.0 2002-10-29

Comments (none posted)

webalizer: reverse DNS buffer overflow vulnerability

Package(s):webalizer CVE #(s):
Created:May 21, 2002 Updated:January 27, 2003
Description: The cause is a buffer overflow bug. This one sounds nasty. If reverse DNS lookups are enabled in webalizer, "an attacker with control over the victims DNS may spoof responses thus triggering a buffer overflow, potentially leading to a root compromise." Webalizer 2.01-10 "fixes this and a few other buglets that have been discovered in the last month or so". (First LWN report:  April 18th, 2002).
Alerts:
Conectiva CLA-2002:476 2002-04-26
EnGarde ESA-20020423-009 2002-04-23
SCO Group CSSA-2002-036.0 2002-10-22
Red Hat RHSA-2002:254-05 2002-12-04
Yellow Dog YDU-20030127-4 2003-01-27

Comments (none posted)

Webmin/Usermin vulnerabilities

Package(s):webmin CVE #(s):
Created:May 21, 2002 Updated:January 10, 2003
Description: Webmin is a web-based interface for system administration for Unix. Webmin has cross-site scripting and session ID spoofing vulnerabilities which are fixed in the May 6, 2002 release of version 0.970. (First LWN report: May 9).

This one is scary. The session ID spoofing vulnerability allows the "possibility that arbitrary commands may be executed with root privileges." Upgrading is strongly recommended. At a minimum avoid the "preconditions for a successful exploit" by disabling password timeouts under Webmin->Configuration->Authentication.

Alerts:
Mandrake MDKSA-2002:033 2002-05-21
Yellow Dog YDU-20020522-7 2002-05-22
SCO Group CSSA-2003-002.0 2003-01-09

Comments (1 posted)

Problems with libgtop_daemon

Package(s):wuftpd libgtop CVE #(s):
Created:May 21, 2002 Updated:May 7, 2003
Description: The libgtop_daemon package is a GNOME program which makes system information available remotely. LWN reported the remotely exploitable format string and buffer overflow vulnerabilities in that package on December 6th. On November 28th disabling the libgtop_daemon on systems where it is running until an update is available.

Many Linux systems do not run libgtop by default, but applying the update is a good idea anyway.

Alerts:
Conectiva CLA-2002:448 2002-01-03
Debian DSA-098-1 2002-01-09
Mandrake MDKSA-2001:094 2001-12-19
Debian DSA-301-1 2003-05-07

Comments (1 posted)

xchat IC server based dns query vulnerability

Package(s):xchat CVE #(s):CAN-2002-0382
Created:June 5, 2002 Updated:September 24, 2002
Description: A malicious IRC server may return a response to a /dns query that executes arbitrary commands with the privileges of the user running XChat. Versions of XChat prior to 1.8.9 are vulnerable.
Alerts:
Red Hat RHSA-2002:097-08 2002-06-04
Eridani ERISA-2002:021 2002-06-05
Yellow Dog YDU-20020606-5 2002-06-06
Mandrake MDKSA-2002:051 2002-08-14
Conectiva CLA-2002:526 2002-09-23

Comments (none posted)

Resources

Linux Security Week and Advisory Watch

The August 12th Linux Security Week and August 9th Linux Advisory Watch newsletters from LinuxSecurity.com are available.

Comments (none posted)

Xprobe2 - Tool & Paper release

Ofir Arkin announces the release of the Xprobe2 source code and white paper (PDF format). The code is licensed under the GPL.

Xprobe2 is an active operating system fingerprinting tool with a different approach to operating system fingerprinting. Xprobe2 rely on fuzzy signature matching, probabilistic guesses, multiple matches simultaneously, and a signature database.

Full Story (comments: none)

Nmap 3.00 Released

Fyodor announces the release of Nmap Security Scanner version 3.00.

Nmap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques (determine what services the hosts are offering), and TCP/IP fingerprinting (remote host operating system identification). Nmap also offers flexible target and port specification, decoy/stealth scanning, sunRPC scanning, and more. Most UNIX and Windows platforms are supported in both GUI and command-line modes.

Full Story (comments: none)

The Security Digest Archives

The 'Security Digest' Archives is attempting to build "a history of the early 'Security Digest' archives, from the Unix 'Security Mailing List', through the Zardoz 'Security Digest' to the Core 'Security List'." If you're interested in contributing, or just curious, please take a look.

Comments (none posted)

Events

CodeCon 2003 Call for Papers

CodeCon 2003 will be held February 2003 in San Francisco CA, USA. The deadline for papaers and proposals is December 1, 2002.

Full Story (comments: none)

HiverCon 2002, Ireland - Earlybird registration now available

HiverCon 2002 is scheduled for November 26th and 27th, 2002 in Dublin Ireland.

Full Story (comments: none)

Upcoming Security Events

Date Event Location
August 19 - 21, 2002Canadian Security & Intelligence Conference(CSICON)</