The hard side of the Bazaar
The "Bazaar" style of project management, as
described by
Eric Raymond and typified by the Linux kernel development model, is
undoubtedly effective at producing quality software, at least in some
situations. It can also, however, be a harsh environment in which to
operate, as demonstrated by events in the kernel community over the 2.5
series, and especially over the last week.
Readers of the LWN.net weekly Kernel Page will have been following the
development of the IDE/ATA layer in the 2.5 series for some time. For
everybody else, here is some quick background.
The IDE layer, of course, is the low-level code that handles the disk (and
CD) drives found on most Linux systems. This code operates under a number
of serious constraints. It must be fast - able to drive the hardware at
its maximum speed; the performance of a Linux system as a whole is highly
dependent on how fast its disks can go. It also must be absolutely
correct; users get grumpy when their data is lost or corrupted. And it
must deal with a wide variety of, um, "inexpensive" hardware that does not
always behave as the documentation and standards say it should. Hacking on
the IDE subsystem is not for the faint of heart.
In recent times the IDE maintainer has been Andre Hedrick. Andre has had
numerous communication problems with Linus (and others) which have made it
difficult for him to get patches into the kernel. It is also fashionable
in certain quarters to criticize the quality of Andre's code. But, it
should be said: Andre's IDE layer has proved, over time, to be rigidly
standards compliant and highly reliable.
Andre's inability to get patches into the kernel left a void in the 2.5
series, however. That void was filled by Marcin Dalecki, who started
posting his "IDE cleanup" patches back in February. The "cleanups" began
to look increasingly like a complete rework (and hostile takeover) of the
IDE code, and, with IDE 18, Marcin put
his name into the MAINTAINERS file.
Marcin's work has been controversial all along - especially after he
started removing features that people were using, and when the IDE layer
started breaking for some users. His approach was not subtle, and he
seemed untroubled by the concerns of the other Linux kernel hackers. After
all, said
Marcin, "Breakage is the price you have to pay for
advancements."
Linus, for the most part, seemed to agree; he merged almost every patch
from Marcin through IDE 115, posted on
August 9.
All this changed on August 16, when Linus, without fanfare, deleted the
entire 2.5 IDE subsystem and replaced it with the "foreport" of the 2.4 IDE
layer, done by Jens Axboe and others. The word from Linus is that Marcin
got tired of all the criticism and quit; Marcin, himself, has been silent
since then. It is telling, though, that Linus responded by simply deleting
and replacing the entire body of 2.5 IDE work, rather than trying to find
somebody who would continue that task. Either Linus came to agree with
other kernel hackers about the quality of the reworked IDE code, or he
concluded that nobody else would be willing to work with that code.
The end result is that six months worth of Marcin's work, in the form of
115 IDE patches, has just been dumped into the bit bucket.
And that is an example of the harsh side of participating in the
kernel bazaar. One can work for months, see that work apparently accepted,
then have it vanish in a moment. Linus has said numerous times that he
doesn't much care about the feelings of kernel hackers; he is far more
concerned about the quality of the code. This approach may well be part of
why Linus is a good manager for Linux development - in the end, the code
quality must remain high or the whole thing will collapse under its own
weight. But it also explains why kernel hackers occasionally get
frustrated and leave the kernel development community. The bazaar can be
fun and effective, but it's not always nice.
Comments (6 posted)
The GNOME Human Interface Guidelines
The GNOME project has
announced
the release of version 1.0 of the GNOME Human Interface Guidelines (HIG). The
HIG is, according to the announcement:
...the most complete and carefully researched document of its kind
in the Free Software community [and] a major step
toward the creation of an easy to use and powerful set of free
applications with a distinctive and coherent style.
Leaving aside the hype, some examination of this 130-page document shows
that it is, indeed, an impressive piece of work. The HIG examines many
aspects of the usability of graphical applications, from window layouts,
color selections, icon design, etc. through to things like how to label
menu entries. A simple example of the sort of work that has been done:
User testing of MIT's Athena system revealed that users had
difficulty finding the file manager because they were unfamiliar
with the name "Nautilus". Because users did not associate the word
"Nautilus" with the concept "file manager" the menu item did not
help them.
Like many things in the usability arena, this conclusion seems obvious - in
retrospect.
Even after years of human factors research, creating highly usable
applications still requires a great deal of plain hard work. Application
designers are often blind to things they do that confuse their users.
Creation of the best desktop applications available requires more than just
great hacking; it requires serious attention to all of the little things
that make those applications really work for the people who will use them.
The HIG, thus, is a great contribution to the free software community, in
that it will help to focus and guide that attention.
The HIG is also the sort of work that free software developers are not
supposed to be good at. What self-respecting, ego-driven, itch-scratching
free software hacker is going to bother with human factors research, after
all? Such claims have been increasingly hard to defend for some time; the
HIG is just one more example of what the free software community is really
capable of.
One other quote from the announcement is worth a look:
Further, we would like to challenge the KDE project to serve the
general user community by partnering with us in developing these
guidelines to create a common Free Software interface style.... We
call on the members of the KDE project to rise above Not Invented
Here (a natural tendency that neither project has been particularly
successful in repressing, we know) in taking a major step for the
good of both our user bases and the long term success of Free
Software on the desktop.
A true gesture toward cooperation could certainly have been done in a less
public and challenging way. It is true, though, that the creation of a
common interface document could be a good way for the two projects to work
together. The creation of a more consistent desktop environment across the
two projects would help both - as would a more formal approach to human
factors in general. And both projects could join this work while
maintaining their own code bases. It's worth some thought.
Comments (8 posted)
The obligatory LWN status update
There is not a whole lot to report this week with regard to LWN's status
and life expectancy. We are still in "discussions" with our credit card
clearing company. We are still hacking on the subscription code (it's
mostly complete) but are not sure if we will be able to accept credit cards
to pay for those subscriptions. Hopefully all of this will settle out
before too long. Meanwhile, we're doing what we can to continue to produce
the best news available for the Linux and free software community. Thanks,
as always, for your continuing support.
Comments (7 posted)
Page editor: Jonathan Corbet
Security
Security news
Konqueror and digital certificates
Here is
an advisory from the KDE project
regarding a flaw in Konqueror's digital certificate handling. It seems
that Konqueror (along with certain other, proprietary web browsers) doesn't
look hard enough at how a site's certificate was signed, meaning that
anybody can fake a certificate for anybody else's site. Thus, with a
little additional trickery, it would be possible to set up "man in the
middle" attacks and steal credit card numbers.
The Register described this
vulnerability as "a colossal stuff-up." Certainly the error is worth
fixing, but anybody who is greatly concerned about this vulnerability would
be well advised to look at the end of the "Certificates and Credentials"
chapter in Bruce Schneier's Secrets & Lies:
I visited www.palm.com to purchase something for my PalmPilot.
When I went to the online checkout, I was redirected to
https://palmorder.modusmedia.com/asp/store.asp. The SSL
certificate was registered to Modus Media International; clearly a
flagrant attempt to defraud web customers, which I deftly uncovered
because I carefully checked the SSL certificate. Not.
In almost every use, all that SSL verifies is that the remote site holds a
certificate issued by a trusted authority for the host name in the URL.
Nothing verifies that this host is the one the user expected to be
interacting with; a checkout redirected to a third-party host (as in
Schneier's example) looks exactly like a genuine site, because it is one.
Man-in-the-middle attacks that simply steer the user to a different,
legitimately certified name work even when the web browser properly checks
how digital certificates were signed; the Konqueror vulnerability (which
does let a forged certificate pass for the name the user actually typed,
and so is worth fixing) has not really opened up any new holes.
The real issue, which nobody is all that concerned about, is that the
digital certificate system is not doing much for its users. Quoting
Schneier again: "Digital certificates provide no actual security for
electronic commerce; it's a complete sham." Konqueror users should
go ahead and apply the patch (see the LWN
vulnerability entry for distributor updates as they arrive), but it's
not going to make them all that much more secure against man in the middle
attacks.
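To make the two points above concrete, here is an added example (not code from the KDE advisory or from Konqueror) that models the chain-walking part of certificate verification. It assumes that the flaw is of the usual kind, where a verifier checks every signature in the chain but never checks that the signer was itself a certification authority, and it models signatures as keyed hashes so that it runs without a crypto library; the names, keys and certificates are constructed for the example.

```python
"""Toy model of X.509 chain validation. It shows the flaw class in which a
verifier checks every signature in a chain but never asks whether the
signer was entitled to issue certificates, and the name check that a
genuine-but-unexpected certificate passes anyway."""
import hashlib
import hmac

# Assumption: a "signature" here is an HMAC over the to-be-signed fields,
# keyed by the issuer's secret. Real certificates carry RSA/DSA signatures
# checked with the issuer's public key; only the chain logic matters here.
def _tbs(cert):
    return "|".join([cert["subject"], cert["issuer"], str(cert["ca"])]).encode()

def sign(cert, issuer_secret):
    signed = dict(cert)
    signed["sig"] = hmac.new(issuer_secret, _tbs(cert), hashlib.sha256).hexdigest()
    return signed

def signature_ok(cert, issuer_secret):
    expected = hmac.new(issuer_secret, _tbs(cert), hashlib.sha256).hexdigest()
    return hmac.compare_digest(cert.get("sig", "").encode(), expected.encode())

def verify_chain(chain, roots, keys, check_ca_flag=True):
    """chain[0] is the server certificate and chain[i+1] must have issued
    chain[i]; the last certificate must be issued by a trusted root.
    With check_ca_flag=False the walk accepts any validly signed link,
    which is the behaviour assumed to be behind the advisory."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            issuer = chain[i + 1]
        else:
            issuer = roots.get(cert["issuer"])
        if issuer is None or issuer["subject"] != cert["issuer"]:
            return False
        if not signature_ok(cert, keys[issuer["subject"]]):
            return False
        # An end-entity certificate must never be accepted as an issuer.
        if check_ca_flag and not issuer["ca"]:
            return False
    return True

def hostname_ok(cert, host):
    """The name check browsers do perform: subject must match the URL host."""
    return cert["subject"] == host

def demo():
    """Constructed PKI: one trusted root, a certificate the attacker bought
    legitimately, a certificate the attacker forged for www.palm.com, and a
    genuine certificate for the host Schneier was redirected to."""
    keys = {
        "Trusted Root CA": b"root-secret",
        "attacker.example": b"attacker-secret",
        "palmorder.modusmedia.com": b"modus-secret",
    }
    roots = {"Trusted Root CA": {"subject": "Trusted Root CA",
                                 "issuer": "Trusted Root CA", "ca": True}}
    root = keys["Trusted Root CA"]
    attacker_leaf = sign({"subject": "attacker.example",
                          "issuer": "Trusted Root CA", "ca": False}, root)
    forged = sign({"subject": "www.palm.com", "issuer": "attacker.example",
                   "ca": False}, keys["attacker.example"])
    modus = sign({"subject": "palmorder.modusmedia.com",
                  "issuer": "Trusted Root CA", "ca": False}, root)
    chain = [forged, attacker_leaf]
    return {
        "flawed_verifier_accepts_forgery":
            verify_chain(chain, roots, keys, check_ca_flag=False)
            and hostname_ok(forged, "www.palm.com"),
        "fixed_verifier_rejects_forgery":
            not verify_chain(chain, roots, keys),
        # Every check passes; only the user could know this is not palm.com.
        "genuine_unexpected_host_passes":
            verify_chain([modus], roots, keys)
            and hostname_ok(modus, "palmorder.modusmedia.com"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The third result is the Schneier point: the certificate for palmorder.modusmedia.com is perfectly valid and matches its host name, so no amount of checking tells the browser that the user meant to be at palm.com.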
Comments (1 posted)
August CRYPTO-GRAM newsletter
Bruce Schneier's CRYPTO-GRAM newsletter for August is out; it includes a
look at Palladium, the proposed law allowing attacks against online
copyright violators, and the idea of arming airline pilots. "To me,
it's another example of the insane lengths the entertainment companies are
willing to go to preserve their business models. They're willing to
destroy your privacy, have general-purpose computers declared illegal, and
exercise special vigilante police powers that no one else has...just to
make sure that no one watches 'The Little Mermaid' without paying for it.
They're trying to invent a new crime: interference with a business
model."
Full Story (comments: none)
Security reports
FUDforum file access and SQL Injection
FUDforum is a web-based forum
system. Ulf Harnhammar has reported two vulnerabilities in this package;
one can provide access to files outside of the FUDforum directory, and the
other can lead to SQL injection issues. The problems have been fixed in
version 2.2.0.
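The two bug classes named above, as an added example in Python rather than FUDforum's PHP (the schema, table contents, directory and attacker inputs are constructed for the example and are not FUDforum's): a lookup that pastes user input into SQL beside one that binds it, and an attachment path check that refuses anything resolving outside the forum directory.

```python
"""Two constructed forum handlers, each beside its fix: a user lookup built
by string formatting (SQL injection) and an attachment path built from user
input (file access outside the forum directory)."""
import os
import sqlite3

def make_db():
    """Constructed sample table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "h1"), (2, "bob", "h2")])
    return db

def find_user_vulnerable(db, name):
    """User input is pasted into the SQL text, so quotes in `name` change
    the statement itself."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()

def find_user_fixed(db, name):
    """Bound parameter: the value is delivered to the engine separately
    from the statement and can never be parsed as SQL."""
    return db.execute("SELECT id, name FROM users WHERE name = ?",
                      (name,)).fetchall()

def attachment_path(base_dir, requested):
    """Resolve `requested` under base_dir and refuse anything that ends up
    outside it once '..', absolute paths and symlinks are resolved."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the forum directory: %r" % requested)
    return target

INJECTION = "' OR '1'='1"    # constructed attacker input

def demo():
    db = make_db()
    try:
        attachment_path("/tmp", "../etc/passwd")
        traversal_blocked = False
    except ValueError:
        traversal_blocked = True
    return {
        "vulnerable_rows": len(find_user_vulnerable(db, INJECTION)),  # every user
        "fixed_rows": len(find_user_fixed(db, INJECTION)),           # none
        "traversal_blocked": traversal_blocked,
    }

if __name__ == "__main__":
    print(demo())
```

The injected string turns `WHERE name = ''` into `WHERE name = '' OR '1'='1'` and returns every row; the bound version looks for a user literally named `' OR '1'='1` and finds none.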
Full Story (comments: none)
New PHP-Nuke cross-site scripting bug exposes admin accounts
A new cross-site scripting vulnerability has been reported in PHP-Nuke
v5.6; properly exploited, this hole can be used to obtain access to the
site's administrative accounts. No fix is available as of this writing.
(Additional note: this vulnerability was actually
first
reported in March. PostNuke also, apparently, has this problem).
Full Story (comments: none)
Input validation attack in php-affiliate
php-affiliate - a script for running web site affiliate programs - places a
little too much trust in the hidden fields it puts into forms, with the
result that users can modify information belonging to other users.
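What "trusting a hidden field" looks like, as an added example (not php-affiliate's code, and in Python rather than PHP): a hypothetical "update payout address" handler that takes the affiliate id from a hidden form field, the same handler taking it from the server-side session instead, and a MAC for the case where some state really has to round-trip through the form. Session ids, account data and the server secret are constructed for the example.

```python
"""Hidden form fields are ordinary request parameters that the client can
edit. One handler trusts them; the fixed one takes identity only from the
session; protect()/unprotect() show how to carry state in a form safely."""
import hashlib
import hmac

SESSIONS = {"sess-alice": 1, "sess-bob": 2}        # session id -> affiliate id
SERVER_SECRET = b"assumed-secret-never-sent-to-browser"

def fresh_accounts():
    return {1: {"payout_email": "alice@example.org"},
            2: {"payout_email": "bob@example.org"}}

def update_vulnerable(session_id, form, accounts):
    """Which record to update is read from <input type=hidden name=uid>.
    A logged-in user who edits that field rewrites someone else's record."""
    if session_id not in SESSIONS:
        return "not logged in"
    uid = int(form["uid"])
    accounts[uid]["payout_email"] = form["payout_email"]
    return "ok"

def update_fixed(session_id, form, accounts):
    """Identity comes only from the session. A uid field, if the template
    still emits one, is compared and a mismatch refused (and worth logging)."""
    uid = SESSIONS.get(session_id)
    if uid is None:
        return "not logged in"
    if "uid" in form and int(form["uid"]) != uid:
        return "forbidden"
    accounts[uid]["payout_email"] = form["payout_email"]
    return "ok"

def protect(value):
    """For state that genuinely has to travel in a hidden field: append a
    MAC under a server-side secret so that edits are detected on return."""
    tag = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return "%s:%s" % (value, tag)

def unprotect(field):
    """Return the value if its MAC verifies, else None."""
    value, _, tag = field.rpartition(":")
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag.encode(), expected.encode()) else None

if __name__ == "__main__":
    acc = fresh_accounts()
    print(update_vulnerable("sess-bob", {"uid": "1", "payout_email": "x@example.net"}, acc), acc)
    acc = fresh_accounts()
    print(update_fixed("sess-bob", {"uid": "1", "payout_email": "x@example.net"}, acc), acc)
```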
Full Story (comments: none)
Remote command execution in Web Shop Manager
The Web Shop Manager e-commerce system has a trivial remote command
execution vulnerability. This problem exists in version 1.1; no updates
are yet visible on the project web site.
Full Story (comments: none)
New vulnerabilities
Numerous vulnerabilities in bugzilla
Comments (1 posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: | |
Comments (none posted)
Buffer overflow in libpng
| Package(s): | libpng |
| CVE #(s): | CAN-2002-0728, CAN-2002-0660 |
| Created: | August 20, 2002 |
| Updated: | August 20, 2002 |
| Description: | Versions of libpng prior to 1.0.14 contain a buffer overflow in the progressive reader when the PNG datastream contains more IDAT data than indicated by the IHDR chunk. Such deliberately malformed datastreams would crash applications that are linked to libpng and that use the progressive reading feature. (From the Red Hat alert.) |
| Alerts: | |
Comments (none posted)
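The condition the Red Hat alert describes, "more IDAT data than indicated by the IHDR chunk", is easy to check for once the expected size of the decoded image is known. The following added example (not libpng code; the exact check libpng 1.0.14 introduced is not quoted above, so the form of the check is this editor's) parses PNG chunks, computes the decoded size from IHDR, and bounds inflation of the IDAT stream by it; the two sample images are constructed in the block, one well-formed and one carrying a hundred extra bytes of image data. Non-interlaced images only.

```python
"""A small PNG chunk reader that bounds inflation of the IDAT stream by
the image size declared in IHDR, so a datastream carrying more image data
than IHDR accounts for is rejected instead of overrunning row buffers."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}      # colour type -> samples/pixel

def chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(width, height, rows, extra=b""):
    """Constructed 8-bit RGB image; `extra` is appended to the raw scanline
    data before compression to build the malformed case."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + row for row in rows) + extra   # filter type 0 per row
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))

def iter_chunks(png):
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        crc_bytes = png[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        if struct.unpack(">I", crc_bytes)[0] != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError("bad CRC on %r" % ctype)
        yield ctype, body
        pos += 12 + length

def decode_scanlines(png):
    """Return the filtered scanlines, or raise ValueError for a datastream
    whose IDAT inflates to more (or less) than IHDR declares."""
    expected = None
    idat = b""
    for ctype, body in iter_chunks(png):
        if ctype == b"IHDR":
            width, height, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", body)
            if interlace:
                raise NotImplementedError("interlaced images not handled")
            rowbytes = (width * CHANNELS[colour] * depth + 7) // 8
            expected = height * (rowbytes + 1)     # one filter byte per row
        elif ctype == b"IDAT":
            if expected is None:
                raise ValueError("IDAT before IHDR")
            idat += body
        elif ctype == b"IEND":
            break
    if expected is None:
        raise ValueError("missing IHDR")
    # Inflate at most expected+1 bytes: one byte past the bound proves the
    # stream is oversized, and nothing beyond that is ever produced.
    out = zlib.decompressobj().decompress(idat, expected + 1)
    if len(out) > expected:
        raise ValueError("IDAT carries more image data than IHDR declares")
    if len(out) < expected:
        raise ValueError("IDAT truncated")
    return out

ROWS = [b"\xff\x00\x00\x00\xff\x00", b"\x00\x00\xff\xff\xff\xff"]   # 2x2 RGB

def demo():
    good = len(decode_scanlines(make_png(2, 2, ROWS)))
    try:
        decode_scanlines(make_png(2, 2, ROWS, extra=b"\x41" * 100))
        rejected = False
    except ValueError:
        rejected = True
    return good, rejected

if __name__ == "__main__":
    print(demo())
```

The important design point is that the bound is applied to the inflater's output, not to the compressed IDAT length: a few bytes of zlib input can expand to far more than the row buffers hold, so checking chunk sizes alone proves nothing.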
Inadequate digital certificate verification in Konqueror
| Package(s): | Konqueror |
| CVE #(s): | |
| Created: | August 19, 2002 |
| Updated: | August 21, 2002 |
| Description: | The Konqueror web browser, versions 3.0.2 and prior, does not properly check how digital certificates were signed; the result is that anybody can create fake certificates and use them for "man in the middle" attacks. The problem was fixed in Konqueror 3.0.3. |
| Alerts: | |
Comments (none posted)
Multiple vulnerabilities in mantis
| Package(s): | mantis |
| CVE #(s): | |
| Created: | August 20, 2002 |
| Updated: | September 4, 2002 |
| Description: | The Mantis project has reported a number of bugs in the Mantis bug tracking system. Needless to say, upgrading to a version later than 0.17.3 is recommended. |
| Alerts: | |
Comments (none posted)
Safemode vulnerability in PHP
| Package(s): | PHP |
| CVE #(s): | CAN-2001-1246 |
| Created: | August 20, 2002 |
| Updated: | October 9, 2002 |
| Description: | PHP versions 4.0.5 through 4.1.0 fail to properly cleanse a parameter to the mail() function, allowing arbitrary command execution by local and (possibly) remote attackers. |
| Alerts: | |
Comments (none posted)
XDR vulnerability in krb5
| Package(s): | krb5 |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 19, 2002 |
| Updated: | August 20, 2002 |
| Description: | The Kerberos 5 implementation suffers from the same SunRPC XDR integer overflow problem (in xdr_array(), leading to a heap buffer overflow) as many other packages; see the CERT advisory. |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
LPRng accepts jobs from any host.
| Package(s): | LPRng |
| CVE #(s): | CAN-2002-0378 |
| Created: | June 12, 2002 |
| Updated: | October 31, 2002 |
| Description: | Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host. This could be an especially annoying vulnerability for administrators with systems exposed to the general public. |
| Alerts: | |
Comments (none posted)
OpenSSL remotely-exploitable buffer overflow vulnerabilities
| Package(s): | OpenSSL |
| CVE #(s): | CAN-2002-0655, CAN-2002-0656, CAN-2002-0657, CAN-2002-0659 |
| Created: | July 30, 2002 |
| Updated: | September 24, 2002 |
| Description: | Four remotely-exploitable buffer overflows were found in OpenSSL 0.9.6d and earlier (and in the 0.9.7 pre-releases) by a DARPA-sponsored security audit. Both client and server applications are affected. The vulnerabilities are described in the security alert from the OpenSSL team. |
| | A nasty exploit for one of the vulnerabilities is described in CERT Advisory CA-2002-27, Apache/mod_ssl Worm. Compromise by the Apache/mod_ssl worm indicates that a remote attacker can execute arbitrary code as the apache user on the victim system. It may be possible for an attacker to subsequently leverage a local privilege escalation exploit in order to gain root access to the victim system. Furthermore, the DDoS capabilities included in the Apache/mod_ssl worm allow victim systems to be used as platforms to attack other systems. |
| | If you haven't already, applying an update is a very good thing to do today. Mitel Networks has an update available which closes this vulnerability for their SME Server software. |
| | See also CERT Advisory CA-2002-23, Multiple Vulnerabilities In OpenSSL. |
| Alerts: | |
Comments (none posted)
Buffer overflow vulnerabilities in PostgreSQL
| Package(s): | PostgreSQL |
| CVE #(s): | |
| Created: | August 21, 2002 |
| Updated: | January 27, 2003 |
| Description: | PostgreSQL 7.2.2 has been released in response to a number of buffer overrun vulnerabilities which have been identified recently. "...it should be noted that these vulnerabilities are only critical on 'open' or 'shared' systems, as they require the ability to be able to connect to the database before they can be exploited." |
| | Buffer overflow vulnerabilities fixed include those reported by "Sir Mordred The Traitor" in the cash_words, repeat, lpad and rpad functions. |
| Alerts: | |
Comments (none posted)
Heap corruption vulnerability in at
| Package(s): | at, sudo, xchat |
| CVE #(s): | CAN-2002-0004 |
| Created: | May 21, 2002 |
| Updated: | May 15, 2003 |
| Description: | The at command has a potentially exploitable heap corruption bug. (First LWN report: January 17th.) |
| Alerts: | |
Comments (none posted)
Denial of service vulnerability in version 9 of BIND
| Package(s): | bind |
| CVE #(s): | CAN-2002-0400 |
| Created: | June 5, 2002 |
| Updated: | August 19, 2002 |
| Description: | The Computer Emergency Response Team (CERT) has issued an advisory regarding the denial of service vulnerability in version 9 of the BIND nameserver, up to 9.2.1. An attacker can send a properly crafted packet which triggers a check within BIND and causes it to shut down. The vulnerability can not be exploited for any purpose beyond denial of service, but that is bad enough; if you are running BIND 9, an upgrade is probably a good idea. |
| | Note that many or most systems out there will still be running BIND 8, and thus will not be vulnerable. News articles on the vulnerability appear in the Register and Network World Fusion News. |
| Alerts: | |
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
| CVE #(s): | CAN-2002-0651, CAN-2002-0684 |
| Created: | July 8, 2002 |
| Updated: | October 1, 2003 |
| Description: | The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc-related vulnerability in code which is not used on Linux. Updates from the Internet Software Consortium (ISC) are available. No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago. |
| | Unfortunately that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as "used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely." |
| | See also CERT Advisory CA-2002-19, Buffer Overflow in Multiple DNS Resolver Libraries. |
| Alerts: | |
Comments (1 posted)
Off by one buffer overflow vulnerability in cvsd
| Package(s): | cvs |
| CVE #(s): | |
| Created: | August 14, 2002 |
| Updated: | August 14, 2002 |
| Description: | cvs version 1.11, and possibly earlier versions, has a locally exploitable off-by-one buffer overflow vulnerability. |
| Alerts: | |
Comments (none posted)
Potential unauthorized root access vulnerability in dietlibc
| Package(s): | dietlibc |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 14, 2002 |
| Updated: | December 5, 2002 |
| Description: | Felix von Leitner discovered an integer overflow in the xdr_array() code derived from the SunRPC library, which is used in dietlibc, a libc optimized for small size. The bug could be exploited to gain unauthorized root access through software linking to dietlibc. |
| | See CERT/CC Vulnerability Note VU#192995, Integer overflow in xdr_array() function when deserializing the XDR stream. |
| Alerts: | |
Comments (none posted)
Ethereal buffer overflow, infinite loop and memory management vulnerabilities
| Package(s): | ethereal |
| CVE #(s): | CAN-2002-0012, CAN-2002-0013, CAN-2002-0353, CAN-2002-0401, CAN-2002-0402, CAN-2002-0403, CAN-2002-0404 |
| Created: | June 12, 2002 |
| Updated: | October 27, 2002 |
| Description: | Ethereal 0.9.4 was released on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3: the SMB dissector could potentially dereference a NULL pointer in two cases; the X11 dissector could potentially overflow a buffer while parsing keysyms; the DNS dissector could go into an infinite loop while reading a malformed packet; and the GIOP dissector could potentially allocate large amounts of memory. No known exploits exist "in the wild" at the present time for any of these issues. |
| | Ethereal 0.9.2 has several packet handling vulnerabilities that are best avoided by upgrading to 0.9.4. The PROTOS test suite found some flaws in SNMP and LDAP protocol support. Malformed packets could also crash ethereal 0.9.2 due to an ASN.1 zero-length g_malloc problem. The zlib "double free" vulnerability was addressed by the updates for that bug from many distributors. |
| Alerts: | |
Comments (none posted)
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
| CVE #(s): | CAN-2002-0435 |
| Created: | May 21, 2002 |
| Updated: | May 16, 2003 |
| Description: | A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and the 4.1.6 development version. A patch is available. (First LWN report: May 2.) |
| Alerts: | |
Comments (none posted)
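The entry above does not spell the race out. As it is generally described, a recursive rm that descends with chdir() and climbs back with chdir("..") can be fooled by an attacker who moves the directory it is inside to a higher level; ".." then leads somewhere other than where rm came from, and it carries on deleting there. The added example below (this editor's Python, not fileutils code) implements that descent style together with the defence: record the parent's device and inode before descending and refuse to continue if ".." does not lead back to it. The directory layout and the "attacker" rename are constructed inside the block.

```python
"""Why recursive deletion must not trust chdir(".."): a chdir-based
remove_tree() with the device/inode check that detects the directory
being moved while it is being emptied."""
import os
import shutil
import tempfile

def _same_dir(a, b):
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)

def _clear_dir(name, after_descent):
    """We are in the parent; descend into `name`, empty it, come back."""
    parent = os.stat(".")                    # remember where we came from
    os.chdir(name)
    for entry in os.listdir("."):
        if os.path.isdir(entry) and not os.path.islink(entry):
            _clear_dir(entry, after_descent)
            os.rmdir(entry)
        else:
            os.unlink(entry)
    if after_descent is not None:
        after_descent(name)                  # the attacker's window
    os.chdir("..")
    if not _same_dir(parent, os.stat(".")):  # ".." did not lead back: stop
        raise RuntimeError("%s moved while being emptied; aborting" % name)

def remove_tree(path, after_descent=None):
    """Delete `path` recursively. `after_descent` is a hook the demo uses
    to simulate a concurrent rename just before rm climbs back out."""
    start = os.getcwd()
    path = os.path.abspath(path)
    try:
        os.chdir(os.path.dirname(path))
        _clear_dir(os.path.basename(path), after_descent)
        os.rmdir(os.path.basename(path))
    finally:
        os.chdir(start)

def demo():
    """Constructed layout: top/victim/sub/file.txt plus top/precious.txt.
    While rm is inside `sub`, the attacker moves `sub` up to top/sub, so
    that ".." from inside it now means `top` rather than `victim`."""
    top = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(top, "victim", "sub"))
        open(os.path.join(top, "victim", "sub", "file.txt"), "w").close()
        open(os.path.join(top, "precious.txt"), "w").close()

        def attacker(name):
            if name == "sub":
                os.rename(os.path.join(top, "victim", "sub"), os.path.join(top, "sub"))

        try:
            remove_tree(os.path.join(top, "victim"), after_descent=attacker)
            aborted = False
        except RuntimeError:
            aborted = True
        survived = os.path.exists(os.path.join(top, "precious.txt"))
        return aborted, survived
    finally:
        shutil.rmtree(top, ignore_errors=True)

if __name__ == "__main__":
    print(demo())
```

Without the check, the same sequence would leave rm in `top` with the rest of its work, and the deletion of `victim`'s remaining entries, happening in the wrong directory. Modern implementations avoid the problem altogether by operating on directory file descriptors rather than the process's working directory, but the identity check is the minimal fix for chdir-based code.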
Buffer overflow vulnerability in the Jabber plug-in module for gaim
| Package(s): | gaim |
| CVE #(s): | CAN-2002-0384, CAN-2002-0377 |
| Created: | August 14, 2002 |
| Updated: | September 11, 2002 |
| Description: | gaim versions prior to 0.58 contained a buffer overflow in the Jabber plug-in module; the problem is fixed in the current release, gaim 0.59. "Gaim is an instant messaging client written in GTK and is based on the published TOC messaging protocol from AOL." |
| Alerts: | |
Comments (none posted)
Remote execution vulnerability in gallery
| Package(s): | gallery |
| CVE #(s): | |
| Created: | August 14, 2002 |
| Updated: | August 14, 2002 |
| Description: | A remote attacker could execute commands under the uid of the web server by passing in the GALLERY_BASEDIR variable remotely. Gallery is a web-based photo album toolkit. |
| Alerts: | |
Comments (none posted)
Potential remote root exploit in glibc
| Package(s): | glibc |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 14, 2002 |
| Updated: | June 29, 2003 |
| Description: | Felix von Leitner discovered an integer overflow in the xdr_array() code derived from the SunRPC library which is used in glibc. This bug could be exploited to gain unauthorized root access through software linking to glibc. Updating as soon as practical is a good idea. |
| | Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information. |
| | See CERT/CC Vulnerability Note VU#192995, Integer overflow in xdr_array() function when deserializing the XDR stream. |
| Alerts: | |
Comments (none posted)
Buffer overflow in groff
| Package(s): | groff |
| CVE #(s): | CAN-2002-0003 |
| Created: | May 21, 2002 |
| Updated: | December 9, 2002 |
| Description: | The groff package has a buffer overflow vulnerability; if it is used with the print system, it is conceivably exploitable remotely. |
| Alerts: | |
Comments (none posted)
HylaFAX 4.1.3 fixes multiple vulnerabilities
| Package(s): | hylafax |
| CVE #(s): | CAN-2001-1034 |
| Created: | July 30, 2002 |
| Updated: | October 9, 2002 |
| Description: | The HylaFAX team has released version 4.1.3 fixing denial of service, elevated system privilege and possible remote code execution vulnerabilities. HylaFAX is a mature (est. 1991) enterprise-class open-source software package for sending and receiving facsimiles as well as for sending alpha-numeric pages. It runs on a wide variety of UNIX-like platforms including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX, AIX, and HP-UX. |
| Alerts: | |
Comments (none posted)
Buffer overflow and format string vulnerabilities in ipppd
| Package(s): | i4l |
| CVE #(s): | |
| Created: | August 14, 2002 |
| Updated: | August 14, 2002 |
| Description: | The ipppd program, in the i4l package, has various buffer overflows and format string bugs. Since ipppd is installed setuid to root, attackers with appropriate group membership may be able to execute arbitrary commands as root. The i4l package for ISDN connectivity is installed by default in at least one distribution; you are vulnerable even if you do not have an ISDN connection. |
| | The SuSE Security Team is aware of a published exploit for ipppd that gives a local attacker root privileges, so you should either update the package or remove the setuid bit from ipppd. |
| Alerts: | |
Comments (none posted)
UW imapd remotely exploitable buffer overflow
| Package(s): | imap |
| CVE #(s): | CAN-2002-0379 |
| Created: | June 5, 2002 |
| Updated: | December 20, 2002 |
| Description: | UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft a request to run commands on the server under their UID and GID. (First LWN report: May 23.) |
| Alerts: | |
Comments (2 posted)
File exposure vulnerability in interchange
| Package(s): | interchange |
| CVE #(s): | |
| Created: | August 14, 2002 |
| Updated: | August 14, 2002 |
| Description: | A problem has been discovered in interchange which may allow a remote attacker to read any file for which the user of the Interchange daemon has sufficient permissions. Interchange must be running in "INET mode" (internet domain socket) to be vulnerable; this is not the default setting, at least in Debian packages. Interchange is an e-commerce and general HTTP database display system. |
| Alerts: | |
Comments (none posted)
Kerberos 5 unauthorized root access to KDC host vulnerability
| Package(s): | krb5 |
| CVE #(s): | |
| Created: | August 14, 2002 |
| Updated: | October 29, 2002 |
| Description: | A bug in the Kerberos 5 remote administration service, "kadmind", could be exploited to gain unauthorized root access to a KDC host. It is believed that the attacker needs to be able to authenticate to the kadmin daemon for this attack to be successful. This is Felix von Leitner's integer overflow in the xdr_array() code derived from the SunRPC library, which is used in many places including the Kerberos 5 administration system. Updating now is recommended. |
| | See CERT/CC Vulnerability Note VU#192995, Integer overflow in xdr_array() function when deserializing the XDR stream. |
| Alerts: | |
Comments (none posted)
Remotely exploitable vulnerabilities in l2tpd
| Package(s): | l2tpd |
| CVE #(s): | |
| Created: | August 14, 2002 |
| Updated: | August 14, 2002 |
| Description: | l2tpd, a layer 2 tunneling client/server program, does not seed its random number generator. Since every "random" number it produces is therefore predictable, the oversight could lead to remote exploits. There is also a buffer overflow vulnerability. Both problems are fixed in the updates below. |
| Alerts: | |
Comments (none posted)
Apache mod_ssl off-by-one local code execution and DoS vulnerability
| Package(s): | libapache-mod-ssl mod_ssl |
| CVE #(s): | CAN-2002-0653 |
| Created: | July 2, 2002 |
| Updated: | August 14, 2002 |
| Description: | Mod-ssl provides strong cryptography for the Apache webserver via the Secure Sockets Layer (SSL). A maliciously-crafted .htaccess file may be used by an attacker to execute arbitrary commands as the httpd user or launch a denial of service attack. The problem is fixed in mod_ssl 2.8.10. For more information see the announcement. |
| Alerts: | |
Comments (none posted)
libpng buffer overflow vulnerability
| Package(s): | libpng libpng2 libpng3 |
| CVE #(s): | |
| Created: | July 17, 2002 |
| Updated: | August 19, 2002 |
| Description: | Versions of libpng prior to 1.2.4 and 1.0.14 have a buffer overflow vulnerability that could lead to remote code execution. Since libpng is used by programs that talk to the outside world (i.e. mozilla), it is worth upgrading. libpng is the official PNG reference library. It supports almost all PNG features, is extensible, and has been extensively tested for over five years. |
| Alerts: | |
Comments (2 posted)
Mailman 2.0.11 fixes two cross-site scripting vulnerabilities
| Package(s): | mailman |
| CVE #(s): | CAN-2002-0388 |
| Created: | June 5, 2002 |
| Updated: | August 28, 2002 |
| Description: | Barry A. Warsaw announced the release of Mailman 2.0.11, "which fixes two cross-site scripting exploits, one reported by "office" in the admin login page, and another reported by Tristan Roddis in the Pipermail index summaries. It is recommended that all sites upgrade their 2.0.x systems to this version." |
| Alerts: | |
Comments (none posted)
Remote arbitrary code execution vulnerability in mantis
| Package(s): | mantis |
| CVE #(s): | |
| Created: | August 14, 2002 |
| Updated: | August 20, 2002 |
| Description: | Mantis is a PHP-based bug tracking system. Joao Gouveia and the Debian Security Team found multiple insecure uses of uninitialized variables in mantis. When these are exploited, a remote user is able to execute arbitrary code under the webserver user id on the web server hosting the mantis system. |
| Alerts: | |
Comments (none posted)
Temporary file vulnerability in mm library
| Package(s): | mm |
| CVE #(s): | CAN-2002-0658 |
| Created: | July 30, 2002 |
| Updated: | August 14, 2002 |
| Description: | The OSSP mm library (libmm) is frequently used in Apache setups using mod_ssl and/or mod_php. A temporary file vulnerability in libmm before version 1.2.0 permits a local Apache user to gain privileges; it can be exploited to obtain root privilege in some circumstances. Upgrading sooner, rather than later, is recommended. |
| Alerts: | |
Comments (none posted)
PHP Remote Compromise/DOS Vulnerability
| Package(s): | mod_php4 |
| CVE #(s): | |
| Created: | July 22, 2002 |
| Updated: | February 18, 2003 |
| Description: | PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems; there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise. According to the CERT Advisory, almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP. |
| | Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1 installed, is to upgrade to PHP 4.2.2. For more information see the alert from the discoverer of the vulnerability, Stefan Esser of e-matters GmbH, or the security advisory from the PHP team. |
| | See also CERT Advisory CA-2002-21, Vulnerability in PHP. |
| Alerts: | |
Comments (1 posted)
Mozilla XMLHttpRequest file disclosure vulnerability
| Package(s): | mozilla |
| CVE #(s): | CAN-2002-0354 |
| Created: | May 21, 2002 |
| Updated: | October 18, 2002 |
| Description: | This XMLHttpRequest security bug impacts all Mozilla-based browsers. "The bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various operating system platforms, and in Netscape versions 6.1 and higher." (First LWN report: May 2.) |
| Alerts: | |
Comments (none posted)
Potential MIME encoded email arbitrary code execution vulnerability
| Package(s): | mpack |
| CVE #(s): | |
| Created: | August 14, 2002 |
| Updated: | August 14, 2002 |
| Description: |
The munpack program is used in the Debian distribution for decoding
binary files in MIME (Multipurpose Internet Mail Extensions) format mail
messages. Eckehard Berns discovered a buffer overflow in munpack which
may allow a maliciously formed email to run arbitrary code. |
| Alerts: | |
Format string bug in pam_ldap logging
| Package(s): | nss_ldap |
| CVE #(s): | CAN-2002-0374 |
| Created: | June 5, 2002 |
| Updated: | October 29, 2002 |
| Description: |
The nss_ldap package includes the pam_ldap module for authenticating a
user against an LDAP database. pam_ldap versions prior to 144 have a
format string bug in the logging mechanism. |
| Alerts: | |
OpenAFS potential remote code execution vulnerability
| Package(s): | openafs |
| CVE #(s): | |
| Created: | August 14, 2002 |
| Updated: | August 14, 2002 |
| Description: |
The OpenAFS database servers are subject to the integer overflow bug in
code derived from the SunRPC library. This bug could be exploited to
crash certain OpenAFS servers (volserver, vlserver, ptserver, buserver)
or to obtain unauthorized root access to a host running one of these
processes. Felix von Leitner discovered this potential division by zero
bug in code derived from the SunRPC library, which is used in many places
including OpenAFS.
Updating now is recommended.
CERT/CC Vulnerability Note VU#192995: Integer overflow in xdr_array()
function when deserializing the XDR stream |
| Alerts: | |
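The arithmetic behind VU#192995, as an added example written for this page (it is not OpenAFS or SunRPC code): xdr_array() multiplies an element count taken from the wire by the element size in a 32-bit unsigned integer before allocating, so a large count wraps to a small allocation that the decoder then overruns. The unchecked form sits beside a checked one; the 1 MB cap and the function names are assumptions for the demo.

```c
/* Added example (not OpenAFS or SunRPC code): count * elsize in 32 bits,
 * unchecked as in the vulnerable xdr_array(), then checked. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ARRAY_BYTES (1u << 20)   /* assumed policy limit for the demo */

/* Shape of the vulnerable computation: the product wraps modulo 2^32, so
 * count = 0x40000000 with elsize = 4 yields 0 bytes, and 0x40000001
 * yields 4 bytes, while the decoder later writes count elements. */
uint32_t array_bytes_unchecked(uint32_t count, uint32_t elsize)
{
    return count * elsize;
}

/* Fixed form: reject when the product would wrap or exceed the policy cap.
 * Returns 1 and stores the byte count on success, 0 on rejection. */
int array_bytes_checked(uint32_t count, uint32_t elsize, uint32_t *out)
{
    if (elsize == 0)
        return 0;
    if (count > UINT32_MAX / elsize)        /* multiplication would wrap */
        return 0;
    uint32_t bytes = count * elsize;
    if (bytes > MAX_ARRAY_BYTES)            /* legal size, but too big to trust */
        return 0;
    *out = bytes;
    return 1;
}

/* Convenience form for callers that only need "size or reject". */
uint32_t array_bytes_or_zero(uint32_t count, uint32_t elsize)
{
    uint32_t bytes;
    return array_bytes_checked(count, elsize, &bytes) ? bytes : 0;
}

/* Decoder front-end in the spirit of xdr_array(): a buffer sized for the
 * array, or NULL when the header is unacceptable. */
void *alloc_array_from_header(uint32_t count, uint32_t elsize)
{
    if (array_bytes_or_zero(count, elsize) == 0)
        return NULL;
    return calloc(count, elsize);
}

int main(void)
{
    printf("unchecked 0x40000000 * 4 = %u bytes\n",
           array_bytes_unchecked(0x40000000u, 4));
    printf("unchecked 0x40000001 * 4 = %u bytes\n",
           array_bytes_unchecked(0x40000001u, 4));
    printf("checked   0x40000000 * 4 = %u bytes (0 means rejected)\n",
           array_bytes_or_zero(0x40000000u, 4));
    printf("checked   100 * 4        = %u bytes\n",
           array_bytes_or_zero(100, 4));
    void *p = alloc_array_from_header(100, 4);
    free(p);
    return 0;
}
```

The division test (count > UINT32_MAX / elsize) is the portable way to detect the wrap before it happens; the separate cap is what stops a legitimately encoded but absurd array from exhausting memory.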
Remotely exploitable vulnerability in pine
| Package(s): | pine |
| CVE #(s): | CAN-2002-0014 |
| Created: | May 21, 2002 |
| Updated: | November 27, 2002 |
| Description: |
Pine has an unpleasant vulnerability in its URL handling which can lead
to command execution by remote attackers. (First LWN report: January
17th.) This vulnerability is remotely exploitable; updating is a good
idea. Note: if an update isn't yet available for your distribution,
setting enable-msg-view-urls to "off" in pine's setup will avoid the
vulnerability. (Thanks to Greg Herlein.) |
| Alerts: | |
Local denial of service vulnerability in sendmail
| Package(s): | sendmail |
| CVE #(s): | |
| Created: | August 14, 2002 |
| Updated: | August 14, 2002 |
| Description: |
A local user can stop local mail service by holding an exclusive read
lock on specific sendmail files. The user need only have permission to
read a file such as /var/log/sendmail.st, which is world readable by
default. The problem is described in this advisory. |
| Alerts: | |
Sharutils potential privilege escalation using uudecode
| Package(s): | sharutils |
| CVE #(s): | CAN-2002-0178 |
| Created: | May 21, 2002 |
| Updated: | October 30, 2002 |
| Description: |
According to the CVE entry, "uudecode, as available in the sharutils
package before 4.2.1, does not check whether the filename of the uudecoded
file is a pipe or symbolic link, which could allow attackers to overwrite
files or execute commands." (First LWN report: May 16.) |
| Alerts: | |
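The check uudecode lacked, as an added example written for this page (it is not sharutils code): before writing the decoded data to the name taken from the "begin" line, refuse anything that is not a plain file, and re-verify on the open file descriptor so a symlink or FIFO swapped in after the lstat() is caught as well. The scratch directory, file names and the self-check are constructed for the demo.

```c
/* Added example (not sharutils code): open an attacker-named output file
 * only if it is absent or an ordinary regular file. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns a writable fd, or -1 if the name is a symlink, FIFO, device,
 * directory, or changed identity between the check and the open. */
int open_output_target(const char *path)
{
    struct stat before, after;
    int flags = O_WRONLY | O_NONBLOCK;  /* O_NONBLOCK: a FIFO that races in
                                           fails with ENXIO instead of hanging */
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;                /* kernel refuses a symlink outright */
#endif
    int existed = (lstat(path, &before) == 0);   /* lstat: do not follow links */
    if (existed) {
        if (!S_ISREG(before.st_mode))
            return -1;
    } else {
        flags |= O_CREAT | O_EXCL;      /* must still be absent at open time */
    }
    int fd = open(path, flags, 0644);
    if (fd < 0)
        return -1;
    /* Nothing destructive until the descriptor is verified: same inode we
     * inspected, still a regular file; only then truncate. */
    if (fstat(fd, &after) != 0 || !S_ISREG(after.st_mode)
        || (existed && (after.st_dev != before.st_dev
                        || after.st_ino != before.st_ino))
        || ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK);
    return fd;
}

/* Self-check: a dangling symlink, a FIFO and a fresh plain name in a
 * mkdtemp() directory; returns how many decisions came out right (3). */
int demo_uudecode_targets(void)
{
    char dir[] = "/tmp/uudemoXXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char link[300], fifo[300], plain[300];
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(fifo, sizeof fifo, "%s/fifo", dir);
    snprintf(plain, sizeof plain, "%s/plain", dir);
    int right = 0;
    if (symlink("victim", link) == 0 && open_output_target(link) == -1)
        right++;                                   /* symlink refused */
    if (mkfifo(fifo, 0600) == 0 && open_output_target(fifo) == -1)
        right++;                                   /* FIFO refused */
    int fd = open_output_target(plain);
    if (fd >= 0) {                                 /* plain file accepted */
        right++;
        close(fd);
    }
    unlink(link);
    unlink(fifo);
    unlink(plain);
    rmdir(dir);
    return right;
}

int main(void)
{
    printf("correct decisions: %d of 3\n", demo_uudecode_targets());
    return 0;
}
```

O_NOFOLLOW is the decisive protection on systems that have it; the lstat()/fstat() inode comparison is the portable fallback, and deferring the truncate until after that comparison is what keeps a race from costing the victim's data.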
Multiple vulnerabilities fixed in Squid-2.4.STABLE7
| Package(s): | squid |
| CVE #(s): | |
| Created: | July 8, 2002 |
| Updated: | November 15, 2002 |
| Description: |
Here is the security advisory for the Squid proxy server reporting
several vulnerabilities in versions prior to 2.4.STABLE7.
Several of the bugs are believed to allow remote code execution.
The security advisory lists the following changes:
- Several bugfixes and cleanup of the Gopher client, both
  to correct some security issues and to make Squid properly
  render certain Gopher menus.
- Security fixes in how Squid parses FTP directory listings into
  HTML.
- FTP data channels are now sanity checked to match the address
  of the requested FTP server. This is to prevent theft or injection
  of data. See the new ftp_sanitycheck directive if this sanity
  check is not desired.
- The MSNT auth helper has been updated to v2.0.3+fixes for
  buffer overflow security issues found in this helper.
- A security issue in how Squid forwards proxy authentication
  credentials has been fixed. |
| Alerts: | |
Local root access vulnerability in super
| Package(s): | super |
| CVE #(s): | |
| Created: | August 14, 2002 |
| Updated: | August 14, 2002 |
| Description: |
Super is a setuid-root program that offers restricted setuid-root access
to executables and a relatively secure environment for scripts. A format
string bug in super may allow a local user to gain unauthorized root
access. |
| Alerts: | |
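The bug class behind both the pam_ldap and the super entries, as an added example written for this page (it is not code from either project): a logging wrapper that is handed an untrusted string as its format, the fixed form beside it, and a triage check. The wrapper and function names are invented for the demo; the vulnerable function is defined only to show the shape of the bug and is never fed hostile input.

```c
/* Added example (not pam_ldap's or super's code): format string bug in a
 * logger, and the one-token fix.
 * Build with: cc -Wall -Wformat -Wformat-security fmtstr.c -o fmtstr */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* A printf-style logger of the kind many daemons wrap around syslog();
 * here it writes into a buffer so the result can be inspected. */
static void log_line(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: the attacker-chosen string *is* the format. A user name of
 * "%x%x%x" leaks stack words; "%n" writes to memory. In a setuid program
 * or a PAM module that is a local root hole. */
void log_user_unsafe(char *out, size_t outlen, const char *user)
{
    log_line(out, outlen, user);
}

/* FIXED: the format is a literal; the untrusted data is an argument. */
void log_user_safe(char *out, size_t outlen, const char *user)
{
    log_line(out, outlen, "login failed for user %s", user);
}

/* Triage check for an audit or a test harness: untrusted data that ever
 * reaches a format parameter must go through "%s". Returns 1 if the
 * string holds a directive that would be interpreted as a format. */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Self-check: the safe logger must reproduce a hostile name literally,
 * and the unsafe one is shown only with a benign name. Returns 1 on pass. */
int demo_format_string(void)
{
    char buf[128];
    log_user_safe(buf, sizeof buf, "%x%x%x%n");     /* constructed input */
    if (strcmp(buf, "login failed for user %x%x%x%n") != 0)
        return 0;
    log_user_unsafe(buf, sizeof buf, "alice");      /* no '%': harmless */
    if (strcmp(buf, "alice") != 0)
        return 0;
    return 1;
}

int main(void)
{
    char buf[128];
    log_user_safe(buf, sizeof buf, "%x%x%x%n");
    printf("safe logger output : %s\n", buf);
    printf("hostile name flagged: %d\n", has_format_directive("%x%x%x%n"));
    printf("self-check          : %d\n", demo_format_string());
    return 0;
}
```

gcc's -Wformat-security catches the direct form printf(user) but not a call through a wrapper like log_line() unless the wrapper carries __attribute__((format(printf, 3, 4))); adding that attribute to every logging helper is the cheapest way to make this whole class of bug a compile-time warning.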
Tcl/Tk local root vulnerability
| Package(s): | tcltk expect |
| CVE #(s): | CAN-2001-1374 CAN-2001-1375 |
| Created: | August 14, 2002 |
| Updated: | September 24, 2002 |
| Description: |
Tcl/Tk searches for its libraries in the current working directory before
other directories. A local user could execute arbitrary code by inserting
a Trojan horse library in the current working directory. Versions of the
expect application prior to 5.32 search for their libraries in /var/tmp
before searching in other directories. A local user could gain root
privileges by inserting a Trojan horse library in /var/tmp and then
getting the root user to run mkpasswd. |
| Alerts: | |
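An audit check for this class of problem, as an added example written for this page (it is not Tcl or expect code): given a library search list, flag every entry an unprivileged local user could populate, which is the current directory (spelled "." or as an empty entry), any relative path, and any existing directory that is world-writable such as /var/tmp. The colon-separated list format and the function names are assumptions for the demo.

```c
/* Added example (not Tcl/Tk or expect code): flag search-path entries
 * that let a local user plant a Trojan horse library. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Returns 1 if a single search entry is attacker-controllable: "" and "."
 * both mean the current directory, a relative path depends on the cwd,
 * and a world-writable directory lets anyone create a new file there
 * (the sticky bit only stops deleting others' files, so /var/tmp counts). */
int search_dir_unsafe(const char *dir)
{
    if (dir[0] == '\0' || strcmp(dir, ".") == 0)
        return 1;
    if (dir[0] != '/')
        return 1;
    struct stat st;
    if (stat(dir, &st) == 0 && S_ISDIR(st.st_mode) && (st.st_mode & S_IWOTH))
        return 1;
    return 0;
}

/* Walks a colon-separated list (empty entries included, since they are
 * exactly the dangerous case) and returns how many entries are unsafe. */
int count_unsafe_search_dirs(const char *list)
{
    int unsafe = 0;
    const char *p = list;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        char entry[1024];
        if (len >= sizeof entry)
            len = sizeof entry - 1;
        memcpy(entry, p, len);
        entry[len] = '\0';
        if (search_dir_unsafe(entry))
            unsafe++;
        if (!colon)
            break;
        p = colon + 1;
    }
    return unsafe;
}

int main(void)
{
    /* constructed sample lists: the shape of the Tcl and expect bugs */
    const char *tcl_like    = ".:/usr/lib/tcl8.3";
    const char *expect_like = "/var/tmp:/usr/lib/expect5.31";
    const char *empty_entry = "::/usr/lib";
    printf("%-32s unsafe entries: %d\n", tcl_like, count_unsafe_search_dirs(tcl_like));
    printf("%-32s unsafe entries: %d\n", expect_like, count_unsafe_search_dirs(expect_like));
    printf("%-32s unsafe entries: %d\n", empty_entry, count_unsafe_search_dirs(empty_entry));
    return 0;
}
```

The same check applies to LD_LIBRARY_PATH, PATH and any interpreter's auto-load path; the rule a privileged program must follow is that no entry searched before the system directories may be writable by anyone other than root.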
Malformed NFS packet buffer overflow vulnerability in tcpdump
| Package(s): | tcpdump |
| CVE #(s): | CAN-2002-0380 |
| Created: | June 5, 2002 |
| Updated: | October 9, 2002 |
| Description: |
A buffer overflow in tcpdump can be triggered by a malformed NFS packet
when tracing the network. Unmodified tcpdump versions 3.6.2 and earlier
are vulnerable. |
| Alerts: | |
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
| CVE #(s): | |
| Created: | May 21, 2002 |
| Updated: | October 5, 2004 |
| Description: |
This vulnerability, originally thought to be confined to BSD-derived
systems, was first covered in the July 26th Security Summary. It is now
known that Linux telnet daemons are vulnerable as well. |
| Alerts: | |
Potential arbitrary code execution vulnerability in tinyproxy
| Package(s): | tinyproxy |
| CVE #(s): | |
| Created: | August 14, 2002 |
| Updated: | August 14, 2002 |
| Description: |
Tinyproxy, a lightweight HTTP proxy, handles some invalid proxy requests
incorrectly. Under some circumstances, an invalid request may result in
allocated memory being freed twice. This can potentially result in the
execution of arbitrary code. |
| Alerts: | |
Multiple vulnerabilities in SNMP implementations
| Package(s): | ucdsnmp ucd-snmp |
| CVE #(s): | CAN-2002-0012 CAN-2002-0013 |
| Created: | May 21, 2002 |
| Updated: | September 17, 2002 |
| Description: |
Most SNMP implementations out there have a variety of buffer overflow
vulnerabilities and should be upgraded at the first opportunity. See the
CERT advisory for more. (First LWN report: February 14.) |
| Alerts: | |
Local root vulnerability in chfn
| Package(s): | util-linux |
| CVE #(s): | CAN-2002-0638 |
| Created: | July 29, 2002 |
| Updated: | October 30, 2002 |
| Description: |
chfn (change finger information) is one of the utilities in the util-linux
package. The BindView RAZOR Team has discovered a local root vulnerability
in chfn which is described in the BindView advisory. Under certain
conditions, "a carefully crafted attack sequence can be performed to
exploit a complex file locking and modification race present in this
utility, and, as a result, alter /etc/passwd to escalate privileges in the
system." The conditions include an /etc/passwd file larger than 4 kB, with
the attacker's account record located in any chunk other than the last
4 kB of the file.
CERT/CC Vulnerability Note VU#405955: util-linux package vulnerable to
privilege escalation when "ptmptmp" file is not removed properly when
using "chfn" utility |
| Alerts: | |
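The two practices whose absence underlies both the libmm temporary-file entry near the top of this list and the chfn race above, as one added example written for this page (it is not libmm or util-linux code, and it is not the fix either project shipped): mkstemp() creates an unpredictable scratch file with O_EXCL and mode 0600 so a local user cannot pre-create or symlink it, and a locked write-then-rename() replaces a file such as /etc/passwd atomically, removing the scratch file on any failure so no stray "ptmptmp"-style file is left for an attacker to play with. The scratch directory, the lock-file naming and the sample records are constructed for the demo.

```c
/* Added example (not libmm's or util-linux's code): private temp files
 * and atomic, locked replacement of a system file. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* The bad pattern is a fixed, guessable name opened with O_CREAT but no
 * O_EXCL; mkstemp() picks the name, uses O_CREAT|O_EXCL and mode 0600.
 * Fills `path` with the chosen name and returns the fd, or -1. */
int make_private_tempfile(const char *dir, char *path, size_t pathlen)
{
    snprintf(path, pathlen, "%s/.tmpXXXXXX", dir);
    return mkstemp(path);
}

/* Replace `target` with `content` while holding an exclusive lock on
 * `<target>.lock`. Readers see either the old or the new file, never a
 * partial one; a second writer waits on the lock. Returns 0 or -1; on
 * failure the temp file is unlinked and the target is untouched. */
int replace_file_atomically(const char *target, const char *content)
{
    char dir[512], lockpath[600], tmppath[600];
    /* the temp file must be in the same directory for rename() to be atomic */
    snprintf(dir, sizeof dir, "%s", target);
    char *slash = strrchr(dir, '/');
    if (slash)
        *slash = '\0';
    else
        snprintf(dir, sizeof dir, ".");
    snprintf(lockpath, sizeof lockpath, "%s.lock", target);

    int lockfd = open(lockpath, O_RDWR | O_CREAT, 0600);
    if (lockfd < 0)
        return -1;
    if (flock(lockfd, LOCK_EX) != 0) {
        close(lockfd);
        return -1;
    }
    int rc = -1;
    int fd = make_private_tempfile(dir, tmppath, sizeof tmppath);
    if (fd >= 0) {
        size_t len = strlen(content);
        if (write(fd, content, len) == (ssize_t)len && fsync(fd) == 0
            && fchmod(fd, 0644) == 0 && rename(tmppath, target) == 0)
            rc = 0;
        else
            unlink(tmppath);             /* never leave a stray temp file */
        close(fd);
    }
    flock(lockfd, LOCK_UN);              /* release only after the rename */
    close(lockfd);
    return rc;
}

/* Self-check: two updates in a scratch directory; returns 1 if the file
 * holds the second content and the directory is empty afterwards (rmdir
 * fails if a temp file was left behind). */
int demo_atomic_update(void)
{
    const char *v1 = "root:x:0:0:root:/root:/bin/sh\n";            /* constructed */
    const char *v2 = "root:x:0:0:root:/root:/bin/sh\n"
                     "alice:x:1000:1000::/home/alice:/bin/sh\n";
    char dir[] = "/tmp/atomicXXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char target[300], lockpath[400];
    snprintf(target, sizeof target, "%s/passwd", dir);
    snprintf(lockpath, sizeof lockpath, "%s.lock", target);

    int ok = replace_file_atomically(target, v1) == 0
          && replace_file_atomically(target, v2) == 0;
    if (ok) {
        char buf[512] = {0};
        FILE *f = fopen(target, "r");
        ok = (f != NULL);
        if (f) {
            (void)fread(buf, 1, sizeof buf - 1, f);
            fclose(f);
        }
        ok = ok && strcmp(buf, v2) == 0;
    }
    unlink(target);
    unlink(lockpath);
    return ok && rmdir(dir) == 0;
}

int main(void)
{
    printf("atomic update self-check: %d\n", demo_atomic_update());
    return 0;
}
```

The two properties worth keeping in mind: the lock must be held until after the rename(), not just during the write, and the temp file must be created in the target's own directory, since rename() across filesystems is a copy and not atomic.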
webalizer: reverse DNS buffer overflow vulnerability
| Package(s): | webalizer |
| CVE #(s): | |
| Created: | May 21, 2002 |
| Updated: | January 27, 2003 |
| Description: |
This one sounds nasty; the cause is a buffer overflow bug. If reverse DNS
lookups are enabled in webalizer, "an attacker with control over the
victims DNS may spoof responses thus triggering a buffer overflow,
potentially leading to a root compromise." Webalizer 2.01-10 "fixes this
and a few other buglets that have been discovered in the last month or
so". (First LWN report: April 18th, 2002.) |
| Alerts: | |
Webmin/Usermin vulnerabilities
| Package(s): | webmin |
| CVE #(s): | |
| Created: | May 21, 2002 |
| Updated: | January 10, 2003 |
| Description: |
Webmin is a web-based interface for system administration for Unix.
Webmin has cross-site scripting and session ID spoofing vulnerabilities
which are fixed in the May 6, 2002 release of version 0.970. (First LWN
report: May 9.) This one is scary: the session ID spoofing vulnerability
allows the "possibility that arbitrary commands may be executed with root
privileges." Upgrading is strongly recommended. At a minimum, avoid the
"preconditions for a successful exploit" by disabling password timeouts
under Webmin->Configuration->Authentication. |
| Alerts: | |
Problems with libgtop_daemon
| Package(s): | wuftpd libgtop |
| CVE #(s): | |
| Created: | May 21, 2002 |
| Updated: | May 7, 2003 |
| Description: |
The libgtop_daemon package is a GNOME program which makes system
information available remotely. LWN reported the remotely exploitable
format string and buffer overflow vulnerabilities in that package on
December 6th. The advice given on November 28th was to disable
libgtop_daemon on systems where it is running until an update is
available. Many Linux systems do not run libgtop by default, but applying
the update is a good idea anyway. |
| Alerts: | |