The first X.Org release
The X.Org Foundation has
announced the
release of X11R6.7. This is, in some sense, a relatively minor release with little in the way of new features (see
the release
notes for the details). It is, however, a milestone in the development
of the X Window System, and worthy of note.
Readers of LWN will be familiar with the tensions which have stressed the
XFree86 project over the last year. There have long been disagreements
over how the development of X should be managed, and core developers have
been leaving the project for some time. The issue came to a head with the
adoption of the XFree86 1.1 license, which is widely seen as being
incompatible with the GPL. That move led to the formation of the X.org Foundation under the umbrella
of FreeDesktop.org. It also led to many distributors saying that they
would not incorporate the XFree86 4.4 release.
The X11R6.7 release is the first official release from X.Org, though some
distributions (e.g. Fedora Core 2 Test 2) have incorporated pre-release
versions from the Foundation. It is intended to be a transitional release,
a way for distributors to move over to the new code base. As such, it
deliberately does not include much in the way of radical new changes.
There will be a couple more X11R6.x releases this year which will add more
new stuff.
The real plan for the future, however, is to split the X release into a
number of components, including the server, client libraries, and
applications. This split will allow each part of the system to progress at
its own pace; it will be possible to release support for the latest
graphics hardware without dragging along all of the applications as well.
The X hackers have all kinds of schemes for reworking the server and the X
protocol to better support modern 3D hardware and to get Linux, finally, out
of its old, two-dimensional world.
Conventional wisdom says that forks in free software projects are a bad
thing. But one of the valuable aspects of free software is that it
can be forked. The X fork looks like a necessary one; with luck it
will lead to a reinvigorated development process and good things for the
future Linux desktop.
Comments (2 posted)
First SELinux impressions
With the recent release of the second Fedora Core 2 test, many users are
getting their first exposure to
Security Enhanced
Linux (SELinux). We decided to take a look at SELinux in Fedora Core to
give readers a taste of what's to come.
SELinux introduces new layers of security, enforced by the kernel, in
addition to the standard Discretionary Access Control (DAC) model that
Linux users are already familiar with. The DAC model applies security based
only on a user's identity and the permissions associated with files and
processes. SELinux adds Mandatory Access Control (MAC) over processes and
files based on a policy set by the administrator, rather than based solely
on user or process identity.
SELinux also provides Type Enforcement (TE) for files and devices,
otherwise known as "objects," and Role-Based Access Control (RBAC) for users
and processes. TE grants or denies an access based on the type of the
process (its domain) and the type of the object, as spelled out by the
policy's allow rules rather than by the object's DAC permissions; RBAC
constrains which domains a user in a given role may run in. The practical
upshot of this is that a user or process must not only have the appropriate
DAC permissions to access an object, but also must be permitted by the TE
and RBAC policy.
It's important to note that SELinux does not do away with the standard DAC
model. For example, if a normal user attempts to execute a file owned by
root with the mode 500, they will be denied the ability to do so without
SELinux features coming into play. However, SELinux goes beyond that level
of control. For example, an administrator can set policy that prevents a
user from granting access to files to other users even if that user owns
the file.
To paraphrase Spider Man's tagline, with great power comes great
complexity. Getting up to speed with SELinux tools and policy will take
some time. While SELinux gives an administrator a greatly enhanced security
toolbox, it also complicates the job of administrating a system. The
integration of SELinux adds a number of new programs and configuration
files for the administrator to familiarize themselves with, as well as
adding new options to familiar programs like ps and ls. It is safe to say
that the syntax for SELinux's policy configuration files is less
than user-friendly.
Administrators who plan to tweak the SELinux policy settings should plan to
set aside a fair amount of time to learn the syntax and procedure for
updating policy. To edit a system's policy requires the administrator to
edit one or more of dozens of configuration files under
/etc/security/selinux/src/policy, then compile and load the new policy
using make.
Users should also be aware that the additional security checks involved
with SELinux may come at the price of a performance impact. The Fedora SELinux
FAQ notes that SELinux decreased performance by 7% for "completely
untuned code" when SELinux was last tested and may have become worse due to
changes made since then. Of course, a 7% drop in system performance is
generally considered preferable to a 100% compromised system.
Administrators considering SELinux should note that it may limit
their choice of filesystems, at least with Fedora's implementation. The
popular ReiserFS in Fedora does not support file labeling, making it
unsuitable for use with SELinux.
This writer also found that the ability to turn enforcement on and off,
using "setenforce" is quite invaluable during SELinux testing. It is
possible to disable logins to a system simply by setting /etc/passwd's
security context incorrectly. For those who don't want to jump into
SELinux with both feet, setting the enforcement policy to "permissive" will
cause the system to print warnings whenever access to an object would have
been denied, but to not restrict any access beyond what the traditional
discretionary controls dictate.
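The permissive-mode workflow just described, and the policy syntax the earlier paragraphs complain about, are easiest to see with the audit messages in hand. The following script is an added example written for this article, not part of Fedora or the SELinux tools: it reads AVC denial records of the kind a permissive system logs, collapses them into the allow rules the TE policy language expects (the same reduction audit2allow performs), and separates out denials that point at a mislabeled file rather than a missing rule. The log lines are constructed, and the expected file types in EXPECTED_TYPES are an assumption to be checked against the policy's own file_contexts.

```python
import re
from collections import defaultdict

# Constructed sample lines in the 2.6-kernel AVC message format; they are not
# taken from the article, and the pids, inodes and paths are made up.
SAMPLE_LOG = """\
audit(1081357584.101:0): avc:  denied  { read } for  pid=2111 exe=/usr/sbin/httpd name=index.html dev=hda3 ino=40211 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1081357584.102:0): avc:  denied  { getattr } for  pid=2111 exe=/usr/sbin/httpd name=index.html dev=hda3 ino=40211 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1081357584.103:0): avc:  denied  { search } for  pid=2111 exe=/usr/sbin/httpd name=public_html dev=hda3 ino=40200 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir
audit(1081357590.250:0): avc:  granted  { setenforce } for  pid=980 exe=/usr/sbin/setenforce scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:security_t tclass=security
audit(1081357601.007:0): avc:  denied  { read } for  pid=1312 exe=/bin/login name=passwd dev=hda3 ino=50012 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:tmp_t tclass=file
Apr  7 12:00:01 host kernel: eth0: link up
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"   # the permissions that were refused
    r".*?scontext=(?P<scontext>\S+)"                # context of the acting process
    r"\s+tcontext=(?P<tcontext>\S+)"                # context of the object it touched
    r"\s+tclass=(?P<tclass>\S+)"                    # object class (file, dir, ...)
)
NAME_RE = re.compile(r"\bname=(?P<name>\S+)")


def context_type(ctx):
    """Return the type field of a user:role:type security context."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Extract every AVC denial; 'granted' records and unrelated lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        n = NAME_RE.search(line)
        denials.append({
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
            "name": n.group("name") if n else None,
        })
    return denials


def aggregate(denials):
    """Merge denials into one permission set per (source type, target type, class)."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return rules


def to_allow_rules(rules):
    """Render the aggregated sets in the TE policy language's 'allow' syntax."""
    out = []
    for (stype, ttype, tclass) in sorted(rules):
        perms = " ".join(sorted(rules[(stype, ttype, tclass)]))
        out.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return out


# Assumed labels for a few system files (an assumption made for this example;
# on a real system check the policy's file_contexts instead).
EXPECTED_TYPES = {"passwd": "etc_t", "shadow": "shadow_t"}


def mislabeled(denials):
    """Denials whose target carries a type the policy never meant it to have.
    These call for relabeling (restorecon), not for a new allow rule."""
    return [d for d in denials
            if d["name"] in EXPECTED_TYPES and d["ttype"] != EXPECTED_TYPES[d["name"]]]


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for rule in to_allow_rules(aggregate(found)):
        print(rule)
    for d in mislabeled(found):
        print(f"# {d['name']} is labeled {d['ttype']}; relabel it rather than widening {d['stype']}")
```

Every emitted rule needs a human decision: the httpd_t rules may be exactly what a site wants for serving files from home directories, while the local_login_t rule would paper over the mislabeled-/etc/passwd situation described above, where the right fix is to restore the label, not to widen the policy.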
For the most part, the end-user experience is, with luck,
largely unchanged. Though some users have reported problems with various
end-user applications not working with SELinux enabled, this writer did not
encounter any problems using FC2 on the desktop or at the shell for normal
work.
Despite its complexity, SELinux shows a great deal of promise for improving
the overall security of Linux systems. It seems likely that the tools for
creating and customizing SELinux will improve over time and make the task
less difficult. Even at the current level of complexity, it would be well
worth an administrator's time to learn and deploy SELinux for systems that
are directly connected to the Internet or other hostile environments.
Comments (11 posted)
Motion in Red Hat v. SCO
After a lengthy period of inactivity, there has finally been a bit of
movement in Red Hat's lawsuit against SCO. The news is mixed.
SCO's motion to dismiss the case was denied; Judge Robinson reached the
reasonable conclusion that Red Hat did, indeed, have reason to fear a
lawsuit from the SCO Group. So the case will go forward; SCO will not be
able to shake it quite so quickly.
This case will not go forward anytime soon, however. Instead, it has been
put on hold until the IBM case is worked out. Both sides have to file
every 90 days giving their view of the state of the IBM case. If that case
looks like it is not going anywhere, the court may restart the Red Hat
case.
For now, however, the Red Hat suit is suspended. Given the speed at which
things have moved in this case to date, it may be hard to tell the
difference. This ruling does, however, free SCO from the need to fight on
this front for now; SCO can concentrate its resources on the IBM, Novell,
DaimlerChrysler, and AutoZone suits. Plus any others that SCO might, in
its wisdom, decide to file. That should be enough to keep the lawyers busy
for a while. (See Groklaw
for more information).
Comments (3 posted)
The User-Accessible Filesystem Hierarchy Standard
The
User-Accessible
Filesystem Hierarchy Standard is a proposed standard which has recently
been put forward for wider review. The problem this standard attempts to
address is: how do users of desktop Linux systems install software for
their personal use without using the root password or hosing the system?
The problem is real enough; as Linux shows up on more desktops, and more
interesting applications become available, people will want to be able to
do their own installations. Anything which can make those installations
easier and safer should encourage desktop Linux adoption. It is not clear
that this proposal will do the trick, however.
The UAFHS states that every user should have a directory (.system)
in their home directory for the installation of personal software. This
directory would have the usual subdirectories: .system/bin,
.system/lib, etc. The placement of software there would contain
it within one subtree and make it easy to find. The standard also suggests
the creation of a .config directory under the home directory and
moving all application configuration files there.
The next problem is that users of a shared system may want to install
software for others to use as well. To that end, the standard says that
/home/shared/.system should be available and writable for all
users. The authors seem to have anticipated one of the possible complaints
with this setup:
An additional concern regarding security is that all users will be
able to easily install programs. This is not a security flaw, and
is in fact a way to strengthen security. All users are already
capable of installing software, it is merely difficult.
The argument here seems to be that, since the root password will not be
required for software installation, the system will be more secure. The
simple fact, however, is that making it easy for unprivileged users to
install programs into the path of other users is not the best way to secure a
system. This sort of mechanism could easily become a favored way of
escalating access to a user account into a full root compromise.
This standard also fails to address the real issue. Unprivileged users who
want to install software are not much concerned about where it is going to
go. They will be far more interested in easy management of installed
software. Mixing packages together into one big directory tree does little
to help somebody who wants to get rid of things in response to the
inevitable "no space left on device" or "quota exceeded" message. This
standard says "put
software over there," but does not concern itself with how users will
actually manage that software.
Making software installation easier is a worthy goal. Part of achieving
that goal can even be the designation of a target directory for
installations. But anybody who wants to concern themselves with making
this aspect of desktop Linux easier really needs to be dealing with the
package management issue. Creating a version of rpm or dpkg which can do
per-user package management could be harder than writing up a proposed
standard, but it would do far more to address the issue at hand.
Comments (22 posted)
Legislative fun worldwide
Linux Australia has published
a lengthy position
paper on the free software implications of the recently negotiated
"free trade agreement" (FTA) with the
United States. This agreement uses the trade treaty approach to bring
American-style anti-circumvention and software patents to Australia. Linux
Australia is now
working to prevent
the adoption of the FTA, and is looking for help. Among other things,
there is
an online
petition to be signed, but the first priority for Australians is
probably to contact their members of Parliament. See
the Linux Australia FTA page for
more information.
Meanwhile, on the European front: there will be a two-day gathering at the
European Parliament in Brussels starting April 14 in an attempt to,
once again, stop the threat of software patents in Europe; see this press release
and the demonstration home page for
details. The European Parliament voted against patents on software, but
the European Commission and Council of Ministers have the last word - and
they are considering a
very different course of action. If Europe is going to avoid the
imposition of U.S.-style software patents, Europeans will have to make
their voices heard.
In the U.S., the House of Representatives is busily addressing our pressing
national problems by considering the Piracy
Deterrence and Education Act (PDEA - available in
PDF format). This act calls for the FBI to
"facilitate the sharing among law enforcement agencies, Internet service
providers, and copyright owners" of information related to file sharing.
The Attorney General's office is to set up an "education program" on "the
value of copyrighted works and the effects of the theft of such works on
those who create them," along with the security risks of file sharing.
Most fun of all, however, is the provision for three-year jail sentences
for anybody convicted of sharing a single file valued (by the copyright
owner) at over $1000. The PDEA has passed the House Judiciary Intellectual
Property Subcommittee; no word on when it may be voted on by the entire
House.
Comments (5 posted)
Page editor: Jonathan Corbet
Security
Security news
Red Hat Linux: the end is near
For those who haven't been paying attention: Red Hat has sent out
a reminder that the end of an era is
approaching. After April 30, Red Hat will no longer produce security
updates for Red Hat Linux 9, the last product in the Red Hat Linux
line. If you have systems running Red Hat Linux, you should be well into
the execution of your migration plan. We have been getting enough mail
asking for articles about Red Hat Linux alternatives, however, that we
suspect many sites have not yet figured out what they are going to do.
For those still in the planning process, here is a quick summary of
alternatives to letting your Red Hat Linux systems go unpatched:
The one option we don't recommend is "do nothing and hope for the best."
Many Red Hat Linux users will find this transition inconvenient and
annoying. But this whole episode demonstrates one of the great strengths
of free software: Red Hat Linux users have several entirely viable
alternatives available to them. Users of proprietary operating systems
tend not to be so lucky.
Comments (13 posted)
Joint Statement about GNU/Linux Security
Debian, Mandrake, Red Hat, and SUSE have joined together to give a common
statement about the Forrester report entitled "Is Linux more Secure than
Windows?":
"Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed."
Full Story (comments: none)
New vulnerabilities
clamav: denial of service
| Package(s): | clamav |
| CVE #(s): | |
| Created: | April 7, 2004 |
| Updated: | April 7, 2004 |
| Description: | The Clam AntiVirus utility through version 0.68 is vulnerable to a denial of service attack. |
Comments (none posted)
fte buffer overflows
| Package(s): | fte |
| CVE #(s): | CAN-2003-0648 |
| Created: | April 5, 2004 |
| Updated: | April 7, 2004 |
| Description: | Steve Kemp and Jaguar discovered a number of buffer overflow vulnerabilities in vfte, a version of the fte editor which runs on the Linux console, found in the package fte-console. This program is setuid root in order to perform certain types of low-level operations on the console. |
Comments (none posted)
heimdal cross-realm vulnerability
| Package(s): | heimdal |
| CVE #(s): | CAN-2004-0371 |
| Created: | April 6, 2004 |
| Updated: | April 9, 2004 |
| Description: | According to a security advisory from the heimdal project: all releases prior to 0.6.1 and 0.5.3 have a cross-realm vulnerability allowing someone with control over a realm to impersonate anyone in the cross-realm trust path. |
Comments (none posted)
interchange missing input sanitizing
| Package(s): | interchange |
| CVE #(s): | CAN-2004-0374 |
| Created: | April 2, 2004 |
| Updated: | April 7, 2004 |
| Description: | A vulnerability was discovered recently in Interchange, an e-commerce and general HTTP database display system. This vulnerability can be exploited by an attacker to expose the content of arbitrary variables. An attacker may learn SQL access information for your Interchange application and use this information to read and manipulate sensitive data. |
Comments (none posted)
racoon: failure to verify signatures
| Package(s): | ipsec-tools racoon |
| CVE #(s): | CAN-2004-0155 |
| Created: | April 7, 2004 |
| Updated: | August 19, 2004 |
| Description: | Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details. |
Comments (none posted)
shar: buffer overflow
| Package(s): | sharutils |
| CVE #(s): | |
| Created: | April 7, 2004 |
| Updated: | April 7, 2004 |
| Description: | The shar utility (as found in the sharutils package through version 4.2.1) suffers from a stack-based buffer overflow vulnerability; see this advisory for details. |
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
| CVE #(s): | CAN-2004-0372 |
| Created: | April 6, 2004 |
| Updated: | April 27, 2006 |
| Description: | Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine. |
Comments (none posted)
Updated vulnerabilities
courier - Remote buffer overflow vulnerabilities
| Package(s): | Courier |
| CVE #(s): | CAN-2004-0224 |
| Created: | March 29, 2004 |
| Updated: | March 31, 2004 |
| Description: | Remote buffer overflow vulnerabilities have been found in Courier-IMAP and Courier MTA. These vulnerabilities may allow the execution of arbitrary code, allowing unauthorized access to a vulnerable system. |
Comments (2 posted)
emil: Buffer overflow and format string vulnerabilities
| Package(s): | emil |
| CVE #(s): | CAN-2004-0152, CAN-2004-0153 |
| Created: | March 25, 2004 |
| Updated: | March 31, 2004 |
| Description: | The emil mail filter utility has buffer overflow and format string vulnerabilities that can be exploited locally and remotely. It may be possible to craft an email that exploits the vulnerability and executes arbitrary code. |
Comments (none posted)
ethereal - multiple vulnerabilities
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
Comments (none posted)
fetchmail may crash on specially crafted message
| Package(s): | fetchmail |
| CVE #(s): | CAN-2003-0792 |
| Created: | October 16, 2003 |
| Updated: | April 8, 2004 |
| Description: | A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash. |
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
Comments (none posted)
iproute: local denial of service
| Package(s): | iproute net-tools |
| CVE #(s): | CAN-2003-0856 |
| Created: | November 25, 2003 |
| Updated: | December 14, 2004 |
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
Comments (none posted)
kdelibs: cookie disclosure
| Package(s): | kdelibs |
| CVE #(s): | CAN-2003-0592 |
| Created: | March 10, 2004 |
| Updated: | August 24, 2004 |
| Description: | kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix. |
Comments (none posted)
kdepim: VCF file information reader vulnerability
| Package(s): | kdepim |
| CVE #(s): | CAN-2003-0988 |
| Created: | January 15, 2004 |
| Updated: | May 26, 2004 |
| Description: | KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue. |
Comments (none posted)
kernel: local root exploit in 2.4.22
| Package(s): | kernel |
| CVE #(s): | CAN-2003-0961 |
| Created: | December 1, 2003 |
| Updated: | April 5, 2004 |
| Description: | A vulnerability was discovered in Linux kernel versions 2.4.22 and earlier. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable. The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article. |
Comments (1 posted)
Linux kernel 2.2.10 failing function and TLB flush vulnerability
| Package(s): | kernel-source-2.2.10 |
| CVE #(s): | CAN-2004-0077 |
| Created: | March 18, 2004 |
| Updated: | June 4, 2004 |
| Description: | A local root exploit is possible due to early flushing of the TLB. |
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: | The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to the packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around for this vulnerability, issue the following command as root: chmod -s /usr/bin/uml_net |
Comments (none posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
| CVE #(s): | CAN-2002-1363 |
| Created: | December 19, 2002 |
| Updated: | July 14, 2004 |
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly, which causes a buffer overrun beyond the beginning of the row buffer. |
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | July 21, 2004 |
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. |
Comments (none posted)
mailman denial of service
| Package(s): | mailman |
| CVE #(s): | CAN-2003-0991 |
| Created: | February 9, 2004 |
| Updated: | May 25, 2004 |
| Description: | Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue. |
Comments (1 posted)
mc: arbitrary code execution
| Package(s): | mc |
| CVE #(s): | CAN-2003-1023 |
| Created: | January 16, 2004 |
| Updated: | April 5, 2004 |
| Description: | A vulnerability was discovered in Midnight Commander, a file manager, whereby a malicious archive (such as a .tar file) could cause arbitrary code to be executed if opened by Midnight Commander. |
Comments (none posted)
metamail: integer and buffer overflows
| Package(s): | metamail |
| CVE #(s): | CAN-2004-0104, CAN-2004-0105 |
| Created: | February 18, 2004 |
| Updated: | May 21, 2004 |
| Description: | Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message. |
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. |
Comments (none posted)
mod_python: denial of service vulnerability
| Package(s): | mod_python |
| CVE #(s): | CAN-2003-0973 |
| Created: | January 27, 2004 |
| Updated: | October 4, 2004 |
| Description: | Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent. The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; because that fix was incomplete, version 2.7.10 has since been released. Users of mod_python 3.0.4 are not affected by this vulnerability. |
Comments (none posted)
monit: buffer overflow and DOS
| Package(s): | monit |
| CVE #(s): | |
| Created: | March 31, 2004 |
| Updated: | April 19, 2004 |
| Description: | The monit system administration program through version 4.1 suffers from remotely exploitable buffer overflow and denial of service vulnerabilities. Two additional vulnerabilities have been found in the HTTP interface of monit, possibly leading to denial of service or execution of arbitrary code. |
Comments (none posted)
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
| CVE #(s): | CAN-2003-0594, CAN-2003-0564 |
| Created: | March 10, 2004 |
| Updated: | August 19, 2004 |
| Description: | Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks. |
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
| CVE #(s): | CAN-2003-0969 |
| Created: | January 6, 2004 |
| Updated: | March 28, 2005 |
| Description: | A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming). |
Comments (none posted)
mplayer: remotely exploitable buffer overflow vulnerability
| Package(s): | mplayer |
| CVE #(s): | CAN-2003-0835 |
| Created: | September 29, 2003 |
| Updated: | April 6, 2004 |
| Description: | A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details. |
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
| CVE #(s): | |
| Created: | May 27, 2003 |
| Updated: | August 12, 2004 |
| Description: | Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or would need to trick a user somehow into running a specially crafted NASL script. Read the full advisory for additional information. |
Comments (none posted)
netpbm: insecure temporary files
| Package(s): | netpbm |
| CVE #(s): | CAN-2003-0924 |
| Created: | January 19, 2004 |
| Updated: | December 29, 2004 |
| Description: | netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool. |
Comments (1 posted)
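This netpbm entry and the xine-ui entry under "New vulnerabilities" describe the same mistake: a temporary file is created under a predictable name, so a local attacker who plants a symlink at that name first gets a file of the victim's choosing overwritten with the victim's privileges. The following is an added example, not code from either package, that reproduces the attack in a throwaway directory and shows two fixes: keeping the fixed name but opening with O_CREAT|O_EXCL, and using tempfile.mkstemp, the Python analogue of mktemp(1) for the shell scripts involved. The file names are constructed for the example.

```python
import os
import tempfile

PREDICTABLE_NAME = "xine-bugreport.txt"   # fixed, guessable name (constructed for the example)


def write_vulnerable(directory, data):
    """open(path, 'w') creates or truncates, and follows whatever symlink is already there."""
    path = os.path.join(directory, PREDICTABLE_NAME)
    with open(path, "w") as f:
        f.write(data)
    return path


def write_excl(directory, data):
    """Same fixed name, but O_CREAT|O_EXCL fails if anything, even a dangling symlink, exists there."""
    path = os.path.join(directory, PREDICTABLE_NAME)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return None                     # refuse rather than write through the attacker's link
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def write_mkstemp(directory, data):
    """Unpredictable name, created atomically with O_EXCL and mode 0600 (what mktemp(1) does)."""
    fd, path = tempfile.mkstemp(prefix="xine-bugreport.", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def run_scenario(writer):
    """The attacker plants a symlink at the predictable path; then the victim program writes.

    Returns (basename of the file the writer produced, or None if it refused,
    contents of the attacker's chosen target afterwards).
    """
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "victim-file")   # a file the victim may write and the attacker may not
        with open(target, "w") as f:
            f.write("original\n")
        os.symlink(target, os.path.join(tmp, PREDICTABLE_NAME))   # the attacker's move
        written = writer(tmp, "bug report\n")
        with open(target) as f:
            after = f.read()
    return (os.path.basename(written) if written else None), after
```

The O_EXCL variant is enough to stop the overwrite but turns the attack into a denial of service (the program can no longer create its file at all), which is why mkstemp's random name is the usual answer; a shell script gets the same property from mktemp.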
oftpd - denial of service
| Package(s): | oftpd |
| CVE #(s): | |
| Created: | March 29, 2004 |
| Updated: | April 5, 2004 |
| Description: | A remotely exploitable overflow exists in oftpd 0.3.6 and earlier, allowing an attacker to crash the oftpd daemon: a PORT command containing a field value higher than 255 causes the server to crash. The PORT command may be issued before any authentication takes place, so the attacker does not need a valid username and password to exploit this vulnerability. |
Comments (1 posted)
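As an added example (not oftpd's code), here is a PORT argument parser and a minimal command dispatcher that close both gaps the description names: every field is checked against the 0..255 range RFC 959 defines before the host and port are assembled, and PORT is refused until the client has logged in. The accepted user, the peer-address check and the reply strings are constructed for this example; the peer-address check is an extra hardening against FTP bounce, not something the advisory mentions.

```python
class PortError(ValueError):
    """Raised for a PORT argument that is not h1,h2,h3,h4,p1,p2 with every field in 0..255."""


def parse_port_argument(arg):
    """Parse the argument of an FTP PORT command (RFC 959 section 4.1.2).

    Returns (host, port). Each of the six fields is validated as an unsigned
    decimal in 0..255 before anything is stored in a byte-sized structure.
    """
    fields = arg.split(",")
    if len(fields) != 6:
        raise PortError("PORT requires six comma-separated fields")
    values = []
    for field in fields:
        if not (field.isascii() and field.isdigit()):
            raise PortError("PORT fields must be unsigned decimal integers")
        value = int(field)
        if value > 255:
            raise PortError(f"PORT field {value} exceeds 255")
        values.append(value)
    host = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    if port == 0:
        raise PortError("PORT with port 0 is not valid")
    return host, port


def port_error(arg):
    """The parser's error message for arg, or None if arg is acceptable."""
    try:
        parse_port_argument(arg)
    except PortError as exc:
        return str(exc)
    return None


class FtpSession:
    """Minimal control-connection state machine: PORT is only honoured after login."""

    ACCEPTED_USERS = {"anonymous"}   # constructed for the example; any password is accepted

    def __init__(self, peer_ip=None):
        self.user = None
        self.authenticated = False
        self.data_addr = None
        self.peer_ip = peer_ip       # if known, PORT must point back at the client

    def handle(self, line):
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self.user = arg
            return "331 Password required"
        if cmd == "PASS":
            if self.user in self.ACCEPTED_USERS:
                self.authenticated = True
                return "230 Login successful"
            return "530 Login incorrect"
        if cmd == "QUIT":
            return "221 Goodbye"
        if not self.authenticated:
            # Everything else, PORT included, is refused before authentication.
            return "530 Please login with USER and PASS"
        if cmd == "PORT":
            try:
                host, port = parse_port_argument(arg)
            except PortError as exc:
                return f"501 {exc}"
            if self.peer_ip is not None and host != self.peer_ip:
                return "500 Illegal PORT: data address must match the control connection"
            self.data_addr = (host, port)
            return "200 PORT command successful"
        return "502 Command not implemented"
```

The two checks are independent: validating the fields removes the crash, and gating PORT behind login removes the pre-authentication exposure the description emphasises, so a server that only had the second would still fall over when a logged-in client sent a bad field.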
openldap: denial of service
| Package(s): | openldap |
| CVE #(s): | |
| Created: | March 31, 2004 |
| Updated: | March 31, 2004 |
| Description: | Versions of the OpenLDAP server through 2.1.12 suffer from a remotely exploitable denial of service vulnerability; some more information can be found in the OpenLDAP bug tracker. |
Comments (none posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2003-0190 |
| Created: | May 2, 2003 |
| Updated: | November 30, 2004 |
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." |
Comments (1 posted)
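The advisory quoted above gives the effect (valid users can be told apart by response time) but not the mechanism, so here is a constructed illustration of the class, written for this article and not taken from OpenSSH or the advisory. The vulnerable authenticator rejects unknown users before doing the expensive password hash, so a probe for a nonexistent account returns measurably faster; the hardened one hashes against a dummy record so that both paths cost the same. The user database, salt, iteration count and threshold are all constructed for the example.

```python
import hashlib
import hmac
import time

ITERATIONS = 20_000            # slow enough that one hash costs milliseconds
SALT = b"constructed-salt"     # one shared salt keeps the example short; real systems salt per user


def slow_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


# Constructed account database with a single real user.
USERS = {"alice": slow_hash("correct horse battery")}


def login_vulnerable(user, password):
    """Unknown users are rejected before the hash is computed: the early return
    is what a remote attacker can time."""
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(slow_hash(password), stored)


DUMMY_HASH = slow_hash("not a real password")


def login_hardened(user, password):
    """Do the same work on both paths and decide only at the end."""
    stored = USERS.get(user, DUMMY_HASH)
    ok = hmac.compare_digest(slow_hash(password), stored)
    return ok and user in USERS


def best_of(fn, user, password, rounds=5):
    """Minimum wall-clock time over several calls; the minimum is the least noisy estimate."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        fn(user, password)
        best = min(best, time.perf_counter() - start)
    return max(best, 1e-9)


def timing_ratio(fn, known_user="alice", unknown_user="mallory"):
    """How much longer a probe of a real account takes than a probe of a nonexistent one."""
    return best_of(fn, known_user, "wrong") / best_of(fn, unknown_user, "wrong")


def enumerate_accounts(fn, candidates, threshold=5.0):
    """The attacker's side: any name that costs far more than the cheapest probe exists."""
    timings = {name: best_of(fn, name, "wrong") for name in candidates}
    floor = min(timings.values())
    return sorted(name for name, t in timings.items() if t > threshold * floor)
```

Against login_vulnerable the ratio is in the thousands and enumerate_accounts picks "alice" out of a list of guesses; against login_hardened it stays near 1 and nothing is returned. The lesson generalises beyond PAM: whichever step is expensive (a hash, a database round trip, a key lookup) must be performed for unknown and known principals alike, and the comparison of the result must itself be constant-time, which is why hmac.compare_digest is used rather than ==.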
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
pam-pgsql - missing input sanitizing
| Package(s): | pam-pgsql |
| CVE #(s): | CAN-2004-0366 |
| Created: | March 29, 2004 |
| Updated: | March 31, 2004 |
| Description: | Primoz Bratanic discovered a bug in libpam-pgsql, a PAM module to authenticate using a PostgreSQL database. The library does not escape all user-supplied data that is sent to the database. An attacker could exploit this bug to insert SQL statements. |
Comments (none posted)
perl information leak
Package(s): perl
CVE #(s): CAN-2003-0618
Created: February 2, 2004
Updated: April 21, 2004
Description:
Paul Szabo discovered a number of bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users.
Alerts:
Comments (none posted)
postfix: denial of service vulnerabilities
Package(s): postfix
CVE #(s): CAN-2003-0468, CAN-2003-0540
Created: August 5, 2003
Updated: May 27, 2004
Description:
The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Comments (none posted)
PWLib: possible Denial of Service
Package(s): PWLib
CVE #(s): CAN-2004-0097
Created: February 13, 2004
Updated: April 9, 2004
Description:
PWLib is a cross-platform class library designed to support the OpenH323 project. OpenH323 provides an implementation of the ITU H.323 teleconferencing protocol, used by packages such as Gnome Meeting.
A test suite for the H.225 protocol (part of the H.323 family) provided by the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker could trigger these bugs by sending carefully crafted messages to an application. The effects of such an attack can vary depending on the application, but would usually result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0097 to this issue.
Alerts:
Comments (none posted)
python: buffer overflow
Package(s): python
CVE #(s): CAN-2004-0150
Created: March 10, 2004
Updated: October 11, 2004
Description:
Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Comments (none posted)
samba privilege escalation
Package(s): samba
CVE #(s): CAN-2004-0186
Created: March 15, 2004
Updated: April 20, 2004
Description:
Samba, a LanManager-like file and printer server for Unix, was found to contain a vulnerability whereby a local user could use the "smbmnt" utility, which is setuid root, to mount a file share from a remote server which contained setuid programs under the control of the user. These programs could then be executed to gain privileges on the local system.
Alerts:
Comments (none posted)
squid - vulnerability in URL decoding
Package(s): squid
CVE #(s): CAN-2004-0189
Created: March 29, 2004
Updated: April 20, 2004
Description:
A bug was found in the processing of %-encoded characters in a URL in versions of Squid 2.5.STABLE4 and earlier. If a Squid configuration uses Access Control Lists (ACLs), a remote attacker could create URLs that would not be correctly tested against Squid's ACLs, potentially allowing clients to access prohibited URLs.
Alerts:
Comments (none posted)
sysstat: temporary file vulnerability
Package(s): sysstat
CVE #(s): CAN-2004-0107, CAN-2004-0108
Created: March 10, 2004
Updated: October 4, 2004
Description:
The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:
Comments (none posted)
File overwrite vulnerability in tar and unzip
Package(s): tar, unzip
CVE #(s): CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399
Created: October 1, 2002
Updated: April 9, 2006
Description:
The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Comments (1 posted)
tcpdump: flaws in the ISAKMP decoding routines
Package(s): tcpdump
CVE #(s): CAN-2003-0989, CAN-2004-0057, CAN-2004-0055
Created: January 15, 2004
Updated: April 6, 2004
Description:
George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.
Jonathan Heusser discovered two additional flaws in the ISAKMP decoding routines of tcpdump versions up to and including 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to this issue.
Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0055 to this issue.
Remote attackers could potentially exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these packets could result in a denial of service, or possibly execute arbitrary code as the 'pcap' user.
Alerts:
Comments (none posted)
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
Package(s): tcpdump
CVE #(s): CAN-2004-0183, CAN-2004-0184
Created: March 30, 2004
Updated: September 30, 2004
Description:
TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
Alerts:
Comments (none posted)
Multiple vendor telnetd vulnerability
Package(s): telnet, Telnet, netkit-telnet-ssl, kerberos, telnetd, netkit-telnet, nkitb/nkitserv/telnetd, krb5
CVE #(s):
Created: May 20, 2002
Updated: October 5, 2004
Description:
This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Comments (none posted)
util-linux: information leak in the login program
Package(s): util-linux
CVE #(s): CAN-2004-0080
Created: February 3, 2004
Updated: April 8, 2004
Description:
The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function.
In some situations, the login program could use a pointer that had been freed and reallocated. This could cause unintentional data leakage.
Alerts: