LWN.net Weekly Edition for April 8, 2004

The first X.Org release

The X.Org Foundation has announced the release of X11R6.7. This is, in some sense, a relatively minor release from X.Org with little in the way of new features (see the release notes for the details). It is, however, a milestone in the development of the X Window System, and worthy of note.

Readers of LWN will be familiar with the tensions which have stressed the XFree86 project over the last year. There have long been disagreements over how the development of X should be managed, and core developers have been leaving the project for some time. The issue came to a head with the adoption of the XFree86 1.1 license, which is widely seen as being incompatible with the GPL. That move led to the formation of the X.org Foundation under the umbrella of FreeDesktop.org. It also led to many distributors saying that they would not incorporate the XFree86 4.4 release.

The X11R6.7 release is the first official release from X.Org, though some distributions (e.g. Fedora Core 2 Test 2) have incorporated pre-release versions from the Foundation. It is intended to be a transitional release, a way for distributors to move over to the new code base. As such, it deliberately does not include much in the way of radical new changes. There will be a couple more X11R6.x releases this year which will add more new stuff.

The real plan for the future, however, is to split the X release into a number of components, including the server, client libraries, and applications. This split will allow each part of the system to progress at its own pace; it will be possible to release support for the latest graphics hardware without dragging along all of the applications as well. The X hackers have all kinds of schemes for reworking the server and the X protocol to better support modern 3D hardware and to get Linux, finally, out of its old, two-dimensional world.

Conventional wisdom says that forks in free software projects are a bad thing. But one of the valuable aspects of free software is that it can be forked. The X fork looks like a necessary one; with luck it will lead to a reinvigorated development process and good things for the future Linux desktop.

First SELinux impressions

April 7, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

With the recent release of the second Fedora Core 2 test, many users are getting their first exposure to Security Enhanced Linux (SELinux). We decided to take a look at SELinux in Fedora Core to give readers a taste of what's to come.

SELinux introduces new layers of security, enforced by the kernel, in addition to the standard Discretionary Access Control (DAC) model that Linux users are already familiar with. The DAC model applies security based only on a user's identity and the permissions associated with files and processes. SELinux adds Mandatory Access Control (MAC) over processes and files based on a policy set by the administrator, rather than based solely on user or process identity.

SELinux also provides Type Enforcement (TE) for files and devices, otherwise known as "objects," and Role-Based Access Control (RBAC) for users and processes. TE in conjunction with RBAC provides the ability to set policies based on the type of object, rather than its DAC permissions. The practical upshot of this is that a user or process must not only have the appropriate DAC permissions to access an object, but also must meet the RBAC requirements to access an object.

It's important to note that SELinux does not do away with the standard DAC model. For example, if a normal user attempts to execute a file owned by root with the mode 500, they will be denied the ability to do so without SELinux features coming into play. However, SELinux goes beyond that level of control. For example, an administrator can set policy that prevents a user from granting access to files to other users even if that user owns the file.

To paraphrase Spider Man's tagline, with great power comes great complexity. Getting up to speed with SELinux tools and policy will take some time. While SELinux gives an administrator a greatly enhanced security toolbox, it also complicates the job of administrating a system. The integration of SELinux adds a number of new programs and configuration files for the administrator to familiarize themselves with, as well as adding new options to familiar programs like ps and ls. It is safe to say that the syntax for SELinux's policy configuration files is less than user-friendly.

Administrators who plan to tweak the SELinux policy settings should plan to set aside a fair amount of time to learn the syntax and procedure for updating policy. To edit a system's policy requires the administrator to edit one or more of dozens of configuration files under /etc/security/selinux/src/policy, then compile and load the new policy using make.

Users should also be aware that the additional security checks involved with SELinux may come at the price of a performance impact. The Fedora SELinux FAQ notes that SELinux decreased performance by 7% for "completely untuned code" when SELinux was last tested and may have become worse due to changes made since then. Of course, a 7% drop in system performance is generally considered preferable to a 100% compromised system.

Administrators considering SELinux should note that it may limit their choice of filesystems, at least with Fedora's implementation. The popular ReiserFS in Fedora does not support file labeling, making it unsuitable for use with SELinux. This writer also found that the ability to turn enforcement on and off, using "setenforce", is quite invaluable during SELinux testing. It is possible to disable logins to a system simply by setting /etc/passwd's security context incorrectly. For those who don't want to jump into SELinux with both feet, setting the enforcement policy to "permissive" will cause the system to print warnings whenever access to an object would have been denied, but to not restrict any access beyond what the traditional discretionary controls dictate.
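The layering the article describes (DAC is checked first, Type Enforcement is consulted only after DAC passes, and permissive mode logs a would-be denial instead of enforcing it) can be seen in a small simulation. This is an added example, not code from the article or from SELinux itself: the policy syntax imitates SELinux "allow" rules, but the parser, the domain and type names, and the mislabelled /etc/passwd scenario are all constructed for illustration.

```python
"""Minimal model of how SELinux layers Type Enforcement (TE) over DAC.

Constructed example: the rule syntax mimics SELinux 'allow' statements,
but the evaluator is a teaching simulation, not the kernel's AVC.
"""
import re
from dataclasses import dataclass, field

# allow <source domain> <target type>:<class> { perm perm ... };
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{\s*([\w\s]+?)\s*\}\s*;")


def parse_policy(text):
    """Turn allow rules into a set of (domain, type, class, permission) tuples."""
    rules = set()
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        for perm in perms.split():
            rules.add((src, tgt, cls, perm))
    return rules


@dataclass
class File:
    owner_uid: int
    mode: int          # traditional permission bits, e.g. 0o644
    type_label: str    # the type component of the file's security context


@dataclass
class Process:
    uid: int
    domain: str        # the SELinux domain the process runs in


@dataclass
class Kernel:
    rules: set
    enforcing: bool = True              # what setenforce 1 / 0 would toggle
    audit_log: list = field(default_factory=list)

    def dac_allows(self, proc, f, perm):
        """Discretionary check on mode bits. Simplified: no group bits, and
        root bypasses mode bits entirely (as CAP_DAC_OVERRIDE would)."""
        if proc.uid == 0:
            return True
        bit = {"read": 4, "write": 2, "execute": 1}[perm]
        shift = 6 if proc.uid == f.owner_uid else 0   # owner bits vs. "other" bits
        return bool((f.mode >> shift) & bit)

    def te_allows(self, proc, f, perm):
        """Type Enforcement: identity is irrelevant, only domain -> type rules count."""
        return (proc.domain, f.type_label, "file", perm) in self.rules

    def access(self, proc, f, perm):
        """DAC first; a DAC denial never reaches the MAC layer. A TE denial
        is enforced only in enforcing mode; permissive mode logs and allows."""
        if not self.dac_allows(proc, f, perm):
            return False
        if self.te_allows(proc, f, perm):
            return True
        mode = "enforcing" if self.enforcing else "permissive"
        self.audit_log.append(
            f"avc: denied {{ {perm} }} scontext={proc.domain} "
            f"tcontext={f.type_label} tclass=file ({mode})"
        )
        return not self.enforcing


# Constructed sample policy in SELinux-like syntax (not a real Fedora policy).
POLICY = """
allow user_t user_home_t:file { read write execute };
allow user_t etc_t:file { read };
allow login_t etc_t:file { read };
"""


def demo():
    """Replay the article's two scenarios: DAC denying a mode-500 root file,
    and a mislabelled /etc/passwd locking out login in enforcing mode only."""
    rules = parse_policy(POLICY)
    alice = Process(uid=1000, domain="user_t")
    login = Process(uid=0, domain="login_t")          # root, but still confined by TE
    root_tool = File(owner_uid=0, mode=0o500, type_label="bin_t")
    passwd_ok = File(owner_uid=0, mode=0o644, type_label="etc_t")
    passwd_bad = File(owner_uid=0, mode=0o644, type_label="tmp_t")   # wrong context

    enforcing = Kernel(rules, enforcing=True)
    permissive = Kernel(rules, enforcing=False)
    return {
        "dac_denies_mode_500": enforcing.access(alice, root_tool, "execute"),
        "login_reads_passwd": enforcing.access(login, passwd_ok, "read"),
        "mislabelled_passwd_enforcing": enforcing.access(login, passwd_bad, "read"),
        "mislabelled_passwd_permissive": permissive.access(login, passwd_bad, "read"),
        "enforcing_audit_entries": len(enforcing.audit_log),
        "permissive_audit_entries": len(permissive.audit_log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both kernels record the same audit line for the mislabelled file; only the enforcing one turns it into a refusal, which is why the article recommends permissive mode while a policy is being tested.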

For the most part, the end-user experience is, with luck, largely unchanged. Though some users have reported problems with various end-user applications not working with SELinux enabled, this writer did not encounter any problems using FC2 on the desktop or at the shell for normal work.

Despite its complexity, SELinux shows a great deal of promise for improving the overall security of Linux systems. It seems likely that the tools for creating and customizing SELinux will improve over time and make the task less difficult. Even at the current level of complexity, it would be well worth an administrator's time to learn and deploy SELinux for systems that are directly connected to the Internet or other hostile environments.

Motion in Red Hat v. SCO

After a lengthy period of inactivity, there has finally been a bit of movement in Red Hat's lawsuit against SCO. The news is mixed.

SCO's motion to dismiss the case was denied; Judge Robinson reached the reasonable conclusion that Red Hat did, indeed, have reason to fear a lawsuit from the SCO Group. So the case will go forward; SCO will not be able to shake it quite so quickly.

This case will not go forward anytime soon, however. Instead, it has been put on hold until the IBM case is worked out. Both sides have to file every 90 days giving their view of the state of the IBM case. If that case looks like it is not going anywhere, the court may restart the Red Hat case.

For now, however, the Red Hat suit is suspended. Given the speed at which things have moved in this case to date, it may be hard to tell the difference. This ruling does, however, free SCO from the need to fight on this front for now; SCO can concentrate its resources on the IBM, Novell, DaimlerChrysler, and AutoZone suits. Plus any others that SCO might, in its wisdom, decide to file. That should be enough to keep the lawyers busy for a while. (See Groklaw for more information).

The User-Accessible Filesystem Hierarchy Standard

The User-Accessible Filesystem Hierarchy Standard is a proposed standard which has recently been put forward for wider review. The problem this standard attempts to address is: how do users of desktop Linux systems install software for their personal use without using the root password or hosing the system? The problem is real enough; as Linux shows up on more desktops, and more interesting applications become available, people will want to be able to do their own installations. Anything which can make those installations easier and safer should encourage desktop Linux adoption. It is not clear that this proposal will do the trick, however.

The UAFHS states that every user should have a directory (.system) in their home directory for the installation of personal software. This directory would have the usual subdirectories: .system/bin, .system/lib, etc. The placement of software there would contain it within one subtree and make it easy to find. The standard also suggests the creation of a .config directory under the home directory and moving all application configuration files there.

The next problem is that users of a shared system may want to install software for others to use as well. To that end, the standard says that /home/shared/.system should be available and writable for all users. The authors seem to have anticipated one of the possible complaints with this setup:

An additional concern regarding security is that all users will be able to easily install programs. This is not a security flaw, and is in fact a way to strengthen security. All users are already capable of installing software, it is merely difficult.

The argument here seems to be that, since the root password will not be required for software installation, the system will be more secure. The simple fact, however, is that making it easy for unprivileged users to install programs into the path of other users is not the best way to secure a system. This sort of mechanism could easily become a favored way of escalating access to a user account into a full root compromise.

This standard also fails to address the real issue. Unprivileged users who want to install software are not much concerned about where it is going to go. They will be far more interested in easy management of installed software. Mixing packages together into one big directory tree does little to help somebody who wants to get rid of things in response to the inevitable "no space left on device" or "quota exceeded" message. This standard says "put software over there," but does not concern itself with how users will actually manage that software.

Making software installation easier is a worthy goal. Part of achieving that goal can even be the designation of a target directory for installations. But anybody who wants to concern themselves with making this aspect of desktop Linux easier really needs to be dealing with the package management issue. Creating a version of rpm or dpkg which can do per-user package management could be harder than writing up a proposed standard, but it would do far more to address the issue at hand.

Legislative fun worldwide

Linux Australia has published a lengthy position paper on the free software implications of the recently negotiated "free trade agreement" (FTA) with the United States. This agreement uses the trade treaty approach to bring American-style anti-circumvention and software patents to Australia. Linux Australia is now working to prevent the adoption of the FTA, and is looking for help. Among other things, there is an online petition to be signed, but the first priority for Australians is probably to contact their members of Parliament. See the Linux Australia FTA page for more information.

Meanwhile, on the European front: there will be a two-day gathering at the European Parliament in Brussels starting April 14 in an attempt to, once again, stop the threat of software patents in Europe; see this press release and the demonstration home page for details. The European Parliament voted against patents on software, but the European Commission and Council of Ministers have the last word - and they are considering a very different course of action. If Europe is going to avoid the imposition of U.S.-style software patents, Europeans will have to make their voices heard.

In the U.S., the House of Representatives is busily addressing our pressing national problems by considering the Piracy Deterrence and Education Act (PDEA - available in PDF format). This act calls for the FBI to "facilitate the sharing among law enforcement agencies, Internet service providers, and copyright owners" of information related to file sharing. The Attorney General's office is to set up an "education program" on "the value of copyrighted works and the effects of the theft of such works on those who create them," along with the security risks of file sharing. Most fun of all, however, is the provision for three-year jail sentences for anybody convicted of sharing a single file valued (by the copyright owner) at over $1000. The PDEA has passed the House Judiciary Intellectual Property Subcommittee; no word on when it may be voted on by the entire House.

Page editor: Jonathan Corbet

Security

Security news

Red Hat Linux: the end is near

For those who haven't been paying attention: Red Hat has sent out a reminder that the end of an era is approaching. After April 30, Red Hat will no longer produce security updates for Red Hat Linux 9, the last product in the Red Hat Linux line. If you have systems running Red Hat Linux, you should be well into the execution of your migration plan. We have been getting enough mail asking for articles about Red Hat Linux alternatives, however, that we suspect many sites have not yet figured out what they are going to do.

For those still in the planning process, here is a quick summary of alternatives to letting your Red Hat Linux systems go unpatched:

  • Get Red Hat Linux security updates from elsewhere. The Fedora Legacy Project has been issuing updates for Red Hat Linux 7.2, 7.3, and 8; updates for Red Hat Linux 9 should start coming out once Red Hat ceases support. Fedora Legacy updates are free and, so far, have been reliable, but its users are depending on a volunteer project for updates into the future.

    A commercial alternative is the Progeny Transition Service which, for a small monthly fee, will provide updates through at least the end of 2005.

  • Switch to a Red Hat Enterprise product. These products offer high-quality support for years into the future, but the price tag is relatively steep. See the Red Hat Enterprise Linux page for more information.

  • Switch to an RHEL knockoff distribution. Distributions like White Box Enterprise Linux and cAos Linux use the RHEL packages and do their best to provide the RHEL feel and support. These distributions are small and unproven, however, and, to some people, they push the "free rider" approach a little too far.

  • Switch to Fedora. Fedora Core is the successor to Red Hat Linux, and will be familiar to Red Hat administrators. It is also Red Hat's testing and development ground for features intended for eventual inclusion in RHEL. Fedora Core 1 was a reasonably solid release; Fedora Core 2 may be somewhat more challenging. Note that Fedora has a different security update policy than Red Hat Linux did: affected packages are updated to the latest version, rather than having the specific fix backported. Updates for specific Fedora Core releases should be available for extended periods of time through the Fedora Legacy Project.

  • Switch to another distribution entirely. SUSE or Mandrake Linux would be the most obvious (least disruptive) choices for Red Hat Linux refugees, but many other distributions are available.

The one option we don't recommend is "do nothing and hope for the best."

Many Red Hat Linux users will find this transition inconvenient and annoying. But this whole episode demonstrates one of the great strengths of free software: Red Hat Linux users have several entirely viable alternatives available to them. Users of proprietary operating systems tend not to be so lucky.

Joint Statement about GNU/Linux Security

Debian, Mandrake, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled "Is Linux more Secure than Windows?". "Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities as equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed."

New vulnerabilities

clamav: denial of service

Package(s):clamav CVE #(s):
Created:April 7, 2004 Updated:April 7, 2004
Description: The Clam AntiVirus utility through version 0.68 is vulnerable to a denial of service attack.
Alerts:
Gentoo 200404-07 2004-04-07

fte buffer overflows

Package(s):fte CVE #(s):CAN-2003-0648
Created:April 5, 2004 Updated:April 7, 2004
Description: Steve Kemp and Jaguar discovered a number of buffer overflow vulnerabilities in vfte, a version of the fte editor which runs on the Linux console, found in the package fte-console. This program is setuid root in order to perform certain types of low-level operations on the console.
Alerts:
Debian DSA-472-1 2004-04-03

heimdal cross-realm vulnerability

Package(s):heimdal CVE #(s):CAN-2004-0371
Created:April 6, 2004 Updated:April 9, 2004
Description: According to a security advisory from the heimdal project: All releases prior to 0.6.1 and 0.5.3 have a cross-realm vulnerability allowing someone with control over a realm to impersonate anyone in the cross-realm trust path.
Alerts:
Gentoo 200404-09 2004-04-09
Debian DSA-476-1 2004-04-06

interchange missing input sanitizing

Package(s):interchange CVE #(s):CAN-2004-0374
Created:April 2, 2004 Updated:April 7, 2004
Description: A vulnerability was discovered recently in Interchange, an e-commerce and general HTTP database display system. This vulnerability can be exploited by an attacker to expose the content of arbitrary variables. An attacker may learn SQL access information for your Interchange application and use this information to read and manipulate sensitive data.
Alerts:
Debian DSA-471-1 2004-04-02

racoon: failure to verify signatures

Package(s):ipsec-tools racoon CVE #(s):CAN-2004-0155
Created:April 7, 2004 Updated:August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
Alerts:
Whitebox WBSA-2004:308-01 2004-08-19
Mandrake MDKSA-2004:027 2004-04-08
Gentoo 200404-05 2004-04-07

shar: buffer overflow

Package(s):sharutils CVE #(s):
Created:April 7, 2004 Updated:April 7, 2004
Description: The shar utility (as found in the sharutils package through version 4.2.1) suffers from a stack-based buffer overflow vulnerability; see this advisory for details.
Alerts:
OpenPKG OpenPKG-SA-2004.011 2004-04-07

xine-ui - insecure temporary file creation

Package(s):xine-ui CVE #(s):CAN-2004-0372
Created:April 6, 2004 Updated:April 27, 2006
Description: Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:
Gentoo 200404-20 2004-04-27
Slackware SSA:2004-111-01 2004-04-20
Mandrake MDKSA-2004:033 2004-04-19
Debian DSA-477-1 2004-04-06

Updated vulnerabilities

courier - Remote buffer overflow vulnerabilities

Package(s):Courier CVE #(s):CAN-2004-0224
Created:March 29, 2004 Updated:March 31, 2004
Description: Remote buffer overflow vulnerabilities have been found in Courier-IMAP and Courier MTA. These exploits may allow the execution of arbitrary code, allowing unauthorized access to a vulnerable system.
Alerts:
Gentoo 200403-06 2004-03-26

emil: Buffer overflow and format string vulnerabilities

Package(s):emil CVE #(s):CAN-2004-0152 CAN-2004-0153
Created:March 25, 2004 Updated:March 31, 2004
Description: The emil mail filter utility has buffer overflow and format string vulnerabilities that can be exploited locally and remotely. It may be possible to craft an email that exploits the vulnerability and executes arbitrary code.
Alerts:
Debian DSA-468-1 2004-03-24

ethereal - multiple vulnerabilities

Package(s):ethereal CVE #(s):CAN-2004-0176 CAN-2004-0365 CAN-2004-0367
Created:March 29, 2004 Updated:June 2, 2004
Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.3. More information can be found in this advisory from ethereal.com and in this Eye on Security advisory.
Alerts:
Debian DSA-511-1 2004-05-30
OpenPKG OpenPKG-SA-2004.015 2004-04-16
Red Hat RHSA-2004:137-01 2004-03-31
Mandrake MDKSA-2004:024 2004-03-30
Conectiva CLA-2004:835 2004-03-31
Red Hat RHSA-2004:136-01 2004-03-30
Netwosix NW-2004-0007 2004-03-29
Gentoo 200403-07 2004-03-28

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

fetchmail may crash on specially crafted message

Package(s):fetchmail CVE #(s):CAN-2003-0792
Created:October 16, 2003 Updated:April 8, 2004
Description: A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash.
Alerts:
OpenPKG OpenPKG-SA-2004.012 2004-04-08
Gentoo 200403-10 2004-03-30
Netwosix NW-2004-0002 2004-02-20
SCO Group CSSA-2004-004.0 2004-02-19
Slackware SSA:2003-300-02 2003-10-22
Mandrake MDKSA-2003:101 2003-10-16

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

kdelibs: cookie disclosure

Package(s):kdelibs CVE #(s):CAN-2003-0592
Created:March 10, 2004 Updated:August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
Alerts:
Gentoo 200408-23 2004-08-24
Red Hat RHSA-2004:074-01 2004-03-10
Red Hat RHSA-2004:075-01 2004-03-10
Mandrake MDKSA-2004:022 2004-03-10
Debian DSA-459-1 2004-03-10

kdepim: VCF file information reader vulnerability

Package(s):kdepim CVE #(s):CAN-2003-0988
Created:January 15, 2004 Updated:May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
Alerts:
Fedora FEDORA-2004-133 2004-05-19
Gentoo 200404-02 2004-04-06
Whitebox WBSA-2004:005-01 2004-02-12
Conectiva CLA-2004:810 2004-01-20
Slackware SSA:2004-014-01 2004-01-14
Mandrake MDKSA-2004:003 2004-01-14
Red Hat RHSA-2004:006-01 2004-01-07

kernel: local root exploit in 2.4.22

Package(s):kernel CVE #(s):CAN-2003-0961
Created:December 1, 2003 Updated:April 5, 2004
Description: A vulnerability was discovered in the Linux kernel versions 2.4.22 and previous. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable.

The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article.

Alerts:
Debian DSA-475-1 2004-04-05
Debian DSA-470-1 2004-04-01
Debian DSA-442-1 2004-02-19
Debian DSA-433-1 2004-02-04
Debian DSA-423-1 2004-01-15
Red Hat RHSA-2003:368-01 2003-12-19
Conectiva CLA-2003:796 2003-12-05
Gentoo 200312-02 2003-12-04
SuSE SuSE-SA:2003:049 2003-12-04
Yellow Dog YDU-20031203-1 2003-12-03
Red Hat RHSA-2003:389-01 2003-12-01
Fedora FEDORA-2003-026 2003-12-02
Slackware SSA:2003-336-01 2003-12-01
Red Hat RHSA-2003:392-00 2003-12-01
Trustix 2003-0046 2003-12-01
Mandrake MDKSA-2003:110 2003-12-01
Debian DSA-403-1 2003-12-01

Linux kernel 2.2.10 failing function and TLB flush vulnerability

Package(s):kernel-source-2.2.10 CVE #(s):CAN-2004-0077
Created:March 18, 2004 Updated:June 4, 2004
Description: A local root exploit is possible due to early flushing of the TLB.
Alerts:
Debian DSA-514-1 2004-06-04
Debian DSA-466-1 2004-03-18

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:July 21, 2004
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

mailman denial of service

Package(s):mailman CVE #(s):CAN-2003-0991
Created:February 9, 2004 Updated:May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue.
Alerts:
Conectiva CLA-2004:842 2004-05-25
Red Hat RHSA-2004:156-01 2004-04-14
Mandrake MDKSA-2004:013 2004-02-13
Red Hat RHSA-2004:019-01 2004-02-09

mc: arbitrary code execution

Package(s):mc CVE #(s):CAN-2003-1023
Created:January 16, 2004 Updated:April 5, 2004
Description: A vulnerability was discovered in Midnight Commander, a file manager, whereby a malicious archive (such as a .tar file) could cause arbitrary code to be executed if opened by Midnight Commander.
Alerts:
OpenPKG OpenPKG-SA-2004.009 2004-04-05
Gentoo 200403-09 2004-03-29
Conectiva CLA-2004:833 2004-03-31
SCO Group CSSA-2004-014.0 2004-03-25
Whitebox WBSA-2004:035-01 2004-02-12
Fedora FEDORA-2004-058 2004-02-09
Red Hat RHSA-2004:035-01 2004-01-19
Mandrake MDKSA-2004:007 2004-01-26
Red Hat RHSA-2004:034-01 2004-01-19
Debian DSA-424-1 2004-01-16

metamail: integer and buffer overflows

Package(s):metamail CVE #(s):CAN-2004-0104 CAN-2004-0105
Created:February 18, 2004 Updated:May 21, 2004
Description: Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message.
Alerts:
Gentoo 200405-17 2004-05-21
Debian DSA-449-1 2004-02-24
Mandrake MDKSA-2004:014 2004-02-18
Slackware SSA:2004-049-02 2004-02-18
Red Hat RHSA-2004:073-01 2004-02-18

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

mod_python: denial of service vulnerability

Package(s): mod_python  CVE #(s): CAN-2003-0973
Created: January 27, 2004  Updated: October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because that release did not fully fix it, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

monit: buffer overflow and DOS

Package(s): monit  CVE #(s):
Created: March 31, 2004  Updated: April 19, 2004
Description: The monit system administration program through version 4.1 suffers from remotely exploitable buffer overflow and denial of service vulnerabilities.

Two additional vulnerabilities have been found in the HTTP interface of monit, possibly leading to denial of service or execution of arbitrary code.

Alerts:
Gentoo 200404-16 2004-04-19
Netwosix NW-2004-0008 2004-04-06
Gentoo 200403-14 2004-03-31

mozilla: multiple vulnerabilities

Package(s): mozilla  CVE #(s): CAN-2003-0594 CAN-2003-0564
Created: March 10, 2004  Updated: August 19, 2004
Description: Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
Alerts:
Whitebox WBSA-2004:421-01 2004-08-19
Whitebox WBSA-2004:110-01 2004-03-29
Red Hat RHSA-2004:112-01 2004-03-17
Mandrake MDKSA-2004:021 2004-03-10

mpg321: format string vulnerability

Package(s): mpg321  CVE #(s): CAN-2003-0969
Created: January 6, 2004  Updated: March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

mplayer: remotely exploitable buffer overflow vulnerability

Package(s): mplayer  CVE #(s): CAN-2003-0835
Created: September 29, 2003  Updated: April 6, 2004
Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. Read the full advisory for details.
Alerts:
Mandrake MDKSA-2004:026 2004-04-05
Gentoo 200403-13 2004-03-31
Conectiva CLA-2003:760 2003-10-06
Mandrake MDKSA-2003:097 2003-09-30
Gentoo 200309-15 2003-09-27

nessus: NASL scripting engine security issues

Package(s): nessus  CVE #(s):
Created: May 27, 2003  Updated: August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to somehow trick a user into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

netpbm: insecure temporary files

Package(s): netpbm  CVE #(s): CAN-2003-0924
Created: January 19, 2004  Updated: December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

oftpd: denial of service

Package(s): oftpd  CVE #(s):
Created: March 29, 2004  Updated: April 5, 2004
Description: A remotely-exploitable overflow exists in versions of oftpd 0.3.6 and earlier, allowing an attacker to crash the oftpd daemon. Issuing a port command with a number higher than 255 causes the server to crash. The port command may be issued before any authentication takes place, meaning the attacker does not need to know a valid username and password in order to exploit this vulnerability.
Alerts:
Debian DSA-473-1 2004-04-03
Gentoo 200403-08 2004-03-29

openldap: denial of service

Package(s): openldap  CVE #(s):
Created: March 31, 2004  Updated: March 31, 2004
Description: Versions of the OpenLDAP server through 2.1.12 suffer from a remotely exploitable denial of service vulnerability; some more information can be found in the OpenLDAP bug tracker.
Alerts:
Gentoo 200403-12 2004-03-31

openssh: timing attack leads to information disclosure

Package(s): openssh  CVE #(s): CAN-2003-0190
Created: May 2, 2003  Updated: November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

OpenSSL: denial of service vulnerabilities

Package(s): OpenSSL  CVE #(s): CAN-2004-0081 CAN-2003-0851
Created: March 17, 2004  Updated: November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

pam-pgsql: missing input sanitizing

Package(s): pam-pgsql  CVE #(s): CAN-2004-0366
Created: March 29, 2004  Updated: March 31, 2004
Description: Primoz Bratanic discovered a bug in libpam-pgsql, a PAM module to authenticate using a PostgreSQL database. The library does not escape all user-supplied data that is sent to the database. An attacker could exploit this bug to insert SQL statements.
Alerts:
Debian DSA-469-1 2004-03-29

perl: information leak

Package(s): perl  CVE #(s): CAN-2003-0618
Created: February 2, 2004  Updated: April 21, 2004
Description: Paul Szabo discovered a number of bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users.
Alerts:
Debian DSA-431-2 2004-04-16
Debian DSA-431-1 2004-02-01

postfix: denial of service vulnerabilities

Package(s): postfix  CVE #(s): CAN-2003-0468 CAN-2003-0540
Created: August 5, 2003  Updated: May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

PWLib: possible Denial of Service

Package(s): PWLib  CVE #(s): CAN-2004-0097
Created: February 13, 2004  Updated: April 9, 2004
Description: PWLib is a cross-platform class library designed to support the OpenH323 project. OpenH323 provides an implementation of the ITU H.323 teleconferencing protocol, used by packages such as Gnome Meeting.

A test suite for the H.225 protocol (part of the H.323 family) provided by the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker could trigger these bugs by sending carefully crafted messages to an application. The effects of such an attack can vary depending on the application, but would usually result in a Denial of Service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0097 to this issue.

Alerts:
Gentoo 200404-11 2004-04-09
Mandrake MDKSA-2004:017 2004-03-03
Fedora FEDORA-2004-078 2004-03-02
Debian DSA-448-1 2004-02-22
Whitebox WBSA-2004:047-01 2004-02-18
Red Hat RHSA-2004:047-01 2004-02-18
Red Hat RHSA-2004:048-01 2004-02-13

python: buffer overflow

Package(s): python  CVE #(s): CAN-2004-0150
Created: March 10, 2004  Updated: October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Debian DSA-458-3 2004-10-10
Gentoo 200409-03 2004-09-02
Debian DSA-458-2 2004-08-31
Mandrake MDKSA-2004:019 2004-03-09
Debian DSA-458-1 2004-03-09

samba: privilege escalation

Package(s): samba  CVE #(s): CAN-2004-0186
Created: March 15, 2004  Updated: April 20, 2004
Description: Samba, a LanManager-like file and printer server for Unix, was found to contain a vulnerability whereby a local user could use the "smbmnt" utility, which is setuid root, to mount a file share from a remote server which contained setuid programs under the control of the user. These programs could then be executed to gain privileges on the local system.
Alerts:
Mandrake MDKSA-2004:035 2004-04-19
Debian DSA-463-1 2004-03-12

squid: vulnerability in URL decoding

Package(s): squid  CVE #(s): CAN-2004-0189
Created: March 29, 2004  Updated: April 20, 2004
Description: A bug was found in the processing of %-encoded characters in a URL in versions of Squid 2.5.STABLE4 and earlier. If a Squid configuration uses Access Control Lists (ACLs), a remote attacker could create URLs that would not be correctly tested against Squid's ACLs, potentially allowing clients to access prohibited URLs.
Alerts:
Whitebox WBSA-2004:133-01 2004-04-19
Fedora FEDORA-2004-104 2004-04-15
Red Hat RHSA-2004:133-01 2004-04-14
Conectiva CLA-2004:838 2004-04-12
Debian DSA-474-1 2004-04-03
OpenPKG OpenPKG-SA-2004.008 2004-04-01
Mandrake MDKSA-2004:025 2004-03-30
Gentoo 200403-11 2004-03-30
Red Hat RHSA-2004:134-01 2004-03-29

sysstat: temporary file vulnerability

Package(s): sysstat  CVE #(s): CAN-2004-0107 CAN-2004-0108
Created: March 10, 2004  Updated: October 4, 2004
Description: The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:
Fedora-Legacy FLSA:1372 2004-10-03
Gentoo 200404-04 2004-04-06
Debian DSA-460-2 2004-04-03
Trustix TSLSA-2004-0011 2004-03-16
Whitebox WBSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:053-01 2004-03-10
Red Hat RHSA-2004:093-01 2004-03-10
Debian DSA-460-1 2004-03-10

tar, unzip: file overwrite vulnerability

Package(s): tar unzip  CVE #(s): CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created: October 1, 2002  Updated: April 9, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:
Fedora-Legacy FLSA:183571-1 2006-04-04
Red Hat RHSA-2006:0195-01 2006-02-21
Conectiva CLA-2002:538 2002-10-29
Mandrake MDKSA-2002:066 2002-10-10
Mandrake MDKSA-2002:065 2002-10-10
EnGarde ESA-20021003-022 2002-10-03
Gentoo unzip-20021001 2002-10-01
Gentoo tar-20021001 2002-10-01
Red Hat RHSA-2002:096-24 2002-09-18

tcpdump: flaws in the ISAKMP decoding routines

Package(s): tcpdump  CVE #(s): CAN-2003-0989 CAN-2004-0057 CAN-2004-0055
Created: January 15, 2004  Updated: April 6, 2004
Description: George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump versions prior to 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.

Jonathan Heusser discovered two additional flaws in the ISAKMP decoding routines of tcpdump versions up to and including 3.8.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0057 to this issue.

Jonathan Heusser discovered a flaw in the print_attr_string function in the RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0055 to this issue.

Remote attackers could potentially exploit these issues by sending carefully-crafted packets to a victim. If the victim uses tcpdump, these packets could result in a denial of service, or possibly execute arbitrary code as the 'pcap' user.

Alerts:
Gentoo 200404-03 2004-03-31
Fedora FEDORA-2004-091 2004-03-04
SCO Group CSSA-2004-008.0 2004-03-02
Fedora FEDORA-2004-092 2004-03-02
Whitebox WBSA-2004:008-01 2004-02-12
Fedora-Legacy FLSA:1222 2004-01-31
Mandrake MDKSA-2004:008 2004-01-26
EnGarde ESA-20040119-002 2004-01-19
Debian DSA-425-1 2004-01-16
OpenPKG OpenPKG-SA-2004.002 2004-01-16
Trustix 2004-0004 2004-01-05
SuSE SuSE-SA:2004:002 2004-01-14
Red Hat RHSA-2004:008-01 2004-01-15
Red Hat RHSA-2004:007-01 2004-01-14

tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

Package(s): tcpdump  CVE #(s): CAN-2004-0183 CAN-2004-0184
Created: March 30, 2004  Updated: September 30, 2004
Description: TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
Alerts:
Fedora-Legacy FLSA:1468 2004-09-29
Whitebox WBSA-2004:219-01 2004-06-10
Red Hat RHSA-2004:219-01 2004-05-26
Fedora FEDORA-2004-120 2004-05-13
Slackware SSA:2004-108-01 2004-04-17
Mandrake MDKSA-2004:030 2004-04-14
OpenPKG OpenPKG-SA-2004.010 2004-04-07
Debian DSA-478-1 2004-04-06
Trustix TSLSA-2004-0015 2004-03-30

telnetd: multiple vendor telnetd vulnerability

Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5  CVE #(s):
Created: May 20, 2002  Updated: October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:
Gentoo 200410-03 2004-10-05
Yellow Dog YDU-20010810-2 2001-08-10
Yellow Dog YDU-20010810-1 2001-08-10
SuSE SuSE-SA:2001:029 2001-09-03
Slackware sl-997726350 2001-08-09
Red Hat RHSA-2001:100-02 2001-08-09
Red Hat RHSA-2001:099-09 2002-02-07
Red Hat RHSA-2001:099-06 2001-08-09
Progeny PROGENY-SA-2001-27 2001-08-14
Mandrake MDKSA-2001:093 2001-12-17
Mandrake MDKSA-2001:068 2001-08-13
HP HPSBTL0202-023 2002-02-12
Debian DSA-075-2 2001-08-14
Debian DSA-075-1 2001-08-14
Conectiva CLA-2001:413 2001-08-24
SCO Group CSSA-2001-030.0 2001-08-10

util-linux: information leak in the login program

Package(s): util-linux  CVE #(s): CAN-2004-0080
Created: February 3, 2004  Updated: April 8, 2004
Description: The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function.

In some situations, the login program could use a pointer that had been freed and reallocated. This could cause unintentional data leakage.

Alerts:
Netwosix NW-2004-0010 2004-04-08
Gentoo 200404-06