Lindows goes for an IPO - a detailed look
Digging through IPO registrations is hard work; they tend to be long,
legalese-infested, and full of hype. Your editor, however, has been
spending much of the last year looking at lawsuit filings, which are a lot
worse. The chance to get into an IPO filing was too good to pass up, so,
when Lindows submitted its form S-1, we dug right in. Besides, how many SEC
filings come with screen shots?
Lindows proposes to sell $57.5 million worth of shares in its initial
offering. The
company will be using WR Hambrecht's "OpenIPO" process, which seeks to
price the stock at the highest level the market will bear via an auction
process. Other companies
which have used this method include Salon and Andover.Net (which is now
OSDN and part of VA Software).
So what is Lindows? From the filing:
We are a developer and vendor of Linux-based operating systems,
application software and services designed specifically for desktop
and laptop computers in homes, schools and businesses. We use
technology and software developed by the collaboration of
independent Linux developers, referred to as the open source
community, with our own technology and software to offer
affordable, easy-to-use software products and services, many of
which are similar in feel and functionality to our higher-priced
competitors. The cornerstone of our product line is our Linspire
operating system.
The company states that, as computers get cheaper, the cost of Windows
becomes more predominant, especially for desktop systems. Price pressures,
they say, will cause manufacturers and consumers to look more seriously at
Linux. And Lindows, of course, hopes to have the version of Linux which is
best suited to this market.
A big part of the Lindows plan is to get its distribution installed widely
in a short period of time. The company is targeting small computer
manufacturers, offering them a "low cost" licensing program. There is also
a deal with Seagate, which is pre-installing Linspire on some of its
drives. Remember, ten years ago, how you could buy disks with Linux
preinstalled? That market is back, it would seem.
Similarly, Elektra, a retail store chain with over 800 stores
throughout Mexico, sells a low-cost computer with Linspire
pre-installed. According to Elektra, since December 2003 and as of
April 2004, Elektra's best selling computer was the Linspire
system, outselling all other desktop computers it offers running
other operating systems.
How does Lindows plan to use the money?
We expect to use a majority of the net proceeds of this offering to
further develop the distribution channels for our Linux-based
operating system, application software and services, to expand our
sales and marketing activities, to continue to develop existing and
new products, technologies and services, to increase personnel, and
to repay substantially all of our outstanding debt obligations to
our founder of approximately $10,400,000.
In other words, the day Lindows goes public will be a good day for Michael
Robertson. Lindows says it may also use some of the money for
acquisitions.
Lindows has to disclose its financial state as part of this offering, of
course. The company, it turns out, brought in all of $63,131 in 2002, but
that jumped up to just over $2 million in 2003. Even so, Lindows
managed to lose over $4 million that year. As of the end of 2003, the
company had $250,000 in the bank, a "working capital" figure of
$-1.8 million, and $4.7 million in debt. How that figure squares
with the $10 million owed to Mr. Robertson (and earning
10% interest) is not entirely
clear.
From the obligatory "scary risk factors" section:
- They just might run into some financial problems when trying to
compete directly with Microsoft for desktop sales.
- "We have not demonstrated the success of our open source
software business model, which gives our customers the right to freely
copy and distribute some of the software in our operating system and
in the applications we develop and distribute. There is uncertainty in
connection with open source business models, particularly as to
whether or not businesses based on open source software can operate
profitably."
- Customers may not go for a model based on service and license fees.
- Their Japanese distributions are handled by Livedoor, which, having
just acquired Turbolinux, may lose interest in Lindows. Livedoor was
responsible for 11% of the company's 2003 revenue.
- Third-party applications for Linux may not be forthcoming.
- "We have received an audit report from our independent auditors
containing an explanatory paragraph stating that our historical losses
and negative cash flows from operations raise substantial doubt about
our ability to continue as a going concern."
- The trademark fight with Microsoft could yet sink them. They are
also, it appears, in a court battle with their insurance carrier over
whether the costs of the Microsoft litigation are covered.
Lindows claims a little over 250,000 installed systems. How do they know?
Each time a computer running the Linspire operating system is
connected to the Internet for the first time, our CNR technology
automatically records this connection on our servers. We refer to
this connection as a light up. We use light ups to monitor the
growth of our installed base, the effectiveness of our marketing
and distribution efforts and the quality and breadth of our
products and services.
Among other things, Lindows learns who sold you the system when the "light
up" occurs.
These end-user systems generated some 1.7 million in revenue in 2003.
The company has spent some $1.4 million in legal fights with
Microsoft. It has extracted most of that back from its insurance carrier
through lawsuits,
but that case is still outstanding. If things go badly, Lindows may have
to repay the insurance carrier, which would hurt. There are still
outstanding Microsoft suits in Spain, Canada, and France, and a fight
in South Africa would appear to be in the works.
Lindows has also sued Xandros, as it turns out. It would appear that
Lindows loaned Xandros $750,000 which has not been repaid.
As of the end of March, Lindows has 62 employees, 38 of whom are software
engineers. The CEO is Michael Robertson, of course, who, under a new
agreement, is to be paid $410,000 per year, plus bonuses. Mr. Robertson
owns something over 48 million shares of the company - 81% of the
total. The number of shares to be sold in the IPO has not yet been
specified, but it seems clear that Mr. Robertson will remain in possession
of a majority of the outstanding shares. The next biggest holder is the
"Burcham Community Property Trust," which is controlled by the parents of
Mr. Robertson's wife. Kevin Carmony, the company's president, holds
3 million shares.
The aggregate message from this filing is clear: Lindows is trying to go
public now because it very much needs the money. The company has large
debts, a series of ongoing legal battles, and a need for money to carry its
business plan forward. If the IPO fails, Lindows will have to come up with
another source of funds in a hurry, or, as its accountants warn, its
"ability to continue as a going concern" will be very much in doubt.
Someday there will be a thriving market around
desktop Linux, and Lindows may, indeed, be well positioned to profit in
that market. Getting there will be a challenge, however.
Report from the SCO front
It has been a busy week in the SCO world. Remember last October, when
BayStar and the Royal Bank of Canada invested $50 million into SCO?
That was when SCO's stock hit its high point; it has been all downhill from
there. On April 15, BayStar sent SCO a letter saying that it wants its
money ($20 million) back.
BayStar has concluded that SCO is in breach of the investment agreement,
and thus must return the money - plus interest. BayStar has not said, in
any public way, how it believes that SCO has breached the agreement;
speculation centers, among other things, on SCO's creative representations
of its intellectual property rights and failure to disclose Novell's
letters contesting the ownership of the Unix copyrights.
RBC has not yet tried to
call back its share, but may well do so in the next few days.
Where this will go is hard to predict. Extracting money by force in
this way is not an easy thing to do; BayStar must face the threat that SCO
will choose to spend the money on more lawyers fighting the recall rather
than hand it over. BayStar's lawyers do have some leverage, however; among
other things, the amended
agreement reads (Section XV(g)):
[SCO] acknowledges that a breach by it of its obligations
hereunder will cause irreparable harm to the holders of Series A-1
Preferred Stock and that the remedy at law for any such breach may
be inadequate. The Corporation therefore agrees, in the event of
any such breach or threatened breach, that the holders of Series
A-1 Preferred Stock shall be entitled, in addition to all other
available remedies, to an injunction restraining any breach,
without the necessity of showing economic loss and without any bond
or other security being required.
That language would suggest that BayStar can go to a judge and have a good
chance at getting an injunction forcing the money to be escrowed until the
issue is resolved. Regular stockholders will lose out (not that they had
great prospects anyway) but BayStar and RBC will do better.
This recall has serious implications for SCO. If both investors pull their
money, SCO's remaining bank account will be tiny. The chances of finding
other investors are also tiny. SCO's legal fees are not going to get any
smaller anytime soon; the prospect of a legal battle with BayStar and RBC
can only make that problem worse. Unless some sort of more overt aid
comes from companies like Microsoft or Sun, SCO could find itself looking
at bankruptcy in the near future.
SCO's April 21 announcement
that its chief financial officer, Robert Bench, has been replaced may just
be coincidental. Mr. Bench will become the "acting vice president of
corporate development" until he retires later this year. His new
responsibilities will be to "focus on external growth opportunities and
industry partnerships" - scrambling for money, in other words. The new CFO
will be Bert Young, whose history with companies like Waste Management,
Inc. would seem to suit him well to SCO's way of business.
Red Hat, meanwhile, has filed a motion
for reconsideration in its suit against SCO. The company claims:
Red Hat will suffer manifest injustice from a stay, since SCO
apparently intends to continue to harass and threaten suit against
Red Hat's customers in other jurisdictions, while Red Hat's
declaratory judgment suit here, which was intended to prevent this
precise harm to it and its customers, is forced to languish.
Getting the judge to rethink her ruling (which put the case on hold until
the IBM case has run its course) looks like a difficult prospect, but Red
Hat had to try.
In the IBM case, the latest events have to do with IBM's subpoena for
information from S2 Strategic Consulting. S2, remember, is the company
that helped to bring Microsoft, BayStar, and SCO together, so it's not
surprising that IBM is interested in what was going on there. S2 is objecting
to the subpoena, stating that it is not part of this battle and that
much of the requested information is confidential. There is some
interesting information to be found in this document, however, including:
Without waiver of those objections, S2 responds that it has in its
possession, custody and control documents that entail
communications between it and Microsoft, that relate to parties in
this litigation...
S2 would appear to be pushing for a protective order to keep these
documents from being publicly disclosed. Chances are it will succeed. So
we may never see just what was going on between these companies, but IBM
can be expected to have some fun with that information.
Finally, this whole mess has drawn the attention of another species of
shark: lawyers who do shareholder lawsuits. Among those trolling the
message boards for potential plaintiffs are Ademi & O'Reilly and,
inevitably, Milberg Weiss Bershad Hynes & Lerach. If you were silly enough to buy
stock in SCO, believe that SCO should be held legally responsible for the
predictable loss of your money, feel like enriching this particular class
of lawyer, and believe that there might actually be something left for a
settlement with shareholders when the dust settles, these folks would like
to talk with you.
Open Source Risk Management's protection plan
On Monday, Open Source Risk Management (OSRM) put out several interesting
press releases. The company has "certified" that the Linux kernel is free
of "source code that could provide a basis for meritorious copyright
infringement claims." OSRM has also announced the "Open Source Legal
Defense Center" (OSLDC) based in Washington D.C., which will offer
membership programs for developers and corporations that might find
themselves being sued by SCO or another company looking to make claims on
the Linux kernel. We contacted OSRM executive director John St. Clair and
OSRM director of research Pamela Jones about the announcements. Jones was
kind enough to respond to several questions via e-mail, and St. Clair took
the time to grant LWN a phone interview.
One might wonder how OSRM could "certify" that the Linux kernel is free of
infringement. According to St. Clair, OSRM is not saying that they have
proven that none of the code in the Linux kernel is tainted. However, he
says that the company has done due diligence and is willing to take
the risk of providing legal protection for copyright infringement claims
against the kernel. According to Jones:
OSRM's certification can never mean that there will be no claims in the
future; it means that they've taken a look and believe the risk is de
minimis and insurable, and OSRM is sufficiently confident that it is
willing to put its money where its mouth is.
St. Clair declined to provide specifics of the process that OSRM used to
research the Linux kernel, but he did say that OSRM has built up "an
extensive database of Unix variants... and compared that database against
two versions of the kernel, 2.4 and 2.6, to detect matches between those
two groups of source code." According to St. Clair, OSRM used
in-house technology "unique to OSRM in terms of
pattern-matching" and looked for straight text matches and
"more obfuscated" code that might be taken from Unix. We asked
whether OSRM might release the tools that they used for this research to
the community, but St. Clair said there were no plans to do so at this
time.
We were also curious how the OSLDC would work for developers, and whether
$25,000 would be sufficient protection for developers if SCO or another
party were to sue them. According to St. Clair:
This will provide developers, who are off on their own many times, a
cost-effective way at $250 to be able to get advice and legal counsel with
respect to their contributions to the Linux kernel. Should they be served
with a subpoena or other legal action regarding their contributions they
would receive up to $25,000 in legal protection from that.
He said that the $25,000 amount should be "pretty sufficient to cover
much of their exposure." St. Clair stressed that the OSRM offering
is vendor-neutral, and allows developers and corporations to make changes
to the code and still receive protection, unlike some of the
vendor-specific indemnification plans. He also pointed out that OSRM is not
selling insurance, but rather "certifying and indemnifying our work
around the kernel and with these clients to provide them an indemnification
that we as OSRM have an insurance policy behind us that provides the
financial wherewithal to offer that indemnification."
Since much of Microsoft's FUD these days is aimed at convincing customers
that the Total Cost of Ownership (TCO) for Linux is higher than for
Microsoft products, we asked St. Clair whether it was likely that their
offering would be seen as raising the TCO of Linux. St. Clair said that the
Legal Defense Center membership fees shouldn't harm Linux in the TCO
discussion. "This is something that end users can choose to have or
not have, it's not automatically bundled as part of Linux." Even
adding in the cost of OSRM's offerings, St. Clair said that he believes
that Linux will still have a lower TCO than its competitors. He also said
that OSRM's offerings "put a stake in the ground" to show what
indemnification may cost, rather than an unknown figure that opponents may
exaggerate when debating TCO.
OSRM is not planning to limit itself to copyright issues or the Linux
kernel. We asked whether OSRM was planning to examine other open source
software commonly used with the Linux kernel, and whether the company would
be expanding its protection to patent issues. The answer is yes on both
counts. St. Clair told LWN that dealing with legal issues from patents is
"absolutely in our plans," and Jones replied that she is
currently doing research on providing protection for patent issues:
Obviously, this is a very large and complex undertaking that will
require help from numerous kernel developers, organizations, specialized
technical and legal experts, and hopefully volunteers in the community.
We will be asking for help finding and collecting prior art through our new
Grokline project, for example, which will go online shortly.
St. Clair said he believes that the SCO lawsuit will go away, but that SCO
has "pointed to a potential vulnerability" that will last
beyond SCO's suits. He said that OSRM also recognizes a need to go
"up the stack" of open source software beyond the kernel that
is also widely used. St. Clair said that he could not specify any software
that would be covered by OSRM beyond the kernel at the moment, or give a
timeline for announcing additional software.
Another area where OSRM is working, according to St. Clair, is in helping
companies with risk assessment and developing indemnification programs that
they can offer to their customers. He said that OSRM also helps
"place their risk with third parties to provide that
[indemnification] for their customers."
There is a "heavy amount of interest" in OSRM's offerings,
according to St. Clair. It will be interesting to see if OSRM is successful
in making a business out of offering indemnification for Linux and open
source software, and whether they remain the sole business that offers this
service if it proves to be popular.
Page editor: Jonathan Corbet
Security
TCP vulnerability: cancel red alert
The mainstream press has been quick to proclaim a new vulnerability which
threatens the entire Internet. CNN, for example, tells us: "Flaw
could shut down Internet traffic". A bit of time spent actually
understanding the problem will quickly make it clear that, for most
users, there is little to worry about.
There are several parameters which identify a particular TCP packet. The
source and destination addresses are exactly that: who sent
the packet, and who is to receive it. The destination port number
allows the packet to be routed to the proper process on the receiving
system; on the server side of a connection, the destination port will
usually be a well-known number assigned to a specific service. For
example, the process which receives electronic mail will be expecting it to
arrive on port 25. The source port identifies the process which
sent the packet. On the client (initiating) side of a connection, the
source port is ostensibly a random number, though, in practice, they tend
to be assigned in a sequential (and thus predictable) way. Yet another
parameter is the sequence number, which describes where the packet
fits within the overall stream. The initial sequence numbers for a
connection are assigned randomly; they then increase as data is sent over
the connection.
TCP packets also have a "flags" field for control purposes. One of those
flags is called "reset" or "RST"; it indicates that the sending side is
shutting down the connection immediately. Resets typically happen when one
side receives a packet for a connection it knows nothing about. Suppose
you log into a remote system with ssh, then go out for lunch; while you are
eating, the remote system is rebooted. When you return and try to type
over the connection, the remote system will have no record of it, so it
will send back a reset packet. That's when
you get that fun "connection reset by peer" message.
Suppose you were an Internet vandal looking to shut down other people's
connections. This could be accomplished by sending the right sort of reset
packet. Crafting this packet is not an entirely easy thing to do: you have
to match all five of the parameters listed above. Presumably coming up
with source and destination addresses would not be too hard, if you know
which connection you are targeting. One of the two port numbers will
probably be a well-known service number, and thus easily accessible. The
other port number will require a guess, but the range of possible numbers
is, in many cases, small. The hardest part is the sequence number; it is a
randomly-chosen, 32-bit number. In the past, poor initial sequence number
generation has allowed protocol attacks, but most of those problems are
long since fixed. To mount a reset attack against a modern TCP
implementation, the attacker must work through the entire space of
4 billion possible sequence numbers; by the time that has been
accomplished, chances are the target connection will have shut down
normally anyway.
Except, as it turns out, that is not entirely true. TCP uses a "receive
window" to control the flow of data. The window gives a range of sequence
numbers for which the destination is prepared to receive data; this window
can vary widely between systems, but 32KB is a fairly common size. Since
the two sides of a TCP connection may not share the exact same idea of what
the current sequence number is (one side may have sent packets that the
other has not received), a reset packet with a sequence number that falls
anywhere inside the receive window will be honored. Thus an attacker need
not try every possible sequence number; attempts may, instead, be spaced as
widely as the probable receive window. That changes the situation
significantly; if the other four parameters are correct, a usable sequence
number can be found with less than 100,000 attempts. It does not take very
long to send that many (very short) packets, even over a relatively slow
connection.
So, a dedicated attacker stands a fairly good chance of shutting down a
connection. What are the implications of this? Very few, for the most
part. In general, the damage caused by a prematurely closed connection is
small; the user swears and restarts their download operation. It would be
hard to use this technique to shut down a web server; HTTP connections tend
to be short-lived to begin with. That is why the largest threat is seen to
be for applications which use long-lived TCP connections for some important
task. The BGP protocol used for much of the core Internet routing is one
such case; most of the affected systems have already been fixed, however.
For those who
are in a situation where this sort of attack could pose a threat, there are
a few things which can be done, including
using IPSec, which is not vulnerable to this sort of problem, or
configuring networking to use a smaller window size (but be aware that
performance can be reduced). The IETF has also come up with
a proposed protocol change which addresses the problem: when a reset
packet is received which, while falling within the receive window, does not
exactly match the sequence number, the receiving side will send an
acknowledgment rather than immediately resetting the connection. That
acknowledgment will contain the current sequence number as seen by the
side receiving the reset, which will allow the sending of a second reset
packet with the exact sequence number.
Some vendors (mostly router manufacturers) are issuing software updates to
implement the IETF suggestion. Most of us, however, can sit back and look
for something else to worry about.
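The receiver-side rule the article turns on, as an added example (not code from the article): a small model of how a TCP endpoint decides what to do with a RST under the classic "anywhere in the window" rule and under the IETF-proposed exact-match-or-ACK rule, plus the arithmetic for how many window-spaced guesses cover the 32-bit sequence space. Addresses, ports, sequence numbers and window sizes are constructed sample values.

```python
"""Added example: model of RST handling under two receiver policies.
The classic rule honours any RST whose sequence number lies inside the
receive window; the proposed rule resets only on an exact match and
answers an in-window but inexact RST with an ACK carrying RCV.NXT.
All connection parameters below are constructed, not captured."""
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32  # sequence numbers are 32 bits wide and wrap around


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def guesses_to_cover(rcv_wnd: int) -> int:
    """Guesses spaced rcv_wnd apart needed so that one of them lands inside
    any window of that size: ceil(2**32 / rcv_wnd).  This is the arithmetic
    behind the article's attempt count; the figure depends on the window
    the guesser assumes (32 KB gives 131072, 64 KB gives 65536)."""
    return -(-SEQ_SPACE // rcv_wnd)


@dataclass(frozen=True)
class Segment:
    src: str      # source address
    sport: int    # source port
    dst: str      # destination address
    dport: int    # destination port
    seq: int      # sequence number
    rst: bool     # RST flag set?


@dataclass
class Connection:
    src: str      # the remote peer, as this host expects to see it
    sport: int
    dst: str      # this host
    dport: int
    rcv_nxt: int  # next sequence number expected from the peer
    rcv_wnd: int  # receive window in bytes
    state: str = "ESTABLISHED"

    def matches(self, seg: Segment) -> bool:
        """The four addressing parameters that pick out this connection."""
        return ((seg.src, seg.sport, seg.dst, seg.dport)
                == (self.src, self.sport, self.dst, self.dport))


def rst_classic(conn: Connection, seg: Segment) -> str:
    """RFC 793 rule: an RST anywhere inside the receive window resets."""
    if conn.state != "ESTABLISHED" or not seg.rst or not conn.matches(seg):
        return "ignored"
    if seq_in_window(seg.seq, conn.rcv_nxt, conn.rcv_wnd):
        conn.state = "CLOSED"
        return "reset"
    return "dropped"


def rst_challenge(conn: Connection, seg: Segment) -> str:
    """Proposed rule: only an exact match resets.  An in-window but inexact
    RST is answered with an ACK carrying RCV.NXT.  That ACK goes to the
    connection's real peer, which can then resend its RST with the exact
    number; a third party spoofing the peer's address never receives it."""
    if conn.state != "ESTABLISHED" or not seg.rst or not conn.matches(seg):
        return "ignored"
    if seg.seq == conn.rcv_nxt:
        conn.state = "CLOSED"
        return "reset"
    if seq_in_window(seg.seq, conn.rcv_nxt, conn.rcv_wnd):
        return "challenge-ack"
    return "dropped"


def replay(policy) -> dict:
    """Feed one constructed connection three RSTs under the given policy and
    report each verdict together with the connection's final state."""
    conn = Connection("192.0.2.10", 40001, "198.51.100.5", 179,
                      rcv_nxt=0x1000_0000, rcv_wnd=32768)  # constructed BGP session

    def rst(seq, **override):
        args = dict(src="192.0.2.10", sport=40001, dst="198.51.100.5", dport=179)
        args.update(override)
        return Segment(seq=seq, rst=True, **args)

    verdicts = {
        "wrong_port": policy(conn, rst(0x1000_0000, sport=40002)),
        "out_of_window": policy(conn, rst(0x1000_0000 + 40000)),
        "in_window_inexact": policy(conn, rst(0x1000_0000 + 1000)),
    }
    verdicts["state"] = conn.state
    return verdicts


if __name__ == "__main__":
    print("guesses for a 32 KB window:", guesses_to_cover(32768))
    print("classic:  ", replay(rst_classic))
    print("challenge:", replay(rst_challenge))
```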
New vulnerabilities
kernel: ext3 information leak
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0177 |
| Created: | April 21, 2004 |
| Updated: | April 26, 2004 |
| Description: | Solar Designer turned up a bug in the ext3 filesystem where blocks allocated to the journal file are not properly cleaned prior to use. This failure could expose some (random) kernel memory to an attacker, but only if that attacker can perform raw I/O to the device. |
| Alerts: | |
logcheck: symlink vulnerability
| Package(s): | logcheck |
| CVE #(s): | CAN-2004-0404 |
| Created: | April 21, 2004 |
| Updated: | December 22, 2004 |
| Description: | The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. |
| Alerts: | |
ssmtp format string vulnerability
| Package(s): | ssmtp |
| CVE #(s): | CAN-2004-0156 |
| Created: | April 15, 2004 |
| Updated: | May 7, 2004 |
| Description: | Max Vozeler discovered two format string vulnerabilities in ssmtp, a simple mail transport agent. Untrusted values in the functions die() and log_event() were passed to printf-like functions as format strings. These vulnerabilities could potentially be exploited by a remote mail relay to gain the privileges of the ssmtp process (including potentially root). |
| Alerts: | |
utempter problems with symlink and strncpy
| Package(s): | utempter |
| CVE #(s): | CAN-2004-0233 |
| Created: | April 19, 2004 |
| Updated: | June 11, 2004 |
| Description: | Steve Grubb discovered two potential issues in the utempter program: (1) If the path to the device contained /../ or /./ or //, the program was not exiting as it should. It would be possible to use something like /dev/../tmp/tty0, and then if /tmp/tty0 were deleted and symlinked to another important file, programs that have root privileges that do no further validation can then overwrite whatever the symlink pointed to. (2) Several calls to strncpy without a manual termination of the string. This would most likely crash utempter. |
| Alerts: | |
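The path check that the utempter issue calls for, as an added example (this is not utempter's code): a privileged utmp helper should accept only a device name that is already in canonical form under /dev, so /dev/../tmp/tty0, /dev/./tty0 and /dev//tty0 are all rejected, and whose symlink-resolved target also stays under /dev. The helper `tty_path_is_safe` and the sample paths are constructed for this example.

```python
"""Added example: device-path validation of the kind a setuid/setgid
utmp helper needs.  Not utempter's code; sample paths are constructed."""
import os
import tempfile

DEV_ROOT = "/dev"


def tty_path_is_safe(path: str, root: str = DEV_ROOT) -> bool:
    """Accept only a plain, canonical path below root whose resolved
    target is still below root."""
    prefix = root + "/"
    # 1. must name something under root and not end in a slash
    if not path.startswith(prefix) or path.endswith("/"):
        return False
    # 2. lexical canonical form: rules out "..", "." and "//" components,
    #    so "/dev/../tmp/tty0" never reaches the filesystem at all
    if os.path.normpath(path) != path:
        return False
    # 3. a symlink must not lead outside root (the /tmp/tty0 -> file trick)
    resolved = os.path.realpath(path)
    return resolved.startswith(os.path.realpath(root) + "/")


def demo() -> dict:
    """Build a throwaway root containing one symlink that escapes it, then
    check a few constructed paths.  Keys are shown relative to the
    temporary base directory so they read like real /dev names."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "dev")
    os.mkdir(root)
    victim = os.path.join(base, "victim")  # stands in for an "important file"
    open(victim, "w").close()
    os.symlink(victim, os.path.join(root, "tty0"))
    probes = [
        root + "/tty1",        # plain device name: accepted
        root + "/tty0",        # symlink leaving root: rejected
        root + "/../victim",   # ".." component: rejected
        root + "/./tty1",      # "." component: rejected
        root + "//tty1",       # doubled slash: rejected
    ]
    return {p[len(base):]: tty_path_is_safe(p, root) for p in probes}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} {'accept' if ok else 'reject'}")
```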
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
| CVE #(s): | CAN-2004-0409 |
| Created: | April 19, 2004 |
| Updated: | November 14, 2005 |
| Description: | XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, enable SOCKS 5 traversal (which is disabled by default) and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client. |
| Alerts: | |
xonix fails to drop privileges
| Package(s): | xonix |
| CVE #(s): | CAN-2004-0157 |
| Created: | April 15, 2004 |
| Updated: | April 21, 2004 |
| Description: | Steve Kemp discovered a vulnerability in xonix, a game, where an external program was invoked while retaining setgid privileges. A local attacker could exploit this vulnerability to gain gid "games". |
| Alerts: | |
zope: potential code execution
| Package(s): | zope |
| CVE #(s): | CVE-2002-0688 |
| Created: | April 21, 2004 |
| Updated: | April 21, 2004 |
| Description: | The ZCatalog component of the Zope application server can allow anonymous users and untrusted code to call arbitrary methods in the catalog indexes. |
| Alerts: | |
Updated vulnerabilities
apache - denial of service in mod_ssl
| Package(s): | apache |
| CVE #(s): | CAN-2004-0113 |
| Created: | April 13, 2004 |
| Updated: | May 25, 2004 |
| Description: | A memory leak has been discovered in mod_ssl that may be triggered by sending normal HTTP requests to the Apache HTTPS port. An attacker can exploit this vulnerability to consume all memory available in the server, thus causing a denial of service condition. This problem has been fixed in Apache 2.0.49. |
| Alerts: | |
automake: symbolic link attack
| Package(s): | automake |
| CVE #(s): | |
| Created: | April 8, 2004 |
| Updated: | April 14, 2004 |
| Description: | Automake may be vulnerable to a symbolic link attack which may allow an attacker to modify data or escalate their privileges. This is due to the insecure way Automake creates directories during compilation. An attacker may be able to create symbolic links in the place of files contained in the affected directories, which may potentially lead to elevated privileges due to modification of data. |
| Alerts: | |
cvs: client-side file overwrite vulnerability
| Package(s): | cvs |
| CVE #(s): | CAN-2004-0180 |
| Created: | April 14, 2004 |
| Updated: | May 18, 2004 |
| Description: | The cvs client is vulnerable to a pathname vulnerability which can allow a hostile server to overwrite files on the local system. The cvs server is subject to a similar vulnerability which allows the checkout of RCS archives anywhere on the server system. Versions 1.11.15 and 1.12.7 fix the problem. |
| Alerts: | |
ethereal - multiple vulnerabilities
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: | |
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
| CVE #(s): | CAN-2003-0133, CAN-2003-0541 |
| Created: | April 14, 2003 |
| Updated: | April 18, 2005 |
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. |
| Alerts: | |
iproute: local denial of service
| Package(s): | iproute net-tools |
| CVE #(s): | CAN-2003-0856 |
| Created: | November 25, 2003 |
| Updated: | December 14, 2004 |
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
| Alerts: | |
racoon: failure to verify signatures
| Package(s): | ipsec-tools racoon |
| CVE #(s): | CAN-2004-0155 |
| Created: | April 7, 2004 |
| Updated: | August 19, 2004 |
| Description: | Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details. |
| Alerts: | |
kdelibs: cookie disclosure
| Package(s): | kdelibs |
| CVE #(s): | CAN-2003-0592 |
| Created: | March 10, 2004 |
| Updated: | August 24, 2004 |
| Description: | kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix. |
| Alerts: | |
kdepim: VCF file information reader vulnerability
| Package(s): | kdepim |
| CVE #(s): | CAN-2003-0988 |
| Created: | January 15, 2004 |
| Updated: | May 26, 2004 |
| Description: | KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue. |
| Alerts: | |
Comments (none posted)
kernel: symlink overflow in the iso9660 filesystem
| Package(s): | kernel |
| CVE #(s): | CAN-2004-0109 |
| Created: | April 14, 2004 |
| Updated: | July 15, 2004 |
| Description: | The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release. |
| Alerts: | |
Comments (none posted)
Linux kernel 2.2.10 failing function and TLB flush vulnerability
| Package(s): | kernel-source-2.2.10 |
| CVE #(s): | CAN-2004-0077 |
| Created: | March 18, 2004 |
| Updated: | June 4, 2004 |
| Description: | A local root exploit is possible due to early flushing of the TLB. |
| Alerts: | |
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: | The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability, issue the following command as root: chmod -s /usr/bin/uml_net |
| Alerts: | |
Comments (none posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
| CVE #(s): | CAN-2002-1363 |
| Created: | December 19, 2002 |
| Updated: | July 14, 2004 |
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly, which causes a buffer overrun beyond the beginning of the row buffer. |
| Alerts: | |
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | July 21, 2004 |
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
mailman denial of service
| Package(s): | mailman |
| CVE #(s): | CAN-2003-0991 |
| Created: | February 9, 2004 |
| Updated: | May 25, 2004 |
| Description: | Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue. |
| Alerts: | |
Comments (1 posted)
metamail: integer and buffer overflows
| Package(s): | metamail |
| CVE #(s): | CAN-2004-0104, CAN-2004-0105 |
| Created: | February 18, 2004 |
| Updated: | May 21, 2004 |
| Description: | Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message. |
| Alerts: | |
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
| CVE #(s): | CAN-2003-0427 |
| Created: | June 16, 2003 |
| Updated: | June 16, 2005 |
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. |
| Alerts: | |
Comments (none posted)
mod_python: denial of service vulnerability
| Package(s): | mod_python |
| CVE #(s): | CAN-2003-0973 |
| Created: | January 27, 2004 |
| Updated: | October 4, 2004 |
| Description: | Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent. The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because that release did not fully fix it, version 2.7.10 has been released. Users of mod_python 3.0.4 are not affected by this vulnerability. |
| Alerts: | |
Comments (none posted)
monit: buffer overflow and DOS
| Package(s): | monit |
| CVE #(s): | |
| Created: | March 31, 2004 |
| Updated: | April 19, 2004 |
| Description: | The monit system administration program through version 4.1 suffers from remotely exploitable buffer overflow and denial of service vulnerabilities. Two additional vulnerabilities have been found in the HTTP interface of monit, possibly leading to denial of service or execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
mozilla: multiple vulnerabilities
| Package(s): | mozilla |
| CVE #(s): | CAN-2003-0594, CAN-2003-0564 |
| Created: | March 10, 2004 |
| Updated: | August 19, 2004 |
| Description: | Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks. |
| Alerts: | |
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
| CVE #(s): | CAN-2003-0969 |
| Created: | January 6, 2004 |
| Updated: | March 28, 2005 |
| Description: | A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming). |
| Alerts: | |
Comments (none posted)
MySQL: temporary file vulnerabilities
| Package(s): | mysql |
| CVE #(s): | CAN-2004-0381, CAN-2004-0388 |
| Created: | April 14, 2004 |
| Updated: | August 18, 2004 |
| Description: | The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system. |
| Alerts: | |
Comments (none posted)
neon: format string vulnerabilities
| Package(s): | neon |
| CVE #(s): | CAN-2004-0179 |
| Created: | April 14, 2004 |
| Updated: | May 18, 2004 |
| Description: | The neon WebDAV library contains format string vulnerabilities which may be exploited by a hostile DAV server. This vulnerability exists in utilities which use neon, including cadaver and OpenOffice.org. |
| Alerts: | |
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
| CVE #(s): | |
| Created: | May 27, 2003 |
| Updated: | August 12, 2004 |
| Description: | Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information. |
| Alerts: | |
Comments (none posted)
netpbm: insecure temporary files
| Package(s): | netpbm |
| CVE #(s): | CAN-2003-0924 |
| Created: | January 19, 2004 |
| Updated: | December 29, 2004 |
| Description: | netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool. |
| Alerts: | |
Comments (1 posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
| CVE #(s): | CAN-2003-0190 |
| Created: | May 2, 2003 |
| Updated: | November 30, 2004 |
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." |
| Alerts: | |
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
perl information leak
| Package(s): | perl |
| CVE #(s): | CAN-2003-0618 |
| Created: | February 2, 2004 |
| Updated: | April 21, 2004 |
| Description: | Paul Szabo discovered a number of bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users. |
| Alerts: | |
Comments (none posted)
postfix: denial of service vulnerabilities
| Package(s): | postfix |
| CVE #(s): | CAN-2003-0468, CAN-2003-0540 |
| Created: | August 5, 2003 |
| Updated: | May 27, 2004 |
| Description: | The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. |
| Alerts: | |
Comments (none posted)
python: buffer overflow
| Package(s): | python |
| CVE #(s): | CAN-2004-0150 |
| Created: | March 10, 2004 |
| Updated: | October 11, 2004 |
| Description: | Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address. |
| Alerts: | |
Comments (none posted)
samba privilege escalation
| Package(s): | samba |
| CVE #(s): | CAN-2004-0186 |
| Created: | March 15, 2004 |
| Updated: | April 20, 2004 |
| Description: | Samba, a LanManager-like file and printer server for Unix, was found to contain a vulnerability whereby a local user could use the "smbmnt" utility, which is setuid root, to mount a file share from a remote server which contained setuid programs under the control of the user. These programs could then be executed to gain privileges on the local system. |
| Alerts: | |
Comments (none posted)
Scorched3D: format string vulnerability
| Package(s): | Scorched 3D |
| CVE #(s): | |
| Created: | April 9, 2004 |
| Updated: | April 14, 2004 |
| Description: | The server from the game Scorched 3D is vulnerable to a format string attack that can lead to a denial of service and possibly to the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
squid - vulnerability in URL decoding
| Package(s): | squid |
| CVE #(s): | CAN-2004-0189 |
| Created: | March 29, 2004 |
| Updated: | April 20, 2004 |
| Description: | A bug was found in the processing of %-encoded characters in a URL in versions of Squid 2.5.STABLE4 and earlier. If a Squid configuration uses Access Control Lists (ACLs), a remote attacker could create URLs that would not be correctly tested against Squid's ACLs, potentially allowing clients to access prohibited URLs. |
| Alerts: | |
Comments (none posted)
sysstat: temporary file vulnerability
| Package(s): | sysstat |
| CVE #(s): | CAN-2004-0107, CAN-2004-0108 |
| Created: | March 10, 2004 |
| Updated: | October 4, 2004 |
| Description: | The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files. |
| Alerts: | |
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
| CVE #(s): | CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399 |
| Created: | October 1, 2002 |
| Updated: | April 9, 2006 |
| Description: | The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. |
| Alerts: | |
Comments (1 posted)
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
| Package(s): | tcpdump |
| CVE #(s): | CAN-2004-0183, CAN-2004-0184 |
| Created: | March 30, 2004 |
| Updated: | September 30, 2004 |
| Description: | TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory. |
| Alerts: | |
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
| CVE #(s): | |
| Created: | May 20, 2002 |
| Updated: | October 5, 2004 |
| Description: | This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well. |
| Alerts: | |