Welcome to the new LWN.net Security Page
Our first site code upgrade in nearly four years introduces
an integrated security alert and vulnerability database.
Our archive of security alerts dating back to July, 2001
now lives in a PostgreSQL relational database.
Vulnerabilities and alerts are actually linked to each other.
Recent alerts and vulnerabilities use
Common Vulnerabilities and Exposures (CVE)
numbers to uniquely identify each vulnerability.
Today you can browse alerts and vulnerabilities
using the links at the top of each page.
When viewing an alert, you can view the corresponding
vulnerability description with a mouse click.
In the future expect, and please continue to suggest, ways
for us to better provide you with the security information
you seek.
Comments (none posted)
US TurboLinux Security Severely Out of Date (iDEFENSE Labs)
iDEFENSE Labs has issued a
security
advisory for the US TurboLinux distribution.
The collective security weakness of the outstanding issues listed
below is staggering. The following is a list of the most serious
problems for which most other Linux vendors have provided updates on
their US sites. It represents the outstanding security problems
associated with the limited TurboLinux distributions and updates that
have been available on the US sites only.
LWN has pointed out in the past that Turbolinux has not been serious about security updates. With luck this advisory - or, perhaps, the UnitedLinux effort - will help get this distributor back on track.
Comments (1 posted)
Security news
Unique Preventative IDS for Linux
Scott Wimer, Chief Technology Officer of Cylant, dicusses preventive security in this paper.
The recent vulnerabilities with OpenSSH software demonstrate that even intensive auditing cannot necessarily root out all the defects from software. As software systems become larger and more complex, intensive auditing becomes more expensive and more difficult. Software audits
simply cannot be relied upon to find all of the security vulnerabilities in any given system.
Full Story (comments: 7)
Biometric Access Protection Devices and their Programs Put to the Test (c't)
C't has published
a study of eleven biometric access controls intended to prevent unauthorized access.
"In our attempts at outfoxing the protective programs and devices we have concentrated on the first method: direct attempts at deceiving the systems with the aid of obvious procedures (such as the reactivation of latent images) and obvious feature forgeries (photographs, videos, silicon fingerprints)."
Also see Bruce Schneier's previously published CRYPTO-GRAM
newsletter for May for a look at a technique for fooling fingerprint scanners with fake fingers made of gelatin.
Comments (none posted)
Security reports
Download Sites Hacked, Source Code Backdoored (Security Focus)
Brian McWilliams reports on the recent contamination of Fragroute
with a backdoor.
"According to program developer Dug Song, the source code to the Dsniff, Fragroute, and Fragrouter security tools was contaminated on May 17th after an attacker gained unauthorized access to his site, Monkey.org."
Note: Copies of Dsniff, Fragroute or Fragrouter downloaded
from Monkey.org between May 17th and May 24th are contaminated and
require replacement. For more details, see Dug Song's post to bugtraq about the incident.
Full Story (comments: none)
OpenSSH 3.2.3 released
Following on the heels of the last release, OpenSSH version 3.2.3
has been announced. This version
fixes a few bugs that showed up in version 3.2.2.
Full Story (comments: none)
Ethereal 0.9.4 released
Ethereal 0.9.4
was
released
on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
- The SMB dissector could potentially dereference a NULL pointer in two cases.
- The X11 dissector could potentially overflow a buffer while parsing keysyms.
- The DNS dissector could go into an infinite loop while reading a malformed packet.
- The GIOP dissector could potentially allocate large amounts of memory.
No known exploits exist "in the wild" at the present time for any of these issues.
Comments (none posted)
Information Disclosure Vulnerability in IDS 0.8x
IDS is a CGI script that generates a multi-gallery photo album for a website on the fly. IDS 0.8x is reported to have a directory disclosure vulnerability.
Full Story (comments: none)
CGIscript.net - csPassword.cgi has multiple vulnerabilities
Steve Gustin has reported multiple vulnerabilities in the csPassword.cgi
script from
CGIscript.net
"Make sure you only allow trusted users to use the
csPassword application and make sure your web server
in configured to deny requests for .ht* and *.tmp
files."
Full Story (comments: none)
Caldera Security Advisory - Volution Manager
Volution Manager stores the unencrypted Directory Administrator's password
in the /etc/ldap/slapd.conf file. This vulnerability will be corrected in
the next release of Volution Manager.
Full Story (comments: none)
(Proprietary product) Informix SE-7.25 Local Vulnerability
A buffer overflow vulnerability was reported in Informix SE-7.25 if INFORMIXDIR enviroment variable is defined with a size greater than 2023 bytes.
Full Story (comments: none)
New vulnerabilities
Denial of service vulnerability in version 9 of BIND
| Package(s): | bind |
CVE #(s): | CAN-2002-0400
|
| Created: | June 5, 2002 |
Updated: | August 19, 2002 |
| Description: |
Here is an advisory from the Computer Emergency Response Team (CERT)
regarding the denial of service vulnerability in version 9 of the BIND
nameserver, up to 9.2.1. An attacker can send a properly crafted packet
which triggers a check within BIND and causes it to shut down. The
vulnerability can not be exploited for any purpose beyond denial of
service, but that is bad enough; if you are running BIND 9, an upgrade
is probably a good idea.
Note that many or most systems out there will still be running
BIND 8, and thus will not be vulnerable.
News articles on the vulnerability appear in the
Register
and
Network World Fusion News. |
| Alerts: |
|
Comments (none posted)
Ghostscript arbitrary command execution vulnerability
| Package(s): | ghostscript |
CVE #(s): | CAN-2002-0363
|
| Created: | June 5, 2002 |
Updated: | June 12, 2002 |
| Description: |
Ghostscript may be used to execute arbitrary commands with a maliciously formed PostScript file.
Since ghostscript is frequently used while printing documents, updating
is strongly recommended.
The vulnerability has been fixed in the 6.53 source release of GNU Ghostscript. |
| Alerts: |
|
Comments (none posted)
Mailman 2.0.11 fixes two cross-site scripting vulnerabilities
| Package(s): | mailman |
CVE #(s): | CAN-2002-0388
|
| Created: | June 5, 2002 |
Updated: | August 28, 2002 |
| Description: |
Barry A. Warsaw announced
the release of Mailman 2.0.11
"which fixes two
cross-site scripting exploits, one reported by "office" in the admin
login page, and another reported by Tristan Roddis in the Pipermail
index summaries.
It is recommended that all sites upgrade their 2.0.x systems to this
version."
|
| Alerts: |
|
Comments (none posted)
String format bug in pam_ldap logging
| Package(s): | nss_ldap |
CVE #(s): | CAN-2002-0374
|
| Created: | June 5, 2002 |
Updated: | October 29, 2002 |
| Description: |
The nss_ldap package includes the pam_ldap module for
authenticating a user with an LDAP database.
Pam_ldap versions prior to 144 have a string format
bug in the logging mechanism. |
| Alerts: |
|
Comments (none posted)
Malformed NFS packet buffer overflow vulnerability in tcpdump
| Package(s): | tcpdump |
CVE #(s): | CAN-2002-0380
|
| Created: | June 5, 2002 |
Updated: | October 9, 2002 |
| Description: |
A buffer overflow in tcpdump can be triggered by a bad NFS packet when
tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
|
| Alerts: |
|
Comments (none posted)
Uucp authentication agent, in.uucdp, bad string termination
| Package(s): | uucp |
CVE #(s): | |
| Created: | June 5, 2002 |
Updated: | June 5, 2002 |
| Description: |
The in.uucpd authentication agent in the
uucp package does not properly terminate some long input strings. |
| Alerts: |
|
Comments (none posted)
xchat IC server based dns query vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2002-0382
|
| Created: | June 5, 2002 |
Updated: | September 24, 2002 |
| Description: |
A malicious IRC server may
return a response to a /dns query that executes arbitrary commands
with the privileges of the user running XChat.
Versions of XChat prior to 1.8.9 are vulnerable. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
Ethereal packet handling vulnerabilities
| Package(s): | ethereal |
CVE #(s): | CAN-2002-0353
|
| Created: | June 5, 2002 |
Updated: | June 12, 2002 |
| Description: |
Ethereal 0.9.3 fixed three
packet handling vulnerabilities present in 0.9.2 when it was released
by the ethereal team on March 30th.
The PROTOS test
suite found some flaws in SNMP and LDAP protocols support.
Malformed packets could also crash ethereal 0.9.2 due to a
ASN.1 zero-length g_malloc problem.
The zlib "double free" vulnerability
was addressed by the updates for that bug from many distributors. (First LWN
report: May 2).
Update: The May 19, 2002 release of Ethereal 0.9.4
fixes four potential security issues in Ethereal 0.9.3.Please see
the new vulnerability for more information. |
| Alerts: |
|
Comments (none posted)
Remotely-exploitable buffer overflow vulnerability in fetchmail
| Package(s): | fetchmail |
CVE #(s): | CAN-2002-0146
|
| Created: | June 5, 2002 |
Updated: | June 18, 2002 |
| Description: |
Fetchmail versions prior to 5.9.10 have a buffer overflow vulnerability
that may be exploited by a malicious IMAP server.
The fetchmail client allocated memory to store the sizes of the
messages it is attempting to retrieve based on
a message count provided by the IMAP server.
A malicious IMAP server could provide an artifically
large message count to force the
fetchmail process to write data outside of the allocated memory. (First LWN
report: May 9). |
| Alerts: |
|
Comments (none posted)
UW imapd remotely exploitable buffer overflow
| Package(s): | imap |
CVE #(s): | CAN-2002-0379
|
| Created: | June 5, 2002 |
Updated: | December 20, 2002 |
| Description: |
UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft
a request to run commands on the server under their UID and GID.
(First LWN report: May 23). |
| Alerts: |
|
Comments (2 posted)
OpenSSH 3.2.2 fixes multiple vulnerabilities
| Package(s): | openssh |
CVE #(s): | |
| Created: | June 5, 2002 |
Updated: | June 5, 2002 |
| Description: |
The OpenSSH developers have
released OpenSSH 3.2.2. Security fixes in this release are:
"
- fixed buffer overflow in Kerberos/AFS token passing
- fixed overflow in Kerberos client code
- sshd no longer auto-enables Kerberos/AFS
- experimental support for privilege separation [...]
- only accept RSA keys of size SSH_RSA_MINIMUM_MODULUS_SIZE (768) or larger"
(First LWN report: May 23). |
| Alerts: |
|
Comments (none posted)
UTF8 interaction bug in the perl-Digest-MD5 module
| Package(s): | perl-Digest-MD5 |
CVE #(s): | |
| Created: | June 5, 2002 |
Updated: | June 5, 2002 |
| Description: |
Versions prior to 2.20 of the perl-Digest-MD5 module have a bug
in the UTF8 interaction with perl that produces UTF8 strings
with improper MD5 digests.
(First LWN
report: May 16). |
| Alerts: |
|
Comments (none posted)
Heap corruption vulnerability in at
| Package(s): | at at, sudo, xchat |
CVE #(s): | CAN-2002-0004
|
| Created: | May 20, 2002 |
Updated: | May 15, 2003 |
| Description: |
The at command has a
potentially exploitable heap corruption bug.
(First LWN report: January 17th).
|
| Alerts: |
|
Comments (none posted)
DHCP remotely exploitable format string vulnerability
| Package(s): | dhcp/dhcp-server dhcp |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | June 20, 2002 |
| Description: |
The
May 8, 2000 release of ISC DHCP 3.0p1
fixes this serious
vulnerability in ISC DHCPD 3.0 to 3.0.1rc8 inclusive.
We encourage dhcp users to upgrade, disable dhcp or, at a minimum,
consider
using ingress filtering as described in the CERT advisory.
(First LWN
report: May 16).
Note: Distributions which use version 2 of ISC DHCP, such as Red Hat
Linux,
are not vulnerable.
|
| Alerts: |
|
Comments (none posted)
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
CVE #(s): | CAN-2002-0435
|
| Created: | May 20, 2002 |
Updated: | May 16, 2003 |
| Description: |
A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
|
| Alerts: |
|
Comments (none posted)
Buffer overflow problem in glibc
| Package(s): | glibc glibc/shlibs, glibc, nscd |
CVE #(s): | CAN-2001-0886
|
| Created: | May 20, 2002 |
Updated: | July 14, 2002 |
| Description: |
The glibc filename globbing code has a buffer overflow problem.
For those who are interested, Global InterSec LLC has provided
a detailed description
of this vulnerability.
This problem was first reported by LWN on December 20th.
|
| Alerts: |
|
Comments (2 posted)
Buffer overflow in groff
| Package(s): | groff |
CVE #(s): | CAN-2002-0003
|
| Created: | May 20, 2002 |
Updated: | December 9, 2002 |
| Description: |
The groff package has a buffer overflow
vulnerability; if it is used with the print system, it is conceivably
exploitable remotely.
|
| Alerts: |
|
Comments (none posted)
Problem loading untrusted images in imlib
| Package(s): | imlib |
CVE #(s): | CAN-2002-0167
CAN-2002-0168
|
| Created: | May 20, 2002 |
Updated: | June 5, 2002 |
| Description: |
Versions of
imlib prior to 1.9.13 used the NetPBM package in ways which
"make it possible
for attackers to create image files such that when loaded via software
which uses Imlib, could crash the program or potentially allow arbitrary
code to be executed."
(First LWN
report: March 28).
|
| Alerts: |
|
Comments (none posted)
Cross-site scripting vulnerability in Horde/IMP 2.2.7 and 3.0
| Package(s): | imp horde/imp |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | June 19, 2002 |
| Description: |
Version 2.2.8 of IMP has been released, it
fixes some vulnerabilities. "The Horde team announces the
availability of IMP 2.2.8, which prevents some potential cross-site
scripting (CSS) attacks." Upgrading
to IMP 3.1 or, at least, 2.2.8 is recommended
(First LWN
report: April 11, 2002).
Update: IMP 3.0, which was initially believed to be
immune, is also vulnerable. The problem
is fixed in IMP 3.1. |
| Alerts: |
|
Comments (1 posted)
Mozilla XMLHttpRequest file disclosure vulnerability
| Package(s): | mozilla |
CVE #(s): | CAN-2002-0354
|
| Created: | May 20, 2002 |
Updated: | October 18, 2002 |
| Description: |
This XMLHttpRequest security
bug impacts all Mozilla-based browsers. "The bug is found in versions of
Mozilla from 0.9.7 to 0.9.9 on various operating
system platforms, and in Netscape versions 6.1 and
higher."
(First LWN
report: May 2).
|
| Alerts: |
|
Comments (none posted)
Remotely exploitable vulnerability in pine
| Package(s): | pine |
CVE #(s): | CAN-2002-0014
|
| Created: | May 20, 2002 |
Updated: | November 27, 2002 |
| Description: |
Pine has an
unpleasant
vulnerability in URL handling vulnerability which can lead to
command execution by remote attackers.
(First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution,
setting enable-msg-view-urls to "off" in pine's setup will
avoid the vulnerability. (Thanks to Greg Herlein).
|
| Alerts: |
|
Comments (none posted)
Sharutils potential privilege escalation using uudecode
| Package(s): | sharutils |
CVE #(s): | CAN-2002-0178
|
| Created: | May 20, 2002 |
Updated: | October 30, 2002 |
| Description: |
According to the CVE entry,
"uudecode, as available in the sharutils package before 4.2.1, does not
check whether the filename of the uudecoded file is a pipe or symbolic
link, which could allow attackers to overwrite files or execute commands."
(First LWN
report: May 16).
|
| Alerts: |
|
Comments (none posted)
Multiple vulnerabilities in tcpdump
| Package(s): | tcpdump |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | June 5, 2002 |
| Description: |
Version 3.5.2 fixed a
buffer overflow vulnerability in all prior versions. However,
newer versions, including 3.6.2, are vulnerable to another
buffer overflow in the AFS RPC functions that was reported by
Nick Cleaton.
(First LWN
report: May 9).
Both problems appear to have been reported and fixed in FreeBSD some months
ago. The CIAC
report on the vulnerability in versions prior to 3.5.2 is dated October
31, 2000. Nick Cleaton's FreeBSD
security advisory on the AFS RPC bug, and reference to a fix for
FreeBSD, is dated July, 17, 2001. Tcpdump 3.7 was released on January 21,
2002.
|
| Alerts: |
|
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
Multiple vulnerabilities in SNMP implementations
| Package(s): | ucdsnmp ucd-snmp |
CVE #(s): | CAN-2002-0012
CAN-2002-0013
|
| Created: | May 20, 2002 |
Updated: | September 17, 2002 |
| Description: |
Most SNMP
implementations out there have a variety of buffer overflow vulnerabilities
and should be upgraded at first opportunity. See this CERT advisory for more. (First
LWN report: February 14).
|
| Alerts: |
|
Comments (none posted)
webalizer: reverse DNS buffer overflow vulnerability
| Package(s): | webalizer |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | January 27, 2003 |
| Description: |
The cause is a buffer overflow bug.
This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victims DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
|
| Alerts: |
|
Comments (none posted)
Webmin/Usermin vulnerabilities
| Package(s): | webmin |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | January 10, 2003 |
| Description: |
Webmin is a web-based interface for
system administration for Unix.
Webmin has cross-site scripting and
session ID spoofing vulnerabilities
which are fixed in the May 6, 2002 release of version 0.970.
(First LWN
report: May 9).
This one is scary. The session ID
spoofing vulnerability allows the "possibility that arbitrary
commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
|
| Alerts: |
|
Comments (1 posted)
Problems with libgtop_daemon
| Package(s): | wuftpd libgtop |
CVE #(s): | |
| Created: | May 20, 2002 |
Updated: | May 7, 2003 |
| Description: |
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
|
| Alerts: |
|
Comments (1 posted)
zlib corrupts malloc data structures via double
free
| Package(s): | zlib rsync libz vnc zlib, cvs, gnupg, rrdtool, libz/zlib packages upgrade security problems cvs recompiled against updated + /tmp |
CVE #(s): | CAN-2002-0059
CAN-2002-0092
CAN-2002-0080
|
| Created: | May 20, 2002 |
Updated: | June 5, 2002 |
| Description: |
This vulnerability impacts all major Linux vendors. It may
impact every Linux installation on Earth.
Updates are required to zlib and any
packages that were statically built with the zlib code.
(First LWN report: March 14).
LinuxSecurity
describes the vulnerability and coordinated distributor efforts
in detail.
"Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc,
vnc, and many other programs that have the ability to use network
compression are potentially vulnerable."
Updating is recommended.
As always, please proceed with caution when applying updates to
the kernel.
|
| Alerts: |
|
Comments (none posted)
Resources
CERT Summary CS-2002-02
The
CERT Coordination Center (CERT/CC) issued their CERT
quaterly summary
"to draw attention to the types of attacks reported to our
incident response team, as well as other noteworthy incident and
vulnerability information."
Full Story (comments: none)
Announcing Fenris 0.06
Fenris 0.06
has been released by Michal Zalewski.
"This release brings you much improved debugging capabilities, from a
console-based debugging GUI [...], to
core functionality fixes, anti-debugger techniques detection, better
performance, or an updated write-up on debugging burneye-protected code."
Full Story (comments: none)
Linux Security Week and Advisory Watch
The
June 3 Linux Security Week from
LinuxSecurity.com is available, as are the Linux Advisory Watch Newsletters
from
May 24 and
May 31.
Comments (none posted)
Book Review: SSH, The Secure Shell - The Definitive Guide
Danny Yee has
reviewed
SSH, The Secure Shell - The Definitive Guide published by
O'Reilly & Associates in 2001.
Full Story (comments: none)
Events
Upcoming Security Events
| Date | Event | Location |
| June 6 - 7, 2002 | Qualys Security Conference | (Hotel Nikko)San Francisco, CA |
| June 17 - 19, 2002 | NetSec 2002 | San Fransisco, California, USA |
| June 24 - 28, 2002 | 14th Annual Computer Security Incident Handling Conference | (Hilton Waikoloa Village)Hawaii |
| June 24 - 26, 2002 | 15th IEEE Computer Security Foundations Workshop | (Keltic Lodge, Cape Breton)Nova Scotia, Canada |
| June 28 - 29, 2002 | Edinburgh Financial Cryptography Engineering 2002 | Edinburgh, Scotland |
| July 31 - August 1, 2002 | Black Hat Briefings 2002 | (Caesars Palace Hotel and Resort)Las Vegas, NV, USA |
| August 2 - 4, 2002 | Defcon | (Alexis Park Hotel and Resort)Las Vegas, Nevada |
| August 5 - 9, 2002 | 11th USENIX Security Symposium | San Francisco, CA, USA |
For additional security-related events, included training courses (which we
don't list above) and events further in the future, check out
Security Focus' calendar,
one of the primary resources we use for building the above list. To
submit an event directly to us, please send a plain-text message to
lwn@lwn.net.
Comments (none posted)
Page editor: Dennis Tenney
Next page: Kernel development>>
