LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
Letters to the editor
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Compromised systems: $0.10 each
Much attention has been given to the arrest of the Sasser worm author, but, as this Register article notes, the arrest of the author of Phatbot may be more significant. Phatbot, as described by CERT, propagates from one Windows system to the next via a whole set of vulnerabilities. Once established, it connects to an IRC server and awaits orders on what to do next. Systems compromised by Phatbot can be used for spamming, DOS attacks, and more.The interesting thing, perhaps, is the note that there is a market for access to Phatbot zombie systems; the going price for "non-exclusive" use of a compromised box is estimated to be about 10 cents.
The emergence of a market for compromised systems has the potential to change the dynamics of the security landscape somewhat. Many compromises are carried out by "script kiddies" who are breaking into systems for the fun of it. Others are attacked by crackers with specific goals: access to supercomputers or confidential information, for example. People who "have nothing worth stealing" on their systems have often taken a relaxed approach to security; even if they get broken into, they claim, there is very little that can actually happen.
In a world where zombie systems can be sold, everybody has something worth stealing. As this market develops, expect an increase in attacks as crackers race each other to control vulnerable systems and the money-making potential they represent. Sooner or later, a niche market for compromised Linux systems is almost certain to come into being as well. That will not be a welcome development for system administrators who were not looking for additional motivation for attacks on their systems.
New vulnerabilities
apache: multiple vulnerabilities
| Package(s): | apache | CVE #(s): | CAN-2003-0993 CAN-2003-0020 CAN-2003-0987 CAN-2004-0174 | ||||||||||||||||||
| Created: | May 12, 2004 | Updated: | May 26, 2004 | ||||||||||||||||||
| Description: | Versions of apache 1 through 1.3.30 include several minor vulnerabilities, including the writing of unescaped data to the error log file, a denial of service vulnerability, and a parsing failure in Allow/Deny rules on big-endian, 64-bit platforms. See the apache 1.3.31 announcement for details. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
clamav: improper string checking
| Package(s): | clamav | CVE #(s): | ||||
| Created: | May 12, 2004 | Updated: | May 12, 2004 | |||
| Description: | Versions of clamav prior to 0.70 fail to check filenames when responding to viruses; with certain configurations, this failure can allow an attacker to execute arbitrary commands. | |||||
| Alerts: |
| |||||
exim: stack-based buffer overflows
| Package(s): | exim exim-tls | CVE #(s): | CAN-2004-0399 CAN-2004-0400 | |||||||||
| Created: | May 7, 2004 | Updated: | May 14, 2004 | |||||||||
| Description: | Georgi Guninski discovered two stack-based buffer overflows.
CAN-2004-0399: When "sender_verify = true" is configured in exim.conf a buffer overflow can happen during verification of the sender. This problem is fixed in exim 4. CAN-2004-0400: When headers_check_syntax is configured in exim.conf a buffer overflow can happen during the header check. This problem does also exist in exim 4. | |||||||||||
| Alerts: |
| |||||||||||
SUSE Live CD: no-password root access
| Package(s): | SUSE Live CD | CVE #(s): | ||||
| Created: | May 12, 2004 | Updated: | May 12, 2004 | |||
| Description: | The SUSE 9.1 live CD boots with ssh connections enabled and no root password; as a result, a remote attacker can gain privileged access simply by logging in as root. | |||||
| Alerts: |
| |||||
Updated vulnerabilities
LHA: stack buffer overflows and directory traversal flaws
| Package(s): | LHA | CVE #(s): | CAN-2004-0234 CAN-2004-0235 | ||||||||||||||||||||||||
| Created: | April 30, 2004 | Updated: | June 11, 2004 | ||||||||||||||||||||||||
| Description: | LHA is an archiving and compression utility for LHarc format archives. Ulf
Harnhammar discovered two stack buffer overflows and two directory
traversal flaws in LHA. See this advisory+patch for more details.
CAN-2004-0234: An attacker could exploit the buffer overflows by creating a carefully crafted LHA archive in such a way that arbitrary code would be executed when the archive is tested or extracted by a victim. CAN-2004-0235: An attacker could exploit the directory traversal issues to create files as the victim outside of the expected directory. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
OpenSSL: denial of service vulnerabilities
| Package(s): | OpenSSL | CVE #(s): | CAN-2004-0081 CAN-2003-0851 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 17, 2004 | Updated: | November 2, 2005 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
apache - denial of service in mod_ssl
| Package(s): | apache | CVE #(s): | CAN-2004-0113 | ||||||||||||
| Created: | April 13, 2004 | Updated: | May 25, 2004 | ||||||||||||
| Description: | A memory leak has been discovered in mod_ssl that may be triggered by sending normal HTTP requests to the Apache HTTPS port. An attacker can exploit this vulnerability to consume all memory available in the server, thus causing a denial of service condition. This problem has been fixed in Apache 2.0.49. | ||||||||||||||
| Alerts: |
| ||||||||||||||
cvs: client-side file overwrite vulnerability
| Package(s): | cvs | CVE #(s): | CAN-2004-0180 | |||||||||||||||||||||||||||||||||
| Created: | April 14, 2004 | Updated: | May 18, 2004 | |||||||||||||||||||||||||||||||||
| Description: | The cvs client is vulnerable to a pathname vulnerability which can allow a hostile server to overwrite files on the local system. The cvs server is subject to a similar vulnerability which allows the checkout of RCS archives anywhere on the server system. Versions 1.11.15 and 1.12.7 fix the problem. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
eterm: command execution
| Package(s): | eterm | CVE #(s): | CAN-2003-0068 | |||
| Created: | April 29, 2004 | Updated: | May 5, 2004 | |||
| Description: | eterm has a vulnerability in which escape codes can be inserted by an attacker to cause the user to execute malicious commands. | |||||
| Alerts: |
| |||||
ethereal - multiple vulnerabilities
| Package(s): | ethereal | CVE #(s): | CAN-2004-0176 CAN-2004-0365 CAN-2004-0367 | ||||||||||||||||||||||||
| Created: | March 29, 2004 | Updated: | June 2, 2004 | ||||||||||||||||||||||||
| Description: | There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.3. More information can be found in this advisory from ethereal.com and in this Eye on Security advisory. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
Filename disclosure vulnerability in fam
| Package(s): | fam | CVE #(s): | CAN-2002-0875 | ||||||
| Created: | August 19, 2002 | Updated: | January 5, 2005 | ||||||
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. | ||||||||
| Alerts: |
| ||||||||
flim: insecure file creation
| Package(s): | flim | CVE #(s): | CAN-2004-0422 | |||||||||
| Created: | May 5, 2004 | Updated: | December 16, 2004 | |||||||||
| Description: | The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. | |||||||||||
| Alerts: |
| |||||||||||
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml | CVE #(s): | CAN-2003-0133 CAN-2003-0541 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | April 18, 2005 | ||||||||||||||||||
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
iproute: local denial of service
| Package(s): | iproute net-tools | CVE #(s): | CAN-2003-0856 | ||||||||||||||||||
| Created: | November 25, 2003 | Updated: | December 14, 2004 | ||||||||||||||||||
| Description: | The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
racoon: failure to verify signatures
| Package(s): | ipsec-tools racoon | CVE #(s): | CAN-2004-0155 | |||||||||
| Created: | April 7, 2004 | Updated: | August 19, 2004 | |||||||||
| Description: | Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details. | |||||||||||
| Alerts: |
| |||||||||||
racoon: denial of service vulnerability
| Package(s): | ipsec-tools racoon iputils | CVE #(s): | CAN-2004-0403 | |||||||||||||||||||||
| Created: | April 26, 2004 | Updated: | July 29, 2004 | |||||||||||||||||||||
| Description: | racoon does not check the length of ISAKMP headers. Attackers may be able to craft an ISAKMP header of sufficient length to consume all available system resources, causing a Denial of Service. This advisory contains additional details. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kdelibs: cookie disclosure
| Package(s): | kdelibs | CVE #(s): | CAN-2003-0592 | |||||||||||||||
| Created: | March 10, 2004 | Updated: | August 24, 2004 | |||||||||||||||
| Description: | kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
kdepim: VCF file information reader vulnerability
| Package(s): | kdepim | CVE #(s): | CAN-2003-0988 | |||||||||||||||||||||
| Created: | January 15, 2004 | Updated: | May 26, 2004 | |||||||||||||||||||||
| Description: | KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
kernel: symlink overflow in the iso9660 filessytem
| Package(s): | kernel | CVE #(s): | CAN-2004-0109 | |||||||||||||||||||||||||||||||||||||||
| Created: | April 14, 2004 | Updated: | July 15, 2004 | |||||||||||||||||||||||||||||||||||||||
| Description: | The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
kernel - root exploit in MCAST_MSFILTER
| Package(s): | kernel | CVE #(s): | CAN-2004-0424 | |||||||||||||||||||||
| Created: | April 22, 2004 | Updated: | June 11, 2004 | |||||||||||||||||||||
| Description: | A locally exploitable integer overflow has been found the multicast code of the Linux kernel versions 2.4.22 to 2.4.25 and 2.6.1 - 2.6.3. A successful exploit could lead to full superuser privileges. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
Linux kernel 2.2.10 failing function and TLB flush vulnerability
| Package(s): | kernel-source-2.2.10 | CVE #(s): | CAN-2004-0077 | ||||||
| Created: | March 18, 2004 | Updated: | June 4, 2004 | ||||||
| Description: | A local root exploit is possible due to early flushing of the TLB. | ||||||||
| Alerts: |
| ||||||||
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils | CVE #(s): | CAN-2003-0019 | |||
| Created: | February 7, 2003 | Updated: | January 21, 2005 | |||
| Description: | The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: chmod -s /usr/bin/uml_net | |||||
| Alerts: |
| |||||
kolab: password disclosure
| Package(s): | kolab | CVE #(s): | |||||||
| Created: | May 5, 2004 | Updated: | May 27, 2004 | ||||||
| Description: | Kolab stores passwords in plain text format, and these passwords can read from the underlying LDAP database. See this advisory for more information. | ||||||||
| Alerts: |
| ||||||||
libpng: denial of service vulnerability.
| Package(s): | libpng | CVE #(s): | CAN-2004-0421 | |||||||||||||||||||||||||||||||||
| Created: | April 29, 2004 | Updated: | June 11, 2004 | |||||||||||||||||||||||||||||||||
| Description: | The PNG library can accesses memory that is out of bounds when creating an error message, this can be exploited by a malformed PNG image file. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 | CVE #(s): | CAN-2002-1363 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 19, 2002 | Updated: | July 14, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
libxml2 - arbitrary code execution
| Package(s): | libxml2 | CVE #(s): | CAN-2004-0110 | |||||||||||||||||||||||||||||||||||||||
| Created: | February 26, 2004 | Updated: | July 21, 2004 | |||||||||||||||||||||||||||||||||||||||
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. | |||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||
logcheck: symlink vulnerability
| Package(s): | logcheck | CVE #(s): | CAN-2004-0404 | ||||||
| Created: | April 21, 2004 | Updated: | December 22, 2004 | ||||||
| Description: | The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. | ||||||||
| Alerts: |
| ||||||||
mailman denial of service
| Package(s): | mailman | CVE #(s): | CAN-2003-0991 | ||||||||||||
| Created: | February 9, 2004 | Updated: | May 25, 2004 | ||||||||||||
| Description: | Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue. | ||||||||||||||
| Alerts: |
| ||||||||||||||
mc: multiple vulnerabilities
| Package(s): | mc | CVE #(s): | CAN-2004-0226 CAN-2004-0231 CAN-2004-0232 | |||||||||||||||||||||
| Created: | April 29, 2004 | Updated: | May 26, 2004 | |||||||||||||||||||||
| Description: | Midnight Commander has multiple vulnerabilities including buffer overflows, insecure temp files, and format string problems. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
metamail: integer and buffer overflows
| Package(s): | metamail | CVE #(s): | CAN-2004-0104 CAN-2004-0105 | |||||||||||||||
| Created: | February 18, 2004 | Updated: | May 21, 2004 | |||||||||||||||
| Description: | Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
mikmod: buffer overflow
| Package(s): | mikmod | CVE #(s): | CAN-2003-0427 | |||||||||||||||
| Created: | June 16, 2003 | Updated: | June 16, 2005 | |||||||||||||||
| Description: | Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
mod_python: denial of service vulnerability
| Package(s): | mod_python | CVE #(s): | CAN-2003-0973 | |||||||||||||||||||||
| Created: | January 27, 2004 | Updated: | October 4, 2004 | |||||||||||||||||||||
| Description: | Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability, however, because the vulnerability has not been fully fixed, version 2.7.10 has been released. Users of mod_python 3.0.4 are not affected by this vulnerability. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
mozilla: multiple vulnerabilties
| Package(s): | mozilla | CVE #(s): | CAN-2003-0594 CAN-2003-0564 | ||||||||||||
| Created: | March 10, 2004 | Updated: | August 19, 2004 | ||||||||||||
| Description: | Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks. | ||||||||||||||
| Alerts: |
| ||||||||||||||
mpg321: format string vulnerability
| Package(s): | mpg321 | CVE #(s): | CAN-2003-0969 | ||||||
| Created: | January 6, 2004 | Updated: | March 28, 2005 | ||||||
| Description: | A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming). | ||||||||
| Alerts: |
| ||||||||
MySQL: temporary file vulnerabilities
| Package(s): | mysql | CVE #(s): | CAN-2004-0381 CAN-2004-0388 | ||||||||||||
| Created: | April 14, 2004 | Updated: | August 18, 2004 | ||||||||||||
| Description: | The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system. | ||||||||||||||
| Alerts: |
| ||||||||||||||
neon: format string vulnerabilities
| Package(s): | neon | CVE #(s): | CAN-2004-0179 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | April 14, 2004 | Updated: | May 18, 2004 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | The neon WebDAV library contains format string vulnerabilities which may be exploited by a hostile DAV server. This vulnerability exists in utilities which use neon, including cadaver and OpenOffice.org. | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
Nessus NASL scripting engine security issues
| Package(s): | nessus | CVE #(s): | ||||
| Created: | May 27, 2003 | Updated: | August 12, 2004 | |||
| Description: | Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information. | |||||
| Alerts: |
| |||||
netpbm: insecure temporary files
| Package(s): | netpbm | CVE #(s): | CAN-2003-0924 | |||||||||||||||||||||||||||
| Created: | January 19, 2004 | Updated: | December 29, 2004 | |||||||||||||||||||||||||||
| Description: | netpbm is graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
openssh: timing attack leads to information disclosure
| Package(s): | openssh | CVE #(s): | CAN-2003-0190 | |||||||||||||||
| Created: | May 2, 2003 | Updated: | November 30, 2004 | |||||||||||||||
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
postfix: denial of service vulnerabilities
| Package(s): | postfix | CVE #(s): | CAN-2003-0468 CAN-2003-0540 | ||||||||||||||||||||||||
| Created: | August 5, 2003 | Updated: | May 27, 2004 | ||||||||||||||||||||||||
| Description: | The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
proftpd privilege escalation
| Package(s): | proftpd | CVE #(s): | ||||||||||
| Created: | April 30, 2004 | Updated: | May 19, 2004 | |||||||||
| Description: | A portability workaround was applied in version 1.2.9 of the FTP server ProFTPD. As a side-effect, CIDR based (aaa.bbb.ccc.ddd/NN) ACL entries in "Allow" and "Deny" directives act like an "AllowAll" directive and so FTP clients are granted access to files and directories although the server configuration might explicitly deny this. See this bug report. | |||||||||||
| Alerts: |
| |||||||||||
python: buffer overflow
| Package(s): | python | CVE #(s): | CAN-2004-0150 | |||||||||||||||
| Created: | March 10, 2004 | Updated: | October 11, 2004 | |||||||||||||||
| Description: | Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
rsync remote file write attack
| Package(s): | rsync | CVE #(s): | CAN-2004-0426 | ||||||||||||||||||||||||||||||
| Created: | April 30, 2004 | Updated: | July 12, 2004 | ||||||||||||||||||||||||||||||
| Description: | See the rsync homepage for the April 2004 advisory: "There is a security problem in all versions prior to 2.6.1 that affects only people running a read/write daemon WITHOUT using chroot. If the user privs that such an rsync daemon is using is anything above "nobody", you are at risk of someone crafting an attack that could write a file outside of the module's "path" setting (where all its files should be stored). Please either enable chroot or upgrade to 2.6.1. People not running a daemon, running a read-only daemon, or running a chrooted daemon are totally unaffected." | ||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||
samba: local root and symlink vulnerabilities
| Package(s): | samba | CVE #(s): | |||||||
| Created: | April 29, 2004 | Updated: | May 5, 2004 | ||||||
| Description: | Two vulnerabilities in Samba have been found. Smbfs has a setuid root exploit problem, and smbprint has a tempfile symlink vulnerability. | ||||||||
| Alerts: |
| ||||||||
ssmtp format string vulnerability
| Package(s): | ssmtp | CVE #(s): | CAN-2004-0156 | |||||||||
| Created: | April 15, 2004 | Updated: | May 7, 2004 | |||||||||
| Description: | Max Vozeler discovered two format string vulnerabilities in ssmtp, a simple mail transport agent. Untrusted values in the functions die() and log_event() were passed to printf-like functions as format strings. These vulnerabilities could potentially be exploited by a remote mail relay to gain the privileges of the ssmtp process (including potentially root). | |||||||||||
| Alerts: |
| |||||||||||
sysklogd: heap overflow
| Package(s): | sysklogd | CVE #(s): | |||||||
| Created: | April 29, 2004 | Updated: | May 5, 2004 | ||||||
| Description: | Sysklogd has a memory allocation vulnerability that can allow a malicious attacker to write to unallocated memory and crash sysklogd. | ||||||||
| Alerts: |
| ||||||||
sysstat: temporary file vulnerability
| Package(s): | sysstat | CVE #(s): | CAN-2004-0107 CAN-2004-0108 | ||||||||||||||||||||||||
| Created: | March 10, 2004 | Updated: | October 4, 2004 | ||||||||||||||||||||||||
| Description: | The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip | CVE #(s): | CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399 | |||||||||||||||||||||||||||
| Created: | October 1, 2002 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
| Package(s): | tcpdump | CVE #(s): | CAN-2004-0183 CAN-2004-0184 | |||||||||||||||||||||||||||
| Created: | March 30, 2004 | Updated: | September 30, 2004 | |||||||||||||||||||||||||||
| Description: | TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 | CVE #(s): | |||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 21, 2002 | Updated: | October 5, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
utempter problems with symlink and strncpy
| Package(s): | utempter | CVE #(s): | CAN-2004-0233 | |||||||||||||||||||||||||||
| Created: | April 19, 2004 | Updated: | June 11, 2004 | |||||||||||||||||||||||||||
| Description: | Steve Grubb discovered two potential issues in the utempter program:
| |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat | CVE #(s): | CAN-2004-0409 | |||||||||||||||||||||
| Created: | April 19, 2004 | Updated: | November 14, 2005 | |||||||||||||||||||||
| Description: | XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, enable SOCKS 5 traversal which is disabled by default and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
xine-lib: malicious code execution
| Package(s): | xine-lib | CVE #(s): | CAN-2004-0433 | ||||||
| Created: | May 3, 2004 | Updated: | May 28, 2004 | ||||||
| Description: | A vulnerability exists in xine-lib where playing a specially crafted Real RTSP stream could run malicious code as the user playing the stream. More details can be found in this advisory. The problem has been fixed in xine-lib 1-rc4. | ||||||||
| Alerts: |
| ||||||||
xine-ui - insecure temporary file creation
| Package(s): | xine-ui | CVE #(s): | CAN-2004-0372 | ||||||||||||
| Created: | April 6, 2004 | Updated: | April 27, 2006 | ||||||||||||
| Description: | Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine. | ||||||||||||||
| Alerts: |
| ||||||||||||||
Resources
The Hackademy Journal
The Hackademy Journal is a new subscription publication aimed at coverage of security issues at a high technical level. Click below for more information.
Page editor: Jonathan Corbet
Next page: Kernel development>>