LWN.net Logo

LWN.net Weekly Edition for June 3, 2004

A look at SpamAssassin 3.0

June 2, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

For many of us, SpamAssassin is all that stands between us and an inbox clogged to the gills with unwanted e-mail. With the much-anticipated 3.0 release just around the corner, we decided to see what anti-spam fighters would have to work with in the near future. To that end, we touched base with SpamAssassin developers Theo Van Dinter and Craig Hughes. Hughes left the project recently, but was heavily involved in the development of 3.0 and still has his finger on the pulse of SpamAssassin development.

What's different from the current release, and why the version jump? Both Van Dinter and Hughes noted some important technical improvements in the 3.0 release. Hughes said that the most important feature for 3.0 is its modularity. The 3.0 release is "more modular, easier to write plugins for...easier to plug in other pieces of functionality that aren't distributed with the core package," said Hughes. He noted that prior to 3.0, it was difficult to add in custom code for functions that were not part of SpamAssassin.

Both Hughes and Van Dinter also noted the replacement of SpamAssassin's "genetic algorithm" with a "perceptron learner" for score generation. Van Dinter noted that the new score generation is vastly improved, taking the average time from "[around] 14 hours to less than five minutes per scoreset (there are four)." Van Dinter also told LWN that the message/mime parser for SpamAssassin has been rewritten "essentially from scratch."

Another big improvement for 3.0 is improved scalability. The new version supports installations with larger numbers of mailboxes, with preferences stored in an SQL database or LDAP server. The primary focus there, according to Hughes, was for large ISPs that wanted to use SpamAssassin without having a Unix login or home directory for every user.

While there are plenty of technical improvements in SpamAssassin, Hughes also noted that there's a non-technical rationale for the bump to 3.0. SpamAssassin is in the process of becoming a top-level project of the Apache Software Foundation. This also means a licensing change for the project, which was quite a bit of work according to Hughes:

It's going to be using the Apache License instead of using Perl's licensing, and we've gone through a tremendously long, laborious, tedious even, process of sourcing every line of code...making sure that every author really did have the rights to publish it.

Hughes said that the project met little resistance in switching from the former licensing scheme -- which allowed licensing under either the GPL or the Perl Artistic License -- to the Apache Software License. Hughes said that "only a handful" of developers said they wouldn't allow their code to be relicensed, as well as "two or three we couldn't contact." The end result, he said, was that nothing substantial had to be removed due to licensing issues.

Because of the nature of the project, we were also curious how SpamAssassin manages to stay ahead of spammers. According to Van Dinter, it's not so much staying ahead as an "arms race" between SpamAssassin and spammers:

We filter, they mutate, we start filtering the mutation, they mutate again. Lather, Rinse, Repeat. I'm actually not really involved in the rules (I work on the back-end code more than anything else,) but it basically comes down to looking at the spam that's coming in, seeing which ones aren't caught, and figuring out how to catch them in the future. There are also other useful data points unrelated to the messages themselves. For instance, verifying that the sender isn't forged via SPF (Sender Policy Framework) and utilizing the information provided by SenderBase.

Hughes told LWN that there are two things that help SpamAssassin stay ahead of spammers:

One is that you only have to stay ahead of most spammers. There may be one percent that may be particularly good [at getting by SpamAssassin] but if you can block 99 percent of it, it doesn't matter that much...we're not shooting to be perfect, we're shooting to be as good as we can without trying to squeeze out that last one percent.

The other thing is the sheer complexity of SpamAssassin. It's not just a Bayesian filter, it's not just looking up things in RBLs...it's all those things together. It's actually very, very non-trivial for a human to be able to craft a message that's a piece of spam and get through...to defeat all of the system requires a great deal of work, or a lot of luck.

Another piece of good news for SpamAssassin enthusiasts, is that it shouldn't be hard to upgrade. According to Hughes, it "should be simple, as long as you're not doing anything really funky" in terms of tweaking and customizing the SpamAssassin code. He noted that the 3.0 release is designed to recognize file format changes, and to automatically upgrade user files that are in the old format.

If the SpamAssassin 3.0 meta-bug dependency tree is any indication, there's not much left to do before the 3.0-final release. Hughes said that the project "looks like it's on target" to meet the June 30 release date. Users are encouraged to help test SpamAssassin prior to the final release.

Comments (20 posted)

BayStar leaves the building

Back in October, 2003, the $50 million PIPE investment in the SCO Group by BayStar and the Royal Bank of Canada was seen as good news for SCO. In May, 2004, things have changed to the point that the dissolution of that investment is also seen as good news for the company. SCO, it seems, is in a different world than it was late last year.

BayStar had been left holding 40,000 of the 50,000 shares of "series A-1" preferred stock created by the initial investment. BayStar had also been very public about its desire to redeem those shares and its lack of faith in SCO's management. The result was a dark cloud of potential litigation lurking over SCO; it is not surprising that SCO was looking for a way to settle the issue. As it turns out, SCO did pretty well for itself.

The full stock repurchase agreement is available via the SEC. It calls for SCO to buy back those 40,000 shares of preferred stock; the cost will be $13 million in cash and just over 2.1 million shares of SCO common stock. So, in the end, SCO sold that stock for $50 million, and was able to buy it back (including the 10,000 shares redeemed by RBC) for $13 million and some paper. This is, indeed, a good deal for SCO; BayStar must have wanted out badly.

There are a couple of interesting provisions in the agreement. One is that BayStar is limited in how quickly it can sell the common stock; it can't make up more than 10% of the average volume on any given day. The two companies also agree not to badmouth each other. The effect of that agreement would seem to be immediately apparent. In April, BayStar was complaining about SCO's attempts to continue to look like a software company, SCO's management, and its lack of focus on the IBM case. In the press release describing the new agreement, instead, we read:

"After productive and substantial discussions with SCO's management team, board of directors and legal team, BayStar is extremely satisfied with SCO's current operating and cash management plans, new initiatives, management of the litigation, and plans for improving its business going forward," said Larry Goldfarb, managing general partner, BayStar Capital.

It is true that the company would appear to have muzzled Darl McBride recently. Other than that, however, there has been little change. The same management team is in charge, and it's doing the same things. If BayStar were so happy with SCO's progress, what reason could it possibly have for cashing out its investment now at a serious loss? BayStar, instead, gives every indication of running for the exit at full speed, preferably ahead of the quarterly earnings announcement (which has been delayed until June 10).

One other interesting feature of the non-disparagement clause:

...the Company's obligation not to disparage or defame BayStar as set forth above shall be limited to the actions or comments of the Company's executive officers, directors, attorneys, advisors [sic], consultants, representatives and The Canopy Group, Inc.

Canopy is not a party to this agreement. One might well wonder how SCO is able to commit Canopy to keeping its mouth shut.

The end result of all this is that the SCO Group has freed itself from a major distraction, cleared a liability off its books (including the 8% dividends it was supposed to start paying BayStar next year), and obtained $37 million of obligation-free cash (excluding lawyer fees, of course). The company is, indeed, in a better position to concentrate on its many open court cases. It may even be able to turn Darl loose in the near future; life hasn't been the same without his strange pronouncements.

[Looking forward: the next events in SCO's legal calendar include a hearing in the DaimlerChrysler case (June 9), and a ruling due anytime in the Novell case. The Novell ruling will include Novell's motion to dismiss, and, if that is denied, SCO's motion to move the case back to Utah state court.]

Comments (4 posted)

SCO shows more code

On the surface, the declaration of Todd. M. Shaugnessy filed by IBM in the SCO case looks like fairly boring stuff. It consists of a long list of exhibits filed by IBM. Some of those exhibits, however, have not been seen before, and some of those warrant a look. In particular, exhibit 28 covers SCO's answers to the motions to compel discovery. SCO has now "shown the code," and we can see what the company is claiming.

The first part of the declaration covers code contributed from AIX and Dynix to Linux. In the former case, SCO now contents itself with listing the JFS filesystem. From Dynix, SCO notes the read-copy-update technique and some NUMA support code. The broader claim over Linux's SMP code appears to have quietly gone away.

IBM keeps asking SCO to identify the specific lines of System V code which, SCO claims, IBM contributed to Linux. SCO continues to evade that question. The company did, under duress, provide listings of parts of AIX and Dynix that, it claims, derive from Unix. The bulk of the AIX listing is the curses and terminfo libraries; no kernel files are listed there. For Dynix, some kernel files are listed (along with the source of utilities like awk), but there appears to be no intersection with the Dynix files that, SCO claims, IBM contributed to Linux. SCO says that doesn't matter:

In fact, SCO steadfastly maintains that this item is not relevant to this litigation nor is it likely to lead to the discovery of admissible evidence. The main issue in this case is whether IBM has breached its contract with SCO because it contributed or otherwise disposed of a part of AIX or Dynix/ptx to others in contravention of the terms of the license agreement.

In other words, there is not actually any SCO-owned code in IBM's contributions to Linux, but SCO claims control over those contributions anyway. Nothing particularly new there.

Finally, and, perhaps, most interestingly, SCO has included a set of other files (exhibit 28-G) for which it claims ownership. The first part of this list consists of the Linux streams (LiS) patch which has never been part of the mainline kernel. Interestingly, the LiS distribution was hosted at Caldera for some time. But the company formerly known as Caldera would rather forget that now; the company claims, in its filing, the LiS has not appeared in "any Linux-related product distributed by SCO."

The Free Software Foundation recently claimed that the reason SCO went after the kernel and not the FSF was the latter's copyright assignment policies. So the FSF should be interested to see that SCO claims rights over significant chunks of the glibc and binutils packages. In particular, SCO claims ownership of just about anything which touches the ELF executable file format. Many tens of thousands of lines of FSF-owned code are claimed by SCO. Some of the claims are amusing in typical SCO fashion; for example, the exhibit lists elf/interp.c from glibc, which consists of the copyright header and exactly one line of code:

const char __invoke_dynamic_linker__[] __attribute__ ((section (".interp")))
  = RUNTIME_LINKER;

SCO has also added claims to the ELF code in the 2.4.21 kernel, along with the SYSV filesystem and the SYSV interprocess communication code.

SCO acknowledges that it distributed all of the above code (except for LiS), but claims it was unaware that "its intellectual property" was present at the time. One might well question how, if the SCO group claims to own the ELF file format, it could be unaware that it was distributing ELF-related code. ELF is, after all, the fundamental file format used by Linux. But one should not be surprised by this sort of claim from the SCO Group.

The interesting question, instead, is whether the SCO Group will attempt to pursue its claims to the ELF code. These claims could be used to launch attacks against the FSF, any Linux distributor, or even any of the BSD variants. The last thing SCO needs is yet another lawsuit, but that has not stopped this company before. As SCO's claims against the Linux kernel fall apart, its management may well be tempted to cast a wider net.

Comments (11 posted)

Page editor: Jonathan Corbet

Security

The CVS pserver bug - a timeline

Quick response to security incidents is considered one of the strong points of the free software community. It is also seen as a vital component of a site's defenses against attacks. With that in mind, it is worth taking a look at how the recent CVS vulnerability played out:

May 2 Stefan Esser discovers a vulnerability in CVS, up to versions 1.11.15 and 1.12.7. A buffer overflow in the "entry" line parsing code would allow an attacker to execute arbitrary code on the system when the "pserver" access technique is being used. Mr. Esser informs the CVS developers, and is told almost immediately that a fix has been prepared.
May 3 Various high-profile CVS sites are informed of the problem and its fix.
May 12 A new patch is prepared after SourceForge discovers a problem with the previous versions.
May 19 The "coordinated public disclosure" happens, just in time to screw up the LWN publication deadline. Updates are released by Debian, Fedora, Mandrake, Red Hat, Slackware, and SUSE.
May 20 Gentoo releases its updated cvs package.
May 27 CERT gets around to sending out an advisory on the vulnerability.

A few quick conclusions can be drawn from this sequence of events:

  • The coordinated disclosure mechanism had some glitches in its early days, but it seems to be working well now. The problem was kept quiet for a couple of weeks, after which most major distributors were able to issue patches almost simultaneously.

  • One may well wonder, again, what the relevance of CERT is; it took just over a week to get an advisory out after the public disclosure. By then, anybody who was paying attention had already closed the hole.

  • Some distributions do not yet have updates out. These include Conectiva, Whitebox, and Trustix. (Update: Trustix lacks an update because it does not ship CVS, our mistake). Red Hat Linux users are also exposed; the Fedora Legacy project has not yet issued a cvs update.

The last item is somewhat troubling. Given the nature of this vulnerability and the availability of information, no serious distributor should have failed to have an update ready on the disclosure day. One can thus conclude that some distributors are more serious than others. In particular, it is worth noting that the projects which rework Red Hat distributions and updates (Whitebox, CentOS, Fedora Legacy) have failed to react to this vulnerability in a timely way. It may well be that, if you lack the structure necessary to create a distribution in the first place, you will be hard pressed to keep that distribution secure.

Comments (8 posted)

New vulnerabilities

apache2: stack-based buffer overflow in ssl_util.c

Package(s):apache2 CVE #(s):CAN-2004-0488
Created:June 1, 2004 Updated:October 14, 2004
Description: A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.
Alerts:
Fedora-Legacy FLSA:1888 2004-10-13
Debian DSA-532-2 2004-07-27
Debian DSA-532-1 2004-07-22
Red Hat RHSA-2004:245-01 2004-06-14
Gentoo 200406-05 2004-06-09
Slackware SSA:2004-154-01 2004-06-02
OpenPKG OpenPKG-SA-2004.026 2004-05-27
Trustix TSLSA-2004-0031 2004-06-02
Mandrake MDKSA-2004:054 2004-06-01
Mandrake MDKSA-2004:055 2004-06-01

Comments (none posted)

gallery: unauthenticated access

Package(s):gallery CVE #(s):
Created:June 2, 2004 Updated:June 15, 2004
Description: The "gallery" photo album has a vulnerability which can allow access to the administrative account without authentication.
Alerts:
Gentoo 200406-10 2004-06-15
Debian DSA-512-1 2004-06-02

Comments (none posted)

gatos: privilege escalation

Package(s):gatos CVE #(s):CAN-2004-0395
Created:June 2, 2004 Updated:June 2, 2004
Description: The xatitv program, part of the gatos package, fails to drop root privileges after an initialization failure. For added fun, it then calls system() with unsanitized environment variables.
Alerts:
Debian DSA-509-1 2004-05-29

Comments (none posted)

jftpgw: format string vulnerability

Package(s):jftpgw CVE #(s):CAN-2004-0448
Created:June 2, 2004 Updated:June 2, 2004
Description: jftpgw (an FTP proxy) contains a format string vulnerability which could allow the execution of arbitrary commands with the privileges of the server process.
Alerts:
Debian DSA-510-1 2004-05-29

Comments (none posted)

kerberos: buffer overflows

Package(s):kerberos5 CVE #(s):
Created:June 2, 2004 Updated:June 2, 2004
Description: MIT Kerberos 5 suffers from multiple buffer overflows which could lead to a remote root exploit, though the exploit looks difficult. Versions through krb5-1.3.3 are affected; see this advisory for more information.
Alerts:
Trustix TSLSA-2004-0032 2004-06-02

Comments (none posted)

mailman: password disclosure

Package(s):mailman CVE #(s):CAN-2004-0412
Created:May 27, 2004 Updated:July 20, 2004
Description: In mailman versions above 2.1, third parties can retrieve member passwords from the server.
Alerts:
Fedora-Legacy FLSA:1734 2004-07-19
Fedora FEDORA-2004-168 2004-07-01
Fedora FEDORA-2004-167 2004-07-01
Gentoo 200406-04 2004-06-09
Mandrake MDKSA-2004:051 2004-05-26

Comments (none posted)

Updated vulnerabilities

apache: multiple vulnerabilities

Package(s):apache CVE #(s):CAN-2003-0993 CAN-2003-0020 CAN-2003-0987 CAN-2004-0174
Created:May 12, 2004 Updated:May 26, 2004
Description: Versions of apache 1 through 1.3.30 include several minor vulnerabilities, including the writing of unescaped data to the error log file, a denial of service vulnerability, and a parsing failure in Allow/Deny rules on big-endian, 64-bit platforms. See the apache 1.3.31 announcement for details.
Alerts:
Gentoo 200405-22 2004-05-26
Mandrake MDKSA-2004:046-1 2004-05-20
Mandrake MDKSA-2004:046 2004-05-17
Trustix TSLSA-2004-0027 2004-05-13
Slackware SSA:2004-133-01 2004-05-12
OpenPKG OpenPKG-SA-2004.021 2004-05-12

Comments (none posted)

cvs: heap overflow

Package(s):cvs CVE #(s):CAN-2004-0396
Created:May 19, 2004 Updated:June 11, 2004
Description: CVS (through version 1.11.15 or 1.12.7) contains a remotely exploitable heap overflow vulnerability; see this advisory from Stefan Esser for details. If you are running cvs with the "pserver" protocol, a quick upgrade is recommended (dropping pserver is also a very good idea for security-conscious sites).
Alerts:
Whitebox WBSA-2004:190-01 2004-06-10
Fedora-Legacy FLSA:1620 2004-06-02
Slackware SSA:2004-140-01 2004-05-19
Gentoo 200405-12 2004-05-20
OpenPKG OpenPKG-SA-2004.022 2004-05-19
Mandrake MDKSA-2004:048 2004-05-19
Fedora FEDORA-2004-131 2004-05-19
Fedora FEDORA-2004-126 2004-05-19
SuSE SuSE-SA:2004:013 2004-05-19
Red Hat RHSA-2004:190-01 2004-05-19
Debian DSA-505-1 2004-05-19

Comments (none posted)

ethereal - multiple vulnerabilities

Package(s):ethereal CVE #(s):CAN-2004-0176 CAN-2004-0365 CAN-2004-0367
Created:March 29, 2004 Updated:June 2, 2004
Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.3. More information can be found in this advisory from ethereal.com and in this Eye on Security advisory.
Alerts:
Debian DSA-511-1 2004-05-30
OpenPKG OpenPKG-SA-2004.015 2004-04-16
Red Hat RHSA-2004:137-01 2004-03-31
Mandrake MDKSA-2004:024 2004-03-30
Conectiva CLA-2004:835 2004-03-31
Red Hat RHSA-2004:136-01 2004-03-30
Netwosix NW-2004-0007 2004-03-29
Gentoo 200403-07 2004-03-28

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

firebird: Locally exploitable stack overflow

Package(s):firebird CVE #(s):
Created:May 24, 2004 Updated:May 26, 2004
Description: A buffer overflow exists in three Firebird database binaries (gds_inet_server, gds_lock_mgr, and gds_drop) that is exploitable by setting a large value to the INTERBASE environment variable. An attacker could control program execution, allowing privilege escalation to the UID of Firebird, full access to Firebird databases, and trojaning the Firebird binaries. An attacker could use this to compromise other user or root accounts. See also this bug report.
Alerts:
Gentoo 200405-18 2004-05-23

Comments (none posted)

flim: insecure file creation

Package(s):flim CVE #(s):CAN-2004-0422
Created:May 5, 2004 Updated:December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Fedora FEDORA-2004-546 2004-12-15
Red Hat RHSA-2004:344-01 2004-08-18
Debian DSA-500-1 2004-05-01

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

heimdal: missing input sanitizing

Package(s):heimdal CVE #(s):CAN-2004-0472
Created:May 18, 2004 Updated:May 27, 2004
Description: Evgeny Demidov discovered a potential buffer overflow in a Kerberos 4 component of heimdal, a free implementation of Kerberos 5. The problem is present in kadmind, a server for administrative access to the Kerberos database. This problem could perhaps be exploited to cause the daemon to read a negative amount of data which could lead to unexpected behavior.
Alerts:
Gentoo 200405-23 2004-05-27
Debian DSA-504-1 2004-05-18

Comments (none posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

racoon: failure to verify signatures

Package(s):ipsec-tools racoon CVE #(s):CAN-2004-0155
Created:April 7, 2004 Updated:August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
Alerts:
Whitebox WBSA-2004:308-01 2004-08-19
Mandrake MDKSA-2004:027 2004-04-08
Gentoo 200404-05 2004-04-07

Comments (none posted)

racoon: denial of service vulnerability

Package(s):ipsec-tools racoon iputils CVE #(s):CAN-2004-0403
Created:April 26, 2004 Updated:July 29, 2004
Description: racoon does not check the length of ISAKMP headers. Attackers may be able to craft an ISAKMP header of sufficient length to consume all available system resources, causing a Denial of Service. This advisory contains additional details.
Alerts:
Red Hat RHSA-2004:308-01 2004-07-29
Mandrake MDKSA-2004:069 2004-07-14
Fedora FEDORA-2004-197 2004-06-28
Whitebox WBSA-2004:165-01 2004-06-10
Fedora FEDORA-2004-132 2004-05-19
Red Hat RHSA-2004:165-01 2004-05-11
Gentoo 200404-17 2004-04-24

Comments (none posted)

kdelibs: cookie disclosure

Package(s):kdelibs CVE #(s):CAN-2003-0592
Created:March 10, 2004 Updated:August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
Alerts:
Gentoo 200408-23 2004-08-24
Red Hat RHSA-2004:074-01 2004-03-10
Red Hat RHSA-2004:075-01 2004-03-10
Mandrake MDKSA-2004:022 2004-03-10
Debian DSA-459-1 2004-03-10

Comments (none posted)

kde: URI Handler Vulnerabilities

Package(s):kde Opera CVE #(s):CAN-2004-0411
Created:May 17, 2004 Updated:June 15, 2004
Description: iDEFENSE identified a vulnerability in the Opera Web Browser that could allow remote attackers to create or truncate arbitrary files. The KDE team has found that similar vulnerabilities exists in all version of KDE, up to KDE 3.2.2 inclusive. See this advisory for more information.
Alerts:
Debian DSA-518-1 2004-06-14
Conectiva CLA-2004:843 2004-05-26
SuSE SuSE-SA:2003:014 2004-05-26
Gentoo 200405-19 2004-05-25
Gentoo 200405-11 2004-05-19
Fedora FEDORA-2004-122 2004-05-19
Mandrake MDKSA-2004:047 2004-05-18
Fedora FEDORA-2004-121 2004-05-17
Slackware SSA:2004-238-01 2004-05-17
Red Hat RHSA-2004:222-01 2004-05-17

Comments (none posted)

kdepim: VCF file information reader vulnerability

Package(s):kdepim CVE #(s):CAN-2003-0988
Created:January 15, 2004 Updated:May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully crafted .VCF file potentially enables local attackers to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to this issue.
Alerts:
Fedora FEDORA-2004-133 2004-05-19
Gentoo 200404-02 2004-04-06
Whitebox WBSA-2004:005-01 2004-02-12
Conectiva CLA-2004:810 2004-01-20
Slackware SSA:2004-014-01 2004-01-14
Mandrake MDKSA-2004:003 2004-01-14
Red Hat RHSA-2004:006-01 2004-01-07

Comments (none posted)

kernel: symlink overflow in the iso9660 filessytem

Package(s):kernel CVE #(s):CAN-2004-0109
Created:April 14, 2004 Updated:July 15, 2004
Description: The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release.
Alerts:
Conectiva CLA-2004:846 2004-07-15
Red Hat RHSA-2004:106-01 2004-04-21
Red Hat RHSA-2004:105-01 2004-04-21
Debian DSA-489-1 2004-04-17
Debian DSA-491-1 2004-04-17
Debian DSA-479-2 2004-04-14
SuSE SuSE-SA:2004:009 2004-04-14
Mandrake MDKSA-2004:029 2004-04-14
Fedora FEDORA-2004-101 2004-04-14
Debian DSA-482-1 2004-04-14
Debian DSA-481-1 2004-04-14
Debian DSA-480-1 2004-04-14
Debian DSA-479-1 2004-04-14

Comments (none posted)

kernel - root exploit in MCAST_MSFILTER

Package(s):kernel CVE #(s):CAN-2004-0424
Created:April 22, 2004 Updated:June 11, 2004
Description: A locally exploitable integer overflow has been found the multicast code of the Linux kernel versions 2.4.22 to 2.4.25 and 2.6.1 - 2.6.3. A successful exploit could lead to full superuser privileges.
Alerts:
Whitebox WBSA-2004:183-01 2004-06-10
SuSE SuSE-SA:2004:010 2004-05-05
Slackware SSA:2004-119-01 2004-04-28
Mandrake MDKSA-2004:037 2004-04-27
Red Hat RHSA-2004:183-01 2004-04-22
Fedora FEDORA-2004-111 2004-04-22
Trustix TSLSA-2004-0022 2004-04-21

Comments (1 posted)

kernel: exploitable bug in the cpufreq code

Package(s):kernel CVE #(s):CAN-2004-0228
Created:May 24, 2004 Updated:May 26, 2004
Description: Brad Spender discovered an exploitable bug in the cpufreq code in the Linux 2.6 kernel.
Alerts:
Mandrake MDKSA-2004:050 2004-05-21

Comments (none posted)

Linux kernel 2.2.10 failing function and TLB flush vulnerability

Package(s):kernel-source-2.2.10 CVE #(s):CAN-2004-0077
Created:March 18, 2004 Updated:June 4, 2004
Description: A local root exploit is possible due to early flushing of the TLB.
Alerts:
Debian DSA-514-1 2004-06-04
Debian DSA-466-1 2004-03-18

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

kolab: password disclosure

Package(s):kolab CVE #(s):
Created:May 5, 2004 Updated:May 27, 2004
Description: Kolab stores passwords in plain text format, and these passwords can read from the underlying LDAP database. See this advisory for more information.
Alerts:
Mandrake MDKSA-2004:052 2004-05-26
OpenPKG OpenPKG-SA-2004.019 2004-05-05

Comments (3 posted)

LHA: stack buffer overflows and directory traversal flaws

Package(s):LHA CVE #(s):CAN-2004-0234 CAN-2004-0235
Created:April 30, 2004 Updated:June 11, 2004
Description: LHA is an archiving and compression utility for LHarc format archives. Ulf Harnhammar discovered two stack buffer overflows and two directory traversal flaws in LHA. See this advisory+patch for more details.

CAN-2004-0234: An attacker could exploit the buffer overflows by creating a carefully crafted LHA archive in such a way that arbitrary code would be executed when the archive is tested or extracted by a victim.

CAN-2004-0235: An attacker could exploit the directory traversal issues to create files as the victim outside of the expected directory.

Alerts:
Whitebox WBSA-2004:178-01 2004-06-10
Debian DSA-515-1 2004-06-05
Red Hat RHSA-2004:178-01 2004-05-26
Fedora FEDORA-2004-119 2004-05-11
Gentoo 200405-02 2004-05-09
Conectiva CLA-2004:840 2004-05-06
Slackware SSA:2004-125-01 2004-05-04
Red Hat RHSA-2004:179-01 2004-04-30

Comments (2 posted)

libpng: denial of service vulnerability.

Package(s):libpng CVE #(s):CAN-2004-0421
Created:April 29, 2004 Updated:June 11, 2004
Description: The PNG library can accesses memory that is out of bounds when creating an error message, this can be exploited by a malformed PNG image file.
Alerts:
Whitebox WBSA-2004:180-01 2004-06-10
Red Hat RHSA-2004:180-01 2004-05-19
Gentoo 200405-06 2004-05-14
Fedora FEDORA-2004-106 2004-05-05
Fedora FEDORA-2004-105 2004-05-05
Slackware SSA:2004-124-04 2004-05-02
Red Hat RHSA-2004:181-01 2004-04-30
Trustix TSLSA-2004-0025 2004-04-30
Debian DSA-498-1 2004-04-30
Mandrake MDKSA-2004:040 2004-04-29
OpenPKG OpenPKG-SA-2004.017 2004-04-29

Comments (none posted)

libpng, libpng3: buffer overflow

Package(s):libpng, libpng3 CVE #(s):CAN-2002-1363
Created:December 19, 2002 Updated:July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer.
Alerts:
Gentoo 200407-06 2004-07-08
OpenPKG OpenPKG-SA-2004.030 2004-07-06
Mandrake MDKSA-2004:063 2004-06-29
Whitebox WBSA-2004:249-01 2004-06-21
Fedora FEDORA-2004-176 2004-06-18
Fedora FEDORA-2004-174 2004-06-18
Fedora FEDORA-2004-175 2004-06-18
Fedora FEDORA-2004-173 2004-06-18
Red Hat RHSA-2004:249-01 2004-06-18
Conectiva CLA-2003:564 2003-01-23
Mandrake MDKSA-2003:008 2003-01-20
OpenPKG OpenPKG-SA-2003.001 2003-01-15
Yellow Dog YDU-20030114-2 2002-01-14
SuSE SuSE-SA:2003:0004 2003-01-14
Red Hat RHSA-2003:006-06 2003-01-09
Debian DSA-213-1 2002-12-19

Comments (none posted)

libxml2 - arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:July 21, 2004
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16

Comments (none posted)

mailman denial of service

Package(s):mailman CVE #(s):CAN-2003-0991
Created:February 9, 2004 Updated:May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS) vulnerability in versions of Mailman prior to 2.1. An attacker could send a carefully-crafted message causing mailman to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0991 to this issue.
Alerts:
Conectiva CLA-2004:842 2004-05-25
Red Hat RHSA-2004:156-01 2004-04-14
Mandrake MDKSA-2004:013 2004-02-13
Red Hat RHSA-2004:019-01 2004-02-09

Comments (1 posted)

mc: multiple vulnerabilities

Package(s):mc CVE #(s):CAN-2004-0226 CAN-2004-0231 CAN-2004-0232
Created:April 29, 2004 Updated:May 26, 2004
Description: Midnight Commander has multiple vulnerabilities including buffer overflows, insecure temp files, and format string problems.
Alerts:
Gentoo 200405-21 2004-05-26
Red Hat RHSA-2004:172-01 2004-05-19
Slackware SSA:2004-136-01 2004-05-14
SuSE SuSE-SA:2004:012 2004-05-14
Red Hat RHSA-2004:173-01 2004-04-30
Mandrake MDKSA-2004:039 2004-04-29
Debian DSA-497-1 2004-04-29

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability, however, because the vulnerability has not been fully fixed, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

mozilla: multiple vulnerabilties

Package(s):mozilla CVE #(s):CAN-2003-0594 CAN-2003-0564
Created:March 10, 2004 Updated:August 19, 2004
Description: Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
Alerts:
Whitebox WBSA-2004:421-01 2004-08-19
Whitebox WBSA-2004:110-01 2004-03-29
Red Hat RHSA-2004:112-01 2004-03-17
Mandrake MDKSA-2004:021 2004-03-10

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

MySQL: temporary file vulnerabilities

Package(s):mysql CVE #(s):CAN-2004-0381 CAN-2004-0388
Created:April 14, 2004 Updated:August 18, 2004
Description: The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system.
Alerts:
Gentoo 200405-20 2004-05-25
Mandrake MDKSA-2004:034 2004-04-19
OpenPKG OpenPKG-SA-2004.014 2004-04-14
Debian DSA-483-1 2004-04-14

Comments (none posted)

neon: buffer overflow

Package(s):neon CVE #(s):CAN-2004-0398
Created:May 19, 2004 Updated:September 30, 2004
Description: The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Alerts:
Fedora-Legacy FLSA:1552 2004-09-29
Mandrake MDKSA-2004:078 2004-07-29
Gentoo 200406-03 2004-06-05
Gentoo 200405-25b 2004-06-02
Gentoo 200405-25 2004-05-30
Conectiva CLA-2004:841 2004-05-25
Gentoo 200405-15 2004-05-20
Gentoo 200405-13 2004-05-20
OpenPKG OpenPKG-SA-2004.024 2004-05-19
Mandrake MDKSA-2004:049 2004-05-19
Fedora FEDORA-2004-130 2004-05-19
Fedora FEDORA-2004-129 2004-05-19
Red Hat RHSA-2004:191-01 2004-05-19
Debian DSA-507-1 2004-05-19
Debian DSA-506-1 2004-05-19

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

passwd: various problems

Package(s):passwd CVE #(s):
Created:May 17, 2004 Updated:June 2, 2004
Description: Steve Grubb found some problems in the passwd program. Passwords given to passwd via stdin are one character shorter than they are supposed to be. He also discovered that pam may not have been sufficiently initialized to ensure safe and proper operation. A few small memory leaks have been fixed as well.
Alerts:
Mandrake MDKSA-2004:045 2004-05-17

Comments (none posted)

postfix: denial of service vulnerabilities

Package(s):postfix CVE #(s):CAN-2003-0468 CAN-2003-0540
Created:August 5, 2003 Updated:May 27, 2004
Description: The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Mandrake MDKA-2004:028 2004-05-26
Trustix 2003-0029 2003-08-04
Mandrake MDKSA-2003:081 2003-08-04
EnGarde ESA-20030804-019 2003-08-04
Conectiva CLA-2003:717 2003-08-04
SuSE SuSE-SA:2003:033 2003-08-04
Red Hat RHSA-2003:251-01 2003-08-04
Debian DSA-363-1 2003-08-03

Comments (none posted)

python: buffer overflow

Package(s):python CVE #(s):CAN-2004-0150
Created:March 10, 2004 Updated:October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Debian DSA-458-3 2004-10-10
Gentoo 200409-03 2004-09-02
Debian DSA-458-2 2004-08-31
Mandrake MDKSA-2004:019 2004-03-09
Debian DSA-458-1 2004-03-09

Comments (none posted)

rsync remote file write attack

Package(s):rsync CVE #(s):CAN-2004-0426
Created:April 30, 2004 Updated:July 12, 2004
Description: See the rsync homepage for the April 2004 advisory: "There is a security problem in all versions prior to 2.6.1 that affects only people running a read/write daemon WITHOUT using chroot. If the user privs that such an rsync daemon is using is anything above "nobody", you are at risk of someone crafting an attack that could write a file outside of the module's "path" setting (where all its files should be stored). Please either enable chroot or upgrade to 2.6.1. People not running a daemon, running a read-only daemon, or running a chrooted daemon are totally unaffected."
Alerts:
Gentoo 200407-10 2004-07-12
Fedora FEDORA-2004-116 2004-07-01
Whitebox WBSA-2004:192-01 2004-06-10
Debian DSA-499-2 2004-06-02
OpenPKG OpenPKG-SA-2004.025 2004-05-21
Red Hat RHSA-2004:192-01 2004-05-19
Mandrake MDKSA-2004:042 2004-05-10
Slackware SSA:2004-124-01 2004-05-02
Debian DSA-499-1 2004-05-01
Trustix TSLSA-2004-0024 2004-04-29

Comments (none posted)

SquirrelMail cross site scripting vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2004-0519 CAN-2004-0520 CAN-2004-0521
Created:May 21, 2004 Updated:October 4, 2004
Description: Several unspecified cross-site scripting (XSS) vulnerabilities and a well hidden SQL injection vulnerability were found in SquirrelMail versions 1.4.2 and lower. An XSS attack allows an attacker to insert malicious code into a web-based application. SquirrelMail does not check for code when parsing variables received via the URL query string.
Alerts:
Fedora-Legacy FLSA:1733 2004-10-02
Conectiva CLA-2004:858 2004-08-12
Whitebox WBSA-2004:240-01 2004-06-21
Gentoo 200406-08 2004-06-15
Red Hat RHSA-2004:240-01 2004-06-14
Fedora FEDORA-2004-160 2004-06-09
Fedora FEDORA-2004-159 2004-06-09
Gentoo 200405-16:02 2004-05-25
Gentoo 200405-16 2004-05-21

Comments (none posted)

sysstat: temporary file vulnerability

Package(s):sysstat CVE #(s):CAN-2004-0107 CAN-2004-0108
Created:March 10, 2004 Updated:October 4, 2004
Description: The sysstat utility has a temporary file vulnerability which can be exploited by a loc