A look at SpamAssassin 3.0
For many of us, SpamAssassin is all that stands between us and an inbox
clogged to the gills with unwanted e-mail. With the much-anticipated 3.0
release just around the corner, we decided to see what anti-spam fighters
would have to work with in the near future. To that end, we touched base
with SpamAssassin developers Theo Van Dinter and Craig Hughes. Hughes left
the project recently, but was heavily involved in the development of 3.0
and still has his finger on the pulse of SpamAssassin development.
What's different from the current release, and why the version jump? Both
Van Dinter and Hughes noted some important technical improvements in the
3.0 release. Hughes said that the most important feature for 3.0 is its
modularity. The 3.0 release is "more modular, easier to write plugins
for...easier to plug in other pieces of functionality that aren't
distributed with the core package," said Hughes. He noted that prior
to 3.0, it was difficult to add in custom code for functions that were not
part of SpamAssassin.
Both Hughes and Van Dinter also noted the replacement of SpamAssassin's
"genetic algorithm" with a "perceptron learner" for score generation. Van
Dinter noted that the new score generation is vastly improved, taking the
average time from "[around] 14 hours to less than five minutes per scoreset
(there are four)." Van Dinter also told LWN that the message/mime parser
for SpamAssassin has been rewritten "essentially from
scratch."
Another big improvement for 3.0 is improved scalability. The new version
supports installations with larger numbers of mailboxes, with preferences
stored in an SQL database or LDAP server. The primary focus there,
according to Hughes, was for large ISPs that wanted to use SpamAssassin
without having a Unix login or home directory for every user.
While there are plenty of technical improvements in SpamAssassin, Hughes
also noted that there's a non-technical rationale for the bump to
3.0. SpamAssassin is in the process of becoming a top-level project of the
Apache Software Foundation. This also means a licensing change for the
project, which was quite a bit of work according to Hughes:
It's going to be using the Apache License instead of using Perl's
licensing, and we've gone through a tremendously long, laborious, tedious
even, process of sourcing every line of code...making sure that every
author really did have the rights to publish it.
Hughes said that the project met little resistance in switching from the
former licensing scheme -- which allowed licensing under either the GPL or
the Perl Artistic License -- to the Apache Software
License. Hughes said that "only a handful" of developers
said they wouldn't allow their code to be relicensed, as well as "two
or three we couldn't contact." The end result, he said, was that
nothing substantial had to be removed due to licensing issues.
Because of the nature of the project, we were also curious how SpamAssassin
manages to stay ahead of spammers. According to Van Dinter, it's not so
much staying ahead as an "arms race" between SpamAssassin and spammers:
We filter, they mutate, we start filtering the mutation, they mutate
again. Lather, Rinse, Repeat. I'm actually not really involved in the rules
(I work on the back-end code more than anything else,) but it basically
comes down to looking at the spam that's coming in, seeing which ones
aren't caught, and figuring out how to catch them in the future. There are
also other useful data points unrelated to the messages themselves. For
instance, verifying that the sender isn't forged via SPF (Sender Policy
Framework) and utilizing the information provided by SenderBase.
Hughes told LWN that there are two things that help SpamAssassin stay ahead
of spammers:
One is that you only have to stay ahead of most spammers. There may be one
percent that may be particularly good [at getting by SpamAssassin] but if
you can block 99 percent of it, it doesn't matter that much...we're not
shooting to be perfect, we're shooting to be as good as we can without
trying to squeeze out that last one percent.
The other thing is the sheer complexity of SpamAssassin. It's not just a
Bayesian filter, it's not just looking up things in RBLs...it's all those
things together. It's actually very, very non-trivial for a human to be
able to craft a message that's a piece of spam and get through...to defeat
all of the system requires a great deal of work, or a lot of luck.
Another piece of good news for SpamAssassin enthusiasts is that it
shouldn't be hard to upgrade. According to Hughes, it "should be
simple, as long as you're not doing anything really funky" in terms
of tweaking and customizing the SpamAssassin code. He noted that the 3.0
release is designed to recognize file format changes, and to automatically
upgrade user files that are in the old format.
If the SpamAssassin 3.0 meta-bug dependency tree is any indication, there's
not much left to do before the 3.0-final release. Hughes said that the
project "looks like it's on target" to meet the June 30 release date. Users
are encouraged to help test SpamAssassin prior to the final release.
BayStar leaves the building
Back in October, 2003, the $50 million PIPE investment in the SCO Group by
BayStar and the Royal Bank of Canada was seen as good news for SCO. In
May, 2004, things have changed to the point that the dissolution of that
investment is also seen as good news for the company. SCO, it seems, is in
a different world than it was late last year.
BayStar had been left holding 40,000 of the 50,000 shares of "series A-1"
preferred stock created by the initial investment. BayStar had also been
very public about its desire to redeem those shares and its lack of faith
in SCO's management. The result was a dark cloud of potential litigation
lurking over SCO; it is not surprising that SCO was looking for a way to
settle the issue. As it turns out, SCO did pretty well for itself.
The full stock repurchase agreement is available via the SEC. It calls for
SCO to buy back those 40,000 shares of preferred stock; the cost will be
$13 million in cash and just over 2.1 million shares of SCO common stock.
So, in the end, SCO sold that stock for $50 million, and was able to buy it
back (including the 10,000 shares redeemed by RBC) for $13 million and some
paper. This is, indeed, a good deal for SCO; BayStar must have wanted out
badly.
There are a couple of interesting provisions in the agreement. One is that
BayStar is limited in how quickly it can sell the common stock; it can't
make up more than 10% of the average volume on any given day. The two
companies also agree not to badmouth each other. The effect of that
agreement would seem to be immediately apparent. In April, BayStar was
complaining about SCO's attempts to continue to look like a software
company, SCO's management, and its lack of focus on the IBM case. In the press
release describing the new agreement, instead, we read:
"After productive and substantial discussions with SCO's management
team, board of directors and legal team, BayStar is extremely
satisfied with SCO's current operating and cash management plans,
new initiatives, management of the litigation, and plans for
improving its business going forward," said Larry Goldfarb,
managing general partner, BayStar Capital.
It is true that the company would appear to have muzzled Darl McBride
recently. Other than that, however, there has been little change. The
same management team is in charge, and it's doing the same things. If
BayStar were so happy with SCO's progress, what reason could it possibly
have for cashing out its investment now at a serious loss? BayStar, instead,
gives every indication of running for the exit at full speed, preferably
ahead of the quarterly earnings announcement (which has been delayed until
June 10).
One other interesting feature of the non-disparagement clause:
...the Company's obligation not to disparage or defame BayStar as
set forth above shall be limited to the actions or comments of the
Company's executive officers, directors, attorneys, advisors [sic],
consultants, representatives and The Canopy Group, Inc.
Canopy is not a party to this agreement. One might well wonder how SCO is
able to commit Canopy to keeping its mouth shut.
The end result of all this is that the SCO Group has freed itself from a
major distraction, cleared a liability off its books (including the 8%
dividends it was supposed to start paying BayStar next year), and obtained
$37 million of obligation-free cash (excluding lawyer fees, of
course). The company is, indeed, in a better position to concentrate on
its many open court cases. It may even be able to turn Darl loose in the
near future; life hasn't been the same without his strange pronouncements.
[Looking forward: the next events in SCO's legal calendar include a hearing
in the DaimlerChrysler case (June 9), and a ruling due anytime in the
Novell case. The Novell ruling will include Novell's motion to dismiss,
and, if that is denied, SCO's motion to move the case back to Utah state
court.]
SCO shows more code
On the surface, the declaration of Todd M. Shaugnessy filed by IBM in the
SCO case looks like fairly
boring stuff. It consists of a long list of exhibits filed by IBM. Some
of those exhibits, however, have not been seen before, and some of those
warrant a look. In particular, exhibit 28 covers SCO's answers to the
motions to compel discovery. SCO has now "shown the code," and we can see
what the company is claiming.
The first part of the declaration covers code contributed from AIX and
Dynix to Linux. In the former case, SCO now contents itself with listing
the JFS filesystem. From Dynix, SCO notes the read-copy-update technique
and some NUMA support code. The broader claim over Linux's SMP code
appears to have quietly gone away.
IBM keeps asking SCO to identify the specific lines of System V code
which, SCO claims, IBM contributed to Linux. SCO continues to evade that
question. The company did, under duress, provide listings of parts of AIX
and Dynix that, it claims, derive from Unix. The bulk of the AIX listing is
the curses and terminfo libraries; no kernel files are listed there. For
Dynix, some kernel files are listed (along with the source of utilities like
awk), but there appears to be no intersection with the Dynix files that, SCO
claims, IBM contributed to Linux. SCO says that doesn't matter:
In fact, SCO steadfastly maintains that this item is not relevant to
this litigation nor is it likely to lead to the discovery of
admissible evidence. The main issue in this case is whether IBM
has breached its contract with SCO because it contributed or
otherwise disposed of a part of AIX or Dynix/ptx to others in
contravention of the terms of the license agreement.
In other words, there is not actually any SCO-owned code in IBM's
contributions to Linux, but SCO claims control over those contributions
anyway. Nothing particularly new there.
Finally, and, perhaps, most interestingly, SCO has included a set of other
files (exhibit 28-G) for which it claims ownership. The first part of this
list consists of the Linux streams (LiS) patch, which has never been part of
the mainline kernel. Interestingly, the LiS distribution was hosted at
Caldera for some time. But the company formerly known as Caldera would
rather forget that now; the company claims, in its filing, that LiS has not
appeared in "any Linux-related product distributed by SCO."
The Free Software Foundation recently claimed that the
reason SCO went after the kernel and not the FSF was the latter's copyright
assignment policies. So the FSF should be interested to see that SCO
claims rights over significant chunks of the glibc and binutils packages. In
particular, SCO claims ownership of just about anything which touches the
ELF executable file format. Many tens of thousands of lines of FSF-owned
code are claimed by SCO. Some of the claims are amusing in typical SCO
fashion; for example, the exhibit lists elf/interp.c from glibc,
which consists of the copyright header and exactly one line of code:
const char __invoke_dynamic_linker__[] __attribute__ ((section (".interp")))
= RUNTIME_LINKER;
SCO has also added claims to the ELF code in the 2.4.21 kernel, along with
the SYSV filesystem and the SYSV interprocess communication code.
SCO acknowledges that it distributed all of the above code (except for
LiS), but claims it was unaware that "its intellectual property" was
present at the time. One might well question how, if the SCO Group claims
to own the ELF file format, it could be unaware that it was distributing
ELF-related code. ELF is, after all, the fundamental file format used by
Linux. But one should not be surprised by this sort of claim from the SCO
Group.
The interesting question, instead, is whether the SCO Group will attempt to
pursue its claims to the ELF code. These claims could be used to launch
attacks against the FSF, any Linux distributor, or even any of the BSD
variants. The last thing SCO needs is yet another lawsuit, but that has
not stopped this company before. As SCO's claims against the Linux kernel
fall apart, its management may well be tempted to cast a wider net.
Page editor: Jonathan Corbet
Security
The CVS pserver bug - a timeline
Quick response to security incidents is considered one of the strong points
of the free software community. It is also seen as a vital component of a
site's defenses against attacks. With that in mind, it is worth taking a
look at how the recent CVS vulnerability played out:
May 2: Stefan Esser discovers a vulnerability in CVS, up to versions
1.11.15 and 1.12.7. A buffer overflow in the "entry" line parsing code
would allow an attacker to execute arbitrary code on the system when
the "pserver" access technique is being used. Mr. Esser informs the
CVS developers, and is told almost immediately that a fix has been
prepared.
May 3: Various high-profile CVS sites are informed of the problem and its
fix.
May 12: A new patch is prepared after SourceForge discovers a problem with
the previous versions.
May 19: The "coordinated public disclosure" happens, just in time to screw
up the LWN publication deadline. Updates are released by Debian, Fedora,
Mandrake, Red Hat, Slackware, and SUSE.
May 20: Gentoo releases its updated cvs package.
May 27: CERT gets around to sending out an advisory on the vulnerability.
A few quick conclusions can be drawn from this sequence of events:
- The coordinated disclosure mechanism had some glitches in its early
days, but it seems to be working well now. The problem was kept quiet
for a couple of weeks, after which most major distributors were able
to issue patches almost simultaneously.
- One may well wonder, again, what the relevance of CERT is; it took
just over a week to get an advisory out after the public disclosure.
By then, anybody who was paying attention had already closed the
hole.
- Some distributions do not yet have updates out. These include
Conectiva, Whitebox, and Trustix. (Update: Trustix lacks an update
because it does not ship CVS, our mistake). Red Hat Linux users are also
exposed; the Fedora Legacy project has not yet issued a cvs update.
The last item is somewhat troubling. Given the nature of this
vulnerability and the availability of information, no serious distributor
should have failed to have an update ready on the disclosure day. One can
thus conclude that some distributors are more serious than others. In
particular, it is worth noting that the projects which rework Red Hat
distributions and updates (Whitebox, CentOS, Fedora Legacy) have failed to
react to this vulnerability in a timely way. It may well be that, if you
lack the structure necessary to create a distribution in the first place,
you will be hard pressed to keep that distribution secure.
New vulnerabilities
apache2: stack-based buffer overflow in ssl_util.c
Package(s): apache2
CVE #(s): CAN-2004-0488
Created: June 1, 2004
Updated: October 14, 2004
Description: A stack-based buffer overflow exists in the
ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is
configured to trust the issuing CA, a remote attacker may be able to execute
arbitrary code via a client certificate with a long subject DN.
gallery: unauthenticated access
Package(s): gallery
CVE #(s): (none)
Created: June 2, 2004
Updated: June 15, 2004
Description: The "gallery" photo album has a vulnerability which can allow
access to the administrative account without authentication.
gatos: privilege escalation
Package(s): gatos
CVE #(s): CAN-2004-0395
Created: June 2, 2004
Updated: June 2, 2004
Description: The xatitv program, part of the gatos package, fails to drop
root privileges after an initialization failure. For added fun, it then
calls system() with unsanitized environment variables.
jftpgw: format string vulnerability
Package(s): jftpgw
CVE #(s): CAN-2004-0448
Created: June 2, 2004
Updated: June 2, 2004
Description: jftpgw (an FTP proxy) contains a format string vulnerability
which could allow the execution of arbitrary commands with the privileges of
the server process.
kerberos: buffer overflows
Package(s): kerberos5
CVE #(s): (none)
Created: June 2, 2004
Updated: June 2, 2004
Description: MIT Kerberos 5 suffers from multiple buffer overflows which
could lead to a remote root exploit, though the exploit looks difficult.
Versions through krb5-1.3.3 are affected; see this advisory for more
information.
mailman: password disclosure
Package(s): mailman
CVE #(s): CAN-2004-0412
Created: May 27, 2004
Updated: July 20, 2004
Description: In mailman versions above 2.1, third parties can retrieve
member passwords from the server.
Updated vulnerabilities
apache: multiple vulnerabilities
Package(s): apache
CVE #(s): CAN-2003-0993, CAN-2003-0020, CAN-2003-0987, CAN-2004-0174
Created: May 12, 2004
Updated: May 26, 2004
Description: Versions of apache 1 through 1.3.30 include several minor
vulnerabilities, including the writing of unescaped data to the error log
file, a denial of service vulnerability, and a parsing failure in Allow/Deny
rules on big-endian, 64-bit platforms. See the apache 1.3.31 announcement
for details.
cvs: heap overflow
Package(s): cvs
CVE #(s): CAN-2004-0396
Created: May 19, 2004
Updated: June 11, 2004
Description: CVS (through version 1.11.15 or 1.12.7) contains a remotely
exploitable heap overflow vulnerability; see this advisory from Stefan Esser
for details. If you are running cvs with the "pserver" protocol, a quick
upgrade is recommended (dropping pserver is also a very good idea for
security-conscious sites).
ethereal: multiple vulnerabilities
fam: filename disclosure vulnerability
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories
for changes and lets interested applications know when something happens.
This package has a flaw in its group handling that blocks some legitimate
operations while, at the same time, exposing the names of files that should
otherwise be invisible.
firebird: locally exploitable stack overflow
Package(s): firebird
CVE #(s): (none)
Created: May 24, 2004
Updated: May 26, 2004
Description: A buffer overflow exists in three Firebird database binaries
(gds_inet_server, gds_lock_mgr, and gds_drop) that is exploitable by
setting a large value to the INTERBASE environment variable. An attacker
could control program execution, allowing privilege escalation to the UID
of Firebird, full access to Firebird databases, and trojaning the Firebird
binaries. An attacker could use this to compromise other user or root
accounts. See also this bug report.
flim: insecure file creation
Package(s): flim
CVE #(s): CAN-2004-0422
Created: May 5, 2004
Updated: December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure
fashion, possibly allowing a local attacker to overwrite files.
gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133, CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail
reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contains
a bug when handling HTML messages. Alan Cox discovered that certain
malformed messages could cause the Evolution mail component to crash.
heimdal: missing input sanitizing
Package(s): heimdal
CVE #(s): CAN-2004-0472
Created: May 18, 2004
Updated: May 27, 2004
Description: Evgeny Demidov discovered a potential buffer overflow in a
Kerberos 4 component of heimdal, a free implementation of Kerberos 5. The
problem is present in kadmind, a server for administrative access to the
Kerberos database. This problem could perhaps be exploited to cause the
daemon to read a negative amount of data which could lead to unexpected
behavior.
iproute: local denial of service
Package(s): iproute net-tools
CVE #(s): CAN-2003-0856
Created: November 25, 2003
Updated: December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages
sent by local users, with the result that denial of service attacks are
possible.
racoon: failure to verify signatures
Package(s): ipsec-tools racoon
CVE #(s): CAN-2004-0155
Created: April 7, 2004
Updated: August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability
wherein the racoon utility fails to verify digital signatures on some
packets. This hole can lead to unauthorized connections or man-in-the-middle
attacks. See this advisory for details.
racoon: denial of service vulnerability
Package(s): ipsec-tools racoon iputils
CVE #(s): CAN-2004-0403
Created: April 26, 2004
Updated: July 29, 2004
Description: racoon does not check the length of ISAKMP headers. Attackers
may be able to craft an ISAKMP header of sufficient length to consume all
available system resources, causing a Denial of Service. This advisory
contains additional details.
kdelibs: cookie disclosure
Package(s): kdelibs
CVE #(s): CAN-2003-0592
Created: March 10, 2004
Updated: August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a
hostile server can force the disclosure of cookies that should not be
presented to it. KDE versions 3.1.3 and later contain a fix.
kde: URI handler vulnerabilities
Package(s): kde Opera
CVE #(s): CAN-2004-0411
Created: May 17, 2004
Updated: June 15, 2004
Description: iDEFENSE identified a vulnerability in the Opera Web Browser
that could allow remote attackers to create or truncate arbitrary files. The
KDE team has found that similar vulnerabilities exist in all versions of
KDE, up to KDE 3.2.2 inclusive. See this advisory for more information.
kdepim: VCF file information reader vulnerability
Package(s): kdepim
CVE #(s): CAN-2003-0988
Created: January 15, 2004
Updated: May 26, 2004
Description: KDE has issued a security advisory for all versions of kdepim
as distributed with KDE versions 3.1.0 through 3.1.4 inclusive. A carefully
crafted .VCF file potentially enables local attackers to compromise the
privacy of a victim's data or execute arbitrary commands with the victim's
privileges. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2003-0988 to this issue.
kernel: symlink overflow in the iso9660 filesystem
Package(s): kernel
CVE #(s): CAN-2004-0109
Created: April 14, 2004
Updated: July 15, 2004
Description: The 2.4 and 2.6 kernels contain a vulnerability in the iso9660
(CDROM) filesystem which can be used by a local attacker to obtain root
privileges. The exploit requires creating a specially-crafted filesystem and
getting the kernel to mount it. Many systems are configured to automatically
mount CDs on insertion, however, so the possibility of this vulnerability
being exploited by users with physical access to the system is real. The
2.4.26 kernel contains the fix, which will also be merged into the upcoming
2.6.6 release.
kernel: root exploit in MCAST_MSFILTER
Package(s): kernel
CVE #(s): CAN-2004-0424
Created: April 22, 2004
Updated: June 11, 2004
Description: A locally exploitable integer overflow has been found in the
multicast code of the Linux kernel versions 2.4.22 to 2.4.25 and 2.6.1 to
2.6.3. A successful exploit could lead to full superuser privileges.
kernel: exploitable bug in the cpufreq code
Package(s): kernel
CVE #(s): CAN-2004-0228
Created: May 24, 2004
Updated: May 26, 2004
Description: Brad Spengler discovered an exploitable bug in the cpufreq code
in the Linux 2.6 kernel.
kernel 2.2.10: failing function and TLB flush vulnerability
Package(s): kernel-source-2.2.10
CVE #(s): CAN-2004-0077
Created: March 18, 2004
Updated: June 4, 2004
Description: A local root exploit is possible due to early flushing of the
TLB.
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description: The kernel-utils package contains several utilities that can be
used to control the kernel or machine hardware. In Red Hat Linux 8.0 this
package contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around for this vulnerability, issue the following
command as root:
chmod -s /usr/bin/uml_net
kolab: password disclosure
Package(s): kolab
CVE #(s): (none)
Created: May 5, 2004
Updated: May 27, 2004
Description: Kolab stores passwords in plain text format, and these
passwords can be read from the underlying LDAP database. See this advisory
for more information.
LHA: stack buffer overflows and directory traversal flaws
Package(s): LHA
CVE #(s): CAN-2004-0234, CAN-2004-0235
Created: April 30, 2004
Updated: June 11, 2004
Description: LHA is an archiving and compression utility for LHarc format
archives. Ulf Harnhammar discovered two stack buffer overflows and two
directory traversal flaws in LHA. See this advisory+patch for more details.
CAN-2004-0234: An attacker could exploit the buffer overflows by creating a
carefully crafted LHA archive in such a way that arbitrary code would be
executed when the archive is tested or extracted by a victim.
CAN-2004-0235: An attacker could exploit the directory traversal issues to
create files as the victim outside of the expected directory.
libpng: denial of service vulnerability
Package(s): libpng
CVE #(s): CAN-2004-0421
Created: April 29, 2004
Updated: June 11, 2004
Description: The PNG library can access memory that is out of bounds when
creating an error message; this can be exploited by a malformed PNG image
file.
libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with
16-bit samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for the
loops are calculated incorrectly which causes a buffer overrun beyond the
beginning of the row buffer.
libxml2: arbitrary code execution
Package(s): libxml2
CVE #(s): CAN-2004-0110
Created: February 26, 2004
Updated: July 21, 2004
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior
to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses
special parsing routines. These routines can overflow a buffer if passed a
very long URL. If an attacker is able to find an application using libxml2
that parses remote resources and allows them to influence the URL, then
this flaw could be used to execute arbitrary code.
logcheck: symlink vulnerability
Package(s): logcheck
CVE #(s): CAN-2004-0404
Created: April 21, 2004
Updated: December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way,
possibly allowing local attackers to overwrite files.
mailman: denial of service
Package(s): mailman
CVE #(s): CAN-2003-0991
Created: February 9, 2004
Updated: May 25, 2004
Description: Matthew Galgoci of Red Hat discovered a Denial of Service (DoS)
vulnerability in versions of Mailman prior to 2.1. An attacker could send a
carefully-crafted message causing mailman to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0991 to this issue.
mc: multiple vulnerabilities
Package(s): mc
CVE #(s): CAN-2004-0226, CAN-2004-0231, CAN-2004-0232
Created: April 29, 2004
Updated: May 26, 2004
Description: Midnight Commander has multiple vulnerabilities including
buffer overflows, insecure temp files, and format string problems.
mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename
inside an archive file can overflow a buffer when the archive is being read
by mikmod.
mod_python: denial of service vulnerability
Package(s): mod_python
CVE #(s): CAN-2003-0973
Created: January 27, 2004
Updated: October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a
specific, malformed query string was sent. The Apache Foundation has
reported that mod_python may be prone to Denial of Service attacks when
handling a malformed query. Mod_python 2.7.9 was released to fix the
vulnerability; because that release did not fully fix it, version 2.7.10
has since been released. Users of mod_python 3.0.4 are not affected by this
vulnerability.
mozilla: multiple vulnerabilities
Package(s): mozilla
CVE #(s): CAN-2003-0594, CAN-2003-0564
Created: March 10, 2004
Updated: August 19, 2004
Description:
Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
Alerts:
Comments (none posted)
mpg321: format string vulnerability
Package(s): mpg321
CVE #(s): CAN-2003-0969
Created: January 6, 2004
Updated: March 28, 2005
Description:
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
Alerts:
Comments (none posted)
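"User-supplied strings passed to printf(3) unsafely" means the string from the file became the format argument itself. The following is an added example, not mpg321's code: a track title from an untrusted tag is rendered the vulnerable way and the fixed way, alongside a small check for strings that contain conversion directives. The function names are ours; the hostile tag is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not mpg321's code. Two ways a player might print a
 * track title taken from an untrusted MP3 tag, plus a quick check for
 * strings that would be dangerous as a format. */

/* VULNERABLE: the attacker-controlled title IS the format string. A
 * tag such as "%x%x%x%n" makes printf read stray stack words and, via
 * %n, write to memory. Passing a title containing '%' is undefined
 * behaviour, so the demo only ever gives it a benign title. The call
 * goes through a function pointer purely so the compiler, which would
 * otherwise refuse this pattern under -Werror=format-security, lets the
 * vulnerable form be shown; that refusal is the right default. */
int render_title_unsafe(char *out, size_t outsz, const char *title)
{
    int (*fmt)(char *, size_t, const char *, ...) = snprintf;
    return fmt(out, outsz, title);
}

/* FIXED: the format is a constant; the title is only ever %s data, and
 * any '%' it contains is copied literally. */
int render_title_safe(char *out, size_t outsz, const char *title)
{
    return snprintf(out, outsz, "Title: %s", title);
}

/* Does an untrusted string contain printf conversion directives?
 * "%%" is a literal percent; a lone trailing '%' is also reported,
 * since it would be an incomplete directive. */
int has_format_directives(const char *s)
{
    while (*s) {
        if (*s == '%') {
            if (s[1] == '%') { s += 2; continue; }
            return 1;
        }
        s++;
    }
    return 0;
}

int main(void)
{
    char out[128];
    const char *hostile = "%x.%x.%x.%n";      /* constructed hostile tag */
    render_title_safe(out, sizeof out, hostile);
    printf("safe render:   %s\n", out);
    printf("directives:    %d\n", has_format_directives(hostile));
    render_title_unsafe(out, sizeof out, "Benign Song");
    printf("unsafe render (benign input only): %s\n", out);
    return 0;
}
```

The fix is not to filter '%' out of the data; it is to never let data reach the format position. has_format_directives is useful as a grep-style audit or fuzzing oracle, not as a sanitizer.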
MySQL: temporary file vulnerabilities
Package(s): mysql
CVE #(s): CAN-2004-0381, CAN-2004-0388
Created: April 14, 2004
Updated: August 18, 2004
Description:
The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system.
Alerts:
Comments (none posted)
neon: buffer overflow
Package(s): neon
CVE #(s): CAN-2004-0398
Created: May 19, 2004
Updated: September 30, 2004
Description:
The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Alerts:
Comments (none posted)
Nessus NASL scripting engine security issues
Package(s): nessus
CVE #(s): (none)
Created: May 27, 2003
Updated: August 12, 2004
Description:
Several vulnerabilities exist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need a valid Nessus account as well
as the ability to upload arbitrary Nessus plugins to the Nessus server
(this option is disabled by default), or would need to trick a user into
running a specially crafted NASL script. Read the full advisory for
additional information.
Alerts:
Comments (none posted)
netpbm: insecure temporary files
Package(s): netpbm
CVE #(s): CAN-2003-0924
Created: January 19, 2004
Updated: December 29, 2004
Description:
netpbm is a graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
Alerts:
Comments (1 posted)
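Five entries on this page (logcheck, mc, MySQL's mysqlbug and mysqld_multi, netpbm, and sysstat below) are the same local attack: a program creates a temp file under a name an attacker can predict, the attacker plants a symlink there first, and the program's open() follows the link and truncates a file the victim can write. The following is an added example, not code from any of those packages. It plays the attack through in a throwaway directory under /tmp, then shows the two fixes: mkstemp() for a generated name, and O_EXCL|O_NOFOLLOW when the name must be fixed. The "prog.<pid>" naming scheme is our stand-in for the predictable names those tools used.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not netpbm's (or any listed package's) code. */

/* VULNERABLE: predictable name (program name + pid), O_TRUNC, no
 * O_EXCL, follows symlinks. */
int open_temp_unsafe(const char *dir, const char *prog, char *path, size_t pathsz)
{
    snprintf(path, pathsz, "%s/%s.%ld", dir, prog, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* FIXED (preferred): mkstemp() picks an unpredictable suffix and opens
 * with O_CREAT|O_EXCL, so a planted symlink or file is never reused.
 * The caller unlinks 'path' when done. */
int open_temp_safe(const char *dir, const char *prog, char *path, size_t pathsz)
{
    snprintf(path, pathsz, "%s/%s.XXXXXX", dir, prog);
    return mkstemp(path);
}

/* FIXED (when the name must be fixed): never follow a symlink, never
 * reuse an existing path. */
int open_fixed_name_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

static int write_file(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Returns 0 if every step behaved as described, otherwise the negative
 * number of the step that did not. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";          /* private sandbox */
    char target[300], predicted[300], path[300];
    int fd, rc = 0;

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/victim-data", dir);
    if (write_file(target, "secret") != 0) return -2;

    /* Attacker: same formula as the victim, pid read off ps(1). */
    snprintf(predicted, sizeof predicted, "%s/prog.%ld", dir, (long)getpid());
    if (symlink(target, predicted) != 0) return -3;

    /* Victim, unsafe: the "temp file" is really victim-data, now truncated. */
    fd = open_temp_unsafe(dir, "prog", path, sizeof path);
    if (fd < 0) return -4;
    if (write(fd, "junk", 4) != 4) rc = -5;
    close(fd);
    if (rc == 0 && file_size(target) != 4) rc = -6;

    /* Victim, safe: a different name is chosen and victim-data is untouched. */
    if (rc == 0 && write_file(target, "secret") != 0) rc = -7;
    if (rc == 0) {
        fd = open_temp_safe(dir, "prog", path, sizeof path);
        if (fd < 0) rc = -8;
        else {
            if (write(fd, "junk", 4) != 4) rc = -9;
            close(fd);
            if (rc == 0 && strcmp(path, predicted) == 0) rc = -10;
            if (rc == 0 && file_size(target) != 6) rc = -11;
            unlink(path);
        }
    }

    /* Hardened fixed-name open refuses the planted symlink. */
    if (rc == 0) {
        fd = open_fixed_name_safe(predicted);
        if (fd >= 0) { close(fd); rc = -12; }
        else if (errno != ELOOP && errno != EEXIST) rc = -13;
    }

    unlink(predicted);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_symlink_attack();
    printf("symlink demo: %s (%d)\n", rc == 0 ? "as expected" : "unexpected", rc);
    return rc != 0;
}
```

Note that the unsafe variant fails even though it uses mode 0600: permissions protect the file that gets created, not the file a pre-existing symlink points at. Only O_EXCL (which mkstemp supplies) or O_NOFOLLOW closes that window.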
openssh: timing attack leads to information disclosure
Package(s): openssh
CVE #(s): CAN-2003-0190
Created: May 2, 2003
Updated: November 30, 2004
Description:
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation."
Alerts:
Comments (1 posted)
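The advisory quoted above describes a user-enumeration timing leak: when the account does not exist, the server answers faster because it skips the expensive password step. The following is an added example, not OpenSSH or PAM code, and it models the problem rather than reproducing the original. The account table and the toy iterated hash are constructed; work is counted with a counter instead of a clock so the comparison is deterministic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSH or PAM code. For an unknown user the
 * vulnerable path returns before the slow password step, so a remote
 * client can separate valid from invalid user names by response time.
 * The fix spends the same work either way. */

struct account { const char *name; const char *password; };

/* Constructed account database. */
static const struct account users[] = {
    { "alice", "hunter2" },
    { "bob",   "letmein" },
};

static unsigned long work_units;   /* stand-in for elapsed time */

/* Toy iterated hash: many rounds so its cost dominates, as crypt(3) or
 * a PAM stack would. Not a real KDF; never use it for passwords. */
static unsigned long slow_hash(const char *s)
{
    unsigned long h = 2166136261UL;
    for (int round = 0; round < 4096; round++) {
        for (const char *p = s; *p; p++) {
            h ^= (unsigned char)*p;
            h *= 16777619UL;
        }
        h ^= (unsigned long)round;
        work_units++;              /* one unit per round, whatever the input */
    }
    return h;
}

static const struct account *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0) return &users[i];
    return NULL;
}

/* VULNERABLE: early return, no hashing when the user does not exist. */
int login_unsafe(const char *name, const char *pw)
{
    const struct account *a = lookup(name);
    if (a == NULL) return 0;
    return slow_hash(pw) == slow_hash(a->password);
}

/* FIXED: an unknown user is checked against a dummy account so the
 * expensive step always runs; the verdict is forced to 0 afterwards. */
int login_safe(const char *name, const char *pw)
{
    static const struct account dummy = { "", "dummy-password" };
    const struct account *a = lookup(name);
    int exists = (a != NULL);
    if (!exists) a = &dummy;
    int match = slow_hash(pw) == slow_hash(a->password);
    return match & exists;
}

/* Work performed by one attempt, as an attacker's stopwatch would see it. */
unsigned long cost_of(int (*login)(const char *, const char *),
                      const char *name, const char *pw)
{
    work_units = 0;
    (void)login(name, pw);
    return work_units;
}

int main(void)
{
    printf("unsafe: alice=%lu mallory=%lu\n",
           cost_of(login_unsafe, "alice", "x"), cost_of(login_unsafe, "mallory", "x"));
    printf("safe:   alice=%lu mallory=%lu\n",
           cost_of(login_safe, "alice", "x"), cost_of(login_safe, "mallory", "x"));
    return 0;
}
```

The same principle applies to any error that is reported after a variable amount of work; the safe path makes the unknown-user case do exactly what the known-user case does, and only then discards the result.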
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
passwd: various problems
Package(s): passwd
CVE #(s): (none)
Created: May 17, 2004
Updated: June 2, 2004
Description:
Steve Grubb found some problems in the passwd program. Passwords given to
passwd via stdin are one character shorter than they are supposed to be.
He also discovered that pam may not have been sufficiently initialized to
ensure safe and proper operation. A few small memory leaks have been fixed
as well.
Alerts:
Comments (none posted)
postfix: denial of service vulnerabilities
Package(s): postfix
CVE #(s): CAN-2003-0468, CAN-2003-0540
Created: August 5, 2003
Updated: May 27, 2004
Description:
The postfix MTA, versions through 1.1.12 (but not 2.0), is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details.
Alerts:
Comments (none posted)
python: buffer overflow
Package(s): python
CVE #(s): CAN-2004-0150
Created: March 10, 2004
Updated: October 11, 2004
Description:
Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Comments (none posted)
rsync remote file write attack
Package(s): rsync
CVE #(s): CAN-2004-0426
Created: April 30, 2004
Updated: July 12, 2004
Description:
See the rsync homepage for the April 2004 advisory: "There is a security
problem in all versions prior to 2.6.1 that affects only people running a
read/write daemon WITHOUT using chroot. If the user privs that such an rsync
daemon is using is anything above "nobody", you are at risk of someone
crafting an attack that could write a file outside of the module's "path"
setting (where all its files should be stored). Please either enable chroot
or upgrade to 2.6.1. People not running a daemon, running a read-only
daemon, or running a chrooted daemon are totally unaffected."
Alerts:
Comments (none posted)
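The rsync advisory's point is that without chroot the daemon itself must keep every client-supplied path inside the module's "path" setting. The following is an added example, not rsync's code: a lexical containment check that refuses absolute paths and any ".." that would climb above the module root. The function name and the sample requests are ours.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not rsync's code. Normalises a client-supplied relative
 * path and refuses anything that would leave the module root. "." and
 * empty components are dropped, ".." pops the previous component, and a
 * ".." with nothing left to pop is an escape attempt. Returns 1 and
 * writes root/clean-path into 'out', or 0 if the request is refused. */
int resolve_in_module(const char *root, const char *req, char *out, size_t outsz)
{
    char buf[1024];
    const char *comp[128];
    int depth = 0;

    if (req[0] == '/' || strlen(req) >= sizeof buf) return 0;
    strcpy(buf, req);

    for (char *tok = strtok(buf, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {
            if (depth == 0) return 0;   /* would escape the module root */
            depth--;
            continue;
        }
        if (depth == (int)(sizeof comp / sizeof comp[0])) return 0;
        comp[depth++] = tok;
    }

    int n = snprintf(out, outsz, "%s", root);
    for (int i = 0; i < depth; i++) {
        if (n < 0 || (size_t)n >= outsz) return 0;
        n += snprintf(out + n, outsz - (size_t)n, "/%s", comp[i]);
    }
    return n >= 0 && (size_t)n < outsz;
}

int main(void)
{
    /* Constructed requests a hostile client might send. */
    const char *reqs[] = { "docs/../notes/a.txt", "../etc/passwd",
                           "a/../../etc/passwd", "/etc/passwd", "./x//y/." };
    char out[512];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int ok = resolve_in_module("/srv/module", reqs[i], out, sizeof out);
        printf("%-22s -> %s\n", reqs[i], ok ? out : "REFUSED");
    }
    return 0;
}
```

A lexical check like this does not see symlinks that already exist inside the module and point outside it; that is the gap chroot closes, which is why the advisory recommends it alongside the upgrade.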
SquirrelMail cross site scripting vulnerabilities
Package(s): squirrelmail
CVE #(s): CAN-2004-0519, CAN-2004-0520, CAN-2004-0521
Created: May 21, 2004
Updated: October 4, 2004
Description:
Several unspecified cross-site scripting (XSS) vulnerabilities and a
well-hidden SQL injection vulnerability were found in SquirrelMail versions
1.4.2 and lower. An XSS attack lets an attacker inject script or markup into
a web-based application, where it runs in other users' browsers; SquirrelMail
did not sanitize variables received via the URL query string before using
them.
Alerts:
Comments (none posted)
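The XSS half of the SquirrelMail entry comes down to echoing a query-string value into a page without escaping it. The following is an added example, not SquirrelMail's code (SquirrelMail is PHP; C is used to match the rest of this page). It decodes a percent-encoded value the way a query-string parser would, then shows the raw echo beside the escaped one. The hostile and benign inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not SquirrelMail's code. A value arrives percent-encoded
 * in the query string; after decoding it must be HTML-escaped before it
 * is echoed into a page, or the client's own markup runs in the browser
 * of whoever opens the link. */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode one query-string value ('+' is a space). Returns the
 * decoded length, or -1 for a bad escape or an output buffer too small. */
int url_decode(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in; in++) {
        if (n + 1 >= outsz) return -1;
        if (*in == '+') {
            out[n++] = ' ';
        } else if (*in == '%') {
            int hi = hexval((unsigned char)in[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[2]);
            if (hi < 0 || lo < 0) return -1;     /* malformed or truncated escape */
            out[n++] = (char)(hi * 16 + lo);
            in += 2;
        } else {
            out[n++] = *in;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Escape the characters that can break out of HTML text or attribute
 * context. Returns the escaped length, or -1 if 'out' is too small. */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t len = strlen(rep);
        if (n + len >= outsz) return -1;
        memcpy(out + n, rep, len);
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}

/* VULNERABLE: the decoded value goes straight into the markup. */
int render_unsafe(const char *raw, char *out, size_t outsz)
{
    char val[512];
    if (url_decode(raw, val, sizeof val) < 0) return -1;
    return snprintf(out, outsz, "<h1>Mailbox: %s</h1>", val);
}

/* FIXED: escape between decoding and output. */
int render_safe(const char *raw, char *out, size_t outsz)
{
    char val[512], esc[2048];
    if (url_decode(raw, val, sizeof val) < 0) return -1;
    if (html_escape(val, esc, sizeof esc) < 0) return -1;
    return snprintf(out, outsz, "<h1>Mailbox: %s</h1>", esc);
}

int main(void)
{
    const char *raw = "%3Cscript%3Ealert(1)%3C%2Fscript%3E";  /* constructed */
    char out[4096];
    render_unsafe(raw, out, sizeof out); printf("unsafe: %s\n", out);
    render_safe(raw, out, sizeof out);   printf("safe:   %s\n", out);
    return 0;
}
```

Escaping belongs at the output step, with the rules of the context the value lands in (HTML text here; attributes, URLs and script blocks each need their own). Checking "for code" on the way in, as the entry describes, cannot anticipate every encoding the browser will accept.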
sysstat: temporary file vulnerability
Package(s): sysstat
CVE #(s): CAN-2004-0107, CAN-2004-0108
Created: March 10, 2004
Updated: October 4, 2004
Description:
The sysstat utility has a temporary file vulnerability which can be exploited by a loc