On dealing with Microsoft
Sequels, it is said, often fail to live up to the original. So it may not
be entirely surprising that Eric Raymond's latest,
Halloween XI,
lacks some of the impact of its predecessors. There are no "smoking gun"
memos to dissect this time around; instead, Eric looks at Microsoft's
latest marketing techniques and redefines the free
software community in terms of a cold-war style confrontation with
Microsoft. This view of things is not likely to be helpful.
Eric's analysis of Microsoft's latest road show does have its good points.
The company, he notes, has dropped its discussion of "intellectual property
threats" posed by Linux and Microsoft's higher level of "innovation."
Instead, Microsoft is pushing total cost of ownership arguments and trying
to sell the idea that its "shared source" program is as good as truly free
software. The company's position does, indeed, appear to have shifted into
a more defensive mode.
But consider this quote:
Because coexistence is not a stable solution for them, it cannot be
for us either. We have to assume that Microsoft's long-term aim is
to crush our culture and drive us to extinction by whatever
combination of technical, economic, legal, and political means they
can muster.
One can imagine several ways of characterizing the whole free software
movement. A couple of those might be:
- A group of software developers and users who are pooling their
effort to supply themselves with the best software they can create,
free of restrictions, obnoxious licensing, hidden "features," etc.
- A noble, if outgunned army, led by wizards, in an epic battle against
the dark forces of Mordor and the roving red eye of Steve Ballmer.
The truth of the matter is that we are not fighting a war. We are building
a set of tools which allow us to better run and control our lives, and,
with luck, having some fun in the process. Forcing our efforts into the
mold of a battle is not likely to help us in that process.
The competitive threats to Linux are relevant. In general, expanding the
user base of free software is a good thing; it causes a corresponding expansion of the
developer base and makes it more likely that we will encounter free
software in all aspects of our lives. Growing the user base means dealing
with competing forces which have their own ideas of how things should go.
That's capitalism. Certainly some people should be thinking about how to
make free software competitive; this task naturally falls on those working
to build businesses around free software.
There is also a definite legislative threat - as there is in many aspects
of our lives. This threat goes far beyond Microsoft, however. Software
patents, black-box voting systems, cryptography regulations, mandatory
digital rights management schemes, anti-circumvention laws, etc. are all
part of the fight for freedom which is as old as the human race. Focusing
on Microsoft as the Big Threat can only distract attention from the real
battle, in which Microsoft is only a part.
In that context, consider this quote:
The thing not to do is talk abstractions. FSF-style propaganda
about freedom or user's rights has its uses occasionally, but it
will register on this campaign's target audience of
bottom-line-fixated IT managers as irrelevant or nutty. And when
you look irrelevant or nutty, you hand Microsoft a victory.
If your focus is Microsoft, this advice may make some sense. But if your
goal is an "abstraction" like freedom from software patents, systems which
spy on you, etc., a focus on Microsoft seems short-sighted. Let the folks
at IBM, Novell, Red Hat, and so on talk to the bottom-line people; that's
their job. They should, while they are at it, be able to find ways of
selling freedom as well; that freedom is just as valuable to a large
corporation as to anybody else. The rest of us, meanwhile, can find better
things to do.
Microsoft can certainly be expected to attack us. It will fund
corporations which attempt to claim ownership of Linux via the courts. It
will fund "think tanks" to spread doubts - see this
impressive list of Microsoft-funded organizations which have published
attacks on free software. It will attempt to intimidate government
officials contemplating switching away from its products. But Microsoft is
a small piece of the problem, and the best way to fight it is the
production of more, better code. That approach, after all, has worked
pretty well so far.
As a postscript, it is worth noting that there are good things to be found
in the latest Halloween essay. In particular, Eric's advice to work to
increase the adoption of Linux inside governments makes a lot of sense. If
we can feed a government enough free software that it becomes addicted,
that government is more likely to think twice before passing laws which are
highly inimical to free software. Of course, that's "drug dealer" talk,
which we'll get to in the next article.
A legal attack in Brazil
The recent
reports that
Microsoft has filed suit against Sérgio Amadeu, the president of the
Brazilian National Institute for Information Technology and a leader of
Brazil's move toward free software, have upset many in the community. This
suit looks very much like an attempt to intimidate a government which has
been making increasingly friendly noises about free software. A closer
look shows that, while this may be the case, there probably is not too much
to be concerned about here.
For the curious, Microsoft's complaint is available in PDF
format. That complaint comes down to the following: Mr. Amadeu
compared Microsoft's tactics to those of drug dealers, and Microsoft
doesn't like it. So Microsoft has filed a "demand for explanation" aimed
at getting Mr. Amadeu to retract his statements, or, at least, to back them
up in court.
The "drug dealer" comment was, beyond doubt, over the top. Many public
statements made by Microsoft about free software are, beyond doubt, equally
over the top, as is Microsoft's reaction in this case. Microsoft seems
unlikely to get very far with this
particular complaint, especially in the face of public statements like:
As long as they are going to steal it, we want them to steal
ours. They'll get sort of addicted, and then we'll somehow figure
out how to collect sometime in the next decade.
(Bill Gates, 1998, quoted in News.com).
The most likely result of this action may well be to convince more
governmental employees that dealing with Microsoft is generally a bad
idea. This kind of ham-fisted attack seems unlikely to slow any
government's move toward Linux, though it may make the people involved
watch their words a little more carefully.
Large ISPs ponder spam
The Anti-Spam Technical Alliance is a consortium of large Internet service
providers, including Yahoo, Microsoft, EarthLink, America Online, and
others. This group has just
announced
the publication of a set of guidelines intended to reduce the amount of
spam in circulation; the document is available
in PDF format.
These ISPs carry enough network traffic between them that it's worth
looking at their recommended policies. After all, if these carriers decide
to screw up the net, they could succeed in making a big mess for
everybody.
The recommendations, unsurprisingly, are aimed primarily at ISPs. For the
most part, they are reasonably obvious stuff; they include:
- Close open relays. Most people who run mail systems will have done
this some time ago; anybody who doesn't finds it hard to send mail
after a short while. The guidelines also recommend tightening access
to open proxies.
- Shut down formmail.pl. It is hard to imagine that systems running
formmail are still out there, but they must be. The LWN web server
gets a handful of attempts to use formmail.pl (which has never been
installed there) every day.
- Detect and disconnect zombie systems. This clearly has to be done;
compromised systems are increasingly in demand as spam sources.
Detection of such systems should be relatively easy, most of the time;
one hopes, however, that ISPs will be careful when deciding just how
active they want to be when looking for compromised systems.
- Use authenticated email submission. The report also recommends
pushing customers over to the mail submission port
(port 587) for
feeding email into the system. Separating out the submission step,
again, allows for prior authentication. Of course, implicit in all of
this is the idea that ISP customers are not to be allowed to directly
send mail to remote systems.
- Put rate limits on outbound email traffic. Recommended limits are 150
recipients per hour, up to 500 recipients per day. This idea has all
kinds of problems, starting with the effect it will have on anybody
running a mailing list.
- Close down web redirector services. Evidently some redirection
services are open to anybody who wants to use them; putting redirected
URLs into spam helps make the message look more legitimate and hide
the ultimate destination.
- Set up and use spam reporting services.
There is also a set of recommendations for bulk mail senders, with ideas
like "do not harvest email addresses," avoid forged headers, and provide
clear opt-out instructions. The best recommendation, however (which would
be "cease and desist") is absent. The "recommendations for consumers"
section limits itself to suggesting the installation of firewalls and
anti-virus software.
In one sense, these guidelines are a step in the right direction. They are
an admission from a number of large ISPs that they must take responsibility
for spam originating on their networks. In the best possible scenario,
ISPs will take a higher level of interest in their contribution to the
problem and shut their spammers down. In the worst case, however, we could
see a significant reduction in what "normal users" are allowed to do on the
net, major hassles for anybody wanting to run mailing lists or handle their
own mail, and increasingly intrusive probes from ISPs which are ostensibly
intended to root out compromised systems - all with a wink to "legitimate"
bulk commercial emailers and no real reduction in spam volumes.
For now, at least, vast parts of the net are beyond the control of these
large ISPs. That puts a limit on their ability to make a significant dent
in the spam problem, but also in their ability to impose their own vision
of how the net should work. Limits of that sort can only be a good thing.
Page editor: Jonathan Corbet
Security
Long-lived security holes
It is time, once again, to look at quick distributor response to security
holes - or the lack thereof. We could start by poking fun at the
distributors which have taken over a week to fix the latest kernel
vulnerability - but we won't. The updates probably
should have come out more
quickly, but, in the end, it was a local denial-of-service vulnerability; it
was not the top priority for a lot of administrators.
Let's look, instead, at a fix that took a little longer. Red Hat, Fedora,
and Whitebox recently sent out advisories for a buffer overrun in the
libpng library; this problem could be exploited by way of a hostile image
to run arbitrary code on a victim's system. These distributors are thus
running just a little behind Debian, which sent out its advisory on December 19, 2002.
In fact, Red Hat had issued an advisory as well. It just turns out that
the problem had not actually been fixed. As a result, Red Hat users were
vulnerable to attackers wielding evil PNG images for over two years. This
is not the quick response time that is a source of such pride for the free
software community.
Of course, one should note that, as far as anybody can tell, not a single
Red Hat user suffered any sort of compromise as a result of this unfixed
bug. It almost certainly could have remained unfixed for another two years
without ill effect. Perhaps the world isn't quite as dangerous as we
sometimes think.
The truth of the matter is that our community finds (and fixes) dozens of
vulnerabilities every year which are unlikely to ever be exploited. These
fixes add to the load of already overworked system administrators and give
ammunition to "alert counters" who like to claim that Linux is less secure
than other operating systems. Perhaps it is time to come out and admit
that many of the patches issued every year are not actually all that
important.
System administrators already prioritize updates as they come in. Remotely
exploitable holes (should) get fixed in a hurry. Vulnerabilities like this week's aspell hole - a buffer overflow
caused by words more than 256 bytes long - can be allowed to sit for a
while. It would be nice if distributors could help out by explicitly
noting the importance of every update. If the truly serious fixes came
with a bright red flag, they might stand out from the noise and be applied
more quickly.
There are some obvious problems with this idea. Some truly serious
vulnerabilities are not seen as such when they are originally fixed. In certain
litigious countries, nobody wants to be exposed to lawsuits from users who
were broken into by way of a "non-urgent" vulnerability. These issues
would need to be addressed, but the fact remains: we are not necessarily
helping ourselves by treating all updates as if they were equally important.
New vulnerabilities
aspell: bounds checking problem
Package(s): aspell
CVE #(s): CAN-2004-0548
Created: June 17, 2004
Updated: December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.

dhcp: buffer overflows
Package(s): dhcp
CVE #(s): CAN-2004-0460, CAN-2004-0461
Created: June 23, 2004
Updated: July 14, 2004
Description: Two separate buffer overflows have been found in versions 3.0.1rc12 and 3.0.1rc13 of the ISC DHCP server. These overflows can be exploited by a remote attacker to cause a denial of service or, potentially, to execute arbitrary code. DHCP servers should not be exposed to the Internet, but this problem is worth fixing regardless. See the CERT advisory for more information.

racoon: improper certificate validation
Package(s): racoon ipsec-utils
CVE #(s): (none)
Created: June 23, 2004
Updated: June 23, 2004
Description: The racoon tool found in ipsec-tools (through version 0.3.3) fails to perform proper authentication, enabling a potential man-in-the-middle attack.

rlpr: format string vulnerability
Package(s): rlpr
CVE #(s): CAN-2004-0393, CAN-2004-0454
Created: June 21, 2004
Updated: June 21, 2004
Description: rlpr contains format string and buffer overflow vulnerabilities which could potentially be exploited by a remote attacker to execute arbitrary code.

sup: format string vulnerability
Package(s): sup
CVE #(s): CAN-2004-0451
Created: June 21, 2004
Updated: June 21, 2004
Description: sup contains a format string vulnerability which could be used by a remote attacker to cause arbitrary code to run on the server.

super: format string vulnerability
Package(s): super
CVE #(s): CAN-2004-0579
Created: June 21, 2004
Updated: June 21, 2004
Description: A format string vulnerability has been found in super; this hole can be exploited by a local user to obtain root access.

usermin: information disclosure and denial of service
Package(s): usermin
CVE #(s): (none)
Created: June 21, 2004
Updated: June 21, 2004
Description: Versions of the usermin utility prior to 1.080 suffer from two vulnerabilities: a failure to sanitize email which could lead to information disclosure, and one which allows an attacker to lock out an account.

www-sql: buffer overflow
Package(s): www-sql
CVE #(s): CAN-2004-0455
Created: June 21, 2004
Updated: June 21, 2004
Description: www-sql contains a buffer overflow which can be exploited by a local user to execute arbitrary code.

Updated vulnerabilities
Apache mod_proxy: denial of service
Package(s): apache
CVE #(s): CAN-2004-0492
Created: June 11, 2004
Updated: October 14, 2004
Description: A buffer overflow vulnerability in the Apache mod_proxy module can be exploited to create a denial of service.

apache2: stack-based buffer overflow in ssl_util.c
Package(s): apache2
CVE #(s): CAN-2004-0488
Created: June 1, 2004
Updated: October 14, 2004
Description: A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.

fam: filename disclosure vulnerability
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.

flim: insecure file creation
Package(s): flim
CVE #(s): CAN-2004-0422
Created: May 5, 2004
Updated: December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.

gtkhtml: malformed messages cause crash
Package(s): gtkhtml
CVE #(s): CAN-2003-0133, CAN-2003-0541
Created: April 14, 2003
Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader. The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug in its handling of HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Horde-IMP: improper input validation
Package(s): Horde-IMP
CVE #(s): (none)
Created: June 16, 2004
Updated: August 10, 2004
Description: An input validation error exists in Horde-IMP through version 3.2.4; a specially crafted message could be used to run scripts in the context of the target's browser.

iproute: local denial of service
Package(s): iproute net-tools
CVE #(s): CAN-2003-0856
Created: November 25, 2003
Updated: December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.

racoon: failure to verify signatures
Package(s): ipsec-tools racoon
CVE #(s): CAN-2004-0155
Created: April 7, 2004
Updated: August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See the advisory for details.

racoon: denial of service vulnerability
Package(s): ipsec-tools racoon iputils
CVE #(s): CAN-2004-0403
Created: April 26, 2004
Updated: July 29, 2004
Description: racoon does not check the length of ISAKMP headers. Attackers may be able to craft an ISAKMP header with a length field large enough to make racoon consume all available system resources, causing a denial of service. The advisory contains additional details.

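The racoon entry above comes down to one missing check: the length field in the ISAKMP header is trusted before it is compared with what actually arrived on the wire. The following is an added example written for this page, not racoon's code. It parses the 28-byte ISAKMP header laid out in RFC 2408 (section 3.1) and refuses to hand the declared length to any allocator or copy until it has been bounded both by the bytes received and by a policy ceiling; the 65535-byte ceiling, the error codes and the constructed test packets are assumptions of the example.

```c
/* Added example: bounds-checked parsing of an ISAKMP header (RFC 2408, 3.1).
 * Illustrative code for this page, not racoon's or tcpdump's source. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ISAKMP_HDR_LEN 28u
/* The RFC sets no ceiling on message size; this limit is a policy choice made
 * for the example (assumption), so a peer cannot make us reserve 4 GB. */
#define ISAKMP_MAX_MSG 65535u

struct isakmp_hdr {
    uint8_t  i_cookie[8];
    uint8_t  r_cookie[8];
    uint8_t  next_payload;
    uint8_t  version;      /* major in the high nibble, minor in the low */
    uint8_t  exch_type;
    uint8_t  flags;
    uint32_t msg_id;
    uint32_t length;       /* total message length, header included */
};

enum {
    ISAKMP_OK = 0,
    ISAKMP_ERR_SHORT = -1,       /* fewer than 28 bytes received */
    ISAKMP_ERR_BAD_LENGTH = -2,  /* length field smaller than the header */
    ISAKMP_ERR_TOO_BIG = -3,     /* length field above our policy ceiling */
    ISAKMP_ERR_TRUNCATED = -4    /* length field claims more than we received */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate the header before trusting anything in it. The vulnerable pattern
 * is to read the length field and size a buffer or a copy from it; here the
 * field is checked against the bytes actually received and the ceiling first. */
int isakmp_parse_header(const uint8_t *pkt, size_t pktlen, struct isakmp_hdr *out)
{
    if (pktlen < ISAKMP_HDR_LEN)
        return ISAKMP_ERR_SHORT;
    uint32_t len = be32(pkt + 24);
    if (len < ISAKMP_HDR_LEN)
        return ISAKMP_ERR_BAD_LENGTH;
    if (len > ISAKMP_MAX_MSG)
        return ISAKMP_ERR_TOO_BIG;
    if (len > pktlen)
        return ISAKMP_ERR_TRUNCATED;
    memcpy(out->i_cookie, pkt, 8);
    memcpy(out->r_cookie, pkt + 8, 8);
    out->next_payload = pkt[16];
    out->version = pkt[17];
    out->exch_type = pkt[18];
    out->flags = pkt[19];
    out->msg_id = be32(pkt + 20);
    out->length = len;
    return ISAKMP_OK;
}

/* Constructed packet: a bare header carrying whatever length field we choose. */
size_t isakmp_make_packet(uint8_t *buf, size_t bufsize, uint32_t claimed_len)
{
    if (bufsize < ISAKMP_HDR_LEN)
        return 0;
    memset(buf, 0, ISAKMP_HDR_LEN);
    memset(buf, 0xAA, 8);          /* initiator cookie */
    buf[16] = 1;                   /* next payload: Security Association */
    buf[17] = 0x10;                /* version 1.0 */
    buf[18] = 2;                   /* exchange type: Identity Protection */
    buf[24] = (uint8_t)(claimed_len >> 24);
    buf[25] = (uint8_t)(claimed_len >> 16);
    buf[26] = (uint8_t)(claimed_len >> 8);
    buf[27] = (uint8_t)claimed_len;
    return ISAKMP_HDR_LEN;
}

/* Build a 28-byte packet with the given length field and return the verdict. */
int isakmp_check_claimed(uint32_t claimed_len)
{
    uint8_t pkt[ISAKMP_HDR_LEN];
    struct isakmp_hdr h;
    size_t n = isakmp_make_packet(pkt, sizeof pkt, claimed_len);
    return isakmp_parse_header(pkt, n, &h);
}

/* Deliver only the first wire_len bytes of an otherwise valid header. */
int isakmp_check_wire_len(size_t wire_len)
{
    uint8_t pkt[ISAKMP_HDR_LEN];
    struct isakmp_hdr h;
    isakmp_make_packet(pkt, sizeof pkt, ISAKMP_HDR_LEN);
    if (wire_len > ISAKMP_HDR_LEN)
        wire_len = ISAKMP_HDR_LEN;
    return isakmp_parse_header(pkt, wire_len, &h);
}

int main(void)
{
    printf("length 28 in 28 bytes        -> %d\n", isakmp_check_claimed(ISAKMP_HDR_LEN));
    printf("length 1000 in 28 bytes      -> %d\n", isakmp_check_claimed(1000u));
    printf("length 0xfffffff0 in 28 bytes -> %d\n", isakmp_check_claimed(0xFFFFFFF0u));
    printf("length 20 (below header)     -> %d\n", isakmp_check_claimed(20u));
    printf("only 10 bytes on the wire    -> %d\n", isakmp_check_wire_len(10));
    return 0;
}
```

The order of the checks matters: the length field is compared with the header size and the ceiling before it is compared with the received byte count, so a daemon reading a stream can decide whether to wait for more data without ever reserving memory for an attacker-chosen size.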
kdelibs: cookie disclosure
Package(s): kdelibs
CVE #(s): CAN-2003-0592
Created: March 10, 2004
Updated: August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.

kernel: symlink overflow in the iso9660 filesystem
Package(s): kernel
CVE #(s): CAN-2004-0109
Created: April 14, 2004
Updated: July 15, 2004
Description: The 2.4 and 2.6 kernels contain a vulnerability in the iso9660 (CDROM) filesystem which can be used by a local attacker to obtain root privileges. The exploit requires creating a specially-crafted filesystem and getting the kernel to mount it. Many systems are configured to automatically mount CDs on insertion, however, so the possibility of this vulnerability being exploited by users with physical access to the system is real. The 2.4.26 kernel contains the fix, which will also be merged into the upcoming 2.6.6 release.

kernel: denial of service
Package(s): kernel
CVE #(s): CAN-2004-0554
Created: June 15, 2004
Updated: July 5, 2004
Description: The 2.4 and 2.6 kernels running on the i386 and x86_64 architectures have a vulnerability which can allow a local attacker to lock up the system. See the LWN article on the problem for a description. Many of the updates for this problem also fix various potential driver vulnerabilities found while instrumenting the code for automated auditing.

kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in the kernel-utils packages shipped with Red Hat Linux 8.0 was incorrectly installed setuid root. This could allow local users to control certain network interfaces, add and remove ARP entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to the packages that contain a version of uml_net which is not setuid root. Alternatively, as a workaround, issue the following command as root:
chmod -s /usr/bin/uml_net

krb5: unauthorized root privileges
Package(s): krb5
CVE #(s): CAN-2004-0523
Created: June 3, 2004
Updated: June 29, 2004
Description: Multiple buffer overflows exist in the krb5_aname_to_localname() library function which, if exploited, could lead to unauthorized root privileges. In order to exploit this flaw, an attacker must first successfully authenticate to a vulnerable service, which must be configured to enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname; this is not a default configuration. See the MIT krb5 security advisory for more information.

libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description: Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly, which causes a buffer overrun beyond the beginning of the row buffer.

libxml2: arbitrary code execution
Package(s): libxml2
CVE #(s): CAN-2004-0110
Created: February 26, 2004
Updated: July 21, 2004
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.

logcheck: symlink vulnerability
Package(s): logcheck
CVE #(s): CAN-2004-0404
Created: April 21, 2004
Updated: December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.

mailman: password disclosure
Package(s): mailman
CVE #(s): CAN-2004-0412
Created: May 27, 2004
Updated: July 20, 2004
Description: In mailman versions above 2.1, third parties can retrieve member passwords from the server.

mikmod: buffer overflow
Package(s): mikmod
CVE #(s): CAN-2003-0427
Created: June 16, 2003
Updated: June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.

mod_python: denial of service vulnerability
Package(s): mod_python
CVE #(s): CAN-2003-0973
Created: January 27, 2004
Updated: October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent. The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; because that release did not fully fix the problem, version 2.7.10 has been released. Users of mod_python 3.0.4 are not affected by this vulnerability.

mozilla: multiple vulnerabilities
Package(s): mozilla
CVE #(s): CAN-2003-0594, CAN-2003-0564
Created: March 10, 2004
Updated: August 19, 2004
Description: Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.

mpg321: format string vulnerability
Package(s): mpg321
CVE #(s): CAN-2003-0969
Created: January 6, 2004
Updated: March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).

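The rlpr, sup, super and mpg321 entries share one bug class: a string the attacker controls ends up as the format argument of a printf-family call. As an added example, not code from any of those projects, here is the vulnerable form beside the fixed one, plus a small counter showing how many arguments printf would try to consume if a hostile mp3 tag were used as the format. The tag text is constructed for the example.

```c
/* Added example: attacker-controlled printf(3) format, 'before' and 'after'.
 * Illustrative code for this page; the "tag" input is constructed. */
#include <stdio.h>
#include <string.h>

/* VULNERABLE ('before'): the untrusted text *is* the format string. Every
 * conversion in it ("%x", "%s", "%n") makes printf consume an argument that
 * was never passed, reading stack words or, with %n, writing to memory.
 * The call goes through a volatile pointer only so the compiler's
 * format-string warning does not obscure the point; never run this on a
 * hostile tag. */
void show_tag_unsafe(const char *tag)
{
    int (*volatile pf)(const char *, ...) = printf;
    pf(tag);
    putchar('\n');
}

/* FIXED ('after'): the format is a constant and the data is an argument.
 * "%x%n" inside the tag is now printed literally and interpreted by nothing. */
void show_tag_safe(const char *tag)
{
    printf("%s\n", tag);
}

/* The same fix when formatting into a buffer. Returns the length the full
 * result needs (snprintf semantics) so callers can detect truncation. */
int format_tag_safe(char *out, size_t outsize, const char *tag)
{
    return snprintf(out, outsize, "Title: %s", tag);
}

/* How many arguments would printf try to consume if this string were the
 * format? Counts '%' conversions, skipping the literal "%%". A non-zero
 * answer for untrusted input is exactly the bug the entries above describe. */
int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" prints a single '%' and eats nothing */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed "title" such as a hostile mp3 stream could carry. */
    const char *hostile = "%x.%x.%x.%n";
    char buf[64];
    printf("arguments printf would consume from the tag: %d\n",
           count_conversions(hostile));
    show_tag_safe(hostile);
    format_tag_safe(buf, sizeof buf, hostile);
    printf("%s\n", buf);
    return 0;
}
```

The fix is mechanical (a literal format, the data as an argument), which is why compilers now warn on the unsafe form; the counter is the check to run over any string that reaches a printf-family call from a file, a network peer or a command line.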
MySQL: temporary file vulnerabilities
Package(s): mysql
CVE #(s): CAN-2004-0381, CAN-2004-0388
Created: April 14, 2004
Updated: August 18, 2004
Description: The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system.

neon: buffer overflow
Package(s): neon
CVE #(s): CAN-2004-0398
Created: May 19, 2004
Updated: September 30, 2004
Description: The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See the advisory for details. This vulnerability also affects related applications (such as cadaver).

nessus: NASL scripting engine security issues
Package(s): nessus
CVE #(s): (none)
Created: May 27, 2003
Updated: August 12, 2004
Description: Several vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or would need to trick a user into running a specially crafted NASL script. Read the full advisory for additional information.

netpbm: insecure temporary files
Package(s): netpbm
CVE #(s): CAN-2003-0924
Created: January 19, 2004
Updated: December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.

openssh: timing attack leads to information disclosure
Package(s): openssh
CVE #(s): CAN-2003-0190
Created: May 2, 2003
Updated: November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."

OpenSSL: denial of service vulnerabilities
postgresql: buffer overflow in ODBC driver
Package(s): postgresql
CVE #(s): (none)
Created: June 7, 2004
Updated: July 28, 2004
Description: A buffer overflow has been discovered in the ODBC driver of PostgreSQL, an object-relational SQL database descended from POSTGRES. It is possible to exploit this problem and crash the surrounding application; hence, a PHP script using php4-odbc can be used to crash the surrounding Apache web server. Other parts of PostgreSQL are not affected.

python: buffer overflow
Package(s): python
CVE #(s): CAN-2004-0150
Created: March 10, 2004
Updated: October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.

rsync: remote file write attack
Package(s): rsync
CVE #(s): CAN-2004-0426
Created: April 30, 2004
Updated: July 12, 2004
Description: See the rsync homepage for the April 2004 advisory: "There is a security problem in all versions prior to 2.6.1 that affects only people running a read/write daemon WITHOUT using chroot. If the user privs that such an rsync daemon is using is anything above "nobody", you are at risk of someone crafting an attack that could write a file outside of the module's "path" setting (where all its files should be stored). Please either enable chroot or upgrade to 2.6.1. People not running a daemon, running a read-only daemon, or running a chrooted daemon are totally unaffected."

squid: buffer overflow
Package(s): squid
CVE #(s): CAN-2004-0541
Created: June 9, 2004
Updated: September 30, 2004
Description: The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.

SquirrelMail cross site scripting vulnerabilities
| Package(s): | squirrelmail |
| CVE #(s): | CAN-2004-0519, CAN-2004-0520, CAN-2004-0521 |
| Created: | May 21, 2004 |
| Updated: | October 4, 2004 |
| Description: | Several unspecified cross-site scripting (XSS) vulnerabilities and a well-hidden SQL injection vulnerability were found in SquirrelMail versions 1.4.2 and lower. SquirrelMail does not sanitize variables received via the URL query string before using them in generated pages and in database queries. An XSS attack lets an attacker inject script into pages served by the web application, where it runs in other users' browsers; the SQL injection lets an attacker alter the queries the application issues. |
| Alerts: | |
Comments (none posted)
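The two defects in the SquirrelMail entry, unescaped query-string data reaching an HTML page and an SQL statement, reduced to a small Python model. This is an added example, not SquirrelMail's own (PHP) code: the request strings, the `mailbox`/`nickname` parameter names and the sqlite3 address-book table are all constructed here for the demonstration, and the vulnerable and fixed forms sit side by side.

```python
"""Added example, not SquirrelMail's code: query-string data flowing
unsanitized into HTML (XSS) and into SQL (injection), with the fixed
form of each.  Parameter names, request strings and the table are
constructed for the demonstration.
"""
import html
import sqlite3
from urllib.parse import parse_qs


def render_vulnerable(query_string: str) -> str:
    """Inserts the 'mailbox' parameter into the page verbatim."""
    params = parse_qs(query_string)
    mailbox = params.get("mailbox", ["INBOX"])[0]
    return f"<h1>Folder: {mailbox}</h1>"


def render_fixed(query_string: str) -> str:
    """html.escape() turns <, >, &, and quotes into entities, so script
    supplied in the parameter is displayed as text instead of executed."""
    params = parse_qs(query_string)
    mailbox = params.get("mailbox", ["INBOX"])[0]
    return f"<h1>Folder: {html.escape(mailbox, quote=True)}</h1>"


def contains_script(page: str) -> bool:
    """Crude detector used only to show the difference between the two."""
    return "<script" in page.lower()


def make_db() -> sqlite3.Connection:
    """Constructed address-book table belonging to two different users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE address (owner TEXT, nickname TEXT, email TEXT)")
    db.executemany("INSERT INTO address VALUES (?, ?, ?)", [
        ("alice", "bob", "bob@example.org"),
        ("alice", "carol", "carol@example.org"),
        ("mallory", "eve", "eve@example.org"),
    ])
    return db


def lookup_vulnerable(db: sqlite3.Connection, owner: str, nickname: str) -> list:
    """WHERE clause built by string formatting; nickname comes from the URL.

    nickname = "' OR '1'='1" turns the clause into
    owner = 'alice' AND nickname = '' OR '1'='1', which matches every row,
    including other users' entries.
    """
    sql = ("SELECT email FROM address WHERE owner = '%s' AND nickname = '%s'"
           % (owner, nickname))
    return [row[0] for row in db.execute(sql)]


def lookup_fixed(db: sqlite3.Connection, owner: str, nickname: str) -> list:
    """Parameterised query: the driver binds the values, so quotes inside
    nickname cannot change the structure of the statement."""
    sql = "SELECT email FROM address WHERE owner = ? AND nickname = ?"
    return [row[0] for row in db.execute(sql, (owner, nickname))]


if __name__ == "__main__":
    xss = "mailbox=%3Cscript%3Ealert(1)%3C/script%3E"
    print(render_vulnerable(xss))
    print(render_fixed(xss))
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, "alice", "' OR '1'='1"))
    print("fixed:     ", lookup_fixed(db, "alice", "' OR '1'='1"))
```

The fix in both halves is the same principle: data from the query string is never concatenated into a language (HTML or SQL) that interprets it; it is either escaped for that language's syntax or passed out of band as a bound parameter.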
Subversion: Remote heap overflow
| Package(s): | subversion |
| CVE #(s): | CAN-2004-0413 |
| Created: | June 11, 2004 |
| Updated: | March 7, 2005 |
| Description: | Subversion contains a remotely triggerable heap overflow. A malicious client can crash a server running svnserve (denial of service) and may be able to make it execute arbitrary code. See this advisory for more information. |
| Alerts: | |
Comments (none posted)
sysstat: temporary file vulnerability
| Package(s): | sysstat |
| CVE #(s): | CAN-2004-0107, CAN-2004-0108 |
| Created: | March 10, 2004 |
| Updated: | October 4, 2004 |
| Description: | The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files. |
| Alerts: | |
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
| CVE #(s): | CAN-2001-1267, CAN-2001-1268, CAN-2001-1269, CAN-2002-0399 |
| Created: | October 1, 2002 |
| Updated: | April 9, 2006 |
| Description: | The tar utility does not properly filter file names containing "../", so a hostile archive, if unpacked by an unsuspecting user, can overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. |
| Alerts: | |
Comments (1 posted)
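The tar/unzip entry above and the rsync entry earlier describe the same underlying mistake: a path chosen by an untrusted party (an archive member name, or the path a daemon client asks to write) is used without checking that it still lands inside the intended directory. The following is an added example, not code from GNU tar, unzip or rsync: a `safe_join()` check that rejects absolute names and anything that resolves outside the base directory, applied to the members of a hostile archive constructed in memory for the demonstration (the member names, the scratch directory and the `is_confined`/`unsafe_members` helpers are all assumptions of this example).

```python
"""Added example, not GNU tar's, unzip's or rsync's own code: confine an
untrusted relative path to a base directory before touching the
filesystem.  Covers "../" member names (tar/unzip) and client-supplied
paths in a non-chrooted daemon (rsync) with one check.  The archive used
below is constructed in memory for the demonstration.
"""
import io
import os
import posixpath
import tarfile
import tempfile


def safe_join(base: str, untrusted: str) -> str:
    """Return base/untrusted if it stays inside base, else raise ValueError.

    Absolute names are rejected outright.  "../" components and symlinked
    parent directories are caught because realpath() resolves the final
    location before the prefix comparison is made.
    """
    if posixpath.isabs(untrusted):
        raise ValueError(f"absolute path not allowed: {untrusted!r}")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, untrusted))
    if candidate != base_real and not candidate.startswith(base_real + os.sep):
        raise ValueError(f"path escapes base directory: {untrusted!r}")
    return candidate


def is_confined(base: str, untrusted: str) -> bool:
    """Boolean form of safe_join() for callers that only need a verdict."""
    try:
        safe_join(base, untrusted)
    except ValueError:
        return False
    return True


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Names of members that would land, or point, outside dest.

    Link targets are attacker-controlled too: a symlink's target is
    resolved relative to the member's own directory, a hardlink's target
    relative to the archive root.
    """
    bad = []
    for m in tar.getmembers():
        targets = [m.name]
        if m.issym():
            targets.append(m.linkname if posixpath.isabs(m.linkname)
                           else posixpath.join(posixpath.dirname(m.name), m.linkname))
        elif m.islnk():
            targets.append(m.linkname)
        if not all(is_confined(dest, t) for t in targets):
            bad.append(m.name)
    return bad


def build_demo_archive() -> bytes:
    """Constructed sample: one benign member and three hostile ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("docs/README", b"hello\n"),
                           ("../../.bashrc", b"echo pwned\n"),
                           ("/etc/cron.d/job", b"* * * * * root id\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs/link")     # symlink escaping via its target
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


def demo() -> list:
    """Vet the constructed archive against a fresh scratch directory."""
    dest = tempfile.mkdtemp(prefix="extract-")
    with tarfile.open(fileobj=io.BytesIO(build_demo_archive()), mode="r") as tar:
        return unsafe_members(tar, dest)


if __name__ == "__main__":
    print("rejected members:", demo())
```

Running it rejects `../../.bashrc`, `/etc/cron.d/job` and `docs/link` and accepts `docs/README`. The same `safe_join()` is what a daemon should apply to a client-supplied path relative to its module directory; a chroot, as the rsync advisory recommends, makes the kernel enforce the boundary even if the check is missing.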
tcpdump: ISAKMP payload handling denial-of-service vulnerabilities
| Package(s): | tcpdump |
| CVE #(s): | CAN-2004-0183, CAN-2004-0184 |
| Created: | March 30, 2004 |
| Updated: | September 30, 2004 |
| Description: | tcpdump 3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. On receiving specially crafted ISAKMP packets, tcpdump will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory. |
| Alerts: | |
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
| CVE #(s): | |
| Created: | May 20, 2002 |
| Updated: | October 5, 2004 |
| Description: | This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well. |
| Alerts: | |
Comments (none posted)
tripwire format string vulnerability
| Package(s): | tripwire |
| CVE #(s): | CAN-2004-0536 |
| Created: | June 4, 2004 |
| Updated: | July 7, 2004 |
| Description: | The code that generates email reports contains a format string vulnerability in pipedmailmessage.cpp. With a carefully crafted filename on a local filesystem, an attacker could cause execution of arbitrary code with the privileges of the user running tripwire, which is often root. See this advisory on SecurityFocus for more details. |
| Alerts: | |
Comments (none posted)
webmin: denial of service
| Package(s): | webmin |
| CVE #(s): | CAN-2004-0582, CAN-2004-0583 |
| Created: | June 16, 2004 |
| Updated: | July 28, 2004 |
| Description: | Versions of webmin prior to 1.150 suffer from denial of service and information disclosure vulnerabilities. See the advisories for the disclosure and lockout problems for more information. |
| Alerts: | |
Comments (none posted)
XChat 2.0.x SOCKS5 Vulnerability
| Package(s): | xchat |
| CVE #(s): | CAN-2004-0409 |
| Created: | April 19, 2004 |
| Updated: | November 14, 2005 |
| Description: | The SOCKS 5 proxy code in XChat contains a stack overflow that may allow a remote attacker to run arbitrary code with the user ID of the XChat client. Exploitation requires that the user connects through a SOCKS 5 proxy, has enabled SOCKS 5 traversal (disabled by default), and that the proxy is one the attacker controls. |
| Alerts: | |
Comments (none posted)
xine-ui - insecure temporary file creation
| Package(s): | xine-ui |
| CVE #(s): | CAN-2004-0372 |
| Created: | April 6, 2004 |
| Updated: | April 27, 2006 |
| Description: | Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine. |
| Alerts: | |
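The xine-ui entry above and the sysstat entry earlier are both instances of the classic temporary-file race: a script writes to a predictable name under /tmp, and a local attacker who plants a symlink at that name first redirects the write onto a file of their choosing. The following is an added example, not sysstat's or xine-ui's own script: it reproduces the attack in a scratch directory that stands in for /tmp (the `tool.<pid>` name, the victim file and the helper names are assumptions of this example) and shows the two safe patterns beside the vulnerable one.

```python
"""Added example, not sysstat's or xine-ui's code: the temporary-file
race reproduced in a scratch directory standing in for /tmp, beside the
safe patterns.  The predictable name tool.<pid> and the victim file are
constructed for the demonstration.
"""
import os
import tempfile


def insecure_write(path: str, data: bytes) -> None:
    """Vulnerable pattern: create-or-truncate a predictable path.

    This is what the shell's `> /tmp/tool.$$` does.  If a symlink already
    sits at `path`, O_CREAT|O_TRUNC follows it and the write lands on the
    symlink's target with the privileges of whoever runs the script.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def secure_write(path: str, data: bytes) -> None:
    """Hardened pattern when the name must be fixed: O_EXCL refuses to
    open any pre-existing entry (a planted symlink included), O_NOFOLLOW
    refuses symlinks outright.  Raises FileExistsError under attack."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def secure_tempfile(tmpdir: str, data: bytes) -> str:
    """Preferred pattern: mkstemp() picks an unpredictable name and creates
    it atomically with O_EXCL, so there is no name to pre-plant."""
    fd, path = tempfile.mkstemp(prefix="tool.", dir=tmpdir)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def simulate(tmpdir: str) -> dict:
    """Run the attack against both writers; tmpdir stands in for /tmp.

    Constructed scenario: the attacker knows the script uses tool.<pid>
    and plants a symlink to a file they want overwritten.
    """
    victim = os.path.join(tmpdir, "victim-config")
    with open(victim, "wb") as f:
        f.write(b"original\n")
    predictable = os.path.join(tmpdir, "tool.%d" % os.getpid())
    os.symlink(victim, predictable)          # attacker's move, before the script runs

    insecure_write(predictable, b"attacker-controlled\n")
    with open(victim, "rb") as f:
        insecure_clobbered = f.read() != b"original\n"

    with open(victim, "wb") as f:            # reset the victim, keep the symlink
        f.write(b"original\n")
    try:
        secure_write(predictable, b"attacker-controlled\n")
        secure_raised = False
    except FileExistsError:
        secure_raised = True
    with open(victim, "rb") as f:
        secure_clobbered = f.read() != b"original\n"

    used = secure_tempfile(tmpdir, b"data\n")
    return {
        "insecure_clobbered": insecure_clobbered,
        "secure_raised": secure_raised,
        "secure_clobbered": secure_clobbered,
        "mkstemp_unpredictable": used != predictable and os.path.isfile(used),
    }


def demo() -> dict:
    return simulate(tempfile.mkdtemp(prefix="faketmp-"))


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In a shell script the equivalent fix is `mktemp` (or `mktemp -d`) instead of a hand-built `/tmp/name.$$`. Modern Linux kernels with `fs.protected_symlinks=1` refuse to follow symlinks in sticky world-writable directories unless the link owner matches, which blunts this attack on a real /tmp, but the scratch directory here is not sticky and not every system has the sysctl, so the script must not rely on it.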