Spam avoidance techniques
It is said that most free software comes about as the result of some
developer scratching a personal itch. It's also said that very little
innovative free software development is done; free software projects spend
their time "chasing taillights" - catching up to the features offered by
proprietary code. The field of spam filtering may well confirm one of
those stereotypes while refuting the other. After all, if there is
anything that truly itches, it's spam. But some of the free software being
developed to combat spam is truly innovative.
Most spam filtering work has involved two techniques: testing mail against
patterns indicative of spam and blocking mail from known sources of spam
(and other likely sources, such as ISP dialup lines). Source-based
blocking can be effective, but it also tends to block a fair amount of
legitimate mail along with the spam. For example, some blacklists cause the blocking of mail from kernel.org,
despite the fact that no spam originates there. Source-based blocking is
unreliable enough that quite a few sites are unwilling to use it, despite a
strong desire to be rid of spam.
Pattern matching has shown more promise. Early spam filtering was done
with complex procmail
scripts, but the current champion of pattern-based spam filtering can
only be SpamAssassin. Using a
detailed set of rules, SpamAssassin cleans out the trash to great effect.
LWN has been using it for some months, and it has made life much easier -
lwn@lwn.net gets a lot of spam. SpamAssassin has returned much of
our time back to us to work on LWN, as well as keeping us from accidentally
deleting mail from readers that tended to get buried in the spam.
One thing that SpamAssassin users tend to notice, however, is that its
effectiveness decreases over time. Each new update blocks more spam - a
recent upgrade freed us from a whole unpleasant class of Nigeria spam, for
example. But pattern-based matching only works as well as its patterns,
and they tend to go stale as spammers move on to new tricks. Keeping
SpamAssassin effective requires a number of highly dedicated people to
actually read all that spam and come up with new rules. Most
SpamAssassin users are unlikely to be able (or willing) to write new rules
themselves.
Recently, a new approach to spam filtering has attracted a lot of
attention, thanks mostly to Paul Graham's paper A Plan for Spam. Rather
than try to come up with an endless stream of clever patterns to detect
spam, why not just look at the words spammers use? Each word can be
assigned a probability that any message that contains it is spam; the
probabilities for the words in any specific message are then combined using a
Bayesian filter, yielding an overall probability estimate. If that
estimate is high enough, the message is classified as spam.
At a first glance, going up against a tool as good as SpamAssassin with
such a simple technique seems like a losing battle, but this approach has a
number of advantages:
- Development of the word-based rules can be automated - it is
just a matter of feeding the filter enough spam and "ham" (legitimate
mail) and letting it work out a probability factor for each word.
- The filter can be made to follow shifting patterns in spam by
passing it each message that it misclassifies. Users can not be
expected to master regular expressions and write patterns, but they
can be asked to hit a "this is spam" key in their mailer.
- Each user's spam filter comes to reflect the mail that the user
receives. Spam seems like the ultimate in indiscriminate marketing,
but the fact is that different people can receive very different spam.
An individually derived rule base should prove more effective than a
"one size fits all" set of patterns.
- Classification of mail with a Bayesian filter can be done relatively
quickly.
All of the above is irrelevant, however, if the Bayesian approach does not
succeed in actually filtering spam. To get a sense for the state of the
art, we took 3000 messages received at lwn@lwn.net - a little under two
weeks worth. 295 of those messages were real mail, and 2705 were spam. If
one were to believe the bulk of our mail, one would conclude that about
every part of our anatomy (even those we don't possess) is the wrong size,
that we are so honest that people want to extract money from Africa via our
bank account, that we're missing out on numerous hot stocks, that we have a
strange attraction to domesticated animals, and that the purchase of
something called the "TushyClean" would greatly improve our lives. Trust
us, this exercise has not been fun, but no sacrifice is too great for our
readers.
Once the messages were sorted, we fed them all to SpamAssassin and to bogofilter, a new
Bayesian filter written by Eric Raymond. Bogofilter was tested twice: once
after training with 15% of the 3000 messages, and once after being trained
with the whole set. Then we ran both filters on 5000 recent postings from
the linux-kernel list, twelve of which were spam (devfs flames were not
counted). The results were:
False positives are legitimate mail classified as spam. These, of course,
are bad news, since they can cause the loss of real mail. False negatives
are spam that slip through - an annoyance. It is appropriate that spam
filters tend to err toward false negatives, and both filters shown here do
exactly that.
The results indicate that bogofilter requires a substantial amount of
training before it reaches the level of effectiveness achieved by
SpamAssassin. This training is best done with each individual user's mail,
but most users are unlikely to have a few thousand nicely sorted messages
sitting around to train their filters with. So bogofilter is likely to be
frustrating for many users to adopt - it won't work well until the user has
run "about one thousand" (according to Eric Raymond) messages through it.
That said, bogofilter is surprisingly effective for a tool that
is so new and very much still in development. And the run time relative to
SpamAssassin speaks for itself. Much of the difference there will be
explained by the fact that bogofilter is coded in C, while SpamAssassin is
in Perl. But bogofilter also owes its speed to a much faster algorithm.
The Bayesian filter idea is not new - see this 1998
paper on the Microsoft site, for example. But recently a great deal of
effort has gone into expressing this approach in free software. Bogofilter
is one example; another is the spambayes
project, which has been set up as a testbed for variants on the Bayesian
filter idea. It will be interesting to see where these projects go; they
seem to be off to an interesting start. Taking on a tool as effective as
SpamAssassin is a difficult challenge, but the free software world likes
challenges.
Comments (27 posted)
Where free software should be required by law
RISKS 22.24 includes
a detailed article
by Rebecca Mercuri on the latest fun with the new voting systems in
Florida. That state, of course, was the source of (ongoing) uncertainty in
the 2000 U.S. presidential election, due, in part, to its ancient voting
equipment. Since then, the voting machines have been upgraded to new,
computer-based systems with touchscreen interfaces.
These systems are based on closed source code. There is no
external audit trail, no way of verifying that they are recording votes as
they were actually cast. Trade secret law forbids the inspection of the
code in the systems. One just has to trust the vendor that the results are
correct.
A primary election held there recently turned up a whole set of
problems, ranging from basic usability issues to outright failure.
There has been a lot of interest recently in laws requiring governments to
use free software in many or all situations. It remains unclear, to some
people anyway, that such laws are really in the best interest of
government, the governed, or the free software community. But, in the
case of voting systems, the case seems clear: no part of the system that
elects people into positions of power should be opaque. The creation of a
free, transparent, verifyable electronic voting system should not be that
hard a task for governments or the free software community. There is no
excuse for using anything else.
Comments (10 posted)
Page editor: Jonathan Corbet
Security
Security news
Multics security, thirty years later
Worth a read: Paul Karger and Roger Schell have released a new paper
(available
in
PDF format) entitled "Thirty Years Later: Lessons from the Multics
Security Evaluation." It includes an analysis of the security of the
Multics operating system, written by the same two authors and published in
1974, along with a new forward describing how things have changed in the
mean time. Their assessment of the current state of computer security is
harsh:
The unpleasant conclusion is that although few, if any,
fundamentally new vulnerabilities are evident today, today's
products generally do not even include many of the Multics security
techniques, let alone the enhancement identified as essential.
That essential enhancement is the creation of verifiable "security kernel"
around which the rest of the system could be built. In 2002, very few
systems built around such kernels exist, and the authors are not very
enthusiastic about those which do exist:
...the ring 0 supervisor of Multics of 1973 occupied about 628K
bytes of executable code and read-only data. This was considered
to be a very large system. By comparison, the size of the SELinux
module with the example policy code and read-only data has been
estimated to be 1767K bytes. This means that just the example
security policy of SELinux is more than 2.5 times bigger than the
entire 1973 Multics kernel and that doesn't count the size of the
Linux kernel itself. Given that complexity is the biggest single
enemy of security, this suggests that the complexity of SELinux
needs to be seriously examined.
Or, to put things in more general terms:
Given the understanding of system vulnerabilities that existed nearly
thirty years ago, today's "security enhanced" or "trusted" systems would
not be considered suitable for processing even in the benign closed
environment.
So how do we make things better? The paper does not provide a whole lot of
new suggestions. The authors talk some about the tools that are used; for
example, Multics was mostly free of buffer overflow vulnerabilities, thanks
to the use of PL/I as the implementation language. PL/I required an
explicit declaration of the length of all strings.
The net result is that a PL/I programmer would have to work very
hard to program a buffer overflow error, while a C programmer has
to work very hard to avoid programming a buffer overflow error.
Beyond that, one gets the sense that the authors feel they said what needed
to be said thirty years ago, and they are still waiting for the message to
get across. Their prediction:
It is unthinkable that another thirty years will go by without one
of two occurrences: either there will be horrific cyber disasters
that will deprive society of much of the value computers can
provide, or the available technology will be delivered, and
hopefully enhanced, in products that provide effective security.
The authors hope for the latter scenario; so do we.
Comments (8 posted)
Security reports
AFD 1.2.14 multiple local root compromises
AFD ("automatic file distributor") suffers from buffer overflow
vulnerabilities which can lead to a local root compromise. Version 1.2.15
of AFD contains fixes for the problems.
Full Story (comments: none)
A couple of KDE security advisories
The KDE project has issued a couple of security advisories:
- This one describes a cross-site
scripting vulnerability in Konqueror (and any other application which
uses the KHTML renderer). Javascript code running in one frame can
access other frames which should be inaccessible. This problem is
fixed in kdelibs 3.0.3a.
- The second is for a secure cookie
problem in Konqueror. The "secure" flag in cookies is not recognized,
with the result that "secure" cookes can be transmitted over
unencrypted connections. KDE 3.0.3 fixes the problem.
We will, of course, pass on distributor updates as we receive them.
Comments (1 posted)
A security update to XFree86
The XFree86 project has
released
XFree86 4.2.1, which fixes a few security problems. The most urgent
problem is a vulnerability in the internationalization code which can allow
an attacker to cause a privileged X client to load and execute arbitrary
code. This vulnerability only exists in XFree86 4.2.0; earlier releases
are not vulnerable.
No distributor updates have been received as of this writing, though
Slackware has updated its XFree86 packages.
Comments (1 posted)
New vulnerabilities
Denial of service vulnerability in amavis
| Package(s): | amavis |
CVE #(s): | |
| Created: | September 11, 2002 |
Updated: | September 11, 2002 |
| Description: |
AMaViS is vulnerable to a denial of service attack via maliciously crafted input. Patches exist for AMaViS, but the recommended solution is to upgrade to the (actively developed) amavis-perl tool. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
Input validation vulnerability in cacti
| Package(s): | cacti |
CVE #(s): | |
| Created: | September 11, 2002 |
Updated: | September 11, 2002 |
| Description: |
Cacti is a PHP front end to rrdtool; it assists in the creation of plots from a MySQL database. This tool does not properly validate all input, leading to a remote code execution vulnerability in certain, limited conditions. See this Bugtraq posting for details. |
| Alerts: |
|
Comments (none posted)
Cross-site scripting vulnerability in mhonarc
| Package(s): | mhonarc |
CVE #(s): | CAN-2002-0738
CAN-2002-1307
CAN-2002-1388
|
| Created: | September 11, 2002 |
Updated: | January 3, 2003 |
| Description: |
Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to cross-site scripting problems when presented with maliciously crafted messages. This problem is fixed in mhonarc version 2.5.3, but it is not clear that all possible vulnerabilities have been fixed. See the Debian advisory below for information on how to disable text/html attachment support in mhonarc, which may be a more secure solution. |
| Alerts: |
|
Comments (none posted)
Multiple vulnerabilities in wordtrans
| Package(s): | wordtrans |
CVE #(s): | CAN-2002-0837
|
| Created: | September 11, 2002 |
Updated: | February 4, 2003 |
| Description: |
The "wordtrans" interface to multilingual dictionaries suffers from input validation and cross-site scripting vulnerabilities; versions through 1.1pre8 are vulnerable. See this Guardent advisory for details. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
LPRng accepts jobs from any host.
| Package(s): | LPRng |
CVE #(s): | CAN-2002-0378
|
| Created: | June 12, 2002 |
Updated: | October 31, 2002 |
| Description: |
Matthew Caron pointed out that LPRng's default configuration accepts job submissions from any host.
This could be an especially annoying vulnerability for adminstrators
with systems exposed to the general public.
|
| Alerts: |
|
Comments (none posted)
OpenSSL remotely-exploitable buffer overflow vulnerabilities
| Package(s): | OpenSSL |
CVE #(s): | CAN-2002-0655
CAN-2002-0656
CAN-2002-0657
CAN-2002-0659
|
| Created: | July 30, 2002 |
Updated: | September 24, 2002 |
| Description: |
Four remotely-exploitable buffer overflows were found in OpenSSL versions 0.9.7 and 0.9.6d and earlier by a DARPA sponsored security audit.
Both client and server applications are affected.
The vulnerabilities are described in this security alert from the OpenSSL team.
A nasty exploit for one of the vulnerabilities is described in
CERT Advisory CA-2002-27 Apache/mod_ssl Worm.
Compromise by the Apache/mod_ssl worm indicates that a remote attacker
can execute arbitrary code as the apache user on the victim system. It
may be possible for an attacker to subsequently leverage a local
privilege escalation exploit in order to gain root access to the
victim system. Furthermore, the DDoS capabilities included in the
Apache/mod_ssl worm allow victim systems to be used as platforms to
attack other systems.
If you haven't already, applying an update is a very good thing
to do today.
Mitel Networks has an update available which
closes this vulnerabilty for their SME Server software.
CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL |
| Alerts: |
|
Comments (none posted)
Safemode vulnerability in PHP
| Package(s): | PHP |
CVE #(s): | CAN-2001-1246
|
| Created: | August 20, 2002 |
Updated: | October 9, 2002 |
| Description: |
PHP versions 4.0.5 through 4.1.0 fail to properly cleanse a parameter to the mail() function, allowing arbitrary command execution by local and (possibly) remote attackers. |
| Alerts: |
|
Comments (none posted)
Buffer overflow vulnerabilities in PostgreSQL
| Package(s): | PostgreSQL |
CVE #(s): | |
| Created: | August 21, 2002 |
Updated: | January 27, 2003 |
| Description: |
PostgreSQL 7.2.2 has been released in response to a number of buffer
overrun vulnerabilities which have been identified recently. "...it
should be noted that these vulnerabilities are only critical on 'open' or
'shared' systems, as they require the ability to be able to connect to the
database before they can be exploited."
Buffer overflow vulnerabilities fixed include those reported by
"Sir Mordred The Traitor" in the cash_words,
repeat, and lpad
and rpad functions. |
| Alerts: |
|
Comments (none posted)
Heap corruption vulnerability in at
| Package(s): | at at, sudo, xchat |
CVE #(s): | CAN-2002-0004
|
| Created: | May 21, 2002 |
Updated: | May 15, 2003 |
| Description: |
The at command has a
potentially exploitable heap corruption bug.
(First LWN report: January 17th).
|
| Alerts: |
|
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
CVE #(s): | CAN-2002-0651
CAN-2002-0684
|
| Created: | July 8, 2002 |
Updated: | October 1, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Firch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"
used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory: CA-2002-19
Buffer Overflow in Multiple DNS Resolver Libraries
CAN-2002-0651
CAN-2002-0684 |
| Alerts: |
|
Comments (1 posted)
Potential unauthorized root access vulnerability in dietlibc
| Package(s): | dietlibc |
CVE #(s): | CAN-2002-0391
|
| Created: | August 14, 2002 |
Updated: | December 5, 2002 |
| Description: |
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library with is used in
dietlibc, a libc optimized for small size.
The bug could be exploited to gain unauthorized root
access to software linking to dietlibc.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream |
| Alerts: |
|
Comments (none posted)
Ethereal 0.9.6 fixes potential remote code execution vulnerability
| Package(s): | ethereal |
CVE #(s): | CAN-2002-0834
CAN-2002-0821
CAN-2002-0822
|
| Created: | September 4, 2002 |
Updated: | September 11, 2002 |
| Description: |
Ethereal 0.9.6 was released
on August 20, 2002 fixing a serious
buffer overflow vulnerability in the ISIS protocol dissector in Ethereal 0.9.5 and earlier versions.
It may be possible to make Ethereal crash or hang by injecting a purposefully malformed packet onto the wire, or by convincing someone to read a malformed packet trace file. It may be possible to make Ethereal run arbitrary code by exploiting the buffer and pointer problems.
Ethereal 0.9.4 has multiple buffer overflow and other
vulnerabilities hat are best delt with by upgrading to 0.9.6.
These vulnerabilities may allow remote attackers
to cause a denial of service or execute arbitrary code.
Updating now, rather than later, is recommended. |
| Alerts: |
|
Comments (none posted)
Ethereal buffer overflow, infinite loop and memory management vulnerabilities
| Package(s): | ethereal |
CVE #(s): | CAN-2002-0012
CAN-2002-0013
CAN-2002-0353
CAN-2002-0401
CAN-2002-0402
CAN-2002-0403
CAN-2002-0404
|
| Created: | June 12, 2002 |
Updated: | October 27, 2002 |
| Description: |
Ethereal 0.9.4
was released
on May 19, 2002 fixing four potential security issues in Ethereal 0.9.3:
- The SMB dissector could potentially dereference a NULL pointer in two cases.
- The X11 dissector could potentially overflow a buffer while parsing keysyms.
- The DNS dissector could go into an infinite loop while reading a malformed packet.
- The GIOP dissector could potentially allocate large amounts of memory.
No known exploits exist "in the wild" at the present time for any of these issues.
Ethereal 0.9.2 has several packet handling vulnerabilities
that are best avoided by upgrading to 0.9.4.
The PROTOS test
suite found some flaws in SNMP and LDAP protocols support.
Malformed packets could also crash ethereal 0.9.2 due to a
ASN.1 zero-length g_malloc problem.
The zlib "double free" vulnerability
was addressed by the updates for that bug from many distributors. |
| Alerts: |
|
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
CVE #(s): | CAN-2002-0435
|
| Created: | May 21, 2002 |
Updated: | May 16, 2003 |
| Description: |
A race
condition in rm may cause the root user to delete the whole filesystem.
The problem exists in the version of rm in
fileutils
4.1 stable and 4.1.6 development version. A patch
is available.
(First LWN
report: May 2).
|
| Alerts: |
|
Comments (none posted)
Buffer overflow vulnerability in the Jabber plug-in module for gaim
| Package(s): | gaim |
CVE #(s): | CAN-2002-0384
CAN-2002-0377
|
| Created: | August 14, 2002 |
Updated: | September 11, 2002 |
| Description: |
gaim versions prior to 0.58
contained a buffer overflow in the Jabber plug-in module.
The problem is fixed in
gaim 0.59 which is available here.
"Gaim is an instant messaging client written in GTK and is based on the
published TOC messaging protocol from AOL." |
| Alerts: |
|
Comments (none posted)
Remote arbitrary code execution vulnerability in gaim
| Package(s): | gaim |
CVE #(s): | |
| Created: | August 28, 2002 |
Updated: | September 4, 2002 |
| Description: |
gaim versions prior to 0.59.1
contained a arbitrary code execution vulnerabilty in the
the hyperlink handling code.
The 'Manual' browser command passes an untrusted
string to the shell without escaping or reliable quoting, permitting
an attacker to execute arbitrary commands on the users machine.
Unfortunately, Gaim doesn't display the hyperlink before the user
clicks on it. Users who use other inbuilt browser commands aren't
vulnerable.
The problem is fixed in
gaim 0.59.1 which is available here.
Versions prior to 0.58 also contained a buffer overflow in the Jabber plug-in module which, of course, is still fixed in 0.59.1.
"Gaim is an instant messaging client written in GTK and is based on the
published TOC messaging protocol from AOL."
|
| Alerts: |
|
Comments (1 posted)
Potential remote root exploit in glibc
| Package(s): | glibc |
CVE #(s): | CAN-2002-0391
|
| Created: | August 14, 2002 |
Updated: | June 29, 2003 |
| Description: |
Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
|
| Alerts: |
|
Comments (none posted)
Buffer overflow in groff
| Package(s): | groff |
CVE #(s): | CAN-2002-0003
|
| Created: | May 21, 2002 |
Updated: | December 9, 2002 |
| Description: |
The groff package has a buffer overflow
vulnerability; if it is used with the print system, it is conceivably
exploitable remotely.
|
| Alerts: |
|
Comments (none posted)
HylaFAX 4.1.3 fixes multiple vulnerabilities
| Package(s): | hylafax |
CVE #(s): | CAN-2001-1034
|
| Created: | July 30, 2002 |
Updated: | October 9, 2002 |
| Description: |
The HylaFAX team has
released version 4.1.3 fixing
denial of service, elevated system privilege and possible
remote code execution vulnerabilities.
HylaFAX is a mature (est. 1991) enterprise-class open-source software
package for sending and receiving facsimiles as well as for sending
alpha-numeric pages. It runs on a wide variety of UNIX-like platforms
including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX,
AIX, and HP-UX.
|
| Alerts: |
|
Comments (none posted)
UW imapd remotely exploitable buffer overflow
| Package(s): | imap |
CVE #(s): | CAN-2002-0379
|
| Created: | June 5, 2002 |
Updated: | December 20, 2002 |
| Description: |
UW imapd versions 2000c and prior allow remote authenticated users to execute code via a buffer overflow. A malicious user can craft
a request to run commands on the server under their UID and GID.
(First LWN report: May 23). |
| Alerts: |
|
Comments (2 posted)
KDE 3.0.3 fixes X.509 certificate check vulnerability
| Package(s): | kde |
CVE #(s): | |
| Created: | September 4, 2002 |
Updated: | September 11, 2002 |
| Description: |
The SSL implementation used by previous version of KDE
accepted, without alerting the user, any X.509 certificate signed
by any entity under specific conditions.
This bug allows
"for undetected MITM attacks ("man in the mittle"), which
could compromise an encrypted HTTPS session."
|
| Alerts: |
|
Comments (none posted)
Kernel update for RedHat 7.3 i810 video
| Package(s): | kernel |
CVE #(s): | |
| Created: | August 28, 2002 |
Updated: | September 4, 2002 |
| Description: |
Red Hat has issued a kernel update that fixes an "i810 video oops".
"Updated kernel packages are now available which fix an oops in the i810 3D
kernel code. This kernel update also fixes a difficult to trigger race in
the dcache (filesystem cache) code, as well as some potential security
holes, although we are not currently aware of any exploits."
|
| Alerts: |
|
Comments (none posted)
Kerberos 5 unauthorized root access to KDC host vulnerability
| Package(s): | krb5 |
CVE #(s): | |
| Created: | August 14, 2002 |
Updated: | October 29, 2002 |
| Description: |
A bug in the Kerberos 5 remote
administration service, "kadmind", could be
exploited to gain unauthorized root access to a KDC host.
It is believed that the attacker needs to be able to
authenticate to the kadmin daemon for this attack to be successful.
Felix von Leitner, discovered this
potential division by zero bug in
code derived from the SunRPC library which is used
in many places, including the Kerberos 5 administration system.
Updating now is recommended.
CERT/CC Vulnerability Note VU#192995 Integer
overflow in xdr_array() function when deserializing the XDR stream
|
| Alerts: |
|
Comments (none posted)
Mailman 2.0.12 closes cross-site scripting vulnerability
| Package(s): | mailman |
CVE #(s): | CAN-2002-0855
|
| Created: | August 28, 2002 |
Updated: | September 4, 2002 |
| Description: |
Mailman 2.0.12, released on July 2nd, closed a minor
cross-site scripting vulnerabilty and implemented
"a guard against some reply loops and 'bot
subscription attacks."
Upgrading to Mailman 2.0.13, which also
fixes
some Python 1.5.2 incompatabilities, is recommended. |
| Alerts: |
|
Comments (none posted)
Multiple vulnerabilities in mantis
| Package(s): | mantis |
CVE #(s): | |
| Created: | August 20, 2002 |
Updated: | September 4, 2002 |
| Description: |
The Mantis project has reported a number of bugs in the Mantis bug tracking
system, including:
Needless to say, upgrading to a version later than 0.17.3 is recommended. |
| Alerts: |
|
Comments (none posted)
PHP Remote Compromise/DOS Vulnerability
| Package(s): | mod_php4 |
CVE #(s): | |
| Created: | July 22, 2002 |
Updated: | February 18, 2003 |
| Description: |
PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which
can lead to the corruption of memory, and the usual bad consequences. According to this alert, the vulnerability can only be used for denial of service on x86 systems - there is no way to get it to run exploit code. SPARC/Solaris systems are apparently vulnerable to full remote compromise.
According to the CERT Advisory,
almost every Linux distributor, it seems, ships older (and thus not vulnerable) versions of PHP.
Note that, sometimes, systems thought to be safe from remote compromise turn out to be vulnerable to a modified attack, so x86 users should not relax too much. The solution, for those systems with PHP
4.2.0 or 4.2.1 installed,
is to upgrade to PHP 4.2.2.
For more information see the alert from
the discover of the vulnerability, Stefan Esser of e-matters GmbH,
or the security
advisory from the php team.
CERT Advisory: CA-2002-21 Vulnerability in PHP |
| Alerts: |
|
Comments (1 posted)
Mozilla XMLHttpRequest file disclosure vulnerability
| Package(s): | mozilla |
CVE #(s): | CAN-2002-0354
|
| Created: | May 21, 2002 |
Updated: | October 18, 2002 |
| Description: |
This XMLHttpRequest security
bug impacts all Mozilla-based browsers. "The bug is found in versions of
Mozilla from 0.9.7 to 0.9.9 on various operating
system platforms, and in Netscape versions 6.1 and
higher."
(First LWN
report: May 2).
|
| Alerts: |
|
Comments (none posted)
String format bug in pam_ldap logging
| Package(s): | nss_ldap |
CVE #(s): | CAN-2002-0374
|
| Created: | June 5, 2002 |
Updated: | October 29, 2002 |
| Description: |
The nss_ldap package includes the pam_ldap module for
authenticating a user with an LDAP database.
Pam_ldap versions prior to 144 have a string format
bug in the logging mechanism. |
| Alerts: |
|
Comments (none posted)
Remotely exploitable vulnerability in pine
| Package(s): | pine |
CVE #(s): | CAN-2002-0014
|
| Created: | May 21, 2002 |
Updated: | November 27, 2002 |
| Description: |
Pine has an
unpleasant
vulnerability in URL handling vulnerability which can lead to
command execution by remote attackers.
(First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution,
setting enable-msg-view-urls to "off" in pine's setup will
avoid the vulnerability. (Thanks to Greg Herlein).
|
| Alerts: |
|
Comments (none posted)
PXE server denial of service vulnerability
| Package(s): | pxe |
CVE #(s): | CAN-2002-0835
|
| Created: | September 4, 2002 |
Updated: | November 11, 2002 |
| Description: |
The PXE server can be crashed using DHCP packets from
some Voice Over IP (VOIP) phones. Maliciously formed
DHCP packets could be used by a remote attacker to effect a
denial of service attack.
The PXE package contains the PXE (Preboot eXecution Environment)
server and code needed for Linux to boot from a boot disk image on a
Linux PXE server.
|
| Alerts: |
|
Comments (none posted)
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
CVE #(s): | CAN-2002-1119
|
| Created: | August 28, 2002 |
Updated: | October 1, 2003 |
| Description: |
Zack Weinberg discovered that
os._execvpe from os.py uses a predictable name which could lead
to execution of arbitrary code. According to the Debian
advisory, the problem
was present in Python versions 1.5, 2.1 and 2.2.
CAN-2002-1119 |
| Alerts: |
|
Comments (none posted)
Scrollkeeper temporary file vulnerability
| Package(s): | scrollkeeper |
CVE #(s): | CAN-2002-0662
|
| Created: | September 4, 2002 |
Updated: | September 4, 2002 |
| Description: |
There is
a tempfile vulnerability in ScrollKeeper versions between 0.3 and 0.3.11.
The scrollkeeper-get-cl command generates temporary files
with predictable names and follows symbolic links.
"These files are created when a user logs in to a GNOME session and are
created as the user who logged in. This means an attacker with local
access can easily create and overwrite files as another user."
For more information see this security advisory
from Spybreak.
ScrollKeeper is a cataloging system for documentation on open
systems. It manages documentation metadata (as specified
by the Open
Source Metadata Framework(OMF)) and provides a simple
API to allow help browsers to find, sort, and search
the document catalog.
|
| Alerts: |
|
Comments (none posted)
Sharutils potential privilege escalation using uudecode
| Package(s): | sharutils |
CVE #(s): | CAN-2002-0178
|
| Created: | May 21, 2002 |
Updated: | October 30, 2002 |
| Description: |
According to the CVE entry,
"uudecode, as available in the sharutils package before 4.2.1, does not
check whether the filename of the uudecoded file is a pipe or symbolic
link, which could allow attackers to overwrite files or execute commands."
(First LWN
report: May 16).
|
| Alerts: |
|
Comments (none posted)
Multiple vulnerabilities fixed in Squid-2.4.STABLE7
| Package(s): | squid |
CVE #(s): | |
| Created: | July 8, 2002 |
Updated: | November 15, 2002 |
| Description: |
Here is the security advisory for the Squid proxy server reporting several vulnerabilities in versions up to and including 2.4.STABLE7.
Several of the bugs are believed to allow remote code execution.
The security advisory lists the following
changes:
- Several bugfixes and cleanup of the Gopher client, both
to correct some security issues and to make Squid properly
render certain Gopher menus.
- Security fixes in how Squid parses FTP directory listings into
HTML
- FTP data channels are now sanity checked to match the address
of the requested FTP server. This to prevent theft or injection
of data. See the new ftp_sanitycheck directive if this sanity
check is not desired.
- The MSNT auth helper has been updated to v2.0.3+fixes for
buffer overflow security issues found in this helper.
- A security issue in how Squid forwards proxy authentication
credentials has been fixed
|
| Alerts: |
|
Comments (none posted)
Tcl/Tk local root vulnerability
| Package(s): | tcltk expect |
CVE #(s): | CAN-2001-1374
CAN-2001-1375
|
| Created: | August 14, 2002 |
Updated: | September 24, 2002 |
| Description: |
Tcl/Tk searches for its libraries in the current working
directory before other directories.
A local user could
execute arbitrary code by inserting a Trojan horse library
in the current working directory.
Versions of the expect application prior to 5.32, search for its libraries
in /var/tmp before searching in other directories.
A local user could
gain root privleges by inserting a Trojan horse library
in /var/tmp and then getting the root user to run mkpasswd.
|
| Alerts: |
|
Comments (none posted)
Malformed NFS packet buffer overflow vulnerability in tcpdump
| Package(s): | tcpdump |
CVE #(s): | CAN-2002-0380
|
| Created: | June 5, 2002 |
Updated: | October 9, 2002 |
| Description: |
A buffer overflow in tcpdump can be triggered by a bad NFS packet when
tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
|
| Alerts: |
|
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
Multiple vulnerabilities in SNMP implementations
| Package(s): | ucdsnmp ucd-snmp |
CVE #(s): | CAN-2002-0012
CAN-2002-0013
|
| Created: | May 21, 2002 |
Updated: | September 17, 2002 |
| Description: |
Most SNMP
implementations out there have a variety of buffer overflow vulnerabilities
and should be upgraded at first opportunity. See this CERT advisory for more. (First
LWN report: February 14).
|
| Alerts: |
|
Comments (none posted)
Local root vulnerability in chfn
| Package(s): | util-linux |
CVE #(s): | CAN-2002-0638
|
| Created: | July 29, 2002 |
Updated: | October 30, 2002 |
| Description: |
chfn (change finger information) is one of the utilities in
the util-linux package.
The BindView RAZOR Team has discovered a local root vulnerability
in chfn which is described in the Bindview Advisory.
Under certain conditions, "a
carefully crafted attack sequence can be performed to exploit a
complex file locking and modification race present in this utility,
and, as a result, alter /etc/passwd to escalate privileges in the
system." The conditions include a password file, /etc/passwd, over 4 kilobytes and locating the attacker's account record in any
but the last 4 kB chunk of the file.
CERT/CC Vulnerability Note VU#405955 util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility |
| Alerts: |
|
Comments (none posted)
webalizer: reverse DNS buffer overflow vulnerability
| Package(s): | webalizer |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | January 27, 2003 |
| Description: |
The cause is a buffer overflow bug.
This one sounds nasty.
If reverse DNS lookups are enabled in webalizer,
"an attacker with control over the victims DNS may spoof responses thus
triggering a buffer overflow, potentially leading to a root compromise."
Webalizer 2.01-10 "fixes this and a few
other buglets that have been discovered in the last month or so".
(First LWN report: April 18th, 2002).
|
| Alerts: |
|
Comments (none posted)
Webmin/Usermin vulnerabilities
| Package(s): | webmin |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | January 10, 2003 |
| Description: |
Webmin is a web-based interface for
system administration for Unix.
Webmin has cross-site scripting and
session ID spoofing vulnerabilities
which are fixed in the May 6, 2002 release of version 0.970.
(First LWN
report: May 9).
This one is scary. The session ID
spoofing vulnerability allows the "possibility that arbitrary
commands may be executed with root privileges."
Upgrading is strongly recommended. At a minimum avoid the
"preconditions for a successful exploit" by disabling
password timeouts under Webmin->Configuration->Authentication.
|
| Alerts: |
|
Comments (1 posted)
Problems with libgtop_daemon
| Package(s): | wuftpd libgtop |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | May 7, 2003 |
| Description: |
The libgtop_daemon package is a GNOME
program which makes system information available remotely.
LWN reported the remotely exploitable format
string and buffer overflow vulnerabilities in that package
on December 6th.
On November 28th
disabling the libgtop_daemon on systems where it is running until
an update is available.
Many Linux systems do not run
libgtop by default, but applying the update is a good idea anyway.
|
| Alerts: |
|
Comments (1 posted)
Wwwoffle remote privilege escalation vulnerability
| Package(s): | wwwoffle |
CVE #(s): | CAN-2002-0818
|
| Created: | August 14, 2002 |
Updated: | October 1, 2003 |
| Description: |
The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests
with negative Content Length values.
"It is believed
that an attacker could exploit this bug to gain remote wwwrun access
to the system wwwoffled is running on."
CAN-2002-0818 |
| Alerts: |
|
Comments (none posted)
xchat IC server based dns query vulnerability
| Package(s): | xchat |
CVE #(s): | CAN-2002-0382
|
| Created: | June 5, 2002 |
Updated: | September 24, 2002 |
| Description: |
A malicious IRC server may
return a response to a /dns query that executes arbitrary commands
with the privileges of the user running XChat.
Versions of XChat prior to 1.8.9 are vulnerable. |
| Alerts: |
|
Comments (none posted)
Denial of service vulnerability in xinetd
| Package(s): | xinetd |
CVE #(s): | |
| Created: | August 14, 2002 |
Updated: | December 3, 2002 |
| Description: |
A file descriptor leak into services started from xinetd
may be used, by programs it stats, to crash xinetd.
Xinetd is a replacement for the BSD derived inetd. |
| Alerts: |
|
Comments (none posted)
Resources
The IP Security Protocol (Linux Journal)
This Linux Journal article
explains
IPSec, different levels of security and how to be safe sending and
receiving packets over the network. "
Several different solutions
exist that allow us to cope with this problem, each operating at a
different level of abstraction. In this article, we will discuss the
differences between and purposes of application-level security,
socket-level security and network-level security."
This article continues with part 2 which
moves on to encapsulating security payloads and key exchange mechanisms.
Comments (none posted)
This week's Linux Advisory Watch and Security Week
The
Linux Advisory Watch and
Linux Security Week newsletters from
LinuxSecurity.com are available.
Comments (none posted)
"Know Your Enemy: Honeynets" paper updated
The Honeynet Project has announced an update to its "Know Your Enemy:
Honeynets" paper. "
This
update includes far greater detail in explaining how to deploy 1st and 2nd
generation Honeynets. Even more exciting, we have released a significant
amount of new code, especially for GenII (2nd generation) Honeynets! This
should make deploying these technologies much easier, with different
options and different operating systems."
Full Story (comments: none)
Events
Security events calendar
| September 19 - 20, 2002 | SEcurity of Communications on the Internet 2002(SECI'02) | Tunis, Tunisia |
| September 23 - 26, 2002 | New Security Paradigms Workshop 2002 | (The Chamberlain Hotel)Hampton, Virginia, USA |
| September 23 - 25, 2002 | University of Idaho Workshop on Computer Forensics | (University of Idaho)Moscow, Idaho, USA |
| September 26 - 27, 2002 | HiverCon 2002 | (Hilton Hotel)Dublin, Ireland |
| September 27 - 29, 2002 | ToorCon 2002 | (San Diego Concourse)San Diego, CA, USA |
| October 16 - 18, 2002 | Recent Advances in Intrusion Detection 2002(RAID 2002) | Zurich, Switzerland |
Comments (none posted)
Page editor: Jonathan Corbet
Kernel development
Release status
Kernel release status
The current development kernel is 2.5.34,
released by Linus on September 9. People
who had trouble with 2.5.33 may want to give this one a try; it has some
important per-CPU fixes, and the floppy driver is said to
really
work this time. Also included is a bunch of block I/O work from Al Viro,
memory management work from Andrew Morton, a JFS update, and quite a few
other fixes and updates. The
long-format
changelog is available, as usual. Note that this kernel has a bug
which can caus