Closed betas and the GPL
Certain issues seem to come around over and over again. One of those,
certainly, is that of closed beta tests of Linux distributions. Can a
distributor run closed beta tests and still comply with the GPL? The
straightforward answer is certainly "no." If you distribute GPL-licensed
software to somebody else, you can not restrict their right to further
distribute that software.
That does not stop distributors from doing closed beta tests, however.
Corel did it. Caldera (oops...SCO Group...) has done it. Lindows has done
it. And UnitedLinux is doing it. The closed beta period ends on
September 23, at which point the UnitedLinux beta, with source, will
be available to all. In the meantime, however, one might wonder how the
current closed beta is being kept closed.
At the UnitedLinux press conference, FSF director Bradley Kuhn asked about
the terms of the non-disclosure agreement that was signed by the beta
testers. The UnitedLinux spokesperson evidently agreed to disclose those
terms. To help them remember, Mr. Kuhn has sent out an open letter on behalf of the FSF asking them
to follow through:
Even as you release your new product to the public, the past
situation must be clarified. Not only does the community deserve to
know, but I also believe it behooves you to put to rest and clarify
the legal ambiguities that arise naturally from doing a "closed
beta" of GPL'ed software.
It remains to be seen whether UnitedLinux violated the GPL, or whether it
just picked a set of beta testers who, of their own will, chose not to
distribute the UnitedLinux beta.
Closed betas will always raise this sort of issue, however. They are also
unnecessary. There are distributors, with MandrakeSoft and the Debian
Project at the top of the list, who do all of their development and beta
testing work in the open. In return, they get a wider pool of testers, the
assistance of the free software development community, and the knowledge
that they will not be accused of GPL violations. Distributions, too, are
free software development projects; they benefit from frequent, public
releases. Is it really worth the trouble to keep a Linux distribution
under wraps?
Comments (8 posted)
Integrating intellectual property rights and development policy
The London-based Commission on Intellectual Property Rights has issued
its
final report on intellectual property law and developing countries. There is much to be found there in favor of free
software and freedom of access to information in general. With regard to
DMCA-like legislation, the report recommends:
Where suppliers of digital information or software attempt to
restrict 'fair use' rights by contract provisions associated with
the distribution of digital material, the relevant contract
provision may be treated as void. Where the same restriction is
attempted through technological means, measures to defeat the
technological means of protection in such circumstances should not
be regarded as illegal.
Concerning software for use in government:
Developing countries and their donor partners should review
policies for procurement of computer software, with a view to
ensuring that options for using low-cost and/or open-source
software products are properly considered and their costs and
benefits carefully evaluated. Developing countries should ensure
that their national copyright laws permit the reverse engineering
of computer software programmes beyond the requirements for
inter-operability, consistent with the relevant IP treaties they
have joined.
The full report covers a much wider range of topics, such as drugs,
traditional knowledge, agriculture, etc. Reading the whole thing is a
substantial commitment of time, but worth the trouble for those who are
interested in these topics. Those wanting a rather shorter experience can
read The
Economist's coverage of the report.
Comments (none posted)
LWN status update
After a few quiet weeks, we actually have some news to report: we have
finally been able to set up a new merchant account which will allow us to
accept credit cards. Hopefully we'll have better luck with the new bank
than with the old - which is
still holding a portion of the
donations from last July.
What this means is that, finally, we will be able to go forward with our
subscription offering, at which point we will truly find out if there is
enough support out there to keep LWN going on a sustainable basis. There
is still some frantic code-bashing to be done; if all goes well, we should
be able to start taking subscriptions next week. Next week's LWN Weekly
Edition will be free to all readers; thereafter it will be available to
subscribers only for an initial period (which will probably be one week).
On another front, our new mailing list mechanism is up and running. The
first list is called "Notify;" it simply receives a message once a week
when the new Weekly Edition is available. This list thus replaces our old
lwn-notify list, which has been running since the beginning - almost five
years ago. Other lists, mostly providing access to our content via email,
will be available shortly (and mostly limited to subscribers). Mailing
list subscriptions require a (free) LWN account, and can be controlled
through the "MyAccount" link in the left column.
Thanks, yet again, for your support through this interesting period.
Comments (14 posted)
Page editor: Jonathan Corbet
Security
That OpenSSL Worm
This worm has been referred to by at least four different names:
Apache/mod_ssl worm, linux.slapper.worm, bugtraq.c worm and Modap worm.
On Friday September 13th the first reports appeared on Bugtraq of an active worm exploiting the OpenSSL buffer overflow
vulnerability reported at the end of July.
The next day CERT issued Advisory CA-2002-27 Apache/mod_ssl Worm.
Compromise by the Apache/mod_ssl worm indicates that a remote attacker
can execute arbitrary code as the apache user on the victim system. It
may be possible for an attacker to subsequently leverage a local
privilege escalation exploit in order to gain root access to the
victim system. Furthermore, the DDoS capabilities included in the
Apache/mod_ssl worm allow victim systems to be used as platforms to
attack other systems.
By Sunday
September 15th, at 17:00 GMT, F-Secure Corporation reported 13,000 infected servers
out of "over 1,000,000 active OpenSSL
installations in the public web."
Updates to fix the problem, including backports to earlier versions of OpenSSL, had been available for over a month
from the OpenSSL project, Caldera, Conectiva, Debian, EnGarde, Eridani, Gentoo, Mandrake, OpenPKG, Red Hat, SuSE, Trustix and Yellow Dog.
SecurityFocus has completed and released a full analysis (PDF format) of the worm in addition to their initial incident Alert (PDF format).
F-Secure is maintaining a "Virus Description" of
this worm with lots of interesting information.
The first reports in the press appeared Friday,
the day the worm was first seen, in
CNET
and
Network World Fusion.
The next day CNET put up another story with
additional information. By Monday evening both the Register and
TechWeb
had published their reports on events to date. On Tuesday Network World Fusion reported that the worm has infected at least 30,000 Linux Apache Web servers.
Also, see
this other article from TechWeb on the worm:
According to Dan Ingevaldson, team lead of the X-Force R&D division at ISS, the first version may be a test to see how well the worm works before deadlier versions surface. "Unlike Code Red and Nimda, where virus writers didn't have immediate access to the source code, the source code for this worm is already widely public," he says. "I'd expect new versions to start to surface."
RUS-CERT has made available a tool to remotely detect vulnerable servers. However, Eric Rescorla has
observed behavior different from what that tool expects.
In the unlikely event that you haven't already, applying the appropriate OpenSSL update might be a very good thing to do before reading any further.
Comments (3 posted)
Security news
Mozilla bug leaks Web surfing data (CNET)
CNET has
a short article about a little privacy bug in Mozilla's handling of referers.
"The bug reveals the URL of the page someone is viewing to the Web server of
the site last visited. This allows a Web server to track where people go after
they leave the site, even if the next Web address comes from a bookmark or is
manually typed into the browser." If you are using a Gecko-based browser, you
can see the bug in action on
this page.
Comments (none posted)
September CRYPTO-GRAM newsletter
Bruce Schneier's CRYPTO-GRAM newsletter for September is out. It looks at
possible new attack strategies for algorithms like AES, the Word97
vulnerability, and more. "We're seeing more and more of this:
vulnerabilities in products that are no longer supported. When the SNMP
vulnerabilities were published earlier this year, many products with the
vulnerability were no longer supported. Some were made by companies no
longer in business."
Full Story (comments: none)
Security reports
ht://Check cross-site scripting problems
Ulf Harnhammar reports potential cross-site scripting problems in
ht://Check version 1.1, and possibly earlier versions as well.
"It doesn't remove HTML tags before displaying the crawled web servers'
"Server:" headers and other information."
ht://Check is a link checker derived from ht://Dig. It can retrieve
information through HTTP/1.1 and store it in a MySQL database so
that after a "crawl", ht://Check can return broken links, anchors
not found, content-types, and HTTP status code summaries. A PHP
interface lets the user query and view the results directly via
the web.
Full Story (comments: none)
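The Server: header problem above is an output-encoding problem: a value that arrived from an arbitrary remote server is placed into HTML unchanged. As an added example, not ht://Check's own code, here is a C routine that escapes such a header before it is written into the report, with a bounded destination buffer so an oversized header is reported as an error rather than truncated into unbalanced markup. The function names html_escape() and report_row() are assumptions, and the hostile header in main() is a constructed sample.

```c
/* Added example, not ht://Check's code.  html_escape() and report_row() are
 * assumed names for the illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape the characters that can change HTML context.  Writes as much of the
 * escaped text as fits (always NUL-terminated when outlen > 0) and returns the
 * length the fully escaped string needs, so a caller can compare that against
 * outlen and detect truncation instead of emitting a partial entity. */
size_t html_escape(const char *in, char *out, size_t outlen)
{
    size_t needed = 0, pos = 0;
    int full = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char one[2] = { (char)*p, '\0' };
        const char *rep;
        switch (*p) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rlen = strlen(rep);
        needed += rlen;
        if (!full && outlen > 0 && pos + rlen < outlen) {
            memcpy(out + pos, rep, rlen);   /* whole entity or nothing */
            pos += rlen;
        } else {
            full = 1;                       /* stop writing once anything fails to fit */
        }
    }
    if (outlen > 0)
        out[pos] = '\0';
    return needed;
}

/* One row of the crawl report.  Both cells came over the network (the host
 * name from the crawl, the header from the remote server), so both are
 * escaped.  Returns 0 on success, -1 if a value was too long to keep. */
int report_row(const char *host, const char *server_hdr, char *row, size_t rowlen)
{
    char h[256], s[512];
    if (html_escape(host, h, sizeof h) >= sizeof h ||
        html_escape(server_hdr, s, sizeof s) >= sizeof s)
        return -1;
    int n = snprintf(row, rowlen, "<tr><td>%s</td><td>%s</td></tr>", h, s);
    return (n < 0 || (size_t)n >= rowlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample: a Server: header carrying markup.  The report must
     * show it as text, never hand it to the browser as a tag. */
    const char *hostile = "Apache/1.3.26 <script>alert(1)</script>";
    char row[1024];
    if (report_row("www.example.test", hostile, row, sizeof row) == 0)
        puts(row);
    return 0;
}
```

The escaping happens at the moment the value enters HTML; storing the raw header in MySQL is fine as long as every path from the database to a browser passes through this step.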
xbreaky symlink vulnerability
Marco van Berkum reports a symlink vulnerability in the xbreaky
breakout game for X.
If xbreaky is installed suid, the vulnerability can be abused
by any user to overwrite any file on the filesystem. Distributions
which include xbreaky may or may not install it suid root.
Full Story (comments: none)
MIMEDefang version 2.21 scans fragmented mail messages
The folks at Roaring Penguin Software have released, under the GPL,
version 2.21 of MIMEDefang to deal with this Outlook Express based
attack to bypass SMTP-based content filter engines.
MIMEDefang is a program for inspecting and modifying e-mail messages as they pass through your mail relay. MIMEDefang is written in Perl, and its filter actions are expressed in Perl, so it's highly flexible.
A patched version of MIME-Tools that addresses the problem is
also available, as is version 1.2-F17 of Roaring Penguin's commercial CanIt
anti-spam solution, based on MIMEDefang 2.21.
Full Story (comments: none)
(Proprietary product) Race conditions in BRU Workstation 17.0
A race condition in TolisGroup's BRU Workstation 17.0 can be used to
clobber any system file. According to this followup post, TolisGroup
have responded with confirmation of an update for a race condition
reported previously, and an estimated date for a new update for this one.
Full Story (comments: none)
(Proprietary product) File disclosure vulnerability in DB4Web application server
Stefan Bagdohn reports a file disclosure vulnerability in
the DB4Web high-performance application server from
Guardeonic Solutions AG.
The DB4Web team has already provided an update which is
available from
here.
Full Story (comments: none)
New vulnerabilities
Local privilege escalation vulnerability in XFree86
Package(s): xf86 xfree86
CVE #(s):
Created: September 18, 2002
Updated: October 27, 2002
Description:
XFree86 version 4.2.1 fixes a problem in Xlib that made it possible to
execute arbitrary code in privileged clients. Other libraries are
dynamically loaded by libX11.so as needed. When linking against a setuid
program, arbitrary code could be loaded and executed from a pathname
controlled by the user.
Alerts:
Comments (none posted)
Cross-site scripting vulnerability in Konqueror for KDE 3.0.3
Package(s): kdelibs
CVE #(s):
Created: September 17, 2002
Updated: November 18, 2002
Description:
Konqueror for KDE 3.0.3, and earlier versions, is subject to this
cross-site scripting vulnerability. Since the problem is in kdelibs, any
other application which uses the KHTML renderer is also vulnerable.
JavaScript code running in one frame can access other frames which should
be inaccessible. The problem is fixed in kdelibs 3.0.3a.
Alerts:
Comments (2 posted)
Buffer overflow vulnerabilities in purity
Package(s): purity
CVE #(s):
Created: September 17, 2002
Updated: September 25, 2002
Description:
It seems that the "purity" game isn't entirely pure itself - a couple of
buffer overflows have been found which could be exploited to gain access to
the "games" group on Debian systems. Rather than face the prospect of
people tampering with their nethack scores, the Debian Project released the
first upgrade closing the vulnerability.
Alerts:
Comments (none posted)
Updated vulnerabilities
LPRng accepts jobs from any host.
Package(s): LPRng
CVE #(s): CAN-2002-0378
Created: June 12, 2002
Updated: October 31, 2002
Description:
Matthew Caron pointed out that LPRng's default configuration accepts job
submissions from any host. This could be an especially annoying
vulnerability for administrators with systems exposed to the general public.
Alerts:
Comments (none posted)
OpenSSL remotely-exploitable buffer overflow vulnerabilities
Package(s): OpenSSL
CVE #(s): CAN-2002-0655, CAN-2002-0656, CAN-2002-0657, CAN-2002-0659
Created: July 30, 2002
Updated: September 24, 2002
Description:
Four remotely-exploitable buffer overflows were found in OpenSSL versions
0.9.7 and 0.9.6d and earlier by a DARPA-sponsored security audit. Both
client and server applications are affected. The vulnerabilities are
described in this security alert from the OpenSSL team.
A nasty exploit for one of the vulnerabilities is described in CERT
Advisory CA-2002-27 Apache/mod_ssl Worm.
Compromise by the Apache/mod_ssl worm indicates that a remote attacker
can execute arbitrary code as the apache user on the victim system. It
may be possible for an attacker to subsequently leverage a local
privilege escalation exploit in order to gain root access to the
victim system. Furthermore, the DDoS capabilities included in the
Apache/mod_ssl worm allow victim systems to be used as platforms to
attack other systems.
If you haven't already, applying an update is a very good thing to do
today.
Mitel Networks has an update available which closes this vulnerability
for their SME Server software.
CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL
Alerts:
Comments (none posted)
Safemode vulnerability in PHP
Package(s): PHP
CVE #(s): CAN-2001-1246
Created: August 20, 2002
Updated: October 9, 2002
Description:
PHP versions 4.0.5 through 4.1.0 fail to properly cleanse a parameter to
the mail() function, allowing arbitrary command execution by local and
(possibly) remote attackers.
Alerts:
Comments (none posted)
Buffer overflow vulnerabilities in PostgreSQL
Package(s): PostgreSQL
CVE #(s):
Created: August 21, 2002
Updated: January 27, 2003
Description:
PostgreSQL 7.2.2 has been released in response to a number of buffer
overrun vulnerabilities which have been identified recently. "...it
should be noted that these vulnerabilities are only critical on 'open' or
'shared' systems, as they require the ability to be able to connect to the
database before they can be exploited."
Buffer overflow vulnerabilities fixed include those reported by
"Sir Mordred The Traitor" in the cash_words, repeat, lpad and rpad
functions.
Alerts:
Comments (none posted)
Denial of service vulnerability in amavis
Package(s): amavis
CVE #(s):
Created: September 11, 2002
Updated: September 11, 2002
Description:
AMaViS is vulnerable to a denial of service attack via maliciously crafted
input. Patches exist for AMaViS, but the recommended solution is to upgrade
to the (actively developed) amavis-perl tool. See this advisory for details.
Alerts:
Comments (none posted)
Heap corruption vulnerability in at
Package(s): at at, sudo, xchat
CVE #(s): CAN-2002-0004
Created: May 21, 2002
Updated: May 15, 2003
Description:
The at command has a potentially exploitable heap corruption bug.
(First LWN report: January 17th).
Alerts:
Comments (none posted)
bind buffer overflow vulnerability in DNS resolver libraries
Package(s): bind glibc
CVE #(s): CAN-2002-0651, CAN-2002-0684
Created: July 8, 2002
Updated: October 1, 2003
Description:
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc-related vulnerability which does not affect
Linux. Updates from the Internet Software Consortium (ISC) are available
from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunately, that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX
functions. These functions are described in the SuSE alert as "used by
very few applications only, such as ifconfig and ifuser, which makes
exploits less likely."
CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver
Libraries
CAN-2002-0651
CAN-2002-0684
Alerts:
Comments (1 posted)
Input validation vulnerability in cacti
Package(s): cacti
CVE #(s):
Created: September 11, 2002
Updated: September 11, 2002
Description:
Cacti is a PHP front end to rrdtool; it assists in the creation of plots
from a MySQL database. This tool does not properly validate all input,
leading to a remote code execution vulnerability in certain, limited
conditions. See this Bugtraq posting for details.
Alerts:
Comments (none posted)
Potential unauthorized root access vulnerability in dietlibc
Package(s): dietlibc
CVE #(s): CAN-2002-0391
Created: August 14, 2002
Updated: December 5, 2002
Description:
Felix von Leitner discovered a potential division by zero bug in code
derived from the SunRPC library which is used in dietlibc, a libc
optimized for small size. The bug could be exploited to gain unauthorized
root access to software linking to dietlibc.
CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array()
function when deserializing the XDR stream
Alerts:
Comments (none posted)
Ethereal 0.9.6 fixes potential remote code execution vulnerability
Package(s): ethereal
CVE #(s): CAN-2002-0834, CAN-2002-0821, CAN-2002-0822
Created: September 4, 2002
Updated: September 11, 2002
Description:
Ethereal 0.9.6 was released on August 20, 2002 fixing a serious buffer
overflow vulnerability in the ISIS protocol dissector in Ethereal 0.9.5
and earlier versions.
It may be possible to make Ethereal crash or hang by injecting a
purposefully malformed packet onto the wire, or by convincing someone to
read a malformed packet trace file. It may be possible to make Ethereal
run arbitrary code by exploiting the buffer and pointer problems.
Ethereal 0.9.4 has multiple buffer overflow and other vulnerabilities
that are best dealt with by upgrading to 0.9.6. These vulnerabilities
may allow remote attackers to cause a denial of service or execute
arbitrary code. Updating now, rather than later, is recommended.
Alerts:
Comments (none posted)
Ethereal buffer overflow, infinite loop and memory management vulnerabilities
Package(s): ethereal
CVE #(s): CAN-2002-0012, CAN-2002-0013, CAN-2002-0353, CAN-2002-0401, CAN-2002-0402, CAN-2002-0403, CAN-2002-0404
Created: June 12, 2002
Updated: October 27, 2002
Description:
Ethereal 0.9.4 was released on May 19, 2002 fixing four potential
security issues in Ethereal 0.9.3:
- The SMB dissector could potentially dereference a NULL pointer in two cases.
- The X11 dissector could potentially overflow a buffer while parsing keysyms.
- The DNS dissector could go into an infinite loop while reading a malformed packet.
- The GIOP dissector could potentially allocate large amounts of memory.
No known exploits exist "in the wild" at the present time for any of these issues.
Ethereal 0.9.2 has several packet handling vulnerabilities that are best
avoided by upgrading to 0.9.4. The PROTOS test suite found some flaws in
SNMP and LDAP protocol support. Malformed packets could also crash
ethereal 0.9.2 due to an ASN.1 zero-length g_malloc problem. The zlib
"double free" vulnerability was addressed by the updates for that bug from
many distributors.
Alerts:
Comments (none posted)
Filename disclosure vulnerability in fam
Package(s): fam
CVE #(s): CAN-2002-0875
Created: August 19, 2002
Updated: January 5, 2005
Description:
"fam" (file alteration monitor) watches files and directories for changes
and lets interested applications know when something happens. This package
has a flaw in its group handling that blocks some legitimate operations
while, at the same time, exposing the names of files that should otherwise
be invisible.
Alerts:
Comments (none posted)
GNU fileutils race condition
Package(s): fileutils ucdsnmp
CVE #(s): CAN-2002-0435
Created: May 21, 2002
Updated: May 16, 2003
Description:
A race condition in rm may cause the root user to delete the whole
filesystem. The problem exists in the version of rm in fileutils 4.1
stable and the 4.1.6 development version. A patch is available.
(First LWN report: May 2).
Alerts:
Comments (none posted)
Buffer overflow vulnerability in the Jabber plug-in module for gaim
Package(s): gaim
CVE #(s): CAN-2002-0384, CAN-2002-0377
Created: August 14, 2002
Updated: September 11, 2002
Description:
gaim versions prior to 0.58 contained a buffer overflow in the Jabber
plug-in module. The problem is fixed in gaim 0.59 which is available here.
"Gaim is an instant messaging client written in GTK and is based on the
published TOC messaging protocol from AOL."
Alerts:
Comments (none posted)
Potential remote root exploit in glibc
Package(s): glibc
CVE #(s): CAN-2002-0391
Created: August 14, 2002
Updated: June 29, 2003
Description:
Felix von Leitner discovered a potential division by zero bug in code
derived from the SunRPC library which is used in glibc. This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in
a variety of applications, this defect may lead to a number of differing
security problems. Exploiting this vulnerability will lead to denial of
service, execution of arbitrary code, or the disclosure of sensitive
information.
CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array()
function when deserializing the XDR stream
Alerts:
Comments (none posted)
Buffer overflow in groff
Package(s): groff
CVE #(s): CAN-2002-0003
Created: May 21, 2002
Updated: December 9, 2002
Description:
The groff package has a buffer overflow vulnerability; if it is used with
the print system, it is conceivably exploitable remotely.
Alerts:
Comments (none posted)
HylaFAX 4.1.3 fixes multiple vulnerabilities
Package(s): hylafax
CVE #(s): CAN-2001-1034
Created: July 30, 2002
Updated: October 9, 2002
Description:
The HylaFAX team has released version 4.1.3 fixing denial of service,
elevated system privilege and possible remote code execution
vulnerabilities.
HylaFAX is a mature (est. 1991) enterprise-class open-source software
package for sending and receiving facsimiles as well as for sending
alpha-numeric pages. It runs on a wide variety of UNIX-like platforms
including Linux, BSD (including Mac OS X), SunOS and Solaris, SCO, IRIX,
AIX, and HP-UX.
Alerts:
Comments (none posted)
UW imapd remotely exploitable buffer overflow
Package(s): imap
CVE #(s): CAN-2002-0379
Created: June 5, 2002
Updated: December 20, 2002
Description:
UW imapd versions 2000c and prior allow remote authenticated users to
execute code via a buffer overflow. A malicious user can craft a request
to run commands on the server under their UID and GID.
(First LWN report: May 23).
Alerts:
Comments (2 posted)
KDE 3.0.3 fixes X.509 certificate check vulnerability
Package(s): kde
CVE #(s):
Created: September 4, 2002
Updated: September 11, 2002
Description:
The SSL implementation used by previous versions of KDE accepted, without
alerting the user, any X.509 certificate signed by any entity under
specific conditions. This bug allows "for undetected MITM attacks ("man
in the middle"), which could compromise an encrypted HTTPS session."
Alerts:
Comments (none posted)
Kerberos 5 unauthorized root access to KDC host vulnerability
Package(s): krb5
CVE #(s):
Created: August 14, 2002
Updated: October 29, 2002
Description:
A bug in the Kerberos 5 remote administration service, "kadmind", could
be exploited to gain unauthorized root access to a KDC host. It is
believed that the attacker needs to be able to authenticate to the kadmin
daemon for this attack to be successful.
Felix von Leitner discovered this potential division by zero bug in code
derived from the SunRPC library which is used in many places, including
the Kerberos 5 administration system. Updating now is recommended.
CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array()
function when deserializing the XDR stream
Alerts:
Comments (none posted)
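The dietlibc, glibc and Kerberos 5 entries above all cite the same CERT note on xdr_array(). As an added example that is none of those projects' code, the following C shows the size arithmetic an XDR array decoder performs on the length word it reads from the stream, first as it silently wraps and then with the bound and overflow checks that make such a count get rejected. xdr_read_u32(), xdr_array_bytes_unchecked(), xdr_array_bytes_checked() and xdr_array_header() are assumed names, the maxcount limit is the caller's policy, and the byte stream in main() is constructed.

```c
/* Added example, not glibc's, dietlibc's or MIT Kerberos' code.  Function
 * names and the maxcount policy are assumptions for the illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* XDR carries an array length as a 4-byte big-endian unsigned integer; the
 * decoder reads it and allocates count * elsize bytes for the elements. */
uint32_t xdr_read_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The arithmetic as it goes wrong: in 32-bit unsigned math the product wraps,
 * so a count of 0x40000001 with 4-byte elements yields a 4-byte allocation
 * that the decoder then overruns while filling in a billion elements. */
uint32_t xdr_array_bytes_unchecked(uint32_t count, uint32_t elsize)
{
    return count * elsize;
}

/* The same arithmetic with the guards a decoder needs: a caller-supplied
 * upper bound on the element count and an overflow test on the product.
 * Returns 1 and stores the size on success, 0 if the array must be rejected. */
int xdr_array_bytes_checked(uint32_t count, uint32_t elsize, uint32_t maxcount,
                            uint32_t *bytes)
{
    if (count > maxcount)
        return 0;
    if (elsize != 0 && count > UINT32_MAX / elsize)
        return 0;                        /* count * elsize would wrap */
    *bytes = count * elsize;
    return 1;
}

/* Decode the length word at the head of an XDR array and size its storage.
 * Returns 1 with the byte count to allocate, or 0 if the stream is too short
 * or the count is unacceptable. */
int xdr_array_header(const unsigned char *buf, size_t len, uint32_t elsize,
                     uint32_t maxcount, uint32_t *bytes)
{
    if (len < 4)
        return 0;
    return xdr_array_bytes_checked(xdr_read_u32(buf), elsize, maxcount, bytes);
}

int main(void)
{
    /* Constructed stream: length word 0x40000001 followed by two filler bytes. */
    const unsigned char stream[] = { 0x40, 0x00, 0x00, 0x01, 0xde, 0xad };
    uint32_t bytes;
    printf("unchecked size: %u bytes\n",
           (unsigned)xdr_array_bytes_unchecked(xdr_read_u32(stream), 4));
    printf("checked decode: %s\n",
           xdr_array_header(stream, sizeof stream, 4, 1u << 16, &bytes)
               ? "accepted" : "rejected");
    return 0;
}
```

The count bound matters as much as the overflow test: a product that does not wrap can still be far larger than the remaining stream, and a decoder that allocates it first and reads afterwards is an easy denial of service.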
Cross-site scripting vulnerability in mhonarc
Package(s): mhonarc
CVE #(s): CAN-2002-0738, CAN-2002-1307, CAN-2002-1388
Created: September 11, 2002
Updated: January 3, 2003
Description:
Mhonarc is an HTML formatter for electronic mail; it can be vulnerable to
cross-site scripting problems when presented with maliciously crafted
messages. This problem is fixed in mhonarc version 2.5.3, but it is not
clear that all possible vulnerabilities have been fixed. See the Debian
advisory below for information on how to disable text/html attachment
support in mhonarc, which may be a more secure solution.
Alerts:
Comments (none posted)
PHP Remote Compromise/DOS Vulnerability
Package(s): mod_php4
CVE #(s):
Created: July 22, 2002
Updated: February 18, 2003
Description:
PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which
can lead to the corruption of memory, and the usual bad consequences.
According to this alert, the vulnerability can only be used for denial of
service on x86 systems - there is no way to get it to run exploit code.
SPARC/Solaris systems are apparently vulnerable to full remote compromise.
According to the CERT Advisory, almost every Linux distributor, it seems,
ships older (and thus not vulnerable) versions of PHP.
Note that, sometimes, systems thought to be safe from remote compromise
turn out to be vulnerable to a modified attack, so x86 users should not
relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1
installed, is to upgrade to PHP 4.2.2.
For more information see the alert from the discoverer of the
vulnerability, Stefan Esser of e-matters GmbH, or the security advisory
from the PHP team.
CERT Advisory: CA-2002-21 Vulnerability in PHP
Alerts:
Comments (1 posted)
Mozilla XMLHttpRequest file disclosure vulnerability
Package(s): mozilla
CVE #(s): CAN-2002-0354
Created: May 21, 2002
Updated: October 18, 2002
Description:
This XMLHttpRequest security bug impacts all Mozilla-based browsers. "The
bug is found in versions of Mozilla from 0.9.7 to 0.9.9 on various
operating system platforms, and in Netscape versions 6.1 and higher."
(First LWN report: May 2).
Alerts:
Comments (none posted)
String format bug in pam_ldap logging
Package(s): nss_ldap
CVE #(s): CAN-2002-0374
Created: June 5, 2002
Updated: October 29, 2002
Description:
The nss_ldap package includes the pam_ldap module for authenticating a
user with an LDAP database. Pam_ldap versions prior to 144 have a string
format bug in the logging mechanism.
Alerts:
Comments (none posted)
Remotely exploitable vulnerability in pine
Package(s): pine
CVE #(s): CAN-2002-0014
Created: May 21, 2002
Updated: November 27, 2002
Description:
Pine has an unpleasant vulnerability in URL handling which can lead to
command execution by remote attackers. (First LWN report: January 17th).
This vulnerability is remotely exploitable; updating is a good idea.
Note: If an update isn't yet available for your distribution, setting
enable-msg-view-urls to "off" in pine's setup will avoid the
vulnerability. (Thanks to Greg Herlein).
Alerts:
Comments (none posted)
PXE server denial of service vulnerability
Package(s): pxe
CVE #(s): CAN-2002-0835
Created: September 4, 2002
Updated: November 11, 2002
Description:
The PXE server can be crashed using DHCP packets from some Voice Over IP
(VOIP) phones. Maliciously formed DHCP packets could be used by a remote
attacker to effect a denial of service attack.
The PXE package contains the PXE (Preboot eXecution Environment) server
and code needed for Linux to boot from a boot disk image on a Linux PXE
server.
Alerts:
Comments (none posted)
Local arbitrary code execution vulnerability in Python
Package(s): python
CVE #(s): CAN-2002-1119
Created: August 28, 2002
Updated: October 1, 2003
Description:
Zack Weinberg discovered that os._execvpe from os.py uses a predictable
name which could lead to execution of arbitrary code. According to the
Debian advisory, the problem was present in Python versions 1.5, 2.1 and
2.2.
CAN-2002-1119
Alerts:
Comments (none posted)
Sharutils potential privilege escalation using uudecode
Package(s): sharutils
CVE #(s): CAN-2002-0178
Created: May 21, 2002
Updated: October 30, 2002
Description:
According to the CVE entry, "uudecode, as available in the sharutils
package before 4.2.1, does not check whether the filename of the uudecoded
file is a pipe or symbolic link, which could allow attackers to overwrite
files or execute commands."
(First LWN report: May 16).
Alerts:
Comments (none posted)
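The xbreaky report earlier in this issue and the uudecode entry above come down to the same mistake: writing to a file name without checking what is already sitting at that name. As an added example, not sharutils' or xbreaky's code, here is a C routine that creates its output file with O_NOFOLLOW and then verifies, on the descriptor it actually holds, that the result is a regular file, followed by a self-check that plants a symlink in a private temporary directory and confirms the link is refused and its target left untouched. create_output_safely() and demo_symlink_refused() are assumed names; the directory and file names are constructed for the demonstration.

```c
/* Added example, not sharutils' or xbreaky's code.  Function names are
 * assumptions; the temporary directory and file names are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` for writing without trusting whatever is already there.
 * O_NOFOLLOW makes open() fail with ELOOP when the final component is a
 * symbolic link; O_NONBLOCK keeps a planted FIFO from hanging us; and the
 * fstat() on the descriptor we hold (not a separate stat() on the name, which
 * would reopen the race) confirms a regular file before we truncate it.
 * Returns the descriptor, or -1 with errno set. */
int create_output_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_NONBLOCK, 0644);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EEXIST;             /* something other than a plain file is in the way */
        return -1;
    }
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0 || fcntl(fd, F_SETFL, flags & ~O_NONBLOCK) < 0 ||
        ftruncate(fd, 0) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check: in a private temporary directory, plant a symlink named
 * "scores" pointing at a file that must survive, then confirm the safe open
 * refuses the link, leaves the target intact, and still works on the target
 * when it is addressed directly.  Returns 1 if all of that held. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/safeopen.XXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char victim[512], lnk[512];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/scores", dir);
    int ok = 0;
    FILE *f = fopen(victim, "w");
    if (f) {
        fputs("keep me\n", f);      /* 8 bytes that must still be there afterwards */
        fclose(f);
        if (symlink(victim, lnk) == 0) {
            struct stat st;
            int fd = create_output_safely(lnk);
            ok = fd < 0 && errno == ELOOP &&
                 stat(victim, &st) == 0 && st.st_size == 8;
            if (fd >= 0)
                close(fd);
            if (ok) {               /* the plain file itself is acceptable */
                fd = create_output_safely(victim);
                ok = fd >= 0 && write(fd, "new\n", 4) == 4;
                if (fd >= 0)
                    close(fd);
            }
            unlink(lnk);
        }
        unlink(victim);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink refused, target untouched: %s\n",
           demo_symlink_refused() ? "yes" : "no");
    return 0;
}
```

For a setuid program such as a game writing its score file, this check belongs alongside dropping privileges before the open; the fstat() on the descriptor is what keeps the check valid even if the path is swapped between two calls.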
Multiple vulnerabilities fixed in Squid-2.4.STABLE7
Package(s): squid
CVE #(s):
Created: July 8, 2002
Updated: November 15, 2002
Description:
Here is the security advisory for the Squid proxy server reporting several
vulnerabilities in versions up to and including 2.4.STABLE7. Several of
the bugs are believed to allow remote code execution. The security
advisory lists the following changes:
- Several bugfixes and cleanup of the Gopher client, both
to correct some security issues and to make Squid properly
render certain Gopher menus.
- Security fixes in how Squid parses FTP directory listings into
HTML
- FTP data channels are now sanity checked to match the address
of the requested FTP server. This is to prevent theft or injection
of data. See the new ftp_sanitycheck directive if this sanity
check is not desired.
- The MSNT auth helper has been updated to v2.0.3+fixes for
buffer overflow security issues found in this helper.
- A security issue in how Squid forwards proxy authentication
credentials has been fixed
Alerts:
Comments (none posted)
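The FTP data-channel item in the list above is worth seeing spelled out. As an added example, not Squid's code, the following C parses a PASV reply and accepts the data connection only when the address it advertises is the server already on the control connection, which is the check the advisory's ftp_sanitycheck item describes. parse_pasv_reply() and pasv_target_ok() are assumed names; the replies in main() are constructed samples using documentation address ranges.

```c
/* Added example, not Squid's code.  parse_pasv_reply() and pasv_target_ok()
 * are assumed names; the replies in main() are constructed samples. */
#include <stdio.h>
#include <string.h>

/* Parse a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply into a
 * dotted-quad address and a port.  Returns 1 on success, 0 if the reply is
 * not a 227 or the six numbers are missing or out of range. */
int parse_pasv_reply(const char *reply, char *addr, size_t addrlen,
                     unsigned *port)
{
    unsigned h[4], p[2];
    const char *open = strchr(reply, '(');
    if (strncmp(reply, "227", 3) != 0 || open == NULL)
        return 0;
    if (sscanf(open, "(%u,%u,%u,%u,%u,%u)",
               &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) != 6)
        return 0;
    for (int i = 0; i < 4; i++)
        if (h[i] > 255)
            return 0;
    if (p[0] > 255 || p[1] > 255)
        return 0;
    int n = snprintf(addr, addrlen, "%u.%u.%u.%u", h[0], h[1], h[2], h[3]);
    if (n < 0 || (size_t)n >= addrlen)
        return 0;
    *port = p[0] * 256 + p[1];
    return 1;
}

/* The sanity check itself: open the data connection only if the advertised
 * address is the server the control connection already talks to.  A reply
 * pointing anywhere else (another host, an internal address, a third party)
 * is refused, which is what stops the theft or injection of data the
 * advisory describes. */
int pasv_target_ok(const char *control_server_ip, const char *reply,
                   unsigned *port)
{
    char addr[16];                   /* "255.255.255.255" plus NUL */
    if (!parse_pasv_reply(reply, addr, sizeof addr, port))
        return 0;
    return strcmp(addr, control_server_ip) == 0;
}

int main(void)
{
    /* Constructed samples: control connection to 192.0.2.10, one honest
     * reply and one that tries to point the data channel elsewhere. */
    const char *server = "192.0.2.10";
    const char *replies[] = {
        "227 Entering Passive Mode (192,0,2,10,4,1)",
        "227 Entering Passive Mode (198,51,100,7,4,1)",
    };
    for (int i = 0; i < 2; i++) {
        unsigned port = 0;
        printf("%-45s -> %s (port %u)\n", replies[i],
               pasv_target_ok(server, replies[i], &port) ? "accept" : "refuse",
               port);
    }
    return 0;
}
```

A proxy that still wants to follow a mismatched reply for some legacy server should do so only by an explicit configuration switch, as Squid's ftp_sanitycheck directive does, never by default.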
Tcl/Tk local root vulnerability
Package(s): tcltk expect
CVE #(s): CAN-2001-1374, CAN-2001-1375
Created: August 14, 2002
Updated: September 24, 2002
Description:
Tcl/Tk searches for its libraries in the current working directory before
other directories. A local user could execute arbitrary code by inserting
a Trojan horse library in the current working directory.
Versions of the expect application prior to 5.32 search for their
libraries in /var/tmp before searching in other directories. A local user
could gain root privileges by inserting a Trojan horse library in /var/tmp
and then getting the root user to run mkpasswd.
Alerts:
Comments (none posted)
Malformed NFS packet buffer overflow vulnerability in tcpdump
Package(s): tcpdump
CVE #(s): CAN-2002-0380
Created: June 5, 2002
Updated: October 9, 2002
Description: A buffer overflow in tcpdump can be triggered by a bad NFS packet when tracing the network. Unmodified tcpdump versions 3.6.2 and earlier are vulnerable.
Comments (none posted)
Multiple vendor telnetd vulnerability
Package(s): telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5
CVE #(s): (none)
Created: May 21, 2002
Updated: October 5, 2004
Description: This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Comments (none posted)
Multiple vulnerabilities in SNMP implementations
Package(s): ucdsnmp ucd-snmp
CVE #(s): CAN-2002-0012, CAN-2002-0013
Created: May 21, 2002
Updated: September 17, 2002
Description: Most SNMP implementations out there have a variety of buffer overflow vulnerabilities and should be upgraded at first opportunity. See this CERT advisory for more. (First LWN report: February 14.)
Comments (none posted)
Local root vulnerability in chfn
Package(s): util-linux
CVE #(s): CAN-2002-0638
Created: July 29, 2002
Updated: October 30, 2002
Description: chfn (change finger information) is one of the utilities in the util-linux package. The BindView RAZOR Team has discovered a local root vulnerability in chfn which is described in the BindView advisory. Under certain conditions, "a carefully crafted attack sequence can be performed to exploit a complex file locking and modification race present in this utility, and, as a result, alter /etc/passwd to escalate privileges in the system." The conditions include a password file, /etc/passwd, over 4 kilobytes and locating the attacker's account record in any but the last 4 kB chunk of the file.
CERT/CC Vulnerability Note VU#405955: util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility.
Comments (none posted)
webalizer: reverse DNS buffer overflow vulnerability
Package(s): webalizer
CVE #(s): (none)
Created: May 21, 2002
Updated: January 27, 2003
Description: The cause is a buffer overflow bug. This one sounds nasty. If reverse DNS lookups are enabled in webalizer, "an attacker with control over the victim's DNS may spoof responses thus triggering a buffer overflow, potentially leading to a root compromise." Webalizer 2.01-10 "fixes this and a few other buglets that have been discovered in the last month or so". (First LWN report: April 18th, 2002.)
Comments (none posted)
Webmin/Usermin vulnerabilities
Package(s): webmin
CVE #(s): (none)
Created: May 21, 2002
Updated: January 10, 2003
Description: Webmin is a web-based interface for system administration for Unix. Webmin has cross-site scripting and session ID spoofing vulnerabilities which are fixed in the May 6, 2002 release of version 0.970. (First LWN report: May 9.) This one is scary. The session ID spoofing vulnerability allows the "possibility that arbitrary commands may be executed with root privileges." Upgrading is strongly recommended. At a minimum, avoid the "preconditions for a successful exploit" by disabling password timeouts under Webmin->Configuration->Authentication.
Comments (1 posted)
Multiple vulnerabilities in wordtrans
Package(s): wordtrans
CVE #(s): CAN-2002-0837
Created: September 11, 2002
Updated: February 4, 2003
Description: The "wordtrans" interface to multilingual dictionaries suffers from input validation and cross-site scripting vulnerabilities; versions through 1.1pre8 are vulnerable. See this Guardent advisory for details.
Comments (none posted)
Problems with libgtop_daemon
Package(s): wuftpd libgtop
CVE #(s): (none)
Created: May 21, 2002
Updated: May 7, 2003
Description: The libgtop_daemon package is a GNOME program which makes system information available remotely. LWN reported the remotely exploitable format string and buffer overflow vulnerabilities in that package on December 6th. On November 28th disabling the libgtop_daemon on systems where it is running until an update is available. Many Linux systems do not run libgtop by default, but applying the update is a good idea anyway.
Comments (1 posted)
Wwwoffle remote privilege escalation vulnerability
Package(s): wwwoffle
CVE #(s): CAN-2002-0818
Created: August 14, 2002
Updated: October 1, 2003
Description: The wwwoffle web proxy incorrectly processes HTTP PUT and POST requests with negative Content-Length values. "It is believed that an attacker could exploit this bug to gain remote wwwrun access to the system wwwoffled is running on." CAN-2002-0818
Comments (none posted)
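The advisory above says only that negative Content-Length values are mishandled, not how. As an added example (not wwwoffle code), this is the kind of header validation a proxy or server can apply before it trusts the announced length: a sign is never accepted, overflow and trailing junk are rejected, and the value is capped at the size of the buffer that will receive the body. The function names and the bounded-copy helper are constructed for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Parse an HTTP Content-Length header value into a length that can be
 * trusted: digits only, no sign, optional surrounding blanks, no
 * trailing junk, no overflow, and not above max_allowed.  Returns the
 * length, or -1 on any violation.  (Added example; not wwwoffle code.) */
long parse_content_length(const char *value, long max_allowed)
{
    if (value == NULL || max_allowed < 0) return -1;
    while (*value == ' ' || *value == '\t') value++;
    /* Requiring a leading digit is what rejects "-1", "+5" and "". */
    if (!isdigit((unsigned char)*value)) return -1;
    errno = 0;
    char *end;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno == ERANGE) return -1;               /* absurdly long digit string */
    while (*end == ' ' || *end == '\t') end++;
    if (*end != '\0') return -1;                  /* "12abc"; CRLF is stripped by the caller */
    if (n > (unsigned long long)max_allowed) return -1;
    return (long)n;
}

/* Copy a request body of the announced length into a fixed buffer.
 * Returns the number of bytes copied, or -1 when the announced length
 * is invalid, exceeds the buffer, or exceeds the bytes actually received. */
long copy_body(const char *content_length, const char *received,
               size_t received_len, char *out, size_t out_cap)
{
    long n = parse_content_length(content_length, (long)out_cap);
    if (n < 0 || (size_t)n > received_len) return -1;
    memcpy(out, received, (size_t)n);
    return n;
}

/* Convenience wrapper over a constructed 11-byte body and a 16-byte
 * buffer, so the behaviour can be checked per header value. */
long demo_copy(const char *content_length)
{
    char out[16];
    return copy_body(content_length, "hello world", 11, out, sizeof out);
}
```

Because the length is validated against the destination size before any copy, a value that is negative, huge, or merely larger than the data on the wire never reaches memcpy.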
xchat IRC server based dns query vulnerability
Package(s): xchat
CVE #(s): CAN-2002-0382
Created: June 5, 2002
Updated: September 24, 2002
Description: A malicious IRC server may return a response to a /dns query that executes arbitrary commands with the privileges of the user running XChat. Versions of XChat prior to 1.8.9 are vulnerable.
Comments (none posted)
Denial of service vulnerability in xinetd
Package(s): xinetd
CVE #(s): (none)
Created: August 14, 2002
Updated: December 3, 2002
Description: A file descriptor leak into services started from xinetd may be used, by programs it starts, to crash xinetd. Xinetd is a replacement for the BSD-derived inetd.
Comments (none posted)
Resources
Linux Security Week and Advisory Watch
The September 16th Linux Security Week and September 13th Linux Advisory Watch newsletters from LinuxSecurity.com are available.
Comments (none posted)
chkrootkit 0.37 is now available
Klaus Steding-Jessen announces the release of chkrootkit version 0.37. chkrootkit is a tool to locally check for signs of a rootkit. Well worth a look, especially if you aren't familiar with this useful tool.
Full Story (comments: none)
Four final computer security guidelines available from NIST
The US National Institute of Standards and Technology (NIST) announces the final publication of four computer security guidelines, available from here. The four NIST Special Publications are:
- Security for Telecommuting and Broadband Communications
- Security Guide for Interconnecting Information Technology Systems
- Procedures for Handling Security Patches
- Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
Full Story (comments: none)
Choosing passwords: random, mnemonic phrases and more
Folks at the Cambridge University Computer Laboratory have done a good study on different password selection approaches, which is summarized in two papers:
- The Memorability and Security of Passwords - Some Empirical Results, by Jianxin Yan, Alan Blackwell, Ross Anderson and Alasdair Grant (PDF format)
- A Note on Proactive Password Checking, by Jianxin Jeff Yan (PDF format)
Crispin Cowan also has some interesting comments on the conclusions reached by the study.
Comments (none posted)
Events
Final Speakers Announced for HiverCon 2002
HiverCon 2002 is scheduled for November 26th and 27th, 2002 in Dublin, Ireland. In total, ten speakers have been announced as confirmed to speak at HiverCon 2002. These industry-recognized names will be presenting papers on a myriad of information security topics, introducing new tools and research, as well as discussing newly highlighted security problems and solutions.
Full Story (comments: none)
Upcoming Security Events
| Date | Event | Location |
| September 19 - 20, 2002 | Security of Communications on the Internet 2002 (SECI'02) | Tunis, Tunisia |
| September 23 - 26, 2002 | New Security Paradigms Workshop 2002 | The Chamberlain Hotel, Hampton, Virginia, USA |
| September 23 - 25, 2002 | University of Idaho Workshop on Computer Forensics | University of Idaho, Moscow, Idaho, USA |
| September 27 - 29, 2002 | ToorCon 2002 | San Diego Concourse, San Diego, CA, USA |
| October 16 - 18, 2002 | Recent Advances in Intrusion Detection 2002 (RAID 2002) | Zurich, Switzerland |
| November 26 - 27, 2002 | HiverCon 2002 | Burlington Hotel, Dublin, Ireland |
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.
Comments (none posted)
Page editor: Dennis Tenney
Kernel development
Release status
Kernel release status
The current development kernel is 2.5.36, which was released by Linus on September 17. The big news was, of course, the merge of the XFS journaling filesystem. There's also the x86 "huge page" patch, an IEEE-1394 ("Firewire") update, a big USB update (converting the code to the new driver model scheme), an IDE update, and various other fixes. See the long-format changelog for the details.
Linus has had a busy week; 2.5.35 was released on September 15.
This (large) patch included, among other things, the merge of User-mode Linux, a large IDE
update, various memory management improvements, more threading
improvements, a bunch of NFS server patches and PPC64 and SPARC updates.
Again, the long-format changelog has the
details.
Linus's BitKeeper tree, which will become 2.5.37, has some block I/O work,
some RPC fixes, a bit of memory management work, and Linus's simple
solution to the get_pid() problem (see below).
The current 2.5 Status Summary from
Guillaume Boissere is dated September 17.
The current stable kernel is 2.4.19; Marcelo released 2.4.20-pre7 on September 12. Big MIPS and
IA-64 updates make up the bulk of the patch this time around, along with a
relatively small set of other fixes.
Alan Cox's current prepatch is 2.4.20-pre7-ac2. The IDE work continues; this
patch also contains a number of other, unrelated fixes.
The current ancient kernel is 2.2.22, which was released by Alan Cox on September 16. It
contains a few security fixes, so people still running 2.2 will probably
want to have a look at this update.
Comments (1 posted)
Kernel development news
A new way to sleep?
A quick look through the kernel source will turn up no end of examples of
code like:
while (some_condition)
interruptible_sleep_on(some_queue);
The idea, of course, is to put the process asleep until something of
interest has happened. The problem with this kind of code is that if the
condition changes (and the wakeup happens) between the two lines of
code above, the process will miss the wakeup and could sleep for far longer
than intended. Because of this inherent race condition, the elimination of
sleep_on() and its variants has been on the kernel hackers' todo
list for some time.
There is a macro (wait_event) which can be used to sleep safely,
but most code which includes race-free sleeps does so manually with the
following approximate steps:
- Create a wait queue entry (usually with DECLARE_WAITQUEUE).
- Change the process to a state (usually TASK_INTERRUPTIBLE)
which indicates that it is asleep - even though the process is still
running in kernel code.
- Add the current process to a wait queue which will be awakened when
the condition is met.
- Test the condition of interest; if no sleep is necessary, reset the
process state to TASK_RUNNING, remove the wait queue entry,
and get on with the job at hand.
- Otherwise call the scheduler to let some other process run until
somebody wakes the current process up.
- On wakeup, go back to the top and do it all again.
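The manual sequence just listed, and the racy sleep_on() pattern it replaces, modelled in user space as an added example (this is not kernel code). The model keeps the three pieces that matter: a task state, a wait queue whose wake_up() sets every queued task RUNNING, and a schedule() that sleeps only if the caller is still not RUNNING. A constructed maybe_fire() hook stands in for the waker running on another CPU at one chosen instant, so each interleaving can be replayed deterministically; the function names and step numbers are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Single-threaded model of the kernel sleep/wakeup protocol (added
 * example, not kernel code). */
enum task_state { TASK_RUNNING, TASK_INTERRUPTIBLE };
enum outcome    { WOKE_UP, STILL_ASLEEP };

struct task       { enum task_state state; struct task *next; };
struct wait_queue { struct task *head; };
struct event      { bool ready; struct wait_queue q; };   /* "the condition" */

static void add_wait_queue(struct wait_queue *q, struct task *t)
{ t->next = q->head; q->head = t; }

static void remove_wait_queue(struct wait_queue *q, struct task *t)
{
    struct task **pp = &q->head;
    while (*pp && *pp != t) pp = &(*pp)->next;
    if (*pp) *pp = t->next;
}

/* The waker: make the condition true, then wake_up() everyone queued.
 * A task that is not yet on the queue is simply not woken. */
static void fire_event(struct event *e)
{
    e->ready = true;
    for (struct task *t = e->q.head; t; t = t->next)
        t->state = TASK_RUNNING;
}

/* Constructed hook: the event happens at exactly one numbered point. */
static void maybe_fire(struct event *e, int step, int fire_at)
{ if (step == fire_at) fire_event(e); }

/* schedule(): a wakeup that already set us RUNNING shorts out the sleep. */
static enum outcome schedule(struct task *t)
{ return t->state == TASK_RUNNING ? WOKE_UP : STILL_ASLEEP; }

/* The pattern from the text: test the condition, then sleep_on(). */
static enum outcome racy_sleep(struct event *e, struct task *t, int fire_at)
{
    maybe_fire(e, 0, fire_at);
    if (e->ready) return WOKE_UP;           /* nothing to wait for */
    maybe_fire(e, 1, fire_at);              /* the window: tested, not yet queued */
    add_wait_queue(&e->q, t);               /* interruptible_sleep_on() starts here */
    t->state = TASK_INTERRUPTIBLE;
    maybe_fire(e, 2, fire_at);
    enum outcome r = schedule(t);
    remove_wait_queue(&e->q, t);
    t->state = TASK_RUNNING;
    return r;
}

/* The manual sequence: queue and mark asleep first, test second, and
 * only then schedule(). */
static enum outcome safe_sleep(struct event *e, struct task *t, int fire_at)
{
    maybe_fire(e, 0, fire_at);
    add_wait_queue(&e->q, t);
    t->state = TASK_INTERRUPTIBLE;
    maybe_fire(e, 1, fire_at);              /* a wakeup now finds us queued */
    enum outcome r;
    if (e->ready) {
        r = WOKE_UP;                        /* condition already true: skip the sleep */
    } else {
        maybe_fire(e, 2, fire_at);          /* wake_up() sets us RUNNING */
        r = schedule(t);
    }
    remove_wait_queue(&e->q, t);
    t->state = TASK_RUNNING;
    return r;
}

/* Run one pattern on a fresh event and task.  A wakeup is "lost" when
 * the event did happen and yet the task is still asleep. */
bool wakeup_lost(bool race_free, int fire_at)
{
    struct event e = { false, { NULL } };
    struct task t = { TASK_RUNNING, NULL };
    enum outcome r = race_free ? safe_sleep(&e, &t, fire_at)
                               : racy_sleep(&e, &t, fire_at);
    return e.ready && r == STILL_ASLEEP;
}

int main(void)
{
    for (int step = 0; step <= 2; step++)
        printf("event at step %d: sleep_on() %s, manual sequence %s\n", step,
               wakeup_lost(false, step) ? "LOSES the wakeup" : "ok",
               wakeup_lost(true, step)  ? "LOSES the wakeup" : "ok");
    return 0;
}
```

Only the sleep_on() pattern with the event at step 1 loses the wakeup: the condition became true after the test but before the task was queued, so wake_up() found nobody to wake. The manual sequence is safe at every step because the task is on the queue, with its state already changed, before it looks at the condition.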
This sequence works because a wakeup will reset the task state to
TASK_RUNNING; this "shorts out" the sleep should the process test
its condition at the wrong tim