LWN.net Weekly Edition for August 12, 2004

The value of middlemen

Creators of Linux distributions perform a number of useful functions. They go out and find useful free software for their users. They put together a nice packaging system so that all that free software can be managed without going nuts. They ensure that the programs all fit together in a coherent design of the system as a whole. They create nice CD images for the distribution of their work, and installer programs so that all that software can be loaded onto your systems. Distributors run online repositories, create security updates, and, sometimes, even answer questions from users who are having difficulties.

Users may not fully appreciate another role filled by Linux distributors, however: they serve as middlemen between the producers and consumers of free software. This work goes beyond packaging programs and feeding back bug reports; Linux distributors also serve as crucial advocates for their users. When developers fail to act in the interest of the people using their software, the distributors can come in with their advocacy and patching skills to improve the situation.

A good example of how this process works was brought to light via a long and unpleasant linux-kernel discussion involving Jörg Schilling, the maintainer of the much-used cdrecord program. For the curious, the thread starts with this message. There are several issues discussed, but much of it comes down to some fundamental disagreements between Mr. Schilling and the Linux distributors on how cdrecord should work.

For example: in the 2.6 kernel the preferred way of performing raw SCSI operations on a device (which is how CD burning is done) is to simply open the device directly and issue the right ioctl() calls. So, if your drive is /dev/hdc (or, better, /dev/cdwriter), you run cdrecord with dev=/dev/cdwriter and be done with it. Mr. Schilling swears that the only proper way to specify the output device is via SCSI bus, target, and unit numbers - despite the fact that most of these devices do not sit on a SCSI bus and have no such numbers. And despite the fact that figuring out that, say, dev=0,2,0 is the right magic sequence to type is not something many users want to do. So cdrecord issues a set of scary warnings when the "open by device" mode is used, despite the fact that it is the best way to do things.

Another example: some users have a strange idea that they might actually like to write DVDs on their DVD-capable drives. The official version of cdrecord has no such capability, and Mr. Schilling has refused to add it. Some of the more cynical observers have noted that the fact that Mr. Schilling offers a proprietary version of cdrecord with DVD support may have something to do with this refusal.

Users of cdrecord could try to address these issues directly with its author. Experience has shown, however, that this can be an unpleasant and unrewarding process.

This is where the distributors step in. A quick check in the latest Fedora source RPM for cdrtools shows a good dozen patches; these vary from small documentation tweaks through to DVD support and the removal of unnecessary, scary warnings. Other distributors have done similar things. The end result is that users get a version of cdrecord which works as they would expect, while the distributors take the heat (and there is some heat) for the changes that they make.

Mr. Schilling has given us a true gift: the cdrecord program embodies a great deal of knowledge of just what is required to make a wide variety of CD writers work on numerous operating systems. We get to make use of that knowledge because Mr. Schilling has released his work under the GPL. Before criticizing him too much, it is good to reflect on the value of that gift. But this is also a good place to appreciate the extra value added by the Linux distributors. Sometimes a middleman is just what is needed to make the whole process work.

Sarge is coming

August 11, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

Sarge is, finally, approaching. Last week, Steve Langasek announced a proposed timeline for Sarge and that Anthony Towns had stepped down as release manager for Debian. Langasek and Colin Watson are filling the post for the Sarge release. According to Watson's follow-up on Saturday, the release target for Sarge is now September 19. Joey Hess also announced release candidate 1 of the new Debian-Installer for Sarge on Saturday.

With the release so close at hand, we decided to take a look at the state of Sarge. We touched base with Langasek on the status of the release, and also asked Towns for comment on his decision to step down. In Langasek's announcement, he alluded to "the recrimination and hostility towards some of our most dedicated developers" as a possible reason for Towns' departure from the release manager post. Towns declined to elaborate on his decision to step down from the release manager position, but said that Sarge is in good hands:

I've got complete confidence that Colin and Steve can do a better job getting sarge out than I could, and are doing so. They might think differently, but if so, the resolution to that little quandary is quite simple: they're wrong. :)

We also asked Langasek about the statement, and whether he feels that the internal conflicts in Debian have gotten worse.

For my part, I'm well aware that there's always a certain amount of off-topic digression and conflict on the mailing lists -- this is nothing new in Debian, it's part and parcel of the kind of rough-and-tumble development model that's always been in effect in this community. One thing that *has* changed recently, however, is that the General Resolution process... has become unstuck in the past year, after having been held up for quite some time by a committee charged with fixing some subtle bugs in our constitution. Suddenly, the GR process seems like a good way to address lots of problems in the project, and lots of changes are being proposed without necessarily considering the full effects in the context of Debian, or sometimes without much consideration of whether this is something that *can* be legislated in Debian.

It's also true that as the project has grown, it has tended to become more politicized as it's harder for everyone to know everyone else personally. I don't think this is inevitable, though; it's simply something we need to learn to deal with as we grow. Since Debian has essentially been growing for its entire existence, we have a fair amount of experience with learning to address growing pains.

In any case, I definitely don't think AJ's decision represents any sort of crisis in Debian. The release manager's job is a hard one even when everything seems to be going right, so it's perfectly understandable that he would decide to step down.

With that unpleasant topic behind us, we also asked Langasek about the release schedule, and whether the schedule was realistic.

The important message to bring away from the announced release schedule is that we're close enough now to being able to release that it's time for developers to change focus. The schedule may slip a few days here or there, but the truth is that's something we have to contend with no matter how aggressive our proposed schedule is. So we might as well be ambitious!

Our brief tests of the RC1 of the Debian installer were quite positive. The installer is still a text-based system, but consists of a fairly easy set of choices for the average Linux user to follow. We tested RC1 on a dual-PIII Xeon system, and tried out both the normal and "expert" installer modes. Users have the choice of installing the 2.4 or 2.6 kernel in either mode. The "expert" mode is largely unnecessary unless one wants (or needs) to dabble more directly with the kernel modules that are loaded or if one wishes to experiment with installer modules that are not part of the default installation.

The new installer also offers to partition the disk for the user, no doubt a welcome addition for many Linux users who aren't familiar with disk partitioning. The user has a choice between an all-in-one partition, a separate /home partition, or a multi-user partitioning scheme if they choose to let the installer do the work for them. Both the /home and multi-user schemes provided sane partition layouts on a 40GB disk, using the Ext3 filesystem. We might have chosen more swap space (the installer opted for 512MB on a system with 1GB of RAM), but both partition layouts were quite usable.

The hardware detection worked fine for the test system, though the system admittedly contained a sparse selection of components -- an add-on IDE controller, network card and generic video card, PS/2 keyboard and mouse, no sound card. This writer found it very nice not to have to know which module is appropriate for the system's network card while in the middle of an install.

Users have the option of choosing packages manually, or selecting from seven pre-selected groups of packages like "desktop," "Web server," and "DNS." These can be mixed and matched, so users who want a print server and desktop in one machine can choose both at install time. The desktop set of packages provided both the KDE and GNOME desktops, and a fair selection of desktop apps and games.

There were only two things we didn't like overall, and neither can rightly be considered a bug -- though there is a bug report for our first complaint. Though the machine in question is a dual-CPU machine, neither the normal nor the expert install gave the option of an SMP-enabled kernel. Though it's not at all difficult to download a suitable SMP kernel (or compile your own), it's an additional step that should be unnecessary.

Likewise, it seems to this writer that OpenSSH should be installed by default on any network-connected system. While not difficult to do after the fact, one would think that including OpenSSH is a no-brainer on almost any Linux system. It is certainly as likely to be used as wget or nano, which are installed by default.

Those are extremely minor grumbles, however. It appears that Sarge is just about ready to make its debut. The schedule is a bit ambitious, but it doesn't seem unrealistic based on our tests of the RC1 of the installer and packages now in testing. Langasek asks that users start banging on the new installer and install manual to help the process along:

Now that the first release candidate of the debian-installer is available, we also need users to help test this new installer, and to also help review the installation manual to check for omissions and accuracy.

We hope to soon have security support available for testing, at which point we will also send out a general call for users to test the upgrade path from woody to sarge.

And, of course, Langasek asks that users report bugs wherever they find them, "particularly if they're using testing or unstable." As users are trying out the new Debian installer, they might wish to read the d-i retrospective, which recounts the history of d-i and gives perspective on the work that went into the installer. Langasek says that the work has paid off:

Debian-installer stands head and shoulders above the boot-floppies system we used for woody, and we owe a lot of thanks to the developers responsible for giving us an installer that people can actually be enthusiastic about contributing to. :-)

Indeed, this writer is enthusiastic about the installer as well. Though the old installer was usable enough (as evidenced by the enormous Debian user base), the new installer is much improved. The final Sarge release should do a great deal to help Debian's popularity with newer Linux users.

Munich and software patents

August 11, 2004

This article was contributed by Tom Chance.

As was covered here last week, the high-profile Linux deployment in the city of Munich has been put on a temporary hold while a legal review of possible patent threats is carried out. This hold is a direct result of two motions filed recently by a Green Party alderman in the city. The motions, and their aftermath, have created a small storm, both in the city of Munich itself, and among free software advocates and anti-software patent activists. Those who oppose the transition from proprietary to free software in Munich took the opportunity to put a spanner in the works, and that prompted swift reactions from free software advocates; the events seem to have created some stress between the free software and anti-software patent communities.

The motivation behind the alderman's motions was simple: to persuade the city of Munich to put more pressure on German and European politicians to stop the EU's directive on the patentability of computer-implemented inventions. And insofar as they aimed to raise the problems associated with software patents among German politicians, they have met with some success. The city of Munich does appear to remain committed to its free software project, and despite speculation in the press, the only thing about which we can be certain is that, as LWN commented previously, the process will be slowed down while the lawyers do their thing. The latest word is that the delay may not last more than a few weeks.

So why, then, did the Free Software Foundation Europe feel compelled to issue a press release emphasizing that free software is no special case, and that the dangers posed by software patents affect all small and medium enterprises and projects, regardless of their licensing? I asked FSFE President Georg Greve whether he felt that the Green party should be condemned for its actions, and whether the FFII, which could be accused of spreading the flames with a widely-reported press release of its own, should be included in that as well. Mr. Greve described "condemnation" as "too strong a term," but it is clear that they aren't too happy, especially given that they have been actively campaigning against software patents for four years without jeopardizing free software deployments. He asked:

Why did the FFII and Green Party target the currently most prominent Free Software migration and not some proprietary software projects?

In response, the Green Party in Munich notes that it is software patents which threaten free software, and not anybody's attempts to fight the imposition of patents. Ignoring the patent directive, they say, would be far more dangerous than forcing this sort of confrontation.

As Tim Bray noted in his weblog, almost all software in the market probably infringes on some existing software patents, and the issue is one of financial resources (i.e. the ability to defend a case in court), not one of licensing. Greve claims that "[the] link is entirely artificial".

Bizarrely, part of the explanation of events lies in a mistake within the FFII. The study that lists the patents that affect the Munich project was never released as an FFII study; rather, it was a personal document on an FFII member's homepage. Hartmut Pilch, the President of the FFII, wrote that he was "surprised by the announcement of Wilhelm Hoegner and the mayor", and that he "learnt from both only through the media". Nevertheless, he goes on to defend the message given out by the Green Party, if not the exact methods they used, pointing out that the city of Munich had to assess the risk caused to its project by software patents.

The fallout of all of this is difficult to predict. We can be fairly sure that, barring an extraordinary risk assessment by the city of Munich's lawyers, their Linux project will go ahead. But it's impossible to judge the impact that the news will have on the vote in European Parliament later this year, and on other government projects involving free software. However, if the EU says "no" to software patents, the free software community in Europe could be saved from, possibly, the most damaging legal framework seriously considered to date. The knock-on effect in other countries and trade areas also can't be underestimated. So if steps like those taken by the Green Party in Munich can derail software patents in Europe at the expense of delaying, or even stopping, various free software deployments in government, would it not be worth the sacrifice? In this light the Green Party's actions seem like fine political ju jitsu.

An implicit assumption in that question is that the Green Party's initiative can be followed elsewhere. The only other example of a major deployment of free software in government in Europe is in Extremadura, where local politicians are already firmly against software patents. Employing this sort of technique elsewhere must be done carefully: emphasizing the software patent risk to free software could end up turning politicians against free software, rather than patents. A compromise approach, as Greve suggested, would be:

...for Free Software advocates to always raise the point that their opposition against SWPATs is not on the grounds of Free Software alone, but on the grounds of the entire local hardware and software industry.

It may be too late for effective damage control in Munich, so we will have to wait for the outcome there. But in the future, it would seem wise for anti-software patent activists to be mindful of Greve's suggestion. Free Software advocates must fight software patents, and we must recognize that they are more important than individual deployments of free software. But all the same, we mustn't unnecessarily prejudice politicians and those who make technology decisions against free software for the sake of gains in the fight against software patents.

Page editor: Jonathan Corbet

Security

The Information Technology Security Handbook

The World Bank InfoDev Program has set itself a goal of helping computer users in developing countries avoid security problems. To that end, it has published the Information Technology Security Handbook; it can be downloaded from the site in PDF format. It is a very introductory-level book on security threats to computers and their users; if users at that level can be convinced to read the whole thing, it may well do some good. Unfortunately, however, this book does the developing world a disservice by being strongly biased toward proprietary software.

The "Security for Individuals" section, for example, contains a couple of pages on "non-traditional and non-commercial software." Topics covered are, in this order, shareware, open source software, and pirated software. The open source discussion gives a brief overview of the "which is more secure?" debate, and informs us:

The update processes for Open Source products tend to be more difficult that [sic] those for Windows, but are in line with other Unix products and the installation procedures for the original Open Source products.

The fact of the matter, of course, is that the major distributors have all made the application of security updates into a trivially easy task, which can even be automated. The above statement might have been true some years ago; it certainly is not true now.

The discussion of free software pretty much ends there. So, for example, we get a long section on email problems; infection via email is said to be "highly likely." Six rules are given for protecting a system from email-borne malware ("Do not open an attachment from someone you do know and trust unless you are sure that they sent it deliberately"), but there is no mention of the fact that email-borne malware is, for all practical purposes, unknown outside of the Windows world.

The "security for organizations" chapter is written in an entirely different voice. It covers a wide range of topics, including regulatory compliance, wireless security, personnel threats, etc. There is a lot of useful material there for somebody who is beginning to think about security in an organizational context, but no specifics at all. There is a section on government policy which has mostly to do with bureaucratic organization and the crafting of security-related legislation.

The final and largest section is aimed at technical administrators. Interestingly, this section is mostly oriented around Unix and Unix-like systems. The coverage is strange, however; NIS netgroups warrant several pages, while PAM is breezed over in a single page. There is a long section full of rules on writing safe CGI scripts, but nothing about web server setup. The chapter contains some good stuff, but it looks like it was gathered together from several different sources.

This handbook looks like a useful resource in many ways. It falls short of what a book on security for the developing world could be, however. Like the rich world, the developing world has no need to rely on expensive and insecure proprietary software. A book on information security in developing countries really owes it to its readers to point out that, with free software, they can take greater control over their systems and not have to rely on the good intentions of a large, foreign company.

New vulnerabilities

Cfengine: RSA Authentication Heap Corruption

Package(s): Cfengine    CVE #(s): (none)
Created: August 10, 2004    Updated: August 11, 2004
Description: Two vulnerabilities have been found in cfservd. One is a buffer overflow in the AuthenticationDialogue function and the other is a failure to check the return value of the ReceiveTransaction function. An attacker could use the buffer overflow to execute arbitrary code with the permissions of the user running cfservd, which is usually the root user. However, before such an attack could be mounted, the IP-based ACL would have to be bypassed. The second vulnerability could be used by an attacker to mount a denial of service attack.
Alerts:
Gentoo 200408-08 2004-08-10

cvstrac: arbitrary code execution

Package(s): cvstrac    CVE #(s): (none)
Created: August 6, 2004    Updated: August 11, 2004
Description: Richard Ngo reported on BugTraq that a vulnerability has been discovered in the CVS repository web browsing tool CVSTrac. If properly exploited an attacker can execute arbitrary code on the CVSTrac host with the privileges of the associated web server.
Alerts:
OpenPKG OpenPKG-SA-2004.036 2004-08-06

opera: remote filesystem read access vulnerability

Package(s): opera    CVE #(s): (none)
Created: August 5, 2004    Updated: August 11, 2004
Description: The Opera browser has a vulnerability that may allow a remote attacker to read a local filesystem.
Alerts:
Gentoo 200408-05 2004-08-05

PuTTY: pre-authentication arbitrary code execution problem

Package(s): putty    CVE #(s): (none)
Created: August 5, 2004    Updated: October 28, 2004
Description: PuTTY, a telnet and SSH client, contains a vulnerability that can allow an SSH server to execute arbitrary code on a connecting client.
Alerts:
Gentoo 200408-04 2004-08-05
Gentoo 200410-29 2004-10-27

shorewall: temporary file exploit

Package(s): shorewall    CVE #(s): (none)
Created: August 10, 2004    Updated: August 11, 2004
Description: Javier Fernández-Sanguino Peña has discovered an exploitable vulnerability in the way that Shorewall handles temporary files and directories. The vulnerability can allow a non-root user to cause arbitrary files on the system to be overwritten. LEAF Bering and Bering uClibc users are generally not at risk due to the fact that LEAF boxes do not typically allow logins by non-root users. The complete advisory is here.
Alerts:
Mandrake MDKSA-2004:080 2004-08-09

SpamAssassin: Denial of Service vulnerability

Package(s): spamassassin    CVE #(s): CAN-2004-0796
Created: August 9, 2004    Updated: August 11, 2005
Description: SpamAssassin contains an unspecified Denial of Service vulnerability. By sending a specially crafted message an attacker could cause a Denial of Service attack against the SpamAssassin service.
Alerts:
Gentoo 200408-06 2004-08-09
Mandrake MDKSA-2004:084 2004-08-18
OpenPKG OpenPKG-SA-2004.041 2004-09-15
Conectiva CLA-2004:867 2004-09-22
Red Hat RHSA-2004:451-01 2004-09-30
Fedora-Legacy FLSA:2268 2005-03-24
Fedora-Legacy FLSA:129284 2005-08-10

Updated vulnerabilities

Horde-IMP: improper input validation

Package(s): Horde-IMP    CVE #(s): (none)
Created: June 16, 2004    Updated: August 10, 2004
Description: An input validation error exists in Horde-IMP through version 3.2.4; a specially crafted message could be used to run scripts in the context of the target's browser.
Alerts:
Gentoo 200406-11 2004-06-16
Gentoo 200408-07 2004-08-10

OpenSSL: denial of service vulnerabilities

Package(s): OpenSSL    CVE #(s): CAN-2004-0081 CAN-2003-0851
Created: March 17, 2004    Updated: November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
EnGarde ESA-20040317-003 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Debian DSA-465-1 2004-03-17
Gentoo 200403-03 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Red Hat RHSA-2004:121-01 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Trustix TSLSA-2004-0012 2004-03-17
Whitebox WBSA-2004:120-01 2004-03-22
Fedora FEDORA-2004-095 2004-03-19
Red Hat RHSA-2004:084-01 2004-03-23
Whitebox WBSA-2004:084-01 2004-03-23
Conectiva CLA-2004:834 2004-03-31
Fedora-Legacy FLSA:1395 2004-05-08
Fedora FEDORA-2005-1042 2005-10-31
Red Hat RHSA-2005:829-00 2005-11-02
Red Hat RHSA-2005:830-00 2005-11-02

Apache mod_proxy: denial of service

Package(s): apache    CVE #(s): CAN-2004-0492
Created: June 11, 2004    Updated: October 14, 2004
Description: A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service.
Alerts:
OpenPKG OpenPKG-SA-2004.029 2004-06-11
Gentoo 200406-16 2004-06-21
Debian DSA-525-1 2004-06-24
Mandrake MDKSA-2004:065 2004-06-29
Fedora-Legacy FLSA:1737 2004-10-13

apache mod_ssl format string vulnerability

Package(s): apache mod_ssl    CVE #(s): (none)
Created: July 16, 2004    Updated: August 6, 2004
Description: Triggered by a report to Packet Storm from Virulent, a format string vulnerability was found in mod_ssl, the Apache SSL/TLS interface to OpenSSL, in versions up to and including 2.8.18 for Apache 1.3. The mod_ssl in Apache 2.x is not affected. The vulnerability could be exploitable if Apache is used as a proxy for HTTPS URLs and the attacker has established their own specially prepared DNS and origin server environment.
Alerts:
OpenPKG OpenPKG-SA-2004.032 2004-07-16
Gentoo 200407-18 2004-07-22
Slackware SSA:2004-207-02 2004-07-25
Mandrake MDKSA-2004:075 2004-07-27
Conectiva CLA-2004:857 2004-08-06

apache2: stack-based buffer overflow in ssl_util.c

Package(s): apache2    CVE #(s): CAN-2004-0488
Created: June 1, 2004    Updated: October 14, 2004
Description: A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.
Alerts:
Mandrake MDKSA-2004:055 2004-06-01
Mandrake MDKSA-2004:054 2004-06-01
Trustix TSLSA-2004-0031 2004-06-02
OpenPKG OpenPKG-SA-2004.026 2004-05-27
Slackware SSA:2004-154-01 2004-06-02
Gentoo 200406-05 2004-06-09
Red Hat RHSA-2004:245-01 2004-06-14
Debian DSA-532-1 2004-07-22
Debian DSA-532-2 2004-07-27
Fedora-Legacy FLSA:1888 2004-10-13

aspell: bounds checking problem

Package(s): aspell    CVE #(s): CAN-2004-0548
Created: June 17, 2004    Updated: December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.
Alerts:
Gentoo 200406-14 2004-06-17
OpenPKG OpenPKG-SA-2004.042 2004-09-15
Mandrake MDKSA-2004:153 2004-12-20

courier: cross-site scripting vulnerability

Package(s): courier    CVE #(s): CAN-2004-0591
Created: July 23, 2004    Updated: August 4, 2004
Description: The sqwebmail application has a cross-site scripting vulnerability. An attacker can inject and execute a web mail script via an email message.
Alerts:
Debian DSA-533-1 2004-07-22
Gentoo 200408-02 2004-08-04

Ethereal: Multiple security problems

Package(s): ethereal    CVE #(s): CAN-2004-0633 CAN-2004-0634 CAN-2004-0635
Created: July 9, 2004    Updated: August 19, 2004
Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.5, including:
* In some cases the iSNS dissector could cause Ethereal to abort.
* If there was no policy name for a handle for SMB SID snooping it could cause a crash.
* A malformed or missing community string could cause the SNMP dissector to crash.
See this advisory for more information.
Alerts:
Gentoo 200407-08 2004-07-09
Mandrake MDKSA-2004:067 2004-07-09
Fedora FEDORA-2004-219 2004-07-14
Fedora FEDORA-2004-220 2004-07-14
Debian DSA-528-1 2004-07-17
Fedora FEDORA-2004-234 2004-07-22
Netwosix NW-2004-0016 2004-07-23
Red Hat RHSA-2004:378-01 2004-08-05
Whitebox WBSA-2004:378-01 2004-08-19

Filename disclosure vulnerability in fam

Package(s): fam    CVE #(s): CAN-2002-0875
Created: August 19, 2002    Updated: January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Debian DSA-154-1 2002-08-15
Red Hat RHSA-2005:005-01 2005-01-05

flim: insecure file creation

Package(s): flim    CVE #(s): CAN-2004-0422
Created: May 5, 2004    Updated: December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Debian DSA-500-1 2004-05-01
Red Hat RHSA-2004:344-01 2004-08-18
Fedora FEDORA-2004-546 2004-12-15

gnome-vfs: backend script vulnerabilities

Package(s): gnome-vfs    CVE #(s): CAN-2004-0494
Created: August 4, 2004    Updated: February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Red Hat RHSA-2004:373-01 2004-08-04
Whitebox WBSA-2004:373-01 2004-08-19
Fedora-Legacy FLSA:1944 2005-02-20

gtkhtml: malformed messages cause crash

Package(s): gtkhtml    CVE #(s): CAN-2003-0133 CAN-2003-0541
Created: April 14, 2003    Updated: April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader. The GtkHTML supplied with versions of Evolution prior to 1.2.4 contains a bug in the handling of HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.
Alerts:
Red Hat RHSA-2003:126-01 2003-04-14
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:264-01 2003-09-09
Conectiva CLA-2003:737 2003-09-12
Mandrake MDKSA-2003:093 2003-09-18
Debian DSA-710-1 2005-04-18

iproute: local denial of service

Package(s): iproute net-tools    CVE #(s): CAN-2003-0856
Created: November 25, 2003    Updated: December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Red Hat RHSA-2003:316-01 2003-11-24
Gentoo 200404-10 2004-04-09
Debian DSA-492-1 2004-04-18
Fedora FEDORA-2004-115 2004-05-11
Fedora FEDORA-2004-154 2004-06-03
Mandrake MDKSA-2004:148 2004-12-13

Comments (none posted)

racoon: failure to verify signatures

Package(s):ipsec-tools racoon CVE #(s):CAN-2004-0155
Created:April 7, 2004 Updated:August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
Alerts:
Gentoo 200404-05 2004-04-07
Mandrake MDKSA-2004:027 2004-04-08
Whitebox WBSA-2004:308-01 2004-08-19

Comments (none posted)

kdelibs: cookie disclosure

Package(s):kdelibs CVE #(s):CAN-2003-0592
Created:March 10, 2004 Updated:August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
Alerts:
Debian DSA-459-1 2004-03-10
Mandrake MDKSA-2004:022 2004-03-10
Red Hat RHSA-2004:075-01 2004-03-10
Red Hat RHSA-2004:074-01 2004-03-10
Gentoo 200408-23 2004-08-24

Comments (none posted)

kernel allows unauthorized changes to the group ID

Package(s):kernel CVE #(s):CAN-2004-0497
Created:July 2, 2004 Updated:September 27, 2004
Description: During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances - such as when the files are exported via NFS.
Alerts:
Red Hat RHSA-2004:360-01 2004-07-02
Red Hat RHSA-2004:354-01 2004-07-02
Fedora FEDORA-2004-205 2004-07-02
Fedora FEDORA-2004-206 2004-07-02
SuSE SUSE-SA:2004:020 2004-07-02
Mandrake MDKSA-2004:066 2004-07-06
Whitebox WBSA-2004:360-01 2004-07-07
Gentoo 200407-16 2004-07-22
Conectiva CLA-2004:869 2004-09-27

Comments (none posted)

kernel information leak

Package(s):kernel CVE #(s):CAN-2004-0415
Created:August 3, 2004 Updated:October 26, 2004
Description: Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions from 64-bit to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.

A fix for this problem was added to the fifth 2.4.27 release candidate.

Alerts:
Fedora FEDORA-2004-247 2004-08-03
Red Hat RHSA-2004:418-01 2004-08-03
Red Hat RHSA-2004:413-01 2004-08-03
SuSE SUSE-SA:2004:024 2004-08-09
Trustix TSLSA-2004-0041 2004-08-09
Fedora FEDORA-2004-251 2004-08-10
Red Hat RHSA-2004:327-01 2004-08-18
Whitebox WBSA-2004:413-01 2004-08-19
Gentoo 200408-24 2004-08-25
Mandrake MDKSA-2004:087 2004-08-26
Fedora-Legacy FLSA:1804 2004-10-18
Conectiva CLA-2004:879 2004-10-26

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains User Mode Linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages, which contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
OpenPKG OpenPKG-SA-2004.035 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
Debian DSA-536-1 2004-08-04
Gentoo 200408-03 2004-08-05
Trustix TSLSA-2004-0040 2004-08-05
Conectiva CLA-2004:856 2004-08-06
Slackware SSA:2004-222-01 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-223-01 2004-08-09
Mandrake MDKSA-2004:082 2004-08-12
Whitebox WBSA-2004:402-01 2004-08-19
Gentoo 200408-22 2004-08-23
Red Hat RHSA-2004:421-01 2004-08-04
Fedora-Legacy FLSA:1943 2005-02-08

Comments (1 posted)

logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Debian DSA-488-1 2004-04-16
Mandrake MDKSA-2004:155 2004-12-22

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Debian DSA-320-1 2003-06-13
Gentoo 200307-01 2003-07-02
Fedora FEDORA-2005-404 2005-06-09
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-405 2005-06-16

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because that release did not fully fix it, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Gentoo 200401-03 2004-01-27
Red Hat RHSA-2004:063-01 2004-02-26
Red Hat RHSA-2004:058-01 2004-02-26
Debian DSA-452-1 2004-02-29
Whitebox WBSA-2004:058-01 2004-03-01
Conectiva CLA-2004:837 2004-04-12
Fedora-Legacy FLSA:1325 2004-10-03

Comments (none posted)

MoinMoin Group ACL Bypass

Package(s):moinmoin CVE #(s):
Created:July 12, 2004 Updated:August 26, 2004
Description: MoinMoin contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an attacker creates a user with the same name as an administrative group. This flaw may lead to a loss of integrity. See this osvdb entry for additional information.
Alerts:
Gentoo 200407-09 2004-07-11

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):mozilla CVE #(s):CAN-2003-0594 CAN-2003-0564
Created:March 10, 2004 Updated:August 19, 2004
Description: Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
Alerts:
Mandrake MDKSA-2004:021 2004-03-10
Red Hat RHSA-2004:112-01 2004-03-17
Whitebox WBSA-2004:110-01 2004-03-29
Whitebox WBSA-2004:421-01 2004-08-19

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Debian DSA-411-1 2004-01-05
Gentoo 200503-34 2005-03-28

Comments (none posted)

MPlayer: GUI filename handling overflow

Package(s):mplayer CVE #(s):
Created:August 2, 2004 Updated:August 4, 2004
Description: The MPlayer GUI code contains several buffer overflow vulnerabilities, and at least one in the TranslateFilename() function is exploitable. By enticing a user to play a file with a carefully crafted filename an attacker could execute arbitrary code with the permissions of the user running MPlayer.
Alerts:
Gentoo 200408-01 2004-08-01

Comments (none posted)

MySQL: temporary file vulnerabilities

Package(s):mysql CVE #(s):CAN-2004-0381 CAN-2004-0388
Created:April 14, 2004 Updated:August 18, 2004
Description: The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system.
Alerts:
Debian DSA-483-1 2004-04-14
OpenPKG OpenPKG-SA-2004.014 2004-04-14
Mandrake MDKSA-2004:034 2004-04-19
Gentoo 200405-20 2004-05-25

Comments (none posted)

neon: buffer overflow

Package(s):neon CVE #(s):CAN-2004-0398
Created:May 19, 2004 Updated:September 30, 2004
Description: The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Alerts:
Debian DSA-506-1 2004-05-19
Debian DSA-507-1 2004-05-19
Red Hat RHSA-2004:191-01 2004-05-19
Fedora FEDORA-2004-129 2004-05-19
Fedora FEDORA-2004-130 2004-05-19
Mandrake MDKSA-2004:049 2004-05-19
OpenPKG OpenPKG-SA-2004.024 2004-05-19
Gentoo 200405-13 2004-05-20
Gentoo 200405-15 2004-05-20
Conectiva CLA-2004:841 2004-05-25
Gentoo 200405-25 2004-05-30
Gentoo 200405-25b 2004-06-02
Gentoo 200406-03 2004-06-05
Mandrake MDKSA-2004:078 2004-07-29
Fedora-Legacy FLSA:1552 2004-09-29

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):nessus CVE #(s):
Created:May 27, 2003 Updated:August 12, 2004
Description: Some vulnerabilities exist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to somehow trick a user into running a specially crafted NASL script. Read the full advisory for additional information.
Alerts:
Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Debian DSA-426-1 2004-01-18
Red Hat RHSA-2004:031-01 2004-01-22
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:030-01 2004-02-05
Mandrake MDKSA-2004:011 2004-02-11
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011-1 2004-09-27
Gentoo 200410-02 2004-10-04
Conectiva CLA-2004:909 2004-12-29

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Gentoo 200305-01 2002-03-05
Gentoo 200305-02 2003-05-13
Red Hat RHSA-2003:222-01 2003-07-29
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Ubuntu USN-34-1 2004-11-30

Comments (1 posted)

pavuk: buffer overflow

Package(s):pavuk CVE #(s):CAN-2004-0456
Created:June 30, 2004 Updated:November 11, 2004
Description: Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server.
Alerts:
Gentoo 200406-22 2004-06-30
Debian DSA-527-1 2004-07-03
Gentoo 200411-19 2004-11-10

Comments (none posted)

php: remotely exploitable memory errors

Package(s):php CVE #(s):CAN-2004-0594
Created:July 14, 2004 Updated:February 7, 2005
Description: Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature is in use (as it should be, to prevent denial of service attacks), allocation failures can be forced at highly inopportune times, and those failures can be exploited to execute arbitrary code. The exploit is described as "quite easy," and it can be done regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release also contains the fix (but the final release candidate did not).
Alerts:
tinysofa TSSA-2004-013 2004-07-14
Gentoo 200407-13 2004-07-15
Mandrake MDKSA-2004:068 2004-07-14
SuSE SUSE-SA:2004:021 2004-07-16
Conectiva CLA-2004:847 2004-07-16
Red Hat RHSA-2004:395-01 2004-07-19
Red Hat RHSA-2004:392-01 2004-07-19
Debian DSA-531-1 2004-07-20
Slackware SSA:2004-202-01 2004-07-20
OpenPKG OpenPKG-SA-2004.034 2004-07-22
Fedora FEDORA-2004-222 2004-07-23
Fedora FEDORA-2004-223 2004-07-23
Whitebox WBSA-2004:392-01 2004-08-19
Debian DSA-669-1 2005-02-07

Comments (none posted)

phpMyAdmin: remote PHP execution

Package(s):phpmyadmin CVE #(s):
Created:July 29, 2004 Updated:August 4, 2004
Description: phpMyAdmin has a vulnerability that allows a remote attacker to modify variables and execute PHP code. The attacker must have a valid user account.
Alerts:
Gentoo 200407-22 2004-07-29

Comments (none posted)

python: buffer overflow

Package(s):python CVE #(s):CAN-2004-0150
Created:March 10, 2004 Updated:October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Debian DSA-458-1 2004-03-09
Mandrake MDKSA-2004:019 2004-03-09
Debian DSA-458-2 2004-08-31
Gentoo 200409-03 2004-09-02
Debian DSA-458-3 2004-10-10

Comments (none posted)

samba: potential buffer overruns

Package(s):samba CVE #(s):CAN-2004-0600 CAN-2004-0686
Created:July 22, 2004 Updated:September 2, 2004
Description: According to this Samba advisory, Evgeny Demidov discovered that the Samba SMB/CIFS server has a buffer overflow bug in the Samba Web Administration Tool (SWAT) when decoding Base64 data during HTTP Basic Authentication. Samba versions 3.0.2 through 3.0.4 are affected. (CAN-2004-0600)

Another buffer overflow bug has been located in the Samba code used to support the "mangling method = hash" functionality. The default setting for this parameter is "mangling method = hash2", and therefore Samba is not vulnerable by default. Samba versions 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected. (CAN-2004-0686)

Alerts:
OpenPKG OpenPKG-SA-2004.033 2004-07-22
Red Hat RHSA-2004:259-01 2004-07-22
Conectiva CLA-2004:851 2004-07-22
Mandrake MDKSA-2004:071 2004-07-22
Netwosix NW-2004-0015 2004-07-23
SuSE SUSE-SA:2004:022 2004-07-23
tinysofa TSSA-2004-014 2004-07-23
Slackware SSA:2004-207-01 2004-07-25
Red Hat RHSA-2004:404-01 2004-07-26
Trustix TSLSA-2004-0039 2004-01-05
Gentoo 200407-21 2004-07-29
Conectiva CLA-2004:854 2004-07-30
Whitebox WBSA-2004:259-01 2004-08-19
Fedora FEDORA-2004-284 2004-09-02
Fedora FEDORA-2004-285 2004-09-02

Comments (1 posted)

sox: buffer overflow

Package(s):sox CVE #(s):CAN-2004-0557
Created:July 28, 2004 Updated:February 21, 2005
Description: Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file.
Alerts:
Fedora FEDORA-2004-235 2004-07-28
Fedora FEDORA-2004-244 2004-07-28
Red Hat RHSA-2004:409-01 2004-07-29
Mandrake MDKSA-2004:076 2004-07-28
Gentoo 200407-23 2004-07-30
Conectiva CLA-2004:855 2004-07-30
Slackware SSA:2004-223-03 2004-08-07
Whitebox WBSA-2004:409-01 2004-08-19
Debian DSA-565-1 2004-10-13
Fedora-Legacy FLSA:1945 2005-02-20

Comments (none posted)

squid: buffer overflow

Package(s):squid CVE #(s):CAN-2004-0541
Created:June 9, 2004 Updated:September 30, 2004
Description: The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.
Alerts:
Fedora FEDORA-2004-163 2004-06-09
Fedora FEDORA-2004-164 2004-06-09
Red Hat RHSA-2004:242-01 2004-06-09
SuSE SuSE-SA:2004:016 2004-06-09
Mandrake MDKSA-2004:059 2004-06-09
Trustix TSLSA-2004-0033 2004-06-10
Whitebox WBSA-2004:242-01 2004-06-10
Gentoo 200406-13 2004-06-17
Gentoo 200409-04 2004-09-02
Mandrake MDKSA-2004:093 2004-09-15
Red Hat RHSA-2004:462-01 2004-09-30

Comments (none posted)

SquirrelMail cross site scripting vulnerabilities

Package(s):squirrelmail CVE #(s):CAN-2004-0519 CAN-2004-0520 CAN-2004-0521
Created:May 21, 2004 Updated:October 4, 2004
Description: Several unspecified cross-site scripting (XSS) vulnerabilities and a well-hidden SQL injection vulnerability were found in SquirrelMail versions 1.4.2 and lower. An XSS attack allows an attacker to insert malicious code into a web-based application. SquirrelMail does not check for code when parsing variables received via the URL query string.
Alerts:
Gentoo 200405-16 2004-05-21
Gentoo 200405-16:02 2004-05-25
Fedora FEDORA-2004-159 2004-06-09
Fedora FEDORA-2004-160 2004-06-09
Red Hat RHSA-2004:240-01 2004-06-14
Gentoo 200406-08 2004-06-15
Whitebox WBSA-2004:240-01 2004-06-21
Conectiva CLA-2004:858 2004-08-12
Fedora-Legacy FLSA:1733 2004-10-02

Comments (none posted)

Subversion: Remote heap overflow

Package(s):subversion CVE #(s):CAN-2004-0413
Created:June 11, 2004 Updated:March 7, 2005
Description: Subversion has a remote denial of service vulnerability in svnserve that may also allow an attacker to execute arbitrary code on the server running it. See this advisory for more information.
Alerts:
Gentoo 200406-07 2004-06-10
OpenPKG OpenPKG-SA-2004.028 2004-06-11
Fedora FEDORA-2004-165 2004-06-11
Fedora FEDORA-2004-166 2004-06-11
SuSE SuSE-SA:2004:018 2004-06-17
Fedora-Legacy FLSA:1748 2005-03-07

Comments (none posted)

sysstat: temporary file vulnerability

Package(s):sysstat CVE #(s):CAN-2004-0107 CAN-2004-0108
Created:March 10, 2004 Updated:October 4, 2004
Description: The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:
Debian DSA-460-1 2004-03-10
Red Hat RHSA-2004:093-01 2004-03-10
Red Hat RHSA-2004:053-01 2004-03-10
Whitebox WBSA-2004:053-01 2004-03-10
Trustix TSLSA-2004-0011 2004-03-16
Debian DSA-460-2 2004-04-03
Gentoo 200404-04 2004-04-06
Fedora-Legacy FLSA:1372 2004-10-03

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):tar unzip CVE #(s):CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:October 1, 2002 Updated:April 9, 2006
Description: The tar utility does not properly filter file names containing "../", meaning that a hostil