
LWN.net Weekly Edition for August 26, 2004

IBM brings the GPL to court

IBM's memo in support of its motion for a partial summary judgment on its copyright counterclaims is now available, via Groklaw, in plain text format. This one is truly worth a read; it is far shorter than the complex memo for IBM's other motion (the attempt to do away with the breach of contract charges), and it shows just how a GPL infringement case can be brought to court. SCO, which has made its disdain for the GPL clear over the last year and a half, is going to have an interesting time trying to dance around this one.

Summary judgment motions depend on the lack of a dispute over the relevant facts, so IBM leads off with its list of the facts which, it says, are undisputed. The very first one is a statement that Linux development started with Linus; this, of course, is very much a disputed fact in many circles. The SCO Group, however, is unlikely to have a great interest in ensuring that the GNU Project gets proper credit for its work, and thus will probably not make a big deal out of this issue in court.

IBM goes on to list its contributions to Linux; these include the Enterprise Volume Management System (which was never actually merged into the kernel), PowerPC64 support, the Omni print driver, JFS, PCI hotplug support, and more. Copyrights for all of these contributions have been registered. Each contribution is also listed with the exact number of lines of code; IBM is showing that it is possible to be specific about such topics. IBM points out just where SCO has distributed copies of each of the claimed contributions to Linux.

The final set of "undisputed facts" has to do with the GPL and SCO's actions relative to the GPL. IBM notes that it has not authorized the copying, modification, or distribution of its code except under the terms of the GPL. SCO, meanwhile, has denied the validity of the GPL and has attempted to add restrictions to IBM's GPL-licensed code by way of its lawsuit threats and "Linux license" scheme.

Several paragraphs describing SCO's activities have been redacted from the publicly-available version of the memo. It would be most interesting to know what IBM is arguing that cannot be made available to the world as a whole.

With the "undisputed facts" in place, IBM moves on to the "argument" portion of its memorandum. The first step is to reiterate that IBM owns its copyrights, and that SCO has, beyond doubt, redistributed the code. The full memo includes a "side-by-side comparison" of IBM's code with the version that appeared in SCO Linux Server 4.0. This step may have been a bit more than was truly necessary, given that SCO does not dispute that it distributes Linux, but IBM is being sure that all the bases are covered.

IBM still has to show that SCO's copying was copyright infringement, however. So that's where the argument goes next:

As stated, IBM has not authorized the copying, modification, or distribution of the IBM Copyrighted Works, except pursuant to the terms of the GPL or LGPL. SCO does not have permission or any license to copy, modify, or distribute the IBM Copyrighted Works for at least two independent reasons: (1) SCO has repudiated and disclaimed the GPL (and thus also the LGPL) as a source of legal rights, and (2) SCO has breached the GPL and LGPL and thus lost any rights it might have had under the GPL or LGPL.

The first argument is interesting. IBM has no trouble citing statements from SCO challenging the validity of the GPL; some of them appear in SCO's own filings in the same case. But the argument that, by publicly trashing the GPL, SCO has forfeited its right to distribute GPL-licensed code does not convince everybody. The case law on the subject appears to be inconclusive; there is no real way to know how the court will treat this argument until the time comes.

The second part of the argument - that SCO has flat-out breached the terms of the GPL - is more straightforward. SCO has very clearly attempted to impose additional restrictions on GPL-licensed code, and that is not an action that the GPL allows. IBM should have little trouble establishing this breach as a fact.

Inquiring minds are most curious to see how SCO will respond to this argument. SCO's lawyers would appear to have these options:

  • Argue that SCO could not have breached the GPL, because the GPL is not a valid license. As has been pointed out many times, this argument puts SCO into a position of clear infringement: if the GPL is not a valid license, then SCO has no license to distribute IBM's code.

  • Argue that SCO has adhered to the terms of the GPL. The facts say otherwise in the strongest of terms, however; every statement by SCO that Linux cannot be used without an additional license - made while SCO continues to distribute the code in question - is a clear breach of the license.

  • Argue that the GPL gives SCO the right to redistribute the code, but that the GPL's prohibition on additional restrictions does not apply, or cannot be enforced. This argument would be an attempt to get the court to turn the GPL into something closer to the BSD license.

The third alternative above is the only one which holds out any hope for SCO in this case. Given that the U.S. courts have, in general, not been hospitable to the idea of rolling back the rights of copyright holders, it seems unlikely that this court would take a different tack now. It is also hard to see how the court could strike sections of the GPL without creating grave difficulties for many other software licenses.

So SCO is unlikely to prevail in an attempt to disable the operative terms of the GPL - in the long term. What SCO might be able to do is to create enough confusion around the issue that the judge is unable to hand down a summary judgment. In that case, IBM would have to argue its case in a full court trial next year, and SCO would get some breathing room to continue its campaign.

Such an outcome seems improbable, however. The facts seem clear, and SCO appears to be very much on the wrong side of them. In your editor's untrustworthy opinion, IBM seems much more likely to prevail on this motion than on its companion motion regarding the breach of contract claims. That result would clearly paint SCO's actions as an infringement of copyright, and it would put an end to SCO's attempts to put a tax on Linux. At the same time, it would put an end to claims that the GPL has never been tested in court. That would, needless to say, be an interesting day.


Other happenings on the SCO front

The hearing date for IBM's motion for a partial summary judgment on its tenth counterclaim (seeking a declaration that none of its Linux activities infringe upon SCO's copyrights) and SCO's attempt to dismiss that counterclaim is coming. So the memos to the court are flying in all directions.

SCO has filed its reply memorandum (PDF format) in support of its motion to dismiss or stay count ten. Therein, SCO claims that IBM's counterclaim is not "compulsory," that, instead, it is unrelated to the main case and could be considered separately. SCO says that IBM's counterclaim adds "undue complication and complexity" to the case, and thus should be dismissed. SCO wants the issue to simply go away.

IBM has also filed a reply memorandum (PDF); this one is in support of its motion for a partial summary judgment on the tenth counterclaim. It makes for interesting reading; IBM is putting its full strength into ripping apart SCO's claims. IBM's reasoning is, essentially:

  • SCO has made repeated public claims that the Linux kernel contains code copied directly from Unix, so the issue is relevant.

  • SCO has never shown any evidence that this copying has occurred, and has no such evidence to show.

  • The only thing that was even close to evidence was a declaration by Sandeep Gupta. IBM says it should be ignored because it was filed too late, because Mr. Gupta has no personal knowledge that would make him an expert witness, and the approach he used to compare Unix and Linux code is flawed.

    In support of its position, IBM has submitted a declaration from one Brian Kernighan on the flaws in the code comparison methodology and stating that Mr. Gupta's results are incorrect. When it comes to Unix code, one might assume that Mr. Kernighan has a bit of expertise to draw on.

  • SCO's claims that it needs more time for discovery are bogus because SCO has been saying for over a year that it has tons of evidence already.

  • SCO did not even bother to try to answer most of IBM's "undisputed facts," and its filing was not organized properly.

  • SCO can't even put up convincing evidence that it owns the copyrights on Unix.

The memo goes on for 56 pages; it is an interesting read. It has long been clear that SCO management's public statements would come back to haunt the company; IBM is now doing its best to make that happen.

IBM has also been busy trying to strike the declarations SCO has been filing in support of its positions. IBM's reasoning is usually that the person making the declaration is in no position to know what he is talking about. For some amusement, see this version of John Harrop's declaration posted on Groklaw; all of the portions which IBM wishes to strike have been indicated there. If IBM is successful, little of the declaration will remain.

SCO is due to report its third quarter results. That announcement will, according to this press release, happen on August 31. SCO should be able to show more SCOsource income this time around, since the money from EV1Servers.Net should finally appear in its accounting. It is hard to imagine the numbers as a whole being good, however.

SCO has announced, again, that it has made peace with BayStar. It might have actually happened this time.


Grokking the Grokster Decision

August 25, 2004

By Pamela Jones, Editor of Groklaw

The best way to understand what a case means if, like me, you aren't a lawyer, is to ask some. In the recent decision in MGM v. Grokster et al, filed on August 19, it's easy to do so, because there were amici briefs filed by law professors on both sides of the question. There is no better way to understand what a case is about than to read such briefs. The Electronic Frontier Foundation, which represented StreamCast Networks, Inc., one of the victorious defendants, has made the legal documents available.

On MGM's side, 9 law professors submitted an amicus brief explaining why they felt the lower court had made a mistake in granting Grokster and StreamCast a partial summary judgment and requesting that the Ninth Circuit Court of Appeals reverse the decision. On the other side, 40 law professors submitted an opposing amicus brief, supporting the lower court's decision and urging the Ninth Circuit Court of Appeals to affirm it. Both groups tried to persuade the three-judge panel that the law was on their side.

All of this goes to show you that the law is not reliable like math. You don't ever want to plot a course to Mars based on legal opinions, because you might not arrive safely at your destination. You can always find a lawyer somewhere who will argue a side, both sides, or all sides of any issue. In the Grokster case, some of the finest lawyers in the world contributed their thoughts, on both sides, making it one of the most interesting and significant cases of the year.

The appeals court decision was extraordinary, in that they accepted what can best be described as arguments you can find in Larry Lessig's book, "Free Culture," argued most ably by EFF's Fred von Lohmann for StreamCast and Michael Page of Keker & Van Nest for Grokster. The oral arguments are a delight to listen to, and EFF has them available as Ogg, WMA and MP3 files. Groklaw has made an unofficial transcript of the proceedings.

The court decided to draw a line in the sand and tell the Hollywood copyright forces that their push to extend and morph copyright law beyond its current borders, in effect to rewrite the Supreme Court's 1984 Sony-Betamax decision (Sony Corporation of America v. Universal City Studios, Inc., 464 U.S. 417, 104 S. Ct. 774, 78 L. Ed. 2d 574), so as to make it easier to go after contributory infringers, was unacceptable. Sony held that as long as a technology has substantial non-infringing uses, it can't be held liable for copyright infringement by users. The Hollywood copyright forces were trying to get the court to accept instead the new idea that if infringement levels reached a certain percentage, then manufacturers and programmers could be held liable.

Remembering that this is the same appeals court that upheld Napster, it's an extraordinary development and, in my opinion, a most significant victory, particularly for programmers, who stood to lose a great deal had the case gone the other way. Why? Because the copyright forces wanted to hold distributors of software tools -- and that means programmers too, not just companies -- liable for the infringements of end users.

It was nothing less than an attempt, as the ruling put it, to get the judiciary to fashion a new way to go after distributors and programmers for vicarious and contributory copyright infringement. Why? Simply because, as the law professors on MGM's side delicately put it, such a transmogrification would satisfy "the policy interests of indirect liability -- particularly for online infringement, where locating, suing, enjoining and recovering from millions of direct infringers is extremely difficult and inefficient."

In short, MGM and the music industry wanted the courts to make it easy for them. Going after the actual infringers on P2P systems is hard and expensive. So, they asked the court to let them go after those making and distributing software that some might use for the infringement instead. The conceivable consequences of such an expansion of vicarious liability were set forth in oral argument by Mr. Page:

To expand the law of vicarious liability, to attach liability to anyone who in theory could have acted as a policeman, leaves no border on it at all and leaves every technology vendor, every inventor, every merchant at the mercy of copyright holders who want to look around and go, 'You could have done something about this. You're liable.'

The court refused, based on the Sony-Betamax case, telling them to get Congress to fashion a more nuanced remedy than any court can give. Distinguishing the technology of Napster from that of Morpheus and Grokster (the centralized server in the former), the court noted that 10% of files shared on the systems are non-infringing, which is, in the words of Judge Noonan in the oral hearings, "a lot of files".

The court accepted the argument that every new technology is met by the music and entertainment industry with cries of theft and predictions of copyright doom along with demands that courts shut down the new technology. This happened with the invention of cassette recorders, VCRs, radio, and cable, as Lessig points out in "Free Culture". But throughout history, US courts have been loath to kill a new technology just to satisfy the old, vested interests affected by the new tech. Once again, the court has told those clamoring for a judicial remedy that they must seek a remedy in the legislature, if any is to be found.

Jason Schultz, an attorney with EFF, explains the significance of the Grokster decision, particularly to programmers:

One of the biggest wins in Grokster for programmers was the explicit rejection of two principles that the RIAA and MPAA were pushing the Court to adopt in order to 'update' the Sony Betamax rule. If either rule had been adopted for Peer to Peer companies, it would have applied to programmers as well. Both rules would have been disastrous.

1) The first was that makers of technology (including programmers) should be liable for the infringements of their users based on the proportion of users who use the technology to infringe, instead of whether or not the code is merely capable of substantial non-infringing uses. The Plaintiffs argued that since over 90% of P2P users infringed copyright, that was high enough to hold the programmers and distributors liable. This would have been a very dangerous rule for any programmer, especially those who release open source code, because it is almost impossible to predict all the ways in which your users will employ your code. . . . [T]o hold . . . programmers . . . liable for the future, unpredictable and unintended uses of code would change the legal landscape of programming dramatically and make it a very dangerous road to go down. Fortunately, the Court rejected this attempt to 'update' Sony Betamax and stuck with the time-honored rule that any technology with a substantial non-infringing use cannot be held contributorily liable for infringements by end users.

2) The second major victory was an explicit rejection of the RIAA/MPAA's other proposal --- that under vicarious liability, programmers and distributors of technology should be held liable for end user infringements if they could have re-designed their products to allow less infringement, but didn't. In this case, the MPAA/RIAA argued that the P2P companies could have forced updates on users that installed filters into their programs to filter out copyrighted works, but didn't. This 'willful blindness', Hollywood argued, should make the P2P companies responsible for the infringements of their end users. Such a ruling would have been an absolute nightmare for any programmer, not only because again, it is almost impossible to predict all the ways one will use a program to infringe and then preemptively restrict them, but also because the reality is that no venture capitalist will fund a software project in such a world. If programmers and companies are liable unless they make their programs as incapable of copying as possible, very few programs will ever be written. The only pragmatic way to release a program, then, is to get MPAA/RIAA approval beforehand -- essentially handing Hollywood veto power over any new code or program released. Again, the Court rejected this approach, giving programmers protection from both financial ruin and attempts to undermine their freedom to write code as they see fit.

EFF took the case for just these reasons. We saw how Hollywood wanted to change the law and all the bad precedent it would set. So we defended the P2P companies on these principles in order to protect every technology maker, including open source programmers. Under the eyes of the law, even non-commercial open source programmers are no different than P2P companies and without the legal protections in Grokster, all programmers would suffer. Thus, EFF stepped up to the plate to defend the freedom to code for everyone.

They not only stepped up to the plate. They hit a home run. Of course, the losing side has the option of an appeal to the Supreme Court. And, as it happens -- actually, I'm sure it's no happenstance -- there is already an attempt to overturn Grokster's holding, by means of the Inducing Infringement of Copyrights Act of 2004 [INDUCE], currently working its way through Congress, with the backing of the RIAA/MPAA. It is sponsored by Senators Patrick Leahy and Orrin Hatch, who has said it is explicitly meant to reverse Grokster, so as to accomplish the very things that the Ninth Circuit Court of Appeals just rejected. Such a law would find companies and programmers liable if they release code that makes it easier for copyright infringement to occur, although in light of this stunning Grokster ruling, they may find it is a harder sell now, since its language, as well as Mr. Hatch's in pushing it, contradicts the Ninth Circuit Court of Appeals' decision.

Yes, that Mr. Hatch, the father of one of the attorneys representing SCO, Brent Hatch. The apple doesn't fall very far from the tree.

In a case like this, it makes sense to distribute the result via the available peer-to-peer networks. So, for those whose browsers are set up for such things, the EFF has published a magnet link and an ed2k link for downloading the decision. It doesn't hurt to boost the clearly non-infringing content available on P2P networks. One thing about the Hollywood copyright sharks: you can be sure they'll be circling back around.


Novell's results

August 25, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

Novell announced its 3rd quarter financial results on Thursday of last week. To get some additional information on Novell's results, we spoke to Novell spokesperson Bruce Lowry about the results, and how the purchase of SUSE Linux and Ximian is working out for Novell.

First on the agenda was Novell's financial results. Novell brought in $305 million in the third quarter, with a profit of $23 million, compared to $283 million in the third quarter of 2003 and a loss of $12 million during that period. Part of Novell's overall profits this quarter resulted from a one-time payment of $19 million from The Canopy Group.

Overall, Lowry said that the company was happy with the profit from the third quarter, but "a little disappointed with the top-line revenue number." He explained that the sales of the company's Netware products had slowed their decline in recent quarters, but resumed a 12 percent decline in sales in the third quarter.

While Novell's other product lines have not been meeting expectations, SUSE Linux provided a welcome boost to Novell's bottom line this quarter. SUSE's revenues were up $2 million in the quarter, a 20 percent increase from the second quarter. A big factor in SUSE's increased revenues was a single customer that ordered 12,000 subscriptions to SUSE Enterprise. Lowry wouldn't disclose the customer's name, but said that the customer is a venture-backed company using SUSE in an "ASP sort of environment."

The $12 million in revenue from SUSE products broke down into three parts, $4 million was from subscription revenue, $5 million was from SUSE retail sales, and $3 million included "tech support alliance fees and other software products from SUSE Linux." Lowry noted that the SUSE subscriptions would continue to show revenue in future quarters, as subscription revenue is distributed over the life of the subscription rather than reported entirely in one quarter.

Ximian's revenue is not broken out separately by Novell, as the company mainly purchased Ximian as "a technology buy."

We basically said that the impact on earnings would be negligible...it's almost impossible to do that now. The major products were Ximian Desktop, which we're now combining into SUSE, hopefully later this year. The other main sort of component was Red Carpet Enterprise... what we did was added [that] to ZENworks.

We asked Lowry how the integration of SUSE and Ximian into Novell was going. Lowry said that the Ximian integration into Novell was "totally complete" and that the SUSE integration is "moving forward very rapidly," but noted that there was still work to be done, and that integrating a German company into Novell presented additional complications.

Lowry declined to offer specifics about the upcoming SUSE release with Ximian Desktop integrated into the release, saying that Novell was being "pretty tight-lipped" about the release. However, Lowry said that SUSE will continue to support KDE and GNOME.

It seems to be an issue that people continue to be hooked on, that we're trying to get beyond. But, we're trying to give people choice. We'll be adding the things you'd expect Novell to add... it's obviously going to be focused on the enterprise user.

We also asked whether the company would also be pushing Mono in its SUSE product line in order to help adoption of Mono. Lowry said that Mono is not shipped with SUSE Linux Enterprise Server 9, and said that Novell has "talked very loosely about it appearing in the desktop."

It's still very much an early stage thing, I have heard talk of pilot deployments of Mono in corporate environments. It's still fairly narrow...it's definitely an early stage technology.

He did say that Novell had been using Mono more for internal projects, and mentioned Novell's iFolder, which is now written with Mono. Lowry also mentioned the addition of JBoss to SUSE Linux Enterprise Server 9, and to the next major release of Novell exteNd as a replacement for Novell exteNd Application Server.

We'll be replacing the proprietary application server in the next major release, eating our own dogfood. We're going to look at open source and leverage open source where we can. It makes no sense to try to compete with a proprietary product in the same place... it's a mixed world. It's hard to envision a scenario where everything becomes open source.

It should be interesting to see how Novell continues to balance between open source and proprietary offerings. With iFolder, Ximian's Evolution Connector, and SUSE YaST, Novell has shown that it is willing to open source some of its technology when it makes sense for the company to do so -- and so long as that technology isn't a profit center for Novell.

Unfortunately, Novell does seem to be backing away from support of other distributions with Ximian Desktop, with only SUSE and older versions of Red Hat Linux listed as supported. Overall, though, it seems that Novell's entry into the Linux market has been both successful and beneficial for the community and has certainly been beneficial for Novell. Though Novell's income from SUSE is currently only a small fraction of their revenue, it does seem to be Novell's best chance for growth.


Page editor: Jonathan Corbet

Security

Distribution of security fixes

The LD_DEBUG environment variable is one of those obscure, useful features found in glibc. By setting LD_DEBUG to one of a few specific values (setting it to "help" prints the full list), you can get a great deal of information on just how the dynamic library loader is resolving symbols and performing relocation. This information can be most useful for tracking down certain kinds of obscure shared library problems.

LD_DEBUG can be verbose; it can also provide information about security-critical programs - especially those running setuid - which perhaps should not be made available to just anybody. The large amount of output created by LD_DEBUG can also be used as a sort of poor-man's single-stepping mechanism. If you can control when the standard output will block, you can stop a setuid program at almost any library call. This capability can be most useful if you are trying to exploit a difficult race condition, such as a temporary file vulnerability. The ability to stop a program at an arbitrary point can turn a small, difficult window into a wide-open one which can be exploited at leisure.

Thus, it would make sense to disallow LD_DEBUG for setuid binaries. Unfortunately, this didn't occur to the glibc implementors, who did not add any checks for setuid operation in the LD_DEBUG code. Gentoo has recently issued an update fixing the problem; no other distributors have followed suit as of this writing.
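The check that was missing is not complicated. What follows is an added illustration, written for this article rather than taken from glibc or from any distributor's patch: a process decides whether it is running in "secure mode" (the kernel's AT_SECURE flag, or real and effective ids that differ) and, if so, strips loader-debugging variables from a copy of its environment before they can be honoured. The variable list, the demo environment and the function names are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(), AT_SECURE: glibc 2.16+ and musl */
#endif

/* Loader-controlling variables that must be ignored in a setuid/setgid
 * process. LD_DEBUG and LD_DEBUG_OUTPUT are the two at issue above; the
 * others are the same class of variable. (Example list, an assumption.) */
static const char *const unsafe_vars[] = {
    "LD_DEBUG", "LD_DEBUG_OUTPUT", "LD_PRELOAD", "LD_LIBRARY_PATH", NULL
};

/* Secure mode: the kernel set AT_SECURE (setuid, setgid, file capabilities),
 * or the effective ids differ from the real ones. */
int running_secure(void) {
#ifdef AT_SECURE
    if (getauxval(AT_SECURE))
        return 1;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}

/* Drop unsafe entries from a NULL-terminated environment array, in place,
 * when secure is non-zero. Matches the full variable name, so LD_DEBUG does
 * not accidentally match LD_DEBUG_OUTPUT or LD_DEBUGX. Returns the number of
 * entries removed. */
int filter_loader_env(char **envp, int secure) {
    if (!secure)
        return 0;
    int removed = 0;
    char **out = envp;
    for (char **in = envp; *in; in++) {
        const char *eq = strchr(*in, '=');
        size_t namelen = eq ? (size_t)(eq - *in) : strlen(*in);
        int drop = 0;
        for (const char *const *v = unsafe_vars; *v; v++) {
            if (strlen(*v) == namelen && memcmp(*in, *v, namelen) == 0) {
                drop = 1;
                break;
            }
        }
        if (drop)
            removed++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return removed;
}

/* Exercise the filter on a constructed environment (not this process's real
 * one). Returns the number of entries removed for the given mode. */
int demo_filter_count(int secure) {
    char *env[] = { "HOME=/root", "LD_DEBUG=all", "PATH=/bin",
                    "LD_DEBUG_OUTPUT=/tmp/x", "LD_PRELOAD=x.so",
                    "LD_DEBUGX=1", NULL };
    return filter_loader_env(env, secure);
}

int main(void) {
    printf("this process: secure=%d\n", running_secure());
    printf("constructed env, secure mode: %d unsafe entries removed\n",
           demo_filter_count(1));
    printf("constructed env, normal mode: %d unsafe entries removed\n",
           demo_filter_count(0));
    return 0;
}
```

The point of the AT_SECURE check, rather than a bare uid/euid comparison, is that the kernel also sets it for file capabilities and for a few other cases in which the program runs with privileges its caller lacks; a loader that keys only on uid differences misses those.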

As it turns out, some distributors do not need to. OpenWall fixed this problem over three years ago; ALT Linux also patched glibc in its distribution. Somehow, however, the fixes applied by these distributors never got into wider distribution.

This is not the first time that somebody has discovered a security problem for which a fix had been available for years. These incidents are, at best, a missed opportunity: known holes with available fixes remain unpatched for long periods of time. A less pleasant possibility is that crackers can look at the patches applied by security-conscious distributions (such as OpenWall) in search of holes which have not been fixed elsewhere. Security fixes are best applied universally.

The obvious way to ensure widespread diffusion of security fixes is to submit them back to the package's maintainer. Such patches should almost always be accepted - or the maintainer should come up with a better way to fix the problem. If the maintainer refuses to fix the problem, there is always the time-honored technique of posting an advisory to Bugtraq. What should not be an option is keeping security fixes to oneself.


New vulnerabilities

Cacti: SQL injection vulnerability

Package(s): cacti    CVE #(s):
Created: August 23, 2004    Updated: August 25, 2004
Description: Cacti is vulnerable to a SQL injection attack where an attacker may inject SQL into the Username field. An attacker could use these vulnerabilities to compromise the Cacti service and potentially execute programs with the permissions of the user running Cacti.
Alerts:
Gentoo 200408-21-err 2004-08-23
Gentoo 200408-21 2004-08-23


courier-imap: Remote Format String Vulnerability

Package(s): courier-imap    CVE #(s): CAN-2004-0777
Created: August 20, 2004    Updated: August 26, 2004
Description: There is a format string vulnerability in the auth_debug() function which can be exploited remotely, potentially leading to arbitrary code execution as the user running the IMAP daemon (which is often root). A remote attacker may send username or password information containing printf() format tokens (such as "%s"), which will crash the server or cause it to execute arbitrary code. This vulnerability can only be exploited if DEBUG_LOGIN is set to something other than 0 in the imapd config file.

If DEBUG_LOGIN is enabled in the imapd configuration, a remote attacker may execute arbitrary code as the root user.

Alerts:
Trustix TSLSA-2004-0043 2004-08-26
Gentoo 200408-19 2004-08-19
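The bug class here is a user-supplied string used as the format argument itself. The example below is an added illustration, not courier-imap's auth_debug() code: it mirrors the DEBUG_LOGIN gate, formats the credential through a constant format string so that any "%" in it is plain text, and adds a small log-review heuristic that flags credentials carrying printf directives. Function names and the probe value are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* The vulnerable pattern, shown only as a comment and never compiled:
 *     snprintf(buf, sizeof buf, user);     -- attacker data IS the format
 *     syslog(LOG_DEBUG, user);             -- same mistake via syslog
 * Every '%' directive in `user` is then interpreted by the formatter. */

/* Hardened form. The format is a constant and the credential is an argument,
 * so '%' in it is just text. debug_login mirrors the imapd DEBUG_LOGIN
 * setting: 0 disables the line entirely (this path is the only one exposed).
 * Returns the snprintf result, or -1 when nothing was written. */
int auth_debug_line(int debug_login, const char *user, char *out, size_t outlen) {
    if (debug_login == 0) {
        if (outlen)
            out[0] = '\0';
        return -1;
    }
    return snprintf(out, outlen, "auth: login attempt, user=%s", user);
}

/* Log-review heuristic: does a submitted credential contain a printf
 * directive? "%%" is a literal percent sign and is ignored; a lone trailing
 * '%' is reported, since it is an incomplete directive. */
int contains_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Constructed credential (not captured traffic) carrying directives. Returns
 * 1 if the hardened formatter reproduced it literally, byte for byte. */
int demo_literal_roundtrip(void) {
    char buf[128];
    const char *probe = "%s%s%s";
    int n = auth_debug_line(1, probe, buf, sizeof buf);
    return n > 0 && strcmp(buf, "auth: login attempt, user=%s%s%s") == 0;
}

int main(void) {
    char buf[128];
    auth_debug_line(1, "alice", buf, sizeof buf);
    puts(buf);
    printf("literal roundtrip ok=%d, probe flagged=%d, plain name flagged=%d\n",
           demo_literal_roundtrip(),
           contains_format_directive("%s%s%s"),
           contains_format_directive("alice"));
    return 0;
}
```

Compilers will point at the vulnerable form when asked: gcc's -Wformat-security warns on any printf-family call whose format is not a literal and has no arguments, which is exactly the shape of this bug.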


icecast-server: missing escape

Package(s): icecast-server    CVE #(s): CAN-2004-0781
Created: August 24, 2004    Updated: August 25, 2004
Description: Markus Wörle discovered a cross site scripting problem in the status display (list.cgi) of the icecast internal webserver, an MPEG layer III streaming server. The UserAgent variable is not properly html_escaped, so that an attacker could cause the client to execute arbitrary JavaScript commands.
Alerts:
Debian DSA-541-1 2004-08-24
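The missing step is a context-appropriate escape before the header value is placed in markup. The following is an added example, not icecast's code: a small html_escape() covering the five characters that matter in HTML text and attribute contexts, used by a row renderer of the kind a status page would have. The function names and the constructed User-Agent value are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replacement for each character that must not reach HTML unescaped, NULL
 * for everything else. Covers text content and quoted attribute values. */
static const char *html_replacement(char c) {
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Return a newly allocated, escaped copy of `in` (caller frees), or NULL on
 * allocation failure. Two passes: measure, then copy. */
char *html_escape(const char *in) {
    size_t len = 0;
    for (const char *p = in; *p; p++) {
        const char *r = html_replacement(*p);
        len += r ? strlen(r) : 1;
    }
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    char *q = out;
    for (const char *p = in; *p; p++) {
        const char *r = html_replacement(*p);
        if (r) {
            size_t n = strlen(r);
            memcpy(q, r, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* One status-page row. The vulnerable shape is the raw form,
 *     snprintf(buf, n, "<td>%s</td>", user_agent);
 * here the header value is escaped before it is placed in the markup.
 * Returns 0 on success, -1 on allocation failure or truncation. */
int render_agent_row(const char *user_agent, char *buf, size_t buflen) {
    char *esc = html_escape(user_agent);
    if (!esc)
        return -1;
    int n = snprintf(buf, buflen, "<tr><td>%s</td></tr>", esc);
    free(esc);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Constructed User-Agent value (not a captured request) carrying markup.
 * Returns 1 if no tag from the input survives in the rendered row. */
int demo_row_is_clean(void) {
    char row[256];
    if (render_agent_row("Mozilla/4.0 <script>alert(1)</script>", row, sizeof row) != 0)
        return 0;
    return strstr(row, "<script>") == NULL && strstr(row, "&lt;script&gt;") != NULL;
}

int main(void) {
    char row[256];
    render_agent_row("Mozilla/4.0 <script>alert(1)</script>", row, sizeof row);
    puts(row);
    printf("clean=%d\n", demo_row_is_clean());
    return 0;
}
```

Escaping is tied to where the value lands: this table is enough for element text and quoted attributes, but a value interpolated into a script block or a URL needs the encoding for that context instead.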


qt3: BMP image parser heap overflow

Package(s): qt3/qt3-non-mt/qt3-32bit/qt3-static    CVE #(s): CAN-2004-0691 CAN-2004-0692 CAN-2004-0693
Created: August 19, 2004    Updated: May 15, 2005
Description: A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution.
Alerts:
Fedora-Legacy FLSA:152763 2005-05-12
Conectiva CLA-2004:866 2004-09-22
Whitebox WBSA-2004:414-01 2004-09-20
Debian DSA-542-1 2004-08-30
Fedora FEDORA-2004-271 2004-08-23
Fedora FEDORA-2004-270 2004-08-23
Gentoo 200408-20 2004-08-22
Red Hat RHSA-2004:414-01 2004-08-20
Mandrake MDKSA-2004:085 2004-08-18
SuSE SUSE-SA:2004:027 2004-08-19


roundup: remote file access vulnerability

Package(s): roundup    CVE #(s):
Created: August 18, 2004    Updated: August 25, 2004
Description: The roundup issue tracker has a vulnerability that allows a remote attacker to read files owned by the user that is running the application.
Alerts:
Gentoo 200408-09 2004-08-11


zlib: denial of service

Package(s): zlib    CVE #(s): CAN-2004-0797
Created: August 25, 2004    Updated: June 10, 2005
Description: Versions 1.2.x of the zlib library contain an error handling vulnerability which can enable denial of service attacks.
Alerts:
OpenPKG OpenPKG-SA-2005.007 2005-06-10
Fedora-Legacy FLSA:2043 2005-02-23
Conectiva CLA-2004:878 2004-10-25
Slackware SSA:2004-278-02 2004-10-04
Conectiva CLA-2004:865 2004-09-13
Mandrake MDKSA-2004:090 2004-09-07
SuSE SUSE-SA:2004:029 2004-09-02
Gentoo 200408-26 2004-08-27
OpenPKG OpenPKG-SA-2004.038 2004-08-25


Updated vulnerabilities

acroread: UUDecode filename buffer overflow

Package(s): acroread    CVE #(s):
Created: August 16, 2004    Updated: August 17, 2004
Description: acroread contains two errors in the handling of UUEncoded filenames. First, it fails to check the length of a filename before copying it into a fixed-size buffer and, second, it fails to check for the backtick shell metacharacter in the filename before executing a command with a shell. By enticing a user to open a PDF with a specially crafted filename, an attacker could execute arbitrary code or programs with the permissions of the user running acroread.
Alerts:
Gentoo 200408-14 2004-08-15

Comments (none posted)

Apache mod_proxy: denial of service

Package(s):apache CVE #(s):CAN-2004-0492
Created:June 11, 2004 Updated:October 14, 2004
Description: A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service.
Alerts:
Fedora-Legacy FLSA:1737 2004-10-13
Mandrake MDKSA-2004:065 2004-06-29
Debian DSA-525-1 2004-06-24
Gentoo 200406-16 2004-06-21
OpenPKG OpenPKG-SA-2004.029 2004-06-11

Comments (none posted)

apache2: stack-based buffer overflow in ssl_util.c

Package(s):apache2 CVE #(s):CAN-2004-0488
Created:June 1, 2004 Updated:October 14, 2004
Description: A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.
Alerts:
Fedora-Legacy FLSA:1888 2004-10-13
Debian DSA-532-2 2004-07-27
Debian DSA-532-1 2004-07-22
Red Hat RHSA-2004:245-01 2004-06-14
Gentoo 200406-05 2004-06-09
Slackware SSA:2004-154-01 2004-06-02
OpenPKG OpenPKG-SA-2004.026 2004-05-27
Trustix TSLSA-2004-0031 2004-06-02
Mandrake MDKSA-2004:054 2004-06-01
Mandrake MDKSA-2004:055 2004-06-01

Comments (none posted)

aspell: bounds checking problem

Package(s):aspell CVE #(s):CAN-2004-0548
Created:June 17, 2004 Updated:December 20, 2004
Description: Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.
Alerts:
Mandrake MDKSA-2004:153 2004-12-20
OpenPKG OpenPKG-SA-2004.042 2004-09-15
Gentoo 200406-14 2004-06-17

Comments (none posted)

Ethereal: Multiple security problems

Package(s):ethereal CVE #(s):CAN-2004-0633 CAN-2004-0634 CAN-2004-0635
Created:July 9, 2004 Updated:August 19, 2004
Description: There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.5, including:
* In some cases the iSNS dissector could cause Ethereal to abort.
* If there was no policy name for a handle for SMB SID snooping it could cause a crash.
* A malformed or missing community string could cause the SNMP dissector to crash.
See this advisory for more information.
Alerts:
Whitebox WBSA-2004:378-01 2004-08-19
Red Hat RHSA-2004:378-01 2004-08-05
Netwosix NW-2004-0016 2004-07-23
Fedora FEDORA-2004-234 2004-07-22
Debian DSA-528-1 2004-07-17
Fedora FEDORA-2004-220 2004-07-14
Fedora FEDORA-2004-219 2004-07-14
Mandrake MDKSA-2004:067 2004-07-09
Gentoo 200407-08 2004-07-09

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):fam CVE #(s):CAN-2002-0875
Created:August 19, 2002 Updated:January 5, 2005
Description: "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:
Red Hat RHSA-2005:005-01 2005-01-05
Debian DSA-154-1 2002-08-15

Comments (none posted)

flim: insecure file creation

Package(s):flim CVE #(s):CAN-2004-0422
Created:May 5, 2004 Updated:December 16, 2004
Description: The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:
Fedora FEDORA-2004-546 2004-12-15
Red Hat RHSA-2004:344-01 2004-08-18
Debian DSA-500-1 2004-05-01

Comments (none posted)

Gaim: remote code execution vulnerability

Package(s):gaim CVE #(s):CAN-2004-0500
Created:August 12, 2004 Updated:October 18, 2004
Description: The Gaim IRC client (versions 0.81 and prior) has a remote code execution vulnerability in the MSN-protocol parsing functions.
Alerts:
Fedora-Legacy FLSA:1237 2004-10-16
Whitebox WBSA-2004:400-01 2004-09-20
Slackware SSA:2004-239-01 2004-08-26
Fedora FEDORA-2004-279 2004-08-26
Fedora FEDORA-2004-278 2004-08-26
Mandrake MDKSA-2004:081 2004-08-12
SuSE SUSE-SA:2004:025 2004-08-12
Gentoo 200408-12 2004-08-12

Comments (none posted)

glibc: Information leak with LD_DEBUG

Package(s):glibc CVE #(s):CAN-2004-1453
Created:August 17, 2004 Updated:May 26, 2005
Description: Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:
Red Hat RHSA-2005:256-01 2005-05-18
Gentoo 200408-16 2004-08-16

Comments (1 posted)

gnome-vfs: backend script vulnerabilities

Package(s):gnome-vfs CVE #(s):CAN-2004-0494
Created:August 4, 2004 Updated:February 21, 2005
Description: Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:
Fedora-Legacy FLSA:1944 2005-02-20
Whitebox WBSA-2004:373-01 2004-08-19
Red Hat RHSA-2004:373-01 2004-08-04

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):gtkhtml CVE #(s):CAN-2003-0133 CAN-2003-0541
Created:April 14, 2003 Updated:April 18, 2005
Description: GtkHTML is the HTML rendering widget used by the Evolution mail reader.

GtkHTML as supplied with versions of Evolution prior to 1.2.4 contains a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

Alerts:
Debian DSA-710-1 2005-04-18
Mandrake MDKSA-2003:093 2003-09-18
Conectiva CLA-2003:737 2003-09-12
Red Hat RHSA-2003:264-01 2003-09-09
Mandrake MDKSA-2003:046 2003-04-15
Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

gv: unsafe sscanf() buffer overflow vulnerability

Package(s):gv CVE #(s):CAN-2002-0838
Created:August 12, 2004 Updated:August 19, 2004
Description: gv (prior to version 3.5.8-r4) has a buffer overflow vulnerability involving the sscanf() function. An attacker can execute arbitrary code with the permission of the user running gv.
Alerts:
Gentoo 200408-10 2004-08-12

Comments (1 posted)

iproute: local denial of service

Package(s):iproute net-tools CVE #(s):CAN-2003-0856
Created:November 25, 2003 Updated:December 14, 2004
Description: The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:
Mandrake MDKSA-2004:148 2004-12-13
Fedora FEDORA-2004-154 2004-06-03
Fedora FEDORA-2004-115 2004-05-11
Debian DSA-492-1 2004-04-18
Gentoo 200404-10 2004-04-09
Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

racoon: failure to verify signatures

Package(s):ipsec-tools racoon CVE #(s):CAN-2004-0155
Created:April 7, 2004 Updated:August 19, 2004
Description: Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
Alerts:
Whitebox WBSA-2004:308-01 2004-08-19
Mandrake MDKSA-2004:027 2004-04-08
Gentoo 200404-05 2004-04-07

Comments (none posted)

kdebase: multiple vulnerabilities

Package(s):kdebase CVE #(s):CAN-2004-0689 CAN-2004-0690 CAN-2004-0721 CAN-2004-0746
Created:August 12, 2004 Updated:October 4, 2004
Description: Three separate vulnerabilities have been identified in the KDE 3.2 "kdebase" package; see this advisory for details. These problems include two temporary file vulnerabilities and a "frame injection" problem in Konqueror which could help with phishing attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies for certain country-specific secondary top-level domains.
Alerts:
Red Hat RHSA-2004:412-01 2004-10-04
Conectiva CLA-2004:864 2004-09-13
Fedora FEDORA-2004-293 2004-09-08
Fedora FEDORA-2004-292 2004-09-08
Fedora FEDORA-2004-291 2004-09-08
Fedora FEDORA-2004-290 2004-09-08
Slackware SSA:2004-247-01 2004-09-03
Mandrake MDKSA-2004:086 2004-08-20
Debian DSA-539-1 2004-08-17
Gentoo 200408-13 2004-08-12

Comments (none posted)

kdelibs: cookie disclosure

Package(s):kdelibs CVE #(s):CAN-2003-0592
Created:March 10, 2004 Updated:August 24, 2004
Description: kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
Alerts:
Gentoo 200408-23 2004-08-24
Red Hat RHSA-2004:074-01 2004-03-10
Red Hat RHSA-2004:075-01 2004-03-10
Mandrake MDKSA-2004:022 2004-03-10
Debian DSA-459-1 2004-03-10

Comments (none posted)

kernel allows unauthorized changes to the group ID

Package(s):kernel CVE #(s):CAN-2004-0497
Created:July 2, 2004 Updated:September 27, 2004
Description: During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances - such as when the files are exported via NFS.
Alerts:
Conectiva CLA-2004:869 2004-09-27
Gentoo 200407-16 2004-07-22
Whitebox WBSA-2004:360-01 2004-07-07
Mandrake MDKSA-2004:066 2004-07-06
SuSE SUSE-SA:2004:020 2004-07-02
Fedora FEDORA-2004-206 2004-07-02
Fedora FEDORA-2004-205 2004-07-02
Red Hat RHSA-2004:354-01 2004-07-02
Red Hat RHSA-2004:360-01 2004-07-02

Comments (none posted)

kernel information leak

Package(s):kernel CVE #(s):CAN-2004-0415
Created:August 3, 2004 Updated:October 26, 2004
Description: Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64-bit to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.

A fix for this problem was added to the fifth 2.4.27 release candidate.

Alerts:
Conectiva CLA-2004:879 2004-10-26
Fedora-Legacy FLSA:1804 2004-10-18
Mandrake MDKSA-2004:087 2004-08-26
Gentoo 200408-24 2004-08-25
Whitebox WBSA-2004:413-01 2004-08-19
Red Hat RHSA-2004:327-01 2004-08-18
Fedora FEDORA-2004-251 2004-08-10
Trustix TSLSA-2004-0041 2004-08-09
SuSE SUSE-SA:2004:024 2004-08-09
Red Hat RHSA-2004:413-01 2004-08-03
Red Hat RHSA-2004:418-01 2004-08-03
Fedora FEDORA-2004-247 2004-08-03

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):kernel-utils CVE #(s):CAN-2003-0019
Created:February 7, 2003 Updated:January 21, 2005
Description: The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a workaround for this vulnerability, issue the following command as root:

chmod -s /usr/bin/uml_net

Alerts:
Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):libpng CVE #(s):CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:August 4, 2004 Updated:February 10, 2005
Description: There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:
Fedora-Legacy FLSA:1943 2005-02-08
Red Hat RHSA-2004:421-01 2004-08-04
Gentoo 200408-22 2004-08-23
Whitebox WBSA-2004:402-01 2004-08-19
Mandrake MDKSA-2004:082 2004-08-12
Slackware SSA:2004-223-01 2004-08-09
Slackware SSA:2004-223-02 2004-08-07
Slackware SSA:2004-222-01b 2004-08-10
Slackware SSA:2004-222-01 2004-08-07
Conectiva CLA-2004:856 2004-08-06
Trustix TSLSA-2004-0040 2004-08-05
Gentoo 200408-03 2004-08-05
Debian DSA-536-1 2004-08-04
Mandrake MDKSA-2004:079 2004-08-04
SuSE SUSE-SA:2004:023 2004-08-04
Red Hat RHSA-2004:402-01 2004-08-04
OpenPKG OpenPKG-SA-2004.035 2004-08-04

Comments (1 posted)

logcheck: symlink vulnerability

Package(s):logcheck CVE #(s):CAN-2004-0404
Created:April 21, 2004 Updated:December 22, 2004
Description: The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:
Mandrake MDKSA-2004:155 2004-12-22
Debian DSA-488-1 2004-04-16

Comments (none posted)

mikmod: buffer overflow

Package(s):mikmod CVE #(s):CAN-2003-0427
Created:June 16, 2003 Updated:June 16, 2005
Description: Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:
Fedora FEDORA-2005-405 2005-06-16
Red Hat RHSA-2005:506-01 2005-06-13
Fedora FEDORA-2005-404 2005-06-09
Gentoo 200307-01 2003-07-02
Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):mod_python CVE #(s):CAN-2003-0973
Created:January 27, 2004 Updated:October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because that release did not fully fix it, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 2004-10-03
Conectiva CLA-2004:837 2004-04-12
Whitebox WBSA-2004:058-01 2004-03-01
Debian DSA-452-1 2004-02-29
Red Hat RHSA-2004:058-01 2004-02-26
Red Hat RHSA-2004:063-01 2004-02-26
Gentoo 200401-03 2004-01-27

Comments (none posted)

MoinMoin Group ACL Bypass

Package(s):moinmoin CVE #(s):
Created:July 12, 2004 Updated:August 26, 2004
Description: MoinMoin contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an attacker creates a user with the same name as an administrative group. This flaw may lead to a loss of integrity. See this osvdb entry for additional information.
Alerts:
Gentoo 200407-09 2004-07-11

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):mozilla CVE #(s):CAN-2003-0594 CAN-2003-0564
Created:March 10, 2004 Updated:August 19, 2004
Description: Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
Alerts:
Whitebox WBSA-2004:421-01 2004-08-19
Whitebox WBSA-2004:110-01 2004-03-29
Red Hat RHSA-2004:112-01 2004-03-17
Mandrake MDKSA-2004:021 2004-03-10

Comments (none posted)

mpg321: format string vulnerability

Package(s):mpg321 CVE #(s):CAN-2003-0969
Created:January 6, 2004 Updated:March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:
Gentoo 200503-34 2005-03-28
Debian DSA-411-1 2004-01-05

Comments (none posted)

MySQL: temporary file vulnerabilities

Package(s):mysql CVE #(s):CAN-2004-0381 CAN-2004-0388
Created:April 14, 2004 Updated:August 18, 2004
Description: The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system.
Alerts:
Gentoo 200405-20 2004-05-25
Mandrake MDKSA-2004:034 2004-04-19
OpenPKG OpenPKG-SA-2004.014 2004-04-14
Debian DSA-483-1 2004-04-14

Comments (none posted)

MySQL: temporary file vulnerability

Package(s):mysql CVE #(s):CAN-2004-0457
Created:August 18, 2004 Updated:September 1, 2004
Description: The MySQL "mysqlhotcopy" script contains a temporary file vulnerability which could be used by an attacker to overwrite files.
Alerts:
Gentoo 200409-02 2004-09-01
Debian DSA-540-1 2004-08-18

Comments (none posted)

neon: buffer overflow

Package(s):neon CVE #(s):CAN-2004-0398
Created:May 19, 2004 Updated:September 30, 2004
Description: The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Alerts:
Fedora-Legacy FLSA:1552 2004-09-29
Mandrake MDKSA-2004:078 2004-07-29
Gentoo 200406-03 2004-06-05
Gentoo 200405-25b 2004-06-02
Gentoo 200405-25 2004-05-30
Conectiva CLA-2004:841 2004-05-25
Gentoo 200405-15 2004-05-20
Gentoo 200405-13 2004-05-20
OpenPKG OpenPKG-SA-2004.024 2004-05-19
Mandrake MDKSA-2004:049 2004-05-19
Fedora FEDORA-2004-130 2004-05-19
Fedora FEDORA-2004-129 2004-05-19
Red Hat RHSA-2004:191-01 2004-05-19
Debian DSA-507-1 2004-05-19
Debian DSA-506-1 2004-05-19

Comments (none posted)

nessus: adduser race condition vulnerability

Package(s):nessus CVE #(s):
Created:August 12, 2004 Updated:August 17, 2004
Description: The nessus security scanner has a temporary file vulnerability that allows a user to perform a privilege escalation attack by way of an adduser race condition.
Alerts:
Gentoo 200408-11 2004-08-12

Comments (none posted)

netpbm: insecure temporary files

Package(s):netpbm CVE #(s):CAN-2003-0924
Created:January 19, 2004 Updated:December 29, 2004
Description: netpbm is a graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:
Conectiva CLA-2004:909 2004-12-29
Gentoo 200410-02 2004-10-04
Mandrake MDKSA-2004:011-1 2004-09-27
Whitebox WBSA-2004:031-01 2004-02-12
Mandrake MDKSA-2004:011 2004-02-11
Red Hat RHSA-2004:030-01 2004-02-05
Fedora FEDORA-2004-068 2004-02-06
Red Hat RHSA-2004:031-01 2004-01-22
Debian DSA-426-1 2004-01-18

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s):openssh CVE #(s):CAN-2003-0190
Created:May 2, 2003 Updated:November 30, 2004
Description: From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:
Ubuntu USN-34-1 2004-11-30
OpenPKG OpenPKG-SA-2003.035 2003-08-06
Red Hat RHSA-2003:222-01 2003-07-29
Gentoo 200305-02 2003-05-13
Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):OpenSSL CVE #(s):CAN-2004-0081 CAN-2003-0851
Created:March 17, 2004 Updated:November 2, 2005
Description: Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:
Red Hat RHSA-2005:830-00 2005-11-02
Red Hat RHSA-2005:829-00 2005-11-02
Fedora FEDORA-2005-1042 2005-10-31
Fedora-Legacy FLSA:1395 2004-05-08
Conectiva CLA-2004:834 2004-03-31
Whitebox WBSA-2004:084-01 2004-03-23
Red Hat RHSA-2004:084-01 2004-03-23
Fedora FEDORA-2004-095 2004-03-19
Whitebox WBSA-2004:120-01 2004-03-22
Trustix TSLSA-2004-0012 2004-03-17
Slackware SSA:2004-077-01 2004-03-17
Red Hat RHSA-2004:121-01 2004-03-17
OpenPKG OpenPKG-SA-2004.007 2004-03-18
Gentoo 200403-03 2004-03-17
Debian DSA-465-1 2004-03-17
Netwosix NW-2004-0005 2004-03-17
Mandrake MDKSA-2004:023 2004-03-17
SuSE SuSE-SA:2004:007 2004-03-17
Red Hat RHSA-2004:120-01 2004-03-17
Red Hat RHSA-2004:119-01 2004-03-17
EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

pavuk: buffer overflow

Package(s):pavuk CVE #(s):CAN-2004-0456
Created:June 30, 2004 Updated:November 11, 2004
Description: Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server.
Alerts:
Gentoo 200411-19 2004-11-10
Debian DSA-527-1 2004-07-03
Gentoo 200406-22 2004-06-30

Comments (none posted)

php: remotely exploitable memory errors

Package(s):php CVE #(s):CAN-2004-0594
Created:July 14, 2004 Updated:February 7, 2005
Description: Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature is in use (as it should be, to prevent denial of service attacks), allocation failures can be forced at highly inopportune times, and those failures can be exploited to execute arbitrary code. The exploit is described as "quite easy," and it can be done regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release also contains the fix (but the final release candidate did not).
Alerts:
Debian DSA-669-1 2005-02-07
Whitebox WBSA-2004:392-01 2004-08-19
Fedora FEDORA-2004-223 2004-07-23
Fedora FEDORA-2004-222 2004-07-23
OpenPKG OpenPKG-SA-2004.034 2004-07-22
Slackware SSA:2004-202-01 2004-07-20
Debian DSA-531-1 2004-07-20
Red Hat RHSA-2004:392-01 2004-07-19
Red Hat RHSA-2004:395-01 2004-07-19
Conectiva CLA-2004:847 2004-07-16
SuSE SUSE-SA:2004:021 2004-07-16
Mandrake MDKSA-2004:068 2004-07-14
Gentoo 200407-13 2004-07-15
tinysofa TSSA-2004-013 2004-07-14

Comments (none posted)

PuTTY: pre-authentication arbitrary code execution problem

Package(s):putty CVE #(s):
Created:August 5, 2004 Updated:October 28, 2004
Description: PuTTY, a telnet and SSH client, contains a vulnerability that can allow an SSH server to execute arbitrary code on a connecting client.
Alerts:
Gentoo 200410-29 2004-10-27
Gentoo 200408-04 2004-08-05

Comments (none posted)

python: buffer overflow

Package(s):python CVE #(s):CAN-2004-0150
Created:March 10, 2004 Updated:October 11, 2004
Description: Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:
Debian DSA-458-3 2004-10-10
Gentoo 200409-03 2004-09-02
Debian DSA-458-2 2004-08-31
Mandrake MDKSA-2004:019 2004-03-09
Debian DSA-458-1 2004-03-09

Comments (none posted)

rsync: path-sanitizing bug

Package(s):rsync CVE #(s):CAN-2004-0792
Created:August 16, 2004 Updated:November 1, 2004
Description: This August 2004 rsync advisory reports that there is a path-sanitizing bug that affects daemon mode in all recent rsync versions (including 2.6.2), but only if chroot is disabled. It does NOT affect the normal send/receive filenames that specify what files should be transferred (these names happen to get sanitized twice, and the second call removes any lingering leading slash(es) that the first call left behind). It does affect certain option paths that cause auxiliary files to be read or written.
Alerts:
Conectiva CLA-2004:881 2004-11-01
Slackware SSA:2004-285-01 2004-10-12
Whitebox WBSA-2004:436-01 2004-09-20