
Security

Another look at response times

Two weeks ago, this page compared the response times of several distributors to a small set of recent security issues. That article generated a number of comments and a fair amount of mail from people who felt that its conclusions were inaccurate. As before, the table shows the number of days required for each distributor to issue an update. For the purposes of this table, the clock starts when a vulnerability is disclosed, or when the first distributor alert is issued, whichever comes first. So, here is a new version of the response times table which takes those comments - and alerts issued after publication - into account:

Vulnerability       Debian  Fedora  Gentoo  Red Hat  SUSE  Ubuntu
Apache mod_ssl          14       9      21       11    14      12
clamav                  22       3       3      n/a     5      --
evolution               --       1      13       19     6       1
fetchmail               22       0       4        4     7       5
PCRE                    13       4      14       18    16       3
PHP XML-RPC              9       4       5        6     7       4
PHP XML-RPC 2           18      10       9        4    15       5
ProFTPd                 35      --       4      n/a   n/a     n/a
vim modeline            --      16    n/a?       28  n/a?       1

(Entries are days from disclosure or first alert to that distributor's update. As used here, "--" means no update had been issued as of this writing, "n/a" means the distributor does not ship the package, and "n/a?" means the distributor says it is not affected; see the discussion below.)

In the above table, numbers which are underlined reflect alerts issued after the previous version. Those which are, instead, bold are corrections for erroneous entries published two weeks ago.

As one can see, a number of corrections were required. One might conclude from this that your editor was being even more clueless than usual when compiling the previous version of the table. One would probably be right, but there is a little more to it than that. It turns out that putting together a table like this is a hard thing to do.

The previous version stated that Fedora had not issued an advisory for clamav. That is, in fact, true; no advisory ever came out. The clamav package in Fedora Extras was quietly replaced, however, shortly after the vulnerability was disclosed. In the presence of silent fixes, it is hard for users to know whether they are vulnerable or not; this is doubly true in cases where security fixes are backported to previous releases of the affected package, since the version number then says nothing about whether the fix is present. Fedora Extras does not backport fixes, but it still requires an alert administrator to know that, while clamav has been fixed, ProFTPd in Extras remains vulnerable.

Speaking of ProFTPd, your editor had seen that package in a SUSE distribution he had at hand, and assumed it was still distributed. That turns out not to be the case.

Both SUSE and Gentoo claim to not be affected by the vim modeline vulnerability because they ship versions with the modeline feature turned off by default. Turning off a possibly insecure feature is a good thing to do; it reflects a concern by the distributor for the security of its users. Some of those users, however, will certainly turn the feature back on. Others will be concerned by the fact that they are running software with a known, unpatched vulnerability, even if that vulnerability does not directly affect them. In such cases, it would make sense for the distributor to, at a minimum, issue an advisory explaining the situation. Putting out a fix would be better.

Other corrections above reflect simple screwups on your editor's part. Sorry.

The corrected table still shows some real patterns in the relative response times for security updates. There is value in this information. As time permits, LWN will be making changes to its security database to make the generation of this sort of table an easier and more accurate process. But a task which, in the presence of nice things like CVE numbers, should be relatively straightforward is likely to require a fair amount of time (and iterations) for the foreseeable future.


Brief items

Mozilla Linux Command Line URL Parsing Security Flaw Reported (MozillaZine)

MozillaZine warns of a new firefox security problem; this one has to do with command line parsing. "For example, consider a Linux user who uses Firefox as his or her default Web browser and Mozilla Thunderbird as his or her default email client. An attacker could send an email to this user containing a link to http://local`find`host. When the user clicks on this link in Thunderbird, Firefox's URL-parsing shell script will be invoked and will execute the find command before calling Firefox to open the URL." The firefox 1.0.7 release contains the fix for this problem (and a few others).
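The bug class MozillaZine describes, a URL that reaches a shell unquoted so that backtick command substitution runs before the browser is ever started, is easy to reproduce. What follows is an added example, not the Mozilla wrapper script (whose actual contents the item does not show): it drives /bin/sh from Python so that the vulnerable and the hardened form can sit side by side, with `echo` standing in for the browser binary and `echo PWNED` standing in for the attacker's `find`. The eval-like splicing of the URL into a command string is the assumed vulnerable pattern; the fix is to validate the URL and then pass it as a single argv element with no shell involved.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Constructed sample input, modelled on the MozillaZine description: the host
# part carries a backtick command substitution.  "echo PWNED" replaces the
# attacker's `find` so that the demonstration is harmless.
INJECTED_URL = "http://local`echo PWNED`host"
BENIGN_URL = "http://example.com/path?a=1&b=2"

# Stand-in for the browser binary; the shell treats it like any other command.
BROWSER = "echo"


def vulnerable_open(url: str) -> str:
    """Assumed vulnerable pattern: the URL is spliced into a command string
    that /bin/sh re-parses, so `...` and $(...) inside it run first."""
    cmd = f"{BROWSER} {url}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


# Conservative whitelist of characters this wrapper accepts in a URL.  It is
# stricter than RFC 3986 (no quotes, backticks, $, ;, parentheses or spaces)
# and is only the first line of defence; the second is never invoking a shell.
_SAFE_URL = re.compile(r"^[A-Za-z0-9:/?#@%&=+._~-]+$")


def validate_url(url: str) -> bool:
    """True if the URL is http(s), has a host, and uses only whitelisted characters."""
    if not _SAFE_URL.match(url):
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def hardened_open(url: str) -> str:
    """Hardened pattern: validate, then pass the URL as one argv element.
    No shell parses the string, so nothing inside it can be interpreted."""
    if not validate_url(url):
        raise ValueError(f"refusing to open URL with unsafe characters: {url!r}")
    result = subprocess.run([BROWSER, url], capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # The substitution has already happened by the time "the browser" sees it.
    print("vulnerable:", vulnerable_open(INJECTED_URL))   # http://localPWNEDhost
    try:
        hardened_open(INJECTED_URL)
    except ValueError as exc:
        print("hardened:  ", exc)
    print("hardened:  ", hardened_open(BENIGN_URL))
```

The whitelist alone is not the fix: `&` is a legitimate URL character and passes `validate_url`, yet in the `shell=True` form it would still split the command line and background the first half. That is why `hardened_open` never builds a command string at all and hands the URL to the browser as a separate argument.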


New vulnerabilities

clamav: multiple vulnerabilities

Package(s): clamav
CVE #(s): CAN-2005-2919 CAN-2005-2920
Created: September 19, 2005
Updated: September 29, 2005
Description: The release notes for ClamAV 0.87 note that this version fixes vulnerabilities in the handling of UPX and FSG compressed executables.
Alerts:
Debian DSA-824-1 clamav 2005-09-29
SuSE SUSE-SA:2005:055 clamav 2005-09-26
Trustix TSLSA-2005-0051 clamav 2005-09-23
Debian-Testing DTSA-19-1 clamav 2005-09-22
Mandriva MDKSA-2005:166 clamav 2005-09-20
Gentoo 200509-13 clamav 2005-09-19


Mailutils: format string vulnerability in imap4d

Package(s): mailutils
CVE #(s): CAN-2005-2878
Created: September 19, 2005
Updated: October 13, 2005
Description: The imap4d server contains a format string bug in the handling of IMAP SEARCH requests.
Alerts:
Debian-Testing DTSA-20-1 mailutils 2005-10-13
Debian DSA-841-1 mailutils 2005-10-04
Gentoo 200509-10 mailutils 2005-09-17


masqmail: input sanitizing and symlink vulnerabilities

Package(s): masqmail
CVE #(s): CAN-2005-2662 CAN-2005-2663
Created: September 21, 2005
Updated: October 10, 2005
Description: Masqmail fails to properly sanitize addresses when sending failed mail, allowing a local attacker to run arbitrary commands as the mail user. There is also a symlink vulnerability which can be exploited to overwrite files.
Alerts:
Debian DSA-848-1 masqmail 2005-10-08
Mandriva MDKSA-2005:168 masqmail 2005-09-20


Py2Play: remote execution of arbitrary Python code

Package(s): Py2Play
CVE #(s): CAN-2005-2875
Created: September 19, 2005
Updated: September 6, 2006
Description: Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send malicious Python pickles, resulting in the execution of arbitrary Python code on the targeted game client.
Alerts:
Debian DSA-856-1 py2play 2005-10-10
Gentoo 200509-09:02 py2play 2005-09-17
Gentoo 200509-09 Py2Play 2005-09-17
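The mechanism behind this entry, a pickle that names a callable and its arguments so that merely loading it runs code, and the restriction Py2Play lacked are shown in the following added example. It is not Py2Play code: the dict-shaped game message, the harmless `subprocess.check_output(["echo", "pwned"])` payload and the `RestrictedUnpickler` allow-list are this example's own assumptions.

```python
import io
import pickle
import subprocess

# Constructed sample traffic.  A legitimate game message is kept to plain data
# (a dict of builtins) so that decoding it needs no class lookup at all.
BENIGN_MESSAGE = {"type": "move", "player": "alice", "x": 3, "y": 4}
BENIGN_PICKLE = pickle.dumps(BENIGN_MESSAGE)


class Exploit:
    """What a malicious peer sends.  pickle records __reduce__'s result as
    'call subprocess.check_output(["echo", "pwned"])', and pickle.loads on
    the victim performs that call before any game logic sees the object.
    (echo stands in for whatever command the attacker actually wants run.)"""
    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned"],))


MALICIOUS_PICKLE = pickle.dumps(Exploit())


def unsafe_load(payload: bytes):
    """The pattern the advisory describes: unpickle whatever the peer sent."""
    return pickle.loads(payload)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup that is not on an explicit allow-list.
    REDUCE, NEWOBJ and friends all go through find_class to resolve the
    callable, so with an empty list a pickle can only build builtin
    containers and scalars."""
    def __init__(self, stream, allowed=frozenset()):
        super().__init__(stream)
        self.allowed = allowed          # set of (module, name) pairs

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(payload: bytes, allowed=frozenset()):
    """Unpickle with the allow-list enforced (empty by default for network input)."""
    return RestrictedUnpickler(io.BytesIO(payload), allowed).load()


def is_rejected(payload: bytes) -> bool:
    """True if safe_load refuses the payload."""
    try:
        safe_load(payload)
    except pickle.UnpicklingError:
        return True
    return False


def decode_move(payload: bytes) -> tuple:
    """Load safely, then validate the shape of the data before the game uses it."""
    msg = safe_load(payload)
    if not (isinstance(msg, dict) and msg.get("type") == "move"):
        raise ValueError("not a move message")
    player, x, y = msg.get("player"), msg.get("x"), msg.get("y")
    if not (isinstance(player, str) and isinstance(x, int) and isinstance(y, int)):
        raise ValueError("malformed move fields")
    return (player, x, y)


if __name__ == "__main__":
    print("unsafe_load ran the payload, got:", unsafe_load(MALICIOUS_PICKLE))
    print("safe_load rejects the payload:", is_rejected(MALICIOUS_PICKLE))
    print("decoded benign move:", decode_move(BENIGN_PICKLE))
```

The allow-list is the entire security boundary: putting `("subprocess", "check_output")` on it re-enables the exploit unchanged. Keeping peer messages to builtin containers and validating their shape after loading, as `decode_move` does, is the safer design; a format with no code-loading semantics at all (JSON, for instance) avoids the question entirely.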


turqstat: buffer overflow

Package(s): turqstat
CVE #(s): CAN-2005-2658
Created: September 15, 2005
Updated: September 21, 2005
Description: Turquoise SuperStat is a Fidonet and Usenet statistics gathering application. A malicious NNTP server can cause a buffer overflow condition.
Alerts:
Debian DSA-812-1 turqstat 2005-09-15


Zebedee: Denial of Service vulnerability

Package(s): zebedee
CVE #(s):
Created: September 20, 2005
Updated: September 21, 2005
Description: Zebedee crashes when "0" is received as the port number in the protocol option header. By sending such malformed requests, a remote attacker can crash Zebedee, denying service to its users.
Alerts:
Gentoo 200509-14 Zebedee 2005-09-20


Page editor: Jonathan Corbet


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds