Security
SPF on vger
A recent announcement about adding Sender Policy Framework (SPF) capabilities to the machine hosting the linux-kernel mailing list (lkml) has sparked a lively debate. The first step, it seems, is to add an SPF record for vger.kernel.org; the second, planned for later this summer, is to enable SPF checking on incoming email. Both steps are controversial and the majority of posters seem to be against the change, but Matti Aarnio, one of the postmasters for vger, plans to go ahead with the changes.
SPF is a technique that allows a domain to specify which hosts are allowed to send email whose envelope sender (the SMTP MAIL FROM address) uses that domain. A domain administrator adds a TXT record to the DNS entry for the domain that describes all hosts allowed to send mail for it. A receiving Mail Transfer Agent (MTA) looks up the SPF record for the envelope sender's domain and checks whether the connecting host's IP address is listed, and so can determine whether the domain in the envelope has been forged -- at least in theory. Note that the check covers only the envelope sender, not the From: header that the recipient actually sees in their mail client.
Unfortunately, there are a number of problems with this scheme, most having to do with email forwarding. Consider the case where a user has a yahoo.com email account that is forwarded to their ISP. When Yahoo forwards email that it receives, it keeps the original envelope sender, but that sender's domain has almost certainly not listed yahoo.com as an authorized sender, so the ISP's SPF check fails. The same issue occurs if a user is trying to use their yahoo.com address as the sender but is required to use their ISP's SMTP server. In that case, Yahoo will rightly not have the ISP listed as a legitimate sender for its domain.
The SPF folks have suggested solutions for these problems, but many of them require fundamental changes in how MTAs operate. The Sender Rewriting Scheme (SRS) proposal in particular breaks longstanding email tradition by having forwarding MTAs change the envelope sender as they forward email. Opponents of SPF not only argue that changing this tradition is a bad idea, but also that it is very unlikely to be widely implemented any time soon. Additionally, Mail User Agents (MUAs) would need to learn about SRS encoding in order to parse sender addresses for filtering email at the user end.
SPF does provide a way to definitively determine that an email is coming from a host authorized for the envelope-sender domain, but failing the SPF check does not in any way imply that the email is forged, as the mail could have been forwarded by a non-SRS-compliant MTA. A pass only says the host is authorized; it says nothing about whether the message is spam. The main benefit for domains that publish SPF records may be a reduction in the blowback from a "joe job" (a spammer uses a victim domain as the sender on a large amount of spam, some of which bounces, leaving the victim to deal with all the bounce messages).
Opponents point out that because of the forwarding problems, publishing an SPF record for your domain essentially asks other MTAs to mark perfectly valid mail as suspicious at best and forged at worst. Worse yet, some mail administrators are configuring their MTAs to reject mail that fails SPF checking.
For the lkml, the immediate impact will be minimal, but still annoying to some. People who have subscribed using addresses that are forwarded to SPF-checking ISPs may no longer receive emails from the list. Some list archiving software may also be affected. Once SPF checking is enabled, some users may find their mail getting rejected depending on how strictly the SPF policy is enforced. Expect another hue and cry on the lkml when and if that happens.
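To make the mechanics of the preceding discussion concrete, here is an added example that is not part of the article and not vger's or any MTA's actual configuration: a minimal SPF evaluator (ip4/ip6/include/all mechanisms only, with RFC 4408 result names) and an SRS0-style envelope rewrite with its reverse step for bounces. The domains, addresses and secret are constructed for the example, and the DNS lookups are replaced by an in-memory table so it runs offline. It walks through the three cases above: direct delivery, naive forwarding, and forwarding with SRS.

```python
"""Added example: minimal SPF evaluation plus SRS0 envelope rewriting.
Not code from the LWN article or from vger.kernel.org; all names below
are assumptions constructed for the demonstration."""
import base64
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed stand-in for DNS TXT lookups (no network access).
FAKE_DNS_TXT = {
    "sender.example":    "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:203.0.113.10 include:relay.example -all",
    "relay.example":     "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
SRS_SECRET = b"example-forwarder-secret"   # assumption: per-forwarder HMAC key


def check_spf(envelope_sender: str, client_ip: str, dns=FAKE_DNS_TXT) -> str:
    """Evaluate the envelope-sender domain's SPF record against the
    connecting host's IP.  Handles ip4/ip6/include/all; any mechanism that
    would need further DNS lookups (a, mx, ptr, exists) yields 'permerror'."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"                          # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]         # catch-all, usually '-all' or '~all'
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            # include: matches only if the included domain's policy passes
            if check_spf("x@" + term[8:], client_ip, dns) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"
    return "neutral"                        # nothing matched and no 'all' term


def _srs_tag(timestamp: str, domain: str, local: str) -> bytes:
    """Short HMAC over the rewritten fields so bounces cannot be spoofed."""
    msg = f"{timestamp}{domain.lower()}{local}".encode()
    return base64.b64encode(hmac.new(SRS_SECRET, msg, hashlib.sha1).digest())[:4]


def srs_forward(envelope_sender: str, forwarder_domain: str, timestamp: str = "AB") -> str:
    """Rewrite the envelope sender into SRS0 form owned by the forwarder:
    SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarder>.
    Real SRS derives the two-character timestamp from the current day; it
    is a parameter here so results are deterministic."""
    local, domain = envelope_sender.rsplit("@", 1)
    tag = _srs_tag(timestamp, domain, local).decode()
    return f"SRS0={tag}={timestamp}={domain}={local}@{forwarder_domain}"


def srs_reverse(srs_address: str) -> Optional[str]:
    """Recover the original sender from an SRS0 address (what the forwarder
    does when a bounce comes back).  Returns None if the hash fails, so a
    spammer cannot bounce mail through the forwarder to arbitrary victims."""
    local, _ = srs_address.rsplit("@", 1)
    if not local.startswith("SRS0="):
        return None
    parts = local[5:].split("=", 3)        # local part may itself contain '='
    if len(parts) != 4:
        return None
    tag, timestamp, domain, orig_local = parts
    if not hmac.compare_digest(tag.encode(), _srs_tag(timestamp, domain, orig_local)):
        return None
    return f"{orig_local}@{domain}"


def forwarding_scenario():
    """Direct delivery, naive forwarding, and SRS forwarding of one message.
    Returns the three SPF results seen by the final recipient's MTA."""
    sender = "alice@sender.example"
    direct = check_spf(sender, "192.0.2.7")          # sender.example's own MTA
    forwarded = check_spf(sender, "203.0.113.10")    # forwarder relays envelope unchanged
    rewritten = srs_forward(sender, "forwarder.example")
    with_srs = check_spf(rewritten, "203.0.113.10")  # envelope now belongs to the forwarder
    return direct, forwarded, with_srs


if __name__ == "__main__":
    print(forwarding_scenario())   # ('pass', 'fail', 'pass')
```

The middle result is the forwarding problem the article describes: a perfectly legitimate message fails because the forwarder's address is not in the original domain's record, and with a `-all` record a strict receiver would reject it. The SRS rewrite fixes that at the cost of changing the envelope sender in transit, which is exactly the break with tradition that opponents object to; the `srs_reverse` step shows the extra work every forwarder must then do to route bounces back to the real sender.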
New vulnerabilities
courier: denial of service
| Package(s): | courier | CVE #(s): | CVE-2006-2659 |
| Created: | June 9, 2006 | Updated: | August 4, 2006 |
| Description: | A denial of service vulnerability has been found in the function for encoding email addresses. Addresses containing a '=' before the '@' character cause Courier to hang in an endless loop, rendering the service unusable. |
| Alerts: | |
dhcdbd: denial of service
| Package(s): | dhcdbd | CVE #(s): | |
| Created: | June 14, 2006 | Updated: | June 14, 2006 |
| Description: | The dhcdbd daemon can be made to crash by invalid DHCP responses, causing NetworkManager to stop working. |
| Alerts: | |
freetype: integer overflows
| Package(s): | freetype | CVE #(s): | CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467 |
| Created: | June 8, 2006 | Updated: | June 1, 2010 |
| Description: | The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privileges of that user. |
| Alerts: | |
gdm: privilege escalation
| Package(s): | gdm | CVE #(s): | CVE-2006-2452 |
| Created: | June 8, 2006 | Updated: | June 14, 2006 |
| Description: | gdm has a privilege escalation vulnerability tied to the face browser feature. If the face browser is enabled, arbitrary users can access the gdm configuration screen, which is normally accessible only to root. Other user accounts, and possibly the root account, can then be subverted. |
| Alerts: | |
gforge: cross-site scripting
| Package(s): | gforge | CVE #(s): | CVE-2005-2430 |
| Created: | June 9, 2006 | Updated: | June 14, 2006 |
| Description: | Joxean Koret discovered several cross-site scripting vulnerabilities in GForge, an online collaboration suite for software development, which allow injection of web script code. |
| Alerts: | |
libgd2: denial of service
| Package(s): | libgd2 | CVE #(s): | CVE-2006-2906 |
| Created: | June 14, 2006 | Updated: | January 16, 2007 |
| Description: | Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications. |
| Alerts: | |
libjpeg: Denial of Service
| Package(s): | jpeg libjpeg | CVE #(s): | |
| Created: | June 12, 2006 | Updated: | June 14, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Auditing Team discovered that the vulnerable JPEG library ebuilds compile libjpeg without the --maxmem feature, which is not recommended. By enticing a user to load a specially crafted JPEG image file, an attacker could cause a denial of service due to memory exhaustion. |
| Alerts: | |
openldap: stack-based buffer overflow
| Package(s): | openldap | CVE #(s): | CVE-2006-2754 |
| Created: | June 8, 2006 | Updated: | June 27, 2006 |
| Description: | OpenLDAP is vulnerable to a stack-based buffer overflow in the st.c file from slurpd. Attackers may be able to use a long hostname to execute arbitrary code. |
| Alerts: | |
squirrelmail: file inclusion vulnerability
| Package(s): | squirrelmail | CVE #(s): | CVE-2006-2842 |
| Created: | June 8, 2006 | Updated: | July 11, 2006 |
| Description: | SquirrelMail, a PHP-based webmail package, has a file inclusion vulnerability. |
| Alerts: | |
tor: multiple vulnerabilities
| Package(s): | tor | CVE #(s): | CVE-2006-0414 |
| Created: | June 8, 2006 | Updated: | June 14, 2006 |
| Description: | Tor, an anonymizing communication service implementation, has multiple vulnerabilities including a buffer overflow, a denial of service vulnerability and an information leak problem. |
| Alerts: | |
webcalendar: uninitialized variable
| Package(s): | webcalendar | CVE #(s): | CVE-2006-2762 |
| Created: | June 13, 2006 | Updated: | June 14, 2006 |
| Description: | A vulnerability has been discovered in WebCalendar, a PHP-based multi-user calendar, that allows a remote attacker to execute arbitrary PHP code when PHP's register_globals setting is enabled. |
| Alerts: | |
wordpress: arbitrary command execution
| Package(s): | wordpress | CVE #(s): | CVE-2006-2667 CVE-2006-2702 |
| Created: | June 12, 2006 | Updated: | June 14, 2006 |
| Description: | WordPress insufficiently checks the format of cached username data. An attacker could exploit this vulnerability to execute arbitrary commands by sending a specially crafted username. As of WordPress 2.0.2 the user data cache is disabled by default. |
| Alerts: | |
xine-lib: buffer overflow
| Package(s): | xine-lib | CVE #(s): | CVE-2006-2802 |
| Created: | June 9, 2006 | Updated: | September 29, 2006 |
| Description: | Federico L. Bossi Bonin discovered a buffer overflow in the HTTP input module. By tricking a user into opening a malicious remote media location, a remote attacker could exploit this to crash xine library frontends (such as totem-xine, gxine, or xine-ui) and possibly even execute arbitrary code with the user's privileges. |
| Alerts: | |
xine-ui: format string vulnerabilities
| Package(s): | xine-ui | CVE #(s): | CVE-2006-2230 |
| Created: | June 9, 2006 | Updated: | January 24, 2007 |
| Description: | Several format string vulnerabilities have been discovered in xine-ui, the user interface of the xine video player, which may cause a denial of service. |
| Alerts: | |
Page editor: Jonathan Corbet