Security
Is my distribution vulnerable?
We recently posted a brief item about an Apache vulnerability which has the potential to be remotely exploitable. A number of distributors have responded to this vulnerability with the appropriate updates, but there is no update for Red Hat Enterprise Linux. Thanks to a helpful comment, we know that this is not a case of Red Hat letting its customers down; instead, RHEL is simply not vulnerable to this particular bug. Since there is no need for an update, none has been issued.
In this case, RHEL users can get information about this (non-)vulnerability from the Red Hat knowledge base - as long as they don't mind the disclaimer that "Red Hat makes no express or implied claims to its validity". In general, however, it remains difficult for users of any distribution to determine whether their installed systems are exposed to any specific vulnerability. The release of an update generally provides a positive answer, but, until that update comes out, users do not know for sure. Linux distributors would do well for their users by providing this information in an easily-found location.
As it happens, there are a couple of distributions which do make some information available:
- Fedora maintains a list of CVE numbers, along with comments on whether the distribution is vulnerable or not. It fails the "easily found" test, however: the list is maintained as a text file in a CVS repository, and one must go into the CVS web interface to see it. But, once one knows about the file, it is easy to pull it up and get information on specific problems. For the Apache problem, Fedora was indeed vulnerable, and the problem was fixed via a backport.
- Some time back, LWN received a somewhat indignant message to the effect that we should have looked up a vulnerability in the Debian Security Bug Tracker. There is a lot of good information there on specific vulnerabilities; the CVE-2006-3747 page (for the same Apache vulnerability) notes that stable has been fixed, but that testing and unstable are vulnerable.
This tracker also fails the "easily found" test: it is not hosted under a debian.org domain, and there is no mention of it on the Debian security information or security FAQ pages. A determined user can find a non-vulnerabilities page which has some useful information, but it does not have the full story.
Most of the time, Linux distributors do a high-quality job of tracking and responding to vulnerabilities. It is rare that users of a high-profile distribution remain without updates for serious vulnerabilities for any serious period of time. They could help their users a bit more, however, if they were to make more of their tracking information available. More visibility into the system will increase confidence that problems are being addressed - especially in cases where a distribution is not vulnerable and the problem does not exist in the first place.
New vulnerabilities
apache: off-by-one buffer overflow
| Package(s): | apache apache2 httpd | CVE #(s): | CVE-2006-3747 |
| Created: | July 28, 2006 | Updated: | August 2, 2006 |
| Description: | Mark Dowd discovered an off-by-one buffer overflow in the mod_rewrite module's ldap scheme handling. On systems which activate "RewriteEngine on", a remote attacker could exploit certain rewrite rules to crash Apache, or potentially even execute arbitrary code (this has not been verified). "RewriteEngine on" is disabled by default. Systems which have this directive disabled are not affected at all. |
audacious: buffer overflow
| Package(s): | audacious | CVE #(s): | CVE-2006-3581 CVE-2006-3582 |
| Created: | August 2, 2006 | Updated: | September 13, 2006 |
| Description: | Audacious (prior to version 1.1.0) suffers from a buffer overflow which could be exploitable via a maliciously crafted media file. |
drupal: arbitrary file execution
| Package(s): | drupal | CVE #(s): | CVE-2006-2742 CVE-2006-2743 CVE-2006-2831 CVE-2006-2832 CVE-2006-2833 |
| Created: | July 27, 2006 | Updated: | August 2, 2006 |
| Description: | The Drupal web platform has a number of remotely exploitable vulnerabilities, including: an SQL injection vulnerability in the "count" and "from" variables of the database interface; incorrect file extension handling in an Apache/mod_mime environment; a cross-site scripting vulnerability in the upload module; and a cross-site scripting vulnerability in the taxonomy module. |
freeciv: denial of service
| Package(s): | freeciv | CVE #(s): | CVE-2006-3913 |
| Created: | August 1, 2006 | Updated: | August 4, 2006 |
| Description: | A buffer overflow in Freeciv 2.1.0-beta1 and earlier, and SVN from July 15, 2006 and earlier, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a (1) negative chunk_length or a (2) large chunk->offset value in a PACKET_PLAYER_ATTRIBUTE_CHUNK packet in the generic_handle_player_attribute_chunk function in common/packets.c, and (3) a large packet->length value in the handle_unit_orders function in server/unithand.c. |
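The first two freeciv items concern integers that arrive from the network (a negative chunk_length, an oversized chunk->offset) and are then used to place data in a reassembly buffer. The following hypothetical chunk handler is an added illustration, not Freeciv's code: it shows the checks a receiver needs before trusting such fields, namely rejecting negative values before any cast, bounding the block by the buffer's capacity, and testing the chunk end by subtraction so the comparison cannot wrap. The struct, field and function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed chunk header, not Freeciv's packet definition: the field names
 * follow the advisory (chunk_length, offset); the struct itself is hypothetical. */
struct attr_chunk {
    int total_length;          /* size of the whole attribute block */
    int offset;                /* where this chunk lands in that block */
    int chunk_length;          /* bytes carried by this chunk */
    const unsigned char *data; /* chunk payload */
};

/* Returns 1 if the chunk fits inside a reassembly buffer of size cap, else 0.
 * Every wire integer is untrusted: signedness is checked before any cast to
 * size_t, and the end position is tested by subtraction rather than by adding
 * two untrusted values, which could wrap. */
int chunk_is_valid(size_t cap, const struct attr_chunk *c)
{
    if (c->total_length < 0 || c->offset < 0 || c->chunk_length < 0)
        return 0;                              /* negative length or offset */
    if ((size_t)c->total_length > cap)
        return 0;                              /* block larger than buffer */
    if ((size_t)c->offset > (size_t)c->total_length)
        return 0;                              /* offset past block end */
    if ((size_t)c->chunk_length > (size_t)c->total_length - (size_t)c->offset)
        return 0;                              /* chunk runs past block end */
    return 1;
}

/* Copies the chunk into mem only after validation; returns bytes copied or -1. */
int apply_chunk(unsigned char *mem, size_t cap, const struct attr_chunk *c)
{
    if (!chunk_is_valid(cap, c))
        return -1;
    memcpy(mem + c->offset, c->data, (size_t)c->chunk_length);
    return c->chunk_length;
}

/* Runs one constructed header against a 32-byte buffer and returns
 * apply_chunk's result, so each header can be seen accepted or rejected. */
int check_case(int total_length, int offset, int chunk_length)
{
    unsigned char mem[32] = {0};
    static const unsigned char payload[32] = "constructed-chunk-payload";
    struct attr_chunk c = { total_length, offset, chunk_length, payload };
    return apply_chunk(mem, sizeof mem, &c);
}
```

The same pattern (sign check, capacity bound, subtraction-based end test) applies to the third item, a large packet->length used to size a copy.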
heartbeat: permission error
| Package(s): | heartbeat | CVE #(s): | CVE-2006-3815 |
| Created: | July 28, 2006 | Updated: | August 15, 2006 |
| Description: | Yan Rong Ge discovered that wrong permissions on a shared memory page in heartbeat, the subsystem for High-Availability Linux, could be exploited by a local attacker to cause a denial of service. |
kernel: privilege escalation
| Package(s): | kernel-source-2.6.8 | CVE #(s): | CVE-2006-3626 |
| Created: | July 27, 2006 | Updated: | August 23, 2006 |
| Description: | The kernel process filesystem has a race condition that can be exploited for the purpose of privilege escalation. This affects multiple architectures. |
libtiff: buffer overflows
| Package(s): | libtiff | CVE #(s): | CVE-2006-3459 CVE-2006-3460 CVE-2006-3461 CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465 |
| Created: | August 2, 2006 | Updated: | September 5, 2006 |
| Description: | An audit of the libtiff library (done by Tavis Ormandy at Google) turned up several buffer overflow vulnerabilities. |
mantis: cross-site scripting
| Package(s): | mantis | CVE #(s): | CVE-2006-0664 CVE-2006-0665 CVE-2006-0841 CVE-2006-1577 |
| Created: | August 2, 2006 | Updated: | August 2, 2006 |
| Description: | The mantis bug tracking system has some cross-site scripting bugs of its own to track. |
mozilla: multiple vulnerabilities
| Package(s): | firefox seamonkey thunderbird | CVE #(s): | CVE-2006-3113 CVE-2006-3677 CVE-2006-3801 CVE-2006-3802 CVE-2006-3803 CVE-2006-3804 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810 CVE-2006-3811 CVE-2006-3812 |
| Created: | July 27, 2006 | Updated: | September 15, 2006 |
| Description: | This CERT advisory contains details on multiple vulnerabilities in Mozilla products, including Firefox, SeaMonkey and Thunderbird. The most serious vulnerabilities could allow a remote attacker to execute arbitrary code on an affected system. |
osiris: format string vulnerability
| Package(s): | osiris | CVE #(s): | CVE-2006-3120 |
| Created: | July 28, 2006 | Updated: | August 3, 2006 |
| Description: | Ulf Harnhammar and Max Vozeler from the Debian Security Audit Project have found several format string security bugs in osiris, a network-wide system integrity monitor control interface. A remote attacker could exploit them and cause a denial of service or execute arbitrary code. |
sitebar: missing input validation
| Package(s): | sitebar | CVE #(s): | CVE-2006-3320 |
| Created: | August 1, 2006 | Updated: | August 2, 2006 |
| Description: | A cross-site scripting vulnerability has been discovered in sitebar, a web based bookmark manager written in PHP, which allows remote attackers to inject arbitrary web script or HTML. |
Resources
Linux patch problems: Your distro may vary (SearchSecurity.com)
SearchSecurity.com compares the security patch response time across a number of popular Linux distributions. "So, why pick one brand instead of another? One reason is security. Not the security of the code itself, but how fast security patches get applied and published. The faster a security patch can be applied, the smaller the window of opportunity for attacks that exploit those vulnerabilities. Therefore, all other things being equal, security managers would prefer a Linux distribution with a record of speedy publication of fixes for security issues."
Page editor: Jonathan Corbet
