
Security

Is my distribution vulnerable?

We recently posted a brief item about an Apache vulnerability which has the potential to be remotely exploitable. A number of distributors have responded to this vulnerability with the appropriate updates, but there is no update for Red Hat Enterprise Linux. Thanks to a helpful comment, we know that this is not a case of Red Hat letting its customers down; instead, RHEL is simply not vulnerable to this particular bug. Since there is no need for an update, none has been issued.

In this case, RHEL users can get information about this (non-) vulnerability from the Red Hat knowledge base - as long as they don't mind the disclaimer that "Red Hat makes no express or implied claims to its validity." In general, however, it remains difficult for users of any distribution to determine whether their installed systems are exposed to any specific vulnerability. The release of an update generally provides a positive answer, but, until that update comes out, users do not know for sure. Linux distributors would do well for their users by providing this information in an easily-found location.

As it happens, there are a couple of distributions which do make some information available:

  • Fedora maintains a list of CVE numbers, along with comments on whether the distribution is vulnerable or not. It fails the "easily found" test, however: the list is maintained as a text file in a CVS repository, and one must go into the CVS web interface to see it. But, once one knows about the file, it is easy to pull it up and get information on specific problems. For the Apache problem, Fedora was indeed vulnerable, and the problem was fixed via a backport.

  • Some time back, LWN received a somewhat indignant message to the effect that we should have looked up a vulnerability in the Debian Security Bug Tracker. There is a lot of good information there on specific vulnerabilities; the CVE-2006-3747 page (for the same Apache vulnerability) notes that stable has been fixed, but that testing and unstable are vulnerable.

    This tracker also fails the "easily found" test: it is not hosted under a debian.org domain, and there is no mention of it on the Debian security information or security FAQ pages. A determined user can find a non-vulnerabilities page which has some useful information, but it does not have the full story.

Most of the time, Linux distributors do a high-quality job of tracking and responding to vulnerabilities. It is rare that users of a high-profile distribution remain without updates for serious vulnerabilities for any serious period of time. They could help their users a bit more, however, if they were to make more of their tracking information available. More visibility into the system will increase confidence that problems are being addressed - especially in cases where a distribution is not vulnerable and the problem does not exist in the first place.

Comments (4 posted)

New vulnerabilities

apache: off-by-one buffer overflow

Package(s): apache apache2 httpd    CVE #(s): CVE-2006-3747
Created: July 28, 2006    Updated: August 2, 2006
Description: Mark Dowd discovered an off-by-one buffer overflow in the mod_rewrite module's ldap scheme handling. On systems which activate "RewriteEngine on", a remote attacker could exploit certain rewrite rules to crash Apache, or potentially even execute arbitrary code (this has not been verified).

"RewriteEngine on" is disabled by default. Systems which have this directive disabled are not affected at all.

Alerts:
Gentoo 200608-01 apache 2006-08-01
Debian DSA-1132-1 apache2 2005-08-01
Debian DSA-1131-1 apache 2006-08-01
Slackware SSA:2006-209-01 apache 2006-07-29
rPath rPSA-2006-0139-1 httpd 2006-07-28
Mandriva MDKSA-2006:133 apache 2006-07-28
Fedora FEDORA-2006-863 httpd 2006-07-28
Fedora FEDORA-2006-862 httpd 2006-07-28
SuSE SUSE-SA:2006:043 apache,apache2 2006-07-28
OpenPKG OpenPKG-SA-2006.015 apache, apache2 2006-07-28
Ubuntu USN-328-1 apache2 2006-07-27

Comments (3 posted)

audacious: buffer overflow

Package(s): audacious    CVE #(s): CVE-2006-3581 CVE-2006-3582
Created: August 2, 2006    Updated: September 13, 2006
Description: Audacious (prior to version 1.1.0) suffers from a buffer overflow which could be exploitable via a maliciously crafted media file.
Alerts:
Gentoo 200609-06 adplug 2006-09-12
Gentoo 200607-13 audacious 2006-07-29

Comments (none posted)

drupal: arbitrary file execution

Package(s): drupal    CVE #(s): CVE-2006-2742 CVE-2006-2743 CVE-2006-2831 CVE-2006-2832 CVE-2006-2833
Created: July 27, 2006    Updated: August 2, 2006
Description: The Drupal web platform has a number of remotely exploitable vulnerabilities including:

  • An SQL injection vulnerability in the "count" and "from" variables of the database interface.

  • Incorrect file extension handling in an Apache/mod_mime environment.

  • A cross-site scripting vulnerability in the upload module.

  • A cross-site scripting vulnerability in the taxonomy module.

Alerts:
Debian DSA-1125-2 drupal 2006-07-27
Debian DSA-1125-1 drupal 2006-07-26

Comments (none posted)

freeciv: denial of service

Package(s): freeciv    CVE #(s): CVE-2006-3913
Created: August 1, 2006    Updated: August 4, 2006
Description: A buffer overflow in Freeciv 2.1.0-beta1 and earlier, and SVN from July 15, 2006 and earlier, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a (1) negative chunk_length or a (2) large chunk->offset value in a PACKET_PLAYER_ATTRIBUTE_CHUNK packet in the generic_handle_player_attribute_chunk function in common/packets.c, and (3) a large packet->length value in the handle_unit_orders function in server/unithand.c.
Alerts:
Debian DSA-1142-1 freeciv 2006-08-04
Mandriva MDKSA-2006:135 freeciv 2006-07-31
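
The three conditions named in the description above (a negative chunk length, an oversized chunk offset, an oversized total length) are all instances of trusting signed length fields from the wire before they are used to index a fixed-size buffer. The following is an added example, not Freeciv's code: a hypothetical chunk-reassembly routine that validates every field against the buffer before copying, with the arithmetic done in a width that cannot wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical reassembly buffer for a chunked attribute blob (constructed
 * for illustration; field names are assumptions, not Freeciv's structures). */
#define ATTR_BUF_MAX 4096

typedef struct {
    int32_t total_length;   /* claimed size of the fully reassembled blob */
    int32_t offset;         /* where this chunk lands inside the blob */
    int32_t chunk_length;   /* number of payload bytes in this chunk */
    const uint8_t *data;    /* chunk payload, chunk_length bytes long */
} attr_chunk_t;

typedef struct {
    uint8_t buf[ATTR_BUF_MAX];
    size_t total_length;
} attr_blob_t;

/* Copies the chunk into the blob only if every wire field is consistent with
 * the fixed-size buffer. Signed fields are rejected while still signed, so a
 * negative chunk_length never becomes a huge size_t in memcpy(). */
bool attr_chunk_apply(attr_blob_t *blob, const attr_chunk_t *c)
{
    if (c->total_length < 0 || c->total_length > ATTR_BUF_MAX)
        return false;                   /* claimed blob does not fit */
    if (c->chunk_length < 0 || c->offset < 0)
        return false;                   /* negative length or offset */
    if (c->chunk_length > 0 && c->data == NULL)
        return false;                   /* payload missing */
    /* 64-bit sum: offset + chunk_length cannot wrap past total_length. */
    if ((int64_t)c->offset + (int64_t)c->chunk_length > (int64_t)c->total_length)
        return false;                   /* chunk extends past the blob */

    blob->total_length = (size_t)c->total_length;
    memcpy(blob->buf + c->offset, c->data, (size_t)c->chunk_length);
    return true;
}
```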

Comments (none posted)

heartbeat: permission error

Package(s): heartbeat    CVE #(s): CVE-2006-3815
Created: July 28, 2006    Updated: August 15, 2006
Description: Yan Rong Ge discovered that wrong permissions on a shared memory page in heartbeat, the subsystem for High-Availability Linux, could be exploited by a local attacker to cause a denial of service.
Alerts:
Mandriva MDKSA-2006:142 heartbeat 2006-08-14
Ubuntu USN-326-1 heartbeat 2006-07-27
Debian DSA-1128-1 heartbeat 2006-07-28

Comments (none posted)

kernel: privilege escalation

Package(s): kernel-source-2.6.8    CVE #(s): CVE-2006-3626
Created: July 27, 2006    Updated: August 23, 2006
Description: The kernel process filesystem has a race condition that can be exploited for the purpose of privilege escalation. This affects multiple architectures.
Alerts:
Red Hat RHSA-2006:0617-01 kernel 2006-08-22
SuSE SUSE-SA:2006:049 kernel 2006-08-18
Debian DSA-1111-2 kernel-source-2.6.8 2006-07-26

Comments (1 posted)

libtiff: buffer overflows

Package(s): libtiff    CVE #(s): CVE-2006-3459 CVE-2006-3460 CVE-2006-3461 CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465
Created: August 2, 2006    Updated: September 5, 2006
Description: An audit of the libtiff library (done by Tavis Ormandy at Google) turned up several buffer overflow vulnerabilities.
Alerts:
Red Hat RHSA-2006:0648-01 kdegraphics 2006-08-28
Slackware SSA:2006-230-01 libtiff 2006-08-18
Gentoo 200608-07 tiff 2006-08-04
Ubuntu USN-330-1 tiff 2006-08-02
Red Hat RHSA-2006:0603-01 libtiff 2006-08-02
Debian DSA-1137-1 tiff 2006-08-02
rPath rPSA-2006-0142-1 libtiff 2006-08-01
Mandriva MDKSA-2006:136 kdegraphics 2006-08-01
Mandriva MDKSA-2006:137 libtiff 2006-08-01
Fedora FEDORA-2006-877 libtiff 2006-08-02
Fedora FEDORA-2006-878 libtiff 2006-08-02

Comments (none posted)

mantis: cross-site scripting

Package(s): mantis    CVE #(s): CVE-2006-0664 CVE-2006-0665 CVE-2006-0841 CVE-2006-1577
Created: August 2, 2006    Updated: August 2, 2006
Description: The mantis bug tracking system has some cross-site scripting bugs of its own to track.
Alerts:
Debian DSA-1133-1 mantis 2006-08-01

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s): firefox seamonkey thunderbird    CVE #(s): CVE-2006-3113 CVE-2006-3677 CVE-2006-3801 CVE-2006-3802 CVE-2006-3803 CVE-2006-3804 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810 CVE-2006-3811 CVE-2006-3812
Created: July 27, 2006    Updated: September 15, 2006
Description: This CERT advisory contains details on multiple vulnerabilities in Mozilla products, including Firefox, SeaMonkey and Thunderbird. The most serious vulnerabilities could allow a remote attacker to execute arbitrary code on an affected system.
Alerts:
Debian DSA-1160-2 mozilla 2006-09-15
Debian DSA-1161-2 mozilla-firefox 2006-09-13
Debian DSA-1159-2 mozilla-thunderbird 2006-09-08
Debian DSA-1161-1 mozilla-firefox 2006-08-29
Debian DSA-1160-1 mozilla 2006-08-29
Red Hat RHSA-2006:0594-02 seamonkey 2006-08-28
Debian DSA-1159-1 mozilla-thunderbird 2006-08-28
Mandriva MDKSA-2006:146 mozilla-thunderbird 2006-08-21
Mandriva MDKSA-2006:145 mozilla-firefox 2006-08-21
Mandriva MDKSA-2006:143-1 mozilla-firefox 2006-08-17
Mandriva MDKSA-2006:143 mozilla-firefox 2006-08-16
SuSE SUSE-SA:2006:048 firefox thunderbird seamonkey 2006-08-16
Fedora FEDORA-2006-902 firefox 2006-08-09
Fedora FEDORA-2006-903 thunderbird 2006-08-09
Gentoo 200608-04 thunderbird 2006-08-03
Gentoo 200608-03 firefox 2006-08-03
Gentoo 200608-02 seamonkey 2006-08-03
Red Hat RHSA-2006:0609-01 seamonkey 2006-08-02
Ubuntu USN-327-2 firefox 2006-08-01
Ubuntu USN-329-1 mozilla-thunderbird 2006-07-28
Red Hat RHSA-2006:0611-01 thunderbird 2006-07-28
Red Hat RHSA-2006:0610-01 firefox 2006-07-28
Slackware SSA:2006-208-01 mozilla 2006-07-28
rPath rPSA-2006-0138-1 thunderbird 2006-07-27
Red Hat RHSA-2006:0608-01 seamonkey 2006-07-27
Ubuntu USN-327-1 firefox 2006-07-27
rPath rPSA-2006-0137-1 firefox 2006-07-26

Comments (none posted)

osiris: format string vulnerability

Package(s): osiris    CVE #(s): CVE-2006-3120
Created: July 28, 2006    Updated: August 3, 2006
Description: Ulf Harnhammar and Max Vozeler from the Debian Security Audit Project have found several format string security bugs in osiris, a network-wide system integrity monitor control interface. A remote attacker could exploit them and cause a denial of service or execute arbitrary code.
Alerts:
Debian DSA-1129-1 osiris 2006-07-28

Comments (none posted)

sitebar: missing input validation

Package(s): sitebar    CVE #(s): CVE-2006-3320
Created: August 1, 2006    Updated: August 2, 2006
Description: A cross-site scripting vulnerability has been discovered in sitebar, a web based bookmark manager written in PHP, which allows remote attackers to inject arbitrary web script or HTML.
Alerts:
Debian DSA-1130-1 sitebar 2006-07-30

Comments (none posted)

Resources

Linux patch problems: Your distro may vary (SearchSecurity.com)

SearchSecurity.com compares the security patch response time across a number of popular Linux distributions. "So, why pick one brand instead of another? One reason is security. Not the security of the code itself, but how fast security patches get applied and published. The faster a security patch can be applied, the smaller the window of opportunity for attacks that exploit those vulnerabilities. Therefore, all other things being equal, security managers would prefer a Linux distribution with a record of speedy publication of fixes for security issues."

Comments (6 posted)

Page editor: Jonathan Corbet


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds