Security
Stability v. security fixes
A whole pile of security fixes for Red Hat Enterprise Linux 4 (RHEL4) was released at the beginning of May; this event might not be noteworthy except that some of the vulnerabilities were nearly two years old. This stands in contrast to a recent Red Hat article describing the security track record of RHEL4, which was covered on this page, and made no mention of delays of this sort. Digging in a bit deeper to try to understand why seems logical.
Of the thirteen fixes listed by LWN for that day, eleven are categorized as having low severity by Red Hat, one is moderate and one is important. The latter is a recently reported vulnerability in xscreensaver that was given a CVE number less than a month ago. Of the dozen others, eight had CVE numbers from 2006 and four from 2005.
Red Hat classifies security issues based on its analysis of their impact; both "low" and "moderate" vulnerabilities are unlikely to be exploitable, with "moderate" vulnerabilities having worse consequences if exploitation does happen. Under those definitions, it would certainly seem less important to get those fixes out, but it would also seem like a headache to keep track of them. Fedora Core released fixes for these issues ages ago and those seem to have worked out; why did Red Hat sit on them for RHEL4 for so long? Mark Cox, of the Red Hat Security Response Team, explains:
Red Hat Enterprise Linux errata are batched into periodic 'updates'; what was released this week was Update 5 for Red Hat Enterprise Linux 4.
So, for low and some moderate impact bugs, RHEL4 users must wait for patches until some other issue with that package requires attention, and then await the next batch of fixes as an update release. An intervening update cycle is not necessarily enough to push these fixes out, as there have been several update releases to RHEL4 since they were reported. RHEL customers prize stability, and delaying security updates is part of Red Hat's process for delivering that stability.
Security issues (and bugs in general) are funny beasts and sometimes their implications do not become clear for a long time. Something that seems to have a low impact is suddenly used in an unexpected way by a worm or some other exploit and the impact needs to be recalculated. By holding back these fixes for seemingly trivial security issues, Red Hat could be setting itself up for an unpleasant security surprise someday.
Some customers may also feel that they are more at risk from a particular issue than Red Hat thinks they are. Perhaps they use cpio frequently on possibly untrusted data on their 64-bit machines. As things currently stand, they have had no fix available to them (at least via the normal Red Hat update means) for more than a year, and there has been no easy way for them to even know there is a problem. Red Hat tracks these bugs via bugzilla, which is open for anyone to use, but it only puts out announcements when it releases a fix. It is hard to argue that customers should be trolling security lists and/or bugzilla looking for security issues that might affect them; this is, after all, what they pay Red Hat for.
As with seemingly everything in the world of computers, there is a trade-off here; very few customers would want to be upgrading their production systems frequently for low impact bugs. On the other hand, they may not want to be exposed forever to those same low impact bugs. Batching these kinds of fixes up into security updates once or twice a year seems like a reasonable plan, but holding on to updates for over a year may be just a bit more stability than some customers were looking for.
New vulnerabilities
dovecot: directory traversal
| Package(s): | dovecot |
| CVE #(s): | CVE-2007-2231 |
| Created: | May 8, 2007 |
| Updated: | May 21, 2008 |
| Description: | Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name. |
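The Dovecot entry above describes a mailbox name containing ".." being used to reach a gzipped mbox outside the user's mail directory. The following added example (written for this page, not Dovecot's code) shows the defensive check a mailbox-to-path lookup needs: it builds the plain and .gz candidate paths the zlib plugin would try, refuses any name with a ".." component or an absolute path, and confirms the normalised result still lies under the mail root. The mail root and mailbox names are constructed sample values.

```python
import posixpath

MAIL_ROOT = "/var/mail/alice"  # constructed sample root, not a Dovecot default


def mbox_candidates(mail_root, mailbox_name):
    """Return [plain_path, gz_path] for a mailbox name, or None if the
    name would escape mail_root.

    The lookup order (plain mbox first, then the .gz variant) mirrors what
    a compressed-mbox plugin has to do; the checks are what the vulnerable
    code lacked.
    """
    # Absolute names and any '.', '..' or empty path component are refused
    # outright, before any filesystem path is built from them.
    if mailbox_name.startswith("/"):
        return None
    if any(part in ("", ".", "..") for part in mailbox_name.split("/")):
        return None

    root = posixpath.normpath(mail_root)
    candidates = []
    for suffix in ("", ".gz"):
        path = posixpath.normpath(posixpath.join(root, mailbox_name + suffix))
        # Second line of defence: the normalised path must stay under root.
        if not path.startswith(root + "/"):
            return None
        candidates.append(path)
    return candidates


if __name__ == "__main__":
    for name in ("INBOX", "lists/lwn", "../bob/INBOX", "/etc/passwd", "..hidden"):
        print(f"{name!r:22} -> {mbox_candidates(MAIL_ROOT, name)}")
```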
elinks: code execution
| Package(s): | elinks |
| CVE #(s): | CVE-2007-2027 |
| Created: | May 7, 2007 |
| Updated: | October 30, 2009 |
| Description: | Arnaud Giersch discovered that elinks incorrectly attempted to load gettext catalogs from a relative path. If a user were tricked into running elinks from a specific directory, a local attacker could execute code with user privileges. |
gimp: symlink issue
| Package(s): | gimp |
| CVE #(s): | |
| Created: | May 8, 2007 |
| Updated: | May 9, 2007 |
| Description: | The GIMP package in Fedora includes a helper script /usr/sbin/gimp-plugin-mgr for plugins contained in other packages, for example, xsane-gimp. This script manages symlinks from the GIMP plugin directory (which may change between upgrades) to the actual location of the plugins. A bug that was present in all older GIMP packages has been fixed in this erratum. The bug concerns the order in which the symlinks are installed and removed, causing the symlinks to vanish when the GIMP package is updated. |
ldap-account-manager: privilege escalation, possible cross-site scripting
| Package(s): | ldap-account-manager |
| CVE #(s): | CVE-2006-7191 CVE-2007-1840 |
| Created: | May 7, 2007 |
| Updated: | May 9, 2007 |
| Description: | An untrusted search path vulnerability in lamdaemon.pl in LDAP Account Manager (LAM) before 1.0.0 allows local users to gain privileges via a modified PATH that points to a malicious rm program. (CVE-2006-7191) lib/modules.inc in LDAP Account Manager (LAM) before 1.3.0 does not escape HTML special characters in LDAP data, which allows remote attackers to have an unknown impact, probably cross-site scripting (XSS). (CVE-2007-1840) |
lftp: shell command execution
| Package(s): | lftp |
| CVE #(s): | CVE-2007-2348 |
| Created: | May 4, 2007 |
| Updated: | September 16, 2009 |
| Description: | mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" which could overwrite executable files. |
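The lftp entry above concerns a generated mirror script in which remote filenames were interpolated without quoting, so a metacharacter in a filename changes how the resulting command line is parsed. This added example (not lftp's code) generates `get` lines for a constructed remote listing both ways and tokenises them with shlex to show that only the quoted form keeps every filename as a single word; the listing, the `mirror` target directory and the four-token `get SRC -o DST` shape are assumptions of the example.

```python
import shlex

# Constructed remote directory listing; the third name carries a ';'.
REMOTE_FILES = [
    "README",
    "report 2007.pdf",
    "notes;id.txt",
]

EXPECTED_TOKENS = 4  # get SRC -o DST


def mirror_script_lines(files, local_dir="mirror", quote=True):
    """Build 'get' lines for a mirror script.

    quote=False interpolates filenames verbatim, the defect class behind
    CVE-2007-2348.  quote=True passes each filename through shlex.quote(),
    so spaces and metacharacters survive as literal characters.
    """
    lines = []
    for name in files:
        src, dst = name, f"{local_dir}/{name}"
        if quote:
            src, dst = shlex.quote(src), shlex.quote(dst)
        lines.append(f"get {src} -o {dst}")
    return lines


def shell_tokens(line):
    """Tokenise like a POSIX shell, treating ';', '|', '&', '<', '>' and
    parentheses as separate tokens (requires Python 3.8+ semantics)."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def has_unquoted_metachar(line):
    """True if a filename leaked into the command structure: the line no
    longer tokenises to exactly 'get', SRC, '-o', DST."""
    try:
        return len(shell_tokens(line)) != EXPECTED_TOKENS
    except ValueError:  # unbalanced quotes also mean a broken line
        return True


if __name__ == "__main__":
    for quote in (False, True):
        for line in mirror_script_lines(REMOTE_FILES, quote=quote):
            print(f"{'BAD ' if has_unquoted_metachar(line) else 'ok  '} {line}")
```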
moin: arbitrary JavaScript execution
| Package(s): | moin |
| CVE #(s): | CVE-2007-2423 |
| Created: | May 8, 2007 |
| Updated: | March 10, 2008 |
| Description: | A flaw was discovered in MoinMoin's error reporting when using the AttachFile action. By tricking a user into viewing a crafted MoinMoin URL, an attacker could execute arbitrary JavaScript as the current MoinMoin user, possibly exposing the user's authentication information for the domain where MoinMoin was hosted. |
php: several vulnerabilities
| Package(s): | php |
| CVE #(s): | CVE-2007-1864 CVE-2007-2509 CVE-2007-2510 |
| Created: | May 8, 2007 |
| Updated: | July 18, 2007 |
| Description: | A heap buffer overflow flaw was found in the PHP 'xmlrpc' extension. A PHP script which implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the 'apache' user. Note that this flaw does not affect PHP applications using the pure-PHP XML_RPC class provided in /usr/share/pear. (CVE-2007-1864) A flaw was found in the PHP 'ftp' extension. If a PHP script used this extension to provide access to a private FTP server, and passed untrusted script input directly to any function provided by this extension, a remote attacker would be able to send arbitrary FTP commands to the server. (CVE-2007-2509) A buffer overflow flaw was found in the PHP 'soap' extension, regarding the handling of an HTTP redirect response when using the SOAP client provided by this extension with an untrusted SOAP server. No mechanism to trigger this flaw remotely is known. (CVE-2007-2510) |
pop mail: man-in-the-middle attacks
| Package(s): | evolution thunderbird mutt fetchmail |
| CVE #(s): | CVE-2007-1558 |
| Created: | May 8, 2007 |
| Updated: | July 3, 2009 |
| Description: | The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird, (2) Evolution, (3) mutt, and (4) fetchmail. |
pptpd: denial of service
| Package(s): | pptpd |
| CVE #(s): | CVE-2007-0244 |
| Created: | May 9, 2007 |
| Updated: | September 3, 2007 |
| Description: | The PoPToP server daemon contains a bug which allows an attacker to tear down a connection through a malformed GRE packet. |
python: information disclosure
| Package(s): | python |
| CVE #(s): | CVE-2007-2052 |
| Created: | May 9, 2007 |
| Updated: | July 30, 2009 |
| Description: | Python 2.4 and 2.5 contain a bug in PyLocale_strxfrm() which could enable an attacker to read portions of unrelated memory. |
tetex: buffer overflow
| Package(s): | tetex |
| CVE #(s): | CVE-2007-0650 |
| Created: | May 8, 2007 |
| Updated: | May 13, 2008 |
| Description: | A buffer overflow in the open_sty function in mkind.c for makeindex 2.14 in teTeX might allow user-assisted remote attackers to overwrite files and possibly execute arbitrary code via a long filename. NOTE: other overflows exist but might not be exploitable, such as a heap-based overflow in the check_idx function. |
Page editor: Jonathan Corbet