Stability v. security fixes

May 9, 2007

This article was contributed by Jake Edge.

A whole pile of security fixes for Red Hat Enterprise Linux 4 (RHEL4) was released at the beginning of May; this event might not be noteworthy except that some of the vulnerabilities were nearly two years old. This stands in contrast to a recent Red Hat article describing the security track record of RHEL4, which was covered on this page and made no mention of delays of this sort. Digging a bit deeper to understand why seems worthwhile.

Of the thirteen fixes listed by LWN for that day, eleven are categorized as having low severity by Red Hat, one is moderate and one is important. The latter is a recently reported vulnerability in xscreensaver that was given a CVE number less than a month ago. Of the dozen others, eight had CVE numbers from 2006 and four from 2005.

Red Hat classifies security issues based on its analysis of their impact; both "low" and "moderate" vulnerabilities are unlikely to be exploitable, with "moderate" vulnerabilities having worse consequences if exploitation does happen. Under those definitions, it would certainly seem less important to get those fixes out, but it would also seem like a headache to keep track of them. Fedora Core released fixes for these issues ages ago and those seem to have worked out, so why did Red Hat sit on them for RHEL4 for so long? Mark Cox, from the Red Hat Security Response Team, explains:

So for example CVE-2005-4268 relies on an attacker giving a victim a carefully crafted rather large cpio file, and getting the victim to open it using the cpio command on a 64-bit platform. Even if the attacker manages that, the ability to lead to code execution is unlikely. So we defer these issues; customers don't want to go through an update and test cycle just to fix such an issue. Then, when other issues of a higher severity come up in the same package, or if we are to release an update to that package for any other reason, we also pick up any fixes we previously deferred.

Red Hat Enterprise Linux errata are batched into periodic 'updates'; what was released this week was Update 5 for Red Hat Enterprise Linux 4.

So, for low- and some moderate-impact bugs, RHEL4 users must wait for patches until some other issue with that package requires attention, and then await the next batch of fixes as an update release. Even an intervening update cycle is not necessarily enough to push these fixes out, as there have been several update releases to RHEL4 since they were reported. RHEL customers prize stability, and delayed security updates are part of Red Hat's process for delivering that stability.

Security issues (and bugs in general) are funny beasts and sometimes their implications do not become clear for a long time. Something that seems to have a low impact is suddenly used in an unexpected way by a worm or some other exploit and the impact needs to be recalculated. By holding back these fixes for seemingly trivial security issues, Red Hat could be setting itself up for an unpleasant security surprise someday.

Some customers may also feel that they are more at risk for a particular issue than Red Hat thinks they are. Perhaps they use cpio frequently on possibly untrusted data on their 64-bit machines. As things stand, they have had no fix available to them (at least via the normal Red Hat update means) for more than a year; there was no easy way for them even to know there was a problem. Red Hat tracks these bugs via bugzilla, which is open for anyone to use, but it only puts out announcements when it releases a fix. It is hard to argue that customers should be trolling security lists and/or bugzilla looking for security issues that might affect them; this is, after all, what they pay Red Hat for.

As with seemingly everything in the world of computers, there is a trade-off here; very few customers would want to be upgrading their production systems frequently for low impact bugs. On the other hand, they may not want to be exposed forever to those same low impact bugs. Batching these kinds of fixes up into security updates once or twice a year seems like a reasonable plan, but holding on to updates for over a year may be just a bit more stability than some customers were looking for.

New vulnerabilities

dovecot: directory traversal

Package(s): dovecot    CVE #(s): CVE-2007-2231
Created: May 8, 2007    Updated: May 21, 2008
Description: Directory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.
Red Hat RHSA-2008:0297-02 dovecot 2008-05-21
Debian DSA-1359-1 dovecot 2007-08-28
Ubuntu USN-487-1 dovecot 2007-07-17
Fedora FEDORA-2007-493 dovecot 2007-05-07
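
The dovecot entry above is a textbook case of a client-supplied name being used to build a file path. The following is an added example, not Dovecot's code, showing the defensive pattern that closes this class of bug: refuse any mailbox name whose segments are empty, "." or "..", and independently verify that the normalised result still lies inside the mail root. The mail root and the sample names are constructed for the example.

```python
import posixpath

# Constructed mail root for this example; a real deployment would use
# its own mail location.
MAIL_ROOT = "/srv/mailstore/alice"

# Constructed sample of names a client might send, benign and hostile.
SAMPLE_NAMES = [
    "INBOX",
    "Lists/lwn.gz",
    "../bob/INBOX",
    "Lists/../../bob/INBOX",
    "/etc/passwd",
    "Lists/./x",
]


def resolve_mailbox_path(mail_root, mailbox_name):
    """Map a client-supplied mailbox name to a file path under mail_root.

    Returns the absolute path of the mailbox file, or None when the name
    must be refused.  Hypothetical helper written for this example.
    """
    if not mailbox_name or "\0" in mailbox_name:
        return None
    # Mailbox names are hierarchical with "/" as separator.  Refuse any
    # segment that is empty (leading "/" or "//"), "." or "..": the
    # storage layer should never have to interpret those.
    segments = mailbox_name.split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        return None
    root = posixpath.normpath(mail_root)
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    # Independent second check: after normalisation the result must be
    # strictly inside the root.  (A filesystem-backed version would run
    # the same test on os.path.realpath() output so symlinks are covered.)
    if posixpath.commonpath([root, candidate]) != root or candidate == root:
        return None
    return candidate


def check_names(mail_root, names):
    """Return {name: resolved_path_or_None} for a batch of candidate names."""
    return {name: resolve_mailbox_path(mail_root, name) for name in names}


if __name__ == "__main__":
    for name, path in check_names(MAIL_ROOT, SAMPLE_NAMES).items():
        print("%-28r -> %s" % (name, path if path else "REJECTED"))
```

The two checks are deliberately redundant: the segment filter rejects the hostile input early and gives a clear reason, while the containment test catches anything the filter did not anticipate.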

elinks: code execution

Package(s): elinks    CVE #(s): CVE-2007-2027
Created: May 7, 2007    Updated: October 30, 2009
Description: Arnaud Giersch discovered that elinks incorrectly attempted to load gettext catalogs from a relative path. If a user were tricked into running elinks from a specific directory, a local attacker could execute code with user privileges.
Oracle ELSA-2013-0250 elinks 2013-02-11
Red Hat RHSA-2009:1471-01 elinks 2009-10-01
CentOS CESA-2009:1471 elinks 2009-10-06
CentOS CESA-2009:1471 elinks 2009-10-30
Gentoo 200706-03 elinks 2007-06-06
Ubuntu USN-457-1 elinks 2007-05-07

gimp: symlink issue

Package(s): gimp    CVE #(s):
Created: May 8, 2007    Updated: May 9, 2007
Description: The GIMP package in Fedora includes a helper script /usr/sbin/gimp-plugin-mgr for plugins contained in other packages, for example, xsane-gimp. This script manages symlinks from the GIMP plugin directory (which may change between upgrades) to the actual location of the plugins. A bug has been fixed in this erratum of GIMP that was in all older GIMP packages. The bug concerns the execution order in which the symlinks are installed and removed, causing the symlinks to vanish when the GIMP package is updated.
Fedora FEDORA-2007-491 gimp 2007-05-07
Fedora FEDORA-2007-489 gimp 2007-05-07

ldap-account-manager: privilege escalation, possible cross-site scripting

Package(s): ldap-account-manager    CVE #(s): CVE-2006-7191 CVE-2007-1840
Created: May 7, 2007    Updated: May 9, 2007
Description: An untrusted search path vulnerability in LDAP Account Manager (LAM) before 1.0.0 allows local users to gain privileges via a modified PATH that points to a malicious rm program. (CVE-2006-7191)

lib/ in LDAP Account Manager (LAM) before 1.3.0 does not escape HTML special characters in LDAP data, which allows remote attackers to have an unknown impact, probably cross-site scripting (XSS). (CVE-2007-1840)

Debian DSA-1287-1 ldap-account-manager 2007-05-07

lftp: shell command execution

Package(s): lftp    CVE #(s): CVE-2007-2348
Created: May 4, 2007    Updated: September 16, 2009
Description: mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" which could overwrite executable files.
CentOS CESA-2009:1278 lftp 2009-09-15
Red Hat RHSA-2009:1278-02 lftp 2009-09-02
rPath rPSA-2007-0085-1 lftp 2007-05-03
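
The lftp issue above is the general problem of writing server-supplied file names into a command script without quoting. The example below is added here and is not lftp's code (lftp's script format is its own command language; the quoting discipline is the same). It renders a generic POSIX shell script in the unsafe and the hardened form, then parses each line back the way a shell would, so the difference is visible in the argument vector rather than asserted. The file names are constructed for the example.

```python
import shlex

# Constructed list of file names as a remote server might report them;
# the second and third contain shell metacharacters.
REMOTE_FILES = [
    "report.csv",
    "June report $(date).csv",
    "notes;echo injected.txt",
]


def script_line_unquoted(name):
    """The unsafe pattern: the server-supplied name is spliced in verbatim."""
    return "get %s" % name


def script_line_quoted(name):
    """The hardened pattern: shlex.quote() turns the name into a single
    shell word, so metacharacters survive only as literal characters."""
    return "get %s" % shlex.quote(name)


def build_script(names, line_builder=script_line_quoted):
    """Render a POSIX shell script with one command per file name."""
    lines = ["#!/bin/sh", "set -eu"]
    lines.extend(line_builder(name) for name in names)
    return "\n".join(lines) + "\n"


def argv_seen_by_shell(line):
    """Tokenise a script line the way a POSIX shell would.

    shlex.split() honours quoting rules but does not perform $(...)
    expansion or ';' command splitting, which a real shell would; the
    token boundaries are enough to show whether the name stays intact."""
    return shlex.split(line)


def lines_round_trip(names, line_builder):
    """True when every generated line parses back to exactly ["get", name]."""
    return all(argv_seen_by_shell(line_builder(n)) == ["get", n] for n in names)


if __name__ == "__main__":
    for name in REMOTE_FILES:
        print("unquoted:", argv_seen_by_shell(script_line_unquoted(name)))
        print("quoted:  ", argv_seen_by_shell(script_line_quoted(name)))
    print(build_script(REMOTE_FILES))
```

The round-trip check is the useful part for a reviewer: any generator that emits command text from untrusted data should be able to prove that each emitted argument parses back to the original string.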

moin: arbitrary JavaScript execution

Package(s): moin    CVE #(s): CVE-2007-2423
Created: May 8, 2007    Updated: March 10, 2008
Description: A flaw was discovered in MoinMoin's error reporting when using the AttachFile action. By tricking a user into viewing a crafted MoinMoin URL, an attacker could execute arbitrary JavaScript as the current MoinMoin user, possibly exposing the user's authentication information for the domain where MoinMoin was hosted.
Debian DSA-1514-1 moin 2008-03-09
Ubuntu USN-458-1 moin 2007-05-07

php: several vulnerabilities

Package(s): php    CVE #(s): CVE-2007-1864 CVE-2007-2509 CVE-2007-2510
Created: May 8, 2007    Updated: July 18, 2007
Description: A heap buffer overflow flaw was found in the PHP 'xmlrpc' extension. A PHP script which implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the 'apache' user. Note that this flaw does not affect PHP applications using the pure-PHP XML_RPC class provided in /usr/share/pear. (CVE-2007-1864)

A flaw was found in the PHP 'ftp' extension. If a PHP script used this extension to provide access to a private FTP server, and passed untrusted script input directly to any function provided by this extension, a remote attacker would be able to send arbitrary FTP commands to the server. (CVE-2007-2509)

A buffer overflow flaw was found in the PHP 'soap' extension, regarding the handling of an HTTP redirect response when using the SOAP client provided by this extension with an untrusted SOAP server. No mechanism to trigger this flaw remotely is known. (CVE-2007-2510)

Ubuntu USN-485-1 php5 2007-07-17
SuSE SUSE-SA:2007:044 php4,php5 2007-07-12
Debian DSA-1331-1 php4 2007-07-07
Debian DSA-1330-1 php5 2007-07-07
Gentoo 200705-19 php 2007-05-26
Debian-Testing DTSA-39-1 php5 2007-05-28
Debian-Testing DTSA-40-1 php4 2007-05-28
Ubuntu USN-462-1 php5 2007-05-22
Debian DSA-1296-1 php4 2007-05-21
Debian DSA-1295-1 php5 2007-05-19
Fedora FEDORA-2007-503 php 2007-05-14
Mandriva MDKSA-2007:103 php4 2007-05-10
Mandriva MDKSA-2007:102 php 2007-05-10
Red Hat RHSA-2007:0355-01 PHP 2007-05-10
Red Hat RHSA-2007:0349-01 PHP 2007-05-09
Red Hat RHSA-2007:0348-01 PHP 2007-05-08

pop mail man-in-the-middle attacks

Package(s): evolution thunderbird mutt fetchmail    CVE #(s): CVE-2007-1558
Created: May 8, 2007    Updated: July 3, 2009
Description: The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird, (2) Evolution, (3) mutt, and (4) fetchmail.
CentOS CESA-2009:1140 ruby 2009-07-02
Red Hat RHSA-2009:1140-02 ruby 2009-07-02
Fedora FEDORA-2007-1447 balsa 2007-08-06
rPath rPSA-2007-0127-1 fetchmail 2007-06-19
Foresight FLEA-2007-0026-1 evolution-data-server 2007-06-18
rPath rPSA-2007-0122-1 evolution-data-server 2007-06-14
Red Hat RHSA-2007:0385-01 fetchmail 2007-06-07
rPath rPSA-2007-0114-1 mutt 2007-06-04
Mandriva MDKSA-2007:113 mutt 2007-06-04
Red Hat RHSA-2007:0386-01 mutt 2007-06-04
Fedora FEDORA-2007-0001 mutt 2007-06-01
Fedora FEDORA-2007-552 epiphany 2007-05-31
Fedora FEDORA-2007-552 yelp 2007-05-31
Fedora FEDORA-2007-552 devhelp 2007-05-31
Fedora FEDORA-2007-552 seamonkey 2007-05-31
Fedora FEDORA-2007-550 thunderbird 2007-05-31
Fedora FEDORA-2007-551 thunderbird 2007-05-31
Red Hat RHSA-2007:0401-01 thunderbird 2007-05-30
Fedora FEDORA-2007-539 mutt 2007-05-30
Fedora FEDORA-2007-540 mutt 2007-05-30
Red Hat RHSA-2007:0344-01 evolution-data-server 2007-05-30
Mandriva MDKSA-2007:107 evolution 2007-05-19
Mandriva MDKSA-2007:105 fetchmail 2007-05-17
Red Hat RHSA-2007:0353-01 evolution 2007-05-17
Fedora FEDORA-2007-484 evolution-data-server 2007-05-07
Fedora FEDORA-2007-485 evolution-data-server 2007-05-07

pptpd: denial of service

Package(s): pptpd    CVE #(s): CVE-2007-0244
Created: May 9, 2007    Updated: September 3, 2007
Description: The PoPToP server daemon contains a bug which allows an attacker to tear down a connection through a malformed GRE packet.
Debian DSA-1288-2 pptpd 2007-09-02
Ubuntu USN-459-2 pptpd 2007-05-21
Gentoo 200705-18 pptpd 2007-05-20
Ubuntu USN-459-1 pptpd 2007-05-14
SuSE SUSE-SR:2007:010 postgresql, pptpd, freeradius, xfsdump 2007-05-11
Debian DSA-1288-1 pptpd 2007-05-08

python: information disclosure

Package(s): python    CVE #(s): CVE-2007-2052
Created: May 9, 2007    Updated: July 30, 2009
Description: Python 2.4 and 2.5 contain a bug in PyLocale_strxfrm() which could enable an attacker to read portions of unrelated memory.
CentOS CESA-2009:1176 python 2009-07-29
Red Hat RHSA-2009:1176-01 python 2009-07-27
Debian DSA-1620-1 python2.5 2008-07-27
Debian DSA-1551-1 python2.4 2008-04-19
Ubuntu USN-585-1 python2.4/2.5 2008-03-11
Red Hat RHSA-2007:1076-02 python 2007-12-10
Red Hat RHSA-2007:1077-01 python 2007-12-10
Foresight FLEA-2007-0019-1 python 2007-05-21
rPath rPSA-2007-0104-1 python 2007-05-17
Mandriva MDKSA-2007:099 python 2007-05-08

tetex: buffer overflow

Package(s): tetex    CVE #(s): CVE-2007-0650
Created: May 8, 2007    Updated: May 13, 2008
Description: A buffer overflow in the open_sty function in mkind.c for makeindex 2.14 in teTeX might allow user-assisted remote attackers to overwrite files and possibly execute arbitrary code via a long filename. NOTE: other overflows exist but might not be exploitable, such as a heap-based overflow in the check_idx function.
Gentoo 200805-13 ptex 2008-05-12
Gentoo 200709-17 tetex 2007-09-27
Mandriva MDKSA-2007:109 tetex 2007-05-23
rPath rPSA-2007-0092-1 tetex 2007-05-07

Page editor: Jonathan Corbet

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds