Security
Bandit: multi-protocol identity management
The Novell-sponsored Bandit project is a relatively new entry into the somewhat crowded digital identity space. Bandit is trying to unify the disparate protocols and mechanisms for authentication into a consistent view for users and applications. This would allow a user to be independent of the underlying authentication method used, while allowing them full control over what information is released to a site requesting personal information.
One of the more annoying "features" of the web is the necessity of signing up with various sites, often using the same information (name, email address, mailing address, etc.). Once that is done, users need to remember their password at each site, which often means taking a very insecure shortcut by using the same one everywhere. Even a quick correction or pointer added into a comment thread will often require creating an account and logging in, definitely a barrier to quick and easy internet discourse. LWN is as "guilty" as most other sites, as there is no other simple solution to reducing comment spam.
The idea behind Bandit, and the other identity management systems, is to provide a means for users to manage this information, present it to sites they wish to use, without retyping their full name and contact information all over the place. It can also store more sensitive information, credit card numbers and the like. Unlike other, centralized schemes, the user information can be stored locally, with external servers used to validate a connection between an identity and the credentials presented.
Where Bandit is different is that it intends to try and encompass various other free authentication mechanisms and interoperate with them. In some ways it is like a web browser, in that it incorporates multiple different protocols (http, ftp, local file access, etc.) into a single view for the user. Bandit extends the browser by providing a plug-in for Firefox that communicates with their DigitalMe identity manager.
DigitalMe will do the heavy lifting of keeping track of the identities, where and how they are stored, as well as how to communicate that to the requesting site (aka relying party). The Firefox plug-in will present the stored identities to the user allowing them to choose one. It will also display the information requested by the relying party and allow the user to select which they will allow to be sent, keeping the user firmly in control.
An auditing framework is also part of Bandit, to allow companies to ensure that the identities are used in compliance with regulations or company standards. One of the use cases described for Bandit is for a company with identity cards that their employees use to log in to their systems. All of the identity information for those users would be stored by the company, rather than the employee, which would allow the company to recover them when an employee leaves. The identities would correspond to various company-run services as well as vendor or customer systems that are used by the employee.
Because it incorporates so many different standards and protocols, Bandit is even more of an alphabet soup than other identity systems. It is difficult to see, yet, whether it lives up to its grand vision. The project has released some code, but DigitalMe is currently only packaged for SuSE Linux distributions. But it is all free software, mostly licensed under the LGPL and certainly has some interesting ideas.
Windows has its own idea of identity management, CardSpace, that Bandit can also interoperate with in some fashion. Novell is demonstrating the technology and its interoperability with CardSpace at the Digital ID World conference this week. In conjunction with the conference, Novell is also promoting a "Control Your Identity" campaign that is encouraging users to get Bandit cards.
Like much of the work in this area, Bandit shows a lot of promise, but in order for it, or any other identity management framework, to succeed, there must be user interest. Plenty of complaints are heard about identity handling and the need to sign on seemingly everywhere on the web, but so far, no solution has really made a lot of headway. Because it intends to incorporate most of the solutions out there, Bandit may have a better chance than most.
New vulnerabilities
bugzilla: unauthorized account creation
| Package(s): | bugzilla | CVE #(s): | CVE-2007-5038 | ||||
| Created: | September 25, 2007 | Updated: | September 26, 2007 | ||||
| Description: | The offer_account_by_email function in User.pm in the WebService for Bugzilla before 3.0.2, and 3.1.x before 3.1.2, does not check the value of the createemailregexp parameter, which allows remote attackers to bypass intended restrictions on account creation. | ||||||
| Alerts: |
| ||||||
elinks: remote data sniffing
| Package(s): | elinks | CVE #(s): | CVE-2007-5034 | ||||||||||||||||||||||||
| Created: | September 25, 2007 | Updated: | October 9, 2007 | ||||||||||||||||||||||||
| Description: | ELinks before 0.11.3, when sending a POST request for an https URL, appends the body and content headers of the POST request to the CONNECT request in cleartext, which allows remote attackers to sniff sensitive data that would have been protected by TLS. NOTE: this issue only occurs when a proxy is defined for https. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
fuse: incorrect file access permissions
| Package(s): | fuse | CVE #(s): | |||||
| Created: | September 26, 2007 | Updated: | September 26, 2007 | ||||
| Description: | It was discovered that members of the group fuse can get access to devices which they normally should not have access to. For ntfs-3g mounts, this was because /sbin/mount.ntfs-3g was setuid root. This update fixes /sbin/mount.ntfs-3g so that it is no longer has the setuid bit enabled. The fuse package is also being updated to correct an error in the previous testing package which incorrectly changed the permissions on /dev/fuse. | ||||||
| Alerts: |
| ||||||
httpd: denial of service, cross-site scripting
| Package(s): | apache httpd | CVE #(s): | CVE-2007-3847 CVE-2007-4465 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 25, 2007 | Updated: | February 15, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | A flaw was found in the mod_proxy module. On sites where a reverse proxy is
configured, a remote attacker could send a carefully crafted request that
would cause the Apache child process handling that request to crash. On
sites where a forward proxy is configured, an attacker could cause a
similar crash if a user could be persuaded to visit a malicious site using
the proxy. This could lead to a denial of service if using a threaded
Multi-Processing Module. (CVE-2007-3847)
A flaw was found in the mod_autoindex module. On sites where directory listings are used, and the AddDefaultCharset directive has been removed from the configuration, a cross-site-scripting attack may be possible against browsers which do not correctly derive the response character set following the rules in RFC 2616. (CVE-2007-4465) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||
JRockit: multiple vulnerabilities
| Package(s): | jrockit-jdk-bin | CVE #(s): | CVE-2007-2788 CVE-2007-4381 CVE-2007-3716 CVE-2007-2789 CVE-2007-3004 CVE-2007-3005 CVE-2007-3503 CVE-2007-3698 CVE-2007-3922 | ||||||||||||||||||||||||||||
| Created: | September 24, 2007 | Updated: | June 24, 2008 | ||||||||||||||||||||||||||||
| Description: | An integer overflow vulnerability exists in the embedded ICC profile image parser (CVE-2007-2788), an unspecified vulnerability exists in the font parsing implementation (CVE-2007-4381), and an error exists when processing XSLT stylesheets contained in XSLT Transforms in XML signatures (CVE-2007-3716), among other vulnerabilities. | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
kdebase: kdm passwordless login vulnerability
| Package(s): | kdebase kdm | CVE #(s): | CVE-2007-4569 | ||||||||||||||||||||||||||||||||
| Created: | September 21, 2007 | Updated: | November 13, 2007 | ||||||||||||||||||||||||||||||||
| Description: | According to this KDE advisory KDM can be tricked into performing a password-less login even for accounts with a password set under certain circumstances, namely autologin to be configured and "shutdown with password" enabled. KDE versions 3.3.0 up to including 3.5.7 are vulnerable. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
kernel: out-of-bounds access
| Package(s): | kernel | CVE #(s): | CVE-2007-4573 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 25, 2007 | Updated: | December 6, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
libsndfile: heap-based buffer overflow
| Package(s): | libsndfile | CVE #(s): | CVE-2007-4974 | ||||||||||||||||||||||||
| Created: | September 25, 2007 | Updated: | January 9, 2008 | ||||||||||||||||||||||||
| Description: | Heap-based buffer overflow in libsndfile 1.0.17 and earlier might allow remote attackers to execute arbitrary code via a FLAC file with crafted PCM data containing a block with a size that exceeds the previous block size. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
postgresql: several vulnerabilities
| Package(s): | postgresql | CVE #(s): | CVE-2007-3278 CVE-2007-3279 CVE-2007-3280 | ||||||||||||||||||||||||||||||||
| Created: | September 25, 2007 | Updated: | February 1, 2008 | ||||||||||||||||||||||||||||||||
| Description: | PostgreSQL 8.1 and probably later and earlier versions, when local trust
authentication is enabled and the Database Link library (dblink) is
installed, allows remote attackers to access arbitrary accounts and execute
arbitrary SQL queries via a dblink host parameter that proxies the
connection from 127.0.0.1. (CVE-2007-3278)
PostgreSQL 8.1 and probably later and earlier versions, when the PL/pgSQL (plpgsql) language has been created, grants certain plpgsql privileges to the PUBLIC domain, which allows remote attackers to create and execute functions, as demonstrated by functions that perform local brute-force password guessing attacks, which may evade intrusion detection. (CVE-2007-3279) The Database Link library (dblink) in PostgreSQL 8.1 implements functions via CREATE statements that map to arbitrary libraries based on the C programming language, which allows remote authenticated superusers to map and execute a function from any library, as demonstrated by using the system function in libc.so.6 to gain shell access. (CVE-2007-3280) | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
t1lib: buffer overflow
| Package(s): | t1lib | CVE #(s): | CVE-2007-4033 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 20, 2007 | Updated: | February 12, 2008 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | T1lib, an enhanced rasterizer for X11 Type 1 fonts, does not properly perform bounds checking. An attacker can send specially crafted input to applications linked against the library in order to create a buffer overflow, resulting in a denial of service or the execution of arbitrary code. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
tomcat: multiple vulnerabilities
| Package(s): | tomcat | CVE #(s): | CVE-2007-3382 CVE-2007-3385 CVE-2007-3386 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 26, 2007 | Updated: | September 13, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Tomcat was found treating single quote characters -- ' -- as delimiters in
cookies. This could allow remote attackers to obtain sensitive information,
such as session IDs, for session hijacking attacks (CVE-2007-3382).
It was reported Tomcat did not properly handle the following character sequence in a cookie: \" (a backslash followed by a double-quote). It was possible remote attackers could use this failure to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3385). A cross-site scripting (XSS) vulnerability existed in the Host Manager Servlet. This allowed remote attackers to inject arbitrary HTML and web script via crafted requests (CVE-2007-3386). | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>