Security
OpenVAS replacing Nessus in Debian
For many years, the Nessus network vulnerability scanner was a tool in the toolbox of most free-software-oriented administrators. It provided a very useful, GPL-licensed scanner to detect various network vulnerabilities, misconfigurations, and other types of security problems in the network. But, starting in late 2005 that all began to change, when Nessus 3.0 switched licenses, so folks looking for a free software network scanner had to turn elsewhere.
There have been a number of attempts to fork the last GPL version of the Nessus software (2.2), but the most successful to date has been the Open Vulnerability Assessment System (or OpenVAS). The forked scanner has been making great strides to the point where Debian's Nessus maintainer, Javier Fernández-Sanguino Peña, asked that Nessus be removed from the unstable branch in favor of OpenVAS. In his message, he noted:
There are really two parts to a vulnerability scanner, a core scanner and a set of plugins that implement network vulnerability tests (or NVTs). Much like virus scanners, NVTs are constantly being added and updated, and are available via network feeds. For a vulnerability scanner to be really usable, NVTs must be available for older vulnerabilities as well as being developed for new ones as they come along. In the thread on the debian-security mailing list, Tim Brown reports that OpenVAS has reached that point:
AFAIK the only plugins that are in Nessus 2 but not in OpenVAS are those which Tenable have since claimed are not GPL and for these the OpenVAS team are actively developing replacements.
Where Debian goes, other distributions are likely to follow, so we may see Nessus removed in favor of OpenVAS elsewhere as well. It is unfortunate that Tenable, the company behind Nessus, was unable to find a way to continue with a GPL-licensed Nessus, but the rise of OpenVAS shows the power of code that is available under a free software license. That is not to say that Tenable did anything wrong, it was their code and thus their choice; in fact, the community should be grateful that they provided the core of a nice tool for as long as they did. But, because the GPL allows forks like OpenVAS, Nessus users still had a free software path to follow once Tenable decided to go in a different direction.
The main stumbling block to getting to this point has been the NVTs released for Nessus. Those are governed by a separate license, that made it somewhat legally dubious, at best, to use them in OpenVAS. So, the OpenVAS developers had to tackle that problem themselves. Based on Brown's message, it would seem they have gotten most of the way there, and have an active community to continue that work into the future.
Brief items
You Deleted Your Cookies? Think Again (Wired)
Wired looks at the use of Flash cookies implemented by Adobe's browser plugin. "Several services even use the surreptitious data storage to reinstate traditional cookies that a user deleted, which is called re-spawning in homage to video games where zombies come back to life even after being 'killed,' the report found. So even if a user gets rid of a websites tracking cookie, that cookies unique ID will be assigned back to a new cookie again using the Flash data as the 'backup.'" See also this 2008 post from Gnash developer Rob Savoye, as well as an LWN article from last October, for more information on Flash cookies.
New vulnerabilities
apr: arbitrary code execution
| Package(s): | apr | CVE #(s): | CVE-2009-2412 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | August 6, 2009 | Updated: | May 10, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mandriva alert: A vulnerability has been identified and corrected in apr and apr-util: Fix potential overflow in pools (apr) and rmm (apr-util), where size alignment was taking place (CVE-2009-2412). | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
camlimages: arbitrary code execution
| Package(s): | camlimages | CVE #(s): | CVE-2009-2660 | ||||||||||||||||||||
| Created: | August 10, 2009 | Updated: | June 1, 2010 | ||||||||||||||||||||
| Description: | From the Debian advisory: Tielei Wang discovered that CamlImages, an open source image processing library, suffers from several integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. This advisory addresses issues with the reading of JPEG and GIF Images, while DSA 1832-1 addressed the issue with PNG images. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
fetchmail: SSL impersonation vulnerability
| Package(s): | fetchmail | CVE #(s): | CVE-2009-2666 | ||||||||||||||||||||||||||||||||||||||||||||
| Created: | August 6, 2009 | Updated: | June 2, 2010 | ||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the slackware alert: This update fixes an SSL NUL prefix impersonation attack through NULs in a part of a X.509 certificate's CommonName and subjectAltName fields. | ||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||
java-1.6.0-openjdk: multiple vulnerabilities
| Package(s): | java-1.6.0-openjdk | CVE #(s): | CVE-2009-2475 CVE-2009-2476 CVE-2009-2625 CVE-2009-2670 CVE-2009-2671 CVE-2009-2672 CVE-2009-2673 CVE-2009-2674 CVE-2009-2675 CVE-2009-2689 CVE-2009-2690 CVE-2009-1896 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | August 7, 2009 | Updated: | November 30, 2009 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Fedora advisory:
CVE-2009-2475 OpenJDK information leaks in mutable variables CVE-2009-2476 OpenJDK OpenType checks can be bypassed CVE-2009-2625 OpenJDK XML parsing Denial-Of-Service CVE-2009-2670 OpenJDK Untrusted applet System properties access CVE-2009-2671 CVE-2009-2672 OpenJDK Proxy mechanism information leaks CVE-2009-2673 OpenJDK proxy mechanism allows non-authorized socket connections CVE-2009-2674 Java Web Start Buffer JPEG processing integer overflow CVE-2009-2675 Java Web Start Buffer unpack200 processing integer overflow CVE-2009-2689 OpenJDK JDK13Services grants unnecessary privileges CVE-2009-2690 OpenJDK private variable information disclosure CVE-2009-1896 openjdk/netx grants privileges for signed jars to bundled unsigned jars | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
libvorbis: denial of service
| Package(s): | libvorbis | CVE #(s): | CVE-2009-2663 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | August 11, 2009 | Updated: | August 17, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the CVE entry: libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and 3.5.x before 3.5.2 and other products, allows context-dependent attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .ogg file. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
libxml: multiple vulnerabilities
| Package(s): | libxml | CVE #(s): | CVE-2009-2414 CVE-2009-2416 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | August 11, 2009 | Updated: | September 22, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory:
A stack overflow flaw was found in the way libxml processes the root XML document element definition in a DTD. A remote attacker could provide a specially-crafted XML file, which once opened by a local, unsuspecting user, would lead to denial of service (application crash). (CVE-2009-2414) Multiple use-after-free flaws were found in the way libxml parses the Notation and Enumeration attribute types. A remote attacker could provide a specially-crafted XML file, which once opened by a local, unsuspecting user, would lead to denial of service (application crash). (CVE-2009-2416) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
mantis: database credentials leak
| Package(s): | mantis | CVE #(s): | |||||
| Created: | August 10, 2009 | Updated: | August 12, 2009 | ||||
| Description: | From the Debian advisory: It was discovered that the Debian Mantis package, a web based bug tracking system, installed the database credentials in a file with world-readable permissions onto the local filesystem. This allows local users to acquire the credentials used to control the Mantis database. | ||||||
| Alerts: |
| ||||||
memcached: heap-based buffer overflow
| Package(s): | memcached | CVE #(s): | CVE-2009-2415 | ||||||||||||||||||||
| Created: | August 7, 2009 | Updated: | December 11, 2009 | ||||||||||||||||||||
| Description: | From the Debian advisory: Ronald Volgers discovered that memcached, a high-performance memory object caching system, is vulnerable to several heap-based buffer overflows due to integer conversions when parsing certain length attributes. An attacker can use this to execute arbitrary code on the system running memcached (on etch with root privileges). | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
squid3: multiple denial of service vulnerabilities
| Package(s): | squid3 | CVE #(s): | CVE-2009-2622 CVE-2009-2621 | ||||||||||||||||||||
| Created: | August 10, 2009 | Updated: | August 18, 2009 | ||||||||||||||||||||
| Description: | From the Mandriva advisory: Due to incorrect buffer limits and related bound checks Squid is vulnerable to a denial of service attack when processing specially crafted requests or responses (CVE-2009-2621). Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted responses (CVE-2009-2622). | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
subversion: heap overflows
| Package(s): | subversion | CVE #(s): | CVE-2009-2411 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | August 7, 2009 | Updated: | December 8, 2009 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the subversion advisory: Subversion clients and servers have multiple heap overflow issues in the parsing of binary deltas. This is related to an allocation vulnerability in the APR library used by Subversion. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
wireshark: multiple vulnerabilities
| Package(s): | wireshark | CVE #(s): | CVE-2009-2560 CVE-2009-2562 CVE-2009-2563 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | August 6, 2009 | Updated: | May 28, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the National Vulnerability Database entries:
CVE-2009-2560:
"
CVE-2009-2562:
"
CVE-2009-2563:
" | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
wordpress: remote admin password reset
| Package(s): | wordpress | CVE #(s): | |||||||||
| Created: | August 12, 2009 | Updated: | August 12, 2009 | ||||||||
| Description: | From the advisory on full-disclosure: A web browser is sufficient to reproduce this Proof of concept: http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]= The password will be reset without any confirmation. An attacker could exploit this vulnerability to compromise the admin account of any wordpress/wordpress-mu <= 2.8.3 | ||||||||||
| Alerts: |
| ||||||||||
Page editor: Jake Edge
Next page:
Kernel development>>