
Security

TCP cookie transactions

By Jake Edge
December 16, 2009

In the currently ongoing Linux kernel merge window, for the kernel which will become 2.6.33, a new TCP feature has been added. TCP cookie transactions [PDF] are meant to eliminate various kinds of attacks, such as denial of service, while making the TCP connection handshake use fewer resources. One of the main motivations for cookie transactions is to avoid some problems that have cropped up in rolling out DNSSEC (Domain Name System Security).

DNSSEC responses are substantially larger than those of DNS, large enough that they have outgrown the default UDP datagram size of 512 bytes. UDP is generally used for DNS today, but large responses from DNSSEC over UDP result in multiple IP fragments. While it is perfectly reasonable to break up UDP packets that way, there are a large number of Network Address Translation (NAT) routers and firewalls that do not properly handle multiple UDP fragments.

When a DNS response is not received—or not received properly—a DNS resolver will typically retry the request over TCP. Because TCP is connection-oriented, there is a handshake that goes on to establish that connection before any data gets transferred. Normally, servers need to save some state between the two client packets that constitute the handshake. When handling an enormous number of requests, as the DNS root servers will for example, the storage of the state information adds up quickly. In addition, the well-known SYN-flood attack sends just the first packet of the handshake, often from a spoofed IP address, and never replies to the server to complete the connection. Enough "half open" connections can exhaust the server's resources, leading to a denial of service.

SYN cookies were created to defend against SYN flood attacks, and have been in the Linux kernel since 1997 when those attacks were raging. But, as Perry Metzger, William Allen Simpson, and Paul Vixie describe in their TCP cookie transactions (TCPCT) paper linked above, SYN cookies are only used when a system is under attack. They are a clever hack that uses the TCP sequence number to allow servers to defer using resources until they receive the second handshake packet from the client. Crucially, SYN cookies did not require client support, so they could be deployed unilaterally on the server side.

Various other mechanisms have been proposed to handle these problems over the years but, as outlined in the paper, failed to completely solve the problem. TCPCT sets out to do just that. It adds a new TCP option that contains a much larger, cryptographically secure cookie that is sent by the client in the initial handshake (SYN) packet. The server can then create a cookie for the reply that only it can decode. When the client uses that cookie in its second handshake (the third overall of the three-way handshake), the server can recover all of the information it needs to establish the connection from the cookie.

In addition, TCPCT allows for a limited amount of data to be sent in the request from the client and reply from the server, which allows for a query/response like DNS to be handled as part of the connection establishment. In those cases, the connection is torn down as soon as it is established.
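The following is an added illustration of the handshake just described, not code from the LWN article, the TCPCT paper or the Linux kernel. It models the server side as a listener that keeps no state for a half-open connection: everything the server needs (here, the client's MSS and a timestamp) is packed into a cookie, authenticated with a keyed hash that only the server can compute, and recovered when the third handshake packet echoes the cookie back, optionally with a small payload such as a query. The packet classes, the cookie layout, the 60-second lifetime and the 16-byte tag are this example's own assumptions, and all traffic is constructed.

```python
"""Stateless handshake with a keyed server cookie, in the spirit of SYN cookies and TCPCT.

Added example; not code from the LWN article, the TCPCT paper or the Linux kernel.
The packet classes, cookie layout, 60 s cookie lifetime and the 16-byte tag are
this example's own assumptions.
"""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass

COOKIE_LIFETIME = 60   # seconds a server cookie stays acceptable (assumption)
TAG_LEN = 16           # bytes of HMAC-SHA256 kept in the cookie (assumption)


@dataclass(frozen=True)
class Syn:                    # packet 1, client -> server
    src_ip: str
    src_port: int
    isn: int                  # client initial sequence number
    mss: int                  # advertised maximum segment size
    client_cookie: bytes      # client-chosen nonce carried in a TCP option


@dataclass(frozen=True)
class SynAck:                 # packet 2, server -> client
    server_isn: int
    server_cookie: bytes


@dataclass(frozen=True)
class Ack:                    # packet 3, client -> server
    src_ip: str
    src_port: int
    isn: int
    ack_num: int              # must be server_isn + 1
    server_cookie: bytes      # echoed back unchanged
    client_cookie: bytes      # repeated so the server need not remember it
    payload: bytes = b""      # optional early data, e.g. a DNS query


class StatelessListener:
    """Server side: nothing is stored until a valid third packet arrives."""

    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret
        self.clock = clock
        self.established = []   # (src_ip, src_port, mss, payload) per completed handshake

    def _tag(self, src_ip, src_port, isn, client_cookie, ts, mss):
        msg = (struct.pack("!HIIHB", src_port, isn, ts, mss, len(client_cookie))
               + client_cookie + src_ip.encode())
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:TAG_LEN]

    def on_syn(self, syn):
        ts = int(self.clock())
        tag = self._tag(syn.src_ip, syn.src_port, syn.isn, syn.client_cookie, ts, syn.mss)
        # Cookie layout: timestamp (4) | mss (2) | tag (16). The first two fields are
        # readable by anyone; only the secret holder can produce the matching tag.
        cookie = struct.pack("!IH", ts, syn.mss) + tag
        server_isn = struct.unpack("!I", tag[:4])[0]   # ISN derived from the tag
        return SynAck(server_isn=server_isn, server_cookie=cookie)

    def on_ack(self, ack):
        if len(ack.server_cookie) != 6 + TAG_LEN:
            return False
        ts, mss = struct.unpack("!IH", ack.server_cookie[:6])
        tag = ack.server_cookie[6:]
        if not 0 <= int(self.clock()) - ts <= COOKIE_LIFETIME:
            return False                      # stale or future-dated cookie
        expected = self._tag(ack.src_ip, ack.src_port, ack.isn, ack.client_cookie, ts, mss)
        if not hmac.compare_digest(tag, expected):
            return False                      # forged cookie, or endpoint fields changed
        if ack.ack_num != (struct.unpack("!I", tag[:4])[0] + 1) & 0xFFFFFFFF:
            return False                      # does not acknowledge our SYN-ACK
        # Everything needed to build the connection came back inside the cookie.
        self.established.append((ack.src_ip, ack.src_port, mss, ack.payload))
        return True


def demo():
    """Constructed traffic: one honest client, one forged ACK, one spoofed SYN flood."""
    server = StatelessListener(secret=b"constructed-secret-rotate-in-production")
    syn = Syn("192.0.2.10", 40000, isn=1000, mss=1460, client_cookie=b"\x01" * 8)
    synack = server.on_syn(syn)
    ack = Ack("192.0.2.10", 40000, 1000, (synack.server_isn + 1) & 0xFFFFFFFF,
              synack.server_cookie, syn.client_cookie, payload=b"constructed DNS query")
    honest_ok = server.on_ack(ack)
    # Same cookie bytes presented from a different source address: tag mismatch.
    forged = Ack("198.51.100.7", 40000, 1000, (synack.server_isn + 1) & 0xFFFFFFFF,
                 synack.server_cookie, syn.client_cookie)
    forged_ok = server.on_ack(forged)
    # A flood of SYNs never reaches on_ack, so it costs the server no stored state.
    for i in range(10000):
        server.on_syn(Syn(f"203.0.113.{i % 256}", 1024 + i, isn=i, mss=536, client_cookie=bytes(8)))
    return honest_ok, forged_ok, list(server.established)
```

Two design points carry over from the real mechanisms: the tag is bound to the client's address, port, sequence number and nonce, so a cookie cannot be transplanted onto a different flow, and the timestamp inside the cookie bounds how long a captured cookie stays usable. What this toy does not do, and what the TCPCT option's larger cookie buys over a 32-bit sequence number, is leave room for such a tag at all; a classic SYN cookie has to squeeze its hash into a few bits of the ISN.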

TCPCT also addresses another problem that heavily used servers often have: port exhaustion. The TCP protocol requires that there be a timeout before port numbers are reused so that old messages that get delivered do not get confused with those of a newly-established connection. This is the TIME_WAIT timeout (usually four minutes) that is often annoying to those who restart server programs frequently (at least those without the SO_REUSEADDR socket flag). Since there are a limited number of ports available (nominally 64K, but at least 1K are reserved), an active server may have all of its free ports in the TIME_WAIT state. Because TCPCT can distinguish new and old connections based on the cookie data, it no longer has to wait on the server side. Only clients need wait out the TIME_WAIT period.

Obviously, TCPCT requires client support, and it will be some time before most operating systems have that support. As is often the case, Linux is out ahead of the pack by supporting TCPCT in the mainline. But even for Linux, it will be quite some time before 2.6.33 kernels make their way out to users via their distributions. Given that, widespread DNSSEC deployment seems quite a few years off, something that is a bit disheartening given all of the recent DNS server issues.

Comments (7 posted)

Brief items

Kretschmann: The Malware Problem (and a solution)

Amarok hacker Mark Kretschmann looks at the recent malware hidden in a GNOME screen saver. As he points out, it certainly isn't a GNOME-specific problem, as the same thing could happen to KDE and other projects. He and Ian Monroe came up with a way to help alleviate the problem by requiring public version control for Amarok scripts. "With a VCS [version control system], it's very easy to tell who inserted Malware, and when this person did this. This fact alone would provide some accountability, and I think it might prevent a good deal of attempts of messing around with the code. And even if it happened anyway, it would be trivial to revert the change, and we would just ban the person who did this from ever committing to this repository again."

Comments (57 posted)

New vulnerabilities

asterisk: denial of service

Package(s): asterisk    CVE #(s): CVE-2009-4055
Created: December 11, 2009    Updated: June 4, 2010
Description: From the CVE entry: rtp.c in Asterisk Open Source 1.2.x before 1.2.37, 1.4.x before 1.4.27.1, 1.6.0.x before 1.6.0.19, and 1.6.1.x before 1.6.1.11; Business Edition B.x.x before B.2.5.13, C.2.x.x before C.2.4.6, and C.3.x.x before C.3.2.3; and s800i 1.3.x before 1.3.0.6 allows remote attackers to cause a denial of service (daemon crash) via an RTP comfort noise payload with a long data length.
Alerts:
Gentoo 201006-20 asterisk 2010-06-04
Fedora FEDORA-2009-12517 asterisk 2009-12-02
Fedora FEDORA-2009-12506 asterisk 2009-12-02
Debian DSA-1952-1 asterisk 2009-12-15
Fedora FEDORA-2009-12461 asterisk 2009-12-02

Comments (none posted)

asterisk: multiple vulnerabilities

Package(s): asterisk    CVE #(s): CVE-2008-3903 CVE-2009-3727 CVE-2007-2383
Created: December 15, 2009    Updated: June 4, 2010
Description: From the Debian advisory:

It is possible to determine a valid SIP username, when Digest authentication and authalwaysreject are enabled (AST-2009-003). (CVE-2008-3903)

It is possible to determine a valid SIP username via multiple crafted REGISTER messages (AST-2009-008). (CVE-2009-3727)

It was discovered that asterisk contains an obsolete copy of the Prototype JavaScript framework, which is vulnerable to several security issues. This copy is unused and now removed from asterisk (AST-2009-009). (CVE-2007-2383)

Alerts:
Gentoo 201006-20 asterisk 2010-06-04
Debian DSA-1952-1 asterisk 2009-12-15

Comments (none posted)

cacti: cross-site scripting

Package(s): cacti    CVE #(s): CVE-2009-4032
Created: December 16, 2009    Updated: August 24, 2010
Description: Cacti suffers from several cross-site scripting vulnerabilities.
Alerts:
Mandriva MDVSA-2010:160 cacti 2010-08-24
SuSE SUSE-SR:2009:020 apache2-mod_jk, cacti, cups, expat, finch/pidgin, htmldoc, kdelibs3/kdelibs4, libpoppler/poppler, lighttpd, opera, perl-HTML-Parser, pyxml, seamonkey, wireshark/ethereal, xntp, zope/zope3 2010-01-12
Fedora FEDORA-2009-12560 cacti 2009-12-03
Fedora FEDORA-2009-12575 cacti 2009-12-03
Debian DSA-1954-1 cacti 2009-12-16

Comments (none posted)

cacti: privilege escalation

Package(s): cacti    CVE #(s): CVE-2009-4112
Created: December 16, 2009    Updated: January 12, 2010
Description: Cacti allows authenticated administrator users to gain access to the host system and execute arbitrary commands via the "Linux: Get Memory Usage" setting. Note that no fix for this problem is available as of this writing; administrative access should simply not be given to untrusted users.
Alerts:
SuSE SUSE-SR:2009:020 apache2-mod_jk, cacti, cups, expat, finch/pidgin, htmldoc, kdelibs3/kdelibs4, libpoppler/poppler, lighttpd, opera, perl-HTML-Parser, pyxml, seamonkey, wireshark/ethereal, xntp, zope/zope3 2010-01-12
Debian DSA-1954-1 cacti 2009-12-16

Comments (none posted)

firefox: multiple vulnerabilities

Package(s): firefox seamonkey    CVE #(s): CVE-2009-3979 CVE-2009-3981 CVE-2009-3983 CVE-2009-3984 CVE-2009-3985 CVE-2009-3986
Created: December 16, 2009    Updated: June 14, 2010
Description: The firefox 3.5.6 and 3.0.16 and seamonkey 2.0.1 releases fix a new set of security vulnerabilities.
Alerts:
Gentoo 201301-01 firefox 2013-01-07
Mandriva MDVSA-2010:071 mozilla-thunderbird 2010-04-23
Fedora FEDORA-2010-7100 seamonkey 2010-04-21
SuSE SUSE-SR:2010:013 apache2-mod_php5/php5, bytefx-data-mysql/mono, flash-player, fuse, java-1_4_2-ibm, krb5, libcmpiutil/libvirt, libmozhelper-1_0-0/mozilla-xulrunner190, libopenssl-devel, libpng12-0, libpython2_6-1_0, libtheora, memcached, ncpfs, pango, puppet, python, seamonkey, te_ams, texlive 2010-06-14
CentOS CESA-2010:0153 thunderbird 2010-03-26
Ubuntu USN-915-1 thunderbird 2010-03-18
CentOS CESA-2010:0154 thunderbird 2010-03-17
Red Hat RHSA-2010:0153-02 thunderbird 2010-03-17
Red Hat RHSA-2010:0154-02 thunderbird 2010-03-17
SuSE SUSE-SR:2009:020 apache2-mod_jk, cacti, cups, expat, finch/pidgin, htmldoc, kdelibs3/kdelibs4, libpoppler/poppler, lighttpd, opera, perl-HTML-Parser, pyxml, seamonkey, wireshark/ethereal, xntp, zope/zope3 2010-01-12
Ubuntu USN-878-1 firefox-3.5 2010-01-08
Ubuntu USN-877-1 firefox-3.0 2010-01-08
Slackware SSA:2009-351-01 firefox 2010-01-06
Mandriva MDVSA-2009:339 firefox 2009-12-22
Mandriva MDVSA-2009:338 firefox 2009-12-22
SuSE SUSE-SA:2009:063 MozillaFirefox 2009-12-22
Ubuntu USN-874-1 firefox-3.5, xulrunner-1.9.1 2009-12-18
Ubuntu USN-873-1 firefox-3.0, xulrunner-1.9 2009-12-18
Slackware SSA:2009-352-01 seamonkey 2009-12-21
CentOS CESA-2009:1673 seamonkey 2009-12-18
Fedora FEDORA-2009-13333 monodevelop 2009-12-18
Fedora FEDORA-2009-13333 yelp 2009-12-18
Fedora FEDORA-2009-13333 epiphany-extensions 2009-12-18
Fedora FEDORA-2009-13333 hulahop 2009-12-18
Fedora FEDORA-2009-13333 google-gadgets 2009-12-18
Fedora FEDORA-2009-13333 pcmanx-gtk2 2009-12-18
Fedora FEDORA-2009-13333 chmsee 2009-12-18
Fedora FEDORA-2009-13333 kazehakase 2009-12-18
Fedora FEDORA-2009-13366 gnome-python2-extras 2009-12-18
Fedora FEDORA-2009-13333 gnome-python2-extras 2009-12-18
Fedora FEDORA-2009-13366 perl-Gtk2-MozEmbed 2009-12-18
Fedora FEDORA-2009-13333 perl-Gtk2-MozEmbed 2009-12-18
Fedora FEDORA-2009-13366 xulrunner 2009-12-18
Fedora FEDORA-2009-13333 xulrunner 2009-12-18
Fedora FEDORA-2009-13366 blam 2009-12-18
Fedora FEDORA-2009-13333 blam 2009-12-18
Fedora FEDORA-2009-13366 mozvoikko 2009-12-18
Fedora FEDORA-2009-13333 mozvoikko 2009-12-18
Fedora FEDORA-2009-13333 ruby-gnome2 2009-12-18
Fedora FEDORA-2009-13366 galeon 2009-12-18
Fedora FEDORA-2009-13333 galeon 2009-12-18
Fedora FEDORA-2009-13366 gnome-web-photo 2009-12-18
Fedora FEDORA-2009-13333 gnome-web-photo 2009-12-18
Fedora FEDORA-2009-13333 evolution-rss 2009-12-18
Fedora FEDORA-2009-13366 Miro 2009-12-18
Fedora FEDORA-2009-13333 Miro 2009-12-18
Fedora FEDORA-2009-13333 epiphany 2009-12-18
Fedora FEDORA-2009-13362 seamonkey 2009-12-18
Fedora FEDORA-2009-13333 firefox 2009-12-18
Fedora FEDORA-2009-13366 firefox 2009-12-18
CentOS CESA-2009:1674 firefox 2009-12-18
Debian DSA-1956-1 xulrunner 2009-12-16
Red Hat RHSA-2009:1673-01 seamonkey 2009-12-15
Red Hat RHSA-2009:1674-01 firefox 2009-12-16
Slackware SSA:2010-060-01 seamonkey 2010-03-02

Comments (none posted)

firefox-sage: insufficient input sanitizing

Package(s): firefox-sage    CVE #(s): CVE-2009-4102
Created: December 15, 2009    Updated: December 16, 2009
Description: From the Debian advisory: It was discovered that firefox-sage, a lightweight RSS and Atom feed reader for Firefox, does not sanitize the RSS feed information correctly, which makes it prone to a cross-site scripting and a cross-domain scripting attack.
Alerts:
Debian DSA-1951-1 firefox-sage 2009-12-15

Comments (none posted)

gpdf: buffer overflow

Package(s): gpdf    CVE #(s): CVE-2009-4035
Created: December 16, 2009    Updated: February 16, 2010
Description: The type-1 font parser in gpdf suffers from a buffer overflow, exploitable via a maliciously-crafted PDF file.
Alerts:
Gentoo 201402-17 xpdf 2014-02-18
SuSE SUSE-SR:2010:004 moodle, xpdf, pdns-recursor, pango, horde, gnome-screensaver, fuse, gnutls, flash-player 2010-02-16
SuSE SUSE-SR:2010:003 lighttpd, net-snmp/libsnmp15/perl-SNMP, fuse, xpdf 2010-02-09
SuSE SUSE-SR:2009:020 apache2-mod_jk, cacti, cups, expat, finch/pidgin, htmldoc, kdelibs3/kdelibs4, libpoppler/poppler, lighttpd, opera, perl-HTML-Parser, pyxml, seamonkey, wireshark/ethereal, xntp, zope/zope3 2010-01-12
CentOS CESA-2009:1682 kdegraphics 2009-12-18
CentOS CESA-2009:1681 gpdf 2009-12-18
CentOS CESA-2009:1680 xpdf 2009-12-18
Red Hat RHSA-2009:1680-01 xpdf 2009-12-16
Red Hat RHSA-2009:1682-01 kdegraphics 2009-12-16
Red Hat RHSA-2009:1681-01 gpdf 2009-12-16

Comments (none posted)

kdebase-runtime: missing input validation

Package(s): kdebase-runtime    CVE #(s):
Created: December 11, 2009    Updated: December 16, 2009
Description: From the Ubuntu advisory: It was discovered that the KIO subsystem of KDE did not properly perform input validation when processing help:// URIs. If a user or KIO application processed a crafted help:// URI, an attacker could trigger JavaScript execution or access files via directory traversal.
Alerts:
Ubuntu USN-872-1 kdebase-runtime 2009-12-11

Comments (none posted)

kernel: privilege escalation

Package(s): kernel    CVE #(s): CVE-2009-4131
Created: December 10, 2009    Updated: January 21, 2010
Description: From the Ubuntu alert:

Akira Fujita discovered that the Ext4 "move extents" ioctl did not correctly check permissions. A local attacker could exploit this to overwrite arbitrary files on the system, leading to root privilege escalation.

Alerts:
Fedora FEDORA-2010-0823 kernel 2010-01-20
SuSE SUSE-SA:2010:001 kernel 2010-01-07
Fedora FEDORA-2009-13039 kernel 2009-12-10
Ubuntu USN-869-1 linux 2009-12-10
Mandriva MDVSA-2009:329 kernel 2009-12-09

Comments (none posted)

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2009-4021
Created: December 14, 2009    Updated: March 1, 2010
Description:

From the SUSE advisory:

CVE-2009-4021: The fuse_direct_io function in fs/fuse/file.c in the fuse subsystem in the Linux kernel might allow attackers to cause a denial of service (invalid pointer dereference and OOPS) via vectors possibly related to a memory-consumption attack.

Alerts:
Red Hat RHSA-2010:0041-01 kernel-rt 2010-01-21
Debian DSA-2004-1 linux-2.6.24 2010-02-27
Debian DSA-2003-1 linux-2.6 2010-02-22
Ubuntu USN-894-1 linux, linux-source-2.6.15 2010-02-05
CentOS CESA-2010:0046 kernel 2010-01-20
Red Hat RHSA-2010:0046-01 kernel 2010-01-19
SuSE SUSE-SA:2010:012 kernel 2010-02-15
SuSE SUSE-SA:2010:001 kernel 2010-01-07
SuSE SUSE-SA:2009:064 kernel 2009-12-22
SuSE SUSE-SA:2009:061 kernel 2009-12-14

Comments (none posted)

merkaartor: symbolic link vulnerability

Package(s): merkaartor    CVE #(s): CVE-2009-4193
Created: December 16, 2009    Updated: December 16, 2009
Description: Merkaartor suffers from a symbolic link vulnerability on /tmp/merkaartor.log, allowing a local attacker to append data to arbitrary files.
Alerts:
Fedora FEDORA-2009-13196 merkaartor 2009-12-16
Fedora FEDORA-2009-13195 merkaartor 2009-12-16

Comments (none posted)

moodle: multiple vulnerabilities

Package(s): moodle    CVE #(s):
Created: December 11, 2009    Updated: December 16, 2009
Description: From the Red Hat bugzilla: Moodle upstream has released latest stable versions (1.9.7 and 1.8.11), fixing multiple security issues.
Alerts:
Fedora FEDORA-2009-13065 moodle 2009-12-11
Fedora FEDORA-2009-13080 moodle 2009-12-11
Fedora FEDORA-2009-13040 moodle 2009-12-11

Comments (none posted)

mysql: denial of service

Package(s): mysql    CVE #(s): CVE-2009-4019
Created: December 11, 2009    Updated: May 10, 2010
Description: From the CVE entry: mysqld in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 does not (1) properly handle errors during execution of certain SELECT statements with subqueries, and does not (2) preserve certain null_value flags during execution of statements that use the GeomFromWKB function, which allows remote authenticated users to cause a denial of service (daemon crash) via a crafted statement.
Alerts:
Ubuntu USN-1397-1 mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 2012-03-12
Gentoo 201201-02 mysql 2012-01-05
SuSE SUSE-SR:2010:011 dovecot12, cacti, java-1_6_0-openjdk, irssi, tar, fuse, apache2, libmysqlclient-devel, cpio, moodle, libmikmod, libicecore, evolution-data-server, libpng/libpng-devel, libesmtp 2010-05-10
SuSE SUSE-SR:2010:007 cifs-mount/samba, compiz-fusion-plugins-main, cron, cups, ethereal/wireshark, krb5, mysql, pulseaudio, squid/squid3, viewvc 2010-03-30
rPath rPSA-2010-0014-1 mysql 2010-03-07
Mandriva MDVSA-2010:012 mysql 2010-01-17
Mandriva MDVSA-2010:011 mysql 2010-01-17
Red Hat RHSA-2010:0109-01 mysql 2010-02-16
Fedora FEDORA-2009-13466 mysql 2009-12-22
Fedora FEDORA-2009-13504 mysql 2009-12-22
Fedora FEDORA-2009-12180 mysql 2009-11-25
CentOS CESA-2010:0109 mysql 2010-03-01
Debian DSA-1997-1 mysql-dfsg-5.0 2010-02-14
Ubuntu USN-897-1 mysql-dfsg-5.0, mysql-dfsg-5.1 2010-02-10

Comments (none posted)

postgresql: multiple vulnerabilities

Package(s): postgresql    CVE #(s): CVE-2009-4034 CVE-2009-4136
Created: December 15, 2009    Updated: May 28, 2010
Description: From the Mandriva advisory:

NULL Bytes in SSL Certificates can be used to falsify client or server authentication. This only affects users who have SSL enabled, perform certificate name validation or client certificate authentication, and where the Certificate Authority (CA) has been tricked into issuing invalid certificates. The use of a CA that can be trusted to always issue valid certificates is recommended to ensure you are not vulnerable to this issue (CVE-2009-4034).

Privilege escalation via changing session state in an index function. This closes a corner case related to vulnerabilities CVE-2009-3230 and CVE-2007-6600 (CVE-2009-4136).
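As an added illustration of the NUL-byte problem behind CVE-2009-4034 (example code, not PostgreSQL's own), the block below shows the check that goes wrong beside one that does not. A certificate name arrives from the ASN.1 decoder as a value with an explicit length; code that hands it to C-string routines stops at the first NUL and compares only the visible prefix, while a length-aware check rejects the NUL and compares the whole value. The sample names are constructed, and the wildcard rule (one leading `*.` label) is this example's assumption.

```python
"""Certificate name matching that is not fooled by an embedded NUL byte.

Added example; not code from PostgreSQL or the Mandriva advisory. The
certificate name is modelled as the raw bytes of the ASN.1 string value with
its declared length, as a decoder hands it over; the sample names are constructed.
"""


def cstring_name_matches(cert_name: bytes, expected_host: str) -> bool:
    """The flawed pattern: the name is handed to C-string routines, which stop at
    the first NUL, so a value 'victim\\x00.attacker' compares as just 'victim'."""
    visible = cert_name.split(b"\x00", 1)[0]
    return visible.decode("ascii", "replace").lower() == expected_host.lower()


def name_matches(cert_name: bytes, expected_host: str) -> bool:
    """Length-aware check: reject any NUL (or non-ASCII) byte in the declared value,
    then compare the whole value. One leading '*.' matches exactly one label."""
    if b"\x00" in cert_name:
        return False
    try:
        name = cert_name.decode("ascii")
    except UnicodeDecodeError:
        return False                 # assumption: internationalised names are not handled here
    name = name.lower().rstrip(".")
    host = expected_host.lower().rstrip(".")
    if name.startswith("*."):
        suffix = name[1:]            # e.g. ".bank.example"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return label != "" and "." not in label
    return name == host


# Constructed names. The third has the shape the advisory describes: the prefix a
# relying party expects, a NUL, then the domain the certificate was really issued for.
SAMPLES = [
    (b"www.bank.example", "www.bank.example"),
    (b"*.bank.example", "login.bank.example"),
    (b"www.bank.example\x00.attacker.example", "www.bank.example"),
]


def compare_checks():
    """Return (flawed_result, correct_result) for each sample name."""
    return [(cstring_name_matches(n, h), name_matches(n, h)) for n, h in SAMPLES]
```

The advisory's point about trusting only a CA that will not issue such names still stands: the length-aware check protects the relying party that has it, but every other client of the same CA is still exposed to a certificate that was issued with a NUL in its name.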

Alerts:
Gentoo 201110-22 postgresql-base 2011-10-25
CentOS CESA-2010:0429 postgresql 2010-05-28
CentOS CESA-2010:0428 postgresql 2010-05-22
CentOS CESA-2010:0427 postgresql 2010-05-22
Red Hat RHSA-2010:0427-01 postgresql 2010-05-19
Red Hat RHSA-2010:0429-01 postgresql 2010-05-19
Red Hat RHSA-2010:0428-01 postgresql 2010-05-19
rPath rPSA-2010-0012-1 postgresql 2010-03-07
SuSE SUSE-SR:2010:001 expat, postfix, phpMyAdmin, postgresql, dovecot12, msmtp 2010-01-19
Ubuntu USN-876-1 postgresql-8.1, postgresql-8.3, postgresql-8.4 2010-01-04
Debian DSA-1964-1 postgresql-7.4 2009-12-31
Fedora FEDORA-2009-13363 postgresql 2009-12-18
Fedora FEDORA-2009-13381 postgresql 2009-12-18
Mandriva MDVSA-2009:333 postgresql 2009-12-15

Comments (none posted)

rt3: session hijack

Package(s): rt3    CVE #(s): CVE-2009-4151
Created: December 11, 2009    Updated: December 16, 2009
Description: From the CVE entry: Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages "HTTP access to the RT server," a related issue to CVE-2009-3585.
Alerts:
Fedora FEDORA-2009-12783 rt3 2009-12-07
Fedora FEDORA-2009-12827 rt3 2009-12-07
Fedora FEDORA-2009-12817 rt3 2009-12-07

Comments (none posted)

rubygem-actionpack: strip_tags function weakness

Package(s): rubygem-actionpack    CVE #(s): CVE-2009-4214
Created: December 10, 2009    Updated: September 5, 2011
Description: From the Fedora bug report:

There is a weakness in the strip_tags function in ruby on rails. Due to a bug in the parsing code inside HTML::Tokenizer regarding non-printable ascii characters, an attacker can include values which certain browsers will then evaluate.

Alerts:
Debian DSA-2392-1 rails 2012-01-23
Debian DSA-2301-1 rails 2011-09-05
Debian DSA-2260-1 rails 2011-06-14
SuSE SUSE-SR:2010:006 2010-03-15
Gentoo 200912-02 rails 2009-12-20
Fedora FEDORA-2009-13361 rubygem-actionpack 2009-12-18
Fedora FEDORA-2009-13393 rubygem-actionpack 2009-12-18
Fedora FEDORA-2009-12966 rubygem-actionpack 2009-12-10
SuSE SUSE-SR:2010:005 fetchmail, krb5, rubygem-actionpack-2_1, libexpat0, unbound, apache2-mod_php5/php5 2010-02-23

Comments (none posted)

webkit: multiple vulnerabilities

Package(s): webkit    CVE #(s): CVE-2009-1714 CVE-2009-1710 CVE-2009-1697 CVE-2009-1695 CVE-2009-1693 CVE-2009-1694 CVE-2009-1681 CVE-2009-1684 CVE-2009-1692
Created: December 14, 2009    Updated: January 25, 2011
Description:

From the Debian advisory:

CVE-2009-1714: Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit allows user-assisted remote attackers to inject arbitrary web script or HTML, and read local files, via vectors related to the improper escaping of HTML attributes.

CVE-2009-1710: WebKit allows remote attackers to spoof the browser's display of the host name, security indicators, and unspecified other UI elements via a custom cursor in conjunction with a modified CSS3 hotspot property.

CVE-2009-1697: CRLF injection vulnerability in WebKit allows remote attackers to inject HTTP headers and bypass the Same Origin Policy via a crafted HTML document, related to cross-site scripting (XSS) attacks that depend on communication with arbitrary web sites on the same server through use of XMLHttpRequest without a Host header.

CVE-2009-1695: Cross-site scripting (XSS) vulnerability in WebKit allows remote attackers to inject arbitrary web script or HTML via vectors involving access to frame contents after completion of a page transition.

CVE-2009-1693: WebKit allows remote attackers to read images from arbitrary web sites via a CANVAS element with an SVG image, related to a "cross-site image capture issue."

CVE-2009-1694: WebKit does not properly handle redirects, which allows remote attackers to read images from arbitrary web sites via vectors involving a CANVAS element and redirection, related to a "cross-site image capture issue."

CVE-2009-1681: WebKit does not prevent web sites from loading third-party content into a subframe, which allows remote attackers to bypass the Same Origin Policy and conduct "clickjacking" attacks via a crafted HTML document.

CVE-2009-1684: Cross-site scripting (XSS) vulnerability in WebKit allows remote attackers to inject arbitrary web script or HTML via an event handler that triggers script execution in the context of the next loaded document.

CVE-2009-1692: WebKit allows remote attackers to cause a denial of service (memory consumption or device reset) via a web page containing an HTMLSelectElement object with a large length attribute, related to the length property of a Select object.

Alerts:
SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25
openSUSE openSUSE-SU-2011:0024-1 webkit 2011-01-12
Mandriva MDVSA-2010:027 kdelibs4 2010-01-27
Mandriva MDVSA-2010:028 kdelibs4 2010-01-27
Debian DSA-1950 webkit 2009-12-12

Comments (none posted)

Page editor: Jake Edge
Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds