User: Password:
|
|
Subscribe / Log in / New account

Security

Google Chrome and master passwords

By Jake Edge
May 19, 2010

Master passwords for browsers provide a measure of security against some common, if weak, attack vectors. Firefox has had master passwords for some time, but Google's Chrome browser does not, nor does it seem to have any kind of priority to be added. That makes some users rather unhappy, to the point of saying that they won't use the browser until it is implemented. Google's position seems to be that master passwords only provide an illusion of security, but that is an oversimplification.

The idea behind a master password is to protect the credentials (username and password) for accessing web sites that are stored by the browser. The master password is required to unlock (really decrypt) the credential storage before the browser can auto-fill login forms. Without a master password, Firefox stores credential information unencrypted on the disk. Chrome does encrypt the credentials using the user's session information—but only on Windows—for Linux it stores them unencrypted.

As Jamie Strandboge describes in a blog posting, it is trivial to extract the credentials stored by Chrome on Linux in a SQLite database file. A bug filed against Chrome in September 2008 requests adding a master password, and, while it has seen many comments, it has also seen little action on the part of the Chrome developers. For Linux users, it is pretty clear that leaving an unencrypted version of all stored passwords on the disk is a security hole; it definitely requires access to the data, either on the machine itself or elsewhere—like a network share or backup of the home directory. Ways to get that access aren't very hard to envision. Since the data is encrypted on Windows, the picture there is a little murkier.

It is certainly true that anyone who gets physical access to your machine can do an amazing amount of harm to it if they want to. But it is also true that many people allow their computer to be used by others to do a quick search or check email. Those uses are typically short in duration and are "semi-supervised" in the sense that the owner is often around and might very well notice someone installing a keylogger or running some kind of password cracker. What may escape notice is someone using the browser interface in fairly standard ways—to look at stored passwords for example.

The answer, according to Chrome developer Peter Kasting is to "lock your desktop (it's two keys!) or close Chrome" if you don't trust those with physical access. Essentially, because of the way Chrome is implemented, there is no secure way to allow someone to use your open browser session—or even to start a new one for them to use. With Firefox, one can start a new browser and not provide the master password (or just log out of the "Software Security Device"), which will allow semi-untrusted users to jump on and do a quick Google—or check Gmail.

Given the sensitivity of stored passwords—though many sensitive web sites, like banks and brokerages, have started disallowing credential storage—a master password protecting them gives users a sense of protection. It may well be that the average user overestimates the amount of protection that a master password provides, but that doesn't mean it provides no protection. There is certainly a big difference between a sophisticated hacker willing to risk jail time by installing a keylogger and a "friend" who thinks it would be funny to update your Facebook status for you. The latter is likely to be thwarted by a master password.

It is a bit hard to understand why the Chrome developers are so unwilling to consider adding the feature. It shouldn't be particularly difficult in a technical sense. The "UI complexity" argument rings a little hollow. The lack of any way to get password encryption on Linux just seems like a bug that needs to be fixed, though there isn't any real indication that it will be. Maybe someone in the community needs to take a crack at it—it is, after all, free software.

Comments (29 posted)

Brief items

Quotes of the week

The Sacramento Credit Union's online banking service appears to have learned some hard lessons about SQL code-injection attacks as they apply to "secret questions":

The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe, or the words "insert," "delete," "drop," "update," "null," or "select."

-- Boing Boing looks at a since-changed credit union online banking FAQ

Actually, you can. You can refuse to fly because of the possibility of plane crashes. You can lock your children in the house because of the possibility of child predators. You can eschew all contact with people because of the possibility of hurt. Steven Hawking wants to avoid trying to communicate with aliens because they might be hostile; does he want to turn off all the planet's television broadcasts because they're radiating into space? It isn't hard to parody worst-case thinking, and at its extreme it's a psychological condition.

-- Bruce Schneier on worst-case thinking

Among many privacy thinkers (at least in the US) there is a view that the current "notice and consent" framework doesn't work very well. Jonathan Zittrain has written much about this already, as well as many others. The online privacy environment is more complex than ever before in part because of:
  • new ways to share, track, and analyze information (and accompanying new questions about the definition of "user information");
  • users who want to connect and share (Facebook didn't get 400M users accidentally); and
  • an increasing expectation that users, when they do intend to share, also expect some reasonable control of their information and information about them.

-- Harvey Anderson, Mozilla Corporation VP and General Counsel

Some of these factors are Android specific, in particular the device always has a TCP connection open to google servers. So switching from WIFI -> 3G for example causes us to generate extra network traffic as we try to establish our SSL connection to google servers.

-- Mike Chan about Android's always-on "phone home" connection

Comments (4 posted)

Morris: SELinux Notebook Edition 2 Released

Over at SELinux News, James Morris announces the second edition of The SELinux Notebook. "Richard Haines has released the 2nd edition of The SELinux Notebook, an extensive work of documentation aimed at explaining SELinux to newcomers. It is also intended to be a reference document for the policy language and configuration. The Notebook has now been split into two volumes: The Foundations and Sample Policy Source, and updated to the latest implementation of SELinux in the Fedora 12 distribution. New topics in this edition include virtualization (sVirt), SE-PostgreSQL, XSELinux and Apache/SELinux Plus."

Comments (3 posted)

New vulnerabilities

aria2: insufficient input sanitizing

Package(s):aria2 CVE #(s):CVE-2010-1512
Created:May 18, 2010 Updated:January 17, 2011
Description: From the Debian advisory:

A vulnerability was discovered in aria2, a download client. The "name" attribute of the "file" element of metalink files is not properly sanitised before using it to download files. If a user is tricked into downloading from a specially crafted metalink file, this can be exploited to download files to directories outside of the intended download directory.

Alerts:
Gentoo 201101-04 aria2 2011-01-15
SUSE SUSE-SR:2010:017 java-1_4_2-ibm, sudo, libpng, php5, tgt, iscsitarget, aria2, pcsc-lite, tomcat5, tomcat6, lvm2, libvirt, rpm, libtiff, dovecot12 2010-09-21
openSUSE openSUSE-SU-2010:0338-2 aria2 2010-09-13
SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02
Pardus 2010-75 aria2 2010-06-04
Mandriva MDVSA-2010:106 aria2 2010-05-24
Fedora FEDORA-2010-8915 aria2 2010-05-22
Fedora FEDORA-2010-8908 aria2 2010-05-22
Debian DSA-2047-1 aria2 2010-05-17
MeeGo MeeGo-SA-10:05 aria2 2010-07-07

Comments (none posted)

fetchmail: denial of service

Package(s):fetchmail CVE #(s):CVE-2010-1167
Created:May 17, 2010 Updated:June 7, 2011
Description: From the CVE entry:

fetchmail 4.6.3 through 6.3.16, when debug mode is enabled, does not properly handle invalid characters in a multi-character locale, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted (1) message header or (2) POP3 UIDL list.

Alerts:
Mandriva MDVSA-2011:107 fetchmail 2011-06-07
Slackware SSA:2010-136-01 fetchmail 2010-05-17

Comments (3 posted)

kdenetwork: arbitrary code execution

Package(s):kdenetwork CVE #(s):CVE-2010-1000
Created:May 13, 2010 Updated:May 26, 2011
Description:

From the Ubuntu advisory:

It was discovered that KGet did not properly perform input validation when processing metalink files. If a user were tricked into opening a crafted metalink file, a remote attacker could overwrite files via directory traversal, which could eventually lead to arbitrary code execution.

Alerts:
Gentoo 201412-08 insight, perl-tk, sourcenav, tk, partimage, bitdefender-console, mlmmj, acl, xinit, gzip, ncompress, liblzw, splashutils, m4, kdm, gtk+, kget, dvipng, beanstalkd, pmount, pam_krb5, gv, lftp, uzbl, slim, iputils, dvbstreamer 2014-12-11
Pardus 2011-80 kdenetwork 2011-05-11
Red Hat RHSA-2011:0465-01 kdenetwork 2011-04-21
Fedora FEDORA-2011-5211 kdenetwork 2011-04-12
Mandriva MDVSA-2011:081 kdenetwork4 2011-05-02
SUSE SUSE-SR:2010:024 clamav, subversion, python, krb5, otrs, moonlight, OpenOffice_org, kdenetwork4, zope, xpdf, gnutls, and opera 2010-12-23
openSUSE openSUSE-SU-2010:1085-1 kdenetwork 2010-12-21
openSUSE openSUSE-SU-2010:1077-1 kdenetwork 2010-12-17
openSUSE openSUSE-SU-2010:1076-1 kdenetwork 2010-12-17
Fedora FEDORA-2010-8577 oxygen-icon-theme 2010-05-15
Fedora FEDORA-2010-8544 oxygen-icon-theme 2010-05-15
Fedora FEDORA-2010-8547 oxygen-icon-theme 2010-05-15
Fedora FEDORA-2010-8577 kdeutils 2010-05-15
Fedora FEDORA-2010-8544 kdeutils 2010-05-15
Fedora FEDORA-2010-8547 kdeutils 2010-05-15
Fedora FEDORA-2010-8577 kdetoys 2010-05-15
Fedora FEDORA-2010-8544 kdetoys 2010-05-15
Fedora FEDORA-2010-8547 kdetoys 2010-05-15
Fedora FEDORA-2010-8577 kdesdk 2010-05-15
Fedora FEDORA-2010-8544 kdesdk 2010-05-15
Fedora FEDORA-2010-8547 kdesdk 2010-05-15
Fedora FEDORA-2010-8577 kdeplasma-addons 2010-05-15
Fedora FEDORA-2010-8544 kdeplasma-addons 2010-05-15
Fedora FEDORA-2010-8547 kdeplasma-addons 2010-05-15
Fedora FEDORA-2010-8577 kdepim-runtime 2010-05-15
Fedora FEDORA-2010-8544 kdepim-runtime 2010-05-15
Fedora FEDORA-2010-8547 kdepim-runtime 2010-05-15
Fedora FEDORA-2010-8577 kdepimlibs 2010-05-15
Fedora FEDORA-2010-8544 kdepimlibs 2010-05-15
Fedora FEDORA-2010-8547 kdepimlibs 2010-05-15
Fedora FEDORA-2010-8577 kdepim 2010-05-15
Fedora FEDORA-2010-8544 kdepim 2010-05-15
Fedora FEDORA-2010-8547 kdepim 2010-05-15
Fedora FEDORA-2010-8577 kdenetwork 2010-05-15
Fedora FEDORA-2010-8544 kdenetwork 2010-05-15
Fedora FEDORA-2010-8547 kdenetwork 2010-05-15
Fedora FEDORA-2010-8577 kdemultimedia 2010-05-15
Fedora FEDORA-2010-8544 kdemultimedia 2010-05-15
Fedora FEDORA-2010-8547 kdemultimedia 2010-05-15
Fedora FEDORA-2010-8577 kdelibs 2010-05-15
Fedora FEDORA-2010-8544 kdelibs 2010-05-15
Fedora FEDORA-2010-8547 kdelibs 2010-05-15
Fedora FEDORA-2010-8577 kde-l10n 2010-05-15
Fedora FEDORA-2010-8544 kde-l10n 2010-05-15
Fedora FEDORA-2010-8547 kde-l10n 2010-05-15
Fedora FEDORA-2010-8577 kdegraphics 2010-05-15
Fedora FEDORA-2010-8544 kdegraphics 2010-05-15
Fedora FEDORA-2010-8547 kdegraphics 2010-05-15
Fedora FEDORA-2010-8577 kdegames 2010-05-15
Fedora FEDORA-2010-8544 kdegames 2010-05-15
Fedora FEDORA-2010-8547 kdegames 2010-05-15
Fedora FEDORA-2010-8547 kdeedu 2010-05-15
Fedora FEDORA-2010-8544 kdebindings 2010-05-15
Fedora FEDORA-2010-8577 kdeedu 2010-05-15
Fedora FEDORA-2010-8544 kdeedu 2010-05-15
Fedora FEDORA-2010-8577 kdebindings 2010-05-15
Fedora FEDORA-2010-8547 kdebindings 2010-05-15
Fedora FEDORA-2010-8577 kdebase-workspace 2010-05-15
Fedora FEDORA-2010-8544 kdebase-workspace 2010-05-15
Fedora FEDORA-2010-8547 kdebase-workspace 2010-05-15
Fedora FEDORA-2010-8577 kdebase-runtime 2010-05-15
Fedora FEDORA-2010-8544 kdebase-runtime 2010-05-15
Fedora FEDORA-2010-8547 kdebase-runtime 2010-05-15
Fedora FEDORA-2010-8577 kdebase 2010-05-15
Fedora FEDORA-2010-8544 kdebase 2010-05-15
Fedora FEDORA-2010-8547 kdebase 2010-05-15
Fedora FEDORA-2010-8577 kdeartwork 2010-05-15
Fedora FEDORA-2010-8544 kdeartwork 2010-05-15
Fedora FEDORA-2010-8547 kdeartwork 2010-05-15
Fedora FEDORA-2010-8577 kdeadmin 2010-05-15
Fedora FEDORA-2010-8544 kdeadmin 2010-05-15
Fedora FEDORA-2010-8547 kdeadmin 2010-05-15
Fedora FEDORA-2010-8577 kdeaccessibility 2010-05-15
Fedora FEDORA-2010-8544 kdeaccessibility 2010-05-15
Fedora FEDORA-2010-8547 kdeaccessibility 2010-05-15
Mandriva MDVSA-2010:098 kdenetwork4 2010-05-18
Ubuntu USN-938-1 kdenetwork 2010-05-13
Pardus 2010-68 kdenetwork 2010-06-04

Comments (none posted)

krb5: denial of service

Package(s):krb5 CVE #(s):CVE-2010-1321
Created:May 19, 2010 Updated:May 3, 2011
Description: The Kerberos GSS-API library contains a null pointer dereference vulnerability; an remote authenticated attacker could use this vulnerability to crash the server.
Alerts:
Gentoo 201201-13 mit-krb5 2012-01-23
SUSE SUSE-SU-2012:0042-1 krb5 2012-01-05
SUSE SUSE-SU-2012:0010-1 krb5 2012-01-05
SUSE SUSE-SR:2011:008 java-1_6_0-ibm, java-1_5_0-ibm, java-1_4_2-ibm, postfix, dhcp6, dhcpcd, mono-addon-bytefx-data-mysql/bytefx-data-mysql, dbus-1, libtiff/libtiff-devel, cifs-mount/libnetapi-devel, rubygem-sqlite3, gnutls, libpolkit0, udisks 2011-05-03
SUSE SUSE-SA:2011:014 java-1_6_0-ibm,java-1_5_0-ibm,java-1_4_2-ibm 2011-03-22
SUSE SUSE-SA:2011:006 java-1_6_0-ibm 2011-01-25
Red Hat RHSA-2011:0152-01 java-1.4.2-ibm 2011-01-17
Red Hat RHSA-2010:0987-01 java-1.6.0-ibm 2010-12-15
Red Hat RHSA-2010:0935-01 java-1.4.2-ibm 2010-12-01
Red Hat RHSA-2010:0873-02 java-1.5.0-ibm 2010-11-10
Red Hat RHSA-2010:0807-01 java-1.5.0-ibm 2010-10-27
openSUSE openSUSE-SU-2010:0754-1 java-1_6_0-sun 2010-10-22
SUSE SUSE-SR:2010:015 gpg2, krb5, kvirc, libpcsclite1/pcsc-lite, libpython2_6-1_0, libvorbis, libwebkit, squidGuard, strongswan 2010-08-17
SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02
SUSE SUSE-SR:2010:019 OpenOffice_org, acroread/acroread_ja, cifs-mount/samba, dbus-1-glib, festival, freetype2, java-1_6_0-sun, krb5, libHX13/libHX18/libHX22, mipv6d, mysql, postgresql, squid3 2010-10-25
rPath rPSA-2010-0065-1 krb5 2010-10-17
Red Hat RHSA-2010:0770-01 java-1.6.0-sun 2010-10-14
Mandriva MDVSA-2010:130 heimdal 2010-07-07
CentOS CESA-2010:0423 krb5 2010-06-01
Pardus 2010-71 mit-kerberos 2010-06-04
Debian DSA-2052-1 krb5 2010-05-24
CentOS CESA-2010:0423 krb5 2010-05-22
CentOS CESA-2010:0423 krb5 2010-05-22
Ubuntu USN-940-1 krb5 2010-05-19
Fedora FEDORA-2010-8805 krb5 2010-05-19
Fedora FEDORA-2010-8796 krb5 2010-05-19
Mandriva MDVSA-2010:100 krb5 2010-05-19
Red Hat RHSA-2010:0423-01 krb5 2010-05-18
Mandriva MDVSA-2010:129 heimdal 2010-07-07
Ubuntu USN-940-2 krb5 2010-07-21
SuSE SUSE-SR:2010:013 apache2-mod_php5/php5, bytefx-data-mysql/mono, flash-player, fuse, java-1_4_2-ibm, krb5, libcmpiutil/libvirt, libmozhelper-1_0-0/mozilla-xulrunner190, libopenssl-devel, libpng12-0, libpython2_6-1_0, libtheora, memcached, ncpfs, pango, puppet, python, seamonkey, te_ams, texlive 2010-06-14

Comments (none posted)

libxext: application crash

Package(s):libxext CVE #(s):
Created:May 19, 2010 Updated:May 19, 2010
Description:

From the Mandriva advisory:

A vulnerability has been discovered and fixed in libxext: There's a race condition in libXext that causes apps that use the X shared memory extensions to occasionally crash.

Alerts:
Mandriva MDVSA-2010:095 libxext 2010-05-12

Comments (none posted)

mysql: forced data loss

Package(s):mysql CVE #(s):CVE-2010-1626
Created:May 19, 2010 Updated:November 16, 2010
Description: It is possible to cause a DROP TABLE command on one MyISAM table to remove data and index files from a different table.
Alerts:
Ubuntu USN-1397-1 mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 2012-03-12
Gentoo 201201-02 mysql 2012-01-05
SUSE SUSE-SR:2010:021 mysql, dhcp, monotone, moodle, openssl 2010-11-16
openSUSE openSUSE-SU-2010:0730-1 mysql 2010-10-18
SUSE SUSE-SR:2010:019 OpenOffice_org, acroread/acroread_ja, cifs-mount/samba, dbus-1-glib, festival, freetype2, java-1_6_0-sun, krb5, libHX13/libHX18/libHX22, mipv6d, mysql, postgresql, squid3 2010-10-25
openSUSE openSUSE-SU-2010:0731-1 mysql 2010-10-18
CentOS CESA-2010:0442 mysql 2010-05-28
Ubuntu USN-950-1 mysql-dfsg-5.0, mysql-dfsg-5.1 2010-06-09
Pardus 2010-73 mysql-server 2010-06-04
Red Hat RHSA-2010:0442-01 mysql 2010-05-26
Mandriva MDVSA-2010:101 mysql 2010-05-19
Debian DSA-2057-1 mysql-dfsg-5.0 2010-06-07

Comments (none posted)

mysql: privilege escalation

Package(s):mysql CVE #(s):CVE-2010-1621
Created:May 14, 2010 Updated:October 18, 2010
Description: From the Red Hat bugzilla:

UNINSTALL PLUGIN, looking in the mysql_uninstall_plugin() function shows that there is no code at all for checking required privileges. This means that ANY user, even a user with no privileges, can uninstall ANY plugin. (At least plugins that are loaded dynamically.)

Alerts:
Ubuntu USN-1397-1 mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 2012-03-12
Gentoo 201201-02 mysql 2012-01-05
openSUSE openSUSE-SU-2010:0730-1 mysql 2010-10-18
Ubuntu USN-950-1 mysql-dfsg-5.0, mysql-dfsg-5.1 2010-06-09
Pardus 2010-73 mysql-server 2010-06-04
Fedora FEDORA-2010-7414 mysql 2010-04-27
Fedora FEDORA-2010-7355 mysql 2010-04-27

Comments (none posted)

phpgroupware: multiple vulnerabilities

Package(s):phpgroupware CVE #(s):CVE-2010-0403 CVE-2010-0404
Created:May 14, 2010 Updated:May 19, 2010
Description: From the Debian advisory:

Several remote vulnerabilities have been discovered in phpgroupware, a Web based groupware system written in PHP. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2010-0403: A local file inclusion vulnerability allows remote attackers to execute arbitrary PHP code and include arbitrary local files.

CVE-2010-0404: Multiple SQL injection vulnerabilities allows remote attackers to execute arbitrary SQL commands.

Alerts:
Debian DSA-2046-1 phpgroupware 2010-05-13

Comments (none posted)

php-ZendFramework: multiple vulnerabilities

Package(s):php-ZendFramework CVE #(s):
Created:May 14, 2010 Updated:May 19, 2010
Description: From the ZendFrameWork advisory:

In mid-March, 2010, the Dojo Foundation issued a Security Advisory indicating potential security issues with specific files in Dojo Toolkit. Details of the advisory may be found on the Dojo website:

http://dojotoolkit.org/blog/post/dylan/2010/03/dojo...

In particular, several files in the Dojo tree were identified as having potential exploits, and the Dojo team also advised disabling or removing any PHP scripts in the tree when deploying to production.

Alerts:
Fedora FEDORA-2010-8498 php-ZendFramework 2010-05-13
Fedora FEDORA-2010-8495 php-ZendFramework 2010-05-13

Comments (none posted)

pidgin: denial of service

Package(s):pidgin CVE #(s):CVE-2010-1624
Created:May 18, 2010 Updated:November 4, 2010
Description: From the Mandriva advisory:

The msn_emoticon_msg function in slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.7.0 allows remote attackers to cause a denial of service (application crash) via a custom emoticon in a malformed SLP message.

Alerts:
Ubuntu USN-1014-1 pidgin 2010-11-04
Red Hat RHSA-2010:0788-01 pidgin 2010-10-21
CentOS CESA-2010:0788 pidgin 2010-10-25
CentOS CESA-2010:0788 pidgin 2010-10-21
Fedora FEDORA-2010-8524 pidgin 2010-05-13
Fedora FEDORA-2010-8523 pidgin 2010-05-13
Slackware SSA:2010-138-01 pidgin 2010-05-19
Mandriva MDVSA-2010:097 pidgin 2010-05-18
Pardus 2010-69 pidgin 2010-06-04
MeeGo MeeGo-SA-10:08 pidgin 2010-07-07

Comments (none posted)

PostgreSQL: possible code execution

Package(s):postgresql CVE #(s):CVE-2010-1169 CVE-2010-1170
Created:May 19, 2010 Updated:October 28, 2010
Description: The PostgreSQL project has released versions 8.4.4, 8.3.11, 8.2.17, 8.1.21, 8.0.25, and 7.4.29. This update fixes potential code execution flaws in the PL/perl and PL/tcl modules.
Alerts:
Gentoo 201110-22 postgresql-base 2011-10-25
Fedora FEDORA-2010-16004 sepostgresql 2010-10-08
SUSE SUSE-SR:2010:014 OpenOffice_org, apache2-slms, aria2, bogofilter, cifs-mount/samba, clamav, exim, ghostscript-devel, gnutls, krb5, kvirc, lftp, libpython2_6-1_0, libtiff, libvorbis, lxsession, mono-addon-bytefx-data-mysql/bytefx-data-mysql, moodle, openldap2, opera, otrs, popt, postgresql, python-mako, squidGuard, vte, w3m, xmlrpc-c, XFree86/xorg-x11, yast2-webclient 2010-08-02
CentOS CESA-2010:0430 postgresql84 2010-05-28
CentOS CESA-2010:0429 postgresql 2010-05-28
Pardus 2010-74 postgresql-server 2010-06-04
Debian DSA-2051-1 postgresql-8.3 2010-05-24
CentOS CESA-2010:0428 postgresql 2010-05-22
CentOS CESA-2010:0427 postgresql 2010-05-22
Ubuntu USN-942-1 postgresql-8.1, postgresql-8.3, postgresql-8.4 2010-05-21
Mandriva MDVSA-2010:103 postgresql 2010-05-20
Red Hat RHSA-2010:0427-01 postgresql 2010-05-19
Red Hat RHSA-2010:0430-01 postgresql84 2010-05-19
Fedora FEDORA-2010-8715 postgresql 2010-05-18
Red Hat RHSA-2010:0429-01 postgresql 2010-05-19
Red Hat RHSA-2010:0428-01 postgresql 2010-05-19
Fedora FEDORA-2010-8723 postgresql 2010-05-18
openSUSE openSUSE-SU-2010:0371-1 postgresql 2010-07-14

Comments (none posted)

qt: multiple vulnerabilities

Package(s):qt CVE #(s):CVE-2010-0648 CVE-2010-0656
Created:May 17, 2010 Updated:March 2, 2011
Description: From the CVE entries:

Mozilla Firefox, possibly before 3.6, allows remote attackers to discover a redirect's target URL, for the session of a specific user of a web site, by placing the site's URL in the HREF attribute of a stylesheet LINK element, and then reading the document.styleSheets[0].href property value, related to an IFRAME element. (CVE-2010-0648)

WebKit before r51295, as used in Google Chrome before 4.0.249.78, presents a directory-listing page in response to an XMLHttpRequest for a file:/// URL that corresponds to a directory, which allows attackers to obtain sensitive information or possibly have unspecified other impact via a crafted local HTML document. (CVE-2010-0656)

Alerts:
Gentoo 201301-01 firefox 2013-01-07
Mandriva MDVSA-2011:039 webkit 2011-03-02
SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25
openSUSE openSUSE-SU-2011:0024-1 webkit 2011-01-12
Fedora FEDORA-2010-8379 qt 2010-05-11
Fedora FEDORA-2010-8360 qt 2010-05-11

Comments (3 posted)

quake3: multiple vulnerabilities

Package(s):quake3 CVE #(s):
Created:May 17, 2010 Updated:May 19, 2010
Description: From the Red Hat bugzilla:

Based on search started from http://bugs.gentoo.org/show_bug.cgi?id=222119, it seems that tremulous packages as shipped in Fedora contains multiple unfixed security issues, that were previously addressed in Quake3.

Alerts:
Fedora FEDORA-2010-8558 quake3 2010-05-15

Comments (none posted)

wireshark: denial of service

Package(s):wireshark CVE #(s):CVE-2010-1455
Created:May 18, 2010 Updated:April 19, 2011
Description: From the Pardus advisory:

The DOCSIS dissector in Wireshark 0.9.6 through 1.0.12 and 1.2.0 through 1.2.7 allows user-assisted remote attackers to cause a denial of service (application crash) via a malformed packet trace file.

Alerts:
SUSE SUSE-SR:2011:007 NetworkManager, OpenOffice_org, apache2-slms, dbus-1-glib, dhcp/dhcpcd/dhcp6, freetype2, kbd, krb5, libcgroup, libmodplug, libvirt, mailman, moonlight-plugin, nbd, openldap2, pure-ftpd, python-feedparser, rsyslog, telepathy-gabble, wireshark 2011-04-19
SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25
openSUSE openSUSE-SU-2011:0010-2 wireshark 2011-01-12
SUSE SUSE-SR:2011:001 finch/pidgin, libmoon-devel/moonlight-plugin, libsmi, openssl, perl-CGI-Simple, supportutils, wireshark 2011-01-11
openSUSE openSUSE-SU-2011:0010-1 wireshark 2011-01-04
Fedora FEDORA-2010-13427 wireshark 2010-08-24
CentOS CESA-2010:0625 wireshark 2010-08-27
CentOS CESA-2010:0625 wireshark 2010-08-23
Red Hat RHSA-2010:0625-01 wireshark 2010-08-11
Gentoo 201006-05 wireshark 2010-06-01
Mandriva MDVSA-2010:099 wireshark 2010-05-18
Pardus 2010-61 wireshark 2010-05-18

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>


Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds