
Security

The end of OpenID?

By Jake Edge
February 2, 2011

Last week's Security page had a quote from 37signals about its decision to drop support for OpenID. Since then there have been several postings that purport to explain the problems with OpenID and why it never gained much traction. One of the better analyses comes from Wired's webmonkey blog, which calls OpenID "The Web's Most Successful Failure". So, why hasn't OpenID taken the world by storm?

OpenID set out to solve, or help solve, the "single sign-on" (SSO) problem, so that users could have a single identity that they used with multiple web sites. But OpenID is more than that, because it allows users, rather than web sites, to decide how much personal information needs to be shared. It is this user-centric nature of OpenID that may be leading to its downfall.

We have looked at OpenID several times over the years, including an overview in 2006, and a look at OpenID 2.0 in 2007. By the time we looked at the OpenID Connect proposal back in June, the problems with users being able to control the amount of information provided to web sites were becoming evident. It was, in fact, a major reason that OpenID Connect was proposed.

While OpenID is by no means perfect, the resistance to its adoption is not necessarily completely technical. Other OAuth-based schemes have become much more popular at least in part because web site operators get access to much more personal information by default than they get when users log in with OpenID. Even site-specific registration tends to extract more information (email address, full name, and so on). Because that kind of information is valuable to web site operators—and willingly given up by the vast majority of users—OpenID users are seen to be "less valuable", as OpenID Connect developer Chris Messina pointed out. The Wired blog post put it this way:

Web publishers never warmed to OpenID since it allows a user to log in to a website and leave a comment on a story, a blog post or a photo while essentially remaining anonymous to the publisher. That anonymous aspect has made OpenID less attractive to publishers who want to collect more data about their readers or interact with them — whether that means following them on Twitter, connecting with them on Facebook or sending them e-mail.

But one of the main alternatives to OpenID—one that has seen much more adoption—is Facebook Connect (though the "Connect" part of the name has largely been dropped). As that name would imply, it is run by Facebook, which is an organization that is not noted for its interest in preserving user privacy. One hopes that the pervasiveness of Facebook sign-ons will have some boundaries. While it does solve the SSO problem for Facebook users, in a fairly uncomplicated way, it would be horrifying to be greeted by your bank's log-in screen asking for your Facebook ID.

OpenID suffers from some design flaws, using a URL as the OpenID identifier being one of the most prominent, but its Achilles heel is that it is complicated for users, beyond just remembering their OpenID URL(s). An additional problem is that some of the larger web services were only interested in being OpenID providers (i.e. using their URLs to log in elsewhere), and weren't particularly interested in being "relying parties" (i.e. taking OpenID URLs from elsewhere to allow users to log in). This asymmetric "support" for OpenID further muddied the waters for users.

At this point, though, we may well have seen the crest of the OpenID wave. Wired posits it being incorporated into Mozilla's (and other browser makers') efforts to move identity management into the browser itself. That would allow the browser to route around the individual web site log-in screens and authenticate the user behind the scenes, so OpenID could be used in a far less complicated manner.

In the end, OpenID is targeted at users who value their privacy and want to take control of their internet identities—two traits that seem to be in short supply for many users. Facebook Connect (and the Twitter equivalent) leverage huge user bases to make adoption by other web sites very attractive. Though there is evidently still some user confusion about using those authentication methods, the experience is more straightforward than OpenID.

So, where do we go from here? The US government is starting to make noise about trusted internet identities, which might provide an alternative SSO solution—though not without privacy (and other) concerns of its own. LWN has implemented OpenID relying party support, though there is still some work and testing to do before we can roll it out. The 37signals announcement and the related chatter seem likely to turn off some other sites that were considering OpenID support.

It is tempting to call OpenID a failure, and to some extent it is, but it has some compelling ideas, at least for technically (and privacy) savvy users. But the features that are most attractive to those users are precisely those that web site operators wish to avoid—anonymous/pseudonymous authentication doesn't play well with their business models. For sites like LWN, where registration doesn't require any personal information, the barriers to adoption are likely to be things like available developer time (that's certainly the case here). In addition, there has always been some interest from our readers in OpenID support but it never seemed to garner a critical mass clamoring for it. If OpenID had taken off the way many hoped it would, supporting it would have become a much higher priority for LWN and lots of other sites.

As Wired notes, OpenID was ahead of its time. It suffered from some technical problems—what new protocol doesn't?—but those could have been fixed if there had been some groundswell of interest from users or web sites. Since that didn't happen, it's probably time to start thinking about other SSO options that aren't controlled by companies or governments. Without a solution that is under individual control, we risk being herded into systems that cater to the needs of these large organizations—with all the dangers to internet freedom that implies.

Comments (29 posted)

Brief items

Security quote of the week

Shutting WikiLeaks down won't stop government secrets from leaking any more than shutting Napster down stopped illegal filesharing.
-- Bruce Schneier

Comments (none posted)

Sony Wins TRO, Impoundment (Groklaw)

Groklaw has an in-depth look at the temporary restraining order [PDF] granted on January 26 to Sony against George Hotz for restoring the ability to run Linux on PlayStation 3 consoles. "Hotz is also ordered to hand over to Sony "any computers, hard drives, CD-roms, DVDs, USB stick, or any other storage devices on which any Circumvention Devices are stored" in his "possession, custody or control." I guess it's off with his head, too, then, because he surely knows how to do what he did. People who live in countries that don't have the DMCA also know. Just saying. [...] I would have thought Sony would be more technically clueful about the Internet, but what they do well is get the law to help them out. That's the purpose of the DMCA, if you think about it, to scare people so they won't do what they otherwise can do. So Hotz is in some hot water at the moment, I'd say, an object lesson, and it'll stay that way until the hearing, a date for which is not yet chosen. And from my reading, I'd say after that too, at least with this judge."

Comments (22 posted)

Egypt Leaves the Internet (Renesys blog)

In an unprecedented move, Egypt has completely removed itself from the internet, presumably in response to gathering unrest there, as reported by Renesys. US (and other) politicians will undoubtedly look on this as a validation of the "internet kill switch" idea (pushed by Connecticut senator Joe Lieberman among others). "At 22:34 UTC (00:34am local time), Renesys observed the virtually simultaneous withdrawal of all routes to Egyptian networks in the Internet's global routing table. Approximately 3,500 individual BGP routes were withdrawn, leaving no valid paths by which the rest of the world could continue to exchange Internet traffic with Egypt's service providers. Virtually all of Egypt's Internet addresses are now unreachable, worldwide."

Comments (38 posted)

Sourceforge Attack: Full Report

Sourceforge.net briefly reported an attack on its infrastructure on Thursday January 27 that resulted in some services (CVS, interactive ssh shells, and others) being suspended. More details were released on January 29, which show that the attack exploited a privilege escalation to root in one of the Sourceforge services. "It’s better to be safe than sorry, so we’ve decided to perform a comprehensive validation of project data from file releases, to SCM commits. We will compare data [against] pre-attack backups, and will identify changed and added. We will review that data, and will also refer anything suspicious to individual project teams for further assessment as needed. [...] The validation work is a precaution, because while we don’t have evidence of any data tampering, we’d much prefer to burn a bunch of CPU cycles verifying everything than to discover later that some extra special trickery led to some undetected badness."

Comments (3 posted)

Nmap 5.50 released

With an amusing title, "Nmap 5.50: Now with Gopher protocol support!", Nmap lead Fyodor announced the most recent release of the network exploration tool on January 28. It does indeed come with Gopher support, but other new features may be of wider interest: "A primary focus of this release is the Nmap Scripting Engine, which has allowed Nmap to expand up the protocol stack and take network discovery to the next level. Nmap can now query all sorts of application protocols, including web servers, databases, DNS servers, FTP, and now even Gopher servers! Remember those? These capabilities are in self-contained libraries and scripts to avoid bloating Nmap's core engine."

Comments (none posted)

New vulnerabilities

calibre: cross-site scripting and file disclosure

Package(s): calibre
CVE #(s):
Created: February 2, 2011
Updated: February 2, 2011
Description: The calibre ebook management program suffers from directory traversal and cross-site scripting vulnerabilities; see this advisory for more information.
Alerts:
openSUSE openSUSE-SU-2011:0086-1 calibre 2011-01-31

Comments (none posted)

chm2pdf: two insecure tmp file flaws

Package(s): chm2pdf
CVE #(s): CVE-2008-5298 CVE-2008-5299
Created: January 28, 2011
Updated: February 2, 2011
Description:

From the Red Hat bugzilla entries [1, 2]:

chm2pdf 0.9 uses temporary files in directories with fixed names, which allows local users to cause a denial of service (chm2pdf failure) of other users by creating those directories ahead of time. (CVE-2008-5298)

chm2pdf 0.9 allows user-assisted local users to delete arbitrary files via a symlink attack on .chm files in the (1) /tmp/chm2pdf/work or (2) /tmp/chm2pdf/orig temporary directories. (CVE-2008-5299)

Alerts:
Fedora FEDORA-2011-0454 chm2pdf 2011-01-17
Fedora FEDORA-2011-0467 chm2pdf 2011-01-17
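
The fixed-name temporary directory problem described above, as an added example (not chm2pdf's own code): it contrasts a predictable shared path with a private `mkdtemp` directory and an ownership check before cleanup. The function names and the sandbox layout are hypothetical, and the pre-existing symlink is a constructed scenario.

```python
import os
import shutil
import stat
import tempfile


def fixed_workdir(tmp_root):
    """Risky pattern from the advisory: a predictable path shared by all users."""
    path = os.path.join(tmp_root, "chm2pdf", "work")
    os.makedirs(path, exist_ok=True)  # silently accepts whatever is already there
    return path


def private_workdir(tmp_root=None):
    """Hardened pattern: unpredictable name, created atomically with mode 0700."""
    return tempfile.mkdtemp(prefix="chm2pdf-", dir=tmp_root)


def is_private_dir(path):
    """True only for a real directory (not a symlink) that we own and nobody else can enter."""
    st = os.lstat(path)  # lstat: do not follow a symlink at the final component
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.geteuid()
            and (st.st_mode & 0o077) == 0)


def remove_workdir(path):
    """Delete a work directory only if it passes the ownership checks."""
    if not is_private_dir(path):
        raise PermissionError(f"refusing to clean up untrusted path: {path}")
    shutil.rmtree(path)  # rmtree unlinks symlinks inside the tree without following them


def demo():
    """Run both patterns inside a throwaway sandbox standing in for /tmp."""
    sandbox = tempfile.mkdtemp(prefix="tmp-sandbox-")
    try:
        # Constructed scenario: the fixed name already exists as a symlink
        # pointing at a directory that holds someone's data.
        other = os.path.join(sandbox, "other-data")
        os.mkdir(other)
        keep = os.path.join(other, "keep.txt")
        with open(keep, "w") as fh:
            fh.write("important\n")
        os.symlink(other, os.path.join(sandbox, "chm2pdf"))

        work = fixed_workdir(sandbox)
        redirected = os.path.realpath(work).startswith(os.path.realpath(other) + os.sep)
        fixed_trusted = is_private_dir(os.path.join(sandbox, "chm2pdf"))

        safe = private_workdir(sandbox)
        safe_trusted = is_private_dir(safe)
        remove_workdir(safe)

        try:
            remove_workdir(os.path.join(sandbox, "chm2pdf"))
            cleanup_refused = False
        except PermissionError:
            cleanup_refused = True

        return {
            "fixed_path_redirected": redirected,
            "fixed_path_trusted": fixed_trusted,
            "private_dir_trusted": safe_trusted,
            "untrusted_cleanup_refused": cleanup_refused,
            "other_file_intact": os.path.exists(keep),
        }
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```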

Comments (none posted)

kernel: denial of service

Package(s): linux-2.6 kernel
CVE #(s): CVE-2010-4342
Created: January 31, 2011
Updated: August 9, 2011
Description: The econet protocol implementation can enable a remote attacker to oops the kernel with a maliciously-crafted UDP packet.
Alerts:
openSUSE openSUSE-SU-2013:0927-1 kernel 2013-06-10
Ubuntu USN-1187-1 kernel 2011-08-09
Ubuntu USN-1167-1 linux 2011-07-13
Ubuntu USN-1159-1 linux-mvl-dove 2011-07-13
Ubuntu USN-1162-1 linux-mvl-dove 2011-06-29
Ubuntu USN-1164-1 linux-fsl-imx51 2011-07-06
Ubuntu USN-1141-1 linux, linux-ec2 2011-05-31
Ubuntu USN-1133-1 linux 2011-05-24
SUSE SUSE-SA:2011:017 kernel 2011-04-18
openSUSE openSUSE-SU-2011:0346-1 kernel 2011-04-18
Ubuntu USN-1111-1 linux-source-2.6.15 2011-05-05
SUSE SUSE-SA:2011:015 kernel 2011-03-24
SUSE SUSE-SA:2011:012 kernel 2011-03-08
Ubuntu USN-1081-1 linux 2011-03-02
Ubuntu USN-1119-1 linux-ti-omap4 2011-04-20
SUSE SUSE-SA:2011:008 kernel 2011-02-11
openSUSE openSUSE-SU-2011:0399-1 kernel 2011-04-28
Debian DSA-2153-1 linux-2.6 kernel 2011-01-30

Comments (none posted)

kernel: privilege escalation

Package(s): linux-2.6 kernel
CVE #(s): CVE-2010-4346
Created: January 31, 2011
Updated: August 9, 2011
Description: A kernel vulnerability allows an attacker to bypass the mmap_min_addr restriction and map user-space memory at the null address.
Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
Ubuntu USN-1187-1 kernel 2011-08-09
Ubuntu USN-1167-1 linux 2011-07-13
Ubuntu USN-1164-1 linux-fsl-imx51 2011-07-06
SUSE SUSE-SA:2011:017 kernel 2011-04-18
openSUSE openSUSE-SU-2011:0346-1 kernel 2011-04-18
CentOS CESA-2011:0429 kernel 2011-04-14
Red Hat RHSA-2011:0429-01 kernel 2011-04-12
Red Hat RHSA-2011:0421-01 kernel 2011-04-07
Ubuntu USN-1105-1 linux 2011-04-05
Ubuntu USN-1093-1 linux-mvl-dove 2011-03-25
Red Hat RHSA-2011:0330-01 kernel-rt 2011-03-10
Fedora FEDORA-2011-2134 kernel 2011-02-24
SUSE SUSE-SA:2011:012 kernel 2011-03-08
Ubuntu USN-1119-1 linux-ti-omap4 2011-04-20
Ubuntu USN-1080-2 linux-ec2 2011-03-02
Ubuntu USN-1081-1 linux 2011-03-02
Ubuntu USN-1080-1 linux 2011-03-01
openSUSE openSUSE-SU-2011:0399-1 kernel 2011-04-28
Mandriva MDVSA-2011:029 kernel 2011-02-17
Fedora FEDORA-2011-1138 kernel 2011-02-07
Debian DSA-2153-1 linux-2.6 kernel 2011-01-30

Comments (none posted)

kernel: privilege escalation

Package(s): linux-2.6 kernel
CVE #(s): CVE-2010-4527
Created: January 31, 2011
Updated: August 9, 2011
Description: Two vulnerabilities in the OSS sound card drivers can facilitate local information disclosure or privileged code execution.
Alerts:
Ubuntu USN-1187-1 kernel 2011-08-09
Ubuntu USN-1167-1 linux 2011-07-13
Ubuntu USN-1164-1 linux-fsl-imx51 2011-07-06
Scientific Linux SL-kern-20110216 kernel 2011-02-16
Ubuntu USN-1133-1 linux 2011-05-24
SUSE SUSE-SA:2011:017 kernel 2011-04-18
openSUSE openSUSE-SU-2011:0346-1 kernel 2011-04-18
Ubuntu USN-1111-1 linux-source-2.6.15 2011-05-05
Ubuntu USN-1093-1 linux-mvl-dove 2011-03-25
SUSE SUSE-SA:2011:015 kernel 2011-03-24
SUSE SUSE-SA:2011:012 kernel 2011-03-08
Ubuntu USN-1080-2 linux-ec2 2011-03-02
Ubuntu USN-1081-1 linux 2011-03-02
Ubuntu USN-1080-1 linux 2011-03-01
Ubuntu USN-1119-1 linux-ti-omap4 2011-04-20
Red Hat RHSA-2011:0263-01 kernel 2011-02-16
SUSE SUSE-SA:2011:008 kernel 2011-02-11
openSUSE openSUSE-SU-2011:0399-1 kernel 2011-04-28
Debian DSA-2153-1 linux-2.6 kernel 2011-01-30

Comments (none posted)

kernel: information disclosure

Package(s): linux-2.6 kernel
CVE #(s): CVE-2010-4529
Created: January 31, 2011
Updated: August 9, 2011
Description: A vulnerability in the IrDA socket implementation (on non-x86 systems) can leak some kernel memory to user space.
Alerts:
openSUSE openSUSE-SU-2013:0927-1 kernel 2013-06-10
Ubuntu USN-1187-1 kernel 2011-08-09
Ubuntu USN-1167-1 linux 2011-07-13
Ubuntu USN-1159-1 linux-mvl-dove 2011-07-13
Ubuntu USN-1162-1 linux-mvl-dove 2011-06-29
Ubuntu USN-1164-1 linux-fsl-imx51 2011-07-06
Ubuntu USN-1160-1 kernel 2011-06-28
Ubuntu USN-1141-1 linux, linux-ec2 2011-05-31
Ubuntu USN-1133-1 linux 2011-05-24
SUSE SUSE-SA:2011:017 kernel 2011-04-18
openSUSE openSUSE-SU-2011:0346-1 kernel 2011-04-18
Ubuntu USN-1111-1 linux-source-2.6.15 2011-05-05
SUSE SUSE-SA:2011:015 kernel 2011-03-24
Ubuntu USN-1119-1 linux-ti-omap4 2011-04-20
SUSE SUSE-SA:2011:012 kernel 2011-03-08
SUSE SUSE-SA:2011:008 kernel 2011-02-11
openSUSE openSUSE-SU-2011:0399-1 kernel 2011-04-28
Debian DSA-2153-1 linux-2.6 kernel 2011-01-30

Comments (none posted)

kernel: information disclosure

Package(s): linux-2.6 kernel
CVE #(s): CVE-2010-4565
Created: January 31, 2011
Updated: August 9, 2011
Description: The CAN protocol implementation can leak the address of a kernel data structure, possibly making exploitation of another vulnerability easier.
Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
Ubuntu USN-1202-1 linux-ti-omap4 2011-09-13
Ubuntu USN-1187-1 kernel 2011-08-09
Ubuntu USN-1167-1 linux 2011-07-13
Ubuntu USN-1159-1 linux-mvl-dove 2011-07-13
Ubuntu USN-1162-1 linux-mvl-dove 2011-06-29
Ubuntu USN-1164-1 linux-fsl-imx51 2011-07-06
Ubuntu USN-1160-1 kernel 2011-06-28
Ubuntu USN-1141-1 linux, linux-ec2 2011-05-31
Red Hat RHSA-2011:0330-01 kernel-rt 2011-03-10
Red Hat RHSA-2011:0498-01 kernel 2011-05-10
Mandriva MDVSA-2011:029 kernel 2011-02-17
Debian DSA-2153-1 linux-2.6 kernel 2011-01-30

Comments (none posted)

kernel: denial of service

Package(s): linux-2.6 kernel
CVE #(s): CVE-2010-4649
Created: January 31, 2011
Updated: October 24, 2012
Description: A buffer overflow in the InfiniBand subsystem may allow local users to corrupt memory and oops the system.
Alerts:
Ubuntu USN-1204-1 linux-fsl-imx51 2011-09-13
Ubuntu USN-1202-1 linux-ti-omap4 2011-09-13
Ubuntu USN-1187-1 kernel 2011-08-09
Ubuntu USN-1186-1 kernel 2011-08-09
Scientific Linux SL-kern-20110715 kernel 2011-07-15
CentOS CESA-2011:0927 kernel 2011-07-18
Red Hat RHSA-2011:0927-01 kernel 2011-07-15
Ubuntu USN-1167-1 linux 2011-07-13
SUSE SUSE-SA:2011:017 kernel 2011-04-18
openSUSE openSUSE-SU-2011:0346-1 kernel 2011-04-18
Ubuntu USN-1093-1 linux-mvl-dove 2011-03-25
Red Hat RHSA-2011:0330-01 kernel-rt 2011-03-10
Fedora FEDORA-2011-2134 kernel 2011-02-24
Ubuntu USN-1080-2 linux-ec2 2011-03-02
Ubuntu USN-1081-1 linux 2011-03-02
Ubuntu USN-1080-1 linux 2011-03-01
Red Hat RHSA-2011:0498-01 kernel 2011-05-10
Fedora FEDORA-2011-1138 kernel 2011-02-07
openSUSE openSUSE-SU-2011:0399-1 kernel 2011-04-28
Debian DSA-2153-1 linux-2.6 kernel 2011-01-30

Comments (none posted)

kernel: privilege escalation

Package(s): kernel
CVE #(s): CVE-2010-4656
Created: January 31, 2011
Updated: August 9, 2011
Description: A buffer in the I/O-Warrior driver may enable a privilege escalation exploit by local users.
Alerts:
openSUSE openSUSE-SU-2013:0927-1 kernel 2013-06-10
Ubuntu USN-1202-1 linux-ti-omap4 2011-09-13
Ubuntu USN-1187-1 kernel 2011-08-09
Ubuntu USN-1164-1 linux-fsl-imx51 2011-07-06
Ubuntu USN-1160-1 kernel 2011-06-28
Ubuntu USN-1146-1 kernel 2011-06-09
Ubuntu USN-1141-1 linux, linux-ec2 2011-05-31
Red Hat RHSA-2011:0421-01 kernel 2011-04-07
SUSE SUSE-SA:2011:019 kernel 2011-04-28
Red Hat RHSA-2011:0330-01 kernel-rt 2011-03-10
openSUSE openSUSE-SU-2011:0399-1 kernel 2011-04-28
Debian DSA-2153-1 linux-2.6 kernel 2011-01-30

Comments (none posted)

kernel: denial of service

Package(s): kernel
CVE #(s): CVE-2011-0521
Created: January 31, 2011
Updated: August 9, 2011
Description: The AV7110 driver does not properly check user input, enabling the corruption of memory and a local denial-of-service attack.
Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
openSUSE openSUSE-SU-2013:0927-1 kernel 2013-06-10
Ubuntu USN-1202-1 linux-ti-omap4 2011-09-13
Ubuntu USN-1187-1 kernel 2011-08-09
Ubuntu USN-1167-1 linux 2011-07-13
Ubuntu USN-1164-1 linux-fsl-imx51 2011-07-06
Ubuntu USN-1160-1 kernel 2011-06-28
Scientific Linux SL-kern-20110216 kernel 2011-02-16
Ubuntu USN-1141-1 linux, linux-ec2 2011-05-31
Ubuntu USN-1133-1 linux 2011-05-24
Ubuntu USN-1111-1 linux-source-2.6.15 2011-05-05
SUSE SUSE-SA:2011:017 kernel 2011-04-18
openSUSE openSUSE-SU-2011:0346-1 kernel 2011-04-18
CentOS CESA-2011:0429 kernel 2011-04-14
Red Hat RHSA-2011:0429-01 kernel 2011-04-12
Red Hat RHSA-2011:0421-01 kernel 2011-04-07
SUSE SUSE-SA:2011:019 kernel 2011-04-28
SUSE SUSE-SA:2011:015 kernel 2011-03-24
openSUSE openSUSE-SU-2011:0416-1 kernel 2011-04-29
Red Hat RHSA-2011:0330-01 kernel-rt 2011-03-10
Fedora FEDORA-2011-2134 kernel 2011-02-24
Red Hat RHSA-2011:0263-01 kernel 2011-02-16
Fedora FEDORA-2011-1138 kernel 2011-02-07
openSUSE openSUSE-SU-2011:0399-1 kernel 2011-04-28
Debian DSA-2153-1 linux-2.6 kernel 2011-01-30

Comments (none posted)

myproxy: invalid certificate hostname check

Package(s): myproxy
CVE #(s):
Created: January 27, 2011
Updated: February 2, 2011
Description:

From the MyProxy advisory:

The myproxy-logon program (also called myproxy-get-delegation) in MyProxy versions 5.0 through 5.2 does not abort connections when it finds that the myproxy-server's certificate is valid and signed by a trusted certification authority but the certificate does not contain the expected hostname (or identity given in the MYPROXY_SERVER_DN environment variable), unless the myproxy-logon -T or myproxy-logon -b options are given.

Alerts:
Fedora FEDORA-2011-0514 myproxy 2011-01-18
Fedora FEDORA-2011-0512 myproxy 2011-01-18

Comments (none posted)

openjdk: privilege escalation

Package(s): openjdk
CVE #(s): CVE-2011-0025
Created: February 2, 2011
Updated: June 15, 2011
Description: The IcedTea openjdk implementation does not properly verify signatures on JAR files in some situations, allowing an attacker to run code which appears to be from a trusted source.
Alerts:
Gentoo 201406-32 icedtea-bin 2014-06-29
Mandriva MDVSA-2011:054 java-1.6.0-openjdk 2011-03-27
SUSE SUSE-SR:2011:003 gnutls, tomcat6, perl-CGI-Simple, pcsc-lite, obs-server, dhcp, java-1_6_0-openjdk, opera 2011-02-08
Debian DSA-2224-1 openjdk-6 2011-04-20
openSUSE openSUSE-SU-2011:0102-1 java-1_6_0-openjdk 2011-02-07
Ubuntu USN-1055-1 openjdk-6, openjdk-6b18 2011-02-01

Comments (none posted)

pango: code execution

Package(s): pango
CVE #(s): CVE-2011-0020
Created: January 27, 2011
Updated: April 1, 2011
Description:

From the Pango advisory:

An input sanitization flaw, leading to a heap-based buffer overflow, was found in the way Pango displayed font files when using the FreeType font engine back end. If a user loaded a malformed font file with an application that uses Pango, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0020)

Alerts:
Gentoo 201405-13 pango 2014-05-17
SUSE SUSE-SR:2011:005 hplip, perl, subversion, t1lib, bind, tomcat5, tomcat6, avahi, gimp, aaa_base, build, libtiff, krb5, nbd, clamav, aaa_base, flash-player, pango, openssl, subversion, postgresql, logwatch, libxml2, quagga, fuse, util-linux 2011-04-01
openSUSE openSUSE-SU-2011:0221-1 pango 2011-03-24
Ubuntu USN-1082-1 pango1.0 2011-03-02
Pardus 2011-42 pango pango-docs 2011-02-14
CentOS CESA-2011:0180 pango 2011-02-04
Red Hat RHSA-2011:0180-01 pango 2011-01-27

Comments (none posted)

perl-CGI-Simple: HTTP response splitting

Package(s): perl-CGI-Simple
CVE #(s): CVE-2010-4410
Created: January 28, 2011
Updated: December 9, 2011
Description:

From the CVE entry:

CRLF injection vulnerability in the header function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors related to non-whitespace characters preceded by newline characters, a different vulnerability than CVE-2010-2761 and CVE-2010-3172.

Alerts:
Oracle ELSA-2011-1797 perl 2011-12-08
Oracle ELSA-2011-1797 perl 2011-12-08
Scientific Linux SL-perl-20111208 perl 2011-12-08
CentOS CESA-2011:1797 perl 2011-12-09
CentOS CESA-2011:1797 perl 2011-12-09
Red Hat RHSA-2011:1797-01 perl 2011-12-08
SUSE SUSE-SR:2011:005 hplip, perl, subversion, t1lib, bind, tomcat5, tomcat6, avahi, gimp, aaa_base, build, libtiff, krb5, nbd, clamav, aaa_base, flash-player, pango, openssl, subversion, postgresql, logwatch, libxml2, quagga, fuse, util-linux 2011-04-01
SUSE SUSE-SR:2011:003 gnutls, tomcat6, perl-CGI-Simple, pcsc-lite, obs-server, dhcp, java-1_6_0-openjdk, opera 2011-02-08
Red Hat RHSA-2011:0558-01 perl 2011-05-19
Ubuntu USN-1129-1 perl 2011-05-03
Fedora FEDORA-2011-0654 perl-CGI 2011-01-21
Fedora FEDORA-2011-0653 perl-CGI-Simple 2011-01-21
Fedora FEDORA-2011-0631 perl-CGI-Simple 2011-01-21
openSUSE openSUSE-SU-2011:0083-1 perl-CGI-Simple 2011-01-28
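
The distinction the CVE entry above draws, a newline followed by whitespace versus a newline followed by a non-whitespace character, shown as an added example in Python (not the CGI.pm or CGI::Simple code): folded continuation lines are unfolded, and any line break that remains is refused. The function names and the sample header values are constructed for illustration.

```python
import re

# Characters allowed in a header field name (the RFC 7230 "token" set).
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# A line break followed by space/tab is a folded continuation, not a new header.
_FOLD = re.compile(r"(?:\r\n|\r|\n)[ \t]+")


def clean_header_value(value):
    """Unfold continuation lines, then refuse any line break that remains."""
    unfolded = _FOLD.sub(" ", value)
    if "\r" in unfolded or "\n" in unfolded:
        # What is left is a newline followed by a non-whitespace character
        # (or a trailing newline): emitted as-is it would start a new header
        # line or end the header block early.
        raise ValueError("line break in header value")
    return unfolded


def render_headers(fields):
    """Serialize (name, value) pairs into an HTTP header block."""
    lines = []
    for name, value in fields:
        if not _TOKEN.fullmatch(name):
            raise ValueError(f"invalid header name: {name!r}")
        lines.append(f"{name}: {clean_header_value(str(value))}")
    return "\r\n".join(lines) + "\r\n\r\n"


def count_header_lines(block):
    """Number of header lines a receiver would see before the blank line."""
    head = block.split("\r\n\r\n", 1)[0]
    return len(head.split("\r\n"))


# Constructed sample inputs.
FOLDED_OK = [("Content-Type", "text/html"),
             ("X-Note", "first part\r\n second part")]
SPLIT_ATTEMPT = [("Location", "/home\r\nSet-Cookie: session=constructed")]


def check_samples():
    """Return (header lines emitted for FOLDED_OK, whether SPLIT_ATTEMPT was refused)."""
    emitted = count_header_lines(render_headers(FOLDED_OK))
    try:
        render_headers(SPLIT_ATTEMPT)
        refused = False
    except ValueError:
        refused = True
    return emitted, refused


if __name__ == "__main__":
    print(check_samples())
```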

Comments (none posted)

proftpd: code execution

Package(s): proftpd
CVE #(s): CVE-2010-4652
Created: January 28, 2011
Updated: March 15, 2011
Description:

From the Red Hat bugzilla entry:

A heap-based buffer overflow flaw was found in the way ProFTPD FTP server prepared SQL queries for certain usernames, when the mod_sql module was enabled. A remote, unauthenticated attacker could use this flaw to cause proftpd daemon to crash or, potentially, to execute arbitrary code with the privileges of the user running 'proftpd' via a specially-crafted username, provided in the authentication dialog.

Alerts:
Gentoo 201309-15 proftpd 2013-09-24
Debian DSA-2191-1 proftpd-dfsg 2011-03-14
Mandriva MDVSA-2011:023 proftpd 2011-02-08
Fedora FEDORA-2011-0610 proftpd 2011-01-20
Fedora FEDORA-2011-0613 proftpd 2011-01-20

Comments (none posted)

wireshark: denial of service

Package(s): wireshark
CVE #(s): CVE-2011-0445
Created: February 1, 2011
Updated: April 19, 2011
Description:

From the Pardus advisory:

The ASN.1 BER dissector in Wireshark 1.4.0 through 1.4.2 allows remote attackers to cause a denial of service (assertion failure) via crafted packets, as demonstrated by fuzz-2010-12-30-28473.pcap.

Alerts:
Gentoo 201110-02 wireshark 2011-10-09
SUSE SUSE-SR:2011:007 NetworkManager, OpenOffice_org, apache2-slms, dbus-1-glib, dhcp/dhcpcd/dhcp6, freetype2, kbd, krb5, libcgroup, libmodplug, libvirt, mailman, moonlight-plugin, nbd, openldap2, pure-ftpd, python-feedparser, rsyslog, telepathy-gabble, wireshark 2011-04-19
Fedora FEDORA-2011-0450 wireshark 2011-01-17
Fedora FEDORA-2011-0460 wireshark 2011-01-17
Pardus 2011-21 wireshark 2011-01-31

Comments (none posted)

Page editor: Jake Edge


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds