User: Password:
|
|
Subscribe / Log in / New account

Security

Certificates and "authorities"

By Jake Edge
September 7, 2011

The more we hear about the DigiNotar certificate situation, the worse it seems to get. What started out looking something like the Comodo incident from last March—a serious breach in its own right—has now turned into damning evidence of almost unimaginably lax security at the DigiNotar certificate authority (CA). That led browser makers to do something unprecedented: not to just blacklist the known-bad certificates that had been issued, but to blacklist any DigiNotar-issued certificate. As it turns out, that was the right response (modulo a short-lived whitelisting of some Dutch government certificates) as the scope of the compromise has just continued to grow.

The certificates in question are SSL/TLS certificates that are used to authenticate and deliver the keys used to encrypt HTTPS traffic. CAs issue certificates for secure web sites and sign them with their own private keys so that browsers can ensure that the certificates are valid. The public half of those CA keys are stored in a browser's "root store". When they decide to include a given CA's root key, browser makers are explicitly trusting certificates signed by those CAs. In the wrong hands, a certificate signed by a trusted root can be easily used to perform man-in-the-middle attacks against users who are accessing the secure site.

Compromise and discovery

The compromise of DigiNotar's certificate signing systems evidently occurred on or before July 19 and once the CA detected the problem, it issued revocations for the certificates that it was able to determine were wrongly issued. DigiNotar evidently did not notify browser makers or others of the compromise and essentially swept the whole thing under the rug. But the attackers, who may have compromised parts of DigiNotar's systems as far back as May 2009, were able to issue certificates that were not detected when the compromise was uncovered.

One of those fake certificates, for *.google.com, was reported to the Gmail help forum by a user in Iran. The user was able to do so because of a Chrome/Chromium browser feature called public key pinning. Essentially, Chrome has a list of the hashes of public keys that are allowed to be used to sign certificates for Google's servers. If one of those public keys is not found in the certificate presented, it is a fatal error, which is what the user observed.

It is fortunate for that user—and now the rest of the internet—that Chrome has that feature. Without it, browsers like Firefox, IE, Safari, and others happily accept the bogus certificate. The evidence seems to point to an effort emanating from Iran—likely sponsored or run by the Iranian government—to generate and then use these certificates for man-in-the-middle attacks against Iranians, particularly those who might be involved in protests or other dissent. The evident link to Iran is one that both the Comodo and DigiNotar attacks share.

Dutch government sites

Once the problem was reported, Google then alerted other browser makers who were generally quick to issue updates (though Safari seems to have lagged) that removed the DigiNotar root certificates from the root store, effectively blacklisting all DigiNotar-issued certificates. There is a wrinkle, however, because some Dutch government sites use certificates that are signed by DigiNotar (which is a Dutch company). A blanket ban of DigiNotar-signed certificates would have affected these sites, so, at the request of the Dutch government, an exemption to the ban was added for Firefox and Chrome. As a Mozilla blog update puts it:

These certificates are issued from a different DigiNotar-controlled intermediate, and chain up to the Dutch government CA (Staat der Nederlanden). The Dutch government's Computer Emergency Response Team (GovCERT) indicated that these certificates are issued independently of DigiNotar's other processes and that, in their assessment, these had not been compromised. The Dutch government therefore requested that we exempt these certificates from the removal of trust, which we agreed to do in our initial security update early this week.

But it seems that the government was a bit hasty in that assessment, because it was fairly quickly revoked. Mozilla described it this way in the update: "The Dutch government has since audited DigiNotar's performance and rescinded this assessment. We are now removing the exemption for these certificates, meaning that all DigiNotar certificates will be untrusted by Mozilla products." In fact, since then, the Dutch government has taken over operational management of DigiNotar, and explicitly "denounces trust in certificates issued by DigiNotar".

This is ugly stuff. The CA model relies on trust and part of that trust is that CAs will zealously guard access to their signing authority. In two recent cases—and it is certainly possible there are other compromises as yet unknown—we have seen that some CAs are not taking enough precautions. As it stands, every time another compromise is discovered, browser makers will have to race around to patch their browsers, then Linux distributions need to get updates out (for Firefox and others), and, finally, users actually need to apply the update.

Unfortunately, it is not just a Google certificate that is out there in the wild. Early reports were that it was just a handful of bad certificates, but as time went on, the number of certificates issued by the attackers using the DigiNotar keys have risen: first to around 200 and now there are reports of as many as 500. Not only were its signing systems compromised, but it would seem that DigiNotar's logging and audit procedures were circumvented as well.

A pastebin posting purporting to be from the attacker (of both DigiNotar and the Comodo affiliate back in March) sheds some light on the extent and motives for the attack. It also indicates that there are four other CAs that have been penetrated, including one that is named: GlobalSign. Since that posting, GlobalSign has, at least temporarily, stopped issuing certificates. Whether that's just based on prudence or whether GlobalSign found evidence of a compromise is unclear. If the pastebin posting is real, however, there are other CAs that are also at risk.

Going forward

For obvious reasons, this recent spate of attacks has raised the profile of the problems inherent in the centralized CA model that is in use today. The central authorities are supposed to reduce the attack surface against SSL/TLS keys, but that depends on the vigilance of those CAs. The number of different CAs trusted by a modern browser is rather eye-opening, and hoping that they will all keep their systems secure is pretty clearly forlorn.

Small CAs, like DigiNotar, can be blacklisted when—if—compromises are discovered, but that's much harder to do for large CAs like Comodo or Verisign, for example. Luckily, detecting bad certificates is relatively easy—easier than figuring out if CAs have been compromised. Since web sites must present their certificate each time an encrypted connection is made, both detection and evidence gathering are fairly straightforward. Chrome's "pinning" feature does that in a limited way, though it still places trust in the CAs that do have signing authority for Google's keys; should any of those CAs be compromised, pinning would not catch them.

The pinning feature is one that other browsers will likely consider adding. Google has made it clear that it will allow other sites to pin their certificates to specific CA keys, and presumably any other browsers that implement it will do the same. However, that may turn Google, Mozilla, and others into the de facto arbiters of certificate authenticity, which may not be a desirable outcome. It is also possible that Chrome and the other browsers could provide a way for sites to do their own pinning via HTTP Strict Transport Security (HSTS) or some other means.

But, other alternatives to the centralized model are certainly being looked at. One that seems to have attracted some attention recently is Moxie Marlinspike's Convergence, which uses "trust notaries" in place of hard-coded lists of CA root keys. These notaries are in multiple locations and compare notes on the certificates that get presented to them, which is an effective way to recognize a certificate-based man-in-the-middle attack. Convergence is a Firefox add-on that is based on ideas from the Perspectives project, along with some of Marlinspike's ideas on trust agility.

We will certainly see more problems with compromised CAs down the road, particularly because governments have shown an interest in acquiring "fake" certificates—and using them against their citizens. It's a problem that is not going away soon and one that needs to be addressed. Building webs of trust implicitly via Convergence/Perspectives or more explicitly using something like Monkeysphere is one possible solution, or piece of a solution. Removing or reducing the trust that we currently place in CAs is pretty much required to be part of any solution, but we've known that for quite some time now. The CAs may not like it, but their stranglehold over the issuance of trusted certificates is likely on its way out.

Comments (52 posted)

Brief items

Security quotes of the week

If you want to be really evil, however, *.google.com is the wrong SSL certificate to forge. The right one? ssl.google-analytics.com.
-- Colin Percival

The Certificate Authority system as it stands today is a house of cards and we're witnessing in public what many have known for years in private. The entire system is soaked in petrol and waiting for a light.
-- Jacob Appelbaum

Given that essentially the whole population of Chrome users would use the default notary settings, those notaries will get a large amount of traffic. Also, we have a very strong interest for the notaries to function, otherwise Chrome stops working. Combined, that means that Google would end up running the notaries. So the design boils down to Chrome phoning home for certificate validation. That has both unacceptable privacy implications and very high uptime requirements on the notary service.
-- Adam Langley on Convergence for Chrome

Comments (1 posted)

New Free Tools Simplify Analysis Of Android Malware (Dark Reading)

Dark Reading looks at two Google Summer of Code (GSoC) projects that target Android malware analysis: APKInspector and DroidBox. "DroidBox is a sandbox of sorts that lets a researcher or analyst safely run and observe a malicious app. 'It lets you look and see if the app is doing something [malicious] ... and how it's doing it,' [GSoC mentor Ryan] Smith says. 'Once you have a profile of it, and you want to dig into the how and where in the code it's doing something, then you use APKInspector to review the code.' [...] Both tools are aimed at researchers who perform malware reverse-engineering as well as security analysts, he says. And that's a first step toward better securing the Android platform, according to Smith."

Comments (none posted)

New vulnerabilities

bcfg2: arbitrary command execution with root privileges

Package(s):bcfg2 CVE #(s):CVE-2011-3211
Created:September 8, 2011 Updated:October 10, 2011
Description: From the Debian advisory:

It has been discovered that the bcfg2 server, a configuration management server for bcfg2 clients, is not properly sanitizing input from bcfg2 clients before passing it to various shell commands. This enables an attacker in control of a bcfg2 client to execute arbitrary commands on the server with root privileges.

Alerts:
Fedora FEDORA-2011-13181 bcfg2 2011-09-25
Fedora FEDORA-2011-13214 bcfg2 2011-09-25
Fedora FEDORA-2011-12303 bcfg2 2011-09-08
Fedora FEDORA-2011-12298 bcfg2 2011-09-08
Debian DSA-2302-1 bcfg2 2011-09-07

Comments (none posted)

coreutils: command injection

Package(s):coreutils CVE #(s):
Created:September 7, 2011 Updated:September 9, 2011
Description: From the openSUSE advisory:

When running "su -c" to execute commands as different user the target user could inject command back into the calling user's terminal via the TIOCSTI ioctl.

Alerts:
openSUSE openSUSE-SU-2011:1014-1 coreutils 2011-09-07

Comments (none posted)

grid components: privilege escalation

Package(s):grid components CVE #(s):CVE-2011-2925
Created:September 8, 2011 Updated:September 9, 2011
Description: From the Red Hat advisory:

A flaw was discovered in Cumin where it would log broker authentication credentials to the Cumin log file. A local user exploiting this flaw could connect to the broker outside of Cumin's control and perform certain operations such as scheduling jobs, setting attributes on jobs, as well as holding, releasing or removing jobs. The user could also use this to, depending on the defined ACLs of the broker, manipulate message queues and other privileged operations. (CVE-2011-2925)

Alerts:
Red Hat RHSA-2011:1249-01 grid components 2011-09-07
Red Hat RHSA-2011:1250-01 grid components 2011-09-07

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2011-2700 CVE-2011-2909 CVE-2011-2918
Created:September 1, 2011 Updated:October 10, 2011
Description:

From the SUSE advisory:

CVE-2011-2700: A small buffer overflow in the radio driver si4713-i2c was fixed that could potentially used by local attackers to crash the kernel or potentially execute code.

CVE-2011-2909: A kernel information leak in the comedi driver from kernel to userspace was fixed.

CVE-2011-2918: In the perf framework software event overflows could deadlock or delete an uninitialized timer.

Alerts:
openSUSE openSUSE-SU-2012:1439-1 kernel 2012-11-05
openSUSE openSUSE-SU-2012:0799-1 kernel 2012-06-28
SUSE SUSE-SU-2012:0364-1 Real Time Linux Kernel 2012-03-14
Red Hat RHSA-2012:0333-01 kernel-rt 2012-02-23
Oracle ELSA-2011-2037 enterprise kernel 2011-12-15
Ubuntu USN-1285-1 linux 2011-11-29
Ubuntu USN-1281-1 linux-ti-omap4 2011-11-24
Ubuntu USN-1279-1 linux-lts-backport-natty 2011-11-24
Ubuntu USN-1256-1 linux-lts-backport-natty 2011-11-09
openSUSE openSUSE-SU-2011:1222-1 kernel 2011-11-08
openSUSE openSUSE-SU-2011:1221-1 kernel 2011-11-08
Ubuntu USN-1246-1 linux 2011-10-25
Ubuntu USN-1244-1 linux-ti-omap4 2011-10-25
Ubuntu USN-1243-1 linux 2011-10-25
Ubuntu USN-1242-1 linux-lts-backport-maverick 2011-10-25
Ubuntu USN-1241-1 linux-fsl-imx51 2011-10-25
Ubuntu USN-1228-1 linux-ti-omap4 2011-10-12
Ubuntu USN-1227-1 kernel 2011-10-11
Fedora FEDORA-2011-12874 kernel 2011-09-18
Scientific Linux SL-kern-20111005 kernel 2011-10-05
Red Hat RHSA-2011:1350-01 kernel 2011-10-05
Ubuntu USN-1220-1 linux-ti-omap4 2011-09-29
Ubuntu USN-1219-1 linux-lts-backport-maverick 2011-09-29
Ubuntu USN-1218-1 linux 2011-09-29
Ubuntu USN-1216-1 linux-ec2 2011-09-26
Ubuntu USN-1211-1 linux 2011-09-21
Ubuntu USN-1212-1 linux-ti-omap4 2011-09-21
Ubuntu USN-1208-1 linux-mvl-dove 2011-09-14
Ubuntu USN-1204-1 linux-fsl-imx51 2011-09-13
Ubuntu USN-1203-1 linux-mvl-dove 2011-09-13
Ubuntu USN-1202-1 linux-ti-omap4 2011-09-13
Debian DSA-2303-2 linux-2.6 2011-09-10
Debian DSA-2303-1 linux-2.6 2011-09-08
SUSE SUSE-SU-2011:0984-3 kernel 2011-09-02
SUSE SUSE-SU-2011:0984-2 Linux kernel 2011-09-02
SUSE SUSE-SA:2011:038 kernel 2011-09-01

Comments (none posted)

mongoose: arbitrary code execution

Package(s):mongoose CVE #(s):CVE-2011-2900
Created:September 8, 2011 Updated:September 9, 2011
Description: From the CVE entry:

Stack-based buffer overflow in the (1) put_dir function in mongoose.c in Mongoose 3.0, (2) put_dir function in yasslEWS.c in yaSSL Embedded Web Server (yasslEWS) 0.2, and (3) _shttpd_put_dir function in io_dir.c in Simple HTTPD (shttpd) 1.42 allows remote attackers to execute arbitrary code via an HTTP PUT request, as exploited in the wild in 2011.

Alerts:
Fedora FEDORA-2011-11825 mongoose 2011-08-31
Fedora FEDORA-2011-11823 mongoose 2011-08-31

Comments (none posted)

ncpfs: /etc/mtab truncation

Package(s):ncpfs CVE #(s):CVE-2011-1679 CVE-2011-1680
Created:September 1, 2011 Updated:May 29, 2012
Description:

From the openSUSE advisory:

The ncpfs mount and umount programs were affected by the /etc/mtab truncation problems on RLIMIT_FSIZE. (CVE-2011-1679)

Also on errors, the mtab lock was not removed, blocking other applications from modifying /etc/mtab. (CVE-2011-1680)

Alerts:
Mandriva MDVSA-2013:048 ncpfs 2013-04-05
Mandriva MDVSA-2012:084 ncpfs 2012-05-29
openSUSE openSUSE-SU-2011:0985-1 ncpfs 2011-09-01

Comments (none posted)

opera: multiple vulnerabilities

Package(s):opera CVE #(s):CVE-2011-3388 CVE-2011-3389
Created:September 8, 2011 Updated:February 16, 2015
Description: From the CVE entries:

Opera before 11.51 allows remote attackers to cause an insecure site to appear secure or trusted via unspecified actions related to Extended Validation and loading content from trusted sources in an unspecified sequence that causes the address field and page information dialog to contain security information based on the trusted site, instead of the insecure site. (CVE-2011-3388)

Unspecified vulnerability in Opera before 11.51 has unknown attack vectors and a "low severity" impact. (CVE-2011-3389)

Alerts:
Debian-LTS DLA-154-1 nss 2015-02-16
Fedora FEDORA-2014-13764 Pound 2014-11-07
Gentoo 201406-32 icedtea-bin 2014-06-29
Gentoo 201301-01 firefox 2013-01-07
Red Hat RHSA-2012:0508-01 java-1.5.0-ibm 2012-04-23
SUSE SUSE-SU-2012:0114-2 IBM Java 1.6.0 2012-03-06
Gentoo 201206-03 opera 2012-06-15
Fedora FEDORA-2011-17399 gnome-python2-extras 2012-01-22
Fedora FEDORA-2011-17399 nss-softokn 2012-01-22
Fedora FEDORA-2011-17399 nss 2012-01-22
Fedora FEDORA-2011-17399 perl-Gtk2-MozEmbed 2012-01-22
Fedora FEDORA-2011-17399 xulrunner 2012-01-22
Fedora FEDORA-2011-17399 nspr 2012-01-22
Fedora FEDORA-2011-17399 thunderbird-lightning 2012-01-22
Fedora FEDORA-2011-17399 nss-util 2012-01-22
Fedora FEDORA-2011-17399 thunderbird 2012-01-22
Fedora FEDORA-2011-17399 firefox 2012-01-22
Fedora FEDORA-2011-17400 thunderbird 2011-12-23
Fedora FEDORA-2011-17400 nss-util 2011-12-23
Fedora FEDORA-2011-17400 nss-softokn 2011-12-23
Fedora FEDORA-2011-17400 nss 2011-12-23
Fedora FEDORA-2011-17400 firefox 2011-12-23
Debian DSA-2358-1 openjdk-6 2011-12-05
Gentoo 201111-02 sun-jdk 2011-11-05
openSUSE openSUSE-SU-2011:1196-1 java-1_6_0-openjdk 2011-10-28
Scientific Linux SL-java-20111018 java-1.6.0-openjdk 2011-10-18
Fedora FEDORA-2011-14648 java-1.6.0-openjdk 2011-10-20
Fedora FEDORA-2011-14638 java-1.6.0-openjdk 2011-10-20
Red Hat RHSA-2011:1380-01 java-1.6.0-openjdk 2011-10-18
openSUSE openSUSE-SU-2011:1025-1 opera 2011-09-08

Comments (none posted)

otrs: arbitrary file access

Package(s):otrs CVE #(s):CVE-2011-2746
Created:September 7, 2011 Updated:September 9, 2011
Description: From the CVE entry:

Unspecified vulnerability in Kernel/Modules/AdminPackageManager.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.x before 2.4.11 and 3.x before 3.0.10 allows remote authenticated administrators to read arbitrary files via unknown vectors.

Alerts:
openSUSE openSUSE-SU-2011:1017-1 otrs 2011-09-07

Comments (none posted)

perl-Data-FormValidator: taint mode protection bypass

Package(s):perl-Data-FormValidator CVE #(s):CVE-2011-2201
Created:September 8, 2011 Updated:August 20, 2012
Description: From the Red Hat bugzilla:

It was found that perl-Data-FormValidator, a HTML form user input validator, used to treat certain invalid fields as valid, when the untaint_all_constraints directive was used (default for majority of Data-FormValidator routines). A remote attacker could use this flaw to bypass perl Taint mode protection mechanism via specially-crafted input provided to the HTML form.

Alerts:
Mageia MGASA-2012-0225 perl-Data-FormValidator 2012-08-18
Fedora FEDORA-2011-11805 perl-Data-FormValidator 2011-08-31
Fedora FEDORA-2011-11756 perl-Data-FormValidator 2011-08-31

Comments (none posted)

pidgin: denial of service

Package(s):pidgin CVE #(s):CVE-2011-3184 CVE-2011-2943
Created:September 5, 2011 Updated:September 9, 2011
Description: Pidgin suffers from two denial of service vulnerabilities, both of which have been fixed in the 2.10.0 release.
Alerts:
Ubuntu USN-1273-1 pidgin 2011-11-21
Fedora FEDORA-2011-11595 pidgin 2011-08-26
Mandriva MDVSA-2011:132 pidgin 2011-09-06
Pardus 2011-111 pidgin 2011-09-05

Comments (none posted)

rails: SQL injection, cross-site scripting, and HTTP response splitting

Package(s):rails CVE #(s):CVE-2011-2930 CVE-2011-2931 CVE-2011-3186
Created:September 5, 2011 Updated:September 9, 2011
Description: The rails package has been found to contain an SQL injection vulnerability (CVE-2011-2930), a cross-site scripting vulnerability (CVE-2011-2931), and a newline injection vulnerability that could lead to an HTTP response splitting attack (CVE-2011-3186).
Alerts:
Gentoo 201412-28 rails 2014-12-14
Debian DSA-2392-1 rails 2012-01-23
openSUSE openSUSE-SU-2011:1305-1 ruby 2011-12-07
Fedora FEDORA-2011-11567 rubygem-actionpack 2011-08-26
Fedora FEDORA-2011-11572 rubygem-actionpack 2011-08-26
Debian DSA-2301-1 rails 2011-09-05

Comments (none posted)

rsyslog: denial of service

Package(s):rsyslog CVE #(s):CVE-2011-3200
Created:September 2, 2011 Updated:October 4, 2011
Description: From the Red Hat advisory:

A two byte buffer overflow flaw was found in the rsyslog daemon's parseLegacySyslogMsg function. An attacker able to submit log messages to rsyslogd could use this flaw to crash the daemon.

Alerts:
Ubuntu USN-1224-1 rsyslog 2011-10-03
Fedora FEDORA-2011-12616 rsyslog 2011-09-13
Mandriva MDVSA-2011:134-1 rsyslog 2011-09-17
Fedora FEDORA-2011-12282 rsyslog 2011-09-08
Mandriva MDVSA-2011:134 rsyslog 2011-09-09
openSUSE openSUSE-SU-2011:1020-1 rsyslog 2011-09-07
Scientific Linux SL-rsys-20110901 rsyslog 2011-09-01
Red Hat RHSA-2011:1247-01 rsyslog 2011-09-01

Comments (none posted)

rubygem-actionpack: filter skipping

Package(s):rubygem-actionpack CVE #(s):CVE-2011-2929
Created:September 7, 2011 Updated:September 9, 2011
Description: From the CVE entry:

The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability."

Alerts:
Gentoo 201412-28 rails 2014-12-14
Fedora FEDORA-2011-11572 rubygem-actionpack 2011-08-26

Comments (none posted)

rubygem-activesupport: cross-site scripting

Package(s):rubygem-activesupport CVE #(s):CVE-2011-2932
Created:September 7, 2011 Updated:March 29, 2013
Description: From the CVE entry:

Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."

Alerts:
Gentoo 201412-28 rails 2014-12-14
Debian DSA-2655-1 rails 2013-03-28
Fedora FEDORA-2011-11600 rubygem-activesupport 2011-08-26
Fedora FEDORA-2011-11579 rubygem-activesupport 2011-08-26

Comments (none posted)

squid3: buffer overflow

Package(s):squid3 CVE #(s):CVE-2011-3205
Created:September 7, 2011 Updated:September 15, 2011
Description: From the SUSE advisory:

This update of squid3 fixes a buffer overflow vulnerability in the Gopher reply parser code.

Alerts:
Gentoo 201110-24 squid 2011-10-26
Mandriva MDVSA-2011:150 squid 2011-10-15
Red Hat RHSA-2011:1293-01 squid 2011-09-14
Scientific Linux SL-squi-20110914 squid 2011-09-14
Debian DSA-2304-1 squid3 2011-09-11
Fedora FEDORA-2011-11854 squid 2011-08-31
Fedora FEDORA-2011-11817 squid 2011-08-31
openSUSE openSUSE-SU-2011:1018-1 squid 2011-09-07
SUSE SUSE-SU-2011:1019-1 squid3 2011-09-07
SUSE SUSE-SU-2016:1996-1 squid3 2016-08-09
SUSE SUSE-SU-2016:2089-1 squid3 2016-08-16

Comments (none posted)

tomcat6: information leak

Package(s):tomcat6 CVE #(s):CVE-2011-2204 CVE-2011-2526
Created:September 2, 2011 Updated:February 2, 2012
Description: From the CVE entries:

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file. (CVE-2011-2204)

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application. (CVE-2011-2526)

Alerts:
Mageia MGASA-2012-0189 tomcat6 2012-08-02
Gentoo 201206-24 tomcat 2012-06-24
Oracle ELSA-2012-0474 tomcat5 2012-04-12
Debian DSA-2401-1 tomcat6 2012-02-02
CentOS CESA-2011:1780 tomcat6 2011-12-22
CentOS CESA-2011:1845 tomcat5 2011-12-20
Oracle ELSA-2011-1845 tomcat5 2011-12-20
Scientific Linux SL-tomc-20111220 tomcat5 2011-12-20
Red Hat RHSA-2011:1845-01 tomcat5 2011-12-20
Scientific Linux SL-tomc-20111205 tomcat6 2011-12-05
Oracle ELSA-2011-1780 tomcat6 2011-12-05
Red Hat RHSA-2011:1780-01 tomcat6 2011-12-05
Ubuntu USN-1252-1 tomcat6 2011-11-08
Fedora FEDORA-2011-13456 tomcat6 2011-09-29
Fedora FEDORA-2011-13457 tomcat6 2011-09-29
Mandriva MDVSA-2011:156 tomcat5 2011-10-18
openSUSE openSUSE-SU-2011:0988-1 tomcat6 2011-09-02

Comments (none posted)

xen: denial of service

Package(s):Xen CVE #(s):CVE-2011-2901
Created:September 1, 2011 Updated:September 9, 2011
Description:

From the SUSE advisory:

This update fixes a denial of service (Host Crash) in the XEN hypervisor. (CVE-2011-2901)

Alerts:
Gentoo 201309-24 xen 2013-09-27
Oracle ELSA-2012-0150 kernel 2012-03-07
Red Hat RHSA-2011:1813-01 kernel 2011-12-13
CentOS CESA-2011:1212 kernel 2011-09-22
SUSE SUSE-SU-2011:1057-1 Xen 2011-09-21
Scientific Linux SL-kern-20110906 kernel 2011-09-06
Red Hat RHSA-2011:1212-01 kernel 2011-09-06
SUSE SUSE-SU-2011:0983-1 Xen 2011-09-01

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds