
Security

Tor offers SSL obfuscation for users behind censorship walls

February 15, 2012

This article was contributed by Nathan Willis

On February 10, the Tor project posted reports from users inside Iran that the country's government had begun blocking all SSL/TLS traffic, a major escalation of firewall policies that had already cut off users from specific services. Tor responded by pointing readers to obfsproxy, its comparatively little-known project that can disguise SSL traffic to evade detection by the deep packet inspection (DPI) filters used to flag and shut down encrypted connections.

Word from users in Iran was that the government SSL-blocking effort appeared to be DPI-based, because connections were being terminated only after the first few steps of the SSL handshake. Other methods to bypass the firewall, including VPNs, were still functional, although they are an impractical (and sometimes expensive) solution for the majority of Iranian Internet users. However, the block prevents standard Tor usage in particular, because the system relies on an encrypted connection between the user's machine and the first relay in the Tor network.

Earlier filtering techniques, such as blocking access to specific IP addresses, had been bypassed by using bridges — Tor relays that ran on unpublished IPs. Reports indicated that the SSL-block varies by ISP, and had not affected the entire country, but the project's metrics showed a sharp decline in the number of Tor users originating from Iran, starting around February 9. Alongside the announcement of obfsproxy, the Tor project asked users to help restore connectivity for people in the region by setting up obfuscated bridges — but cautioned that drawing too much public attention to the project could prompt authorities to implement countermeasures.

It rolls right off the tongue: "obfsproxy"

Obfsproxy — which, although just announced to the public, has been in development since early 2011 — offers relief from DPI filtering. It is a transport proxy that encapsulates protocol traffic between endpoints within an "innocent-looking" wrapper. The system is modular enough that the project says it can be used with a variety of protocols, but the default usage is designed to wrap SSL traffic between a Tor client and Tor bridge inside another application-layer connection. Furthermore, within those faux application-layer packets, the genuine SSL packets are encrypted by a stream cipher, making their contents immune to detection by DPI filters (which catch protocols by matching characteristic strings or regular expressions in the TCP stream).

Obfsproxy's default module is called obfs2, and merely disguises SSL traffic as unencrypted SOCKS traffic. It does not itself provide authentication, confidentiality, or guarantee data integrity. Those features must be provided by the traffic being obfuscated (e.g., SSL and Tor). Nor does it protect against protocol fingerprinting using other means (such as timing or packet size), nor against attackers looking specifically for obfsproxy itself. The threat model document in the project's Git repository outlines the assumptions and characteristics in specific detail, and argues that, although the scope is limited, it "protects against many real-life Tor traffic detection methods currently deployed, since most of them currently use static SSL handshake strings as signatures."

Tor executive director Andrew Lewman told Forbes magazine that other protocol wrappers are a possibility for future releases, including XMPP and vanilla HTTP, and described a simpler client-side interface. At the moment, however, he described the project as "very much a work in progress, and the various pluggable transports are still in design and development."

The anatomy of obfs2

Obfsproxy is a recent addition to Tor, and although the project has released updated Tor Browser Bundle binaries pre-configured to use it, for most existing Tor users it requires compiling and running the client code — as well as knowledge of a Tor bridge also configured to run obfsproxy. Still, Tor reports that users in Iran are taking advantage of the code to successfully restore their lost connectivity.

Masking a Tor connection between client and bridge requires both participants to be running obfsproxy, but the client-bridge connection is the only one involved in the obfuscation — no general-purpose Tor nodes (including exit nodes) are required to install obfsproxy or need to alter their configuration.

Interested client and bridge users should fetch obfsproxy from the Tor project's Git repository and compile it with Autogen and GNU make. All versions of Tor newer than 0.2.3.11 can be configured to use obfsproxy simply by editing the Tor configuration file. Clients must add the IP address and port number of an obfsproxy-aware bridge and the path to the obfsproxy executable. Bridge operators must start Tor and watch their logs, because Tor randomly selects an open, higher-numbered TCP port for obfsproxy to listen on the first time it is run. Older versions of Tor can use obfsproxy, too, using additional steps to configure a localhost-only relay between Tor and the obfsproxy program.

Whichever setup is involved, the obfs2 protocol operates in the same manner. It is based on Bruce Leidl's older work to obfuscate SSH handshakes. The client and the bridge first exchange session keys with each other, after which they "superencipher" their SSL session by encrypting it with 128-bit AES.

By default the protocol uses a relatively weak key-exchange method that could be compromised by an eavesdropper listening to both sides of the conversation — although the use of a pre-shared secret to strengthen this step is supported as well. It may sound as if the weak key exchange method undermines the whole process, but the important thing to remember is that the obfuscation protocol's only goal is to defeat automatic detection by pattern-matching DPI filters. Furthermore, the seed values that the client and bridge exchange are concatenated with constants and then hashed with SHA256, a step that does not make them unrecoverable, but that is computationally expensive to perform on the class of high-throughput networking hardware generally used to do DPI traffic analysis.
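A simplified model of the seed exchange, SHA-256 key derivation and AES-128 superencipherment described in the two paragraphs above, added here as an illustration and not taken from obfsproxy's own code. The derivation labels, the iteration count and the sample ClientHello bytes are placeholders chosen for this example, not obfs2's real constants, and the real handshake's framing, padding and magic value are left out. It also shows the defender's view: a static TLS-handshake signature of the kind a DPI filter matches fires on the plain bytes and not on the wrapped ones.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Simplified obfs2-style model (added example, not obfsproxy's code).
const (
	seedLen        = 16
	hashIterations = 10000                // assumption: real obfs2 iteration count differs
	clientLabel    = "client-to-bridge key" // placeholder label, not obfs2's real constant
	bridgeLabel    = "bridge-to-client key" // placeholder label, not obfs2's real constant
)

// deriveKey follows the page's description: the two exchanged seeds are
// concatenated with a constant and hashed with SHA-256. Iterating the hash
// makes per-connection key recovery costly for a line-rate DPI box, while the
// two endpoints pay the cost only once per session.
func deriveKey(label string, initSeed, respSeed []byte, iterations int) []byte {
	sum := sha256.Sum256(append(append([]byte(label), initSeed...), respSeed...))
	for i := 1; i < iterations; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:16] // AES-128 key
}

// newStream returns an AES-128-CTR keystream for one direction. A fixed IV is
// acceptable here only because each key comes from fresh per-session seeds and
// is used for exactly one direction of one session.
func newStream(key []byte) (cipher.Stream, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewCTR(block, make([]byte, aes.BlockSize)), nil
}

// randomSeed draws the 16-byte seed each side contributes to the exchange.
func randomSeed() ([]byte, error) {
	seed := make([]byte, seedLen)
	if _, err := rand.Read(seed); err != nil {
		return nil, err
	}
	return seed, nil
}

// looksLikeTLSHandshake is the kind of static check a DPI filter applies:
// record type 0x16 (handshake), a 3.x version byte, and a ClientHello
// (handshake type 0x01) at the start of the record body.
func looksLikeTLSHandshake(wire []byte) bool {
	return len(wire) >= 6 && wire[0] == 0x16 && wire[1] == 0x03 && wire[5] == 0x01
}

// sampleClientHello is a constructed, truncated TLS 1.0 ClientHello record:
// just the header and a few body bytes, enough to trip the signature above.
func sampleClientHello() []byte {
	return []byte{0x16, 0x03, 0x01, 0x00, 0x2c, 0x01, 0x00, 0x00, 0x28, 0x03, 0x01,
		0xde, 0xad, 0xbe, 0xef}
}

// superencipher runs one client->bridge direction with the given seeds: both
// sides derive the same key from the seeds, the client wraps the TLS bytes and
// the bridge unwraps them. It returns what crossed the wire and what the
// bridge recovered.
func superencipher(initSeed, respSeed, tlsBytes []byte) (wire, recovered []byte, err error) {
	if len(initSeed) != seedLen || len(respSeed) != seedLen {
		return nil, nil, errors.New("seeds must be 16 bytes")
	}
	clientStream, err := newStream(deriveKey(clientLabel, initSeed, respSeed, hashIterations))
	if err != nil {
		return nil, nil, err
	}
	wire = make([]byte, len(tlsBytes))
	clientStream.XORKeyStream(wire, tlsBytes)
	// The bridge derives the key independently from the same two seeds.
	bridgeStream, err := newStream(deriveKey(clientLabel, initSeed, respSeed, hashIterations))
	if err != nil {
		return nil, nil, err
	}
	recovered = make([]byte, len(wire))
	bridgeStream.XORKeyStream(recovered, wire)
	return wire, recovered, nil
}

func main() {
	initSeed, err1 := randomSeed()
	respSeed, err2 := randomSeed()
	if err1 != nil || err2 != nil {
		fmt.Println("seed generation failed")
		return
	}
	hello := sampleClientHello()
	wire, recovered, err := superencipher(initSeed, respSeed, hello)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("plain TLS matches DPI signature:      %v\n", looksLikeTLSHandshake(hello))
	fmt.Printf("obfuscated bytes match DPI signature: %v\n", looksLikeTLSHandshake(wire))
	fmt.Printf("bridge recovered original TLS bytes:  %v\n", bytes.Equal(recovered, hello))
}
```

Note that the seeds still cross the wire in the clear, which is exactly the weak key exchange the paragraph above describes: anyone capturing both seeds can repeat deriveKey, just not at line rate for every flow.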

Obfuscation for all

To the paranoid, obfs2 may sound like an imperfect solution to the filtering crisis. After all, it could be defeated by closer inspection of packets or by filtering out SOCKS traffic. In that sense, obfsproxy might be likened to steganography — its goal is to hide the traffic of an estimated tens of thousands of Tor users in a censored region like Iran among the connections of millions.

The Tor project reports that it has performed experiments of its own, and found obfsproxy to be effective "in all censored countries" when used as-is. However, as Jacob Appelbaum mentioned in the call for obfsproxy bridges, "it might even only last for a few days at the rate the arms race is progressing, if you could call it progress." Then again, thanks to the modular design of obfsproxy, the obfs2 module itself can be replaced or upgraded in future releases, either to disguise traffic better or to implement completely different security features. The sudden crackdown on all SSL traffic in Iran might have hit before a perfect system was in place, but obfsproxy is still a welcome relief for those who are affected and have no other practical options.

Brief items

Security quotes of the week

Sorry, that was not correct. The "1" was actually an upper-case, sans-serif "I." Please try again by typing the following letters and numbers, this time using your nondominant hand and with one eye closed:

[...] Sorry, the second "X" was also lowercase. It looked larger because it was closer to the screen than the first. Please try again by retyping the words you see in this box:

-- The New York Times has some fun with CAPTCHA

As shown in the movie, the tool has a database that contains city profiles including Paris, Berlin, Amsterdam, Brussels, and Geneva. The tool runs on the right and on the left is the browser accessing Google Maps over SSL. In the first attempt, I load the city of Paris and zoom in a couple of times. On the second attempt I navigate to Berlin and zoom in a few times. On both occasions the tool manages to correctly guess the locations that the browser is accessing.

Please note that it is a shoddy proof of concept, but it shows the concept of SSL traffic analysis pretty well. It also might be easier to understand for less technically inclined people, as in "An attacker can still figure out what you're looking at on Google Maps" (with the addendum that it's never going to be 100% perfect and that my shoddy proof of concept has lots of room for improvement).

-- Vincent Berg

The publication, citing a former 19-year Nortel employee who oversaw the investigation into the hack, said Nortel did nothing to keep out the hackers except to change seven compromised passwords that belonged to the CEO and other executives. The company "made no effort to determine if its products were also compromised by hackers," the WSJ [Wall Street Journal] said. Nortel, which sold off parts of its business as part of a 2009 bankruptcy filing, spent about six months investigating the breach and didn't disclose it to prospective buyers.

-- ars technica reports on a 2000 infiltration of Nortel

Trustwave admits issuing man-in-the-middle digital certificate (ComputerWorld)

Here's a variant on the "untrustworthy SSL certificate authority" theme: this ComputerWorld story describes how Trustwave issued a "subordinate root" certificate to a private company. That allowed said company to stamp out certificates for any domains it liked and conduct man-in-the-middle attacks against SSL traffic from its internal network. "Trustwave defended itself by saying that the issuing of subordinate roots to private companies, so they can inspect the SSL-encrypted traffic that passes through their networks, is a common practice in the industry."

Horde Groupware contains backdoor (The H)

The H is reporting that a backdoor was inserted into installation packages of the Horde groupware. The affected versions are "Horde 3.3.12, Groupware 1.2.10 and the webmail edition of the groupware product". An intrusion into the FTP server back in November led to the problem. "Users who have installed a hacked version onto a server have thrown their systems wide open to the hackers – the backdoor enables them to execute arbitrary PHP code. By exploiting additional vulnerabilities, attackers could use this to gain complete control of the server."

Garrett: Some things you may have heard about Secure Boot which aren't entirely true

Matthew Garrett clears up some Secure Boot myths on his blog:

It's only a problem for hobbyist Linux, not the real Linux market:

Untrue. It's unclear whether even the significant Linux vendors can implement Secure Boot in a way that meets the needs of their customers and still allows them to boot on commodity hardware. A naive implementation removes many of the benefits of Linux for enterprise customers, such as the ability to use local modifications to micro-optimise systems for specific workloads. One of the key selling points of Linux is the ability to make use of local expertise when adapting the product for your needs. Secure Boot makes that more difficult.

New vulnerabilities

apr: denial of service

Package(s): apr    CVE #(s): CVE-2012-0840
Created: February 14, 2012    Updated: March 1, 2012
Description: From the Mandriva advisory:

tables/apr_hash.c in the Apache Portable Runtime (APR) library through 1.4.5 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

Alerts:
Gentoo 201405-24 apr 2014-05-18
Fedora FEDORA-2012-1709 apr 2012-03-01
Fedora FEDORA-2012-1656 apr 2012-03-01
Mandriva MDVSA-2012:019 apr 2012-02-14

bugzilla: multiple vulnerabilities

Package(s): bugzilla    CVE #(s): CVE-2012-0440 CVE-2012-0448
Created: February 13, 2012    Updated: February 15, 2012
Description: From the CVE entries:

Cross-site request forgery (CSRF) vulnerability in jsonrpc.cgi in Bugzilla 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 allows remote attackers to hijack the authentication of arbitrary users for requests that use the JSON-RPC API. (CVE-2012-0440)

Bugzilla 2.x and 3.x before 3.4.14, 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 does not reject non-ASCII characters in e-mail addresses of new user accounts, which makes it easier for remote authenticated users to spoof other user accounts by choosing a similar e-mail address. (CVE-2012-0448)

Alerts:
Fedora FEDORA-2012-1189 bugzilla 2012-02-10
Fedora FEDORA-2012-1218 bugzilla 2012-02-10

cvs: remote code execution

Package(s): cvs    CVE #(s): CVE-2012-0804
Created: February 9, 2012    Updated: January 20, 2017
Description: From the Debian advisory:

It was discovered that a malicious CVS server could cause a heap overflow in the CVS client, potentially allowing the server to execute arbitrary code on the client.

Alerts:
Mandriva MDVSA-2012:044 cvs 2012-03-29
Oracle ELSA-2012-0321 cvs 2012-03-09
Scientific Linux SL-cvs-20120306 cvs 2012-03-06
openSUSE openSUSE-SU-2012:0310-1 cvs 2012-02-27
Red Hat RHSA-2012:0321-01 cvs 2012-02-21
Oracle ELSA-2012-0321 cvs 2012-02-21
CentOS CESA-2012:0321 cvs 2012-02-22
Ubuntu USN-1371-1 cvs 2012-02-22
Fedora FEDORA-2012-1400 cvs 2012-02-15
Fedora FEDORA-2012-1383 cvs 2012-02-15
Debian DSA-2407-1 cvs 2012-02-09
Gentoo 201701-44 cvs 2017-01-19

devscripts: multiple vulnerabilities

Package(s): devscripts    CVE #(s): CVE-2012-0210 CVE-2012-0211 CVE-2012-0212
Created: February 15, 2012    Updated: February 15, 2012
Description: From the Debian advisory:

CVE-2012-0210: Paul Wise discovered that due to insufficient input sanitising when processing .dsc and .changes files, it is possible to execute arbitrary code and disclose system information.

CVE-2012-0211: Raphael Geissert discovered that it is possible to inject or modify arguments of external commands when processing source packages with specially-named tarballs in the top-level directory of the .orig tarball, allowing arbitrary code execution.

CVE-2012-0212: Raphael Geissert discovered that it is possible to inject or modify arguments of external commands when passing as argument to debdiff a specially-named file, allowing arbitrary code execution.

Alerts:
Ubuntu USN-1593-1 devscripts 2012-10-02
Ubuntu USN-1366-1 devscripts 2012-02-15
Debian DSA-2409-1 devscripts 2012-02-15

ettercap: insecure settings file

Package(s): ettercap    CVE #(s): CVE-2010-3843
Created: February 9, 2012    Updated: April 9, 2013
Description: From the Red Hat bugzilla entry:

The GTK version of ettercap uses a global settings file at /tmp/.ettercap_gtk and does not verify ownership of this file. When parsing this file for settings in gtkui_conf_read() (src/interfaces/gtk/ec_gtk_conf.c), an unchecked sscanf() call allows a maliciously placed settings file to overflow a statically-sized buffer on the stack. Stack-smashing protection catches it, but it still should be fixed.

Verify with: $ perl -e 'print "A"x500' > /tmp/.ettercap_gtk && ettercap -G

Firstly, the settings file should not be globally accessible without checking ownership, which still gets hairy because an attacker could create a symlink or hard link to a victim-controlled file (unless you're using YAMA :p). The best thing would probably be to keep this file in the user's home directory instead.

Secondly, parsing configuration files should be robust against malformed input and not susceptible to trivial buffer overflows.

Alerts:
Gentoo 201405-12 ettercap 2014-05-17
Mandriva MDVSA-2013:077 ettercap 2013-04-09
Mageia MGASA-2012-0214 ettercap 2012-08-12
Fedora FEDORA-2012-1054 ettercap 2012-02-08
Fedora FEDORA-2012-1066 ettercap 2012-02-08

firefox: multiple vulnerabilities

Package(s): MozillaFirefox    CVE #(s): CVE-2012-0443 CVE-2012-0445 CVE-2012-0446 CVE-2012-0447 CVE-2012-0450
Created: February 9, 2012    Updated: February 15, 2012
Description: From the openSUSE advisory:

CVE-2012-0443: Ben Hawkes, Christian Holler, Honza Bombas, Jason Orendorff, Jesse Ruderman, Jan Odvarko, Peter Van Der Beken, and Bill McCloskey reported memory safety problems that were fixed in Firefox 10.

MFSA 2012-03/CVE-2012-0445: Alex Dvorov reported that an attacker could replace a sub-frame in another domain's document by using the name attribute of the sub-frame as a form submission target. This can potentially allow for phishing attacks against users and violates the HTML5 frame navigation policy.

MFSA 2012-05/CVE-2012-0446: Mozilla security researcher moz_bug_r_a4 reported that frame scripts bypass XPConnect security checks when calling untrusted objects. This allows for cross-site scripting (XSS) attacks through web pages and Firefox extensions. The fix enables the Script Security Manager (SSM) to force security checks on all frame scripts.

MFSA 2012-06/CVE-2012-0447: Mozilla developer Tim Abraldes reported that when encoding images as image/vnd.microsoft.icon the resulting data was always a fixed size, with uninitialized memory appended as padding beyond the size of the actual image. This is the result of mImageBufferSize in the encoder being initialized with a value different than the size of the source image. There is the possibility of sensitive data from uninitialized memory being appended to a PNG image when converted from an ICO format image. This sensitive data may then be disclosed in the resulting image.

MFSA 2012-09/CVE-2012-0450: magicant starmen reported that if a user chooses to export their Firefox Sync key the "Firefox Recovery Key.html" file is saved with incorrect permissions, making the file contents potentially readable by other users on Linux and OS X systems.

Alerts:
openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
Gentoo 201301-01 firefox 2013-01-07
openSUSE openSUSE-SU-2012:0567-1 firefox, thunderbird, seamonkey, xulrunner 2012-04-27
Ubuntu USN-1369-1 thunderbird 2012-02-17
Fedora FEDORA-2012-1147 thunderbird-lightning 2012-02-10
Fedora FEDORA-2012-1147 gnome-python2-extras 2012-02-10
Fedora FEDORA-2012-1147 libvpx 2012-02-10
Fedora FEDORA-2012-1147 gstreamer-plugins-bad-free 2012-02-10
Fedora FEDORA-2012-1147 perl-Gtk2-MozEmbed 2012-02-10
Fedora FEDORA-2012-1147 xulrunner 2012-02-10
Fedora FEDORA-2012-1147 thunderbird 2012-02-10
Fedora FEDORA-2012-1147 firefox 2012-02-10
openSUSE openSUSE-SU-2012:0234-1 MozillaFirefox 2012-02-09

glpi: file inclusion vulnerability

Package(s): glpi    CVE #(s): CVE-2012-1037
Created: February 13, 2012    Updated: February 20, 2012
Description: GLPI v 0.78 to 0.80.61 fails to properly sanitize the GET 'sub_type' parameter in the front/popup.php file. This has been fixed in GLPI 0.80.7. See this post on the Full Disclosure mailing list for additional details.

Alerts:
Fedora FEDORA-2012-1534 glpi 2012-02-19
Fedora FEDORA-2012-1519 glpi 2012-02-19
Mandriva MDVSA-2012:016 glpi 2012-02-10

gnutls: denial of service

Package(s): gnutls    CVE #(s): CVE-2011-4128
Created: February 9, 2012    Updated: March 30, 2012
Description: From the openSUSE advisory:

Large server tickets could crash gnutls clients.

Alerts:
Slackware SSA:2013-287-03 gnutls 2013-10-14
Gentoo 201206-18 gnutls 2012-06-23
Fedora FEDORA-2012-4569 gnutls 2012-04-11
Ubuntu USN-1418-1 gnutls13, gnutls26 2012-04-05
Mandriva MDVSA-2012:045 gnutls 2012-03-30
Oracle ELSA-2012-0429 gnutls 2012-03-28
Oracle ELSA-2012-0428 gnutls 2012-03-28
Scientific Linux SL-gnut-20120328 gnutls 2012-03-28
CentOS CESA-2012:0429 gnutls 2012-03-28
CentOS CESA-2012:0428 gnutls 2012-03-28
Red Hat RHSA-2012:0429-01 gnutls 2012-03-27
Red Hat RHSA-2012:0428-01 gnutls 2012-03-27
openSUSE openSUSE-SU-2012:0215-1 gnutls 2012-02-09

java: multiple vulnerabilities

Package(s): java-1.6.0-openjdk    CVE #(s): CVE-2011-3563 CVE-2011-3571 CVE-2011-5035 CVE-2012-0497 CVE-2012-0501 CVE-2012-0502 CVE-2012-0503 CVE-2012-0505 CVE-2012-0506
Created: February 15, 2012    Updated: February 6, 2013
Description: From the Red Hat advisory:

It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. Malicious input, or an untrusted Java application or applet could use this flaw to crash the Java Virtual Machine (JVM), or bypass Java sandbox restrictions. (CVE-2012-0497)

It was discovered that the exception thrown on deserialization failure did not always contain a proper identification of the cause of the failure. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2012-0505)

The AtomicReferenceArray class implementation did not properly check if the array was of the expected Object[] type. A malicious Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2011-3571)

It was discovered that the use of TimeZone.setDefault() was not restricted by the SecurityManager, allowing an untrusted Java application or applet to set a new default time zone, and hence bypass Java sandbox restrictions. (CVE-2012-0503)

The HttpServer class did not limit the number of headers read from HTTP requests. A remote attacker could use this flaw to make an application using HttpServer use an excessive amount of CPU time via a specially-crafted request. This update introduces a header count limit controlled using the sun.net.httpserver.maxReqHeaders property. The default value is 200. (CVE-2011-5035)

The Java Sound component did not properly check buffer boundaries. Malicious input, or an untrusted Java application or applet could use this flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion of its memory. (CVE-2011-3563)

A flaw was found in the AWT KeyboardFocusManager that could allow an untrusted Java application or applet to acquire keyboard focus and possibly steal sensitive information. (CVE-2012-0502)

It was discovered that the CORBA (Common Object Request Broker Architecture) implementation in Java did not properly protect repository identifiers on certain CORBA objects. This could have been used to modify immutable object data. (CVE-2012-0506)

An off-by-one flaw, causing a stack overflow, was found in the unpacker for ZIP files. A specially-crafted ZIP archive could cause the Java Virtual Machine (JVM) to crash when opened. (CVE-2012-0501)

Alerts:
Gentoo 201406-32 icedtea-bin 2014-06-29
Gentoo 201401-30 oracle-jdk-bin 2014-01-26
Fedora FEDORA-2013-1898 java-1.6.0-openjdk 2013-02-05
Fedora FEDORA-2012-16351 java-1.6.0-openjdk 2012-10-18
openSUSE openSUSE-SU-2012:1323-1 virtualbox 2012-10-10
SUSE SUSE-SU-2012:1013-1 java-1_4_2-ibm-sap 2012-08-21
SUSE SUSE-SU-2012:0881-1 java-1_4_2-ibm-sap 2012-07-16
SUSE SUSE-SU-2012:0603-1 IBM Java 1.6.0 2012-05-09
SUSE SUSE-SU-2012:0602-1 IBM Java 1.5.0 2012-05-09
Red Hat RHSA-2012:0514-01 java-1.6.0-ibm 2012-04-24
Red Hat RHSA-2012:0508-01 java-1.5.0-ibm 2012-04-23
Oracle ELSA-2012-0322 java-1.6.0-openjdk 2012-03-09
Ubuntu USN-1373-2 openjdk-6b18 2012-03-01
Debian DSA-2420-1 openjdk-6 2012-02-28
SUSE SUSE-SU-2012:0308-1 Java 1.6.0 2012-02-27
Scientific Linux SL-java-20120228 java-1.6.0-openjdk 2012-02-28
openSUSE openSUSE-SU-2012:0309-1 java-1_6_0-openjdk 2012-02-27
Scientific Linux SL-java-20120227 java-1.6.0-sun 2012-02-27
Ubuntu USN-1373-1 openjdk-6 2012-02-24
Red Hat RHSA-2012:0322-01 java-1.6.0-openjdk 2012-02-21
Fedora FEDORA-2012-1721 java-1.6.0-openjdk 2012-02-22
Fedora FEDORA-2012-1711 java-1.6.0-openjdk 2012-02-17
Mandriva MDVSA-2012:021 java-1.6.0-openjdk 2012-02-17
Red Hat RHSA-2012:0139-01 java-1.6.0-sun 2012-02-16
Oracle ELSA-2012-0135 java-1.6.0-openjdk 2012-02-15
Fedora FEDORA-2012-1690 java-1.7.0-openjdk 2012-02-15
Scientific Linux SL-java-20120215 java-1.6.0-openjdk 2012-02-15
CentOS CESA-2012:0135 java-1.6.0-openjdk 2012-02-15
Red Hat RHSA-2012:0135-01 java-1.6.0-openjdk 2012-02-15
Red Hat RHSA-2012:0702-01 java-1.4.2-ibm 2012-05-30
SUSE SUSE-SU-2012:0734-1 IBM Java 2012-06-13

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2011-4087
Created: February 9, 2012    Updated: February 15, 2012
Description: From the openSUSE advisory:

CVE-2011-4087: A local denial of service when using bridged networking via a flood ping was fixed.

Alerts:
openSUSE openSUSE-SU-2012:0236-1 kernel 2012-02-09

kernel: memory corruption

Package(s): kernel    CVE #(s): CVE-2011-4604
Created: February 9, 2012    Updated: February 15, 2012
Description: From the openSUSE advisory:

CVE-2011-4604: If root does read() on a specific socket, it's possible to corrupt (kernel) memory over network, with an ICMP packet, if the B.A.T.M.A.N. mesh protocol is used.

Alerts:
openSUSE openSUSE-SU-2013:0925-1 kernel 2013-06-10
SUSE SUSE-SU-2013:0786-1 Linux kernel 2013-05-14
openSUSE openSUSE-SU-2012:0236-1 kernel 2012-02-09
openSUSE openSUSE-SU-2012:0206-1 kernel 2012-02-09

kernel: multiple vulnerabilities

Package(s): kernel    CVE #(s): CVE-2011-4086 CVE-2012-0028
Created: February 9, 2012    Updated: June 1, 2012
Description: From the Red Hat advisory:

A flaw was found in the way the Linux kernel's journal_unmap_buffer() function handled buffer head states. On systems that have an ext4 file system with a journal mounted, a local, unprivileged user could use this flaw to cause a denial of service. (CVE-2011-4086, Moderate)

A flaw was found in the way the Linux kernel handled robust list pointers of user-space held futexes across exec() calls. A local, unprivileged user could use this flaw to cause a denial of service or, eventually, escalate their privileges. (CVE-2012-0028, Important)

Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
openSUSE openSUSE-SU-2012:1439-1 kernel 2012-11-05
Oracle ELSA-2012-0862 kernel 2012-07-02
openSUSE openSUSE-SU-2012:0799-1 kernel 2012-06-28
Oracle ELSA-2012-2014 kernel 2012-05-21
CentOS CESA-2012:0571 kernel 2012-05-16
Red Hat RHSA-2012:0670-01 kernel-rt 2012-05-15
Red Hat RHSA-2012:0571-01 kernel 2012-05-15
SUSE SUSE-SU-2012:0616-1 Linux kernel 2012-05-14
Ubuntu USN-1458-1 linux-ti-omap4 2012-05-31
Debian DSA-2469-1 linux-2.6 2012-05-10
Ubuntu USN-1440-1 linux-lts-backport-natty 2012-05-08
Ubuntu USN-1432-1 linux 2012-05-07
Ubuntu USN-1433-1 linux-lts-backport-oneiric 2012-04-30
Ubuntu USN-1454-1 linux 2012-05-25
Scientific Linux SL-kern-20120518 kernel 2012-05-18
Ubuntu USN-1431-1 linux 2012-04-30
SUSE SUSE-SU-2012:0554-2 kernel 2012-04-26
SUSE SUSE-SU-2012:0554-1 Linux kernel 2012-04-23
openSUSE openSUSE-SU-2012:0540-1 kernel 2012-04-20
Ubuntu USN-1445-1 linux 2012-05-17
Oracle ELSA-2012-0150 kernel 2012-03-07
Ubuntu USN-1390-1 linux 2012-03-06
Red Hat RHSA-2012:0358-01 kernel 2012-03-06
Fedora FEDORA-2012-1503 kernel 2012-02-11
Fedora FEDORA-2012-1497 kernel 2012-02-10
Oracle ELSA-2012-0107 kernel 2012-02-10
Scientific Linux SL-kern-20120213 kernel 2012-02-13
CentOS CESA-2012:0107 kernel 2012-02-09
Ubuntu USN-1453-1 linux-ec2 2012-05-25
Oracle ELSA-2012-0571 kernel 2012-05-21
Oracle ELSA-2012-2013 kernel 2012-05-21
Red Hat RHSA-2012:0107-01 kernel 2012-02-09

kernel: unauthorized file access

Package(s): kernel    CVE #(s): CVE-2012-0055
Created: February 13, 2012    Updated: February 15, 2012
Description: From the Ubuntu advisory:

Andy Whitcroft discovered that the Overlayfs filesystem was not doing the extended permission checks needed by cgroups and Linux Security Modules (LSMs). A local user could exploit this to bypass security policy and access files that should not be accessible.

Alerts:
Ubuntu USN-1384-1 linux-lts-backport-oneiric 2012-03-06
Ubuntu USN-1364-1 linux-ti-omap4 2012-02-13
Ubuntu USN-1363-1 linux 2012-02-13

mozilla: code execution

Package(s): mozilla-thunderbird, firefox    CVE #(s): CVE-2012-0452
Created: February 13, 2012    Updated: February 16, 2012
Description: From the Mandriva advisory:

Use-after-free vulnerability in Mozilla Firefox 10.x before 10.0.1, Thunderbird 10.x before 10.0.1, and SeaMonkey 2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger failure of an nsXBLDocumentInfo::ReadPrototypeBindings function call, related to the cycle collector's access to a hash table containing a stale XBL binding.

Alerts:
openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
Gentoo 201301-01 firefox 2013-01-07
openSUSE openSUSE-SU-2012:0567-1 firefox, thunderbird, seamonkey, xulrunner 2012-04-27
Ubuntu USN-1369-1 thunderbird 2012-02-17
SUSE SUSE-SU-2012:0261-1 Mozilla Firefox 2012-02-16
openSUSE openSUSE-SU-2012:0258-1 MozillaFirefox 2012-02-14
Ubuntu USN-1360-1 firefox 2012-02-13
Mandriva MDVSA-2012:017 firefox 2012-02-12
Mandriva MDVSA-2012:018 mozilla-thunderbird 2012-02-13

mysql: multiple unspecified vulnerabilities

Package(s): mysql    CVE #(s): CVE-2012-0117 CVE-2012-0486 CVE-2012-0487 CVE-2012-0488 CVE-2012-0489 CVE-2012-0491 CVE-2012-0493 CVE-2012-0494 CVE-2012-0495 CVE-2012-0496
Created: February 13, 2012    Updated: February 16, 2012
Description: From the CVE entries:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495. (CVE-2012-0117)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495. (CVE-2012-0486)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495. (CVE-2012-0487)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0489, CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495. (CVE-2012-0488)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495. (CVE-2012-0489)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0493, and CVE-2012-0495. (CVE-2012-0491)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, and CVE-2012-0495. (CVE-2012-0493)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows local users to affect availability via unknown vectors. (CVE-2012-0494)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, and CVE-2012-0493. (CVE-2012-0495)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect confidentiality and integrity via unknown vectors. (CVE-2012-0496)

Alerts:
Gentoo 201308-06 mysql 2013-08-29
Gentoo GLSA 201308-06:02 mysql 2013-08-30
Fedora FEDORA-2012-0987 mysql 2012-02-12

Comments (1 posted)

mysql: multiple unspecified vulnerabilities

Package(s): mysql
CVE #(s): CVE-2011-2262 CVE-2012-0075 CVE-2012-0087 CVE-2012-0101 CVE-2012-0102 CVE-2012-0112 CVE-2012-0113 CVE-2012-0114 CVE-2012-0115 CVE-2012-0116 CVE-2012-0118 CVE-2012-0119 CVE-2012-0120 CVE-2012-0484 CVE-2012-0485 CVE-2012-0490 CVE-2012-0492
Created: February 9, 2012
Updated: August 13, 2012
Description:

From the Red Hat advisory:

CVE-2011-2262 mysql: Unspecified vulnerability allows remote attackers to affect availability

CVE-2012-0075 mysql: Unspecified vulnerability allows remote authenticated users to affect integrity

CVE-2012-0087 mysql: Unspecified vulnerability allows remote authenticated users to affect availability

CVE-2012-0101 mysql: Unspecified vulnerability allows remote authenticated users to affect availability

CVE-2012-0102 mysql: Unspecified vulnerability allows remote authenticated users to affect availability

CVE-2012-0112 mysql: Unspecified vulnerability allows remote authenticated users to affect availability

CVE-2012-0113 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality and availability

CVE-2012-0114 mysql: Unspecified vulnerability allows local users to affect confidentiality and integrity

CVE-2012-0115 mysql: Unspecified vulnerability allows remote authenticated users to affect availability

CVE-2012-0116 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality and integrity

CVE-2012-0118 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality and availability

CVE-2012-0119 mysql: Unspecified vulnerability allows remote authenticated users to affect availability

CVE-2012-0120 mysql: Unspecified vulnerability allows remote authenticated users to affect availability

CVE-2012-0484 mysql: Unspecified vulnerability allows remote authenticated users to affect confidentiality

CVE-2012-0485 mysql: Unspecified vulnerability allows remote authenticated users to affect availability

CVE-2012-0490 mysql: Unspecified vulnerability allows remote authenticated users to affect availability

CVE-2012-0492 mysql: Unspecified vulnerability allows remote authenticated users to affect availability

Alerts:
Gentoo 201308-06 mysql 2013-08-29
Gentoo GLSA 201308-06:02 mysql 2013-08-30
SUSE SUSE-SU-2012:0984-1 MySQL 2012-08-13
openSUSE openSUSE-SU-2012:0619-1 mariadb 2012-05-14
openSUSE openSUSE-SU-2012:0618-1 mysql-community-server 2012-05-14
Ubuntu USN-1397-1 mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 2012-03-12
Debian DSA-2429-1 mysql-5.1 2012-03-07
Scientific Linux SL-mysq-20120214 mysql 2012-02-14
Oracle ELSA-2012-0127 mysql 2012-02-14
CentOS CESA-2012:0127 mysql 2012-02-14
Red Hat RHSA-2012:0127-01 mysql 2012-02-13
Fedora FEDORA-2012-0987 mysql 2012-02-12
Scientific Linux SL-mysq-20120209 mysql 2012-02-09
Oracle ELSA-2012-0105 mysql 2012-02-09
Fedora FEDORA-2012-0972 mysql 2012-02-08
CentOS CESA-2012:0105 mysql 2012-02-08
Red Hat RHSA-2012:0105-01 mysql 2012-02-08

Comments (none posted)

php: multiple vulnerabilities

Package(s): php5
CVE #(s): CVE-2011-4153 CVE-2012-0788 CVE-2012-0831
Created: February 10, 2012
Updated: February 28, 2013
Description: From the Ubuntu advisory:

It was discovered that PHP did not always check the return value of the zend_strndup function. This could allow a remote attacker to cause a denial of service. (CVE-2011-4153)

It was discovered that PHP did not properly enforce that PDORow objects could not be serialized and not be saved in a session. A remote attacker could use this to cause a denial of service via an application crash. (CVE-2012-0788)

It was discovered that PHP allowed the magic_quotes_gpc setting to be disabled remotely. This could allow a remote attacker to bypass restrictions that could prevent an SQL injection. (CVE-2012-0831)

Alerts:
Scientific Linux SLSA-2013:1307-1 php53 2013-10-10
Oracle ELSA-2013-1307 php53 2013-10-02
Red Hat RHSA-2013:1307-01 php53 2013-09-30
SUSE SUSE-SU-2013:1351-1 PHP5 2013-08-16
CentOS CESA-2013:0514 php 2013-03-09
Scientific Linux SL-php-20130228 php 2013-02-28
Oracle ELSA-2013-0514 php 2013-02-28
Red Hat RHSA-2013:0514-02 php 2013-02-21
Gentoo 201209-03 php 2012-09-23
CentOS CESA-2012:1046 php 2012-07-10
Scientific Linux SL-php-20120709 php 2012-07-09
Scientific Linux SL-php5-20120705 php53 2012-07-05
Scientific Linux SL-php-20120705 php 2012-07-05
Oracle ELSA-2012-1046 php 2012-06-30
Oracle ELSA-2012-1047 php53 2012-06-28
Oracle ELSA-2012-1045 php 2012-06-28
CentOS CESA-2012:1047 php53 2012-06-27
CentOS CESA-2012:1045 php 2012-06-27
Red Hat RHSA-2012:1047-01 php53 2012-06-27
Red Hat RHSA-2012:1046-01 php 2012-06-27
Red Hat RHSA-2012:1045-01 php 2012-06-27
Mandriva MDVSA-2012:071 php 2012-05-10
Fedora FEDORA-2012-6911 php-eaccelerator 2012-05-07
Fedora FEDORA-2012-6907 php-eaccelerator 2012-05-07
Fedora FEDORA-2012-6911 maniadrive 2012-05-07
Fedora FEDORA-2012-6907 maniadrive 2012-05-07
Fedora FEDORA-2012-6911 php 2012-05-07
Fedora FEDORA-2012-6907 php 2012-05-07
Mandriva MDVSA-2012:065 php 2012-04-27
SUSE SUSE-SU-2012:0496-1 PHP5 2012-04-12
SUSE SUSE-SU-2012:0472-1 PHP5 2012-04-06
openSUSE openSUSE-SU-2012:0426-1 php5 2012-03-29
SUSE SUSE-SU-2012:0411-1 PHP5 2012-03-24
Ubuntu USN-1358-2 php 2012-02-13
Debian DSA-2408-1 php5 2012-02-13
Ubuntu USN-1358-1 php5 2012-02-09

Comments (none posted)

phpldapadmin: cross-site scripting

Package(s): phpldapadmin
CVE #(s): CVE-2012-0834
Created: February 14, 2012
Updated: February 15, 2012
Description: From the CVE entry:

Cross-site scripting (XSS) vulnerability in lib/QueryRender.php in phpLDAPadmin 1.2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the base parameter in a query_engine action to cmd.php.

Alerts:
Mandriva MDVSA-2012:020 phpldapadmin 2012-02-15
Fedora FEDORA-2012-1267 phpldapadmin 2012-02-14
Fedora FEDORA-2012-1253 phpldapadmin 2012-02-14

Comments (none posted)

puppet: unintended access to resources

Package(s): Puppet
CVE #(s): CVE-2011-0528
Created: February 14, 2012
Updated: February 15, 2012
Description: From the Ubuntu advisory:

It was discovered that Puppet would allow remote ralsh under certain circumstances. An attacker on an authenticated puppet node could exploit this to view or manipulate resources on other Puppet nodes.

Alerts:
Ubuntu USN-1365-1 Puppet 2012-02-14

Comments (none posted)

samba: denial of service

Package(s): samba
CVE #(s): CVE-2012-0817
Created: February 9, 2012
Updated: February 15, 2012
Description:

From the Red Hat bugzilla entry:

A memory leak leading to denial of service (smbd crash) was found in the way the smbd daemon of the Samba suite performed management of file descriptors related to socket connections. A remote attacker could use this flaw to cause excessive CPU use or, potentially, denial of service via a loop of incoming connections.

Alerts:
SUSE SUSE-SU-2012:0515-1 Samba 2012-04-17
SUSE SUSE-SU-2012:0502-1 Samba 2012-04-14
Fedora FEDORA-2012-1098 samba 2012-02-08

Comments (none posted)

selinux-policy: policy enhancements

Package(s): selinux-policy
CVE #(s):
Created: February 14, 2012
Updated: February 15, 2012
Description: From the Scientific Linux advisory:

An incorrect SELinux policy prevented the qpidd service from starting. These selinux-policy packages contain updated SELinux rules, which allow the qpidd service to be started correctly.

With SELinux in enforcing mode, the ssh-keygen utility was prevented from accessing various applications and thus could not be used to generate SSH keys for these programs. With this update, the "ssh_keygen_t" SELinux domain type has been implemented as unconfined, which ensures that the ssh-keygen utility works correctly.

Alerts:
Scientific Linux SL-seli-20120214 selinux-policy 2012-02-14

Comments (none posted)

sysconfig: code execution

Package(s): sysconfig
CVE #(s): CVE-2011-4182
Created: February 9, 2012
Updated: February 15, 2012
Description:

From the openSUSE advisory:

The sysconfig hook script for NetworkManager did not properly quote shell metacharacters when processing ESSIDs. Specially crafted network names could therefore lead to execution of shell code (CVE-2011-4182).

Alerts:
openSUSE openSUSE-SU-2012:0242-1 sysconfig 2012-02-09

Comments (none posted)

wireshark: multiple vulnerabilities

Package(s): wireshark
CVE #(s):
Created: February 9, 2012
Updated: February 15, 2012
Description:

From the Mandriva advisory:

Multiple file parser and NULL pointer vulnerabilities, including an RLC dissector buffer overflow, were found and corrected in Wireshark.

Alerts:
Mandriva MDVSA-2012:015 wireshark 2012-02-09

Comments (none posted)

xchat-ruby: null pointer dereference, remote DoS

Package(s): xchat-ruby
CVE #(s):
Created: February 13, 2012
Updated: February 15, 2012
Description: From the Red Hat bugzilla:

In src/xchat-ruby.c, the functions

    static_ruby_custom_command_hook(char *word[], char *word_eol[], void *userdata)
    static_ruby_custom_server_hook(char *word[], char *word_eol[], void *userdata)

use the parameter 'word' in a for loop with no break [1]:

    for( i = 1; word[i][0] != '\0'; i++ )

The problem is that word[PDIWORDS] is always set to NULL by xchat. So if the input contains more words than PDIWORDS (32) [2], the NULL pointer will be dereferenced.

This bug is remotely triggerable over IRC networks if one or more Ruby plugins use hook_server().
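The loop quoted in the report beside a bounded version, as an added example that is not the xchat-ruby source: it runs both against a constructed word[] array laid out the way the report describes xchat's (word[PDIWORDS] set to NULL), with PDIWORDS taken from the report and the helper names assumed.

```c
#include <stddef.h>
#define PDIWORDS 32   /* array size named in the report */

/* Lay out word[] as the report describes xchat's array: word[0] unused,
 * words in slots 1..nwords (capped at PDIWORDS-1), the unused slots set
 * to "" and word[PDIWORDS] always NULL. Constructed test input. */
static void build_words(char *word[PDIWORDS + 1], int nwords)
{
    int i;
    word[0] = "";
    for (i = 1; i < PDIWORDS; i++)
        word[i] = (i <= nwords) ? "w" : "";
    word[PDIWORDS] = NULL;
}

/* The loop quoted in the report. Once slots 1..PDIWORDS-1 are all
 * non-empty it evaluates word[PDIWORDS][0], a NULL dereference. */
static int count_words_unbounded(char *word[])
{
    int i;
    for (i = 1; word[i][0] != '\0'; i++)
        ;
    return i - 1;
}

/* Fixed loop: also stop at the array bound and at a NULL entry. */
static int count_words_bounded(char *word[])
{
    int i;
    for (i = 1; i < PDIWORDS && word[i] != NULL && word[i][0] != '\0'; i++)
        ;
    return i - 1;
}

/* Build a line of nwords words and count it with either loop; the
 * unbounded loop is only safe to call while nwords < PDIWORDS - 1. */
static int count_for(int nwords, int use_bounded)
{
    char *word[PDIWORDS + 1];
    build_words(word, nwords);
    return use_bounded ? count_words_bounded(word)
                       : count_words_unbounded(word);
}

int main(void)
{
    /* 5 words: both loops agree. 40 words: only the bounded loop is
     * safe to run, and it stops at slot PDIWORDS-1 (31). */
    return (count_for(5, 0) == 5 && count_for(40, 1) == 31) ? 0 : 1;
}
```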

Alerts:
Fedora FEDORA-2012-1325 xchat-ruby 2012-02-12
Fedora FEDORA-2012-1334 xchat-ruby 2012-02-12

Comments (none posted)

znc: denial of service

Package(s): znc
CVE #(s): CVE-2012-0033
Created: February 10, 2012
Updated: November 2, 2015
Description: From the Red Hat bugzilla:

A denial of service flaw was reported in ZNC versions 0.200 and 0.202. A DCC RESUME received by znc can cause a crash in the bouncedcc module.

Alerts:
openSUSE openSUSE-SU-2015:1886-1 znc 2015-11-02
Fedora FEDORA-2012-0921 znc-infobot 2012-02-10
Fedora FEDORA-2012-0921 znc 2012-02-10
Fedora FEDORA-2012-0917 znc 2012-02-10

Comments (none posted)

Page editor: Jake Edge

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds