
Security

MySQL flaw leaves some systems wide open

By Jake Edge
June 13, 2012

For all their faults, passwords are the dominant means of authentication used by computers and applications today. That makes it a little disconcerting to see reports of various longstanding bugs in password handling recently. Obviously it's good that they are being fixed, but it does make one wonder about how much testing we are doing of this critical link in authentication.

Most of the recent password problems (e.g. the multi-package Crypt-DES vulnerability) don't rise to the level of the MySQL/MariaDB flaw reported on June 9, however. Due to an incorrect cast of the return value from memcmp(), the wrong password will be accepted for an existing account with a probability of 1/256. That means that with a fairly small number of tries, an attacker can gain access to a MySQL database server if they know a valid account name (and "root" almost always exists).

While the problem is serious, it is not as bad as it might at first appear. First, it only affects MySQL and MariaDB packages that have been built in a certain way, specifically with GCC using the SSE (Streaming SIMD Extensions) optimization. In that case, memcmp() can return values outside the range of a signed character (-128 to 127) and the MySQL code will sometimes treat that as a password match—even if it isn't. The return value from memcmp() is cast to a char, so if the value has a low-order zero byte (which happens 1/256 of the time), it is seen as a match. While it is the SSE optimization that shows the flaw, assuming that memcmp() will always return values in that range is clearly a bug.
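To make the mechanism concrete, the following C program is an added example (it is not MySQL's or MariaDB's code) that models the comparison the article describes. A constructed wide_memcmp() stands in for the optimized memcmp(): it compares 16-bit words and reports the numeric difference of the first mismatching word, so its result is not confined to -128..127. check_hash_buggy() narrows that result to a char, exactly the defect described above; check_hash_fixed() collapses it to 0/1 before any narrowing can happen. A small seeded fuzz loop then feeds random wrong digests to each check and counts false accepts, which is the kind of test that flushes this bug out in seconds. All function names, the digest contents and the word-wise compare model are constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HASH_LEN 20  /* SHA-1 digest size, the length the password check compares */

/*
 * Constructed stand-in for an optimized memcmp(): compares 16-bit
 * little-endian words and returns the numeric difference of the first
 * mismatching word, so the result can be far outside -128..127.
 * This models the behaviour the article describes; it is not the real
 * SSE implementation.
 */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t i;
    for (i = 0; i + 1 < n; i += 2) {
        int wa = a[i] | (a[i + 1] << 8);
        int wb = b[i] | (b[i + 1] << 8);
        if (wa != wb)
            return wa - wb;
    }
    if (i < n)                          /* odd trailing byte, if any */
        return (int)a[i] - (int)b[i];
    return 0;
}

/* The bug: the int result is narrowed to a char, so any difference whose
 * low byte is zero (256, -14848, ...) becomes 0 and reads as "match". */
static char check_hash_buggy(const unsigned char *stored, const unsigned char *computed)
{
    return (char)wide_memcmp(stored, computed, HASH_LEN);
}

/* The fix: collapse the result to 0/1 before it can be narrowed. */
static char check_hash_fixed(const unsigned char *stored, const unsigned char *computed)
{
    return wide_memcmp(stored, computed, HASH_LEN) != 0;
}

/* Build a constructed digest and a copy that differs only at byte `pos`. */
static void make_pair(size_t pos, unsigned char *stored, unsigned char *wrong)
{
    for (size_t i = 0; i < HASH_LEN; i++)
        stored[i] = (unsigned char)(i * 37 + 11);
    memcpy(wrong, stored, HASH_LEN);
    wrong[pos] ^= 0x5a;
}

/* Verdict (0 means "password accepted") of each check for a digest that is
 * wrong in exactly one byte. Byte 1 is the high half of the first word, so
 * the wide difference is a multiple of 256 and the buggy check accepts it. */
static int buggy_verdict_for_flip(size_t pos)
{
    unsigned char stored[HASH_LEN], wrong[HASH_LEN];
    make_pair(pos, stored, wrong);
    return check_hash_buggy(stored, wrong);
}

static int fixed_verdict_for_flip(size_t pos)
{
    unsigned char stored[HASH_LEN], wrong[HASH_LEN];
    make_pair(pos, stored, wrong);
    return check_hash_fixed(stored, wrong);
}

/* Fuzz check: feed `trials` random wrong digests to `check` and count how
 * many it accepts. A correct comparison accepts none; the buggy one accepts
 * roughly 1 in 256. Seeded so the run is reproducible. */
static unsigned fuzz_false_accepts(char (*check)(const unsigned char *, const unsigned char *),
                                   unsigned trials, unsigned seed)
{
    unsigned char stored[HASH_LEN], guess[HASH_LEN];
    unsigned accepted = 0;

    srand(seed);
    for (size_t i = 0; i < HASH_LEN; i++)
        stored[i] = (unsigned char)(rand() & 0xff);

    for (unsigned t = 0; t < trials; t++) {
        for (size_t i = 0; i < HASH_LEN; i++)
            guess[i] = (unsigned char)(rand() & 0xff);
        if (memcmp(stored, guess, HASH_LEN) == 0)
            continue;                   /* a genuine match, not a false accept */
        if (check(stored, guess) == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("flip byte 1: buggy=%d fixed=%d\n",
           buggy_verdict_for_flip(1), fixed_verdict_for_flip(1));
    printf("flip byte 0: buggy=%d fixed=%d\n",
           buggy_verdict_for_flip(0), fixed_verdict_for_flip(0));
    printf("buggy check accepted %u of 100000 random wrong digests\n",
           fuzz_false_accepts(check_hash_buggy, 100000, 7));
    printf("fixed check accepted %u of 100000 random wrong digests\n",
           fuzz_false_accepts(check_hash_fixed, 100000, 7));
    return 0;
}
```

The narrowing in check_hash_buggy() keeps only the low byte of the difference, so two digests that differ only in byte 1 compare as "equal" while digests that differ in byte 0 are correctly rejected; over 100000 random wrong digests the buggy check accepts a few hundred and the fixed check none. The general lesson is the one the article draws: memcmp() promises only the sign of its result, so code that stores it in anything narrower than an int must normalise it first.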

Based on the report and an analysis by HD Moore, it would seem that it is only some Linux distributions that are affected. The official builds from the projects are not vulnerable, and only certain (mostly 64-bit) distributions are vulnerable (Ubuntu, openSUSE, Debian unstable, Fedora, and Arch Linux, according to Moore).

Any affected MySQL server is locally exploitable, but the server must be listening on an external interface for it to be remotely exploitable. Moore did a survey of exposed servers to try to determine the impact of the problem. Without actually trying to log in, it is difficult to get a full accounting, but it is clear that there are at least tens of thousands of affected systems out there listening on the internet.

Sergei Golubchik discovered the bug in MariaDB on April 4 and reported it to MySQL on April 6. It was fixed in MariaDB on April 4, and MySQL followed suit right after the report.

Oracle released a MySQL update as part of its April critical patch update, but makes no mention of the problem (it does list six other CVEs addressed), so either it was silently fixed or is not present there. The release notes for MySQL 5.5.24 and 5.1.63 do mention a security fix for bug 64884, but the bug was presumably still private at that point. MariaDB released several versions on April 6 with the fix as shown in its bug report.

Given that the code was fixed in various public repositories and released much earlier, it is unclear why the details were withheld until recently. Also, it would seem that the Linux distributions—those most affected by the bug—did not release updates in the interim. As of this writing, only Ubuntu has released a security update for the problem. That's a little puzzling as Red Hat was clearly aware of the problem and requested a CVE on April 20, though RHEL is believed to be unaffected. Fedora and other distribution updates seem like they should be coming soon.

While the PostgreSQL/PHP/BSD Crypt-DES flaw only affected users who chose to use a particular authentication scheme, this MySQL flaw is more wide-ranging. In both cases, though, some amount of password fuzz testing would have spotted the problems in short order. It would seem that kind of testing isn't being done with any frequency in some of our communities, which could lead to rather serious bugs that aren't detected for long periods of time.

One guesses that "everyone" thinks the password handling code has been shaken out since it is such an important part of the authentication path, but these bugs show that isn't always the case. This problem has existed in MySQL going back to at least 5.1 (which was released in beta in 2005) and the Crypt-DES flaw goes back further than that. It is certainly not just database systems that are affected by these kinds of flaws; one hopes that other applications and systems that use passwords are either already fuzz testing or will be doing so soon.

Comments (10 posted)

Brief items

Security quotes of the week

If the UN/ITU do for the Internet what the UN has done for world peace and prosperity, we might as well go back to tin cans and string.
-- Lauren Weinstein

Teach yourself and your students to cheat. We’ve always been taught to color inside the lines, stick to the rules, and never, ever, cheat. In seeking cyber security, we must drop that mindset. It is difficult to defeat a creative and determined adversary who must find only a single flaw among myriad defensive measures to be successful. We must not tie our hands, and our intellects, at the same time. If we truly wish to create the best possible information security professionals, being able to think like an adversary is an essential skill. Cheating exercises provide long term remembrance, teach students how to effectively evaluate a system, and motivate them to think imaginatively. Cheating will challenge students’ assumptions about security and the trust models they envision. Some will find the process uncomfortable. That is OK and by design.
-- Gregory Conti and James Caroland [PDF] in Embracing the Kobayashi Maru: Why You Should Teach Your Students to Cheat

As much as I love revelation, it is unacceptable to be using in its current form. Anyone using or distributing it should consider it as effectively compromised until it is fixed.
-- Kieran Clancy on the Revelation password manager

Comments (6 posted)

Doctorow: The Curious Case of Internet Privacy (Technology Review)

Over at Technology Review, Cory Doctorow argues that browser-makers can reclaim user privacy by snuffing out cookie-based tracking. When advertisers say the idea can't work, he says, consider that the same tactic successfully stamped out pop-ups. "When Mozilla's Firefox turned on pop-up blocking by default, it began to be wildly successful. The other browser vendors had no choice but to follow suit. Today, pop-ups are all but gone."

Comments (77 posted)

New vulnerabilities

asterisk: denial of service

Package(s): asterisk    CVE #(s): CVE-2012-2947
Created: June 11, 2012    Updated: June 18, 2012
Description: From the CVE entry:

chan_iax2.c in the IAX2 channel driver in Certified Asterisk 1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before 1.8.12.1 and 10.x before 10.4.1, when a certain mohinterpret setting is enabled, allows remote attackers to cause a denial of service (daemon crash) by placing a call on hold.

Alerts:
Gentoo 201206-05 asterisk 2012-06-20
Debian DSA-2493-1 asterisk 2012-06-12
Fedora FEDORA-2012-8685 asterisk 2012-06-15
Fedora FEDORA-2012-8692 asterisk 2012-06-15
Fedora FEDORA-2012-8670 asterisk 2012-06-10

Comments (none posted)

asterisk: denial of service

Package(s): asterisk    CVE #(s): CVE-2012-2948
Created: June 13, 2012    Updated: June 13, 2012
Description: From the CVE entry:

chan_skinny.c in the Skinny (aka SCCP) channel driver in Certified Asterisk 1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before 1.8.12.1 and 10.x before 10.4.1 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode.

Alerts:
Gentoo 201206-05 asterisk 2012-06-20
Debian DSA-2493-1 asterisk 2012-06-12

Comments (none posted)

flash-player: multiple vulnerabilities

Package(s): flash-player    CVE #(s): CVE-2012-2034 CVE-2012-2035 CVE-2012-2036 CVE-2012-2037 CVE-2012-2038 CVE-2012-2039 CVE-2012-2040
Created: June 11, 2012    Updated: June 13, 2012
Description: From the openSUSE advisory:

Adobe Flash Player was updated to 11.2.202.236, fixing lots of bugs and critical security issues.

Alerts:
Gentoo 201206-21 adobe-flash 2012-06-23
Red Hat RHSA-2012:0722-01 flash-plugin 2012-06-12
openSUSE openSUSE-SU-2012:0723-1 flash-player 2012-06-11
SUSE SUSE-SU-2012:0724-1 flash-player 2012-06-11

Comments (none posted)

FlightGear: multiple vulnerabilities

Package(s): FlightGear    CVE #(s): CVE-2012-2090 CVE-2012-2091
Created: June 11, 2012    Updated: March 14, 2016
Description: From the Red Hat bugzilla: [1], [2]:

[1] Multiple format string flaws were reported in the way Flight Gear, the flight simulator, and SimGear, a simulation library components performed retrieval of various data chunk values from XML aircraft (FlightGear) or scene graph (SimGear) model data files. A remote attacker could provide a specially-crafted XML model file, which once opened by a local, unsuspecting user in FlightGear / in an application linked against SimGear, would lead to that particular executable crash.

[2] A potential out-of stack-based buffer bounds write flaw was reported in the way Flight Gear, the flight simulator, retrieved rotor name for certain rotor models. A remote attacker could provide a specially-crafted rotor model XML data file, which once opened by a local, unsuspecting user in FlightGear would lead to 'fgfs' executable crash.

Alerts:
Mageia MGASA-2012-0191 flightgear 2012-08-02
Fedora FEDORA-2012-8615 FlightGear 2012-06-09
Fedora FEDORA-2012-8647 FlightGear 2012-06-08
Fedora FEDORA-2012-8650 FlightGear 2012-06-08
Fedora FEDORA-2012-8615 SimGear 2012-06-09
Fedora FEDORA-2012-8647 SimGear 2012-06-08
Fedora FEDORA-2012-8650 SimGear 2012-06-08
Gentoo 201603-12 flightgear 2016-03-13

Comments (none posted)

groff: multiple vulnerabilities

Package(s): groff    CVE #(s): CVE-2009-5080 CVE-2009-5081
Created: June 8, 2012    Updated: June 13, 2012
Description:

From the Fedora advisory:

older security fixes:

- CVE-2009-5080: improper handling of failed attempts to create temporary directories in eqn2graph/pic2graph/grap2graph

- CVE-2009-5081: roff2.pl and groffer.pl use easy-to-guess temporary file names

Alerts:
Gentoo 201310-14 groff 2013-10-25
Mandriva MDVSA-2013:086 groff 2013-04-09
Mandriva MDVSA-2013:085 groff 2013-04-09
Mageia MGASA-2012-0164 groff 2012-07-14
Fedora FEDORA-2012-8596 groff 2012-06-07
Fedora FEDORA-2012-8590 groff 2012-06-07
Fedora FEDORA-2012-8577 groff 2012-06-07

Comments (none posted)

hostapd: insecure default permissions

Package(s): hostapd    CVE #(s): CVE-2012-2389
Created: June 8, 2012    Updated: June 19, 2012
Description:

From the Fedora advisory:

Tighten-up default permissions for hostapd.conf (CVE-2012-2389)

References:

[ 1 ] Bug #826109 - CVE-2012-2389 hostapd: insecure default permissions on /etc/hostapd/hostapd.conf [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=826109

Alerts:
Mandriva MDVSA-2012:168 hostapd 2012-10-22
Mageia MGASA-2012-0291 hostapd 2012-10-11
Fedora FEDORA-2012-9137 hostapd 2012-06-19
Fedora FEDORA-2012-8611 hostapd 2012-06-07
Fedora FEDORA-2012-9206 hostapd 2012-06-19

Comments (none posted)

java: multiple vulnerabilities

Package(s): java-1.6.0-openjdk    CVE #(s): CVE-2012-1711 CVE-2012-1713 CVE-2012-1716 CVE-2012-1717 CVE-2012-1718 CVE-2012-1719 CVE-2012-1723 CVE-2012-1724 CVE-2012-1725
Created: June 13, 2012    Updated: September 28, 2012
Description: From the Red Hat advisory:

Multiple flaws were discovered in the CORBA (Common Object Request Broker Architecture) implementation in Java. A malicious Java application or applet could use these flaws to bypass Java sandbox restrictions or modify immutable object data. (CVE-2012-1711, CVE-2012-1719)

It was discovered that the SynthLookAndFeel class from Swing did not properly prevent access to certain UI elements from outside the current application context. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine, or bypass Java sandbox restrictions. (CVE-2012-1716)

Multiple flaws were discovered in the font manager's layout lookup implementation. A specially-crafted font file could cause the Java Virtual Machine to crash or, possibly, execute arbitrary code with the privileges of the user running the virtual machine. (CVE-2012-1713)

Multiple flaws were found in the way the Java HotSpot Virtual Machine verified the bytecode of the class file to be executed. A specially-crafted Java application or applet could use these flaws to crash the Java Virtual Machine, or bypass Java sandbox restrictions. (CVE-2012-1723, CVE-2012-1725)

It was discovered that the Java XML parser did not properly handle certain XML documents. An attacker able to make a Java application parse a specially-crafted XML file could use this flaw to make the XML parser enter an infinite loop. (CVE-2012-1724)

It was discovered that the Java security classes did not properly handle Certificate Revocation Lists (CRL). CRL containing entries with duplicate certificate serial numbers could have been ignored. (CVE-2012-1718)

It was discovered that various classes of the Java Runtime library could create temporary files with insecure permissions. A local attacker could use this flaw to gain access to the content of such temporary files. (CVE-2012-1717)

Alerts:
Gentoo 201406-32 icedtea-bin 2014-06-29
Gentoo 201401-30 oracle-jdk-bin 2014-01-26
SUSE SUSE-SU-2012:1265-1 IBM Java 2012-09-28
SUSE SUSE-SU-2012:1231-1 IBM Java 2012-09-25
Red Hat RHSA-2012:1289-01 java-1.7.0-ibm 2012-09-18
SUSE SUSE-SU-2012:1204-1 IBM Java 2012-09-18
SUSE SUSE-SU-2012:1177-1 IBM Java 2012-09-14
Red Hat RHSA-2012:1467-01 java-1.7.0-ibm 2012-11-15
Red Hat RHSA-2012:1245-01 java-1.5.0-ibm 2012-09-07
Red Hat RHSA-2012:1243-01 java-1.4.2-ibm 2012-09-07
Red Hat RHSA-2012:1238-01 java-1.6.0-ibm 2012-09-06
Ubuntu USN-1505-2 icedtea-web 2012-08-29
Ubuntu USN-1505-1 icedtea-web, openjdk-6 2012-07-12
CentOS CESA-2012:1009 java-1.7.0-openjdk 2012-07-10
Scientific Linux SL-java-20120705 java-1.6.0-sun 2012-07-05
Debian DSA-2507-1 openjdk-6 2012-07-04
openSUSE openSUSE-SU-2012:0828-1 java 2012-07-04
Oracle ELSA-2012-1009 java-1.7.0-openjdk 2012-06-30
Mageia MGASA-2012-0130 java-1.6.0-openjdk 2012-06-27
Red Hat RHSA-2012:0734-01 java-1.6.0-sun 2012-06-13
Red Hat RHSA-2012:0729-01 java-1.6.0-openjdk 2012-06-13
Fedora FEDORA-2012-9593 java-1.7.0-openjdk 2012-06-17
Fedora FEDORA-2012-9590 java-1.7.0-openjdk 2012-06-17
Red Hat RHSA-2012:1019-01 java-1.7.0-oracle 2012-06-20
Red Hat RHSA-2012:1009-01 java-1.7.0-openjdk 2012-06-20
Fedora FEDORA-2012-9541 java-1.6.0-openjdk 2012-06-16
Scientific Linux SL-java-20120613 java-1.6.0-openjdk 2012-06-13
Mandriva MDVSA-2012:095 java-1.6.0-openjdk 2012-06-18
Fedora FEDORA-2012-9545 java-1.6.0-openjdk 2012-06-16
SUSE SUSE-SU-2012:0762-1 java-1_6_0-openjdk 2012-06-19
Oracle ELSA-2012-0729 java-1.6.0-openjdk 2012-06-14
Oracle ELSA-2012-0730 java-1.6.0-openjdk 2012-06-14
CentOS CESA-2012:0729 java-1.6.0-openjdk 2012-06-13
CentOS CESA-2012:0730 java-1.6.0-openjdk 2012-06-13
Red Hat RHSA-2012:0730-01 java-1.6.0-openjdk 2012-06-13

Comments (none posted)

kernel: multiple vulnerabilities

Package(s): kernel    CVE #(s): CVE-2012-2390 CVE-2012-2372
Created: June 7, 2012    Updated: September 11, 2012
Description:

From the Fedora advisory:

The 3.4 kernel contains a large number of bug fixes

* Wed May 30 2012 Josh Boyer

- CVE-2012-2390 huge pages: memory leak on mmap failure (rhbz 824352 824345)

* Thu May 24 2012 Josh Boyer

- CVE-2012-2372 mm: 32bit PAE pmd walk vs populate SMP race (rhbz 822821 822825)

Alerts:
SUSE SUSE-SU-2014:0908-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0909-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0910-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0911-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0912-1 Linux kernel 2014-07-17
Oracle ELSA-2013-1645 kernel 2013-11-26
openSUSE openSUSE-SU-2013:0927-1 kernel 2013-06-10
Oracle ELSA-2012-1540 kernel 2012-12-05
Scientific Linux SL-kern-20121206 kernel 2012-12-06
Oracle ELSA-2012-2038 kernel 2012-10-20
Oracle ELSA-2012-2038 kernel 2012-10-19
Oracle ELSA-2012-2035 enterprise kernel 2012-09-28
Oracle ELSA-2012-2034 kernel 2012-09-27
Oracle ELSA-2012-2034 kernel 2012-09-28
Oracle ELSA-2012-1304 kernel 2012-09-26
Scientific Linux SL-kern-20120926 kernel 2012-09-26
CentOS CESA-2012:1304 kernel 2012-09-26
Red Hat RHSA-2012:1304-01 kernel 2012-09-25
CentOS CESA-2012:1540 kernel 2012-12-05
Red Hat RHSA-2012:1540-01 kernel 2012-12-04
Ubuntu USN-1563-1 linux-lts-backport-oneiric 2012-09-10
Ubuntu USN-1558-1 linux-ti-omap4 2012-09-06
Ubuntu USN-1556-1 linux-ec2 2012-09-06
Ubuntu USN-1555-1 linux 2012-09-05
Ubuntu USN-1554-1 linux 2012-09-05
Mageia MGASA-2012-0237 kernel 2012-08-23
Ubuntu USN-1529-1 linux 2012-08-10
Ubuntu USN-1515-1 linux 2012-07-23
Ubuntu USN-1538-1 linux-lts-backport-natty 2012-08-14
Ubuntu USN-1535-1 linux 2012-08-10
Ubuntu USN-1531-1 linux 2012-08-10
Ubuntu USN-1530-1 linux-ti-omap4 2012-08-10
Ubuntu USN-1514-1 linux-ti-omap4 2012-08-10
Red Hat RHSA-2012:1150-01 kernel-rt 2012-08-08
Ubuntu USN-1534-1 linux-ec2 2012-08-10
Ubuntu USN-1508-1 linux-ti-omap4 2012-07-16
Oracle ELSA-2012-0862 kernel 2012-07-02
SUSE SUSE-SU-2012:0789-1 Linux kernel 2012-06-26
Oracle ELSA-2012-0743 kernel 2012-06-21
Scientific Linux SL-kern-20120619 kernel 2012-06-19
CentOS CESA-2012:0743 kernel 2012-06-19
Red Hat RHSA-2012:0743-01 kernel 2012-06-18
Fedora FEDORA-2012-8890 kernel 2012-06-13
Fedora FEDORA-2012-8824 kernel 2012-06-07

Comments (none posted)

kernel: privilege escalation

Package(s): kernel    CVE #(s): CVE-2012-0217
Created: June 12, 2012    Updated: July 23, 2012
Description: From the Red Hat advisory:

It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level.

Alerts:
Gentoo 201309-24 xen 2013-09-27
Debian DSA-2508-1 kfreebsd-8 2012-07-22
openSUSE openSUSE-SU-2012:0886-1 xen 2012-07-18
Fedora FEDORA-2012-9430 xen 2012-06-26
Fedora FEDORA-2012-9399 xen 2012-06-26
Fedora FEDORA-2012-9386 xen 2012-06-26
Debian DSA-2501-1 xen 2012-06-24
Scientific Linux SL-kern-20120613 kernel 2012-06-13
CentOS CESA-2012:0721 kernel 2012-06-13
Red Hat RHSA-2012:0721-01 kernel 2012-06-12
Red Hat RHSA-2012:0720-01 kernel 2012-06-12
SUSE SUSE-SU-2012:0730-1 Xen 2012-06-12
Oracle ELSA-2012-0721 kernel 2012-06-15

Comments (none posted)

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2012-2934
Created: June 12, 2012    Updated: November 13, 2012
Description: From the Red Hat advisory:

It was found that guests could trigger a bug in earlier AMD CPUs, leading to a CPU hard lockup, when running on the Xen hypervisor implementation. An unprivileged user in a 64-bit para-virtualized guest could use this flaw to crash the host. Warning: After installing this update, hosts that are using an affected AMD CPU (refer to Red Hat Bugzilla bug #824966 for a list) will fail to boot. In order to boot such hosts, the new kernel parameter, allow_unsafe, can be used ("allow_unsafe=on"). This option should only be used with hosts that are running trusted guests, as setting it to "on" reintroduces the flaw (allowing guests to crash the host).

Alerts:
Gentoo 201309-24 xen 2013-09-27
openSUSE openSUSE-SU-2012:1573-1 XEN 2012-11-26
openSUSE openSUSE-SU-2012:1572-1 XEN 2012-11-26
CentOS CESA-2012:1445 kernel 2012-11-13
Red Hat RHSA-2012:1445-01 kernel 2012-11-13
openSUSE openSUSE-SU-2012:0886-1 xen 2012-07-18
Fedora FEDORA-2012-9430 xen 2012-06-26
Fedora FEDORA-2012-9399 xen 2012-06-26
Fedora FEDORA-2012-9386 xen 2012-06-26
Debian DSA-2501-1 xen 2012-06-24
Red Hat RHSA-2012:0721-01 kernel 2012-06-12
Scientific Linux SL-kern-20120613 kernel 2012-06-13
CentOS CESA-2012:0721 kernel 2012-06-13
SUSE SUSE-SU-2012:0730-1 Xen 2012-06-12
Oracle ELSA-2012-0721 kernel 2012-06-15

Comments (none posted)

kernel: denial of service and possible privilege escalation

Package(s): kernel    CVE #(s): CVE-2012-2383 CVE-2012-2384
Created: June 13, 2012    Updated: June 13, 2012
Description: From the Ubuntu advisory:

Xi Wang discovered a flaw in the Linux kernel's i915 graphics driver handling of cliprect on 32 bit systems. An unprivileged local attacker could leverage this flaw to cause a denial of service or potentially gain root privileges. (CVE-2012-2383)

Xi Wang discovered a flaw in the Linux kernel's i915 graphics driver handling of buffer_count on 32 bit systems. An unprivileged local attacker could leverage this flaw to cause a denial of service or potentially gain root privileges. (CVE-2012-2384)

Alerts:
Oracle ELSA-2013-1645 kernel 2013-11-26
Oracle ELSA-2012-1304 kernel 2012-09-26
Scientific Linux SL-kern-20120926 kernel 2012-09-26
CentOS CESA-2012:1304 kernel 2012-09-26
Red Hat RHSA-2012:1304-01 kernel 2012-09-25
Oracle ELSA-2012-1156 kernel 2012-08-15
Scientific Linux SL-kern-20120815 kernel 2012-08-15
CentOS CESA-2012:1156 kernel 2012-08-15
Red Hat RHSA-2012:1156-01 kernel 2012-08-14
Oracle ELSA-2012-2022 kernel 2012-07-02
Ubuntu USN-1473-1 linux 2012-06-13
Ubuntu USN-1476-1 linux-ti-omap4 2012-06-15
Ubuntu USN-1474-1 linux-ti-omap4 2012-06-13
Ubuntu USN-1472-1 linux 2012-06-12
Ubuntu USN-1471-1 linux-lts-backport-oneiric 2012-06-12

Comments (none posted)

mysql: authentication bypass

Package(s): mysql-5.1, mysql-5.5, mysql-dfsg-5.0, mysql-dfsg-5.1    CVE #(s): CVE-2012-2122
Created: June 12, 2012    Updated: August 13, 2012
Description: From the Ubuntu advisory:

It was discovered that certain builds of MySQL incorrectly handled password authentication on certain platforms. A remote attacker could use this issue to authenticate with an arbitrary password and establish a connection.

Alerts:
Gentoo 201308-06 mysql 2013-08-29
Gentoo GLSA 201308-06:02 mysql 2013-08-30
Mandriva MDVSA-2013:008 mysql 2013-02-06
Scientific Linux SL-mysq-20130123 mysql 2013-01-23
Oracle ELSA-2013-0180 mysql 2013-01-22
CentOS CESA-2013:0180 mysql 2013-01-22
Red Hat RHSA-2013:0180-01 mysql 2013-01-22
SUSE SUSE-SU-2012:0984-1 MySQL 2012-08-13
openSUSE openSUSE-SU-2012:0860-1 mysql 2012-07-11
Fedora FEDORA-2012-9324 mysql 2012-06-26
Debian DSA-2496-1 mysql-5.1 2012-06-18
Ubuntu USN-1467-1 mysql-5.1, mysql-5.5, mysql-dfsg-5.0, mysql-dfsg-5.1 2012-06-11
Fedora FEDORA-2012-9308 mysql 2012-06-17

Comments (none posted)

nova: group policy restriction

Package(s): nova    CVE #(s): CVE-2012-2654
Created: June 7, 2012    Updated: June 26, 2012
Description:

From the Ubuntu advisory:

It was discovered that, when defining security groups in Nova using the EC2 or OS APIs, specifying the network protocol (e.g. 'TCP') in the incorrect case would cause the security group to not be applied correctly. An attacker could use this to bypass Nova security group restrictions.

Alerts:
Fedora FEDORA-2012-9550 openstack-nova 2012-06-26
Fedora FEDORA-2012-9425 openstack-nova 2012-06-22
Ubuntu USN-1466-2 nova 2012-06-12
Ubuntu USN-1466-1 nova 2012-06-06

Comments (none posted)

nss: denial of service

Package(s): nss    CVE #(s): CVE-2012-0441
Created: June 8, 2012    Updated: August 21, 2012
Description:

From the Debian advisory:

Kaspar Brand discovered that Mozilla's Network Security Services (NSS) library did insufficient length checking in the QuickDER decoder, allowing a program using the library to be crashed.

For the stable distribution (squeeze), this problem has been fixed in version 3.12.8-1+squeeze5.

For the testing distribution (wheezy) and unstable distribution (sid), this problem has been fixed in version 2:3.13.4-3.

Alerts:
openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
Gentoo 201301-01 firefox 2013-01-07
Oracle ELSA-2012-1091 nss, nspr, nss-util 2012-07-18
Ubuntu USN-1540-2 nss 2012-08-21
Ubuntu USN-1540-1 nss 2012-08-16
Oracle ELSA-2012-1090 nss, nspr 2012-07-18
Scientific Linux SL-nss-20120718 nss, nspr 2012-07-18
Scientific Linux SL-nss-20120718 nss, nspr, nss-util 2012-07-18
CentOS CESA-2012:1090 nss, nspr 2012-07-17
CentOS CESA-2012:1091 nss, nspr, nss-util 2012-07-18
Red Hat RHSA-2012:1091-01 nss, nspr, nss-util 2012-07-17
Red Hat RHSA-2012:1090-01 nss, nspr 2012-07-17
Ubuntu USN-1463-6 thunderbird 2012-06-26
Ubuntu USN-1463-5 unity-2d 2012-06-26
Mandriva MDVSA-2012:088-1 mozilla 2012-06-23
Ubuntu USN-1463-4 thunderbird 2012-06-22
Debian DSA-2490-1 nss 2012-06-07
Mandriva MDVSA-2012:088 mozilla 2012-06-09
Ubuntu USN-1463-3 firefox 2012-06-20
openSUSE openSUSE-SU-2012:0760-1 mozilla 2012-06-19
SUSE SUSE-SU-2012:0746-1 Mozilla Firefox 2012-06-15

Comments (none posted)

php: multiple vulnerabilities

Package(s): PHP5    CVE #(s): CVE-2012-2335 CVE-2012-2336
Created: June 11, 2012    Updated: July 5, 2012
Description: From the CVE entries:

php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4.2 and execute arbitrary code by leveraging improper interaction between the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +- sequence. (CVE-2012-2335)

sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823. (CVE-2012-2336)

Alerts:
SUSE SUSE-SU-2013:1351-1 PHP5 2013-08-16
Gentoo 201209-03 php 2012-09-23
CentOS CESA-2012:1046 php 2012-07-10
Scientific Linux SL-php-20120709 php 2012-07-09
Scientific Linux SL-php5-20120705 php53 2012-07-05
Scientific Linux SL-php-20120705 php 2012-07-05
SUSE SUSE-SU-2012:0840-1 PHP5 2012-07-05
Oracle ELSA-2012-1046 php 2012-06-30
Oracle ELSA-2012-1047 php53 2012-06-28
Oracle ELSA-2012-1045 php 2012-06-28
CentOS CESA-2012:1047 php53 2012-06-27
CentOS CESA-2012:1045 php 2012-06-27
Red Hat RHSA-2012:1047-01 php53 2012-06-27
Red Hat RHSA-2012:1046-01 php 2012-06-27
Red Hat RHSA-2012:1045-01 php 2012-06-27
SUSE SUSE-SU-2012:0721-1 PHP5 2012-06-09
Ubuntu USN-1481-1 php5 2012-06-19

Comments (none posted)

ubuntuone-client: information leak

Package(s): ubuntuone-client    CVE #(s): CVE-2011-4409
Created: June 6, 2012    Updated: June 13, 2012
Description: From the Ubuntu advisory:

It was discovered that the Ubuntu One Client incorrectly validated server certificates when using HTTPS connections. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to alter or compromise confidential information.

Alerts:
Ubuntu USN-1465-2 ubuntuone-storage-protocol 2012-06-06
Ubuntu USN-1465-1 ubuntuone-client 2012-06-06
Ubuntu USN-1465-3 ubuntuone-client 2012-06-06

Comments (none posted)

ubuntu-sso-client: information leak

Package(s): ubuntu-sso-client    CVE #(s): CVE-2011-4408
Created: June 6, 2012    Updated: June 13, 2012
Description: From the Ubuntu advisory:

It was discovered that the Ubuntu Single Sign On Client incorrectly validated server certificates when using HTTPS connections. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to alter or compromise confidential information.

Alerts:
Ubuntu USN-1464-1 ubuntu-sso-client 2012-06-06

Comments (none posted)

xen: denial of service

Package(s): Xen    CVE #(s): CVE-2012-0218
Created: June 13, 2012    Updated: June 26, 2012
Description: From the SUSE advisory:

A guest user could crash the guest XEN kernel due to a protection fault bounce.

Alerts:
Gentoo 201309-24 xen 2013-09-27
openSUSE openSUSE-SU-2012:0886-1 xen 2012-07-18
Fedora FEDORA-2012-9430 xen 2012-06-26
Fedora FEDORA-2012-9399 xen 2012-06-26
Fedora FEDORA-2012-9386 xen 2012-06-26
Debian DSA-2501-1 xen 2012-06-24
SUSE SUSE-SU-2012:0730-1 Xen 2012-06-12

Comments (none posted)

Page editor: Jake Edge


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds