
Security

Living with the surveillance state

By Jake Edge
October 29, 2013

LinuxCon Europe

The final day of LinuxCon Europe had some of the only content that was focused on the largely European audience at the conference. Mikko Hypponen, chief research officer at F-Secure, gave a talk about living in a surveillance state, with an unmistakable slant toward Europe and the rest of the world outside of the US. There is an imbalance in the surveillance being done, not just the imbalance of governments vs. the people, but also that of the US vs. the rest of the world.

Hypponen started with a little personal history. He is from Finland, "where it was snowing on Saturday", and started programming at 13, because he is a Finn and that is "what we do", he said with a chuckle. In 1991, when he was a bit older, he reverse-engineered boot-sector viruses, which was his introduction to the security world.

Cheap data

Over the last few years, we have started realizing that "data is cheap", he said. We don't have to decide what to keep and what not, we can just keep it all forever. It is the "biggest shift" in our thinking that has happened in that time frame, and it has enabled lots of great things. It also has enabled the storage of surveillance data for, essentially, ever.

What we are seeing today is "wholesale blanket surveillance", with the US National Security Agency (NSA) capturing who we talk to, what we search for, who we email with, and on and on. The laws in the US give the NSA the right to do that for "foreigners", which means 96% of the planet, Hypponen said. Everyone in the world uses US-based services "all the time"; from the cloud to web mail and beyond, all of the most popular services are US-based.

To store all of that information, the NSA is building its "infamous" data center in Utah. He could give the estimates for the amount of data it will hold, but thought it would work better with an analogy that can be more easily visualized. Think of the "largest IKEA you have ever seen", and the NSA's new data center is five times that size. Now think about the number of hard disks you can put into one of those IKEAs, he said.

We are more honest with the internet than we are with friends and family, he said. That means we give away a lot of information about ourselves when we use the internet. To illustrate that, his slide showed search autocompletes for various partial phrases such as "should I tell my girlfriend ...".

According to Hypponen, some surveillance is reasonable. For a school shooter, drug lord, or member of terrorist cell, for example, surveillance should be allowed and the authorities should have the technical means to do so. But first, there must be suspicion of the person in question and proper legal papers need to be filed.

That is not what is going on today. Instead, everyone is being surveilled, including many who are known to be innocent. While you may not worry about the current government misusing that information, the government could change at any time. Show me your search history, he said, and I can find something illegal or embarrassing easily.

"Defenses"

Various people will say that we already knew about this surveillance, that it's nothing new. "Don't listen to them", Hypponen said. We may have suspected this was going on, but now we have the facts. The leaks from Edward Snowden are nearly unique because they are "top secret" documents, which almost never leak. They are bigger than anything WikiLeaks has released or the leaks by Private Chelsea Manning, neither of which contained any top-secret information. For example, we did not know that the NSA was subverting cryptographic algorithms—making us all less secure so its job is easier—until the Snowden releases.

Another "defense" is that "all countries spy", but that is something of a red herring. There is a clear imbalance because of the popularity and prevalence of US-based services. Think of the number of Swedish government officials and business leaders who use US-based services or an operating system that comes from the US. Every single one does so every day, he said. Now think of the US equivalents who use Sweden-based services or operating systems: none. That is the imbalance.

There is also the argument made that this is a tool in the "war on terror". It is not, he said. There is an effort being made to find terrorists, but there is much more going on than that. The NSA is monitoring communications at the United Nations (UN) and European Union (EU) headquarters, but he doubts it is looking for terrorists there.

There are terrorists on the planet, Hypponen said, and we should fight them, but are terrorists truly an existential threat? Are we willing to do anything to stop them? Are we willing to throw away the US Constitution and Bill of Rights, the Universal Declaration of Human Rights, and freedom of the press to fight terrorism?

Nothing to hide

Another argument made is that "I have nothing to hide". If that's true, he said, he wants to know because that means he cannot trust you with his secrets. But it is a pervasive argument. For example, he posted a tweet about the PRISM program back in June, which was immediately greeted by "If you have nothing to hide, why does it matter? Sending naked pictures or something???". His response was that it was none of their business, and that it should be none of the government's business either. Think of what the Nixon administration would have done with the information generated from today's surveillance activities, he suggested.

In Finland in the 1970s, it was a crime to be gay, he said. With today's surveillance activities, it would have been easy to round up all of the gay people and put them in jail. Had that happened, it is likely that being gay would still be a crime in Finland today.

Hypponen quoted Dilma Rousseff, President of Brazil, who was making a complaint about the US surveillance regime at the UN: "In the absence of the right to privacy, there can be no true freedom of expression and opinion, and therefore no effective democracy." He also noted that Marcus Ranum, chief security officer at Tenable Network Security, has called the internet "a colony for the US". Hypponen said that those outside the US should note its colonization and start thinking of that country as their "masters".

Something else that we have learned through the Snowden leaks is the "three hop rule". When a target is identified for further analysis, it is not just those who the person is talking to that get looked at, but those who those people talk to, and one more hop beyond. That makes for an extremely wide net. Using the "#friendofafriendofafriend" hashtag, he also tweeted about that: "I'm scared of some of the people I'm three hops away. Actually, make that one hop."
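To make the width of that net concrete, here is an added example (not from the talk or this article) that walks a small, invented contact graph outward from one target for three hops, and gives the no-overlap upper bound for a given average number of contacts. The graph, the names and the contact counts are constructed for illustration only.

```python
from collections import deque

def reachable_within(graph, start, hops):
    """Breadth-first walk: everyone within `hops` contacts of `start`, keyed by
    the hop at which they were first reached (hop 0 is the target itself)."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        person = queue.popleft()
        if dist[person] == hops:
            continue                      # do not expand past the last hop
        for contact in graph.get(person, ()):
            if contact not in dist:
                dist[contact] = dist[person] + 1
                queue.append(contact)
    return dist

def net_size_by_hop(graph, start, hops=3):
    """Number of people swept in at each hop, index 0 being the target."""
    dist = reachable_within(graph, start, hops)
    counts = [0] * (hops + 1)
    for d in dist.values():
        counts[d] += 1
    return counts

def worst_case_net(avg_contacts, hops=3):
    """Upper bound when nobody's circles overlap: 1 + d + d^2 + ... + d^hops."""
    return sum(avg_contacts ** i for i in range(hops + 1))

# Constructed, symmetric "talks to" graph; every name here is invented.
EDGES = [
    ("target", "a"), ("target", "b"),
    ("a", "c"), ("a", "d"), ("b", "d"), ("b", "e"),
    ("c", "f"), ("d", "g"), ("e", "h"),
    ("f", "i"), ("g", "j"), ("h", "k"), ("k", "l"),
]
CONTACTS = {}
for x, y in EDGES:
    CONTACTS.setdefault(x, set()).add(y)
    CONTACTS.setdefault(y, set()).add(x)

if __name__ == "__main__":
    print("people reached per hop:", net_size_by_hop(CONTACTS, "target"))
    print("no-overlap bound at 100 contacts each:", worst_case_net(100))
```

Even in this tiny graph, three hops from the target reach nine people, and with a hundred contacts per person the bound is over a million; real contact graphs overlap heavily, so the true number is smaller, but the point about the width of the net stands.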

There is a slide from the Snowden trove that lists dates when PRISM access was gained for various providers (like Facebook, Google, Microsoft, Apple, and so on). All of the providers deny giving that access, yet the slide contents have never been denied by the US government. Hypponen thinks we may finally have an explanation for the conflicting stories. More recent disclosures have shown an "Operation Socialist" that describes some "elite hacking units" of the NSA and its UK equivalent, GCHQ.

An effort by GCHQ to attack a Belgian telecom company for surveillance purposes is what is described in the slides. What is particularly galling is how casually this kind of attack is treated in the slides. The slides come with "cheesy" clip art (a stylized "success" for example). There is no mention of team building in a bar, but Hypponen is sure that happened as well. So maybe those dates correspond to when those companies were, sadly, compromised by their own government. It would explain the denials in the face of the "dates of access" slide, he said.

Blaming Snowden

There are a lot of people who are blaming Snowden, he said, which is a bit like blaming Al Gore for global warming. It is interesting to note how little support Snowden has gotten from the rest of the world, and Europe in particular. Hypponen asked the audience to imagine that Snowden had been Chinese and had leaked the same story. Imagine the uproar it would have caused if the Chinese government had charged him with treason—or an allied government destroyed the hard disks of a newspaper as the UK did at The Guardian. We haven't done a very good job of protecting Snowden, he said.

The internet turned out to be a perfect tool for surveillance, unfortunately, he said. Other countries should avoid using US-based services and operating systems to avoid the surveillance that seems to come with them. It is difficult to do, but the alternative is worse. He put up the famous (fake) picture of George Orwell's (of 1984 fame) home in the UK with a closed-circuit TV camera in front of it, noting that "we do have a solution" to loud applause. He continued: "In many ways, Orwell was an optimist."

Hypponen ended his talk with a suggestion. Everyone should be using open source software, which mitigates much of this threat. If every single country were to participate in the creation of open source alternatives to the US-based services that are so prevalent, they would help avoid the surveillance problem—while lifting the rest of us up as well.

The talk seemed to be quite well-received by the largely European audience that it was clearly targeting. Unfortunately for those who were not present, video is not available, evidently due to an audio problem. For those who were there, though, Hypponen gave a rousing talk that certainly proved thought-provoking—exactly the kind of keynote talk one would hope for.

[I would like to thank the Linux Foundation for travel assistance to Edinburgh for LinuxCon.]

Comments (95 posted)

Brief items

Quotes of the week

If you don't do all of this work, there is no way to know for sure where the entropy is coming from. And if you don't know, that's when you have to be very, very conservative, and use a very large engineering safety margin. Currently we use the high resolution CPU counter, plus the interrupted IP, and we mix all of this together from 64 interrupts, and we count this as a single bit of entropy. I *hope* that at least one of those interrupts has sufficient unpredictability, perhaps because the remote attacker can't know when a LAN interrupt has happened, such that we have a single bit of entropy.
Ted Ts'o

According to a top secret accounting dated Jan. 9, 2013, NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency’s Fort Meade headquarters. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — ranging from “metadata,” which would indicate who sent or received e-mails and when, to content such as text, audio and video.
Washington Post

I won't trouble you with shaming details of disclosure -- I won't mention which project representative asked for a password-protected zip file of the disclosure, while another filed the issue on a public bug tracker which promptly e-mailed it back in cleartext -- but the level of preparedness I ran into was pretty troubling. I suspect, rather strongly, that mature security issue handling that you find at organizations like the Apache Foundation or Microsoft is the exception, and not the rule.
Tod Beardsley

Comments (3 posted)

PHP web site compromised

The PHP project has announced that its web site was compromised and used to serve malicious JavaScript code to users. The PHP source distribution was not attacked. "php.net users will have their passwords reset. Note that users of PHP are unaffected by this: this is solely for people committing code to projects hosted on svn.php.net or git.php.net."

Comments (31 posted)

New vulnerabilities

apport: information leak

Package(s):apport CVE #(s):CVE-2013-1067
Created:October 25, 2013 Updated:October 30, 2013
Description: From the Ubuntu advisory:

Martin Carpenter discovered that Apport set incorrect permissions on core dump files generated by setuid binaries. A local attacker could possibly use this issue to obtain privileged information.

Alerts:
Ubuntu USN-2007-1 apport 2013-10-24

Comments (none posted)

bugzilla: multiple vulnerabilities

Package(s):bugzilla CVE #(s):CVE-2013-1734 CVE-2013-1742 CVE-2013-1743
Created:October 29, 2013 Updated:October 30, 2013
Description: From the Red Hat bugzilla:

Class:       Cross-Site Request Forgery
Versions:    2.16rc1 to 4.0.10, 4.1.1 to 4.2.6, 4.3.1 to 4.4
Fixed In:    4.0.11, 4.2.7, 4.4.1
Description: When an attachment is edited, a token is generated to
             validate changes made by the user. Using a crafted URL,
             an attacker could force the token to be recreated,
             allowing him to bypass the token check and abuse a user
             to commit changes on his behalf.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=913904
CVE Number:  CVE-2013-1734

Class:       Cross-Site Scripting
Versions:    2.17.1 to 4.0.10, 4.1.1 to 4.2.6, 4.3.1 to 4.4
Fixed In:    4.0.11, 4.2.7, 4.4.1
Description: Some parameters passed to editflagtypes.cgi were not
             correctly filtered in the HTML page, which could lead
             to XSS.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=924802
CVE Number:  CVE-2013-1742

Class:       Cross-Site Scripting
Versions:    4.1.1 to 4.2.6, 4.3.1 to 4.4
Fixed In:    4.2.7, 4.4.1
Description: Due to an incomplete fix for CVE-2012-4189, some
             incorrectly filtered field values in tabular reports
             could lead to XSS.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=924932
CVE Number:  CVE-2013-1743
Alerts:
Mageia MGASA-2014-0199 bugzilla 2014-05-02
Mandriva MDVSA-2013:285 bugzilla 2013-11-26
Fedora FEDORA-2013-19480 bugzilla 2013-10-29
Fedora FEDORA-2013-19458 bugzilla 2013-10-29

Comments (none posted)

chromium: multiple vulnerabilities

Package(s):chromium-browser CVE #(s):CVE-2013-2925 CVE-2013-2926 CVE-2013-2927 CVE-2013-2928
Created:October 28, 2013 Updated:November 19, 2013
Description: From the CVE entries:

Use-after-free vulnerability in core/xml/XMLHttpRequest.cpp in Blink, as used in Google Chrome before 30.0.1599.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger multiple conflicting uses of the same XMLHttpRequest object. (CVE-2013-2925)

Use-after-free vulnerability in the IndentOutdentCommand::tryIndentingAsListItem function in core/editing/IndentOutdentCommand.cpp in Blink, as used in Google Chrome before 30.0.1599.101, allows user-assisted remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to list elements. (CVE-2013-2926)

Use-after-free vulnerability in the HTMLFormElement::prepareForSubmission function in core/html/HTMLFormElement.cpp in Blink, as used in Google Chrome before 30.0.1599.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to submission for FORM elements. (CVE-2013-2927)

Multiple unspecified vulnerabilities in Google Chrome before 30.0.1599.101 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2013-2928)

Alerts:
Gentoo 201403-01 chromium 2014-03-05
openSUSE openSUSE-SU-2014:0065-1 chromium 2014-01-15
openSUSE openSUSE-SU-2013:1861-1 chromium 2013-12-12
openSUSE openSUSE-SU-2013:1776-1 chromium 2013-11-27
Mageia MGASA-2013-0321 chromium-browser-stable 2013-11-09
openSUSE openSUSE-SU-2013:1729-1 chromium 2013-11-19
Debian DSA-2785-1 chromium-browser 2013-10-26

Comments (none posted)

dropbear: information leak

Package(s):dropbear CVE #(s):CVE-2013-4434
Created:October 28, 2013 Updated:November 18, 2013
Description: From the Mageia advisory:

Inconsistent delays in authorization failures could be used to disclose the existence of valid user accounts in dropbear before 2013.59

Alerts:
openSUSE openSUSE-SU-2013:1696-1 dropbear 2013-11-15
openSUSE openSUSE-SU-2013:1616-1 dropbear 2013-10-31
Mandriva MDVSA-2013:261 dropbear 2013-10-28
Mageia MGASA-2013-0318 dropbear 2013-10-25
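The dropbear issue is a classic user-enumeration timing leak: a login for a nonexistent account failed faster than a wrong password for a real one. The following is an added illustration of the vulnerable shape next to the hardened one; it is not dropbear's code, and the account database, the PBKDF2 step standing in for the real password check, and the call counter are all constructed for the example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000

def derive(password: str, salt: bytes) -> bytes:
    """The expensive step of a password check (PBKDF2 stands in for whatever
    crypt()/key check a real daemon performs)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed account database with a single real user; not from any real system.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, derive("correct horse battery", _SALT))}

# Throw-away credential so the unknown-user path performs identical work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = derive("this-value-is-never-accepted", _DUMMY_SALT)

_calls = {"derive": 0}   # instrumentation only: counts expensive derivations

def _derive_counted(password: str, salt: bytes) -> bytes:
    _calls["derive"] += 1
    return derive(password, salt)

def check_leaky(username: str, password: str) -> bool:
    """Vulnerable shape: an unknown user fails before any hashing, so that
    failure returns measurably faster than a wrong password for a real user."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(_derive_counted(password, salt), expected)

def check_uniform(username: str, password: str) -> bool:
    """Hardened shape: always derive against some salt, compare in constant
    time, and only then fold in whether the user actually exists."""
    rec = USERS.get(username)
    salt, expected = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    digest_ok = hmac.compare_digest(_derive_counted(password, salt), expected)
    return digest_ok and rec is not None

def hashes_performed(check, username: str, password: str) -> int:
    """How many expensive derivations a single call of `check` triggers."""
    _calls["derive"] = 0
    check(username, password)
    return _calls["derive"]

def timed(check, username: str, password: str) -> float:
    start = time.perf_counter()
    check(username, password)
    return time.perf_counter() - start

if __name__ == "__main__":
    for fn in (check_leaky, check_uniform):
        print(fn.__name__,
              "unknown user: %.4fs" % timed(fn, "mallory", "x"),
              "known user, wrong password: %.4fs" % timed(fn, "alice", "x"))
```

Running the block prints the two failure timings for each variant; the leaky one returns almost instantly for an unknown user, the uniform one takes the same time either way. The count of derivations is the property worth asserting in a regression test, since wall-clock measurements are noisy.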

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):firefox, thunderbird, seamonkey CVE #(s):CVE-2013-5590 CVE-2013-5595 CVE-2013-5597 CVE-2013-5599 CVE-2013-5600 CVE-2013-5601 CVE-2013-5602 CVE-2013-5604
Created:October 30, 2013 Updated:December 10, 2013
Description: From the Red Hat advisory:

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to terminate unexpectedly or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2013-5590, CVE-2013-5597, CVE-2013-5599, CVE-2013-5600, CVE-2013-5601, CVE-2013-5602)

It was found that the Firefox JavaScript engine incorrectly allocated memory for certain functions. An attacker could combine this flaw with other vulnerabilities to execute arbitrary code with the privileges of the user running Firefox. (CVE-2013-5595)

A flaw was found in the way Firefox handled certain Extensible Stylesheet Language Transformations (XSLT) files. An attacker could combine this flaw with other vulnerabilities to execute arbitrary code with the privileges of the user running Firefox. (CVE-2013-5604)

Alerts:
Gentoo 201504-01 firefox 2015-04-07
openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
Fedora FEDORA-2013-22467 seamonkey 2013-12-10
Fedora FEDORA-2013-22456 seamonkey 2013-12-10
openSUSE openSUSE-SU-2013:1788-1 seamonkey 2013-11-29
Mageia MGASA-2013-0329 iceape 2013-11-20
Slackware SSA:2013-322-01 mozilla 2013-11-18
SUSE SUSE-SU-2013:1678-1 Mozilla Firefox 2013-11-15
Debian DSA-2797-1 icedove 2013-11-13
openSUSE openSUSE-SU-2013:1644-1 seamonkey 2013-11-09
Mageia MGASA-2013-0320 firefox 2013-11-09
Fedora FEDORA-2013-20429 xulrunner 2013-11-11
Fedora FEDORA-2013-20429 firefox 2013-11-11
openSUSE openSUSE-SU-2013:1633-1 Mozilla 2013-11-07
openSUSE openSUSE-SU-2013:1634-1 Mozilla 2013-11-07
Slackware SSA:2013-307-01 mozilla 2013-11-03
Slackware SSA:2013-322-04 seamonkey 2013-11-18
Fedora FEDORA-2013-20448 xulrunner 2013-11-01
Fedora FEDORA-2013-20448 firefox 2013-11-01
Ubuntu USN-2010-1 thunderbird 2013-10-31
Scientific Linux SLSA-2013:1480-1 thunderbird 2013-10-30
Oracle ELSA-2013-1480 thunderbird 2013-10-30
Mandriva MDVSA-2013:264 firefox 2013-10-31
Debian DSA-2788-1 iceweasel 2013-10-31
CentOS CESA-2013:1480 thunderbird 2013-10-30
CentOS CESA-2013:1480 thunderbird 2013-10-30
Red Hat RHSA-2013:1480-01 thunderbird 2013-10-30
Ubuntu USN-2009-1 firefox 2013-10-29
Scientific Linux SLSA-2013:1476-1 firefox 2013-10-30
Oracle ELSA-2013-1476 firefox 2013-10-30
Oracle ELSA-2013-1476 firefox 2013-10-29
CentOS CESA-2013:1476 firefox 2013-10-30
CentOS CESA-2013:1476 firefox 2013-10-30
Red Hat RHSA-2013:1476-01 firefox 2013-10-29
Mageia MGASA-2013-0326 thunderbird 2013-11-18

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2013-5591 CVE-2013-5592 CVE-2013-5593 CVE-2013-5596 CVE-2013-5598 CVE-2013-5603
Created:October 30, 2013 Updated:December 1, 2013
Description: From the Ubuntu advisory:

Multiple memory safety issues were discovered in Firefox. If a user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, or potentially execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2013-5591, CVE-2013-5592)

Jordi Chancel discovered that HTML select elements could display arbitrary content. An attacker could potentially exploit this to conduct URL spoofing or clickjacking attacks. (CVE-2013-5593)

Ezra Pool discovered a crash on extremely large pages. An attacker could potentially exploit this to execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2013-5596)

Cody Crews discovered a way to append an iframe into an embedded PDF object displayed with PDF.js. An attacker could potentially exploit this to read local files, leading to information disclosure. (CVE-2013-5598)

Abhishek Arya discovered a use-after-free when interacting with HTML document templates. An attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2013-5603)

Alerts:
Gentoo 201504-01 firefox 2015-04-07
openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
openSUSE openSUSE-SU-2013:1788-1 seamonkey 2013-11-29
Mageia MGASA-2013-0329 iceape 2013-11-20
openSUSE openSUSE-SU-2013:1644-1 seamonkey 2013-11-09
openSUSE openSUSE-SU-2013:1633-1 Mozilla 2013-11-07
openSUSE openSUSE-SU-2013:1634-1 Mozilla 2013-11-07
Fedora FEDORA-2013-20448 xulrunner 2013-11-01
Fedora FEDORA-2013-20448 firefox 2013-11-01
Ubuntu USN-2010-1 thunderbird 2013-10-31
Ubuntu USN-2009-1 firefox 2013-10-29

Comments (none posted)

glance: information leak

Package(s):glance CVE #(s):CVE-2013-4428
Created:October 24, 2013 Updated:November 19, 2013
Description: From the Ubuntu advisory:

Stuart McLaren discovered that Glance did not properly enforce the 'download_image' policy for cached images. An authenticated user could exploit this to obtain sensitive information in an image protected by this setting.

Alerts:
Red Hat RHSA-2013:1525-01 openstack-glance 2013-11-18
Ubuntu USN-2003-1 glance 2013-10-23

Comments (none posted)

gnutls: code execution

Package(s):gnutls CVE #(s):CVE-2013-4466
Created:October 29, 2013 Updated:December 1, 2013
Description: From the Red Hat bugzilla:

Upstream GnuTLS versions 3.1.15 and 3.2.5 correct a buffer overflow in the dane_query_tlsa() function used to parse DANE (DNS-based Authentication of Named Entities) DNS records. The function parses the DNS server reply into a dane_query_st / dane_query_t struct which can hold up to 4 entries, but the function failed to check this and allowed parsing more than 4 entries from the reply, resulting in a buffer overflow.

An application using DANE protocol to verify certificates could crash or, possibly, execute arbitrary code when parsing a response from a malicious DNS server.

Alerts:
Mageia MGASA-2013-0354 gnutls 2013-11-30
Fedora FEDORA-2013-20052 gnutls 2013-10-29
Fedora FEDORA-2013-20628 gnutls 2013-11-18

Comments (none posted)

keystone: incorrect token revocation

Package(s):keystone CVE #(s):CVE-2013-4222
Created:October 24, 2013 Updated:November 19, 2013
Description: From the CVE entry:

OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token.

Alerts:
Red Hat RHSA-2013:1524-01 openstack-keystone 2013-11-18
Ubuntu USN-2002-1 keystone 2013-10-23
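The Keystone flaw is a lifecycle bug rather than a crypto one: disabling a tenant changed the tenant's state but left tokens already scoped to it valid until they expired. As an added illustration (not Keystone's own code), here is a minimal token store that indexes tokens by tenant so that disabling the tenant revokes them immediately, and that re-checks tenant state at validation time as a second line of defence. The class and field names and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Token:
    id: str
    user_id: str
    tenant_id: str
    expires_at: float

class TokenStore:
    def __init__(self, now=time.time):
        self.now = now                  # injectable clock for testing
        self.tokens = {}                # token id -> Token
        self.by_tenant = {}             # tenant id -> set of token ids
        self.disabled_tenants = set()

    def issue(self, user_id: str, tenant_id: str, ttl: int = 3600) -> str:
        if tenant_id in self.disabled_tenants:
            raise PermissionError("tenant is disabled")
        tok = Token(secrets.token_hex(16), user_id, tenant_id, self.now() + ttl)
        self.tokens[tok.id] = tok
        self.by_tenant.setdefault(tenant_id, set()).add(tok.id)
        return tok.id

    def disable_tenant(self, tenant_id: str) -> int:
        """Disabling a tenant must revoke every token scoped to it right now;
        leaving them valid until natural expiry is the gap in CVE-2013-4222.
        Returns the number of tokens revoked."""
        self.disabled_tenants.add(tenant_id)
        ids = self.by_tenant.pop(tenant_id, set())
        for tid in ids:
            self.tokens.pop(tid, None)
        return len(ids)

    def validate(self, token_id: str) -> bool:
        tok = self.tokens.get(token_id)
        if tok is None or tok.expires_at <= self.now():
            return False
        # Defence in depth: even a token that slipped past revocation is
        # refused once its tenant is disabled.
        return tok.tenant_id not in self.disabled_tenants

if __name__ == "__main__":
    store = TokenStore()
    t = store.issue("user-1", "project-a")
    print("valid before disable:", store.validate(t))
    print("revoked:", store.disable_tenant("project-a"))
    print("valid after disable:", store.validate(t))
```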

Comments (none posted)

libguestfs: insecure temporary directory

Package(s):libguestfs CVE #(s):CVE-2013-4419
Created:October 28, 2013 Updated:December 4, 2013
Description: From the Red Hat bugzilla:

It was found that guestfish, which enables shell scripting and command line access to libguestfs, insecurely created the temporary directory used to store the network socket when started in server mode (using the "--listen" option). If guestfish were run with the "--listen" option, a local attacker could use this flaw to intercept and modify other users' guestfish commands, allowing them to perform arbitrary guestfish actions (such as modifying virtual machines) with the privileges of a different user, or use this flaw to obtain authentication credentials.

Alerts:
Scientific Linux SLSA-2013:1536-2 libguestfs 2013-12-03
Oracle ELSA-2013-1536 libguestfs 2013-11-27
Oracle ELSA-2013-2584 kernel 2013-11-28
Oracle ELSA-2013-2584 kernel 2013-11-28
Oracle ELSA-2013-2585 kernel 2013-11-28
Oracle ELSA-2013-2585 kernel 2013-11-28
Oracle ELSA-2013-2583 kernel 2013-11-28
Red Hat RHSA-2013:1536-02 libguestfs 2013-11-21
SUSE SUSE-SU-2013:1626-1 guestfs 2013-11-04
Fedora FEDORA-2013-19492 libguestfs 2013-10-27
Fedora FEDORA-2013-19452 libguestfs 2013-10-27

Comments (none posted)

libuv: denial of service

Package(s):libuv CVE #(s):CVE-2013-4450
Created:October 29, 2013 Updated:December 17, 2013
Description: From the CVE entry:

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined requests without reading the response.

Alerts:
Mageia MGASA-2014-0007 nodejs 2014-01-06
Red Hat RHSA-2013:1842-01 nodejs010-nodejs 2013-12-16
openSUSE openSUSE-SU-2013:1863-1 nodejs 2013-12-12
Fedora FEDORA-2013-19491 nodejs 2013-10-29
Fedora FEDORA-2013-19497 nodejs 2013-10-29
Fedora FEDORA-2013-19491 libuv 2013-10-29
Fedora FEDORA-2013-19497 libuv 2013-10-29

Comments (none posted)

mediawiki: multiple vulnerabilities

Package(s):mediawiki CVE #(s):CVE-2013-1816 CVE-2013-1817 CVE-2013-1818 CVE-2013-4304 CVE-2013-4305 CVE-2013-4306 CVE-2013-4307 CVE-2013-4308
Created:October 29, 2013 Updated:October 30, 2013
Description: From the Gentoo advisory:

Multiple vulnerabilities have been discovered in MediaWiki.

A remote attacker may be able to execute arbitrary code, perform man-in-the-middle attacks, obtain sensitive information or perform cross-site scripting attacks.

Alerts:
Gentoo 201310-21 mediawiki 2013-10-28

Comments (none posted)

mysql: unspecified vulnerability

Package(s):mysql CVE #(s):CVE-2013-5807
Created:October 25, 2013 Updated:November 4, 2013
Description: From the CVE entry:

Unspecified vulnerability in Oracle MySQL Server 5.5.x through 5.5.32 and 5.6.x through 5.6.12 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Replication.

Alerts:
Gentoo 201409-04 mysql 2014-09-04
CentOS CESA-2014:0189 mariadb55-mariadb 2014-02-26
CentOS CESA-2014:0173 mysql55-mysql 2014-02-19
Red Hat RHSA-2014:0189-01 mariadb55-mariadb 2014-02-19
Scientific Linux SLSA-2014:0186-1 mysql55-mysql 2014-02-18
Oracle ELSA-2014-0186 mysql55-mysql 2014-02-18
CentOS CESA-2014:0186 mysql55-mysql 2014-02-19
Red Hat RHSA-2014:0186-01 mysql55-mysql 2014-02-18
Red Hat RHSA-2014:0173-01 mysql55-mysql 2014-02-13
Debian DSA-2818-1 mysql-5.5 2013-12-16
Fedora FEDORA-2013-19648 mysql 2013-11-02
Fedora FEDORA-2013-19654 community-mysql 2013-11-02
Ubuntu USN-2006-1 mysql-5.5, mysql-dfsg-5.1 2013-10-24

Comments (none posted)

nova: information leak

Package(s):nova CVE #(s):CVE-2013-4278
Created:October 24, 2013 Updated:October 30, 2013
Description: From the CVE entry:

The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256.

Alerts:
Fedora FEDORA-2013-22693 openstack-nova 2013-12-12
Ubuntu USN-2000-1 nova 2013-10-23

Comments (none posted)

pmake: symlink attack

Package(s):pmake CVE #(s):CVE-2011-1920
Created:October 28, 2013 Updated:November 21, 2013
Description: From the CVE entry:

The make include files in NetBSD before 1.6.2, as used in pmake 1.111 and other products, allow local users to overwrite arbitrary files via a symlink attack on a /tmp/_depend##### temporary file, related to (1) bsd.lib.mk and (2) bsd.prog.mk.

Alerts:
Mandriva MDVSA-2013:271 pmake 2013-11-21
Mageia MGASA-2013-0331 pmake 2013-11-20
Gentoo 201310-17 pmake 2013-10-28

Comments (none posted)

python-djblets: multiple vulnerabilities

Package(s):python-djblets CVE #(s):CVE-2013-4409 CVE-2013-4410 CVE-2013-4411
Created:October 29, 2013 Updated:October 30, 2013
Description: From the Red Hat bugzilla:

[CVE-2013-4409]: Occasionally objects would be transmitted as a repr() of an object instead of a JSON serialization. In order to restore this representation to python code while parsing the JSON, Djblets would use the eval() routine to execute them, leading to a risk of executing arbitrary code in the Review Board process.

[CVE-2013-4410]: Certain functions within Review Board's REST API were not properly validating authorization decisions against access-control lists.

If the attacker was aware of specific database table IDs, it was possible to gain access to restricted data. This vulnerability does not lead directly to a compromise of a machine or denial of service, but may expose sensitive information such as details about other embargoed security issues or confidential intellectual property.

[CVE-2013-4411]: A flaw in the Review Board dashboard URL-processing logic makes it possible for a user to construct a URL that would reveal review requests for review groups to which the user does not belong.

This flaw is only of particular risk to those deployments relying on review groups to restrict access to private reviews, such as those that may contain confidential intellectual property or provide information about embargoed security issues.

Alerts:
Fedora FEDORA-2013-18911 ReviewBoard 2013-10-29
Fedora FEDORA-2013-18931 ReviewBoard 2013-10-29
Fedora FEDORA-2013-18911 python-djblets 2013-10-29
Fedora FEDORA-2013-18931 python-djblets 2013-10-29
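The first of the Djblets issues comes from a tempting shortcut: when a field arrives as a Python repr() string instead of JSON, handing it to eval() turns a deserializer into a code execution path. As an added example (not Djblets' or Review Board's code), here is a decoder that accepts JSON first and, for repr() strings, only the literal subset that ast.literal_eval can rebuild without executing anything; the function names are assumptions for the example.

```python
import ast
import json

class UnsafePayload(ValueError):
    """Raised instead of falling back to eval() on a non-literal string."""

def decode_field(raw: str):
    """Decode a serialized value that may be JSON or a Python repr() string.

    JSON is tried first. A repr() string is accepted only if it is a pure
    literal (dict, list, tuple, set, str, bytes, number, bool, None), which is
    all that ast.literal_eval will build; names, calls, attribute access and
    operators are rejected rather than evaluated."""
    try:
        return json.loads(raw)
    except ValueError:
        pass                                   # not JSON; try the literal path
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise UnsafePayload(f"refusing to evaluate non-literal input: {raw!r}") from exc

def is_literal_payload(raw: str) -> bool:
    """True when `raw` decodes without needing evaluation."""
    try:
        decode_field(raw)
        return True
    except UnsafePayload:
        return False

if __name__ == "__main__":
    for sample in ('{"a": 1}', "{'a': (1, 2)}", "__import__('os').getcwd()"):
        print(repr(sample), "->", "literal" if is_literal_payload(sample) else "rejected")
```

The practical lesson is that the fix is not a better eval() but removing the need for it: emit JSON consistently on the producing side, and treat any repr() that is not a plain literal as corrupt input.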

Comments (none posted)

python-oauth2: man-in-the-middle attack

Package(s):python-oauth2 CVE #(s):CVE-2013-4347
Created:October 28, 2013 Updated:September 26, 2014
Description: From the Mageia advisory:

It was found that in python-oauth2, an application for authorization flows for web applications, the nonce value generated isn't sufficiently random. While doing bulk operations the nonce might be repeated, so there is a chance of predictability. This could allow MITM attackers to conduct replay attacks.

Alerts:
Fedora FEDORA-2014-12536 python-oauth2 2014-10-28
Fedora FEDORA-2014-12475 python-oauth2 2014-10-28
Fedora FEDORA-2014-10786 python-oauth2 2014-09-26
Fedora FEDORA-2014-10784 python-oauth2 2014-09-26
Mageia MGASA-2013-0314 python-oauth2 2013-10-25
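A repeated nonce defeats the purpose of the nonce: an OAuth 1.0a provider is supposed to reject a second request carrying the same (consumer, timestamp, nonce) triple, which is what makes a captured signed request useless for replay. The following added example (not python-oauth2's code) shows both halves: generating the nonce from the OS CSPRNG so repeats are not a practical concern, and the provider-side replay guard with a freshness window. The class and parameter names, the window length and the injectable clock are assumptions for the example.

```python
import secrets
import time

def make_nonce(nbytes: int = 16) -> str:
    """Nonce drawn from the OS CSPRNG (128 bits). Bulk operations cannot
    realistically repeat it, unlike a short or poorly seeded value."""
    return secrets.token_urlsafe(nbytes)

def bulk_nonces_unique(count: int = 50_000) -> bool:
    """Sanity check for the generator: no repeats across `count` draws."""
    return len({make_nonce() for _ in range(count)}) == count

class NonceReplayGuard:
    """Provider-side defence: remember every (consumer, timestamp, nonce)
    accepted inside the freshness window and refuse to accept it twice."""

    def __init__(self, window_seconds: int = 300, now=time.time):
        self.window = window_seconds
        self.now = now                      # injectable clock for testing
        self._seen = {}                     # (consumer, timestamp, nonce) -> expiry

    def _purge(self):
        cutoff = self.now()
        self._seen = {k: exp for k, exp in self._seen.items() if exp > cutoff}

    def accept(self, consumer_key: str, timestamp: int, nonce: str) -> bool:
        self._purge()
        now = self.now()
        if abs(now - timestamp) > self.window:
            return False                    # stale request or skewed clock
        key = (consumer_key, timestamp, nonce)
        if key in self._seen:
            return False                    # identical triple already accepted
        self._seen[key] = timestamp + self.window
        return True

if __name__ == "__main__":
    guard = NonceReplayGuard()
    ts, nonce = int(time.time()), make_nonce()
    print("first use accepted:", guard.accept("consumer-1", ts, nonce))
    print("replay accepted:", guard.accept("consumer-1", ts, nonce))
```

The timestamp window keeps the seen-set bounded: once a request is older than the window it is rejected on age alone, so its nonce no longer needs to be remembered.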

Comments (none posted)

qspice: denial of service

Package(s):qspice CVE #(s):CVE-2013-4282
Created:October 30, 2013 Updated:May 18, 2015
Description: From the Red Hat advisory:

A stack-based buffer overflow flaw was found in the way the reds_handle_ticket() function in the spice-server library handled decryption of ticket data provided by the client. A remote user able to initiate a SPICE connection to an application acting as a SPICE server could use this flaw to crash the application.

Alerts:
openSUSE openSUSE-SU-2015:1750-1 spice 2015-10-15
SUSE SUSE-SU-2015:0884-2 spice 2015-05-16
SUSE SUSE-SU-2015:0884-1 spice 2015-05-15
Mandriva MDVSA-2014:016 spice 2014-01-22
Mageia MGASA-2014-0022 spice 2014-01-21
Debian DSA-2839-1 spice 2014-01-08
Ubuntu USN-2027-1 spice 2013-11-12
Fedora FEDORA-2013-20340 spice 2013-11-08
Fedora FEDORA-2013-20360 spice 2013-11-08
Scientific Linux SLSA-2013:1473-1 spice-server 2013-10-30
Scientific Linux SLSA-2013:1474-1 qspice 2013-10-30
Oracle ELSA-2013-1473 spice-server 2013-10-29
Oracle ELSA-2013-1474 qspice 2013-10-29
CentOS CESA-2013:1473 spice-server 2013-10-30
CentOS CESA-2013:1474 qspice 2013-10-29
Red Hat RHSA-2013:1473-01 spice-server 2013-10-29
Red Hat RHSA-2013:1474-01 qspice 2013-10-29

Comments (none posted)

roundcube: code execution

Package(s):roundcube CVE #(s):CVE-2013-6172
Created:October 28, 2013 Updated:March 14, 2014
Description: From the Debian advisory:

It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, does not properly sanitize the _session parameter in steps/utils/save_pref.inc during saving preferences. The vulnerability can be exploited to overwrite configuration settings and subsequently allowing random file access, manipulated SQL queries and even code execution.

Alerts:
openSUSE openSUSE-SU-2014:0365-1 roundcubemail 2014-03-13
Gentoo 201402-15 roundcube 2014-02-11
Fedora FEDORA-2013-19745 roundcubemail 2013-10-31
Mandriva MDVSA-2013:263 roundcubemail 2013-10-29
Fedora FEDORA-2013-19729 roundcubemail 2013-10-26
Debian DSA-2787-1 roundcube 2013-10-27
Mageia MGASA-2013-0325 roundcubemail 2013-11-18

Comments (none posted)

salt: information leak

Package(s):salt CVE #(s):CVE-2013-4439
Created:October 28, 2013 Updated:October 30, 2013
Description: From the Red Hat bugzilla:

Saltstack, a client/server configuration system, was found to have allowed any minion to masquerade as any other agent when requesting data from the master, which could permit a compromised server to request data from another server, which could lead to a potential information leak.

Alerts:
Fedora FEDORA-2013-19354 salt 2013-10-27
Fedora FEDORA-2013-19356 salt 2013-10-27

Comments (none posted)

scipy: insecure temporary directory

Package(s):scipy CVE #(s):CVE-2013-4251
Created:October 28, 2013 Updated:November 21, 2013
Description: From Vincent Danen's comment to the Red Hat bug report:

To summarize, scipy.weave will use /tmp/[username] as persistent storage (cache), but it does not check whether or not this directory already exists, does not check whether it is a directory or a symlink, and also does not verify permissions or ownership, which could allow someone to place code in this directory that would be executed as the user running scipy.weave.

Alerts:
Mageia MGASA-2013-0330 python-scipy 2013-11-20
Fedora FEDORA-2013-19236 scipy 2013-10-27
Fedora FEDORA-2013-19271 scipy 2013-10-27
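The scipy.weave description lists exactly the checks a per-user cache directory needs. The following added example (not scipy's code) performs them: it creates the directory with mode 0700 if absent, then inspects the result with lstat so a planted symlink is seen for what it is, and refuses anything that is not a directory, is owned by another user, or is writable by group or others. The helper also plants each of those objects in a private scratch directory to show the outcome of every branch. Function names are assumptions for the example.

```python
import os
import stat
import tempfile

class UnsafeCacheDir(Exception):
    pass

def secure_cache_dir(path: str) -> str:
    """Create the cache directory if absent, then validate what is actually at
    `path` before trusting it. Checking after creating (rather than before)
    closes the race in which an attacker pre-creates the path."""
    try:
        os.mkdir(path, 0o700)               # FileExistsError if something is there
    except FileExistsError:
        pass
    st = os.lstat(path)                     # lstat: never follow a symlink here
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeCacheDir(f"{path}: is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeCacheDir(f"{path}: not a directory")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise UnsafeCacheDir(f"{path}: owned by uid {st.st_uid}, not by us")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeCacheDir(f"{path}: writable by group or others")
    return path

def _outcome(path: str) -> str:
    try:
        secure_cache_dir(path)
        return "accepted"
    except UnsafeCacheDir:
        return "rejected"

def demo_outcomes() -> dict:
    """Plant the kinds of objects a local user could leave at a predictable
    path, inside a private scratch directory, and record the verdict for each."""
    base = tempfile.mkdtemp()
    results = {"fresh": _outcome(os.path.join(base, "cache"))}
    link = os.path.join(base, "link")
    os.symlink(base, link)                  # symlink pointing elsewhere
    results["symlink"] = _outcome(link)
    plain = os.path.join(base, "file")
    open(plain, "w").close()                # a regular file, not a directory
    results["plain_file"] = _outcome(plain)
    loose = os.path.join(base, "loose")
    os.mkdir(loose)
    os.chmod(loose, 0o777)                  # directory anyone can write into
    results["world_writable"] = _outcome(loose)
    return results

if __name__ == "__main__":
    for case, verdict in demo_outcomes().items():
        print(f"{case:15s} {verdict}")
```

Even with these checks, a fixed name under /tmp is a poor choice for a cache: a directory under the user's own home (for instance $XDG_CACHE_HOME) or one obtained from tempfile.mkdtemp() removes the shared, predictable location that made the attack possible in the first place.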

Comments (none posted)

tptest: multiple vulnerabilities

Package(s):tptest CVE #(s):CVE-2009-0650 CVE-2009-0659
Created:October 28, 2013 Updated:October 30, 2013
Description: From the CVE entries:

Stack-based buffer overflow in the GetStatsFromLine function in TPTEST 3.1.7 and earlier, and possibly 5.02, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a STATS line with a long pwd field. NOTE: some of these details are obtained from third party information. (CVE-2009-0650)

Stack-based buffer overflow in the GetStatsFromLine function in TPTEST 3.1.7 allows remote attackers to have an unknown impact via a STATS line with a long email field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. (CVE-2009-0659)

Alerts:
Gentoo 201310-16 tptest 2013-10-27

Comments (none posted)

x2goserver: code execution

Package(s):x2goserver CVE #(s):CVE-2013-4376
Created:October 28, 2013 Updated:March 18, 2014
Description: From the Gentoo advisory:

A vulnerability in the setgid wrapper x2gosqlitewrapper.c does not hardcode an internal path to x2gosqlitewrapper.pl, allowing a remote attacker to change that path.

A remote attacker may be able to execute arbitrary code with the privileges of the user running the server process.

Alerts:
Mandriva MDVSA-2014:063 x2goserver 2014-03-17
Mageia MGASA-2014-0111 x2goserver 2014-03-01
Fedora FEDORA-2014-0168 x2goserver 2014-01-13
Fedora FEDORA-2014-0202 x2goserver 2014-01-13
Gentoo 201310-19 x2goserver 2013-10-28

Comments (none posted)

Page editor: Jake Edge


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds