
Security

FreeOTP multi-factor authentication

By Nathan Willis
January 22, 2014

Back in 2010, Google rolled out multi-factor authentication for its services using an open source project named Google Authenticator. The system generated one-time password (OTP) passcodes on a mobile phone; users could log in to their favorite Google service with their usual password plus the passcode. In addition to its availability on Google servers, the open source project included a PAM module that Linux users could run on their own machines. Sadly, Google Authenticator fell victim to the gradual move toward proprietary code of recent "Google Play Services" releases and the open source version was discontinued, without fanfare, in 2013. Fortunately, the community has picked up the challenge and is developing a workalike called FreeOTP.

[Google Authenticator]

As we saw in our look at Google Authenticator, the system consisted of two halves: a mobile application and a server-side authentication plug-in. When provisioned with a key, the mobile app generated either HMAC-based OTP (HOTP) or Time-based OTP (TOTP) passcodes. Since HOTP and TOTP are both open IETF standards, the app could be used with any compliant server and supported storing multiple sets of credentials—the only prerequisite being that the phone would need to be provisioned with the key for each service. The server-side tools included a key-generation program, and the project was popular enough that multiple third-party projects and web services deployed it.

The turn from free software to proprietary software came after the 2.21 release. The notice for the change was posted only as an update to the Google Authenticator web page at Google Code, which was highlighted in this Reddit discussion from May 2013. The wording change noted simply that the subsequent, closed-source versions of the app "contain Google-specific workflows". FreeOTP was started in August 2013; although it includes bits of code from Google Authenticator, it is predominantly a fresh rewrite—albeit one that does its best to serve as a free-software clone of the original.

The new project is hosted at Fedorahosted.org, and is maintained by Red Hat's Nathaniel McCallum. On the mobile side of the equation, it replicates the Android and iOS client apps, but drops the Blackberry variant. As of right now, the iOS app has not yet been published on Apple's app store, but the Android version is available both through Google Play and through the free-software repository F-Droid.

On the server side, so far FreeOTP is not producing any components. Since any standards-compliant HOTP or TOTP server should work with FreeOTP, there is no absolute need for the project to produce its own server-side code. One of the nice things about Google Authenticator and FreeOTP, of course, is that the server and the client do not talk directly to each other: the client app generates the passcode, then the user types it in. Still, this does mean that the HOTP/TOTP Linux PAM module is now unmaintained. Although it is likely to work, that likelihood certainly comes with no guarantees—particularly since system security is at stake.

The FreeOTP project site points users to FreeIPA as a recommended solution. FreeIPA is an identity-management suite offered by Red Hat that glues together several existing open source components to provide LDAP, Kerberos, RADIUS, and other authentication or authorization services. McCallum, unsurprisingly, works on FreeIPA, and has added HOTP/TOTP support to MIT Kerberos. Work is also underway for a standalone HOTP/TOTP implementation in FreeIPA, though it is still under development.

Two-factorization

[FreeOTP]

FreeOTP replicates the same general workflow used in Google Authenticator. The first step is to provision the device with the key necessary to generate the HOTP or TOTP passcodes. How this step is done varies depending on the service one is trying to connect to, but the simplest option (if available) is to photograph a QR code that is generated by the server; these QR codes encode the key as well as the metadata one needs to keep track of the account (e.g., the server and account username).

FreeOTP is not as visually polished, but it does score some points over Google Authenticator by including the ZXing QR code–reading library within the app; Google requires downloading and installing a ZXing app separately. For services that do not generate QR codes for key provisioning, FreeOTP allows the user to manually enter the key, the key's options (e.g., the hash algorithm used) and information for the issuing service.

Once provisioned, opening the app shows a list of the saved accounts, and opening each account reveals the current one-time passcode. TOTP, the time-based passcode variant, is designed so that the codes are only valid for a brief interval of time (say, 30 seconds). The FreeOTP interface displays a little clock animation next to each code showing how much time remains, and automatically updates to the next passcode after every elapsed interval.

[Manual key entry in FreeOTP]

In practice, TOTP seems to be considerably more widespread than HOTP, presumably because HOTP seeds each passcode-generation run with a counter, rather than the current time, which in turn makes the resulting passcode valid for an indefinite length of time. This is of concern for Google Authenticator and FreeOTP because passcodes generated on phones can be compromised—a passcode with an indefinite lifetime allows more attack vectors than one that expires (for example, by jotting down the code and leaving, instead of stealing the phone).
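The provisioning-and-verification round trip described in the preceding paragraphs, as an added example that is not FreeOTP's or Google Authenticator's code: it parses a constructed otpauth:// provisioning URI (the key-URI format these apps read from QR codes, assumed here) into the key and account metadata, generates HOTP (RFC 4226) and TOTP (RFC 6238) passcodes, and shows the server side of both, where a TOTP code stops verifying once its 30-second step has passed or has already been used, while an HOTP code stays valid until the server's counter moves past it. The secret is the one from the RFC test vectors; the label, issuer, URIs and verifier classes are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

# Constructed sample provisioning URIs in the otpauth:// key-URI format (the
# de facto Google Authenticator format, assumed here). Label and issuer are
# made up; the secret parameter is RFC_SECRET encoded in base32.
TOTP_URI = ("otpauth://totp/Example:alice@example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8&period=30")
HOTP_URI = ("otpauth://hotp/Example:alice@example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&counter=0")


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(key, at // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Extract the key and account metadata that a provisioning QR code carries."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("hotp", "totp"):
        raise ValueError("not an otpauth hotp/totp URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    issuer, _, account = unquote(parsed.path.lstrip("/")).rpartition(":")
    secret = params["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # base32 padding is usually omitted in URIs
    return {
        "type": parsed.netloc,
        "issuer": params.get("issuer", issuer),
        "account": account,
        "key": base64.b32decode(secret),
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "counter": int(params.get("counter", 0)),
    }


class TotpVerifier:
    """Server side of TOTP: tolerate +/- skew_steps of clock drift, and never
    accept a time step at or below the one already used for a login."""

    def __init__(self, acct: dict, skew_steps: int = 1):
        self.acct, self.skew, self.last_step = acct, skew_steps, -1

    def verify(self, code: str, now: int) -> bool:
        step = now // self.acct["period"]
        for candidate in range(step - self.skew, step + self.skew + 1):
            expected = hotp(self.acct["key"], candidate, self.acct["digits"], self.acct["algorithm"])
            if candidate > self.last_step and hmac.compare_digest(expected, code):
                self.last_step = candidate
                return True
        return False


class HotpVerifier:
    """Server side of HOTP: a look-ahead window lets a client that burned a few
    unused codes resync; the counter only moves forward, so a code is valid
    indefinitely until it is used or skipped, and never again afterwards."""

    def __init__(self, acct: dict, look_ahead: int = 10):
        self.acct, self.counter, self.look_ahead = acct, acct["counter"], look_ahead

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.look_ahead):
            expected = hotp(self.acct["key"], candidate, self.acct["digits"], self.acct["algorithm"])
            if hmac.compare_digest(expected, code):
                self.counter = candidate + 1
                return True
        return False


if __name__ == "__main__":
    acct = parse_otpauth(TOTP_URI)
    print(acct["issuer"], acct["account"], "current code:",
          totp(acct["key"], int(time.time()), acct["period"], acct["digits"], acct["algorithm"]))
```

The two verifier classes make the article's point concrete: a TOTP code written down at time 59 is useless a few minutes later, while an HOTP code written down at counter 3 still logs in at any later time as long as the server has not yet seen counter 3 or beyond. Both compare codes with `hmac.compare_digest` so that the verification time does not leak how many digits matched.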

But that is not the whole story; using one's Android phone as if it is a hardware crypto-token is a bit of a fudge regardless of the passcode-generation technique. In reality, since a phone can easily be lost or stolen, the only protection against the attacker using it to take over one's HOTP/TOTP online accounts is securing the phone's contents itself: password-protection, encrypted storage, and so on. What percentage of phone users actually take advantage of these options is anyone's guess.

For those who are concerned about the security of the device itself, it is worth noting that neither the Google Authenticator nor FreeOTP apps are password-protected. In an email, McCallum did mention that encrypted key storage is on the to-do list, but that other items (such as getting the iOS app released) have taken precedence for now.

On the other hand, many (or perhaps most) security schemes can lead into a "the perfect is the enemy of the good" cycle of disagreement that has no simple answer. Usage of two-factor authentication, even if the second "factor" is a software-generated passcode on a phone that could get stolen, is an improvement over user passwords alone. Similarly, while FreeOTP does not offer an expanded feature set over Google Authenticator, the fact that it is open source and thus auditable makes it a better option in absolute terms.

The shift of Google Authenticator to a proprietary app was certainly a step backward for the security-conscious, so it is good to see an open-source alternative arrive with feature parity. Of course, the mobile apps only cover one half of the problem; there is more work that remains to be done implementing multi-factor authentication on applications and servers.

Comments (21 posted)

Brief items

Security quotes of the week

To make matters worse, ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome's update service, which sends the adware out to every user of that extension.
Ron Amadeo in ars technica

And it is my considered opinion that the implementation of this process qualifies as idiotic and borderline criminal in terms of gross incompetency.

But then again, we're talking about Network Solutions.

Lauren Weinstein on phishy looking email from Network Solutions

But according to sources, the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS [point-of-sale] software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices.
Brian Krebs looks into the Target data breach

In conclusion, while EncFS is a useful tool, it ignores many standard best-practices in cryptography. This is most likely due to its old age (originally developed before 2005), however, it is still being used today, and needs to be updated.

The EncFS author says that a 2.0 version is being developed. This would be a good time to fix the old problems.

As it is now, EncFS is not suitable for protecting mission-critical data.

Taylor Hornby audits EncFS

Comments (1 posted)

New vulnerabilities

almanah: does not encrypt its database

Package(s):almanah CVE #(s):CVE-2013-1853
Created:January 22, 2014 Updated:January 22, 2014
Description: From the bug report:

It was reported that Almanah does not encrypt its database when it closes, due to GApplication no longer using the quit_main_loop() event since GIO 2.32. This will keep the database unencrypted when it should be encrypted. The upstream bug report has a patch attached which corrects the issue.

Alerts:
openSUSE openSUSE-SU-2014:0118-1 almanah 2014-01-22

Comments (none posted)

augeas: world writable config files

Package(s):augeas CVE #(s):CVE-2013-6412
Created:January 21, 2014 Updated:January 22, 2014
Description: From the Red Hat advisory:

A flaw was found in the way Augeas handled certain umask settings when creating new configuration files. This flaw could result in configuration files being created as world writable, allowing unprivileged local users to modify their content.

Alerts:
Mandriva MDVSA-2014:022 augeas 2014-01-24
Scientific Linux SLSA-2014:0044-1 augeas 2014-01-21
Oracle ELSA-2014-0044 augeas 2014-01-20
CentOS CESA-2014:0044 augeas 2014-01-20
Red Hat RHSA-2014:0044-01 augeas 2014-01-20
Mageia MGASA-2014-0058 augeas 2014-02-12

Comments (none posted)

cups: information disclosure

Package(s):cups CVE #(s):CVE-2013-6891
Created:January 16, 2014 Updated:January 22, 2014
Description: From the Ubuntu advisory:

Jann Horn discovered that the CUPS lppasswd tool incorrectly read a user configuration file in certain configurations. A local attacker could use this to read sensitive information from certain files, bypassing access restrictions.

Alerts:
Mandriva MDVSA-2014:092 cups 2014-05-16
Mandriva MDVSA-2014:015 cups 2014-01-22
Mageia MGASA-2014-0021 cups 2014-01-21
Ubuntu USN-2082-1 cups 2014-01-15

Comments (none posted)

cups: cups.socket is listening on 0.0.0.0

Package(s):cups CVE #(s):
Created:January 22, 2014 Updated:January 22, 2014
Description: From the bug report:

default suse cups setup was always set that cupsd was listening on localhost:631 .. in suse 13.1 systemd creates for cups sockets (and whatever else) and cupsd is started just when something accesses these sockets or listening "init" service as it is recognized by netstat .. now systemd listens on both tcp/udp 0.0.0.0/:::1 which seems wrong to me ..

Alerts:
openSUSE openSUSE-SU-2014:0119-1 cups 2014-01-22

Comments (none posted)

drupal7: multiple vulnerabilities

Package(s):drupal7 CVE #(s):CVE-2014-1475 CVE-2014-1476
Created:January 21, 2014 Updated:February 17, 2014
Description: From the Debian advisory:

CVE-2014-1475: Christian Mainka and Vladislav Mladenov reported a vulnerability in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.

CVE-2014-1476: Matt Vance and Damien Tournoud reported an access bypass vulnerability in the taxonomy module. Under certain circumstances, unpublished content can appear on listing pages provided by the taxonomy module and will be visible to users who should not have permission to see it.

Alerts:
Mageia MGASA-2014-0031 drupal 2014-01-31
Fedora FEDORA-2014-0980 drupal6 2014-01-25
Fedora FEDORA-2014-0999 drupal6 2014-01-25
Fedora FEDORA-2014-0983 drupal7 2014-01-25
Fedora FEDORA-2014-1015 drupal7 2014-01-25
Debian DSA-2847-1 drupal7 2014-01-20
Mandriva MDVSA-2014:031 drupal 2014-02-14
Debian DSA-2851-1 drupal6 2014-02-02

Comments (none posted)

drupal7-entity: multiple vulnerabilities

Package(s):drupal7-entity CVE #(s):CVE-2014-1398 CVE-2014-1399 CVE-2014-1400
Created:January 20, 2014 Updated:January 22, 2014
Description: From the Red Hat bugzilla:

The entity module for Drupal was recently reported to be affected by multiple access bypass vulnerabilities, which could be exploited by an attacker to gain unauthorized access to the data.

See the Drupal advisory for more information.

Alerts:
Fedora FEDORA-2014-0508 drupal7-entity 2014-01-19
Fedora FEDORA-2014-0509 drupal7-entity 2014-01-19

Comments (none posted)

ejabberd: information disclosure

Package(s):ejabberd CVE #(s):CVE-2013-6169
Created:January 17, 2014 Updated:February 13, 2014
Description:

From the CVE entry:

The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) weak SSL ciphers, which makes it easier for remote attackers to obtain sensitive information via a brute-force attack.

Alerts:
Debian DSA-2775-1 ejabberd 2013-10-10
Mandriva MDVSA-2014:005 ejabberd 2014-01-16
Mageia MGASA-2014-0057 ejabberd 2014-02-12

Comments (none posted)

hplip: file overwrites

Package(s):hplip CVE #(s):CVE-2013-6402
Created:January 21, 2014 Updated:January 28, 2014
Description: From the Ubuntu advisory:

It was discovered that the HPLIP Polkit daemon incorrectly handled temporary files. A local attacker could possibly use this issue to overwrite arbitrary files. In the default installation of Ubuntu 12.04 LTS and higher, this should be prevented by the Yama link restrictions.

Alerts:
openSUSE openSUSE-SU-2014:0146-1 hplip 2014-01-28
openSUSE openSUSE-SU-2014:0127-1 hplip 2014-01-24
Mandriva MDVSA-2014:023 hplip 2014-01-24
Ubuntu USN-2085-1 hplip 2014-01-21
Mageia MGASA-2014-0033 hplip 2014-02-05

Comments (none posted)

java-1.7.0: multiple unspecified vulnerabilities

Package(s):java-1.7.0-oracle CVE #(s):CVE-2013-5870 CVE-2013-5887 CVE-2013-5888 CVE-2013-5889 CVE-2013-5895 CVE-2013-5898 CVE-2013-5899 CVE-2013-5902 CVE-2013-5904 CVE-2013-5905 CVE-2013-5906 CVE-2014-0375 CVE-2014-0382 CVE-2014-0387 CVE-2014-0403 CVE-2014-0410 CVE-2014-0415 CVE-2014-0417 CVE-2014-0418 CVE-2014-0424
Created:January 16, 2014 Updated:April 17, 2014
Description:

From the Red Hat advisory:

Bug - CVE-2014-0410 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)

Bug - CVE-2014-0415 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)

Bug - CVE-2013-5889 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)

Bug - CVE-2014-0417 Oracle JDK: unspecified vulnerability fixed in 5.0u71, 6u71 and 7u51 (2D)

Bug - CVE-2014-0387 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)

Bug - CVE-2014-0424 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)

Bug - CVE-2013-5904 Oracle JDK: unspecified vulnerability fixed in 7u51 (Deployment)

Bug - CVE-2014-0403 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)

Bug - CVE-2014-0375 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)

Bug - CVE-2013-5905 Oracle JDK: unspecified vulnerability fixed in 5.0u71, 6u71 and 7u51 (Install)

Bug - CVE-2013-5906 Oracle JDK: unspecified vulnerability fixed in 5.0u71, 6u71 and 7u51 (Install)

Bug - CVE-2013-5902 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)

Bug - CVE-2014-0418 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)

Bug - CVE-2013-5887 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)

Bug - CVE-2013-5899 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)

Bug - CVE-2013-5888 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)

Bug - CVE-2013-5898 Oracle JDK: unspecified vulnerability fixed in 6u71 and 7u51 (Deployment)

Bug - CVE-2013-5870 CVE-2013-5895 CVE-2014-0382 Oracle JDK: multiple unspecified vulnerabilities fixed in 7u51 (JavaFX)

Alerts:
Red Hat RHSA-2014:0414-01 java-1.6.0-sun 2014-04-17
SUSE SUSE-SU-2014:0451-1 IBM Java 6 2014-03-26
SUSE SUSE-SU-2014:0266-3 IBM Java 6 2014-02-24
SUSE SUSE-SU-2014:0266-1 IBM Java 6 2014-02-20
SUSE SUSE-SU-2014:0266-2 IBM Java 6 2014-02-21
SUSE SUSE-SU-2014:0246-1 IBM Java 2014-02-18
Red Hat RHSA-2014:0135-01 java-1.6.0-ibm 2014-02-04
Gentoo 201401-30 oracle-jdk-bin 2014-01-26
Fedora FEDORA-2014-0945 java-1.7.0-openjdk 2014-01-16
Fedora FEDORA-2014-0885 java-1.7.0-openjdk 2014-01-16
Red Hat RHSA-2014:0030-01 java-1.7.0-oracle 2014-01-15
Red Hat RHSA-2014:0136-01 java-1.5.0-ibm 2014-02-04
Red Hat RHSA-2014:0134-01 java-1.7.0-ibm 2014-02-04

Comments (none posted)

libpng16: denial of service

Package(s):libpng16 CVE #(s):CVE-2013-6954
Created:January 20, 2014 Updated:June 10, 2014
Description: From the CVE entry:

The png_do_expand_palette function in libpng before 1.6.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette, related to pngrtran.c and pngset.c.

Alerts:
Mandriva MDVSA-2015:071 libpng12 2015-03-27
openSUSE openSUSE-SU-2014:1645-1 java-1_7_0-openjdk 2014-12-15
openSUSE openSUSE-SU-2014:1638-1 java-1_7_0-openjdk 2014-12-15
Gentoo 201406-32 icedtea-bin 2014-06-29
Fedora FEDORA-2014-6717 libpng 2014-06-10
SUSE SUSE-SU-2014:0733-2 IBM Java 7 2014-06-02
SUSE SUSE-SU-2014:0728-3 IBM Java 6 2014-06-03
SUSE SUSE-SU-2014:0733-1 IBM Java 7 2014-05-30
SUSE SUSE-SU-2014:0728-2 IBM Java 6 2014-05-30
SUSE SUSE-SU-2014:0728-1 IBM Java 6 2014-05-29
Fedora FEDORA-2014-6631 libpng 2014-05-28
Red Hat RHSA-2014:0508-01 java-1.6.0-ibm 2014-05-15
SUSE SUSE-SU-2014:0639-1 OpenJDK 2014-05-14
Red Hat RHSA-2014:0486-01 java-1.7.0-ibm 2014-05-13
Debian DSA-2923-1 openjdk-7 2014-05-05
Red Hat RHSA-2014:0412-01 java-1.7.0-oracle 2014-04-17
Red Hat RHSA-2014:0413-02 java-1.7.0-oracle 2014-04-17
Red Hat RHSA-2014:0414-01 java-1.6.0-sun 2014-04-17
Fedora FEDORA-2014-4564 mingw-libpng 2014-04-02
openSUSE openSUSE-SU-2014:0100-1 libpng16 2014-01-20
Mageia MGASA-2014-0076 libpng12 2014-02-16
Fedora FEDORA-2014-1803 libpng15 2014-02-11
Fedora FEDORA-2014-1754 libpng10 2014-02-07
Mandriva MDVSA-2014:035 libpng 2014-02-17
Fedora FEDORA-2014-1766 libpng12 2014-02-11
Fedora FEDORA-2014-1770 libpng12 2014-02-11
Mageia MGASA-2014-0075 libpng 2014-02-16
Fedora FEDORA-2014-1778 libpng10 2014-02-07

Comments (none posted)

libvirt: denial of service

Package(s):libvirt CVE #(s):CVE-2013-6458 CVE-2014-1447
Created:January 20, 2014 Updated:February 24, 2014
Description: From the Debian advisory:

CVE-2013-6458: It was discovered that insecure job usage could lead to denial of service against libvirtd.

CVE-2014-1447: It was discovered that a race condition in keepalive handling could lead to denial of service against libvirtd.

Alerts:
Gentoo 201412-04 libvirt 2014-12-09
openSUSE openSUSE-SU-2014:0270-1 libvirt 2014-02-21
openSUSE openSUSE-SU-2014:0268-1 libvirt 2014-02-21
Ubuntu USN-2093-1 libvirt 2014-01-30
Scientific Linux SLSA-2014:0103-1 libvirt 2014-01-28
Oracle ELSA-2014-0103 libvirt 2014-01-28
CentOS CESA-2014:0103 libvirt 2014-01-29
Red Hat RHSA-2014:0103-01 libvirt 2014-01-28
Fedora FEDORA-2014-1090 libvirt 2014-01-26
CentOS CESA-2014:X001 libvirt 2014-01-25
Fedora FEDORA-2014-1042 libvirt 2014-01-21
Debian DSA-2846-1 libvirt 2014-01-17
Mageia MGASA-2014-0051 libvirt 2014-02-11

Comments (none posted)

libxslt: denial of service

Package(s):libxslt CVE #(s):CVE-2013-4520
Created:January 17, 2014 Updated:January 22, 2014
Description:

From the CVE entry:

xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a denial of service (crash) via a stylesheet that embeds a DTD, which causes a structure to be accessed as a different type. NOTE: this issue is due to an incomplete fix for CVE-2012-2825.

Alerts:
Mandriva MDVSA-2014:006 libxslt 2014-01-16

Comments (none posted)

memcached: multiple vulnerabilities

Package(s):memcached CVE #(s):CVE-2013-7290 CVE-2013-7291
Created:January 17, 2014 Updated:February 3, 2014
Description:

From the Mandriva advisory:

The do_item_get function in items.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (segmentation fault) via a request to delete a key, which does not account for the lack of a null terminator in the key and triggers a buffer over-read when printing to stderr, a different vulnerability than CVE-2013-0179 (CVE-2013-7290).

memcached before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (crash) via a request that triggers an unbounded key print during logging, related to an issue that was quickly grepped out of the source tree, a different vulnerability than CVE-2013-0179 and CVE-2013-7290 (CVE-2013-7291).

Alerts:
Debian-LTS DLA-701-1 memcached 2016-11-05
openSUSE openSUSE-SU-2014:0951-1 memcached 2014-07-30
openSUSE openSUSE-SU-2014:0867-1 memcached 2014-07-03
Gentoo 201406-13 memcached 2014-06-14
Mageia MGASA-2014-0018 memcached 2014-01-21
Mandriva MDVSA-2014:010 memcached 2014-01-17
Fedora FEDORA-2014-0934 memcached 2014-02-03
Fedora FEDORA-2014-0926 memcached 2014-02-03

Comments (none posted)

mysql: two unspecified vulnerabilities

Package(s):mysql-5.5, mysql-dfsg-5.1 CVE #(s):CVE-2013-5891 CVE-2014-0420
Created:January 21, 2014 Updated:June 9, 2014
Description: From the CVE entries:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.33 and earlier and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition. (CVE-2013-5891)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.34 and earlier, and 5.6.14 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Replication. (CVE-2014-0420)

Alerts:
Mandriva MDVSA-2015:091 mariadb 2015-03-28
Gentoo 201409-04 mysql 2014-09-04
SUSE SUSE-SU-2014:0769-1 MySQL 2014-06-07
CentOS CESA-2014:0189 mariadb55-mariadb 2014-02-26
CentOS CESA-2014:0173 mysql55-mysql 2014-02-19
Red Hat RHSA-2014:0189-01 mariadb55-mariadb 2014-02-19
Scientific Linux SLSA-2014:0186-1 mysql55-mysql 2014-02-18
Oracle ELSA-2014-0186 mysql55-mysql 2014-02-18
CentOS CESA-2014:0186 mysql55-mysql 2014-02-19
Red Hat RHSA-2014:0186-01 mysql55-mysql 2014-02-18
Debian DSA-2848-1 mysql-5.5 2014-01-23
Ubuntu USN-2086-1 mysql-5.5, mysql-dfsg-5.1 2014-01-21
Mandriva MDVSA-2014:028 mariadb 2014-02-13
Red Hat RHSA-2014:0173-01 mysql55-mysql 2014-02-13

Comments (none posted)

mysql: multiple unspecified vulnerabilities

Package(s):mysql-5.1 CVE #(s):CVE-2013-5908 CVE-2014-0386 CVE-2014-0393 CVE-2014-0401 CVE-2014-0402 CVE-2014-0412 CVE-2014-0437
Created:January 20, 2014 Updated:June 9, 2014
Description: From the CVE entries:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote attackers to affect availability via unknown vectors related to Error Handling. (CVE-2013-5908)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2014-0386)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect integrity via unknown vectors related to InnoDB. (CVE-2014-0393)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors. (CVE-2014-0401)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.71 and earlier, 5.5.33 and earlier, and 5.6.13 and earlier allows remote authenticated users to affect availability via unknown vectors related to Locking. (CVE-2014-0402)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB. (CVE-2014-0412)

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.72 and earlier, 5.5.34 and earlier, and 5.6.14 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2014-0437)

Alerts:
Mandriva MDVSA-2015:091 mariadb 2015-03-28
Gentoo 201409-04 mysql 2014-09-04
SUSE SUSE-SU-2014:0769-1 MySQL 2014-06-07
CentOS CESA-2014:0189 mariadb55-mariadb 2014-02-26
CentOS CESA-2014:0173 mysql55-mysql 2014-02-19
Red Hat RHSA-2014:0189-01 mariadb55-mariadb 2014-02-19
Scientific Linux SLSA-2014:0186-1 mysql55-mysql 2014-02-18
Oracle ELSA-2014-0186 mysql55-mysql 2014-02-18
CentOS CESA-2014:0186 mysql55-mysql 2014-02-19
Red Hat RHSA-2014:0186-01 mysql55-mysql 2014-02-18
Debian DSA-2848-1 mysql-5.5 2014-01-23
Ubuntu USN-2086-1 mysql-5.5, mysql-dfsg-5.1 2014-01-21
Debian DSA-2845-1 mysql-5.1 2014-01-17
Mandriva MDVSA-2014:028 mariadb 2014-02-13
CentOS CESA-2014:0164 mysql 2014-02-12
Red Hat RHSA-2014:0173-01 mysql55-mysql 2014-02-13
Scientific Linux SLSA-2014:0164-1 mysql 2014-02-12
Oracle ELSA-2014-0164 mysql 2014-02-12
Red Hat RHSA-2014:0164-01 mysql 2014-02-12

Comments (none posted)

nagios: denial of service

Package(s):nagios CVE #(s):CVE-2013-7205
Created:January 17, 2014 Updated:January 22, 2014
Description:

From the CVE entry:

Off-by-one error in the process_cgivars function in contrib/daemonchk.c in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list, which triggers a heap-based buffer over-read.

Alerts:
Gentoo 201412-23 nagios-core 2014-12-13
Mandriva MDVSA-2014:004 nagios 2014-01-16
Mageia MGASA-2014-0010 nagios 2014-01-17

Comments (none posted)

nss: information disclosure

Package(s):nss CVE #(s):CVE-2013-1740
Created:January 21, 2014 Updated:February 4, 2014
Description: From the Red Hat bugzilla:

A security issue has been reported in NSS, which can be exploited by a malicious user to disclose certain information.

The issue arises due to an error within the "ssl_Do1stHandshake()" function in lib/ssl/sslsecur.c, which can be exploited to potentially return unencrypted and unauthenticated data from PR_Recv. Successful exploitation requires false start to be enabled.

The issue is said to be fixed in NSS 3.15.4.

Alerts:
Oracle ELSA-2014-1948 nss 2014-12-02
CentOS CESA-2014:1246 nss, nspr 2014-09-30
Scientific Linux SLSA-2014:1246-1 nss and nspr 2014-09-26
Oracle ELSA-2014-1246 nss, nspr 2014-09-17
Red Hat RHSA-2014:1246-01 nss, nspr 2014-09-16
Scientific Linux SLSA-2014:0917-1 nss and nspr 2014-07-22
Oracle ELSA-2014-0917 nss, nspr 2014-07-22
Red Hat RHSA-2014:0917-01 nss, nspr 2014-07-22
Fedora FEDORA-2014-1100 nss-util 2014-02-04
Slackware SSA:2014-028-02 mozilla-nss 2014-01-28
Fedora FEDORA-2014-1100 nss-softokn 2014-02-04
Ubuntu USN-2088-1 nss 2014-01-23
Mandriva MDVSA-2014:012 nss 2014-01-20
Mageia MGASA-2014-0024 nss 2014-01-21
Fedora FEDORA-2014-1120 nss-util 2014-01-21
Fedora FEDORA-2014-1120 nss-softokn 2014-01-21
Fedora FEDORA-2014-1120 nss 2014-01-21
Fedora FEDORA-2014-1100 nss 2014-02-04
openSUSE openSUSE-SU-2014:0212-1 firefox 2014-02-08
openSUSE openSUSE-SU-2014:0213-1 Mozilla 2014-02-08

Comments (none posted)

ntp: denial of service

Package(s):ntp CVE #(s):CVE-2013-5211
Created:January 17, 2014 Updated:September 13, 2016
Description:

From the CVE entry:

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.

Alerts:
Oracle ELSA-2016-3613 ntp 2016-09-12
Oracle ELSA-2016-3612 ntp 2016-09-12
Oracle ELSA-2017-0252 ntp 2017-02-06
openSUSE openSUSE-SU-2014:1149-1 ntp 2014-09-20
openSUSE openSUSE-SU-2014:0949-1 ntp 2014-07-30
Mageia MGASA-2014-0032 ntp 2014-01-31
SUSE SUSE-SA:2014:001 ntp 2014-01-20
Gentoo 201401-08 ntp 2014-01-17
Slackware SSA:2014-044-02 ntp 2014-02-13

Comments (none posted)

rubygem-will_paginate: cross-site scripting

Package(s):rubygem-will_paginate CVE #(s):CVE-2013-6459
Created:January 21, 2014 Updated:February 12, 2014
Description: From the CVE entry:

Cross-site scripting (XSS) vulnerability in the will_paginate gem before 3.0.5 for Ruby allows remote attackers to inject arbitrary web script or HTML via vectors involving generated pagination links.

Alerts:
Fedora FEDORA-2014-0066 rubygem-will_paginate 2014-01-21
Fedora FEDORA-2014-0094 rubygem-will_paginate 2014-01-21
Mageia MGASA-2014-0054 ruby-will_paginate 2014-02-11

Comments (none posted)

virtualbox: multiple unspecified vulnerabilities

Package(s):virtualbox CVE #(s):CVE-2013-5892 CVE-2014-0404 CVE-2014-0405 CVE-2014-0406 CVE-2014-0407
Created:January 20, 2014 Updated:January 22, 2014
Description: From the CVE entries:

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.22, and 4.3.6 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core. (CVE-2013-5892)

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.4 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-0406. (CVE-2014-0404)

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.4 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core. (CVE-2014-0405)

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.4 allows local users to affect integrity and availability via unknown vectors related to Core, a different vulnerability than CVE-2014-0404. (CVE-2014-0406)

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, and 4.3.4 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core. (CVE-2014-0407)

Alerts:
Mageia MGASA-2014-0184 virtualbox 2014-04-20
Debian DSA-2878-1 virtualbox 2014-03-13
Gentoo 201401-13 virtualbox 2014-01-20

Comments (none posted)

zabbix: SQL injection

Package(s):zabbix CVE #(s):CVE-2013-5743
Created:January 21, 2014 Updated:January 22, 2014
Description: From the Mageia advisory:

Fix SQL injection vulnerability (ZBX-7091)

Alerts:
Fedora FEDORA-2014-5551 zabbix 2014-05-01
Mageia MGASA-2014-0015 zabbix 2014-01-21

Comments (none posted)

Page editor: Jake Edge


Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds