
Security

Decentralized storage with Camlistore

By Nathan Willis
April 23, 2014

Reducing reliance on proprietary web services has been a major target of free-software developers for years now. But it has taken on increased importance in the wake of Edward Snowden's disclosures about service providers cooperating with government mass-surveillance programs—not to mention the vulnerability that many providers have to surveillance techniques whether they cooperate or not. While some projects (such as Mailpile, ownCloud, or Diaspora) set out to create a full-blown service that users can be in complete control of, others, such as the Tahoe Least-Authority Filesystem, focus on more general functionality like decentralized data storage. Camlistore is a relative newcomer to the space; like Tahoe-LAFS it implements a storage system, but its creators are particularly interested in its use as a storage layer for blogs, content-management systems (CMSes), filesharing, and other web services.

Camlistore is a content-addressable storage (CAS) system with an emphasis on decentralized data storage. Specifically, the rationale for the project notes that it should be usable on a variety of storage back-ends, including Amazon's S3, local disk, Google Drive, or even mobile devices, with full replication of content between different locations.

Content addressability means that objects can be stored without assigning them explicit file names or placing them in a directory hierarchy. Instead, the "identity" of each object is a hash or digest calculated over the content of the object itself; subsequent references to the object are made by looking up the object's digest—where it is stored is irrelevant. As the rationale document notes, this property is a perfect fit for a good many objects used in web services today: photos, blog comments, bookmarks, "likes," and so on. These objects are increasingly created in large numbers, and rarely does a file name or storage location come into play. Rather, they are accessed through a search interface or a visual browsing feature.

The Camlistore project produces both an implementation of such a decentralized storage system and a schema for representing various types of content. The schema would primarily be of interest to those wishing to use Camlistore as a storage layer for other applications.

The project's most recent release is version 0.7, from February 27. The storage server (with several available back-ends) is included in the release, as are a web-based interface, a Filesystem in Userspace (FUSE) module for accessing Camlistore as a filesystem, several tools for interoperating with existing web services, and mobile clients for Android and iOS.

The architecture of a Camlistore repository includes storage nodes (referred to by the charming name "blob servers") and indexing/search nodes, which index uploaded items by their digests and provide a basic search interface. The various front-end applications (including the mobile and web interfaces) handle both connecting to a blob server for object upload and retrieval and connecting to a search server for finding objects.

There can be several blob servers that fully synchronize with one another by automatically mirroring all data; the existing implementations can use hard disk storage or any of several online storage services. At the blob-server level, the only items that are tracked are blobs: immutable byte sequences that are uploaded to the service. Each blob is indexed by its digest (also called a blobref); Camlistore supports SHA1, MD5, and SHA256 as digest functions. Blobs themselves are encrypted (currently with AES-128, although other ciphers may be added in the future).

Semantically speaking, a blob does not contain any metadata—it is just a bunch of bytes. Metadata is attached to a blob by associating the blob with a data type from the schema, then cryptographically signing the result. Subsequently, an application can alter the attributes of a blob by creating a new signed schema blob (called a "claim"). For any blob, then, all of the claims on it are saved in the data store and can be replayed or backed up at will. That way, stored objects are mutable, but the changes to them are non-destructive. The current state of an object is the result of applying all of the claims associated with the blob, in the order of their timestamps.

This storage architecture allows for, potentially, a wide variety of front-end clients. Index servers already exist that use SQLite, LevelDB, MySQL, PostgreSQL, MongoDB, and Google App Engine's data store to manage the indexed blobs. Since an index server is logically separate from the blob servers that it indexes, it is possible to run an index on a portable device that sports little built-in storage, and still be able to transparently access all of the content maintained in the remote storage locations. In addition, Camlistore has the concept of a "graph sync," in which only a subset of the total blob storage is synchronized to a particular device. While full synchronization is useful to preserve the data in the event that a web service like Amazon S3 unexpectedly becomes unreachable, there are certainly many scenarios when it makes sense to keep only some of the data on hand.

As far as using the blob storage is concerned, at present Camlistore only implements two models: the basic storage/search/retrieval approach one would use to manage the entire collection, and directly sharing a particular item with another user. By default, each Camlistore server is private to a single user; users can share an object by generating a signed assertion that another user is permitted to access the object. This signed assertion is just one more type of claim for the underlying blob in the database. Several user-authentication options are supported, but for now the recipient of the share needs to have an account on the originating Camlistore system.
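The storage model described above, as an added example that is not code from the Camlistore project: a toy content-addressable blob store in Go (Camlistore's own language) whose blobrefs are SHA-1 digests of the content, plus signed, timestamped claims that are replayed to compute an object's current attributes. Camlistore signs claims with GPG keys; this example substitutes ed25519 from Go's standard library. The claim field names, the `set-attribute`/`del-attribute` operations and the sample photo bytes are constructed for the example and are not Camlistore's real schema.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// blobRef names a blob by the digest of its bytes ("sha1-<hex>", as in the article).
// SHA-1 is kept only to match the article; a new design should use SHA-256.
func blobRef(data []byte) string {
	sum := sha1.Sum(data)
	return "sha1-" + hex.EncodeToString(sum[:])
}

// blobServer is a toy store of immutable byte sequences keyed by blobref.
type blobServer struct{ blobs map[string][]byte }

// Put stores a copy of data; identical content always yields the same ref.
func (s *blobServer) Put(data []byte) string {
	ref := blobRef(data)
	s.blobs[ref] = append([]byte(nil), data...)
	return ref
}

// Get re-hashes the stored bytes so a corrupted blob is reported, not returned.
func (s *blobServer) Get(ref string) ([]byte, error) {
	data, ok := s.blobs[ref]
	if !ok || blobRef(data) != ref {
		return nil, errors.New("missing or corrupted blob: " + ref)
	}
	return data, nil
}

// claim sets or deletes one attribute of a target blob (illustrative field names, not Camlistore's schema).
type claim struct {
	Target    string `json:"target"`
	Op        string `json:"op"` // "set-attribute" or "del-attribute"
	Attr      string `json:"attr"`
	Value     string `json:"value"`
	Timestamp int64  `json:"timestamp"`
	Signer    string `json:"signer"` // blobref of the signer's public-key blob
}

// signedClaim carries the serialised claim and a signature over exactly those bytes.
type signedClaim struct{ Body, Sig []byte }

// signClaim uses ed25519 as a stand-in for the GPG signing Camlistore uses (assumption).
func signClaim(c claim, priv ed25519.PrivateKey) []byte {
	body, _ := json.Marshal(c) // cannot fail for a struct of strings and ints
	raw, _ := json.Marshal(signedClaim{body, ed25519.Sign(priv, body)})
	return raw
}

// verifyClaim decodes a claim blob and checks its signature against the public-key
// blob it names; non-claim blobs and bad signatures yield an error.
func verifyClaim(s *blobServer, raw []byte) (c claim, err error) {
	var sc signedClaim
	if err = json.Unmarshal(raw, &sc); err != nil {
		return
	}
	if err = json.Unmarshal(sc.Body, &c); err != nil {
		return
	}
	pub, err := s.Get(c.Signer)
	if err == nil && (len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, sc.Body, sc.Sig)) {
		err = errors.New("claim signature does not verify")
	}
	return
}

// currentState replays every valid claim on target in timestamp order; claims that
// fail verification are skipped, so a forged entry never changes the result.
func currentState(s *blobServer, target string) map[string]string {
	var claims []claim
	for _, raw := range s.blobs {
		if c, err := verifyClaim(s, raw); err == nil && c.Target == target {
			claims = append(claims, c)
		}
	}
	sort.Slice(claims, func(i, j int) bool { return claims[i].Timestamp < claims[j].Timestamp })
	attrs := map[string]string{}
	for _, c := range claims {
		if c.Op == "del-attribute" {
			delete(attrs, c.Attr)
		} else if c.Op == "set-attribute" {
			attrs[c.Attr] = c.Value
		}
	}
	return attrs
}

func main() {
	store := &blobServer{blobs: map[string][]byte{}}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	signer := store.Put(pub)                                       // the signer's public key is itself a blob
	photo := store.Put([]byte("constructed sample photo bytes")) // constructed input
	store.Put(signClaim(claim{photo, "set-attribute", "title", "Beach", 1, signer}, priv))
	store.Put(signClaim(claim{photo, "set-attribute", "title", "Beach, 2014", 2, signer}, priv))
	fmt.Println(photo, currentState(store, photo)) // the later claim wins: title is "Beach, 2014"
}
```

Two points worth checking in any store built this way: `Get` re-hashes the stored bytes, so a blob server that has been tampered with cannot hand back altered content under the original blobref, and `currentState` discards every claim whose signature does not verify against the public-key blob it names before replaying the rest in timestamp order, which is what lets a share assertion or a metadata change be trusted only from the key that signed it.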

It may be a while before Camlistore is capable of serving as a storage layer for a blog, photo-hosting site, or other web service, but when it is ready, it will bring some interesting security properties with it. As mentioned, all claims on items in the database are signed—using GPG keys. That not only allows for verification of important operations (like altering the metadata of a blob), but it means it would be possible to perform identity checks for common operations like leaving comments. Camlistore does have some significant competition from other decentralized storage projects, Tahoe-LAFS included, but it will be an interesting project to watch.


Brief items

Security quotes of the week

This time I set the country code correctly, rebooted and now I can actually watch Monkey Dust again. Hurrah! But, at the same time, concerning. This software has been written without any concern for security, and it listens on the network by default. If it took me this little time to find two entirely independent ways to run arbitrary code on the device, it doesn't seem like a stretch to believe that there are probably other vulnerabilities that can be exploited with less need for physical access.

The depressing part of this is that there's no reason to believe that Panasonic are especially bad here - especially since a large number of vendors are shipping much the same Mediatek code, and so probably have similar (if not identical) issues. The future is made up of network-connected appliances that are using your electricity to mine somebody else's Dogecoin. Our nightmarish dystopia may be stranger than expected.

Matthew Garrett pokes at his Panasonic BDT-230

I returned home Monday night and wanted nothing more than to take a shower, but my bathroom was flooded with water from a broken water heater from an apartment above. I had nothing better to do while waiting for maintenance than poke around with malloc.conf. If it hadn’t been for that, I probably never would have bothered. So there you have it, a broken water heater is the true cause of the libressl fork.
Ted Unangst (Thanks to Cesar Eduardo Barros.)

Heartbleed is getting its fifteen minutes of fame, but what may matter most is that so much of what is being deployed now is in the embedded systems space — network-capable microcontrollers inside everything that has a power cord or a fuel tank. No one watches these and they are treated as if immortal. They have no remote management capability. There is not even a guarantee that their maker knows with precision what went into any one of them after the model year is over. The option suggested by the honeymoon effect is thus impossible, so the longer lived the devices really are, the surer it will be that they will be hijacked within their lifetime. Their manufacturers may die before they do, a kind of unwanted legacy much akin to space junk and Superfund sites.
Dan Geer


OpenSSL code beyond repair, claims creator of “LibreSSL” fork (Ars Technica)

Ars Technica takes a look at the LibreSSL fork of OpenSSL created by the OpenBSD project. "The decision to fork OpenSSL is bound to be controversial given that OpenSSL powers hundreds of thousands of Web servers. When asked why he wanted to start over instead of helping to make OpenSSL better, de Raadt said the existing code is too much of a mess. "Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers," de Raadt told Ars in an e-mail. "The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap. I did not make this decision... in our larger development group, it made itself.""


New vulnerabilities

cacti: multiple vulnerabilities

Package(s): cacti
CVE #(s): CVE-2014-2708 CVE-2014-2709 CVE-2014-2326 CVE-2014-2328 CVE-2014-2327
Created: April 17, 2014
Updated: June 30, 2014
Description: From the Red Hat bugzilla entries [1, 2]:

CVE-2014-2708 is for the SQL injection issues in graph_xport.php.

CVE-2014-2709 is for the shell escaping issues in lib/rrd.php

A posting to bugtraq from Deutsche Telekom noted multiple flaws in Cacti 0.8.7g:

CVE-2014-2326: stored XSS "The Cacti application is susceptible to stored XSS attacks. This is mainly the result of improper output encoding."

CVE-2014-2327: missing CSRF token "The Cacti application does not implement any CSRF tokens. More about CSRF attacks, risks and mitigations see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF). This attack has a vast impact on the security of the Cacti application, as multiple configuration parameters can be changed using a CSRF attack. One very critical attack vector is the modification of several binary files in the Cacti configuration, which may then be executed on the server. This results in full compromise of the Cacti host by just clicking a web link. A proof of concept exploit has been developed, which allows this attack, resulting in full (system level) access of the Cacti system. Further attack scenarios include the modification of the Cacti configuration and adding arbitrary (admin) users to the application."

CVE-2014-2328: use of exec-like function calls without safety checks allows arbitrary command execution "Cacti makes use of exec-like method PHP function calls, which execute command shell code without any safety checks in place. In combination with a CSRF weakness this can be triggered without the knowledge of the Cacti user. Also, for more elaborate attacks, this can be combined with a XSS attack. Such an attack will result in full system (Cacti host) access without any interaction or knowledge of the Cacti admin."

Alerts:
Gentoo 201509-03 cacti 2015-09-24
openSUSE openSUSE-SU-2015:0479-1 cacti 2015-03-11
Mageia MGASA-2014-0302 cacti 2014-07-26
Debian DSA-2970-1 cacti 2014-06-29
openSUSE openSUSE-SU-2014:0600-1 cacti 2014-05-02
Fedora FEDORA-2014-4928 cacti 2014-04-17
Fedora FEDORA-2014-4892 cacti 2014-04-17


java: three unspecified vulnerabilities

Package(s): java-1.7.0-oracle
CVE #(s): CVE-2014-0432 CVE-2014-0448 CVE-2014-2422
Created: April 17, 2014
Updated: May 14, 2014
Description: Yet again more unspecified Java vulnerabilities.
Alerts:
Gentoo 201502-12 oracle-jre-bin 2015-02-15
SUSE SUSE-SU-2014:0733-2 IBM Java 7 2014-06-02
SUSE SUSE-SU-2014:0733-1 IBM Java 7 2014-05-30
Red Hat RHSA-2014:0486-01 java-1.7.0-ibm 2014-05-13
Red Hat RHSA-2014:0412-01 java-1.7.0-oracle 2014-04-17
Red Hat RHSA-2014:0413-02 java-1.7.0-oracle 2014-04-17


java: multiple unspecified vulnerabilities

Package(s): java-1.6.0-sun
CVE #(s): CVE-2014-0449 CVE-2014-2401 CVE-2014-2409 CVE-2014-2420 CVE-2014-2428
Created: April 17, 2014
Updated: June 3, 2014
Description: More in a long series of unspecified Java vulnerabilities.
Alerts:
Gentoo 201502-12 oracle-jre-bin 2015-02-15
SUSE SUSE-SU-2014:0733-2 IBM Java 7 2014-06-02
SUSE SUSE-SU-2014:0728-3 IBM Java 6 2014-06-03
SUSE SUSE-SU-2014:0733-1 IBM Java 7 2014-05-30
SUSE SUSE-SU-2014:0728-2 IBM Java 6 2014-05-30
SUSE SUSE-SU-2014:0728-1 IBM Java 6 2014-05-29
Red Hat RHSA-2014:0508-01 java-1.6.0-ibm 2014-05-15
Red Hat RHSA-2014:0509-01 java-1.5.0-ibm 2014-05-15
Red Hat RHSA-2014:0486-01 java-1.7.0-ibm 2014-05-13
Red Hat RHSA-2014:0412-01 java-1.7.0-oracle 2014-04-17
Red Hat RHSA-2014:0413-02 java-1.7.0-oracle 2014-04-17
Red Hat RHSA-2014:0414-01 java-1.6.0-sun 2014-04-17


kernel: privilege escalation

Package(s): kernel
CVE #(s): CVE-2014-2851
Created: April 18, 2014
Updated: May 6, 2014
Description: From the CVE entry:

Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter.

Alerts:
Oracle ELSA-2015-0290 kernel 2015-03-12
Oracle ELSA-2014-1392 kernel 2014-10-21
openSUSE openSUSE-SU-2014:1246-1 kernel 2014-09-28
Red Hat RHSA-2014:1101-01 kernel 2014-08-27
CentOS CESA-2014:0981 kernel 2014-07-31
Scientific Linux SLSA-2014:0981-1 kernel 2014-07-29
Oracle ELSA-2014-0981 kernel 2014-07-29
Red Hat RHSA-2014:0981-01 kernel 2014-07-29
Oracle ELSA-2014-0786 kernel 2014-07-23
SUSE SUSE-SU-2014:0908-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0909-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0910-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0911-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0912-1 Linux kernel 2014-07-17
openSUSE openSUSE-SU-2014:0856-1 kernel 2014-07-01
Ubuntu USN-2260-1 linux-lts-trusty 2014-06-27
openSUSE openSUSE-SU-2014:0840-1 kernel 2014-06-25
Red Hat RHSA-2014:0786-01 kernel 2014-06-24
Red Hat RHSA-2014:0557-01 kernel-rt 2014-05-27
Ubuntu USN-2227-1 linux-ti-omap4 2014-05-27
Ubuntu USN-2225-1 linux-lts-saucy 2014-05-27
Ubuntu USN-2224-1 linux-lts-raring 2014-05-27
Ubuntu USN-2223-1 linux-lts-quantal 2014-05-27
Ubuntu USN-2228-1 kernel 2014-05-27
Ubuntu USN-2226-1 kernel 2014-05-27
Ubuntu USN-2221-1 kernel 2014-05-26
Mageia MGASA-2014-0238 kernel-vserver 2014-05-24
Mageia MGASA-2014-0234 kernel-tmb 2014-05-23
Mageia MGASA-2014-0236 kernel-tmb 2014-05-24
Mageia MGASA-2014-0237 kernel-rt 2014-05-24
Mageia MGASA-2014-0235 kernel-linus 2014-05-24
Mageia MGASA-2014-0229 kernel-vserver 2014-05-19
Mageia MGASA-2014-0228 kernel 2014-05-19
Debian DSA-2926-1 kernel 2014-05-12
Mageia MGASA-2014-0208 kernel-rt 2014-05-08
Mageia MGASA-2014-0206 kernel 2014-05-08
Fedora FEDORA-2014-5609 kernel 2014-05-06
Fedora FEDORA-2014-5235 kernel 2014-04-18
Oracle ELSA-2014-3018 kernel 2014-04-17
Oracle ELSA-2014-3019 kernel 2014-04-17
Mandriva MDVSA-2014:124 kernel 2014-06-13


kernel: denial of service

Package(s): kernel
CVE #(s): CVE-2014-0155
Created: April 21, 2014
Updated: May 6, 2014
Description: From the CVE entry:

The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced.

Alerts:
Ubuntu USN-2336-1 linux-lts-trusty 2014-09-02
Ubuntu USN-2337-1 kernel 2014-09-02
SUSE SUSE-SU-2014:0908-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0909-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0910-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0911-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0912-1 Linux kernel 2014-07-17
Ubuntu USN-2239-1 linux-lts-saucy 2014-06-05
Ubuntu USN-2241-1 kernel 2014-06-05
Mageia MGASA-2014-0238 kernel-vserver 2014-05-24
Mageia MGASA-2014-0234 kernel-tmb 2014-05-23
Mageia MGASA-2014-0236 kernel-tmb 2014-05-24
Mageia MGASA-2014-0237 kernel-rt 2014-05-24
Mageia MGASA-2014-0235 kernel-linus 2014-05-24
Mageia MGASA-2014-0229 kernel-vserver 2014-05-19
Mageia MGASA-2014-0227 kernel-rt 2014-05-19
Mageia MGASA-2014-0226 kernel-linus 2014-05-19
Mageia MGASA-2014-0228 kernel 2014-05-19
Mageia MGASA-2014-0225 kernel 2014-05-18
Fedora FEDORA-2014-5609 kernel 2014-05-06
Fedora FEDORA-2014-5235 kernel 2014-04-18
CentOS CESA-2014:X009 kernel 2014-06-16


mysql: multiple unspecified vulnerabilities

Package(s): mysql-5.5
CVE #(s): CVE-2014-0384 CVE-2014-2419 CVE-2014-2430 CVE-2014-2431 CVE-2014-2432 CVE-2014-2436 CVE-2014-2438 CVE-2014-2440
Created: April 23, 2014
Updated: July 24, 2014
Description: From the CVE entries:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via vectors related to XML. (CVE-2014-0384)

Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition. (CVE-2014-2419)

Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect availability via unknown vectors related to Performance Schema. (CVE-2014-2430)

Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect availability via unknown vectors related to Options. (CVE-2014-2431)

Unspecified vulnerability in the Oracle MySQL Server component 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Federated. (CVE-2014-2432)

Unspecified vulnerability in Oracle MySQL Server 5.5.36 and earlier and 5.6.16 and earlier allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to RBR. (CVE-2014-2436)

Unspecified vulnerability in Oracle MySQL Server 5.5.35 and earlier and 5.6.15 and earlier allows remote authenticated users to affect availability via unknown vectors related to Replication. (CVE-2014-2438)

Unspecified vulnerability in the MySQL Client component in Oracle MySQL 5.5.36 and earlier and 5.6.16 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. (CVE-2014-2440)

Alerts:
Mandriva MDVSA-2015:091 mariadb 2015-03-28
Oracle ELSA-2014-1861 mariadb 2014-11-17
Gentoo 201409-04 mysql 2014-09-04
Oracle ELSA-2014-0702 mariadb 2014-07-23
Red Hat RHSA-2014:0702-01 mariadb 2014-06-10
SUSE SUSE-SU-2014:0769-1 MySQL 2014-06-07
Slackware SSA:2014-152-01 mariadb 2014-06-01
Mageia MGASA-2014-0239 mariadb 2014-05-24
Scientific Linux SLSA-2014:0536-1 mysql55-mysql 2014-05-23
Red Hat RHSA-2014:0537-01 mysql55-mysql 2014-05-22
Oracle ELSA-2014-0536 mysql55-mysql 2014-05-22
CentOS CESA-2014:0537 mysql55-mysql 2014-05-22
CentOS CESA-2014:0536 mysql55-mysql 2014-05-22
Red Hat RHSA-2014:0536-01 mysql55-mysql 2014-05-22
CentOS CESA-2014:0522 mariadb55-mariadb 2014-05-21
Red Hat RHSA-2014:0522-01 mariadb55-mariadb 2014-05-20
Mandriva MDVSA-2014:102 mariadb 2014-05-16
Fedora FEDORA-2014-6120 mariadb-galera 2014-05-16
Debian DSA-2919-1 mysql-5.5 2014-05-03
Fedora FEDORA-2014-5409 mariadb 2014-04-29
Fedora FEDORA-2014-5393 mariadb 2014-04-29
Fedora FEDORA-2014-5396 community-mysql 2014-04-29
Fedora FEDORA-2014-5369 community-mysql 2014-04-29
Ubuntu USN-2170-1 mysql-5.5 2014-04-23


openshift-origin-broker: authentication bypass

Package(s): openshift-origin-broker
CVE #(s): CVE-2014-0188
Created: April 23, 2014
Updated: April 23, 2014
Description: From the Red Hat advisory:

A flaw was found in the way openshift-origin-broker handled authentication requests via the remote user authentication plug-in. A remote attacker able to submit a request to openshift-origin-broker could set the X-Remote-User header, and send the request to a passthrough trigger, resulting in a bypass of the authentication checks to gain access to any OpenShift user account on the system.

Alerts:
Red Hat RHSA-2014:0423-01 openshift-origin-broker 2014-04-23
Red Hat RHSA-2014:0422-01 openshift-origin-broker 2014-04-23


openssl: denial of service

Package(s): openssl
CVE #(s): CVE-2010-5298
Created: April 18, 2014
Updated: July 24, 2014
Description: From the Debian advisory:

A read buffer can be freed even when it still contains data that is used later on, leading to a use-after-free. Given a race condition in a multi-threaded application it may permit an attacker to inject data from one connection into another or cause denial of service.

Alerts:
SUSE SUSE-SU-2015:0743-1 mariadb 2015-04-21
Mandriva MDVSA-2015:062 openssl 2015-03-27
Fedora FEDORA-2014-17576 mingw-openssl 2015-01-02
Fedora FEDORA-2014-17587 mingw-openssl 2015-01-02
Oracle ELSA-2014-1652 openssl 2014-10-16
Gentoo 201407-05 openssl 2014-07-28
Oracle ELSA-2014-0679 openssl 2014-07-23
Red Hat RHSA-2014:0679-01 openssl 2014-06-10
Slackware SSA:2014-156-03 openssl 2014-06-05
Scientific Linux SLSA-2014:0625-1 openssl 2014-06-05
Oracle ELSA-2014-0625 openssl 2014-06-05
Fedora FEDORA-2014-7102 openssl 2014-06-05
Fedora FEDORA-2014-7101 openssl 2014-06-05
CentOS CESA-2014:0625 openssl 2014-06-05
Red Hat RHSA-2014:0625-01 openssl 2014-06-05
Mandriva MDVSA-2014:090 openssl 2014-05-16
Ubuntu USN-2192-1 openssl 2014-05-05
openSUSE openSUSE-SU-2014:0592-1 OpenSSL 2014-05-02
Mageia MGASA-2014-0187 openssl 2014-04-23
Debian DSA-2908-1 openssl 2014-04-17


otrs: cross-site scripting

Package(s): otrs
CVE #(s): CVE-2014-2553 CVE-2014-2554
Created: April 22, 2014
Updated: June 10, 2014
Description: From the SUSE bug report:

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields.

Alerts:
Mageia MGASA-2014-0194 otrs 2014-04-24
openSUSE openSUSE-SU-2014:0561-1 otrs 2014-04-22
Mandriva MDVSA-2014:111 otrs 2014-06-10


python-django: multiple vulnerabilities

Package(s): python-django
CVE #(s): CVE-2014-0472 CVE-2014-0473 CVE-2014-0474
Created: April 22, 2014
Updated: May 5, 2014
Description: From the Ubuntu advisory:

Benjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse() function. An attacker could use this issue to cause Django to import arbitrary modules from the Python path, resulting in possible code execution. (CVE-2014-0472)

Paul McMillan discovered that Django incorrectly cached certain pages that contained CSRF cookies. An attacker could possibly use this flaw to obtain a valid cookie and perform attacks which bypass the CSRF restrictions. (CVE-2014-0473)

Michael Koziarski discovered that Django did not always perform explicit conversion of certain fields when using a MySQL database. An attacker could possibly use this issue to obtain unexpected results. (CVE-2014-0474)

Alerts:
openSUSE openSUSE-SU-2014:1132-1 python-django 2014-09-16
Gentoo 201406-26 django 2014-06-26
Mandriva MDVSA-2014:113 python-django 2014-06-10
Mandriva MDVSA-2014:112 python-django 2014-06-10
Debian DSA-2934-1 python-django 2014-05-19
Fedora FEDORA-2014-5562 python-django 2014-05-02
Fedora FEDORA-2014-5486 python-django15 2014-05-01
Fedora FEDORA-2014-5475 python-django14 2014-05-01
Fedora FEDORA-2014-5503 python-django 2014-05-01
Red Hat RHSA-2014:0457-01 Django 2014-04-30
Red Hat RHSA-2014:0456-01 Django 2014-04-30
Mageia MGASA-2014-0196 python-django 2014-04-28
Ubuntu USN-2169-2 python-django 2014-04-23
Ubuntu USN-2169-1 python-django 2014-04-22


python-django-horizon: cross-site scripting

Package(s): python-django-horizon
CVE #(s): CVE-2014-0157
Created: April 23, 2014
Updated: May 30, 2014
Description: From the CVE entry:

Cross-site scripting (XSS) vulnerability in the Horizon Orchestration dashboard in OpenStack Dashboard (aka Horizon) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to inject arbitrary web script or HTML via the description field of a Heat template.

Alerts:
openSUSE openSUSE-SU-2015:0078-1 openstack-dashboard 2015-01-19
Red Hat RHSA-2014:0581-01 python-django-horizon 2014-05-29
Ubuntu USN-2206-1 horizon 2014-05-06
Fedora FEDORA-2014-5002 python-django-horizon 2014-04-23


qemu: code execution

Package(s): qemu
CVE #(s): CVE-2014-0150
Created: April 18, 2014
Updated: December 12, 2014
Description: From the Debian advisory:

Michael S. Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC addresses table update requests from the guest. A privileged guest user could use this flaw to corrupt qemu process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the qemu process.

Alerts:
Mandriva MDVSA-2015:061 qemu 2015-03-13
Fedora FEDORA-2014-15951 xen 2014-12-12
Fedora FEDORA-2014-15503 xen 2014-12-01
Fedora FEDORA-2014-15521 xen 2014-12-01
Mandriva MDVSA-2014:220 qemu 2014-11-21
Mageia MGASA-2014-0426 qemu 2014-10-28
Gentoo 201408-17 qemu 2014-08-30
Fedora FEDORA-2014-5825 qemu 2014-05-01
Ubuntu USN-2182-1 qemu, qemu-kvm 2014-04-28
Red Hat RHSA-2014:0434-01 qemu-kvm-rhev 2014-04-24
Red Hat RHSA-2014:0435-01 qemu-kvm-rhev 2014-04-24
Scientific Linux SLSA-2014:0420-1 qemu-kvm 2014-04-22
Oracle ELSA-2014-0420 qemu-kvm 2014-04-22
CentOS CESA-2014:0420 qemu-kvm 2014-04-22
Red Hat RHSA-2014:0420-01 qemu-kvm 2014-04-22
Debian DSA-2910-1 qemu-kvm 2014-04-18
Debian DSA-2909-1 qemu 2014-04-18


qemu-kvm: multiple vulnerabilities

Package(s): qemu-kvm
CVE #(s): CVE-2014-0142 CVE-2014-0143 CVE-2014-0144 CVE-2014-0145 CVE-2014-0146 CVE-2014-0147 CVE-2014-0148
Created: April 23, 2014
Updated: April 23, 2014
Description: From the Red Hat advisory:

Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147)

A divide-by-zero flaw was found in the seek_to_sector() function of the parallels block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0142)

A NULL pointer dereference flaw was found in the QCOW2 block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0146)

It was found that the block driver for Hyper-V VHDX images did not correctly calculate BAT (Block Allocation Table) entries due to a missing bounds check. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0148)

Alerts:
Mandriva MDVSA-2015:061 qemu 2015-03-13
Mandriva MDVSA-2014:220 qemu 2014-11-21
Mageia MGASA-2014-0426 qemu 2014-10-28
Debian DSA-3044-1 qemu-kvm 2014-10-04
Debian DSA-3045-1 qemu 2014-10-04
Ubuntu USN-2342-1 qemu, qemu-kvm 2014-09-08
Gentoo 201408-17 qemu 2014-08-30
SUSE SUSE-SU-2014:0623-1 kvm 2014-05-08
Fedora FEDORA-2014-5825 qemu 2014-05-01
Red Hat RHSA-2014:0434-01 qemu-kvm-rhev 2014-04-24
Red Hat RHSA-2014:0435-01 qemu-kvm-rhev 2014-04-24
Scientific Linux SLSA-2014:0420-1 qemu-kvm 2014-04-22
Oracle ELSA-2014-0420 qemu-kvm 2014-04-22
CentOS CESA-2014:0420 qemu-kvm 2014-04-22
Red Hat RHSA-2014:0420-01 qemu-kvm 2014-04-22


rsync: denial of service

Package(s): rsync
CVE #(s): CVE-2014-2855
Created: April 18, 2014
Updated: March 29, 2015
Description: From the Mageia advisory:

Ryan Finnie discovered that rsync 3.1.0 contains a denial of service issue when attempting to authenticate using a nonexistent username. A remote attacker could use this flaw to cause a denial of service via CPU consumption.

Alerts:
Mandriva MDVSA-2015:131 rsync 2015-03-29
Mageia MGASA-2015-0065 rsync 2015-02-15
openSUSE openSUSE-SU-2014:0595-1 Rsync 2014-05-02
Ubuntu USN-2171-1 rsync 2014-04-23
Fedora FEDORA-2014-5315 rsync 2014-04-20
Mageia MGASA-2014-0179 rsync 2014-04-17


Page editor: Jake Edge


Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds