User: Password:
Subscribe / Log in / New account


ClamAV 0.98.3 adds features and asks for statistics

By Nathan Willis
May 14, 2014

The latest update to the ClamAV open-source antivirus scanner, has been released, bringing with it IPv6 support, improved performance, and an option to contribute virus-detection statistics back to the project. Although virus scanning is a comparatively rare task on Linux desktops, it still remains an important issue for those on other operating systems. Thus, a quality open-source program like ClamAV provides a useful alternative to the proprietary offerings, whether it is deployed on a mail server or run on individual Windows desktop machines.

The new release is numbered 0.98.3, and arrived on May 7. Source is available for download from SourceForge, as are Windows binaries for the ClamAV engine and its official Windows front-end Immunet. There are also unofficial Linux builds available for a variety of distributions.

The release announcement highlights a few functional changes outside of the core virus-recognition task. This includes the fact that ClamAV is now fully compatible with IPv6 addressing. The various components of a ClamAV deployment (such as the clamd scanning daemon, the freshclam virus-database updater, and clamdtop monitoring program) can run over TCP sockets, but adding support for IPv6 has been a slow and piecemeal process, starting with ClamAV 0.94 back in 2008. Its completion in 0.98.3 hopefully means that the feature will be subjected to more rigorous testing.

ClamAV relies on hash functions to test possible virus payloads against its database of known malware. The new release moves from internal implementations of the various hash functions to using the implementations supplied by the OpenSSL library. The OpenSSL implementations are said to amount to a 70% performance speed-up, which is certainly a welcome improvement, but the change also makes OpenSSL a hard dependency. The ClamAV license has also been updated to include a GPL exception permitting the binary to be linked with OpenSSL. Such exceptions are not out of the ordinary (particularly for OpenSSL), but are still noteworthy for anyone who redistributes ClamAV.

The third major change in the new release is an option for users to submit virus-detection statistics back to the project. The feature is opt-in; it must be activated by supplying the appropriate (non-default) parameter to either the clamscan program or clamd daemon. The statistics collected cover the number and names of viruses identified, plus the sizes and hashes of files scanned. Collecting this type of information should, in theory, allow ClamAV to grow as a project; rather than rely solely on external information sources, it can analyze the threats its own users encounter.

Collecting virus-detection numbers is only part of that process, however. In February, the project launched another initiative to collect the actual signatures of viruses caught by ClamAV. Signatures contributed (through a web submission form, not as email attachments, for obvious reasons) by the community will be included in subsequent updates to ClamAV's virus database.

There are also several new features in ClamAV 0.98.3's virus-detection capabilities. The first of these is support for scanning additional raw disk image formats; new is support for master boot record (MBR), GUID Partition Table (GPT), and Apple Partition Map (APM) disks, though only those with 512-byte sectors. There is also improved detection of malware scripts embedded within image files, and the closing of a nasty bug through which a specially-crafted icon in a Windows Portable Executable (PE) file could be used to crash clamscan or clamd.

Finally, ClamAV has added initial support for working with OpenIOC files. OpenIOC is an XML-based format for storing and reporting security threat information (the acronym in the name stands for "Indicators of Compromise"). The OpenIOC format can be used to record a variety of different security issues; ClamAV's support at this time is limited to extracting file hashes from any virus-detection incidents. The extracted information is then added to ClamAV's own signature database. OpenIOC support is marked as experimental; it is not clear whether the ClamAV project has any interest in doing more than reading OpenIOC files.

On the whole, version 0.98.3 is another small but stable update from ClamAV. It is good to see the project take steps toward assembling its own virus database information; if done correctly that is certainly a valuable contribution that the ClamAV community can add. ClamAV's parent company Sourcefire was acquired by Cisco in July 2013; at the time the project made an announcement to reassure users that the acquisition would not weaken the project's commitment to the open-source community. So far, it seems to be a positive move for the project, as stable releases of both the software and virus database continue.

Those of us who live and work entirely within the sphere of Linux and free software can, at times, forget how important virus-scanning programs are to others, merely because of how much more prevalent viruses are on Windows machines. But, as Linux is often the operating system that dominates the server room, projects like ClamAV are critical even if most of the virus they stop are targeting someone else.

Comments (3 posted)

Brief items

Security quotes of the week

The ECJ ruling didn't order the newspaper itself, La Vanguardia, to remove its original article, as [Mario Costeja] González had also requested. Instead, the court simply ordered Google to remove all links to the auction notice from its search engine. Ironically, the ECJ's ruling explicitly mentions González's auction notice and financial trouble. Will the court order that its own decision be made unsearchable online?

The court recognized what some European legislators call "the right to be forgotten"—the idea of giving ordinary citizens more control over their personal data, including its deletion.

Matt Ford at The Atlantic

What we found alarmed us. There were staggering gaps in procedural and operational security, and the architecture of the system leaves it open to cyberattacks from foreign powers, such as Russia. These attacks could alter votes or leave election outcomes in dispute. We have confirmed these attacks in our lab — they are real threats. We urgently recommend that Estonia discontinue use of the system.
— A report on the security of Estonia's internet voting system

The moral of the story is clear: be very cautious about poisoning the banquet you serve your guests, lest you end up accidentally ingesting it yourself. And there's an unpalatable (to spooks) corollary: we the public aren't going to get a crime-free secure internet unless we re-engineer it to be NSA-proof. And because of the current idiotic fad for outsourcing key competences from the public to the private sector, the security-industrial contractors who benefit from the 80% of the NSA's budget that is outsourced are good for $60-80Bn a year. That means we can expect a firehose of lobbying slush funds to be directed against attempts to make the internet NSA-proof.

Worse. Even though the pursuit of this obsession with surveillance in the name of security is rendering our critical infrastructure insecure by design, making massive denial of service attacks and infrastructure attacks possible, any such attacks will be interpreted as a rationale to double-down on the very surveillance-friendly policies that make them possible. It's a self-reinforcing failure mode, and the more it fails the worse it will get. Sort of like the war on drugs, if the war on drugs had the capability to overflow and reprogram your next car's autopilot and drive you into a bridge support, or to fry your insulin pump, or empty your bank account, or cause grid blackouts and air traffic control outages. Because that's what the internet of things means: the secret police have installed locks in everything and the criminals are now selling each other skeleton keys.

Charles Stross

But just that very admission highlights that the auditing system the NSA keeps insisting we should trust is completely broken. As we've noted, if the NSA can't tell how its own systems are being used, then it has no idea how they're being abused. Even worse, the NSA has no idea if other people with powers similar to [Edward] Snowden may have taken other documents and given them to those who actually mean to do us harm, rather than reporters looking to serve the public interest.

In admitting that the NSA has no way of knowing what Snowden did, [former NSA head Keith] Alexander is admitting that all this talk of the infallible audit system is all smoke and mirrors. And, because of that, the claims that we can trust the NSA not to abuse its systems are equally untrustworthy.

Mike Masnick

Comments (3 posted)

Defeating memory comparison timing oracles (Red Hat Security Blog)

Over at the Red Hat Security Blog, Florian Weimer looks at timing oracles in memory comparison functions and how to stop them. Timing oracles can allow attackers to extract keys or other secret data by timing code that compares input data to the secret. "Of course, there are other architectures (and x86 implementations), so we will have to perform further research to see if we can remove the timing oracle from their implementations at acceptable (read: zero) cost. For architectures where super-scalar, pipelined implementations are common, this is likely the case. But the GNU C library will probably not be a in a position to commit to an oracle-free memcmp by default (after all, future architectures might have different requirements). But I hope that we can promise that in -D_FORTIFY_SOURCE=2 mode, memcmp is oracle-free."

Comments (25 posted)

Linux gets fix for code-execution flaw (Ars Technica)

Ars Technica takes a look at serious bug in the Linux kernel that was introduced in 2009. "The memory-corruption vulnerability, which was introduced in version 2.6.31-rc3, released no later than 2009, allows unprivileged users to crash or execute malicious code on vulnerable systems, according to the notes accompanying proof-of-concept code available here. The flaw resides in the n_tty_write function controlling the Linux pseudo tty device." This flaw has been identified as CVE-2014-0196. The LWN vulnerability report is here.

Comments (32 posted)

RFC 7258

The Internet Engineering Task Force has adopted RFC 7258, titled "Pervasive monitoring is an attack." It commits the IETF to work against pervasive monitoring (PM) in the design of its protocols going forward. "In particular, architectural decisions, including which existing technology is reused, may significantly impact the vulnerability of a protocol to PM. Those developing IETF specifications therefore need to consider mitigating PM when making architectural decisions. Getting adequate, early review of architectural decisions including whether appropriate mitigation of PM can be made is important. Revisiting these architectural decisions late in the process is very costly."

Comments (43 posted)

New vulnerabilities

abrt: could not be used by server systems

Package(s):abrt CVE #(s):
Created:May 14, 2014 Updated:May 14, 2014
Description: From the Red Hat bugzilla:

The ABRT polkit policy is completely desktop-centric and expects that the admin user is logged in an active local session (ie: a seat in logind parlance, with a monitor and keyboard).

This prevents use of ABRT when logged in via ssh (and using pkttyagent as your polkit agent) or via Cockpit.

The <allow_any> tag in polkit policy applies to non-local sessions. It should be set to something other than 'no' unless the action directly affects hardware of the login seat.

Fedora FEDORA-2014-6128 abrt 2014-05-13

Comments (none posted)

android-tools: code execution

Package(s):android-tools CVE #(s):CVE-2014-1909
Created:May 13, 2014 Updated:February 16, 2015
Description: From the Red Hat bugzilla:

Joshua J. Drake of discovered a stack-based buffer overflow flaw in the ADB client code:

Connecting to a malicious ADB server could result in arbitrary code execution. A patch is available from the above link.

Fedora FEDORA-2015-0938 android-tools 2015-02-15
openSUSE openSUSE-SU-2014:0636-1 android-tools 2014-05-13
openSUSE openSUSE-SU-2014:0637-1 android-tools 2014-05-13

Comments (none posted)

fish: insecure tmpfile use

Package(s):fish CVE #(s):CVE-2014-3219
Created:May 8, 2014 Updated:October 9, 2014
Description: From the Red Hat bugzilla entry:

another symlink-based vulnerability

More information can be found in this oss-sec post.

Gentoo 201412-49 fish 2014-12-28
Fedora FEDORA-2014-11850 fish 2014-10-08
Fedora FEDORA-2014-11838 fish 2014-10-08
Fedora FEDORA-2014-5783 fish 2014-05-08

Comments (none posted)

kernel: two vulnerabilities

Package(s):kernel CVE #(s):CVE-2014-0181 CVE-2014-3122
Created:May 12, 2014 Updated:December 8, 2014
Description: From the CVE entry:

The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing socket operations based on the opener of a socket, which allows local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program. (CVE-2014-0181)

From the Red Hat bugzilla:

Linux kernel kernel's Memory Management Unit(MMU) is vulnerable to a crash caused by unlocked memory pages. It could occur during the memory page migration or while cleaning the swap cache pages.

An unprivileged user/program could use this flaw to crash the system kernel, resulting in DoS. (CVE-2014-3122)

SUSE SUSE-SU-2015:0812-1 kernel 2015-04-30
SUSE SUSE-SU-2015:0736-1 Real Time Linux Kernel 2015-04-20
SUSE SUSE-SU-2015:0652-1 Linux kernel 2015-04-02
SUSE SUSE-SU-2015:0581-1 kernel 2015-03-24
openSUSE openSUSE-SU-2015:0566-1 kernel 2015-03-21
SUSE SUSE-SU-2015:0481-1 kernel 2015-03-11
Oracle ELSA-2015-0290 kernel 2015-03-12
openSUSE openSUSE-SU-2014:1677-1 kernel 2014-12-21
Scientific Linux SLSA-2014:1959-1 kernel 2014-12-05
Oracle ELSA-2014-1959 kernel 2014-12-05
CentOS CESA-2014:1959 kernel 2014-12-04
Red Hat RHSA-2014:1959-01 kernel 2014-12-04
Scientific Linux SLSA-2014:1392-1 kernel 2014-11-03
Oracle ELSA-2014-1392 kernel 2014-10-21
CentOS 2014:X011 kernel 2014-10-01
Ubuntu USN-2336-1 linux-lts-trusty 2014-09-02
Ubuntu USN-2337-1 kernel 2014-09-02
Mandriva MDVSA-2014:201 kernel 2014-10-21
Red Hat RHSA-2014:1392-01 kernel 2014-10-14
Mageia MGASA-2014-0332 kernel-vserver 2014-08-18
Mageia MGASA-2014-0331 kernel-tmb 2014-08-18
Mageia MGASA-2014-0330 kernel-linus 2014-08-18
Oracle ELSA-2014-3067 kernel 2014-08-11
Oracle ELSA-2014-3067 kernel 2014-08-11
Oracle ELSA-2014-1023 kernel 2014-08-06
CentOS CESA-2014:1023 kernel 2014-08-06
Red Hat RHSA-2014:1023-01 kernel 2014-08-06
Red Hat RHSA-2014:0913-01 kernel-rt 2014-07-22
SUSE SUSE-SU-2014:0908-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0909-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0910-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0911-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0912-1 Linux kernel 2014-07-17
openSUSE openSUSE-SU-2014:0856-1 kernel 2014-07-01
Ubuntu USN-2260-1 linux-lts-trusty 2014-06-27
openSUSE openSUSE-SU-2014:0840-1 kernel 2014-06-25
Mageia MGASA-2014-0273 kernel 2014-06-22
SUSE SUSE-SU-2014:0807-1 Linux Kernel 2014-06-18
Ubuntu USN-2236-1 linux-ti-omap4 2014-06-05
Ubuntu USN-2239-1 linux-lts-saucy 2014-06-05
Ubuntu USN-2240-1 kernel 2014-06-05
Ubuntu USN-2235-1 kernel 2014-06-05
Ubuntu USN-2241-1 kernel 2014-06-05
Ubuntu USN-2233-1 kernel 2014-06-05
Ubuntu USN-2234-1 EC2 kernel 2014-06-05
openSUSE openSUSE-SU-2014:0766-1 Evergreen 2014-06-06
Red Hat RHSA-2014:0557-01 kernel-rt 2014-05-27
Ubuntu USN-2224-1 linux-lts-raring 2014-05-27
Ubuntu USN-2223-1 linux-lts-quantal 2014-05-27
SUSE SUSE-SU-2014:0696-1 Linux kernel 2014-05-22
Fedora FEDORA-2014-6354 kernel 2014-05-21
Debian DSA-2926-1 kernel 2014-05-12
Fedora FEDORA-2014-6122 kernel 2014-05-10

Comments (none posted)

kernel: privilege escalation

Package(s):kernel CVE #(s):CVE-2014-1737 CVE-2014-1738
Created:May 13, 2014 Updated:May 22, 2014
Description: From the Debian advisory:

Matthew Daley discovered that missing input sanitizing in the FDRAWCMD ioctl and an information leak could result in privilege escalation.

Oracle ELSA-2015-0290 kernel 2015-03-12
Oracle ELSA-2014-1392 kernel 2014-10-21
Oracle ELSA-2014-0981 kernel 2014-07-29
Oracle ELSA-2014-0786 kernel 2014-07-23
Red Hat RHSA-2014:0900-01 kernel 2014-07-17
Ubuntu USN-2260-1 linux-lts-trusty 2014-06-27
Red Hat RHSA-2014:0801-01 kernel 2014-06-26
Red Hat RHSA-2014:0800-01 kernel 2014-06-26
Red Hat RHSA-2014:0786-01 kernel 2014-06-24
Scientific Linux SLSA-2014:0771-1 kernel 2014-06-19
Oracle ELSA-2014-0771 kernel 2014-06-19
CentOS CESA-2014:0771 kernel 2014-06-20
Red Hat RHSA-2014:0771-01 kernel 2014-06-19
Red Hat RHSA-2014:0772-01 kernel 2014-06-19
SUSE SUSE-SU-2014:0807-1 Linux Kernel 2014-06-18
Scientific Linux SLSA-2014:0740-1 kernel 2014-06-11
openSUSE openSUSE-SU-2014:0766-1 Evergreen 2014-06-06
Red Hat RHSA-2014:0557-01 kernel-rt 2014-05-27
Ubuntu USN-2227-1 linux-ti-omap4 2014-05-27
Ubuntu USN-2225-1 linux-lts-saucy 2014-05-27
Ubuntu USN-2224-1 linux-lts-raring 2014-05-27
Ubuntu USN-2223-1 linux-lts-quantal 2014-05-27
Ubuntu USN-2228-1 kernel 2014-05-27
Ubuntu USN-2226-1 kernel 2014-05-27
Ubuntu USN-2219-1 kernel 2014-05-26
Ubuntu USN-2221-1 kernel 2014-05-26
Ubuntu USN-2220-1 EC2 kernel 2014-05-26
Mageia MGASA-2014-0238 kernel-vserver 2014-05-24
Mageia MGASA-2014-0234 kernel-tmb 2014-05-23
Mageia MGASA-2014-0236 kernel-tmb 2014-05-24
Mageia MGASA-2014-0237 kernel-rt 2014-05-24
Mageia MGASA-2014-0235 kernel-linus 2014-05-24
SUSE SUSE-SU-2014:0696-1 Linux kernel 2014-05-22
Fedora FEDORA-2014-6354 kernel 2014-05-21
SUSE SUSE-SU-2014:0683-1 Linux kernel 2014-05-20
Mageia MGASA-2014-0229 kernel-vserver 2014-05-19
Mageia MGASA-2014-0227 kernel-rt 2014-05-19
Mageia MGASA-2014-0226 kernel-linus 2014-05-19
Mageia MGASA-2014-0228 kernel 2014-05-19
openSUSE openSUSE-SU-2014:0678-1 kernel 2014-05-19
openSUSE openSUSE-SU-2014:0677-1 kernel 2014-05-19
Mageia MGASA-2014-0225 kernel 2014-05-18
SUSE SUSE-SU-2014:0667-1 Linux Kernel 2014-05-16
Fedora FEDORA-2014-6357 kernel 2014-05-16
Debian DSA-2928-1 linux-2.6 2014-05-14
Debian DSA-2926-1 kernel 2014-05-12
Mandriva MDVSA-2014:124 kernel 2014-06-13
Oracle ELSA-2014-0740 kernel 2014-06-11
CentOS CESA-2014:0740 kernel 2014-06-11
Red Hat RHSA-2014:0740-01 kernel 2014-06-10

Comments (none posted)

ldns: information disclosure

Package(s):ldns CVE #(s):CVE-2014-3209
Created:May 12, 2014 Updated:May 14, 2014
Description: From the Mageia advisory:

ldns-keygen creates a private key with the default permissions according to the users umask, which in most cases will cause the private key to be world-readable.

Mandriva MDVSA-2014:085 ldns 2014-05-12
Mageia MGASA-2014-0212 ldns 2014-05-10

Comments (none posted)

libxfont: multiple vulnerabilities

Package(s):libxfont CVE #(s):CVE-2014-0209 CVE-2014-0210 CVE-2014-0211
Created:May 14, 2014 Updated:November 25, 2014
Description: From the X.Org Security Advisory:

- CVE-2014-0209: integer overflow of allocations in font metadata file parsing

When a local user who is already authenticated to the X server adds a new directory to the font path, the X server calls libXfont to open the fonts.dir and fonts.alias files in that directory and add entries to the font tables for every line in it. A large file (~2-4 gb) could cause the allocations to overflow, and allow the remaining data read from the file to overwrite other memory in the heap.

Affected functions: FontFileAddEntry(), lexAlias()

- CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies

When parsing replies received from the font server, these calls do not check that the lengths and/or indexes returned by the font server are within the size of the reply or the bounds of the memory allocated to store the data, so could write past the bounds of allocated memory when storing the returned data.

Affected functions: _fs_recv_conn_setup(), fs_read_open_font(), fs_read_query_info(), fs_read_extent_info(), fs_read_glyphs(), fs_read_list(), fs_read_list_info()

- CVE-2014-0211: integer overflows calculating memory needs for xfs replies

These calls do not check that their calculations for how much memory is needed to handle the returned data have not overflowed, so can result in allocating too little memory and then writing the returned data past the end of the allocated buffer.

Affected functions: fs_get_reply(), fs_alloc_glyphs(), fs_read_extent_info()

Mandriva MDVSA-2015:145-1 libxfont 2015-03-30
Mandriva MDVSA-2015:145 libxfont 2015-03-29
Fedora FEDORA-2015-3948 nx-libs 2015-03-26
Fedora FEDORA-2015-3964 nx-libs 2015-03-26
Scientific Linux SLSA-2014:1893-1 libXfont 2014-11-24
Oracle ELSA-2014-1893 libXfont 2014-11-24
CentOS CESA-2014:1893 libXfont 2014-11-25
Red Hat RHSA-2014:1893-01 libXfont 2014-11-24
Oracle ELSA-2014-1870 libXfont 2014-11-19
Oracle ELSA-2014-1870 libXfont 2014-11-20
Scientific Linux SLSA-2014:1870-1 libXfont 2014-11-18
CentOS CESA-2014:1870 libXfont 2014-11-18
Red Hat RHSA-2014:1870-01 libXfont 2014-11-18
CentOS CESA-2014:1870 libxfont 2014-11-18
Fedora FEDORA-2014-8223 libXfont 2014-07-23
Fedora FEDORA-2014-8208 libXfont 2014-07-16
Mandriva MDVSA-2014:132 libxfont 2014-07-09
Mageia MGASA-2014-0278 libxfont 2014-07-04
openSUSE openSUSE-SU-2014:0711-1 libXfont 2014-05-23
Ubuntu USN-2211-1 libxfont 2014-05-14
Debian DSA-2927-1 libxfont 2014-05-13
Gentoo 201406-11 libXfont 2014-06-14

Comments (none posted)

libxml2: denial of service

Package(s):libxml2 CVE #(s):CVE-2014-0191
Created:May 12, 2014 Updated:April 1, 2015
Description: From the Mageia advisory:

It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substitution in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors

Fedora FEDORA-2015-4719 libxml2 2015-04-11
Fedora FEDORA-2015-4658 libxml2 2015-04-07
CentOS CESA-2015:0749 libxml2 2015-04-01
Oracle ELSA-2015-0749 libxml2 2015-03-30
Scientific Linux SLSA-2015:0749-1 libxml2 2015-03-30
Red Hat RHSA-2015:0749-01 libxml2 2015-03-30
Mandriva MDVSA-2015:111 libxml2 2015-03-29
Debian-LTS DLA-151-1 libxml2 2015-02-07
Debian DSA-2978-2 libxml2 2015-02-06
Fedora FEDORA-2014-17609 mingw-libxml2 2015-01-02
Fedora FEDORA-2014-17573 mingw-libxml2 2015-01-02
Gentoo 201409-08 libxml2 2014-09-19
Oracle ELSA-2014-1655 libxml2 2014-10-17
Debian DSA-2978-1 libxml2 2014-07-11
Ubuntu USN-2214-3 libxml2 2014-06-17
Ubuntu USN-2214-2 libxml2 2014-06-09
openSUSE openSUSE-SU-2014:0753-1 libxml2, 2014-06-04
openSUSE openSUSE-SU-2014:0741-1 libxml2, 2014-06-02
openSUSE openSUSE-SU-2014:0716-1 libxml2, 2014-05-27
openSUSE openSUSE-SU-2014:0701-1 libxml2 2014-05-22
Oracle ELSA-2014-0513 libxml2 2014-05-19
CentOS CESA-2014:0513 libxml2 2014-05-19
Scientific Linux SLSA-2014:0513-1 libxml2 2014-05-19
Red Hat RHSA-2014:0513-01 libxml2 2014-05-19
Ubuntu USN-2214-1 libxml2 2014-05-15
openSUSE openSUSE-SU-2014:0645-1 libxml2 2014-05-15
Mandriva MDVSA-2014:086 libxml2 2014-05-12
Mageia MGASA-2014-0214 libxml2 2014-05-10
Oracle ELSA-2015-2550 libxml2 2015-12-07
openSUSE openSUSE-SU-2015:2372-1 libxml2 2015-12-27

Comments (none posted)

miniupnpc: denial of service

Package(s):miniupnpc CVE #(s):CVE-2014-3985
Created:May 13, 2014 Updated:January 17, 2017
Description: From the Red Hat bugzilla:

Appears to be a DoS crash vector that can be triggered by something on the network.

Ubuntu USN-2280-1 miniupnpc 2014-07-16
openSUSE openSUSE-SU-2014:0815-1 miniupnpc 2014-06-18
Mageia MGASA-2014-0224 miniupnpc 2014-05-17
Fedora FEDORA-2014-5903 miniupnpc 2014-05-13
Fedora FEDORA-2014-5903 megaglest 2014-05-13
Fedora FEDORA-2014-5903 0ad 2014-05-13
Mandriva MDVSA-2014:120 miniupnpc 2014-06-10
Gentoo 201701-41 miniupnpc 2017-01-17

Comments (none posted)

openssh: two vulnerabilities

Package(s):openssh CVE #(s):CVE-2010-4478 CVE-2010-4755
Created:May 12, 2014 Updated:May 14, 2014
Description: From the CVE entries:

OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252. (CVE-2010-4478)

The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. (CVE-2010-4755)

Gentoo 201405-06 openssh 2014-05-11

Comments (none posted)

owncloud: remote users can mount the local file system

Package(s):owncloud CVE #(s):CVE-2014-2585
Created:May 14, 2014 Updated:May 14, 2014
Description: From the CVE entry:

ownCloud before 5.0.15 and 6.x before 6.0.2, when the file_external app is enabled, allows remote authenticated users to mount the local filesystem in the user's ownCloud via the mount configuration.

Fedora FEDORA-2014-5918 owncloud 2014-05-13

Comments (none posted)

python-eyeD3: insecure tmpfile use

Package(s):python-eyeD3 CVE #(s):CVE-2014-1934
Created:May 8, 2014 Updated:December 2, 2014

From the Novell bugzilla entry:

Jakub Wilk reported a problem with python-eyeD3 on the Debian Bug Tracking system. eyeD3/ creates temporary files in an insecure way.

Fedora FEDORA-2014-15477 python-eyed3 2014-12-01
Fedora FEDORA-2014-15464 python-eyed3 2014-12-01
openSUSE openSUSE-SU-2014:0619-1 python-eyeD3 2014-05-07
openSUSE openSUSE-SU-2014:0620-1 python-eyeD3 2014-05-07

Comments (none posted)

xen: code execution

Package(s):xen CVE #(s):CVE-2014-3124
Created:May 12, 2014 Updated:May 14, 2014
Description: From the CVE entry:

The HVMOP_set_mem_type control in Xen 4.1 through 4.4.x allows local guest HVM administrators to cause a denial of service (hypervisor crash) or possibly execute arbitrary code by leveraging a separate qemu-dm vulnerability to trigger invalid page table translations for unspecified memory page types.

openSUSE openSUSE-SU-2014:1281-1 xen 2014-10-09
Debian DSA-3006-1 xen 2014-08-18
Gentoo 201407-03 xen 2014-07-16
CentOS CESA-2014:X008 xen 2014-06-16
Fedora FEDORA-2014-5941 xen 2014-05-12
Fedora FEDORA-2014-5915 xen 2014-05-12

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds