Security

End-To-End webmail encryption

By Nathan Willis
June 25, 2014

In early June, a team at Google released some code that brings support for OpenPGP encryption to webmail clients running in the Chrome/Chromium browser. Called simply End-To-End, the initial release was made in source form only—for the purposes of security review.

End-To-End was announced in a June 3 blog post. It is designed to be compiled as a browser extension for Chrome or Chromium, and it provides webmail clients running in those browsers with OpenPGP-compatible message encryption and decryption—including support for signed messages. The blog post puts End-To-End into the context of Google's ongoing security enhancements for Gmail, but claims End-To-End itself is not a Gmail-specific program. Nevertheless, at the moment there is not an official list of which other webmail services are supported; in fact, the only other one referenced is a bug report indicating some problems using End-To-End with the open-source Zimbra client.

[The welcome screen in End-To-End]

When up and running, End-To-End allows users to compose an outgoing message, then encrypt and sign it locally with an OpenPGP key. End-To-End can import an existing OpenPGP keyring, which it then stores in its own localStorage area so that the keys are accessible from within Chrome/Chromium's sandbox. It can also generate a new key and keyring, though it supports only Elliptic Curve (EC) key generation. Existing keys—both private and public—of non-EC types are still supported for all other operations. End-To-End's keyring is separate from any other OpenPGP keyring the user might already possess, so the public keys of other users must be imported into End-To-End's keyring before they can be used. Users can either import the entire external keyring during setup, or import each key individually (which is an option presented when opening an encrypted message).

The extension differs a bit from other OpenPGP implementations in that it stores the user's private and public keys on a single keyring, and only supports encrypting the entire keyring with a passphrase, rather than individual keys. The FAQ on the main page says that this was a decision made to minimize the number of passphrases users are required to remember.

Usage

At this point, End-To-End is provided as source code only, which users must build and manually install as a browser extension. For those who do not use Chrome/Chromium regularly, note that it is also necessary to enable "Developer mode" in the browser so that one can install a local, un-packaged extension.

When in use, End-To-End provides a button in the browser's extension toolbar that provides access to a pop-up message composition window, a pop-up decryption window, and utility functions (which include key import). If you are logged in to a webmail client and composing a message, the composition window copies the current contents of the in-progress message into its own mini-composer; if the recipient's public key is in the keyring, End-To-End will use it when you click the "Protect this message" button (alternatively, you can enter the recipient's address within the mini-composer or encrypt the message with a passphrase). PGP signatures are also supported; one can even click the "Protect this message" button with no recipients included to add a PGP signature without encrypting the message's contents.

[Message composition in End-To-End]

However you choose to protect the message, clicking on the "Insert into the page" button copies the PGP-protected text back into the webmail composition window. Similarly, if you receive an encrypted message, the End-To-End menu button can copy its contents into its decryption window and unscramble it.

Users who are accustomed to PGP-style encryption will not find the process difficult. The first big question to answer when assessing the project's usefulness is whether or not End-To-End makes email encryption easier for anyone new to the subject. This is not easy to say; some might find the separate End-To-End window that hovers over the main webmail message composer a bit perplexing. Others might notice that if the browser tab loses focus, the End-To-End window and its contents vanish immediately.

Of course, there are security reasons for these behaviors: End-To-End does not work directly in the page contents, so that it is isolated from other elements in the page (which, intentionally or not, could interfere and risk a security breach), and there are good reasons not to leave the contents of the window available if the user is away doing something else.

Security

The other big question concerning End-To-End is whether or not it is genuinely safe to use. In the blog announcement and on the project's home page, the team emphasizes that this is a project still in development and that the release is meant to attract more scrutiny of End-To-End's security. The page even asks developers not to download the code, compile it, and submit the result to the official Chrome extension "store," on the grounds that it still requires further vetting.

Historically, PGP encryption for webmail has been a thorny issue. One of the main reasons is that an encryption library (in JavaScript) delivered in a web page is regarded as suspect: like any other page content, it could be modified by an attacker at the server (or even en route); the content and the JavaScript execution environment can be modified by other JavaScript on the page; and there are potential information leaks (such as reliance on the JavaScript interpreter's garbage collection rather than any real "secure delete" facility).

But End-To-End does not rely on encryption routines or secrets sent with the page content itself. In that sense, it is as secure as composing a message in a text editor, encrypting it on the command line, then pasting it into the webmail client. There are still risks, of course, but the bigger concerns for a built-in PGP function or extension are concepts like key management and sandboxing—along with implementation details of the core routines, which still should be audited.

The project FAQ supplies a few basic answers to common questions. For example, as mentioned above, End-To-End uses a single keyring to store the user's private key and all collected public keys. The encryption keys are also stored in memory unencrypted, which the FAQ notes could mean that key material is sent to Google in a crash report if the browser's "send crash reports" feature is enabled. That is certainly a problem one would hope to see fixed before End-To-End becomes more widespread or a built-in feature.

As always, one is dependent on the browser's implementation of features like sandboxing and secure localStorage to be free of serious errors. Perhaps to that end, the blog post notes that End-To-End, although still experimental, is eligible for Google's vulnerability bounty program.

On the other hand, End-To-End does implement its own cryptographic functions and OpenPGP routines, rather than using an existing library like OpenPGP.js. Of course, OpenPGP.js may not be a widely-scrutinized project in the grand scheme of things; if Google chooses to invest further in End-To-End it could attract more eyes. But OpenPGP.js is already in use by other projects with similar aims, such as Mailvelope—which also has the advantage of being usable in Firefox as well as Chrome. If Google persists in maintaining End-To-End as a Chrome/Chromium-only tool, there would be competing implementations in webmail encryption, with the possibility of incompatibilities. As Enigmail has seen, even adhering to the relevant RFCs does not protect one from all possible compatibility problems.

Perhaps there are valid reasons for maintaining a new in-browser OpenPGP tool; End-To-End makes some implementation choices that other OpenPGP projects might not agree with. For example, it does not support fetching public keys from a keyserver (perhaps because doing so would complicate the sandboxing process). Similarly, End-To-End opts for a single passphrase for the entire keyring for the sake of simplicity, but not every user will find that trade-off worthwhile.

The landscape of webmail-encryption tools is sparse as it is; the other major approach is WebPG, which is built around the Netscape Plugin API (NPAPI) that, these days, is used less and less even by Mozilla. WebPG does, however, call out to the system's GnuPG library, which is ostensibly a more widely-tested PGP implementation than either End-To-End or OpenPGP.js. But even if the security community does thoroughly vet and enhance End-To-End's cryptographic features, as Google hopes it will, the project will still face the challenge of winning over a non-trivial percentage of webmail users. And that may be an unsolvable problem, regardless of the implementation details.

Brief items

Security quotes of the week

That is like saying a ride on horseback is materially indistinguishable from a flight to the moon. Both are ways of getting from point A to point B, but little else justifies lumping them together. Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse. A conclusion that inspecting the contents of an arrestee’s pockets works no substantial additional intrusion on privacy beyond the arrest itself may make sense as applied to physical items, but any extension of that reasoning to digital data has to rest on its own bottom.

Cell phones differ in both a quantitative and a qualitative sense from other objects that might be kept on an arrestee’s person. The term “cell phone” is itself misleading shorthand; many of these devices are in fact minicomputers that also happen to have the capacity to be used as a telephone. They could just as easily be called cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, or newspapers.

— US Supreme Court Chief Justice John Roberts [PDF] in a unanimous opinion that search warrants are required to search mobile phones

I used to think of the whole one-kernel-branch-per-device wild-west ways of Android as a bit of a headache. Now I realize it is a security nightmare. An important part of platform security is being able to react quickly when (not if) vulnerabilities are found. In the desktop/server world, CVEs are usually not embargoed for more than a week... that is all you need, since fortunately we don't need a different kernel for each different make and model of server, laptop, etc. In the mobile device world, it is quite a different story!

— Rob Clark

Americans want fraudsters to be punished on two criteria: for the value of the damage they do, with steadily tougher punishments for more damage, and for their motivation, where they want people who hack for profit to be punished more harshly than people who hack for political protest.

So Americans, thankfully, are rational. Let’s hope that legislators and prosecutors start listening to their voters.

— Ross Anderson

New vulnerabilities

castor: XML injection

Package(s): castor    CVE #(s): CVE-2014-3004
Created: June 20, 2014    Updated: December 31, 2014
Description:

From the CVE entry: The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.

Alerts:
Mageia MGASA-2014-0556 castor 2014-12-31
Fedora FEDORA-2014-16346 castor 2014-12-15
Fedora FEDORA-2014-16446 castor 2014-12-15
openSUSE openSUSE-SU-2014:0822-1 castor 2014-06-20

ctdb: insecure temporary files

Package(s): ctdb    CVE #(s): CVE-2013-4159
Created: June 25, 2014    Updated: March 30, 2015
Description: From the openSUSE advisory:

ctdb was updated to version 2.3 to fix several temp file vulnerabilities

Alerts:
Mandriva MDVSA-2015:177 ctdb 2015-03-30
Fedora FEDORA-2014-16742 ctdb 2014-12-20
Mageia MGASA-2014-0274 ctdb 2014-06-27
openSUSE openSUSE-SU-2014:0842-1 ctdb 2014-06-25

dbus: denial of service

Package(s): dbus    CVE #(s): CVE-2014-3477
Created: June 19, 2014    Updated: December 22, 2014
Description: From the Mageia advisory:

A denial of service vulnerability in D-Bus before 1.6.20 allows a local attacker to cause a bus-activated service that is not currently running to attempt to start, and fail, denying other users access to this service. Additionally, in highly unusual environments the same flaw could lead to a side channel between processes that should not be able to communicate (CVE-2014-3477).

Alerts:
Mandriva MDVSA-2015:176 dbus 2015-03-30
Fedora FEDORA-2014-17595 mingw-dbus 2015-01-02
Fedora FEDORA-2014-17570 mingw-dbus 2015-01-02
Fedora FEDORA-2014-16227 dbus 2014-12-19
Gentoo 201412-12 dbus 2014-12-13
openSUSE openSUSE-SU-2014:1239-1 dbus-1 2014-09-28
openSUSE openSUSE-SU-2014:1228-1 dbus-1 2014-09-28
Ubuntu USN-2275-1 dbus 2014-07-08
Fedora FEDORA-2014-8059 dbus 2014-07-08
openSUSE openSUSE-SU-2014:0874-1 dbus-1 2014-07-05
Debian DSA-2971-1 dbus 2014-07-02
openSUSE openSUSE-SU-2014:0821-1 dbus-1 2014-06-20
Mageia MGASA-2014-0266 dbus 2014-06-18

firefox: code execution

Package(s): MozillaFirefox    CVE #(s): CVE-2014-1539, CVE-2014-1543
Created: June 20, 2014    Updated: June 25, 2014
Description:

From the CVE entry:

Multiple heap-based buffer overflows in the navigator.getGamepads function in the Gamepad API in Mozilla Firefox before 30.0 allow remote attackers to execute arbitrary code by using non-contiguous axes with a (1) physical or (2) virtual Gamepad device. (CVE-2014-1543)

Alerts:
Gentoo 201504-01 firefox 2015-04-07
openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
openSUSE openSUSE-SU-2014:0855-1 seamonkey 2014-07-01
openSUSE openSUSE-SU-2014:0819-1 MozillaFirefox 2014-06-20

foreman-proxy: shell command injection

Package(s): foreman-proxy    CVE #(s): CVE-2014-0007
Created: June 19, 2014    Updated: June 25, 2014
Description: From the Red Hat advisory:

A shell command injection flaw was found in the way foreman-proxy verified URLs in the TFTP module. A remote attacker could use this flaw to execute arbitrary shell commands on the system with the privileges of the user running foreman-proxy. (CVE-2014-0007)

Alerts:
Red Hat RHSA-2014:0770-01 foreman-proxy 2014-06-19

gnupg: denial of service

Package(s): gnupg    CVE #(s): CVE-2014-4617
Created: June 25, 2014    Updated: April 23, 2015
Description: From the Slackware advisory:

This release includes a security fix to stop a denial of service using garbled compressed data packets which can be used to put gpg into an infinite loop.

Alerts:
Fedora FEDORA-2015-5969 gnupg2 2015-04-22
Mandriva MDVSA-2015:154 gnupg 2015-03-29
openSUSE openSUSE-SU-2014:0952-1 gpg2 2014-07-30
Gentoo 201407-04 gnupg 2014-07-16
Mandriva MDVSA-2014:127 gnupg 2014-07-09
openSUSE openSUSE-SU-2014:0866-1 gpg2 2014-07-03
Fedora FEDORA-2014-7797 gnupg2 2014-07-01
Fedora FEDORA-2014-7796 gnupg2 2014-06-29
Ubuntu USN-2258-1 gnupg, gnupg2 2014-06-26
Mageia MGASA-2014-0276 gnupg, gnupg2 2014-06-27
Fedora FEDORA-2014-7676 gnupg 2014-06-27
Debian DSA-2968-1 gnupg2 2014-06-27
Debian DSA-2967-1 gnupg 2014-06-25
Slackware SSA:2014-175-03 gnupg2 2014-06-24
Slackware SSA:2014-175-02 gnupg 2014-06-24

heat: information leak

Package(s): heat    CVE #(s): CVE-2014-3801
Created: June 19, 2014    Updated: October 23, 2014
Description: From the Ubuntu advisory:

Jason Dunsmore discovered that OpenStack heat did not properly restrict access to template information. A remote authenticated attacker could exploit this to see URL provider templates of other tenants for a limited time.

Alerts:
Red Hat RHSA-2014:1687-02 openstack-heat 2014-10-22
Ubuntu USN-2249-1 heat 2014-06-18

iodine: authentication bypass

Package(s): iodine    CVE #(s): CVE-2014-4168
Created: June 23, 2014    Updated: August 18, 2014
Description: From the Debian advisory:

Oscar Reparaz discovered an authentication bypass vulnerability in iodine, a tool for tunneling IPv4 data through a DNS server. A remote attacker could provoke a server to accept the rest of the setup or also network traffic by exploiting this flaw.

Alerts:
Fedora FEDORA-2014-9279 iodine 2014-08-16
Fedora FEDORA-2014-9265 iodine 2014-08-16
Mandriva MDVSA-2014:128 iodine 2014-07-09
Mageia MGASA-2014-0277 iodine 2014-06-27
Debian DSA-2964-1 iodine 2014-06-21

kernel: privilege escalation

Package(s): kernel    CVE #(s): CVE-2014-4014
Created: June 19, 2014    Updated: June 25, 2014
Description: From discoverer Andy Lutomirski's description:

The bug is that, if you created a user namespace and retained capabilities in that namespace, then you could use chmod to set the setgid bit on any file you owned, including files with, say, group 0.

The impact depends on what files are available that have gids that shouldn't be available to the users who own the file. For example, the existence of a uid != 0, gid == 0 file would allow that uid to escalate privileges to gid 0, which is likely good enough for full root.

Alerts:
Oracle ELSA-2015-2152 kernel 2015-11-25
Mageia MGASA-2015-0077 kernel-rt 2015-02-19
Oracle ELSA-2014-3096 kernel 2014-12-04
CentOS 2014:X011 kernel 2014-10-01
Ubuntu USN-2336-1 linux-lts-trusty 2014-09-02
Ubuntu USN-2337-1 kernel 2014-09-02
Mageia MGASA-2014-0332 kernel-vserver 2014-08-18
Mageia MGASA-2014-0337 kernel-tmb 2014-08-18
Mageia MGASA-2014-0331 kernel-tmb 2014-08-18
Mageia MGASA-2014-0336 kernel-linus 2014-08-18
Mageia MGASA-2014-0330 kernel-linus 2014-08-18
openSUSE openSUSE-SU-2014:0985-1 kernel 2014-08-11
openSUSE openSUSE-SU-2014:0957-1 kernel 2014-08-01
Mageia MGASA-2014-0316 kernel 2014-08-05
Ubuntu USN-2287-1 linux-lts-saucy 2014-07-16
Ubuntu USN-2286-1 linux-lts-raring 2014-07-16
Ubuntu USN-2285-1 linux-lts-quantal 2014-07-16
Ubuntu USN-2289-1 kernel 2014-07-16
Mageia MGASA-2014-0273 kernel 2014-06-22
Fedora FEDORA-2014-7426 kernel 2014-06-22
Fedora FEDORA-2014-7430 kernel 2014-06-18

kernel: denial of service

Package(s): kernel    CVE #(s): CVE-2014-0203
Created: June 20, 2014    Updated: June 25, 2014
Description:

From the Red Hat advisory: It was discovered that the proc_ns_follow_link() function did not properly return the LAST_BIND value in the last pathname component as is expected for procfs symbolic links, which could lead to excessive freeing of memory and consequent slab corruption. A local, unprivileged user could use this flaw to crash the system.

Alerts:
SUSE SUSE-SU-2014:1138-1 kernel 2014-09-16
Ubuntu USN-2332-1 kernel 2014-09-02
Ubuntu USN-2333-1 EC2 kernel 2014-09-02
Oracle ELSA-2014-1392 kernel 2014-10-21
Oracle ELSA-2014-0981 kernel 2014-07-29
Scientific Linux SLSA-2014:0771-1 kernel 2014-06-19
Oracle ELSA-2014-0771 kernel 2014-06-19
CentOS CESA-2014:0771 kernel 2014-06-20
Red Hat RHSA-2014:0771-01 kernel 2014-06-19

kernel: information disclosure

Package(s): kernel    CVE #(s): CVE-2014-0206
Created: June 25, 2014    Updated: July 25, 2014
Description: From the Red Hat advisory:

It was found that the aio_read_events_ring() function of the Linux kernel's Asynchronous I/O (AIO) subsystem did not properly sanitize the AIO ring head received from user space. A local, unprivileged user could use this flaw to disclose random parts of the (physical) memory belonging to the kernel and/or other processes.

Alerts:
Mageia MGASA-2015-0077 kernel-rt 2015-02-19
Oracle ELSA-2015-0290 kernel 2015-03-12
openSUSE openSUSE-SU-2014:1677-1 kernel 2014-12-21
CentOS 2014:X011 kernel 2014-10-01
Ubuntu USN-2336-1 linux-lts-trusty 2014-09-02
Ubuntu USN-2337-1 kernel 2014-09-02
Mageia MGASA-2014-0332 kernel-vserver 2014-08-18
Mageia MGASA-2014-0337 kernel-tmb 2014-08-18
Mageia MGASA-2014-0331 kernel-tmb 2014-08-18
Mageia MGASA-2014-0336 kernel-linus 2014-08-18
Mageia MGASA-2014-0330 kernel-linus 2014-08-18
Mageia MGASA-2014-0318 kernel 2014-08-05
Mageia MGASA-2014-0316 kernel 2014-08-05
Fedora FEDORA-2014-8487 kernel 2014-07-25
Oracle ELSA-2014-0786 kernel 2014-07-23
Red Hat RHSA-2014:0913-01 kernel-rt 2014-07-22
Fedora FEDORA-2014-7863 kernel 2014-06-30
Red Hat RHSA-2014:0786-01 kernel 2014-06-24

libreoffice: unexpected VBA macro execution

Package(s): libreoffice    CVE #(s): CVE-2014-0247
Created: June 23, 2014    Updated: July 3, 2014
Description: From the Ubuntu advisory:

It was discovered that LibreOffice unconditionally executed certain VBA macros, contrary to user expectations.

Alerts:
Scientific Linux SLSA-2015:0377-1 libreoffice 2015-03-25
Red Hat RHSA-2015:0377-01 libreoffice 2015-03-05
Mageia MGASA-2014-0447 libreoffice 2014-11-14
Gentoo 201408-19 openoffice-bin 2014-08-31
Fedora FEDORA-2014-7679 libreoffice 2014-07-03
openSUSE openSUSE-SU-2014:0860-1 libreoffice 2014-07-01
Ubuntu USN-2253-1 libreoffice 2014-06-23

musl: code execution

Package(s): musl    CVE #(s): CVE-2014-3484
Created: June 19, 2014    Updated: June 25, 2014
Description: From the Mageia advisory:

A remote stack-based buffer overflow has been found in musl libc's dns response parsing code. The overflow can be triggered in programs linked against musl libc and making dns queries via one of the standard interfaces (getaddrinfo, getnameinfo, gethostbyname, gethostbyaddr, etc.) if one of the configured nameservers in resolv.conf is controlled by an attacker, or if an attacker can inject forged udp packets with control over their contents. Denial of service is also possible via a related failure in loop detection (CVE-2014-3484).

Alerts:
Mageia MGASA-2014-0262 musl 2014-06-18

pdns: denial of service

Package(s): pdns    CVE #(s): (none)
Created: June 23, 2014    Updated: June 25, 2014
Description: From the Mageia advisory:

PowerDNS recursor is vulnerable to a denial of service due to a bug that causes it to exhaust the maximum number of file descriptors that are available to a process.

Alerts:
Mageia MGASA-2014-0272 pdns 2014-06-20

rb_libtorrent: stop UPNP from opening port 0

Package(s): rb_libtorrent    CVE #(s): (none)
Created: June 23, 2014    Updated: September 5, 2014
Description: From the Fedora advisory:

stop UPNP from opening port 0

Alerts:
Mageia MGASA-2014-0364 libtorrent-rasterbar 2014-09-05
Fedora FEDORA-2014-7413 rb_libtorrent 2014-06-24
Fedora FEDORA-2014-7406 rb_libtorrent 2014-06-22

rubygem-openshift-origin-node: code execution

Package(s): rubygem-openshift-origin-node    CVE #(s): CVE-2014-3496
Created: June 19, 2014    Updated: June 25, 2014
Description: From the Red Hat advisory:

A command injection flaw was found in rubygem-openshift-origin-node. A remote, authenticated user permitted to install cartridges via the web interface could use this flaw to execute arbitrary code with root privileges on the Red Hat OpenShift Enterprise node server. (CVE-2014-3496)

Alerts:
Red Hat RHSA-2014:0762-01 rubygem-openshift-origin-node 2014-06-18
Red Hat RHSA-2014:0763-01 rubygem-openshift-origin-node 2014-06-18
Red Hat RHSA-2014:0764-01 rubygem-openshift-origin-node 2014-06-18

samba: multiple vulnerabilities

Package(s): samba    CVE #(s): CVE-2014-0178, CVE-2014-0244, CVE-2014-3493
Created: June 23, 2014    Updated: July 31, 2014
Description: From the Debian advisory:

CVE-2014-0178: Information leak vulnerability in the VFS code, allowing an authenticated user to retrieve eight bytes of uninitialized memory when shadow copy is enabled.

CVE-2014-0244: Denial of service (infinite CPU loop) in the nmbd Netbios name service daemon. A malformed packet can cause the nmbd server to enter an infinite loop, preventing it from processing later requests to the Netbios name service.

CVE-2014-3493: Denial of service (daemon crash) in the smbd file server daemon. An authenticated user attempting to read a Unicode path using a non-Unicode request can force the daemon to overwrite memory at an invalid address.

Alerts:
Mandriva MDVSA-2015:082 samba 2015-03-28
Gentoo 201502-15 samba 2015-02-25
Oracle ELSA-2014-1009 samba4 2014-08-05
openSUSE openSUSE-SU-2014:0944-1 samba 2014-07-30
Oracle ELSA-2014-0867 samba 2014-07-23
Mandriva MDVSA-2014:136 samba 2014-07-11
Scientific Linux SLSA-2014:0866-1 samba and samba3x 2014-07-09
Oracle ELSA-2014-0866 samba, samba3x 2014-07-09
CentOS CESA-2014:0866 samba, samba3x 2014-07-09
CentOS CESA-2014:0867 samba 2014-07-09
Red Hat RHSA-2014:0866-01 samba, samba3x 2014-07-09
Red Hat RHSA-2014:0867-01 samba 2014-07-09
Fedora FEDORA-2014-7654 samba 2014-07-09
Mageia MGASA-2014-0279 samba 2014-07-04
openSUSE openSUSE-SU-2014:0857-1 samba 2014-07-01
openSUSE openSUSE-SU-2014:0859-1 samba 2014-07-01
Ubuntu USN-2257-1 samba 2014-06-26
Fedora FEDORA-2014-7672 samba 2014-06-26
Slackware SSA:2014-175-04 samba 2014-06-24
Debian DSA-2966-1 samba 2014-06-23

samba: denial of service

Package(s): samba    CVE #(s): CVE-2014-0239
Created: June 25, 2014    Updated: June 25, 2014
Description: From the CVE entry:

The internal DNS server in Samba 4.x before 4.0.18 does not check the QR field in the header section of an incoming DNS message before sending a response, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged response packet that triggers a communication loop, a related issue to CVE-1999-0103.
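
The missing check, as an added illustration that is not Samba's own code: a header parser that classifies an incoming DNS message by its QR and opcode bits and refuses to answer anything that is itself a response, which is what prevents the forged-response loop described above. The verdict enum, function names and sample headers are constructed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A DNS message starts with a 12-byte header (RFC 1035, 4.1.1). Byte 2 holds
 * QR in its top bit (0 = query, 1 = response) and the 4-bit opcode below it. */
#define DNS_HEADER_LEN 12
#define DNS_OPCODE_QUERY 0

enum dns_verdict {
    DNS_ANSWER,         /* a standard query: build and send a reply */
    DNS_DROP_SHORT,     /* shorter than a header: ignore silently */
    DNS_DROP_RESPONSE,  /* QR=1: replying would start a response/response loop */
    DNS_DROP_OPCODE     /* not a standard QUERY: ignore rather than reply with an error */
};

/* Decide whether a server should respond to this datagram at all. A server
 * that answers a forged response with an error response (instead of dropping
 * it) can be kept exchanging packets with another such server indefinitely. */
enum dns_verdict dns_classify(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < DNS_HEADER_LEN)
        return DNS_DROP_SHORT;

    uint8_t flags_hi = pkt[2];
    bool qr = (flags_hi & 0x80) != 0;        /* QR: top bit of the flags word */
    uint8_t opcode = (flags_hi >> 3) & 0x0F; /* the four bits below QR */

    if (qr)
        return DNS_DROP_RESPONSE;
    if (opcode != DNS_OPCODE_QUERY)
        return DNS_DROP_OPCODE;
    return DNS_ANSWER;
}

/* Constructed sample: write a bare header with the given id, QR flag and
 * opcode, QDCOUNT=1 and no question section (enough for the header check). */
size_t dns_build_header(uint8_t out[DNS_HEADER_LEN], uint16_t id, bool qr, uint8_t opcode)
{
    memset(out, 0, DNS_HEADER_LEN);
    out[0] = (uint8_t)(id >> 8);
    out[1] = (uint8_t)(id & 0xFF);
    out[2] = (uint8_t)((qr ? 0x80 : 0x00) | ((opcode & 0x0F) << 3));
    out[5] = 1;  /* QDCOUNT low byte */
    return DNS_HEADER_LEN;
}

/* Self-check over constructed packets; true when every case is classified as
 * expected. Opcode 2 is STATUS in RFC 1035. */
bool dns_selftest(void)
{
    uint8_t buf[DNS_HEADER_LEN];
    dns_build_header(buf, 0x1234, false, DNS_OPCODE_QUERY);
    if (dns_classify(buf, DNS_HEADER_LEN) != DNS_ANSWER) return false;
    dns_build_header(buf, 0x1234, true, DNS_OPCODE_QUERY);   /* forged or echoed response */
    if (dns_classify(buf, DNS_HEADER_LEN) != DNS_DROP_RESPONSE) return false;
    dns_build_header(buf, 0x0001, false, 2);                 /* STATUS opcode */
    if (dns_classify(buf, DNS_HEADER_LEN) != DNS_DROP_OPCODE) return false;
    if (dns_classify(buf, 5) != DNS_DROP_SHORT) return false;
    return true;
}

int main(void)
{
    bool ok = dns_selftest();
    printf("dns_classify self-test: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```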

Alerts:
Gentoo 201502-15 samba 2015-02-25
openSUSE openSUSE-SU-2014:0859-1 samba 2014-07-01
Ubuntu USN-2257-1 samba 2014-06-26
Slackware SSA:2014-175-04 samba 2014-06-24

tomcat: multiple vulnerabilities

Package(s): tomcat    CVE #(s): CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119
Created: June 25, 2014    Updated: February 23, 2015
Description:

From the Mageia advisory:

Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data (CVE-2014-0075).

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue (CVE-2014-0096).

Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40 and 7.x before 7.0.53, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header (CVE-2014-0099).

Apache Tomcat before 6.0.40 and 7.x before 7.0.54 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or read files associated with different web applications on a single Tomcat instance via a crafted web application (CVE-2014-0119).
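
As an added illustration of the CVE-2014-0075 chunk-size problem (not Tomcat's code, and in C rather than Java), a hex chunk-size parser whose accumulator silently wraps sits beside a hardened form that bounds both the digit count and the value; the size limit and the function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Upper bound on an acceptable chunk size; a constructed policy value, chosen
 * so that any size that would not fit in a signed 32-bit int is rejected. */
#define CHUNK_SIZE_MAX ((int64_t)INT32_MAX)
#define CHUNK_MAX_HEX_DIGITS 8

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Accumulate hex digits into a 32-bit value with no bound, the shape of the
 * pre-fix logic: nine or more digits wrap, so "100000000" parses as 0 and
 * "FFFFFFFF" as -1, and the chunk-reading loop is fed a nonsense size.
 * (The wrap is done on an unsigned type and then converted, so no C UB.) */
int32_t parse_chunk_size_unchecked(const char *line)
{
    uint32_t acc = 0;
    int v;
    for (; (v = hexval((unsigned char)*line)) >= 0; line++)
        acc = acc * 16u + (uint32_t)v;
    return (int32_t)acc;
}

/* Hardened form: consumes the size up to an optional ";extension" or CRLF,
 * rejects non-hex input, an empty size, too many digits, and any value above
 * the bound. Returns the size, or -1 for a malformed chunk header. */
int64_t parse_chunk_size_checked(const char *line)
{
    int64_t result = 0;
    size_t ndigits = 0;
    const char *p = line;

    for (; *p != '\0' && *p != ';' && *p != '\r' && *p != '\n'; p++) {
        int v = hexval((unsigned char)*p);
        if (v < 0)
            return -1;                       /* not a hex digit */
        if (++ndigits > CHUNK_MAX_HEX_DIGITS)
            return -1;                       /* cannot fit: reject early, never wrap */
        result = result * 16 + v;
        if (result > CHUNK_SIZE_MAX)
            return -1;                       /* fits in 8 digits but exceeds policy */
    }
    if (ndigits == 0)
        return -1;                           /* "" or ";ext" with no size at all */
    return result;
}

int main(void)
{
    /* Constructed sample chunk-size lines, benign and malformed. */
    const char *samples[] = { "1a", "0;ext=1", "7FFFFFFF", "FFFFFFFF", "100000000", "zz" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s unchecked=%ld checked=%lld\n", samples[i],
               (long)parse_chunk_size_unchecked(samples[i]),
               (long long)parse_chunk_size_checked(samples[i]));
    return 0;
}
```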

Alerts:
Ubuntu USN-2654-1 tomcat7 2015-06-25
Mandriva MDVSA-2015:084 tomcat 2015-03-28
Mandriva MDVSA-2015:052 tomcat 2015-03-03
Fedora FEDORA-2015-2109 tomcat 2015-02-23
Mandriva MDVSA-2015:053 tomcat6 2015-03-03
Gentoo 201412-29 tomcat 2014-12-14
Scientific Linux SLSA-2014:1038-1 tomcat6 2014-08-11
Oracle ELSA-2014-1038 tomcat6 2014-08-11
CentOS CESA-2014:1038 tomcat6 2014-08-11
Red Hat RHSA-2014:1038-01 tomcat6 2014-08-11
Ubuntu USN-2302-1 tomcat6, tomcat7 2014-07-30
Oracle ELSA-2014-1034 tomcat 2014-08-07
CentOS CESA-2014:1034 tomcat 2014-08-07
Red Hat RHSA-2014:1034-01 tomcat 2014-08-07
Oracle ELSA-2014-0827 tomcat 2014-07-23
Scientific Linux SLSA-2014:0865-1 tomcat6 2014-07-09
Oracle ELSA-2014-0865 tomcat6 2014-07-09
CentOS CESA-2014:0865 tomcat6 2014-07-09
Red Hat RHSA-2014:0865-01 tomcat6 2014-07-09
Red Hat RHSA-2014:0827-01 tomcat 2014-07-02
Mageia MGASA-2014-0268 tomcat 2014-06-19
Debian DSA-3530-1 tomcat6 2016-03-25
Debian DSA-3552-1 tomcat7 2016-04-17

wireshark: denial of service

Package(s): wireshark    CVE #(s): CVE-2014-4020
Created: June 19, 2014    Updated: June 25, 2014
Description: From the Mageia advisory:

The frame metadissector could crash (CVE-2014-4020).

Alerts:
Gentoo 201406-33 wireshark 2014-06-29
Fedora FEDORA-2014-7359 wireshark 2014-06-24
openSUSE openSUSE-SU-2014:0836-1 wireshark 2014-06-24
Mageia MGASA-2014-0264 wireshark 2014-06-18

Page editor: Jake Edge
Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds