
Security

Stem 1.3 makes hidden services easier to deploy

By Nathan Willis
February 11, 2015

The Tor project recently released a new version of Stem, its Python library for monitoring and controlling a Tor connection. The release includes speed improvements and some new utilities, but the key feature is simplified tools for starting and running Tor hidden services.

Stem has been in development since late 2011. It replaced an older library called PyTorCtl that was designed for Tor's "bandwidth authorities"—a set of trusted Tor directory authorities that actively measure the bandwidth of the network in order to spread the load out as evenly as possible. The older library worked, but lacked the flexibility needed to be useful for many other Python projects. The 1.0 release of Stem arrived in March 2013, and 1.1 and 1.2 updates followed. Stem 1.3 was announced on December 22, 2014.

Stem is available through the Python Package Index (PyPI) and there are packages available for many Linux distributions as well. Python 2.6 or newer is required, and the library works with Python 3.

The changelog for the new release highlights a handful of new additions. There is a considerable speed-up (on the order of 40%) when parsing the status documents sent out by Tor directory authorities and mirrors. Critically, the update also refreshes the list of Tor directory authorities itself—since Tor is expected to be most useful in environments where the network itself cannot be trusted, it may not be possible to reliably retrieve such a list over the Internet.

There are also new methods for querying the current state of the Tor connection. get_effective_rate() returns the maximum rate supported by the connected Tor relay; connection_time() returns the Unix timestamp at which the current connection was opened or, if it has since been closed, the time at which it closed; and get_accounting_stats() returns statistics about the current connection (such as the number of bytes written and read) in order to enable connection accounting.

Hidden services

But the big addition is a suite of methods for working with hidden services. For the unfamiliar, a Tor hidden service is a server program that is reachable only through the Tor network, via an address in the .onion pseudo-domain, rather than on a port of a public IP address. The most common examples are a web server or SSH server that is connected only to Tor. Historically, setting up a hidden service was not an arduous process, but it did require editing the tor daemon's text configuration and restarting the daemon.

The new method available through Stem is simpler. Stem's core module is the Tor Controller, which provides a high-level API for opening, configuring, and monitoring a Tor connection. Stem 1.3 adds four new methods that allow developers to work with hidden services directly through the Controller interface. They are:

  • create_hidden_service(), which sets up a hidden service on the running Tor connection
  • remove_hidden_service(), which shuts down a hidden service
  • get_hidden_service_conf(), which returns information about the currently configured services
  • set_hidden_service_conf(), which creates and sets up multiple services at once, based on a configuration dictionary

Creating a new hidden service requires calling the create_hidden_service() method with at least two parameters: a directory path in which Tor keeps the service's own files (its private key and the hostname file that holds the .onion address; this is Tor's HiddenServiceDir, not the web server's document root, and Tor expects it to be accessible only to the user it runs as) and a virtual port number on which the service will be accessible (that is, the "port" on the .onion endpoint, analogous to a normal TCP port). One can optionally add two other parameters: the IP address of the host running the actual service (which, by default, is assumed to be 127.0.0.1, so the backend need not listen on any public interface) and the port number of the service (which, by default, is assumed to be the same port number as the virtual port parameter provided). If Tor succeeds in setting up the hidden service, Stem hands back the .onion address of the new service in return.

A hidden service can be shut down by calling

    remove_hidden_service(ServicePath, ServicePort)

Along with the .onion hostname, create_hidden_service() returns the configuration of the newly created service. get_hidden_service_conf() returns a dictionary describing all of the currently configured hidden services, and, conversely, calling set_hidden_service_conf() with such a dictionary launches every service it describes, so it is fairly easy to save and restore the state of a configuration even when managing multiple services.
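As an added illustration of the save-and-restore workflow just described (this is not Stem's own code, nor anything from the Tor project), the script below snapshots the running hidden services to a JSON file, restores them, and renders the same dictionary as the torrc lines one would otherwise have edited by hand. It assumes the dictionary layout that Stem 1.3 uses for get_hidden_service_conf() and set_hidden_service_conf(), namely {hs_dir: {'HiddenServicePort': [(virtual_port, target_address, target_port), ...]}}, and Tor's "HiddenServiceDir DIR" / "HiddenServicePort VIRTPORT [TARGET]" syntax. The control port 9051, the /var/lib/tor/hs_demo directory and the backup file name are made-up values; only the main block needs a running Tor.

```python
"""Snapshot, restore, and render Tor hidden-service configuration through Stem.

Added example, not Stem's own code.  Assumed: the dictionary layout that
Stem 1.3's get_hidden_service_conf() returns and set_hidden_service_conf()
accepts, i.e. {hs_dir: {'HiddenServicePort': [(virtport, address, port), ...]}},
and Tor's torrc syntax 'HiddenServiceDir DIR' / 'HiddenServicePort VIRTPORT [TARGET]'.
"""
import json
import os

DEFAULT_TARGET_ADDRESS = "127.0.0.1"  # Tor's default: the backend stays off the public interface


def conf_to_torrc(conf):
    """Render the Stem dictionary as equivalent torrc lines (sorted, so output is stable)."""
    lines = []
    for hs_dir in sorted(conf):
        lines.append("HiddenServiceDir %s" % hs_dir)
        for virtport, address, port in conf[hs_dir].get("HiddenServicePort", []):
            lines.append("HiddenServicePort %d %s:%d" % (virtport, address, port))
    return "\n".join(lines)


def torrc_to_conf(text):
    """Parse HiddenServiceDir/HiddenServicePort lines back into the Stem dictionary.

    Tor accepts TARGET as 'addr:port', a bare port, a bare address, or nothing at
    all (meaning 127.0.0.1:VIRTPORT); every form is normalised to one 3-tuple.
    """
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "HiddenServiceDir":
            current = value
            conf.setdefault(current, {"HiddenServicePort": []})
        elif key == "HiddenServicePort":
            if current is None:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            parts = value.split()
            virtport = int(parts[0])
            if len(parts) == 1:
                address, port = DEFAULT_TARGET_ADDRESS, virtport
            elif parts[1].startswith("unix:"):
                raise ValueError("unix socket targets are not handled here")
            elif ":" in parts[1]:
                address, _, port = parts[1].rpartition(":")
                port = int(port)
            elif parts[1].isdigit():
                address, port = DEFAULT_TARGET_ADDRESS, int(parts[1])
            else:
                address, port = parts[1], virtport
            conf[current]["HiddenServicePort"].append((virtport, address, port))
    return conf


def tuplify_conf(conf):
    """JSON has no tuples; rebuild the (virtport, address, port) triples for Stem.
    Only HiddenServicePort is carried over; other per-service options are dropped."""
    return dict((hs_dir, {"HiddenServicePort": [tuple(p) for p in entry.get("HiddenServicePort", [])]})
                for hs_dir, entry in conf.items())


def save_hidden_services(controller, backup_path):
    """Write every configured hidden service to a mode-0600 JSON file; returns the snapshot."""
    conf = controller.get_hidden_service_conf()
    fd = os.open(backup_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(conf, fh, indent=2, sort_keys=True)
    return conf


def restore_hidden_services(controller, backup_path):
    """Relaunch the services recorded by save_hidden_services(); returns what was applied."""
    with open(backup_path) as fh:
        conf = tuplify_conf(json.load(fh))
    controller.set_hidden_service_conf(conf)
    return conf


def publish_service(controller, hs_dir, virtport, target_port=None):
    """Create one service; returns its .onion hostname, or None when the controller
    cannot read hs_dir/hostname (e.g. Tor runs as another user and the directory is 0700)."""
    result = controller.create_hidden_service(hs_dir, virtport, target_port=target_port)
    return result.hostname


if __name__ == "__main__":
    from stem.control import Controller  # everything below needs a running Tor with ControlPort 9051
    with Controller.from_port(port=9051) as controller:
        controller.authenticate()
        print(publish_service(controller, "/var/lib/tor/hs_demo", 80, target_port=8080))
        print(conf_to_torrc(save_hidden_services(controller, "/var/lib/tor/hs-backup.json")))
        controller.remove_hidden_service("/var/lib/tor/hs_demo", 80)
```

The backup file is created with mode 0600 because, although it holds no key material, it maps every .onion directory to the backend it fronts; the private keys themselves stay in each HiddenServiceDir and are not copied.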

In earlier Stem releases, the library was usually promoted as a way to automate the connection set-up and tear-down process—much like Tor's now-discontinued GUI tool Vidalia would do. While it is certainly nice to be able to monitor the status of a Tor connection, this new hidden-service functionality may have more wide-reaching impact.

In the past few years, Tor has been a wild success story in many places around the globe, but that success has almost always been on the "read" side of the network pipe—in other words, Tor allowing a user to access the Internet with privacy and anonymity. Hidden services are meant to be the flip side of that coin: allowing users even in hostile environments to publish web sites and provide network services of their own. Stem 1.3's advancements in this area may not make running hidden services trivial, but they do at least provide a means for other software projects to make hidden services more available to Tor users.

Comments (1 posted)

Brief items

Security quotes of the week

After all, these careless firms usually have pretty easy outs when big breaches occur. They offer you free "credit monitoring" after the fact. Gee, thanks guys. They usually manage to pass along associated costs and fines to their customers. Another big thank you punch to the gut.

How to really get their attention?

Maybe they'd notice potential prison time for top executives of firms that deal primarily with sensitive consumer personal information (like banks, insurance companies, and so on) who voluntarily refuse to implement appropriate, modern internal security controls -- such as strong multiple factor logins -- and then suffer mass consumer data hacks as a result.

Lauren Weinstein

Raspberry Pi officials investigated the report and were able to determine the cause. The U16—the chip responsible for regulating processor core power inside the new Raspberry Pi—has an extreme reaction when exposed to intense bursts of light, such as those produced by Xenon flashes and laser pointers. The flashes trigger a core voltage drop, causing the device to immediately power down. The behavior is the result of the photoelectric effect, which causes metals to emit electrons when hit by certain types of light.
Dan Goodin on an interesting Raspberry Pi 2 denial of service vulnerability

Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.
Samsung SmartTV privacy policy

Comments (20 posted)

New vulnerabilities

bind: denial of service

Package(s):bind CVE #(s):CVE-2014-3214 CVE-2014-8680
Created:February 9, 2015 Updated:February 11, 2015
Description: From the CVE entries:

The prefetch implementation in named in ISC BIND 9.10.0, when a recursive nameserver is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via a DNS query that triggers a response with unspecified attributes. (CVE-2014-3214)

The GeoIP functionality in ISC BIND 9.10.0 through 9.10.1 allows remote attackers to cause a denial of service (assertion failure and named exit) via vectors related to (1) the lack of GeoIP databases for both IPv4 and IPv6, or (2) IPv6 support with certain options. (CVE-2014-8680)

Alerts:
Slackware SSA:2015-111-01 bind 2015-04-21
Gentoo 201502-03 bind 2015-02-07

Comments (none posted)

chromium-browser: multiple vulnerabilities

Package(s):chromium-browser CVE #(s):CVE-2015-1209 CVE-2015-1210 CVE-2015-1211 CVE-2015-1212
Created:February 11, 2015 Updated:March 16, 2015
Description: From the CVE entries:

Use-after-free vulnerability in the VisibleSelection::nonBoundaryShadowTreeRootNode function in core/editing/VisibleSelection.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers improper handling of a shadow-root anchor. (CVE-2015-1209)

The V8ThrowException::createDOMException function in bindings/core/v8/V8ThrowException.cpp in the V8 bindings in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, does not properly consider frame access restrictions during the throwing of an exception, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. (CVE-2015-1210)

The OriginCanAccessServiceWorkers function in content/browser/service_worker/service_worker_dispatcher_host.cc in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android does not properly restrict the URI scheme during a ServiceWorker registration, which allows remote attackers to gain privileges via a filesystem: URI. (CVE-2015-1211)

Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2015-1212)

Alerts:
Arch Linux ASA-201503-5 chromium 2015-03-05
openSUSE openSUSE-SU-2015:0505-1 chromium 2015-03-16
openSUSE openSUSE-SU-2015:0441-1 chromium 2015-03-06
Gentoo 201502-13 chromium 2015-02-17
Mageia MGASA-2015-0062 chromium-browser-stable 2015-02-11
Ubuntu USN-2495-1 oxide-qt 2015-02-10
Red Hat RHSA-2015:0163-01 chromium-browser 2015-02-10

Comments (none posted)

e2fsprogs: code execution

Package(s):e2fsprogs CVE #(s):CVE-2015-0247
Created:February 9, 2015 Updated:January 2, 2017
Description: From the Red Hat bugzilla:

A heap buffer overflow was found in e2fsprogs lib/ext2fs/openfs.c. It allows a trivial arbitrary memory write under certain conditions.

Given that fsck is affected, and that an ext2/3/4 image can force a filesystem check on mount, this will allow code execution on systems that have automount enabled by just plugging a device.

Alerts:
Gentoo 201701-06 e2fsprogs 2017-01-01
SUSE SUSE-SU-2015:1103-1 e2fsprogs 2015-06-23
openSUSE openSUSE-SU-2015:1006-1 e2fsprogs 2015-06-05
Mandriva MDVSA-2015:068 e2fsprogs 2015-03-27
Mandriva MDVSA-2015:067 e2fsprogs 2015-03-27
Mageia MGASA-2015-0088 e2fsprogs 2015-02-26
Ubuntu USN-2507-1 e2fsprogs 2015-02-23
Fedora FEDORA-2015-2279 e2fsprogs 2015-02-21
Debian DSA-3166-1 e2fsprogs 2015-02-22
Debian-LTS DLA-153-1 e2fsprogs 2015-02-16
Mandriva MDVSA-2015:045 e2fsprogs 2015-02-12
Mageia MGASA-2015-0061 e2fsprogs 2015-02-11
Fedora FEDORA-2015-1840 e2fsprogs 2015-02-09

Comments (none posted)

hexchat: SSL spoofing

Package(s):hexchat CVE #(s):CVE-2013-7449
Created:February 6, 2015 Updated:April 7, 2016
Description:

From the Mageia advisory:

HexChat did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
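The check HexChat omitted, as an added example (not HexChat's code): the certificate is represented in the dictionary shape that Python's ssl.getpeercert() returns, and the matching follows RFC 6125: subjectAltName dNSName entries are used when present (the CN is then ignored), the subject CN is consulted only for certificates with no dNSName at all, comparison is case-insensitive, and a wildcard is honoured only as the entire leftmost label. The certificate contents in the test are constructed.

```python
"""Match a server hostname against an X.509 certificate's names.

Added example, not HexChat's code.  The certificate is in the dictionary shape
Python's ssl.getpeercert() returns; the check follows the RFC 6125 rules HexChat
skipped: use subjectAltName dNSName entries when present (then the CN is ignored),
fall back to the subject CN only for certificates without any dNSName, compare
case-insensitively, and honour a wildcard only as the entire leftmost label.
"""
import ipaddress


def dns_names(cert):
    """dNSName SAN entries, or the CN as a last resort when the cert has none."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def pattern_matches(pattern, hostname):
    """One certificate name (possibly '*.example.org') against one hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    # the wildcard must be the whole leftmost label and must leave at least two labels
    if first != "*" or "*" in rest or "." not in rest:
        return False
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == rest


def hostname_matches(cert, hostname):
    """True when the certificate covers hostname (an IP literal only via a SAN iPAddress)."""
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
                   for kind, value in cert.get("subjectAltName", ()))
    return any(pattern_matches(name, hostname) for name in dns_names(cert))


def verified_peer(sock, hostname):
    """Post-handshake check for a socket wrapped by a chain-verifying context:
    raise unless the presented certificate names the host we meant to reach."""
    cert = sock.getpeercert()
    if not cert or not hostname_matches(cert, hostname):
        raise ValueError("certificate does not match %r" % hostname)
    return cert
```

Chain validation alone (which HexChat did perform) answers "is this certificate genuine?"; hostname_matches() answers "is it genuine for the server I asked for?", and without the second question any valid certificate is good enough for an attacker in the middle. In Python 3.4 and later, ssl.create_default_context() with check_hostname=True performs this check for you; the function above exists to show what the check consists of.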

Alerts:
Mageia MGASA-2015-0050 hexchat 2015-02-05

Comments (1 posted)

java: multiple unspecified vulnerabilities

Package(s):java-1.5.0-ibm CVE #(s):CVE-2014-8891 CVE-2014-8892
Created:February 6, 2015 Updated:March 2, 2015
Description:

CVE-2014-8891: unspecified vulnerability.

CVE-2014-8892: unspecified vulnerability.

Alerts:
SUSE SUSE-SU-2015:1073-1 java-1_7_0-ibm 2015-06-16
SUSE SUSE-SU-2015:0343-2 java-1_6_0-ibm 2015-02-25
SUSE SUSE-SU-2015:0376-1 java-1_5_0-ibm 2015-02-25
SUSE SUSE-SU-2015:0344-1 java-1_7_0-ibm 2015-02-21
SUSE SUSE-SU-2015:0343-1 java-1_7_0-ibm 2015-02-21
SUSE SUSE-SU-2015:0345-1 java-1_6_0-ibm 2015-02-21
SUSE SUSE-SU-2015:0304-1 java-1_7_1-ibm 2015-02-17
SUSE SUSE-SU-2015:0306-1 java-1_6_0-ibm 2015-02-17
Red Hat RHSA-2015:0133-01 java-1.7.1-ibm 2015-02-05
Red Hat RHSA-2015:0134-01 java-1.7.0-ibm 2015-02-05
Red Hat RHSA-2015:0135-01 java-1.6.0-ibm 2015-02-05
Red Hat RHSA-2015:0136-01 java-1.5.0-ibm 2015-02-05
SUSE SUSE-SU-2015:0392-1 java-1_6_0-ibm 2015-02-27

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2015-0239 CVE-2015-1465
Created:February 6, 2015 Updated:July 30, 2015
Description:

From the Red Hat bug reports:

CVE-2015-0239: It was found that the Linux kernel KVM subsystem's sysenter instruction emulation was not sufficient. An unprivileged guest user could use this flaw to escalate their privileges by tricking the hypervisor to emulate a SYSENTER instruction in 16-bit mode, if the guest OS does not initialize the SYSENTER MSRs.

CVE-2015-1465: It was found that routing packets to too many different dsts/too fast can lead to an excessive resource consumption. A remote attacker can use this flaw to crash the system.

Alerts:
Scientific Linux SLSA-2015:2152-2 kernel 2015-12-21
Oracle ELSA-2015-2152 kernel 2015-11-25
Red Hat RHSA-2015:2152-02 kernel 2015-11-19
openSUSE openSUSE-SU-2015:1382-1 kernel 2015-08-14
Scientific Linux SLSA-2015:1272-1 kernel 2015-08-03
Oracle ELSA-2015-3064 kernel 3.8.13 2015-07-31
Oracle ELSA-2015-3055 kernel 2.6.32 2015-08-01
Oracle ELSA-2015-3054 kernel 2.6.39 2015-08-01
SUSE SUSE-SU-2015:1488-1 kernel 2015-09-04
Oracle ELSA-2015-3053 kernel 3.8.13 2015-07-29
Oracle ELSA-2015-1272 kernel 2015-07-29
SUSE SUSE-SU-2015:1489-1 kernel 2015-09-04
Red Hat RHSA-2015:1272-01 kernel 2015-07-22
Mageia MGASA-2015-0219 kernel-tmb 2015-05-13
Mageia MGASA-2015-0221 kernel-linus 2015-05-13
Mageia MGASA-2015-0210 kernel 2015-05-11
Ubuntu USN-2562-1 linux-lts-trusty 2015-04-08
Ubuntu USN-2563-1 kernel 2015-04-08
SUSE SUSE-SU-2015:1071-1 kernel 2015-06-16
Ubuntu USN-2545-1 linux-lts-utopic 2015-03-24
Ubuntu USN-2546-1 kernel 2015-03-24
Mandriva MDVSA-2015:058 kernel 2015-03-13
Ubuntu USN-2514-1 linux-ti-omap4 2015-02-26
Ubuntu USN-2517-1 linux-lts-utopic 2015-02-26
Ubuntu USN-2515-1 linux-lts-trusty 2015-02-26
Ubuntu USN-2513-1 kernel 2015-02-26
Ubuntu USN-2516-1 kernel 2015-02-26
Ubuntu USN-2518-1 kernel 2015-02-26
Debian DSA-3160-1 kernel 2015-02-23
Ubuntu USN-2516-2 kernel 2015-02-28
Mageia MGASA-2015-0078 kernel-vserver 2015-02-19
Mageia MGASA-2015-0076 kernel-tmb 2015-02-19
Mageia MGASA-2015-0077 kernel-rt 2015-02-19
Mageia MGASA-2015-0070 kernel 2015-02-17
Ubuntu USN-2515-2 linux-lts-trusty 2015-03-04
Fedora FEDORA-2015-1672 kernel 2015-02-07
Fedora FEDORA-2015-1657 kernel 2015-02-06
Ubuntu USN-2516-3 kernel 2015-03-04

Comments (none posted)

krb5: denial of service

Package(s):krb5 CVE #(s):CVE-2014-5354
Created:February 11, 2015 Updated:February 11, 2015
Description: From the CVE entry:

plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by creating a database entry for a keyless principal, as demonstrated by a kadmin "add_principal -nokey" or "purgekeys -all" command.

Alerts:
openSUSE openSUSE-SU-2015:0542-1 krb5 2015-03-19
Ubuntu USN-2498-1 krb5 2015-02-10
Oracle ELSA-2015-0439 krb5 2015-03-12

Comments (none posted)

llvm: insecure temporary files

Package(s):llvm CVE #(s):CVE-2014-2893
Created:February 10, 2015 Updated:February 11, 2015
Description: From the CVE entry:

The GetHTMLRunDir function in the scan-build utility in Clang 3.5 and earlier allows local users to obtain sensitive information or overwrite arbitrary files via a symlink attack on temporary directories with predictable names.

Alerts:
openSUSE openSUSE-SU-2015:0245-1 llvm 2015-02-09

Comments (none posted)

mantis: multiple vulnerabilities

Package(s):mantis CVE #(s):CVE-2014-9571 CVE-2014-9572 CVE-2014-9573
Created:February 9, 2015 Updated:February 11, 2015
Description: From the CVE entries:

Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter. (CVE-2014-9571)

MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4. (CVE-2014-9572)

SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie. (CVE-2014-9573)

Alerts:
Fedora FEDORA-2015-1364 mantis 2015-02-07
Fedora FEDORA-2015-1419 mantis 2015-02-07

Comments (none posted)

mediawiki: multiple vulnerabilities

Package(s):mediawiki CVE #(s):CVE-2013-6454 CVE-2014-9477 CVE-2014-9478 CVE-2014-9479 CVE-2014-9480 CVE-2014-9481 CVE-2014-9487 CVE-2014-9507
Created:February 9, 2015 Updated:February 11, 2015
Description: From the CVE entries:

Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via a -o-link attribute. (CVE-2013-6454)

Multiple cross-site scripting (XSS) vulnerabilities in the Listings extension for MediaWiki allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) url parameter. (CVE-2014-9477)

Cross-site scripting (XSS) vulnerability in the preview in the ExpandTemplates extension for MediaWiki, when $wgRawHTML is set to true, allows remote attackers to inject arbitrary web script or HTML via the wpInput parameter to the Special:ExpandTemplates page. (CVE-2014-9478)

Cross-site scripting (XSS) vulnerability in the preview in the TemplateSandbox extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via the text parameter to Special:TemplateSandbox. (CVE-2014-9479)

Cross-site scripting (XSS) vulnerability in the Hovercards extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors related to text extracts. (CVE-2014-9480)

MediaWiki 1.21.x, 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers to conduct cross-site scripting (XSS) attacks by setting the content model for a revision to JS. (CVE-2014-9507)

CVE-2014-9481 and CVE-2014-9487 are unspecified.

Alerts:
Gentoo 201502-04 mediawiki 2015-02-07

Comments (none posted)

moodle: information disclosure

Package(s):moodle CVE #(s):CVE-2015-1493
Created:February 10, 2015 Updated:April 6, 2015
Description: From the Mageia advisory:

In Moodle before 2.6.8, parameter "file" passed to scripts serving JS was not always cleaned from including "../" in the path, allowing files located outside of the moodle directory to be read. All OSes are affected, but Windows servers are especially vulnerable.
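As an added example (not Moodle's code), here is the difference between filtering "../" out of a request parameter and confining the resolved path to the document root. The /srv/moodle root and the file names are made-up values; no files need to exist, since the containment check only compares resolved path strings.

```python
"""Confine a request-supplied file name to a document root.

Added example, not Moodle's code.  It contrasts the kind of '../' stripping the
advisory describes with a containment check on the resolved path; the
/srv/moodle root and the file names are made-up values.
"""
import os


def naive_clean(param):
    """Strip '../' once, the way a simple filter does."""
    return param.replace("../", "")


def naive_path(root, param):
    """Path a stripping filter would serve: the join after '../' removal.
    '....//....//' survives the stripping as '../../' and escapes root."""
    return os.path.normpath(os.path.join(root, naive_clean(param)))


def resolve_under(root, param):
    """Absolute path for param inside root, or None if it would escape.

    Backslashes are treated as separators so the check behaves the same on a
    Windows server; a leading slash is dropped so os.path.join cannot be
    overridden with an absolute path; realpath() then collapses '..' and
    symlinks before the prefix comparison, so the decision is made on the
    destination rather than on which tokens the request contained.
    """
    root = os.path.realpath(root)
    relative = param.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None
```

Note that resolve_under() accepts "lib/../../moodle/config.php": it contains ".." twice, yet resolves to a file inside the root, which is exactly what a containment check should decide, while "....//....//etc/passwd" is accepted too, because without the stripping filter it is just an odd directory name under the root.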

Alerts:
Fedora FEDORA-2015-4530 moodle 2015-04-05
Fedora FEDORA-2015-4724 moodle 2015-04-05
Mageia MGASA-2015-0057 moodle 2015-02-09

Comments (none posted)

ntp: multiple vulnerabilities

Package(s):ntp CVE #(s):CVE-2014-9297 CVE-2014-9298
Created:February 6, 2015 Updated:February 16, 2015
Description:

From the Debian advisory:

CVE-2014-9297 - Stephen Roettger of the Google Security Team, Sebastian Krahmer of the SUSE Security Team and Harlan Stenn of Network Time Foundation discovered that the length value in extension fields is not properly validated in several code paths in ntp_crypto.c, which could lead to information leakage or denial of service (ntpd crash).

CVE-2014-9298 - Stephen Roettger of the Google Security Team reported that ACLs based on IPv6 ::1 addresses can be bypassed.

Alerts:
Scientific Linux SLSA-2015:2231-4 ntp 2015-12-21
Oracle ELSA-2015-2231 ntp 2015-11-23
Red Hat RHSA-2015:2231-04 ntp 2015-11-19
Scientific Linux SLSA-2015:1459-1 ntp 2015-08-03
Red Hat RHSA-2015:1459-01 ntp 2015-07-22
Mandriva MDVSA-2015:140 ntp 2015-03-29
SUSE SUSE-SU-2015:0322-1 xntp 2015-02-19
SUSE SUSE-SU-2015:0259-3 ntp 2015-02-16
SUSE SUSE-SU-2015:0259-2 ntp 2015-02-13
Fedora FEDORA-2015-1759 ntp 2015-02-15
Fedora FEDORA-2015-1736 ntp 2015-02-15
SUSE SUSE-SU-2015:0274-1 ntp 2015-02-12
SUSE SUSE-SU-2015:0259-1 ntp 2015-02-12
Mandriva MDVSA-2015:046 ntp 2015-02-12
Mageia MGASA-2015-0063 ntp 2015-02-11
Ubuntu USN-2497-1 ntp 2015-02-09
Debian-LTS DLA-149-1 ntp 2015-02-07
Debian DSA-3154-2 ntp 2015-02-07
Debian DSA-3154-1 ntp 2015-02-05

Comments (none posted)

postgresql: multiple vulnerabilities

Package(s):postgresql-9.1 CVE #(s):CVE-2014-8161 CVE-2015-0241 CVE-2015-0243 CVE-2015-0244
Created:February 6, 2015 Updated:April 1, 2015
Description:

From the Debian advisory:

CVE-2014-8161: Information leak. A user with limited clearance on a table might have access to information in columns on which they have no SELECT rights, through server error messages.

CVE-2015-0241: Out of boundaries read/write The function to_char() might read/write past the end of a buffer. This might crash the server when a formatting template is processed.

CVE-2015-0243: Buffer overruns in contrib/pgcrypto The pgcrypto module is vulnerable to stack buffer overrun that might crash the server.

CVE-2015-0244: SQL command injection Emil Lenngren reported that an attacker can inject SQL commands when the synchronization between client and server is lost.

Alerts:
Gentoo 201507-20 postgresql 2015-07-18
CentOS CESA-2015:0750 postgresql 2015-04-01
Oracle ELSA-2015-0750 postgresql 2015-03-30
Oracle ELSA-2015-0750 postgresql 2015-03-30
Scientific Linux SLSA-2015:0750-1 postgresql 2015-03-30
CentOS CESA-2015:0750 postgresql 2015-03-30
Red Hat RHSA-2015:0750-01 postgresql 2015-03-30
Mandriva MDVSA-2015:110 postgresql 2015-03-29
Red Hat RHSA-2015:0699-01 postgresql92-postgresql 2015-03-18
openSUSE openSUSE-SU-2015:0499-1 postgresql 2015-03-14
openSUSE openSUSE-SU-2015:0414-1 postgresql93 2015-03-03
Mageia MGASA-2015-0069 postgresql 2015-02-17
Fedora FEDORA-2015-1728 postgresql 2015-02-15
Ubuntu USN-2499-1 postgresql-8.4, postgresql-9.1, postgresql-9.3, postgresql-9.4 2015-02-11
Mandriva MDVSA-2015:048 postgresql 2015-02-12
Debian-LTS DLA-152-1 postgresql-8.4 2015-02-12
Fedora FEDORA-2015-1745 postgresql 2015-02-08
Debian DSA-3155-1 postgresql-9.1 2015-02-06

Comments (none posted)

rsync: code execution

Package(s):rsync CVE #(s):CVE-2014-9512
Created:February 10, 2015 Updated:January 22, 2016
Description: Edited version of the Baidu X-team bug report:

In the newest version, rsync (3.1.1), directly modifying the file path into an absolute path cannot be hijacked successfully due to the security checks, but using symbolic links an attacker can bypass the security checks and spoof the client. When a client uses parameter -a to synchronize files of the server side (the default), for example:

    rsync -avzP 127.0.0.1::share /tmp/share

rsync recursively synchronizes all files. An attacker can hijack the file path by modifying the code of the server side, which allows remote servers to write to arbitrary files, and consequently execute arbitrary code.

Alerts:
Gentoo 201605-04 rsync 2016-05-30

Comments (none posted)

virtualbox: multiple unspecified vulnerabilities

Package(s):virtualbox CVE #(s):CVE-2014-6588 CVE-2014-6589 CVE-2014-6590 CVE-2014-6595 CVE-2015-0427
Created:February 9, 2015 Updated:February 12, 2015
Description: From the CVE entries:

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6589, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427. (CVE-2014-6588)

(Imagine the same text, repeated with only the CVE numbers permuted, for the rest).

Alerts:
Gentoo 201612-27 virtualbox 2016-12-12
openSUSE openSUSE-SU-2015:0229-1 virtualbox 2015-02-06

Comments (none posted)

xen: multiple vulnerabilities

Package(s):xen CVE #(s):CVE-2014-9065 CVE-2014-9066
Created:February 6, 2015 Updated:February 11, 2015
Description:

From the CVE entries:

CVE-2014-9065: common/spinlock.c in Xen 4.4.x and earlier does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read requests, a different vulnerability to CVE-2014-9066.

CVE-2014-9066: Xen 4.4.x and earlier, when using a large number of VCPUs, does not properly handle read and write locks, which allows local x86 guest users to cause a denial of service (write denial or NMI watchdog timeout and host crash) via a large number of read request, a different vulnerability than CVE-2014-9065.

Alerts:
Gentoo 201504-04 xen 2015-04-11
SUSE SUSE-SU-2015:0613-1 Xen 2015-03-27
openSUSE openSUSE-SU-2015:0256-1 xen 2015-02-11
openSUSE openSUSE-SU-2015:0226-1 xen 2015-02-06

Comments (none posted)

zarafa: denial of service

Package(s):zarafa CVE #(s):CVE-2014-9465
Created:February 6, 2015 Updated:April 27, 2015
Description:

From the Mageia advisory:

Robert Scheck discovered a flaw in Zarafa WebAccess >= 7.0.0 and Zarafa WebApp that could allow a remote unauthenticated attacker to exhaust the disk space of /tmp.

Alerts:
Fedora FEDORA-2015-5864 zarafa 2015-04-27
Fedora FEDORA-2015-5823 zarafa 2015-04-27
Mandriva MDVSA-2015:040 zarafa 2015-02-10
Mageia MGASA-2015-0049 zarafa 2015-02-05

Comments (none posted)

Page editor: Jake Edge


Copyright © 2015, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds