Security
Brief items
IPv4 mapped address considered harmful
Jun-ichiro itojun Hagino has submitted this draft to IETF urging vendors who ship IPv4/v6 dual stack nodes/routers to consider "if they have made a secure choice." At a glance, it appears that at least some of the problems can be addressed with appropriate filtering rules. Given the current deployment of IPv4/v6 dual stacks, changing the protocol definition may not be necessary or desirable.
Security reports
PHP: vulnerabilities in the mail() function
Wojciech Purczynski reports arbitrary code execution and open-relay script vulnerabilities in PHP 4.x up to 4.2.2.
Lynx CRLF injection vulnerability
Ulf Harnhammar reports a CRLF injection vulnerability in Lynx which may be used to break out of restricted realms and communicate with types of servers other than HTTP servers. The problem is also present in links and elinks.
Information disclosure vulnerabilities fixed in Mantis 0.17.5
Mantis 0.17.5 fixes information disclosure vulnerabilities described in Mantis Advisories 2002-06 and 2002-07.
Abyss 1.0.3 directory traversal and administration vulnerabilities
Auriemma Luigi reports directory traversal and administration vulnerabilities in Abyss 1.0.3. A patch to close the administration vulnerability is available from Aprelium Technologies.
Arbitrary code execution vulnerability fixed in Achievo 0.8.2
Achievo is a web-based project management tool for business-environments. Versions prior to 0.8.2 are vulnerable to an arbitrary code execution attack.
New vulnerabilities
Locally exploitable buffer overflow in linuxconf
Package(s): | linuxconf | CVE #(s): | |
Created: | August 28, 2002 | Updated: | August 28, 2002 |
Description: | The widely-shipped linuxconf system administration utility has a buffer overflow vulnerability which can be exploited by a local user to obtain a root shell. This exploit only matters, of course, if linuxconf is installed setuid root, but a number of distributions do exactly that. If you have linuxconf installed on systems with untrusted local users, you will probably want to remove the setuid bit until a fix comes out. For more information check out the full advisory from iDEFENSE. |
Alerts: | (No alerts in the database for this vulnerability) |
Remote arbitrary code execution vulnerability in gaim
Package(s): | gaim | CVE #(s): | |
Created: | August 28, 2002 | Updated: | September 4, 2002 |
Description: | gaim versions prior to 0.59.1 contained an arbitrary code execution vulnerability in the hyperlink handling code. The 'Manual' browser command passes an untrusted string to the shell without escaping or reliable quoting, permitting an attacker to execute arbitrary commands on the user's machine. Unfortunately, Gaim doesn't display the hyperlink before the user clicks on it. Users who use other inbuilt browser commands aren't vulnerable. The problem is fixed in gaim 0.59.1 which is available here. Versions prior to 0.58 also contained a buffer overflow in the Jabber plug-in module which, of course, is still fixed in 0.59.1. "Gaim is an instant messaging client written in GTK and is based on the published TOC messaging protocol from AOL." |
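The 'Manual' browser command problem described above, as an added example that is not gaim's code: the shell-built command line next to an argv-based launch in which the URL can never become shell syntax. The function names, the `mybrowser` template and the sample URL are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 16   /* hypothetical limit for this example */

/* Vulnerable pattern, shown for contrast and never called here: the URL is
 * pasted into a string that /bin/sh parses, so ';', '|', backquotes and
 * "$(...)" inside the URL become shell syntax. */
int open_url_via_shell(const char *browser, const char *url)
{
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "%s %s", browser, url);
    return system(cmd);
}

/* Hardened form: split the user's command template on spaces and place the
 * URL in the "%s" slot as ONE argv element, ready for execvp(). No shell
 * parses it. tmpl is modified in place by strtok(). Returns argc, or -1 if
 * the URL looks like an option, the template has too many words, or it has
 * no "%s" slot. */
int build_browser_argv(char *tmpl, const char *url, char *argv[MAX_ARGS])
{
    int argc = 0, have_url = 0;

    if (url[0] == '-')              /* would be read as a browser option */
        return -1;
    for (char *tok = strtok(tmpl, " "); tok; tok = strtok(NULL, " ")) {
        if (argc >= MAX_ARGS - 1)
            return -1;
        if (strcmp(tok, "%s") == 0) {
            argv[argc++] = (char *)url;
            have_url = 1;
        } else {
            argv[argc++] = tok;
        }
    }
    argv[argc] = NULL;
    return have_url ? argc : -1;
}

int main(void)
{
    /* Constructed sample input: a template and a URL carrying a ';'. */
    char tmpl[] = "mybrowser --new-window %s";
    const char *url = "http://example.invalid/;echo INJECTED";
    char *argv[MAX_ARGS];
    int argc = build_browser_argv(tmpl, url, argv);

    for (int i = 0; i < argc; i++)   /* a real caller would fork() and execvp() */
        printf("argv[%d] = %s\n", i, argv[i]);
    return argc == 3 ? 0 : 1;
}
```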
Mailman 2.0.12 closes cross-site scripting vulnerability
Package(s): | mailman | CVE #(s): | CAN-2002-0855 |
Created: | August 28, 2002 | Updated: | September 4, 2002 |
Description: | Mailman 2.0.12, released on July 2nd, closed a minor cross-site scripting vulnerability and implemented "a guard against some reply loops and 'bot subscription attacks." Upgrading to Mailman 2.0.13, which also fixes some Python 1.5.2 incompatibilities, is recommended. |
Buffer overflow vulnerabilities in PostgreSQL
Package(s): | PostgreSQL | CVE #(s): | |
Created: | August 21, 2002 | Updated: | January 27, 2003 |
Description: | PostgreSQL 7.2.2 has been released in response to a number of buffer overrun vulnerabilities which have been identified recently. "...it should be noted that these vulnerabilities are only critical on 'open' or 'shared' systems, as they require the ability to be able to connect to the database before they can be exploited." Buffer overflow vulnerabilities fixed include those reported by "Sir Mordred The Traitor" in the cash_words, repeat, and lpad and rpad functions. |
Light remotely-exploitable code vulnerability
Package(s): | epic4-script-light | CVE #(s): | |
Created: | August 28, 2002 | Updated: | August 28, 2002 |
Description: | J. S. Connell recently discovered that "the IRC script for EPIC4 that I maintain is vulnerable to a fairly easy remote attack." All versions of Light prior to 2.7.30p5 (on the 2.7 branch) or 2.8pre10 (on the 2.8 branch) running under any version of EPIC4 on any platform are vulnerable to a remotely-exploitable bug that can execute nearly-arbitrary code. All Light users are very strongly urged to upgrade to stable release 2.7.30p5 or beta 2.8pre10 immediately. |
Local arbitrary code execution vulnerability in Python
Package(s): | python | CVE #(s): | CAN-2002-1119 |
Created: | August 28, 2002 | Updated: | October 1, 2003 |
Description: | Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2. |
Kernel update for RedHat 7.3 i810 video
Package(s): | kernel | CVE #(s): | |
Created: | August 28, 2002 | Updated: | September 4, 2002 |
Description: | Red Hat has issued a kernel update that fixes an "i810 video oops". "Updated kernel packages are now available which fix an oops in the i810 3D kernel code. This kernel update also fixes a difficult to trigger race in the dcache (filesystem cache) code, as well as some potential security holes, although we are not currently aware of any exploits." |
Denial of service vulnerability in irssi IRC client
Package(s): | irssi-text | CVE #(s): | |
Created: | August 28, 2002 | Updated: | August 28, 2002 |
Description: | When a user attempts to join a channel that has an overly long topic description, and a specific string is appended to the topic, the irssi IRC client will crash. |
Resources
Linux Security Week and Advisory Watch
The August 26th Linux Security Week and August 24th Linux Advisory Watch newsletters from LinuxSecurity.com are available.
Metis 1.4 released
Sacha Faust announces the release of Metis 1.4. "This is a tool I wrote to collect information from web servers." Metis was written for the Open Source Security Testing Methodology (OSSTM).
Internet anonymity for Linux newbies (Register)
The Register has published a tutorial for newbies on how to secure your home system. "For most home PC users, fairly secure is perfectly adequate, and that's what we'll be concentrating on below. In a week or two I'll get into details for power users, but for now I'm going to concentrate on a particular presumed reader: a home user who's fairly new to the Linux desktop, who's using a packaged distro, and who's not intimately familiar with PC security -- a 'recovering Windows user', let's say."
Events
ToorCon Computer Security Conference 2002 Pre-registration Closing
ToorCon 2002 has "recently released our finalized speaker lineup and it looks like it'll be one of ToorCon's best years yet. Pre-registration and RSVP will be closing shortly, so register today!" ToorCon 2002 will be held September 27-29th in San Diego, CA, USA.
Upcoming Security Events
Date | Event | Location |
---|---|---|
August 29 - 30, 2002 | Workshop on Information Security Applications (WISA 2002) | Jeju Island, Korea |
September 19 - 20, 2002 | SEcurity of Communications on the Internet 2002 (SECI'02) | Tunis, Tunisia |
September 23 - 26, 2002 | New Security Paradigms Workshop 2002 | (The Chamberlain Hotel) Hampton, Virginia, USA |
September 23 - 25, 2002 | University of Idaho Workshop on Computer Forensics | (University of Idaho) Moscow, Idaho, USA |
September 26 - 27, 2002 | HiverCon 2002 | (Hilton Hotel) Dublin, Ireland |
September 27 - 29, 2002 | ToorCon 2002 | (San Diego Concourse) San Diego, CA, USA |
October 16 - 18, 2002 | Recent Advances in Intrusion Detection 2002 (RAID 2002) | Zurich, Switzerland |
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.
Page editor: Dennis Tenney