Let us start with a correction: last week's cvs vulnerability timeline stated that no update had been issued for CentOS. In fact, this update was posted to the CentOS-devel mailing list on May 19. One could argue that such updates should be posted to a more prominent place, such as the CentOS web site or the (seemingly dormant) security lists mentioned on the mailing lists page; one should not have to follow a development list to get security updates. Nonetheless, we were wrong to say that an update had not been released, and apologize accordingly.
Now, however, there is a new set of cvs security problems to deal with, as detailed in this advisory. A whole list of issues has been found, many of them remotely exploitable; the corresponding updates should be applied quickly. (And, yes, CentOS has released an update already.)
Vulnerabilities in cvs are particularly scary. It is possible to run cvs in a chroot mode, which is somewhat helpful in keeping an exploit from leading to a full root compromise of the host system (a chroot does not contain a process that has already obtained root inside it, so it limits the damage rather than preventing it). But a cvs server must, by its nature, have write access to the repositories it serves, so the chroot confines the attacker to exactly the thing worth attacking. It is not all that hard to imagine a cvs exploit being the first step in the insertion of evil code into a free software project's repository. A carefully executed malware insertion could escape detection for a long time.
That sort of episode, beyond the immediate damage it would enable, would
not reflect well on the security of the free software development process
in general. We cannot afford to let it happen. With enough eyeballs, most
of the obvious security problems in cvs can probably be found and fixed.
That would help substantially.
The simple fact, however, is that cvs is not equipped to detect direct tampering with its repositories: an RCS ,v file that has been edited in place carries no checksum or signature, and looks exactly like one written by cvs itself. This shortcoming is sure to bite somebody someday; the sooner it is fixed (or avoided by a mass shift to a more contemporary version control system which performs integrity checks on its repositories) the safer we all will be.
Comments (5 posted)
New vulnerabilities
cvs: new vulnerabilities
Package(s): cvs
CVE #(s): CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418
Created: June 9, 2004
Updated: June 15, 2004
Description:
Several new vulnerabilities have been found in CVS; these include a null-termination error, a double-free vulnerability, a format-string vulnerability, and a few others; see this advisory for the details. Some of these vulnerabilities are remotely exploitable; updating soon would be a good idea.
Alerts:
Comments (none posted)
ethereal: more protocol dissector issues
Package(s): ethereal
CVE #(s): (none listed)
Created: June 3, 2004
Updated: June 11, 2004
Description:
The 0.10.3 version may crash when you select a SIP packet. See this post to the ethereal-users mailing list for details.
Alerts:
Comments (1 posted)
krb5: unauthorized root privileges
Package(s): krb5
CVE #(s): CAN-2004-0523
Created: June 3, 2004
Updated: June 29, 2004
Description:
Multiple buffer overflows exist in the krb5_aname_to_localname() library function which, if exploited, could lead to unauthorized root privileges. In order to exploit this flaw, an attacker must first successfully authenticate to a vulnerable service, which must be configured to enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname(); this is not the default configuration. See this MIT krb5 Security Advisory for more information.
Alerts:
Comments (none posted)
log2mail: format string vulnerability
Package(s): log2mail
CVE #(s): CAN-2004-0450
Created: June 3, 2004
Updated: June 9, 2004
Description:
jaguar -at- felinemenace.org discovered a format string vulnerability in log2mail, whereby a user able to log a specially crafted message to a logfile monitored by log2mail (for example, via syslog) could cause arbitrary code to be executed with the privileges of the log2mail process. By default, this process runs as user 'log2mail', which is a member of group 'adm' (which has access to read system logfiles).
Alerts:
Comments (none posted)
postgresql: buffer overflow in ODBC driver
Package(s): postgresql
CVE #(s): (none listed)
Created: June 7, 2004
Updated: July 28, 2004
Description:
A buffer overflow has been discovered in the ODBC driver of PostgreSQL, an object-relational SQL database descended from POSTGRES. It is possible to exploit this problem to crash the surrounding application; hence, a PHP script using php4-odbc can be used to crash the surrounding Apache web server. Other parts of PostgreSQL are not affected.
Alerts:
Comments (none posted)
squid: buffer overflow
Package(s): squid
CVE #(s): CAN-2004-0541
Created: June 9, 2004
Updated: September 30, 2004
Description:
The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.
Alerts:
Comments (none posted)
tripwire: format string vulnerability
Package(s): tripwire
CVE #(s): CAN-2004-0536
Created: June 4, 2004
Updated: July 7, 2004
Description:
The code that generates email reports contains a format string vulnerability in pipedmailmessage.cpp. With a carefully crafted filename on a local filesystem, an attacker could cause execution of arbitrary code with the permissions of the user running tripwire, which could be the root user. See this advisory on SecurityFocus for more details.
Alerts:
Comments (none posted)
Events
The second New York City Security Shindig will be held the evening of
June 14. Jamie Butler will be speaking on kernel rootkits; additional
attractions include free pizza and non-free beer.
Full Story (comments: 1)
Page editor: Jonathan Corbet