|
|
Log in / Subscribe / Register

Security

cvs vulnerabilities - again

Let us start with a correction: last week's cvs vulnerability timeline stated that no update had been issued for CentOS. In fact, this update was posted to the CentOS-devel mailing list on May 19. One could argue that such updates should be posted to a more prominent place, such as the CentOS web site or the (seemingly dormant) security lists mentioned on the mailing lists page; one should not have to follow a development list to get security updates. Nonetheless, we were wrong to say that an update had not been released, and apologize accordingly.

Now, however, the time has come to deal with a new set of cvs security problems, as detailed in this advisory. A whole list of issues has been found; many of those are remotely exploitable. The time has come to apply a new set of updates, quickly. (And, yes, CentOS has released an update already).

Vulnerabilities in cvs are particularly scary. It is possible to run cvs in a chroot mode, which is somewhat helpful in keeping an exploit from leading to a full root compromise of the host system. But cvs servers must have access to the code repositories they serve. It is not all that hard to imagine a cvs exploit being the first step in the insertion of evil code into a free software project's repository. A carefully executed malware insertion could escape detection for a long time.

That sort of episode, beyond the immediate damage it would enable, would not reflect well on the security of the free software development process in general. We cannot afford to let it happen. With enough eyeballs, most of the obvious security problems in cvs can probably be found and fixed. That would help substantially. The simple fact, however, is that cvs is not equipped to detect direct tampering with its repositories. This shortcoming is sure to bite somebody someday; the sooner it is fixed (or avoided by a mass shift to a more contemporary version control system which performs integrity checks on its repositories) the safer we all will be.

Comments (5 posted)

New vulnerabilities

cvs: new vulnerabilities

Package(s):cvs CVE #(s):CAN-2004-0414 CAN-2004-0416 CAN-2004-0417 CAN-2004-0418
Created:June 9, 2004 Updated:June 15, 2004
Description: Several new vulnerabilities have been found in CVS; these include a null-termination error, a double-free vulnerability, a format-string vulnerability, and a few others; see this advisory for the details. Some of these vulnerabilities are remotely exploitable; updating soon would be a good idea.
Alerts:
Debian DSA-519-1 cvs 2004-06-15
Whitebox WBSA-2004:233-01 cvs 2004-06-10
Fedora FEDORA-2004-170 cvs 2004-06-11
Fedora FEDORA-2004-169 cvs 2004-06-11
OpenPKG OpenPKG-SA-2004.027 cvs 2004-06-11
Gentoo 200406-06 cvs 2004-06-10
Debian DSA-517-1 cvs 2004-06-10
Mandrake MDKSA-2004:058 cvs 2004-06-09
Slackware SSA:2004-161-01 cvs 2004-06-09
SuSE SuSE-SA:2004:015 cvs 2004-06-09
Red Hat RHSA-2004:233-01 cvs 2004-06-09

Comments (none posted)

ethereal: more protocol dissector issues

Package(s):ethereal CVE #(s):
Created:June 3, 2004 Updated:June 11, 2004
Description: The 0.10.3 version may crash when you select a SIP packet. See this post to the ethereal-users mailing list for details.
Alerts:
Whitebox WBSA-2004:234-01 Ethereal 2004-06-10
Red Hat RHSA-2004:234-01 ethereal 2004-06-09
Gentoo 200406-01 ethereal 2004-06-04
Fedora FEDORA-2004-153 ethereal 2004-06-03
Fedora FEDORA-2004-152 ethereal 2004-06-03

Comments (1 posted)

krb5: unauthorized root privileges

Package(s):krb5 CVE #(s):CAN-2004-0523
Created:June 3, 2004 Updated:June 29, 2004
Description: Multiple buffer overflows exist in the krb5_aname_to_localname() library function that if exploited could lead to unauthorized root privileges. In order to exploit this flaw, an attacker must first successfully authenticate to a vulnerable service, which must be configured to enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname, which is not a default configuration. See the this MIT krb5 Security Advisory for more information.
Alerts:
Gentoo 200406-21 mit-krb5 2004-06-29
Debian DSA-520-1 krb5 2004-06-16
Whitebox WBSA-2004:236-01 krb5 2004-06-10
Mandrake MDKSA-2004:056-1 krb5 2004-06-09
Red Hat RHSA-2004:236-01 krb5 2004-06-09
Fedora FEDORA-2004-150 krb5 2004-06-04
Fedora FEDORA-2004-149 krb5 2004-06-04
Mandrake MDKSA-2004:056 krb5 2004-06-03

Comments (none posted)

log2mail: format string vulnerability

Package(s):log2mail CVE #(s):CAN-2004-0450
Created:June 3, 2004 Updated:June 9, 2004
Description: jaguar -at- felinemenace.org discovered a format string vulnerability in log2mail, whereby a user able to log a specially crafted message to a logfile monitored by log2mail (for example, via syslog) could cause arbitrary code to be executed with the privileges of the log2mail process. By default, this process runs as user 'log2mail', which is a member of group 'adm' (which has access to read system logfiles).
Alerts:
Debian DSA-513-1 log2mail 2004-06-03

Comments (none posted)

postgresql buffer overflow in ODBC driver

Package(s):postgresql CVE #(s):
Created:June 7, 2004 Updated:July 28, 2004
Description: A buffer overflow has been discovered in the ODBC driver of PostgreSQL, an object-relational SQL database, descended from POSTGRES. It possible to exploit this problem and crash the surrounding application. Hence, a PHP script using php4-odbc can be utilized to crash the surrounding Apache webserver. Other parts of postgresql are not affected.
Alerts:
Mandrake MDKSA-2004:072 postgresql 2004-07-27
Debian DSA-516-1 postgresql 2004-06-07

Comments (none posted)

squid: buffer overflow

Package(s):squid CVE #(s):CAN-2004-0541
Created:June 9, 2004 Updated:September 30, 2004
Description: The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.
Alerts:
Red Hat RHSA-2004:462-01 squid 2004-09-30
Mandrake MDKSA-2004:093 squid 2004-09-15
Gentoo 200409-04 squid 2004-09-02
Gentoo 200406-13 squid 2004-06-17
Whitebox WBSA-2004:242-01 squid 2004-06-10
Trustix TSLSA-2004-0033 squid 2004-06-10
Mandrake MDKSA-2004:059 squid 2004-06-09
SuSE SuSE-SA:2004:016 squid 2004-06-09
Red Hat RHSA-2004:242-01 squid 2004-06-09
Fedora FEDORA-2004-164 squid 2004-06-09
Fedora FEDORA-2004-163 squid 2004-06-09

Comments (none posted)

tripwire format string vulnerability

Package(s):tripwire CVE #(s):CAN-2004-0536
Created:June 4, 2004 Updated:July 7, 2004
Description: The code that generates email reports contains a format string vulnerability in pipedmailmessage.cpp. With a carefully crafted filename on a local filesystem an attacker could cause execution of arbitrary code with permissions of the user running tripwire, which could be the root user. See this advisory on SecurityFocus for more details.
Alerts:
Mandrake MDKSA-2004:057-1 tripwire 2004-07-06
Red Hat RHSA-2004:244-01 tripwire 2004-06-14
Mandrake MDKSA-2004:057 tripwire 2004-06-07
Gentoo 200406-02 tripwire 2004-06-04

Comments (none posted)

Events

NYC Security Shindig Version 2.0

The second New York City Security Shindig will be held the evening of June 14. Jamie Butler will be speaking on kernel rootkits; additional attractions include free pizza and non-free beer.

Full Story (comments: 1)

Page editor: Jonathan Corbet
Next page: Kernel development>>


Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds