
August 26, 2008

Debian Security

DSA-1632 tiff - buffer underflow

Drew Yao discovered that libTIFF, a library for handling the Tagged Image File Format, is vulnerable to a programming error allowing malformed tiff files to lead to a crash or execution of arbitrary code.

August 26, 2008 12:00 AM

August 22, 2008

Debian Security

DSA-1631 libxml2 - denial of service

Andreas Solberg discovered that libxml2, the GNOME XML library, could be forced to recursively evaluate entities, until available CPU and memory resources were exhausted.

August 22, 2008 12:00 AM

August 21, 2008

Debian Security

DSA-1630 linux-2.6 - denial of service/information leak

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or arbitrary code execution. The Common Vulnerabilities and Exposures project identifies the following problems:

August 21, 2008 12:00 AM

August 19, 2008

Debian Security

DSA-1629 postfix - programming error

Sebastian Krahmer discovered that Postfix, a mail transfer agent, incorrectly checks the ownership of a mailbox. In some configurations, this allows for appending data to arbitrary files as root.

August 19, 2008 12:00 AM

August 10, 2008

Debian Security

DSA-1628 pdns - DNS response spoofing

Brian Dowling discovered that the PowerDNS authoritative name server does not respond to DNS queries which contain certain characters, increasing the risk of successful DNS spoofing (CVE-2008-3337). This update changes PowerDNS to respond with SERVFAIL responses instead.

August 10, 2008 12:00 AM

August 04, 2008

Debian Security

DSA-1627 opensc - programming error

Chaskiel M Grundman discovered that opensc, a library and utilities to handle smart cards, would initialise smart cards with the Siemens CardOS M4 card operating system without proper access rights. This allowed everyone to change the card's PIN.

August 04, 2008 12:00 AM

August 01, 2008

Debian Security

DSA-1626 httrack - buffer overflow

Joan Calvet discovered that httrack, a utility to create local copies of websites, is vulnerable to a buffer overflow potentially allowing the execution of arbitrary code when passed excessively long URLs.

August 01, 2008 12:00 AM

DSA-1625 cupsys - buffer overflows

Several remote vulnerabilities have been discovered in the Common Unix Printing System (CUPS). The Common Vulnerabilities and Exposures project identifies the following problems:

August 01, 2008 12:00 AM

July 31, 2008

Debian Security

DSA-1624 libxslt - buffer overflows

Chris Evans discovered that a buffer overflow in the RC4 functions of libexslt may lead to the execution of arbitrary code.

July 31, 2008 12:00 AM

DSA-1623 dnsmasq - DNS cache poisoning

Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.

July 31, 2008 12:00 AM

DSA-1622 newsx - buffer overflow

It was discovered that newsx, an NNTP news exchange utility, was affected by a buffer overflow allowing remote attackers to execute arbitrary code via a news article containing a large number of lines starting with a period.

July 31, 2008 12:00 AM

July 27, 2008

Debian Security

DSA-1621 icedove - several vulnerabilities

Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client. The Common Vulnerabilities and Exposures project identifies the following problems:

July 27, 2008 12:00 AM

DSA-1620 python2.5 - several vulnerabilities

Several vulnerabilities have been discovered in the interpreter for the Python language. The Common Vulnerabilities and Exposures project identifies the following problems:

July 27, 2008 12:00 AM

DSA-1619 python-dns - DNS response spoofing

Multiple weaknesses have been identified in PyDNS, a DNS client implementation for the Python language. Dan Kaminsky identified a practical vector of DNS response spoofing and cache poisoning, exploiting the limited entropy in a DNS transaction ID and lack of UDP source port randomization in many DNS implementations. Scott Kitterman noted that python-dns is vulnerable to this predictability, as it randomizes neither its transaction ID nor its source port. Taken together, this lack of entropy leaves applications using python-dns to perform DNS queries highly susceptible to response forgery.

July 27, 2008 12:00 AM

July 26, 2008

Debian Security

DSA-1618 ruby1.9 - several vulnerabilities

Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

July 26, 2008 12:00 AM

DSA-1616 clamav - denial of service

Damian Put discovered a vulnerability in the ClamAV anti-virus toolkit's parsing of Petite-packed Win32 executables. The weakness leads to an invalid memory access, and could enable an attacker to crash clamav by supplying a maliciously crafted Petite-compressed binary for scanning. In some configurations, such as when clamav is used in combination with mail servers, this could cause a system to "fail open," facilitating a follow-on viral attack.

July 26, 2008 12:00 AM

July 25, 2008

Debian Security

DSA-1617 refpolicy - incompatible policy

In DSA-1603-1, Debian released an update to the BIND 9 domain name server, which introduced UDP source port randomization to mitigate the threat of DNS cache poisoning attacks (identified by the Common Vulnerabilities and Exposures project as CVE-2008-1447). The fix, while correct, was incompatible with the version of SELinux Reference Policy shipped with Debian Etch, which did not permit a process running in the named_t domain to bind sockets to UDP ports other than the standard 'domain' port (53). The incompatibility affects both the 'targeted' and 'strict' policy packages supplied by this version of refpolicy.

July 25, 2008 12:00 AM

July 23, 2008

Debian Security

DSA-1615 xulrunner - several vulnerabilities

Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems:

July 23, 2008 12:00 AM

DSA-1614 iceweasel - several vulnerabilities

Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems:

July 23, 2008 12:00 AM

July 22, 2008

Debian Security

DSA-1613 libgd2 - multiple vulnerabilities

Multiple vulnerabilities have been identified in libgd2, a library for programmatic graphics creation and manipulation. The Common Vulnerabilities and Exposures project identifies the following three issues:

July 22, 2008 12:00 AM

July 21, 2008

Debian Security

DSA-1612 ruby1.8 - several vulnerabilities

Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may lead to denial of service or the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

July 21, 2008 12:00 AM

July 16, 2008

Debian Security

DSA-1544 pdns-recursor - design flaw

Amit Klein discovered that pdns-recursor, a caching DNS resolver, uses a weak random number generator to create DNS transaction IDs and UDP source port numbers. As a result, cache poisoning attacks were simplified. (CVE-2008-1637 and CVE-2008-3217)

July 16, 2008 12:00 AM

DSA-1611 afuse - privilege escalation

Anders Kaseorg discovered that afuse, an automounting file system in user-space, did not properly escape meta characters in paths. This allowed a local attacker with read access to the filesystem to execute commands as the owner of the filesystem.

July 16, 2008 12:00 AM

July 15, 2008

Debian Security

DSA-1610 gaim - integer overflow

It was discovered that gaim, a multi-protocol instant messaging client, was vulnerable to several integer overflows in its MSN protocol handlers. These could allow a remote attacker to execute arbitrary code.

July 15, 2008 12:00 AM

DSA-1609 lighttpd - various

Several local/remote vulnerabilities have been discovered in lighttpd, a fast webserver with minimal memory footprint.

July 15, 2008 12:00 AM

July 13, 2008

Debian Security

DSA-1608 mysql-dfsg-5.0 - authorization bypass

Sergei Golubchik discovered that MySQL, a widely-deployed database server, did not properly validate optional data or index directory paths given in a CREATE TABLE statement, nor would it (under proper conditions) prevent two databases from using the same paths for data or index files. This permits an authenticated user with authorization to create tables in one database to read, write or delete data from tables subsequently created in other databases, regardless of other GRANT authorizations. The Common Vulnerabilities and Exposures project identifies this weakness as CVE-2008-2079.

July 13, 2008 12:00 AM

July 11, 2008

Debian Security

DSA-1607 iceweasel - several vulnerabilities

Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems:

July 11, 2008 12:00 AM

July 09, 2008

Debian Security

DSA-1606 poppler - programming error

It was discovered that poppler, a PDF rendering library, did not properly handle embedded fonts in PDF files, allowing attackers to execute arbitrary code via a crafted font object.

July 09, 2008 12:00 AM

July 08, 2008

Debian Security

DSA-1605 glibc - DNS cache poisoning

Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS spoofing and cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.

July 08, 2008 12:00 AM

DSA-1604 bind - DNS cache poisoning

Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.

July 08, 2008 12:00 AM

DSA-1603 bind9 - DNS cache poisoning

Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.

July 08, 2008 12:00 AM

July 05, 2008

Debian Security

DSA-1602 pcre3 - buffer overflow

Tavis Ormandy discovered that PCRE, the Perl-Compatible Regular Expression library, may encounter a heap overflow condition when compiling certain regular expressions involving in-pattern options and branches, potentially leading to arbitrary code execution.

July 05, 2008 12:00 AM

July 04, 2008

Debian Security

DSA-1601 wordpress - several vulnerabilities

Several remote vulnerabilities have been discovered in WordPress, the weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems:

July 04, 2008 12:00 AM

July 01, 2008

Debian Security

DSA-1600 sympa - dos

It was discovered that sympa, a modern mailing list manager, would crash when processing certain types of malformed messages.

July 01, 2008 12:00 AM

June 29, 2008

Finnix Blog

Finnix 92.0 Released

Finnix is a small, self-contained, bootable Linux CD distribution for system administrators, based on Debian testing. Today marks the release of version 92.0 for the x86/AMD64, PowerPC, and UML/Xen platforms.

Finnix 92.0 includes updated software (including a fix for the Debian OpenSSL security vulnerability), a Linux 2.6.25 kernel, and a new, graphical boot menu.

by Ryan Finnie at June 29, 2008 05:59 AM

June 26, 2008

Debian Security

DSA-1599 dbus - programming error

Havoc Pennington discovered that DBus, a simple interprocess messaging system, performs insufficient validation of security policies, which might allow local privilege escalation.

June 26, 2008 12:00 AM

June 19, 2008

Debian Security

DSA-1598 libtk-img - buffer overflow

It was discovered that a buffer overflow in the GIF image parsing code of Tk, a cross-platform graphical toolkit, could lead to denial of service and potentially the execution of arbitrary code.

June 19, 2008 12:00 AM

June 15, 2008

Finnix Blog

Finnix 92.0 coming soon

Finnix 92.0 will be released soon. It will have a new 2.6.25 kernel, updated software, and, most visibly, a new boot menu.

There have been suggestions for a new boot menu for a while now. I liked the idea in theory, but there were various problems with most implementations (no graphics; graphics, but no fallback to text mode; no easy way to add boot options, such as toram, testcd, etc; no way to default to 64-bit boot options). Debian’s recent announcement of debian-installer for lenny beta 2 introduced a new installer boot menu system based on bootmenu.c32, which looked very nice and solved most of the problems I mentioned. However, no default 64-bit option on multi-arch CDs, which the announcement mentioned and lamented.

I used Debian’s configs as a base for a Finnix test. The results were very nice, and I was ready to do as Debian did and accept that the improvements were worth the loss of 64-bit autodetection. However, an acquaintance encouraged me to look into it (“Sounds like it’s time for some OPEN SOURCE MAGIC”), and within a few hours, I had a working patch.

The debian-installer guys loved it and had the patch applied within an hour, and as well, it will be in Finnix 92.0. Here’s a development screenshot:

by Ryan Finnie at June 15, 2008 01:01 AM

June 12, 2008

Debian Security

DSA-1597 mt-daapd - multiple vulnerabilities

Three vulnerabilities have been discovered in the mt-daapd DAAP audio server (also known as the Firefly Media Server). The Common Vulnerabilities and Exposures project identifies the following three problems:

June 12, 2008 12:00 AM

DSA-1596 typo3 - several vulnerabilities

Several remote vulnerabilities have been discovered in the TYPO3 content management framework.

June 12, 2008 12:00 AM

June 11, 2008

Debian Security

DSA-1595 xorg-server - several vulnerabilities

Several local vulnerabilities have been discovered in the X Window system. The Common Vulnerabilities and Exposures project identifies the following problems:

June 11, 2008 12:00 AM

DSA-1594 imlib2 - buffer overflows

Stefan Cornelius discovered two buffer overflows in the PNM and XPM image loaders of Imlib, a powerful image loading and rendering library, which may result in the execution of arbitrary code.

June 11, 2008 12:00 AM

June 09, 2008

Debian Security

DSA-1592 linux-2.6 - heap overflow

Two vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or arbitrary code execution. The Common Vulnerabilities and Exposures project identifies the following problems:

June 09, 2008 12:00 AM

DSA-1593 tomcat5.5 - missing input sanitising

It was discovered that the Host Manager web application performed insufficient input sanitising, which could lead to cross-site scripting.

June 09, 2008 12:00 AM

June 03, 2008

Finnix Blog

Finnix and Debian’s OpenSSL Vulnerability

All versions of Finnix from 89.0 to 91.1 (inclusive) contain the Debian OpenSSL predictable RNG vulnerability. The fix will be included with the next scheduled (approximately quarterly) release of Finnix in the next few weeks. In the meantime, if you use any OpenSSL-related programs (openssl itself, ssh, openvpn, etc) on Finnix, be sure to do the following as soon as you boot Finnix:

apt-get update && apt-get install libssl0.9.8

Finnix does not include any pre-generated keys, but any keys generated on Finnix with a vulnerable OpenSSL will be vulnerable.

by Ryan Finnie at June 03, 2008 07:41 AM

Debian Security

DSA-1591 libvorbis - several vulnerabilities

Several local (remote) vulnerabilities have been discovered in libvorbis, a library for the Vorbis general-purpose compressed audio codec. The Common Vulnerabilities and Exposures project identifies the following problems:

June 03, 2008 12:00 AM

May 30, 2008

Debian Security

DSA-1590 samba - buffer overflow

Alin Rad Pop discovered that Samba contained a buffer overflow condition when processing certain responses received while acting as a client, leading to arbitrary code execution (CVE-2008-1105).

May 30, 2008 12:00 AM

May 28, 2008

Debian Security

DSA-1589 libxslt - buffer overflow

It was discovered that libxslt, an XSLT processing runtime library, could be coerced into executing arbitrary code via a buffer overflow when an XSL style sheet file with a long XSLT "transformation match" condition triggered a large number of steps.

May 28, 2008 12:00 AM

May 27, 2008

Debian Security

DSA-1588 linux-2.6 - denial of service

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:

May 27, 2008 12:00 AM

May 26, 2008

Debian Security

DSA-1587 mtr - buffer overflow

Adam Zabrocki discovered that under certain circumstances mtr, a full screen ncurses and X11 traceroute tool, could be tricked into executing arbitrary code via overly long reverse DNS records.

May 26, 2008 12:00 AM

May 22, 2008

Debian Security

DSA-1586 xine-lib - multiple vulnerabilities

Multiple vulnerabilities have been discovered in xine-lib, a library which supplies most of the application functionality of the xine multimedia player. The Common Vulnerabilities and Exposures project identifies the following three problems:

May 22, 2008 12:00 AM

May 21, 2008

Debian Security

DSA-1585 speex - integer overflow

It was discovered that speex, the Speex codec command line tools, did not correctly deal with negative offsets in a particular header field. This could allow a malicious file to execute arbitrary code.

May 21, 2008 12:00 AM

DSA-1584 libfishsound - buffer overflow

It was discovered that libfishsound, a simple programming interface that wraps Xiph.Org audio codecs, didn't correctly handle negative values in a particular header field. This could allow malicious files to execute arbitrary code.

May 21, 2008 12:00 AM

May 20, 2008

Debian Security

DSA-1583 gnome-peercast - buffer overflow

Several remote vulnerabilities have been discovered in Gnome PeerCast, the Gnome interface to PeerCast, a P2P audio and video streaming server. The Common Vulnerabilities and Exposures project identifies the following problems:

May 20, 2008 12:00 AM

DSA-1582 peercast - buffer overflow

Nico Golde discovered that PeerCast, a P2P audio and video streaming server, is vulnerable to a buffer overflow in the HTTP Basic Authentication code, allowing a remote attacker to crash PeerCast or execute arbitrary code.

May 20, 2008 12:00 AM

DSA-1581 gnutls13 - several vulnerabilities

Several remote vulnerabilities have been discovered in GNUTLS, an implementation of the SSL/TLS protocol suite.

May 20, 2008 12:00 AM

DSA-1580 phpgedview - programming error

It was discovered that phpGedView, an application to provide online access to genealogical data, allowed remote attackers to gain administrator privileges due to a programming error.

May 20, 2008 12:00 AM

May 18, 2008

Debian Security

DSA-1579 netpbm-free - insufficient input sanitizing

A vulnerability was discovered in the GIF reader implementation in netpbm-free, a suite of image manipulation utilities. Insufficient input data validation could allow a maliciously-crafted GIF file to overrun a stack buffer, potentially permitting the execution of arbitrary code.

May 18, 2008 12:00 AM

May 17, 2008

Debian Security

DSA-1578 php4 - several vulnerabilities

Several vulnerabilities have been discovered in PHP version 4, a server-side, HTML-embedded scripting language. The Common Vulnerabilities and Exposures project identifies the following problems:

May 17, 2008 12:00 AM

May 14, 2008

Debian Security

DSA-1577 gforge - insecure temporary files

Stephen Gran and Mark Hymers discovered that some scripts run by GForge, a collaborative development tool, open files in write mode in a potentially insecure manner. This may be exploited to overwrite arbitrary files on the local system.

May 14, 2008 12:00 AM