
Security

XMPP switches on mandatory encryption

By Nathan Willis
May 21, 2014

The global community of Extensible Messaging and Presence Protocol (XMPP) instant-messaging users took a step toward improved security on May 19, when the operators of a large number of XMPP servers began enforcing a new, mandatory-encryption requirement. The move is one part of a larger effort to secure the global XMPP network; since that network is a federated collection of independent servers, the task is not easy. But whether it is ultimately successful or not, it increases the availability of encrypted connections for users, and those developing other Internet communication tools can learn by watching XMPP's example.

In October of 2013, XMPP creator Peter Saint-Andre first published a manifesto calling for ubiquitous encryption of the XMPP network. XMPP (or Jabber, as it was known beforehand) has supported SSL/TLS encryption of communication channels since the beginning, but that encryption has always been optional. The manifesto argues that encryption should be mandatory "out of respect for the users of our software and services", and lays out a set of policy recommendations for server and client applications.

May 19, 2014 (deemed Open Discussion Day by the signatories) was the "flip the switch" date set out in the manifesto, after a series of four one-day tests earlier in the year. As of the switch-over itself, 70 XMPP server operators and client-application developers had signed the manifesto. The signatories include the administrators of a number of public XMPP services and the teams behind multiple open-source applications (for example, Jitsi, Gajim, Adium, Miranda NG, ejabberd, Prosody IM, and Tigase).

The main conditions of the manifesto were to support STARTTLS connection establishment (including the mandatory cipher suites and the certificate-validation rules of RFC 6125) and to require TLS encryption for all client-to-server and server-to-server channels. The hard requirement fell to XMPP service operators, who agreed to reject unencrypted XMPP connection requests. Clients, for backward-compatibility reasons, can continue to support unencrypted connections, but must make encryption the default.

Several other details were optional: TLS 1.2 was preferred, but negotiation of TLS 1.1, TLS 1.0, and SSLv3 was to be supported, while support for SSLv2 was to be disabled entirely. Likewise, certificate-based authentication and forward-secrecy cipher options were to be available and preferred, but fallback to unauthenticated encryption and other cipher suites must also be supported. Finally, signatories agreed to provide user-configurable options for other security features (such as cipher selection and forward secrecy).

The manifesto also notes that "ideally" the implementers should present as much information as possible about the authentication and encryption status of the channel to the user, and that services should use certificates from well-known certificate authorities, although both of these conditions are described as aspirational goals, rather than as mandates.

In essence, then, the participating XMPP networks are requiring an encrypted channel for XMPP connections, supporting all of the recommended options, and making the strongest options the preference. Nevertheless, this set of requirements does not implement ubiquitous encryption, nor does it mandate every strong authentication option possible. The manifesto notes that these remaining requirements are still to come, and that the Open Discussion Day event was merely step one.
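To make the two halves of the requirement concrete, here is an added Python example (it is not code from the manifesto, from any signatory, or from an XMPP project). It models the client-to-server STARTTLS step of RFC 6120 against constructed sample `<stream:features>` replies, checks whether a server's advertisement satisfies the operators' hard requirement (STARTTLS offered and marked `<required/>`), and builds a client TLS context that follows the client-side recommendations: certificate validation with hostname matching, SSLv2 off, forward-secret suites only. The sample replies, the function names and the cipher string are my own choices.

```python
"""Offline model of XMPP STARTTLS negotiation (RFC 6120 section 5) and of the
manifesto's client- and server-side TLS policy.  Added example; the sample
<stream:features> replies below are constructed, not captured traffic."""
import ssl
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_STREAM = "http://etherx.jabber.org/streams"

# Constructed samples of what a server sends right after the client's opening
# <stream:stream>.  A manifesto signatory must send the first form.
FEATURES_TLS_REQUIRED = (
    f"<stream:features xmlns:stream='{NS_STREAM}'>"
    f"<starttls xmlns='{NS_TLS}'><required/></starttls>"
    "</stream:features>"
)
FEATURES_TLS_OPTIONAL = (
    f"<stream:features xmlns:stream='{NS_STREAM}'>"
    f"<starttls xmlns='{NS_TLS}'/>"
    "</stream:features>"
)
FEATURES_NO_TLS = f"<stream:features xmlns:stream='{NS_STREAM}'/>"


def starttls_policy(features_xml):
    """Classify a <stream:features> reply as 'required', 'optional' or 'absent'."""
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    if starttls is None:
        return "absent"
    if starttls.find(f"{{{NS_TLS}}}required") is not None:
        return "required"
    return "optional"


def server_meets_manifesto(features_xml):
    """The operators' hard requirement: advertise STARTTLS and mark it required."""
    return starttls_policy(features_xml) == "required"


def client_next_step(features_xml, allow_plaintext=False):
    """Encryption by default on the client: request STARTTLS whenever it is
    offered; without it, continue only if the user explicitly allowed plaintext."""
    if starttls_policy(features_xml) == "absent":
        return "continue-plaintext" if allow_plaintext else "abort"
    return f"<starttls xmlns='{NS_TLS}'/>"


def after_starttls_reply(reply_xml):
    """Act on the server's answer to the <starttls/> request."""
    reply = ET.fromstring(reply_xml)
    if reply.tag == f"{{{NS_TLS}}}proceed":
        # real client: ctx.wrap_socket(sock, server_hostname=domain), then
        # restart the stream over the TLS connection
        return "wrap-socket-in-tls"
    if reply.tag == f"{{{NS_TLS}}}failure":
        return "close-stream"
    raise ValueError(f"unexpected STARTTLS reply: {reply.tag}")


def manifesto_client_context():
    """TLS settings for the socket once <proceed/> arrives.  create_default_context
    verifies the certificate and matches it against the hostname (the RFC 6125
    check) and disables SSLv2 (and SSLv3, which current OpenSSL no longer ships).
    The cipher string prefers forward-secret suites and drops anonymous, NULL,
    PSK, MD5 and RC4 ones."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:"
                    "!aNULL:!eNULL:!PSK:!MD5:!RC4")
    return ctx


def context_meets_manifesto(ctx):
    """True if certificates are verified against the hostname and every suite the
    context offers is forward secret with at least 128-bit symmetric keys.  TLS 1.3
    suites are not checked for key exchange: they are always forward secret."""
    if not ctx.check_hostname or ctx.verify_mode != ssl.CERT_REQUIRED:
        return False
    for cipher in ctx.get_ciphers():
        if cipher["strength_bits"] < 128:
            return False
        if (cipher["protocol"] != "TLSv1.3"
                and not cipher["kea"].startswith(("kx-ecdhe", "kx-dhe"))):
            return False
    return True
```

The manifesto's fallback clauses (unauthenticated encryption, weaker suites) are deliberately not modeled here: a practitioner building a client today would expose them as user-configurable options rather than bake them into the default context.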

In particular, running the XMPP connection over TLS is not the same as encrypting the XMPP messages themselves: TLS protects the hop between client and server, while the server still handles every message in the clear. For end-to-end protection one would use something like the Off-the-Record Messaging (OTR) protocol. The use of TLS also does not by itself provide channel binding (as in RFC 5056), which ties the application-layer authentication (SASL, in XMPP's case) to the specific TLS session so that a man in the middle relaying the exchange cannot complete authentication over a connection of its own; nor does the manifesto mandate secure DNS or application-level server identity verification.

The XMPP community has invested some of its time in working on these other pieces of the secure-messaging puzzle, though. The IETF's XMPP Working Group has written a number of draft proposals in recent years, covering topics from DNSSEC for XMPP records to server identity verification. Some of these drafts have since expired (in IETF terminology), seemingly without an update or forward progress in several years. However, the argument in the Open Discussion Day community is that forcibly migrating the XMPP network to TLS encryption was a necessary first step; only with that in place is it possible to make meaningful progress on the remaining challenges.

As for the newly activated encryption requirement, though, it is already in effect. Since XMPP servers are federated (and since quite a few of the manifesto signatories run their own servers), it is not easy to estimate how many users hold accounts on servers that now reject unencrypted connection requests. Unless a server advertises how many users it has, there is no way to know how many accounts each server represents, much as is the case with email providers. Fortunately, the IM Observatory site provides some tools for assessing the current state of many clients and servers.

The site provides a tool with which users can test any publicly reachable XMPP server for client-to-server and server-to-server encryption. Recent test results are published on a live-updated page, although only the past few hours are visible at any one time, and multiple test runs against the same server are not filtered out. Each server receives a grade from A (best) to F (worst), based on the same rubric used by SSL Labs' SSL Server Rating Guide. The guide takes into account connection protocol support (e.g., TLS 1.2 is better than TLS 1.1), key-exchange protocol support (e.g., ephemeral key exchange is better than non-ephemeral), and cipher strength (measured by key length).

The site also maintains statistics over the total set of tested servers. As of today, 59.1% of the tested servers receive an A, while 7.7% receive an F; most of those in between are skewed toward the A side of the graph. While that is certainly positive news, not all of the servers tested offer accounts to the general public. To that end, the site also provides a list of open-to-the-public XMPP servers that can be sorted by grade. Among these public servers, 59 out of 115 scored an A, or about 51.3%.

All in all, toggling the mandatory-encryption switch for XMPP is clearly a good move from a security standpoint, and the project seems to have implemented it with an admirable degree of success. One might be tempted to view it as a template that other development communities could emulate. In theory, for instance, it would be nice to see email providers make a concerted push for PGP or S/MIME.

But an uncomfortable caveat accompanies the Open Discussion Day success: the fact that XMPP is not nearly as widely deployed as email. There are some large-scale instant-messaging services (like Skype and Facebook) that offer some degree of XMPP compatibility, but the overall size of the XMPP network is small compared to the proprietary alternatives. In fact, Google deactivated its own XMPP compatibility for Google Talk in 2013.

There are still reportedly millions of XMPP users, but it would be considerably harder to implement a similar single-day switchover for other, more widely deployed services. In the early days of TCP/IP, for example, it was possible for all implementers to assemble in one room. But the transition from IPv4 to IPv6 has been many orders of magnitude slower.

Nevertheless, the activation of mandatory XMPP encryption does demonstrate that when like-minded service operators and application developers put their minds together, fixing a widespread security problem is possible. That potentially bodes well for a number of other Internet security issues, from the certificate-authority problem to Do Not Track. When concerned parties coordinate their efforts, they can indeed implement change.

Comments (9 posted)

Brief items

Security quotes of the week

I am regularly asked what is the most surprising thing about the Snowden NSA documents. It's this: the NSA is not made of magic. Its tools are no different from what we have in our world, it's just better-funded. [...]

That, fundamentally, is surprising. If you gave a super-secret Internet exploitation organization $10 billion annually, you'd expect some magic. And my guess is that there is some, around the edges, that has not become public yet. But that we haven't seen any yet is cause for optimism.

Bruce Schneier

This article from Communications of the ACM outlines some of the security measures the NSA could, and should, have had in place to stop someone like Snowden. Mostly obvious stuff, although I'm not sure it would have been effective against such a skilled and tenacious leaker. What's missing is the one thing that would have worked: have fewer secrets.
Bruce Schneier (again)

Does damaging public information become private simply by virtue of the passage of time? How stale does information have to be to be considered “irrelevant or no longer relevant”? And what is the standard for measuring relevance? Relevant to what, to whom, or for what purpose? I can only imagine how the cottage industry of online reputation management will grow in the face of this expanding “right to be forgotten.” Search intermediaries will be more than ever curators of the content they index, which is a development that I, as a consumer of information and a user of search, don’t welcome.
Annemarie Bridy

Comments (4 posted)

New vulnerabilities

botan: weakened primality test

Package(s):botan CVE #(s):
Created:May 21, 2014 Updated:May 21, 2014
Description: From the Botan announcement:

Fix a bug in primality testing introduced in 1.8.3 which caused only a single random base, rather than a sequence of random bases, to be used in the Miller-Rabin test. This increased the probability that a non-prime would be accepted, for instance a 1024 bit number would be incorrectly classed as prime with probability around 2^-40. Reported by Jeff Marrison.

The key length limit on HMAC has been raised to 512 bytes, allowing the use of very long passphrases with PBKDF2.
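To show why a single base is not enough, here is an added Python example (my own code, not Botan's) with the Miller-Rabin round written out, the buggy single-random-base shape beside the intended multi-base shape, and a count of how many bases a small composite fools. 2047 = 23 x 89 is the smallest composite that passes the test for base 2, and 3215031751 passes for bases 2, 3, 5 and 7; both are exposed as soon as one more independent base is tried.

```python
"""Miller-Rabin with one random base versus a sequence of random bases.
Added example illustrating the Botan announcement; not Botan's code."""
import random


def is_strong_probable_prime(n, a):
    """One Miller-Rabin round: True if base a does not prove n composite."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    # write n - 1 = 2**s * d with d odd
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False          # a is a witness: n is certainly composite


def probable_prime_single_base(n, seed=None):
    """The buggy shape: one random base, so a composite slips through with
    probability equal to its fraction of strong liars (up to 1/4)."""
    if n < 4:
        return n in (2, 3)
    rng = random.Random(seed)
    return is_strong_probable_prime(n, rng.randrange(2, n - 1))


def probable_prime(n, rounds, seed=None):
    """The intended shape: `rounds` independent random bases, so the chance of
    accepting a composite is at most 4**-rounds."""
    if n < 4:
        return n in (2, 3)
    rng = random.Random(seed)
    return all(is_strong_probable_prime(n, rng.randrange(2, n - 1))
               for _ in range(rounds))


def strong_liar_fraction(n):
    """Fraction of bases in [2, n-2] that fail to expose composite n, i.e. the
    probability that the single-base test accepts n.  Small n only."""
    liars = sum(is_strong_probable_prime(n, a) for a in range(2, n - 1))
    return liars / (n - 3)


def single_base_failure_rate(n, trials, seed=1):
    """Monte Carlo estimate of how often the buggy test accepts composite n."""
    accepted = sum(probable_prime_single_base(n, seed + i) for i in range(trials))
    return accepted / trials


if __name__ == "__main__":
    print("2047 passes base 2:", is_strong_probable_prime(2047, 2))
    print("2047 passes base 3:", is_strong_probable_prime(2047, 3))
    print("fraction of liar bases for 2047:", round(strong_liar_fraction(2047), 3))
    print("single-base acceptance rate for 2047:",
          single_base_failure_rate(2047, 2000))
    print("40-round verdict for 2047:", probable_prime(2047, 40, seed=7))
```

The announcement's 2^-40 figure for 1024-bit candidates comes from the same reasoning in the other direction: for a random odd candidate the liar fraction is far below 1/4, but with only one base that fraction is the whole error budget, whereas each additional base multiplies it down.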

Alerts:
Fedora FEDORA-2014-6237 botan 2014-05-21
Fedora FEDORA-2014-6263 botan 2014-05-21

Comments (none posted)

charybdis: denial of service

Package(s):charybdis CVE #(s):CVE-2012-6084
Created:May 19, 2014 Updated:May 21, 2014
Description: From the CVE entry:

modules/m_capab.c in (1) ircd-ratbox before 3.0.8 and (2) Charybdis before 3.4.2 does not properly support capability negotiation during server handshakes, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed request.

Alerts:
Gentoo 201405-21 charybdis 2014-05-18

Comments (none posted)

chromium-browser: multiple vulnerabilities

Package(s):chromium-browser CVE #(s):CVE-2014-1740 CVE-2014-1741 CVE-2014-1742
Created:May 19, 2014 Updated:May 21, 2014
Description: From the CVE entries:

Multiple use-after-free vulnerabilities in net/websockets/websocket_job.cc in the WebSockets implementation in Google Chrome before 34.0.1847.137 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to WebSocketJob deletion. (CVE-2014-1740)

Multiple integer overflows in the replace-data functionality in the CharacterData interface implementation in core/dom/CharacterData.cpp in Blink, as used in Google Chrome before 34.0.1847.137, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to ranges. (CVE-2014-1741)

Use-after-free vulnerability in the FrameSelection::updateAppearance function in core/editing/FrameSelection.cpp in Blink, as used in Google Chrome before 34.0.1847.137, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper RenderObject handling. (CVE-2014-1742)

Alerts:
Gentoo 201408-16 chromium 2014-08-30
Ubuntu USN-2298-1 oxide-qt 2014-07-23
Mageia MGASA-2014-0232 chromium-browser-stable 2014-05-22
Debian DSA-2930-1 chromium-browser 2014-05-17
openSUSE openSUSE-SU-2014:0783-1 chromium 2014-06-12

Comments (none posted)

cifs-utils: code execution

Package(s):cifs-utils CVE #(s):CVE-2014-2830
Created:May 15, 2014 Updated:December 5, 2016
Description: From the Red Hat bugzilla entry:

Sebastian Krahmer discovered a stack-based buffer overflow flaw in cifskey.c, which is used by pam_cifscreds.

Alerts:
Gentoo 201612-08 cifs-utils 2016-12-04
Mandriva MDVSA-2015:114 cifs-utils 2015-03-29
Fedora FEDORA-2014-6046 cifs-utils 2014-06-10
Mageia MGASA-2014-0242 cifs-utils 2014-05-29
Fedora FEDORA-2014-6068 cifs-utils 2014-05-15

Comments (none posted)

clamav: multiple unspecified vulnerabilities

Package(s):clamav CVE #(s):CVE-2013-7087 CVE-2013-7088 CVE-2013-7089
Created:May 16, 2014 Updated:May 21, 2014
Description: From the Gentoo advisory:

Multiple vulnerabilities have been found in ClamAV, the worst of which could lead to arbitrary code execution.

Alerts:
Gentoo 201405-08 clamav 2014-05-16

Comments (none posted)

dovecot: denial of service

Package(s):dovecot CVE #(s):CVE-2014-3430
Created:May 16, 2014 Updated:March 29, 2015
Description:

From the Mandriva advisory:

Dovecot 1.1 before 2.2.13 and dovecot-ee before 2.1.7.7 and 2.2.x before 2.2.12.12 does not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection (CVE-2014-3430).

Alerts:
Mandriva MDVSA-2015:113 dovecot 2015-03-29
Gentoo 201412-03 dovecot 2014-12-08
Oracle ELSA-2014-0790 dovecot 2014-07-23
Scientific Linux SLSA-2014:0790-1 dovecot 2014-06-25
Oracle ELSA-2014-0790 dovecot 2014-06-25
CentOS CESA-2014:0790 dovecot 2014-06-25
Red Hat RHSA-2014:0790-01 dovecot 2014-06-25
Fedora FEDORA-2014-6331 dovecot 2014-06-17
Debian DSA-2954-1 dovecot 2014-06-09
Mageia MGASA-2014-0223 dovecot 2014-05-17
Fedora FEDORA-2014-6338 dovecot 2014-05-18
Ubuntu USN-2213-1 dovecot 2014-05-15
Mandriva MDVSA-2014:099 dovecot 2014-05-16

Comments (none posted)

egroupware: cross site request forgery

Package(s):egroupware CVE #(s):
Created:May 19, 2014 Updated:May 21, 2014
Description: From the Mageia advisory:

eGroupWare before 1.8.007 allows logged in users with administrative privileges to remotely execute arbitrary commands on the server. It is also vulnerable to a cross site request forgery vulnerability that allows creating new administrative users.

Alerts:
Mandriva MDVSA-2014:104 egroupware 2014-05-16
Mageia MGASA-2014-0221 egroupware 2014-05-17

Comments (none posted)

ettercap: code execution

Package(s):ettercap CVE #(s):CVE-2010-3844
Created:May 19, 2014 Updated:May 21, 2014
Description: From the Gentoo advisory:

A format string flaw in Ettercap could cause a buffer overflow.

A remote attacker could entice a user to load a specially crafted configuration file using Ettercap, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.

A local attacker could perform symlink attacks to overwrite arbitrary files with the privileges of the user running the application.

Alerts:
Gentoo 201405-12 ettercap 2014-05-17

Comments (none posted)

kernel: multiple vulnerabilities

Package(s):kernel CVE #(s):CVE-2014-3144 CVE-2014-3145
Created:May 16, 2014 Updated:June 5, 2014
Description:

From the Red Hat bug report:

Linux kernel built with the BPF interpreter support in the networking core is vulnerable to an out of bounds buffer access flaw. It occurs when accessing a netlink attribute from the skb->data buffer. It could lead to DoS via kernel crash or leakage of kernel memory bytes to user space.

An unprivileged user/program could use this flaw to crash the system kernel resulting in DoS or leak kernel memory bytes to user space.

Alerts:
Oracle ELSA-2015-0290 kernel 2015-03-12
Oracle ELSA-2014-1392 kernel 2014-10-21
openSUSE openSUSE-SU-2014:1246-1 kernel 2014-09-28
SUSE SUSE-SU-2014:1138-1 kernel 2014-09-16
openSUSE openSUSE-SU-2014:0957-1 kernel 2014-08-01
CentOS CESA-2014:0981 kernel 2014-07-31
Scientific Linux SLSA-2014:0981-1 kernel 2014-07-29
Oracle ELSA-2014-0981 kernel 2014-07-29
Red Hat RHSA-2014:0981-01 kernel 2014-07-29
Oracle ELSA-2014-0786 kernel 2014-07-23
Red Hat RHSA-2014:0913-01 kernel-rt 2014-07-22
Ubuntu USN-2288-1 linux-lts-trusty 2014-07-16
Ubuntu USN-2286-1 linux-lts-raring 2014-07-16
Ubuntu USN-2290-1 kernel 2014-07-16
SUSE SUSE-SU-2014:0908-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0909-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0910-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0911-1 Linux kernel 2014-07-17
SUSE SUSE-SU-2014:0912-1 Linux kernel 2014-07-17
Ubuntu USN-2259-1 kernel 2014-06-27
Ubuntu USN-2263-1 linux-ti-omap4 2014-06-27
Ubuntu USN-2261-1 linux-lts-saucy 2014-06-27
Ubuntu USN-2262-1 linux-lts-quantal 2014-06-27
Ubuntu USN-2264-1 kernel 2014-06-27
openSUSE openSUSE-SU-2014:0840-1 kernel 2014-06-25
Red Hat RHSA-2014:0786-01 kernel 2014-06-24
Ubuntu USN-2251-1 kernel 2014-06-19
Ubuntu USN-2252-1 EC2 kernel 2014-06-19
Debian DSA-2949-1 kernel 2014-06-05
Fedora FEDORA-2014-6354 kernel 2014-05-21
Fedora FEDORA-2014-6357 kernel 2014-05-16
Mandriva MDVSA-2014:124 kernel 2014-06-13

Comments (none posted)

kernel: two vulnerabilities

Package(s):kernel CVE #(s):CVE-2014-0691 CVE-2014-2672
Created:May 19, 2014 Updated:May 21, 2014
Description: From the openSUSE advisory:

cifs: ensure that uncached writes handle unmapped areas correctly (CVE-2014-0691)

ath9k: protect tid->sched check (CVE-2014-2672).

Alerts:
Oracle ELSA-2015-0290 kernel 2015-03-12
Oracle ELSA-2014-1392 kernel 2014-10-21
Red Hat RHSA-2014:1101-01 kernel 2014-08-27
CentOS CESA-2014:0981 kernel 2014-07-31
Scientific Linux SLSA-2014:0981-1 kernel 2014-07-29
Oracle ELSA-2014-0981 kernel 2014-07-29
Oracle ELSA-2014-1023 kernel 2014-08-06
CentOS CESA-2014:1023 kernel 2014-08-06
Red Hat RHSA-2014:1023-01 kernel 2014-08-06
Red Hat RHSA-2014:0981-01 kernel 2014-07-29
Red Hat RHSA-2014:0557-01 kernel-rt 2014-05-27
Ubuntu USN-2227-1 linux-ti-omap4 2014-05-27
Ubuntu USN-2225-1 linux-lts-saucy 2014-05-27
Ubuntu USN-2224-1 linux-lts-raring 2014-05-27
Ubuntu USN-2223-1 linux-lts-quantal 2014-05-27
Ubuntu USN-2228-1 kernel 2014-05-27
Ubuntu USN-2221-1 kernel 2014-05-26
openSUSE openSUSE-SU-2014:0678-1 kernel 2014-05-19
openSUSE openSUSE-SU-2014:0677-1 kernel 2014-05-19
Mandriva MDVSA-2014:124 kernel 2014-06-13

Comments (none posted)

libgadu: code execution

Package(s):libgadu CVE #(s):CVE-2014-3775
Created:May 21, 2014 Updated:July 28, 2014
Description: From the Ubuntu advisory:

It was discovered that libgadu incorrectly handled certain messages from file relay servers. A malicious remote server or a man in the middle could use this issue to cause applications using libgadu to crash, resulting in a denial of service, or possibly execute arbitrary code.

Alerts:
Gentoo 201508-02 libgadu 2015-08-15
Mageia MGASA-2014-0295 pidgin 2014-07-26
Fedora FEDORA-2014-6645 libgadu 2014-06-10
openSUSE openSUSE-SU-2014:0742-1 libgadu 2014-06-02
Fedora FEDORA-2014-6687 libgadu 2014-06-01
Mageia MGASA-2014-0246 libgadu 2014-05-30
openSUSE openSUSE-SU-2014:0722-1 libgadu 2014-05-28
Debian DSA-2935-1 libgadu 2014-05-21
Ubuntu USN-2216-1 pidgin 2014-05-21
Ubuntu USN-2215-1 libgadu 2014-05-21
Mandriva MDVSA-2014:121 libgadu 2014-06-10

Comments (none posted)

libvirt: information disclosure/denial of service

Package(s):libvirt CVE #(s):CVE-2014-0179
Created:May 15, 2014 Updated:September 27, 2014
Description: From the openSUSE advisory:

libvirt was patched to prevent expansion of entities when parsing XML files. This vulnerability allowed malicious users to read arbitrary files or cause a denial of service (CVE-2014-0179).

Alerts:
Mandriva MDVSA-2015:115 libvirt 2015-03-29
Gentoo 201412-04 libvirt 2014-12-09
Ubuntu USN-2366-1 libvirt 2014-09-30
Debian DSA-3038-1 libvirt 2014-09-27
Oracle ELSA-2014-0914 libvirt 2014-07-23
CentOS CESA-2014:0914 libvirt 2014-07-23
Red Hat RHSA-2014:0914-01 libvirt 2014-07-22
Mageia MGASA-2014-0243 libvirt 2014-05-29
Scientific Linux SLSA-2014:0560-1 libvirt 2014-05-27
Oracle ELSA-2014-0560 libvirt 2014-05-27
CentOS CESA-2014:0560 libvirt 2014-05-28
Red Hat RHSA-2014:0560-01 libvirt 2014-05-27
Fedora FEDORA-2014-6586 libvirt 2014-05-24
openSUSE openSUSE-SU-2014:0674-1 libvirt 2014-05-19
Mandriva MDVSA-2014:097 libvirt 2014-05-16
openSUSE openSUSE-SU-2014:0650-1 libvirt 2014-05-15

Comments (none posted)

mcrypt: code execution

Package(s):mcrypt CVE #(s):CVE-2012-4426
Created:May 19, 2014 Updated:May 21, 2014
Description: From the CVE entry:

Multiple format string vulnerabilities in mcrypt 2.6.8 and earlier might allow user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via vectors involving (1) errors.c or (2) mcrypt.c.

Alerts:
Gentoo 201405-19 mcrypt 2014-05-18

Comments (none posted)

mono: denial of service

Package(s):mono CVE #(s):CVE-2012-3543
Created:May 19, 2014 Updated:May 29, 2014
Description: From the Gentoo advisory:

Mono does not properly randomize hash functions for form posts to protect against hash collision attacks.

A remote attacker could send specially crafted parameters, possibly resulting in a Denial of Service condition.

Alerts:
Ubuntu USN-2547-1 mono 2015-03-24
Mageia MGASA-2014-0244 mono 2014-05-29
Gentoo 201405-16 mono 2014-05-18

Comments (none posted)

moodle: multiple vulnerabilities

Package(s):moodle CVE #(s):CVE-2014-0213 CVE-2014-0214 CVE-2014-0215 CVE-2014-0216 CVE-2014-0218
Created:May 20, 2014 Updated:May 30, 2014
Description: From the Mageia advisory:

In Moodle before 2.6.3, session checking was not being performed correctly in Assignment's quick-grading, allowing forged requests to be made unknowingly by authenticated users (CVE-2014-0213).

In Moodle before 2.6.3, MoodleMobile web service tokens, created automatically in login/token.php, were not expiring and were valid forever (CVE-2014-0214).

In Moodle before 2.6.3, some student details, including identities, were included in assignment marking pages and would have been revealed to screen readers or through code inspection (CVE-2014-0215).

In Moodle before 2.6.3, access to files linked on HTML blocks on the My home page was not being checked in the correct context, allowing access to unauthenticated users (CVE-2014-0216).

In Moodle before 2.6.3, there was a lack of filtering in the URL downloader repository that could have been exploited for XSS (CVE-2014-0218).

Alerts:
Fedora FEDORA-2014-10802 moodle 2014-09-25
Fedora FEDORA-2014-6585 moodle 2014-05-29
Fedora FEDORA-2014-6577 moodle 2014-05-29
Mageia MGASA-2014-0230 moodle 2014-05-19

Comments (none posted)

owncloud: multiple unspecified vulnerabilities

Package(s):owncloud CVE #(s):
Created:May 16, 2014 Updated:May 21, 2014
Description:

From the Mandriva advisory:

Owncloud versions 5.0.16 and 6.0.3 fix several unspecified security vulnerabilities, as well as many other bugs.

Alerts:
Mandriva MDVSA-2014:101 owncloud 2014-05-16

Comments (none posted)

python-django: information disclosure

Package(s):python-django CVE #(s):CVE-2014-1418
Created:May 15, 2014 Updated:May 27, 2014
Description: From the Ubuntu advisory:

Stephen Stewart, Michael Nelson, Natalia Bidart and James Westby discovered that Django improperly removed Vary and Cache-Control headers from HTTP responses when replying to a request from an Internet Explorer or Chrome Frame client. An attacker may use this to retrieve private data or poison caches. This update removes workarounds for bugs in Internet Explorer 6 and 7. (CVE-2014-1418)

Alerts:
openSUSE openSUSE-SU-2014:1132-1 python-django 2014-09-16
Gentoo 201406-26 django 2014-06-26
Mandriva MDVSA-2014:113 python-django 2014-06-10
Fedora FEDORA-2014-6440 python-django15 2014-05-26
Fedora FEDORA-2014-6442 python-django14 2014-05-26
Fedora FEDORA-2014-6454 python-django 2014-05-26
Fedora FEDORA-2014-6449 python-django 2014-05-26
Mageia MGASA-2014-0231 python-django 2014-05-19
Debian DSA-2934-1 python-django 2014-05-19
Mandriva MDVSA-2014:112 python-django 2014-06-10
Ubuntu USN-2212-1 python-django 2014-05-14

Comments (none posted)

python-django: open redirect attacks

Package(s):python-django CVE #(s):CVE-2014-3730
Created:May 20, 2014 Updated:May 27, 2014
Description: From the CVE entry:

The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com."
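The CVE's example URL works because a strict URL parser and a lenient browser disagree about it. The added Python below (my own code, not Django's, and not Django's actual fix, which differs in detail) shows the naive "trust the parsed netloc" check accepting `http:\\\djangoproject.com`, a small model of how a lenient browser resolves that string, and a stricter check that rejects it. `EXAMPLE_HOST` and the test URLs are constructed.

```python
"""Open-redirect check: a naive netloc comparison versus a stricter check
that accounts for browsers treating backslashes as slashes.  Added example."""
import re
from urllib.parse import urlparse

EXAMPLE_HOST = "example.com"      # the site doing the redirect (constructed)


def is_safe_url_naive(url, host):
    """The flawed pattern: urlparse sees no netloc in 'http:\\\\\\evil', so the
    URL looks like a harmless relative path."""
    if not url:
        return False
    parsed = urlparse(url)
    return not parsed.netloc or parsed.netloc == host


def effective_host_in_browser(url):
    """Model of lenient (Chrome/IE-style) resolution: backslashes become
    slashes and any run of slashes after a special scheme starts the authority."""
    url = url.replace("\\", "/")
    m = re.match(r"^(https?):/+([^/?#]*)", url, re.IGNORECASE)
    return m.group(2).lower() if m else None


def is_safe_url_strict(url, host):
    """Reject anything a lenient browser could send off-site: normalise
    backslashes first, refuse scheme-relative '///' forms, refuse non-http(s)
    schemes, and refuse a scheme with an empty authority."""
    if not url:
        return False
    url = url.replace("\\", "/")
    if url.startswith("///"):
        return False
    parsed = urlparse(url)
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return False
    if parsed.scheme and not parsed.netloc:
        return False          # 'http:///evil' style: browser supplies the host
    return not parsed.netloc or parsed.netloc.lower() == host.lower()


if __name__ == "__main__":
    bad = r"http:\\\djangoproject.com"
    print("naive accepts:", is_safe_url_naive(bad, EXAMPLE_HOST))
    print("browser goes to:", effective_host_in_browser(bad))
    print("strict accepts:", is_safe_url_strict(bad, EXAMPLE_HOST))
```

The general lesson is that a safety check must parse the input the way the consumer (here, the browser) will, not the way the nearest convenient library does; normalising the input to the consumer's interpretation before checking is what closes the gap.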

Alerts:
openSUSE openSUSE-SU-2014:1132-1 python-django 2014-09-16
Mandriva MDVSA-2014:113 python-django 2014-06-10
Fedora FEDORA-2014-6440 python-django15 2014-05-26
Fedora FEDORA-2014-6442 python-django14 2014-05-26
Fedora FEDORA-2014-6454 python-django 2014-05-26
Fedora FEDORA-2014-6449 python-django 2014-05-26
Mageia MGASA-2014-0231 python-django 2014-05-19
Debian DSA-2934-1 python-django 2014-05-19
Mandriva MDVSA-2014:112 python-django 2014-06-10

Comments (none posted)

python-fmn-web: covert redirect

Package(s):python-fmn-web CVE #(s):
Created:May 21, 2014 Updated:May 21, 2014
Description: From the Fedora advisory:

Fix for Covert Redirect.

Alerts:
Fedora FEDORA-2014-5974 python-fmn-web 2014-05-21
Fedora FEDORA-2014-5972 python-fmn-web 2014-05-21

Comments (none posted)

qemu: multiple vulnerabilities

Package(s):qemu CVE #(s):CVE-2014-0182 CVE-2013-4534 CVE-2013-4533 CVE-2013-4535 CVE-2013-4536 CVE-2013-4537 CVE-2013-4538 CVE-2013-4539 CVE-2013-4540 CVE-2013-4541 CVE-2013-4542 CVE-2013-6399 CVE-2013-4531 CVE-2013-4530 CVE-2013-4529 CVE-2013-4527 CVE-2013-4526 CVE-2013-4151 CVE-2013-4150 CVE-2013-4149 CVE-2013-4148
Created:May 16, 2014 Updated:July 25, 2014
Description:

From the Red Hat bug reports:

CVE-2014-0182: A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4534: opp->nb_cpus is read from the wire and used to determine how many IRQDest elements to read into opp->dst[]. If the value exceeds the length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary data from the wire.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4533: s->rx_level is read from the wire and used to determine how many bytes to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the length of s->rx_fifo[] the buffer can be overrun with arbitrary data from the wire.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4535, CVE-2013-4536: Both virtio-block and virtio-serial read VirtQueueElements in as buffers and pass them to virtqueue_map_sg(), where num_sg is taken from the wire and can force writes to indices beyond VIRTQUEUE_MAX_SIZE.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4537: s->arglen is taken from wire and used as idx in ssi_sd_transfer().

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4538: s->cmd_len used as index in ssd0323_transfer() to store 32-bit field. Possible this field might then be supplied by guest to overwrite a return addr somewhere. Same for row/col fields, which are indices into framebuffer array.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4539: s->precision, nextprecision, function and nextfunction come from wire and are used as idx into resolution[] in TSC_CUT_RESOLUTION.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4540: Within scoop_gpio_handler_update, if prev_level has a high bit set, then we get bit > 16 and that does a buffer overrun.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4541: s->setup_len and s->setup_index are fed into usb_packet_copy as size/offset into s->data_buf, it's possible for invalid state to exploit this to load arbitrary data.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4542: hw/scsi/scsi-bus.c invokes load_request.

virtio_scsi_load_request does:

    qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
this probably can make elem invalid, for example, make in_num or out_num out-of-bounds, later leading to buffer overrun.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-6399: vdev->queue_sel is read from the wire, and later used in the emulation code as an index into vdev->vq[]. If the value of vdev->queue_sel exceeds the length of vdev->vq[], currently allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun the buffer with arbitrary data.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4531: cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for cpreg_vmstate_array_len will cause a buffer overflow.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4530: pl022.c did not bounds-check tx_fifo_head and rx_fifo_head after loading them from file and before they are used to dereference an array.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4529: There are two issues in hw/pci/pcie_aer.c:

1. log_max from remote can be larger than on local; then the buffer will overrun with data coming from the state file.

2. log_num can be larger; then we get data corruption again with an overflow, but not adversary-controlled.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4527: hpet is a VARRAY with a uint8 size but a static array of 32, and the index (num_timers) into this array is not checked for sanity.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4526: Within hw/ide/ahci.c, VARRAY refers to ports, which is also loaded. So we use the old version of ports to read the array, but then allow any value for ports.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4151: QEMU 1.0 out-of-bounds buffer write in virtio_load@virtio/virtio.c

The array of vqs has size VIRTIO_PCI_QUEUE_MAX, so on invalid input this will write beyond the end of the buffer.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4150: QEMU 1.5.0 out-of-bounds buffer write in virtio_net_load()@hw/net/virtio-net.c

The number of vqs is max_queues, so if we get invalid input here, for example max_queues = 2 and curr_queues = 3, we get a write beyond the end of the buffer with data that comes from the wire.

This might be used to corrupt qemu memory in hard-to-predict ways.

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4149: QEMU 1.3.0 out-of-bounds buffer write in virtio_net_load()@hw/net/virtio-net.c

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.

CVE-2013-4148: QEMU 1.0 integer conversion in virtio_net_load()@hw/net/virtio-net.c

A user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process.
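
The virtio-net (CVE-2013-4150), virtio (CVE-2013-4151, CVE-2013-6399) and pcie_aer (CVE-2013-4529) entries above all have the same shape: a count or index is read from the migration stream and then used against an array whose size was fixed when the device was created. The following is an added illustration in C, not QEMU code; every name in it (toy_vq, toy_heap, stream, get_be32, load_queues_unchecked, load_queues_checked, evil_stream, run_load) is invented for the demo, and the stream bytes are constructed to match the max_queues = 2, curr_queues = 3 case quoted in the CVE-2013-4150 description. The vulnerable loader and the hardened loader are shown side by side; the device state and a neighbouring heap object are modelled as one flat struct so the overrun can be observed without the demo itself invoking undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_QUEUES 2   /* stands in for max_queues / VIRTIO_PCI_QUEUE_MAX */

struct toy_vq { uint32_t last_avail_idx; };   /* per-queue state, as VirtQueue */

/* Device state plus whatever object follows it in the QEMU heap, kept in one
 * flat struct so an overrun of vq[] lands in neighbour[] and can be observed
 * instead of being undefined behaviour. Offsets: max_queues 0, vq 4, neighbour 12. */
struct toy_heap {
    uint32_t max_queues;            /* fixed when the device is created */
    struct toy_vq vq[MAX_QUEUES];   /* sized by max_queues, never by the stream */
    uint8_t neighbour[16];          /* some unrelated heap object */
};

/* Cursor over a constructed migration stream; stands in for QEMUFile. */
struct stream { const uint8_t *buf; size_t len, off; };

/* Big-endian 32-bit read like qemu_get_be32(); false on a short stream. */
static bool get_be32(struct stream *s, uint32_t *out)
{
    if (s->len - s->off < 4) return false;
    const uint8_t *p = s->buf + s->off;
    *out = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
    s->off += 4;
    return true;
}

/* Vulnerable pattern (the CVE-2013-4150 shape): curr_queues comes straight off
 * the wire and bounds the loop, so a third record is written past vq[]. The
 * sizeof(*h) guard only keeps this demo inside toy_heap; QEMU had no such stop. */
static int load_queues_unchecked(struct toy_heap *h, struct stream *s)
{
    uint32_t curr_queues, val;
    if (!get_be32(s, &curr_queues)) return -1;
    for (uint32_t i = 0; i < curr_queues; i++) {
        if (!get_be32(s, &val)) return -1;
        size_t off = offsetof(struct toy_heap, vq) + (size_t)i * sizeof(struct toy_vq);
        if (off + sizeof(val) > sizeof(*h)) return -1;
        memcpy((uint8_t *)h + off, &val, sizeof(val));   /* i >= MAX_QUEUES hits neighbour[] */
    }
    return 0;
}

/* Hardened pattern: a count or index taken from the stream is checked against
 * the device's own limits before it touches an array, and a bad stream fails
 * the load (aborting the migration) instead of being acted on. */
static int load_queues_checked(struct toy_heap *h, struct stream *s)
{
    uint32_t curr_queues, val;
    if (!get_be32(s, &curr_queues)) return -1;
    if (h->max_queues > MAX_QUEUES || curr_queues > h->max_queues) return -1;
    for (uint32_t i = 0; i < curr_queues; i++) {
        if (!get_be32(s, &val)) return -1;
        h->vq[i].last_avail_idx = val;   /* i < max_queues <= MAX_QUEUES */
    }
    return 0;
}

/* Constructed stream: the max_queues = 2, curr_queues = 3 case from the
 * CVE-2013-4150 description, a count of 3 followed by three queue records. */
static const uint8_t evil_stream[] = {
    0x00, 0x00, 0x00, 0x03,   /* curr_queues = 3 */
    0x00, 0x00, 0x00, 0x11,   /* vq[0].last_avail_idx */
    0x00, 0x00, 0x00, 0x22,   /* vq[1].last_avail_idx */
    0x41, 0x41, 0x41, 0x41,   /* "vq[2]" does not exist: this lands in neighbour[] */
};

/* Runs one loader over evil_stream against a fresh device; returns the
 * loader's status and reports whether anything past vq[] changed. */
static int run_load(int (*loader)(struct toy_heap *, struct stream *), bool *clobbered)
{
    struct toy_heap h;
    static const uint8_t zeros[16] = { 0 };
    memset(&h, 0, sizeof(h));
    h.max_queues = MAX_QUEUES;
    struct stream s = { evil_stream, sizeof(evil_stream), 0 };
    int rc = loader(&h, &s);
    *clobbered = memcmp(h.neighbour, zeros, sizeof(h.neighbour)) != 0;
    return rc;
}

/* Verdicts: the unchecked loader "succeeds" and corrupts the neighbour;
 * the checked loader rejects the stream and leaves it untouched. */
static bool unchecked_corrupts_neighbour(void) { bool c; return run_load(load_queues_unchecked, &c) == 0 && c; }
static bool checked_rejects_stream(void)       { bool c; return run_load(load_queues_checked, &c) == -1 && !c; }

int main(void)
{
    printf("unchecked corrupts neighbour: %d, checked rejects stream: %d\n",
           unchecked_corrupts_neighbour(), checked_rejects_stream());
}
```

Build with `cc -std=c99 -Wall demo.c`. The point to carry over to real device code is where the check sits: the hardened loader compares the wire-supplied count against a limit the destination already owns (max_queues, itself capped by the static array size) before the first write, and returns failure so the whole load is abandoned. The same applies to a wire-supplied index such as queue_sel or num_timers, and to the signed lengths of VARRAY_INT32 fields, where a negative value must be rejected as well as a too-large one.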

Alerts:
SUSE SUSE-SU-2016:1745-1 xen 2016-07-06
SUSE SUSE-SU-2016:1318-1 xen 2016-05-17
SUSE SUSE-SU-2016:1154-1 xen 2016-04-26
openSUSE openSUSE-SU-2016:0995-1 xen 2016-04-08
SUSE SUSE-SU-2016:0955-1 xen 2016-04-05
openSUSE openSUSE-SU-2016:0914-1 xen 2016-03-30
SUSE SUSE-SU-2016:0873-1 xen 2016-03-24
Mandriva MDVSA-2015:061 qemu 2015-03-13
Oracle ELSA-2015-0349 qemu-kvm 2015-03-12
Mandriva MDVSA-2014:220 qemu 2014-11-21
Mageia MGASA-2014-0426 qemu 2014-10-28
openSUSE openSUSE-SU-2014:1281-1 xen 2014-10-09
openSUSE openSUSE-SU-2014:1279-1 xen 2014-10-09
Red Hat RHSA-2014:1268-01 qemu-kvm-rhev 2014-09-22
Ubuntu USN-2342-1 qemu, qemu-kvm 2014-09-08
CentOS CESA-2014:0927 qemu-kvm 2014-07-25
Red Hat RHSA-2014:0888-01 qemu-kvm-rhev 2014-07-24
Oracle ELSA-2014-0927 qemu-kvm 2014-07-23
Red Hat RHSA-2014:0927-01 qemu-kvm 2014-07-23
Scientific Linux SLSA-2014:0743-1 qemu-kvm 2014-06-11
Red Hat RHSA-2014:0743-01 qemu-kvm 2014-06-10
Fedora FEDORA-2014-6288 qemu 2014-05-16
CentOS CESA-2014:0743 qemu-kvm 2014-06-11
Oracle ELSA-2014-0743 qemu-kvm 2014-06-10

ruby-actionpack: information leak

Package(s): ruby-actionpack-3.2    CVE #(s): CVE-2014-0130
Created: May 16, 2014    Updated: May 28, 2014
Description:

From the Debian advisory:

A directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb allows remote attackers to read arbitrary files.

Alerts:
Mageia MGASA-2014-0303 ruby-actionpack 2014-07-26
openSUSE openSUSE-SU-2014:0720-1 rubygem-actionpack-3_2 2014-05-28
openSUSE openSUSE-SU-2014:0718-1 rubygem-actionpack-3_2 2014-05-28
Fedora FEDORA-2014-6127 rubygem-actionpack 2014-05-23
Fedora FEDORA-2014-6098 rubygem-actionpack 2014-05-23
CentOS CESA-2014:0510 ruby193-rubygem-actionpack 2014-05-21
Red Hat RHSA-2014:0510-01 ruby193-rubygem-actionpack 2014-05-15
Debian DSA-2929-1 ruby-actionpack-3.2 2014-05-16

srm: unspecified vulnerability

Package(s): srm    CVE #(s):
Created: May 15, 2014    Updated: May 21, 2014
Description: no information was provided in the Fedora advisory
Alerts:
Fedora FEDORA-2014-5308 srm 2014-05-15

util-linux: corruption of the /etc/mtab file

Package(s): util-linux    CVE #(s): CVE-2011-1676
Created: May 19, 2014    Updated: May 21, 2014
Description: From the CVE entry:

mount in util-linux 2.19 and earlier does not remove the /etc/mtab.tmp file after a failed attempt to add a mount entry, which allows local users to trigger corruption of the /etc/mtab file via multiple invocations.

Alerts:
Gentoo 201405-15 util-linux 2014-05-18

x2goserver: privilege escalation

Package(s): x2goserver    CVE #(s): CVE-2013-7383
Created: May 19, 2014    Updated: May 21, 2014
Description: From the Gentoo advisory:

X2Go Server is prone to a local privilege-escalation vulnerability.

A local attacker could gain escalated privileges.

Alerts:
Gentoo 201405-26 x2goserver 2014-05-19

Page editor: Jake Edge


Copyright © 2014, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds