Open Source Security Mailing List

Discussion of security flaws, concepts, and practices in the Open Source community

List Archives

Year  Jan–Mar  Apr–Jun  Jul–Sep  Oct–Dec
2013  777      372
2012  815      578      591      549
2011  640      738      550      591
2010  291      376      465      383
2009  250      264      272      304
2008  206      390      402      358

Latest Posts

Re: plone, rrdtool, zenoss bugs Henri Salo (May 19)
Tested Debian wheezy packages:

python-rrdtool 1.4.7-2
python2.7 2.7.3-6

Backtrace attached. Might affect other software too.
Debian bug: http://bugs.debian.org/708866

---
Henri Salo
(gdb) run -c "import rrdtool;rrdtool.graph('/tmp=/out.png','-f','%n%n')"
Starting program: /usr/bin/python2.7 -c "import rrdtool;rrdtool.graph('/tmp=/out.png','-f','%n%n')"
[Thread...

Re: Re: CVE Request: DoS in OpenSMTPD TLS Support Gilles Chehade (May 19)
Yes, that would have been much nicer.

We discovered the CVE request at the same time as everyone, on two
public lists along with a script that allows any kiddie to trigger
it... sent by a package maintainer we had talked to minutes ago to
explain the issue and who knew the fix release was two days away.

Anyway, what's done is done, we released earlier, hopefully we get
a bit more coordination next time.

Hopefully, we don't need too...

Re: Re: CVE Request: DoS in OpenSMTPD TLS Support Kurt Seifried (May 19)
For future reference you can get CVEs privately, although if you're
not the official upstream this means there is a greater chance of
duplicates (and thus of me saying "no, make a public request"). So if
you want to do this a possible compromise is to email me and the
upstream and if upstream replies that it's ok then I'd probably go ahead.

Agreed, generally with public source code commits fixing an issue we
consider it public...

More zPanel security flaws? Trying to sort them out Kurt Seifried (May 19)
So the head of the zPanel project "ballen" ("Bobby Allen" according to
Google) reports:

http://forums.zpanelcp.com/showthread.php?27608-ZPanelCP-Server-has-not-been-compromised

======
4) Security issues raised
The security issues mentioned in the following article
(http://imgur.com/a/lzRuo) are already fixed, however we are a short
way off being able to release the new version. All known security
vulnerabilities have been...

Re: CVE Request: DoS in OpenSMTPD TLS Support Jason A. Donenfeld (May 19)
Sorry about that. I was in the midst of bumping packages in gentoo to
the snapshot where you had fixed the issue, when I figured it might be
wise to also get the issue tracked with a CVE asap. Sorry for jumping
the gun.

The quote was "I haven't looked into why this happens or if memory
corruption / code execution is a possibility, but at the very least,
it's a nasty DoS."

Which is why I figured it was already a public issue,...

Re: Re: CVE Request: DoS in OpenSMTPD TLS Support Kurt Seifried (May 18)
A snapshot has been posted to http://www.opensmtpd.org/archives/ , but

Please use CVE-2013-2125 for this issue.

Re: CVE request: WordPress plugin wp-cleanfix CSRF Kurt Seifried (May 18)
Ok this is a slightly messy one. Normally yes, WP admin can modify the
site and thus execute arbitrary PHP, so a remote flaw that allows php
command execution only for admin would be a security flaw (e.g. worthy
of hardening) but not typically a security vulnerability (e.g. worthy
of a CVE and full security treatment).

However in this case it is exploitable, the CSRF provides a vector for
exploitation. So it gets a separate CVE.

So please...

Re: Multiple vulnerabilities in PHP Address Book v8.2.5 Henri Salo (May 18)
As far as I can tell - yes.

---
Henri Salo

Re: CVE Request: DoS in OpenSMTPD TLS Support Gilles Chehade (May 18)
Erf...

Not too nice to send a CVE request without ANY coordination with us ...

Just for the record, you contacted us today reporting a bug which could
be memory corruption and you didn't know if it could be exploited. Then
I replied telling you that we discovered and fixed the bug two days ago
and I then explained to you what the bug really was (wrong logic in the
IO events handling code in our SSL layer). I then told you that we made...

CVE Request: DoS in OpenSMTPD TLS Support Jason A. Donenfeld (May 18)
Hi Kurt,

The SSL handling in the latest OpenSMTPD (5.3.1) misconfigures its
sockets in blocking mode, allowing an attacker to prevent all mail
delivery simply by holding a socket open.

I discovered this accidentally, as I noticed my HP printer's smtp
client would keep the connection indefinitely open after an
unsuccessful authentication attempt, causing no more mail to be
delivered until I SIGKILL'd my smtpd process or unplugged my...

Re: CVE request: WordPress plugin wp-cleanfix CSRF Henri Salo (May 18)
File wpCleanFixAjax.php contains:

30 $command = strip_tags( $_POST['command'] );
31 eval ( $command );

and there is:

12 if ( is_admin() && _wpdk_is_ajax() ) {

So it only works when logged in as administrator. This is not a security
vulnerability as is, because WordPress administrator can upload/edit PHP as she
or he likes.

There is a CSRF vulnerability, which can be used to execute arbitrary PHP.

POST...

Re: CVE Request: WebAuth: Authentication credential disclosure Kurt Seifried (May 18)
Yeah in this case I'm definitely going to count a 4 month window as "made
available" =). Please use CVE-2013-2106 for this issue. With any luck
now all the standard scanners like Nessus will add a test and anyone
vulnerable will find out asap.

Re: CVE Request: WebAuth: Authentication credential disclosure Russ Allbery (May 18)
Kurt Seifried <kseifried () redhat com> writes:

Yes, via http://webauth.stanford.edu/ as well as via my personal web site.
I did issue an advisory (to webauth-announce () lists stanford edu). There
were six announced (distributed, tagged, etc.) releases that had this
vulnerability.

WebAuth is moderately well-used; it's not as popular as some of the other
web single sign-on systems, but it's been distributed with Debian and...

Re: Show In Browser 0.0.3 Ruby Gem /tmp file injection vulnerability Kurt Seifried (May 18)
Please use CVE-2013-2105 for this issue.

Re: CVE Request: WebAuth: Authentication credential disclosure Kurt Seifried (May 18)
WebAuth 4.4.1 was changed to use a persistent CGI::Application object

I did a Google search, there appear to be other
universities/organizations using WebAuth, was the vulnerable version
made generally available (e.g. on an ftp site or whatever?).
