- Arch-security - lists.archlinux.org

[arch-security] [kernel] CVE-2014-2523 (fixed??) - netfilter: nf_conntrack_dccp: incorrect skb_header_pointer API usages :: FIXED??
by Billy McCann 18 Mar '14

18 Mar '14

Greetings all. CVE-2014-2523 for linux kernel has been assigned. However, I'm having difficulty finding whether this issue is fixed in the current (Arch) kernel. I'm thinking it has been, as the fixing commit was made on 06/01/2014. Confirmation requested. *Relevant info CVE details: https://access.redhat.com/security/cve/CVE-2014-2523 Introduced by: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2… Upstream Fix: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b… BW

2 1

Re: [arch-security] Division of Labor
by RbN 17 Mar '14

17 Mar '14

> I also think we need a system to track which CVEs have been dealt with. > > How about a wiki page with a table (per month?) with the following columns: > > CVE Id > Package/version > Date public > Update/Bug (upstream version with fix or bug report number with patch) > Fixed version > Time vulnerable (for interest!) > > Allan I just created a page to track CVE for 2014 (if it gets too long, we will split it later) : https://wiki.archlinux.org/index.php/CVE-2014 It's basically a table wth the following columns for each CVE : CVE-id Package/version Date public Update/Bug (upstream version with fix or bug report number with patch) Fixed version Time vulnerable (for interest!) As you might see, any wikitext ninja is welcome to improve the table ;) I will add some links later : CVE -ids linked to Mitre Package name linked to the good page FS# linked to the bug report I filled it with the content of the file I used on my laptop to keep track of CVE to see how it looks like with real content. There is CVE with the time vulnerable field filled with "??", it means that I didn't take time to check it, it's easy work for anybody willing to gets his hands dirty with CVE management. RbN

2 2

[arch-security] gnu-coreutils patched : possible future CVE announcement
by Billy McCann 14 Mar '14

14 Mar '14

Greetings all. There has been a CVE request for gnu coreutils 8.22. This request may be found on the openwall mailing list. The CVE request is concerned with `shuf'. The bug report can be viewed here https://bugs.archlinux.org/task/39425 The patch has been applied and marked FIXED. Should a CVE for gnu coreutils 8.22 centered on `shuf' be released, this issue has already been resolved within Arch Linux. Regards, BW

1 0

[arch-security] CVE-2013-4496 | CVE-2013-6442 [samba]
by Billy McCann 14 Mar '14

14 Mar '14

Samba has been flagged out-of-date since 2014-03-12. Two CVE's were issued 2014-03-14. *Solution* Upgrade [extra] samba to 4.1.6. *Summary* CVE-2013-4496: Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does not enforce the password-guessing protection mechanism for all interfaces, which makes it easier for remote attackers to obtain access via brute-force ChangePasswordUser2 (1) SAMR or (2) RAP attempts. CVE-2013-6442 Samba versions 4.0.0 and above have a flaw in the smbcacls command. If smbcacls is used with the "-C|--chown name" or "-G|--chgrp name" command options it will remove the existing ACL on the object being modified, leaving the file or directory unprotected. *Links* http://www.samba.org/samba/security/CVE-2013-4496 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4496 http://www.samba.org/samba/security/CVE-2013-6442 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6442 ------------------------------------------[00(01|10)11] ----------------------------------------- Billy Wayne McCann, Ph.D. Google+ <https://plus.google.com/+BillyWayneMcCann> PGP Key <http://pgp.mit.edu/pks/lookup?op=get&search=0x223A2CAA56146040> irc://irc.freenode.net:bwayne MzM0LTcwMy0wMTIyCg== | base64 -d "A rich man will always desire what his wealth cannot acquire." ~ Faust (Goethe) ------------------------------------------[11(10|01)00]------- -----------------------------------

1 2

[arch-security] [flash-plugin] CVE-2014-0504 : attackers read the clipboard via unspecified vectors
by Billy McCann 13 Mar '14

13 Mar '14

A CVE was announced for Adobe Flash Player on 3-12 . flash-plugin has been flagged out of date since 3-11. https://www.archlinux.org/packages/extra/i686/flashplugin/ Bug has been filed to alert devs that upgrad e is critical. See issue entry below. https://bugs.archlinux.org/task/39385 BW === B E G I N B U G R E P O R T ======= Description: Adobe Flash Player before 11.2.202.346 on Linux allows attackers to read the clipboard via unspecified vectors. Solution: Update to latest Flash Player. Links to Description: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0504 http://helpx.adobe.com/security/products/flash-player/apsb14-08.html Additional info: * package version(s) 11.2.202.341 * Misc Package was flagged as outdated on the 11th of March, 2014. https://www.archlinux.org/packages/extra/i686/flashplugin/ === E N D ===== ------------------------------------------[00(01|10)11]----------------------------------------- Billy Wayne McCann, Ph.D. Google+ PGP Key irc://irc.freenode.net:bwayne MzM0LTcwMy0wMTIyCg== | base64 -d "A rich man will always desire what his wealth cannot acquire." ~ Faust (Goethe) ------------------------------------------[11(10|01)00]------------------------------------------

1 1

[arch-security] Security-related ressources
by RbN 12 Mar '14

12 Mar '14

Hello, A message to give some hints and links to look more efficiently for security issues and CVE. Some mailing lists : * oss-sec main list dealing with security of free software, a lot of CVE attributions happen here, required if you wish to follow security news. * info: http://oss-security.openwall.org/wiki/mailing-lists/oss-security * subscribe: oss-security-subscribe(at)lists.openwall.com * archive: http://www.openwall.com/lists/oss-security/ * bugtraq a full disclosure moderated mailing list (noisy) * info: http://www.securityfocus.com/archive/1/description * subscribe: bugtraq-subscribe(at)securityfocus.com * full-disclosure another full-disclosure mailing-list (noisy) * info: http://lists.grok.org.uk/full-disclosure-charter.html * subscribe: full-disclosure-request(at)lists.grok.org.uk You can also use some others : LibreOffice, X.org, Puppetlabs, ISC, etc. Resources of other distributions (to look for CVE, patch, comments etc.): *RedHat and Fedora: * rss advisories: https://admin.fedoraproject.org/updates/rss/rss2.0?type=security * CVE tracker: https://access.redhat.com/security/cve/<CVE-id> * bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=<CVE-id> Ubuntu: * advisories: http://www.ubuntu.com/usn/atom.xml * CVE tracker: http://people.canonical.com/~ubuntu-security/cve/?cve=<CVE-id> * database: https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master Debian: * CVE tracker: http://security-tracker.debian.org/tracker/<CVE-id> * patch-tracker: http://patch-tracker.debian.org/ * database: http://anonscm.debian.org/viewvc/secure-testing/data/ OpenSUSE: * CVE tracker: http://support.novell.com/security/cve/<CVE-id>.html Mitre and NVD links for CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=<CVE-id> http://web.nvd.nist.gov/view/vuln/detail?vulnId=<CVE-id> NVD and Mitre do not necessarily fill their CVE entry immediately after attribution, so it's not always relevant for us. The CVE-id and the "Date Entry Created" fields do not have particular meaning. CVE are attributed by CVE Numbering Authorities (CNA), and each CNA obtain CVE blocks from Mitre when needed/asked, so the CVE ID is not linked to the attribution date. The "Date Entry Created" field often only indicates when the CVE block was given to the CNA, nothing more. Linux Weekly News: LWN provides a daily notice of security updates for various distributions, sometimes very usefull: http://lwn.net/headlines/newrss This might be very handy to check if we miss something. If you need more, check the openwall wiki: http://oss-security.openwall.org/wiki/ RbN

2 1

[arch-security] Wiki Page
by Billy McCann 12 Mar '14

12 Mar '14

Greetings All. A rough draft for the wiki page describing the "Arch CVE Monitoring Team" as well as project categories and a "sign-up sheet" of sorts has been published. https://wiki.archlinux.org/index.php/Arch_CVE_Monitoring_Team I ask those interested to read, correct mistakes, add to, or subtract from this article. Best wishes, BW ------------------------------------------[00(01|10)11] ----------------------------------------- Billy Wayne McCann, Ph.D. Google+ <https://plus.google.com/+BillyWayneMcCann> PGP Key <http://pgp.mit.edu/pks/lookup?op=get&search=0x223A2CAA56146040> irc://irc.freenode.net:bwayne MzM0LTcwMy0wMTIyCg== | base64 -d "A rich man will always desire what his wealth cannot acquire." ~ Faust (Goethe) ------------------------------------------[11(10|01)00]------- -----------------------------------

1 0

[arch-security] Division of Labor
by Billy McCann 11 Mar '14

11 Mar '14

Salutations and Felicitations! The arch-security ML is a great idea. I'd like to help, but I'm not sure where I'm best placed. I have time to watch a couple of mailing lists for security announcements. But I feel I need to know who is doing what, so that I'm not duplicating someone else's work, a sort of division of labor. If we all take a ML or two, share what we're doing, then we'll divide the labor and be more efficient at keeping Arch secure. What think ye? BW ------------------------------------------[00(01|10)11] ----------------------------------------- Billy Wayne McCann, Ph.D. Google+ <https://plus.google.com/+BillyWayneMcCann> PGP Key <http://pgp.mit.edu/pks/lookup?op=get&search=0x223A2CAA56146040> irc://irc.freenode.net:bwayne MzM0LTcwMy0wMTIyCg== | base64 -d "A rich man will always desire what his wealth cannot acquire." ~ Faust (Goethe) ------------------------------------------[11(10|01)00]------- -----------------------------------

3 3

[arch-security] The arch-security list now works!
by Thomas Bächler 11 Mar '14

11 Mar '14

You read it. Posting to this list actually works now. Thanks for reading.

2 1

[arch-security] Fwd: [arch-general] Security vulnerability (CVE-2014-0004) in udisks/udisks2
by Thomas Bächler 11 Mar '14

11 Mar '14

-------- Original-Nachricht -------- Betreff: [arch-general] Security vulnerability (CVE-2014-0004) in udisks/udisks2 Datum: Tue, 11 Mar 2014 10:24:26 +0000 (UTC) Von: Manuel Reimer <manuel.spam(a)nurfuerspam.de> Antwort an: General Discussion about Arch Linux <arch-general(a)archlinux.org> An: arch-general(a)archlinux.org Hello, I already flagged the packages out of date, but maybe other people are interested, too, that there is a known security hole in udisks/udisks2, which has been fixed upstream with new releases: http://lists.freedesktop.org/archives/devkit-devel/2014-March/001568.html Greetings, Manuel

1 0