The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Debian Linux

computer vulnerability announcement CVE-2013-4242

GnuPG, Libgcrypt: reading private key via L3 flush+reload

Synthesis of the vulnerability

A local attacker can observe the processor L3 cache in order to read 98% of the private key used by GnuPG.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, GnuPG, MBS, MES, openSUSE, Solaris, RHEL, Slackware, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: data reading.
Provenance: user shell.
Confidence: confirmed by the editor (5/5).
Creation date: 25/07/2013.
Identifiers: BID-61464, CERTFR-2014-AVI-244, CVE-2013-4242, DSA-2730-1, DSA-2731-1, FEDORA-2013-13671, FEDORA-2013-13678, FEDORA-2013-13940, FEDORA-2013-13975, FEDORA-2014-6851, MDVSA-2013:205, openSUSE-SU-2013:1294-1, RHSA-2013:1457-01, RHSA-2013:1458-01, SOL75253136, SSA:2013-215-01, VIGILANCE-VUL-13167.

Description of the vulnerability

A processor has several cache levels: L1 (fast), L2 and L3 (slow).

When GnuPG performs an operation with an RSA private key, it uses the "square and multiply" algorithm to compute the modular exponentiation. This algorithm processes the exponent (the private key) one bit at a time.

A malicious program running on the same processor can measure the access time to the L3 cache in order to detect whether GnuPG just performed an elementary operation of the "square and multiply" (a square or a multiply). It can then guess, with high accuracy, whether the current private key bit is 0 or 1.

A local attacker can therefore observe the processor L3 cache in order to read 98% of the private key used by GnuPG.
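The description above explains why the leak exists: in a textbook square-and-multiply, the multiply step runs only for exponent bits equal to 1, so the sequence of elementary operations spells out the key. The following is an added example, not GnuPG or Libgcrypt code, written to show that property and one standard mitigation (a Montgomery ladder, which performs the same square and multiply for every bit). The 64-bit modulus, the `op_trace` counters and the function names are all assumptions of this example; they stand in for the multi-precision arithmetic of a real implementation and only illustrate the operation sequence.

```c
#include <stdint.h>
#include <stdio.h>

/* Counters for the elementary operations. A cache-timing observer of the
 * kind described in the bulletin distinguishes squares from multiplies, so
 * this sequence is exactly what leaks. */
typedef struct { unsigned squares, multiplies; } op_trace;

/* (a * b) mod m without overflow, via a 128-bit intermediate (GCC/Clang). */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((__uint128_t)a * b) % m);
}

static int bit_length(uint64_t e) { return e ? 64 - __builtin_clzll(e) : 0; }

/* Leaky left-to-right square-and-multiply: one square per bit, and a
 * multiply only when the bit is 1. The number and order of multiplies
 * therefore depends on the secret exponent. */
uint64_t modexp_square_multiply(uint64_t base, uint64_t e, uint64_t m, op_trace *t) {
    uint64_t r = 1 % m;
    for (int i = bit_length(e) - 1; i >= 0; i--) {
        r = mulmod(r, r, m);
        if (t) t->squares++;
        if ((e >> i) & 1) {
            r = mulmod(r, base, m);
            if (t) t->multiplies++;
        }
    }
    return r;
}

/* Montgomery ladder: exactly one multiply and one square per bit, whatever
 * the bit value, so the operation sequence no longer depends on the key.
 * The register selection is done with a branch-free masked swap so that no
 * data-dependent branch is introduced in its place. (Memory-access
 * patterns would also need care in a real implementation.) */
uint64_t modexp_ladder(uint64_t base, uint64_t e, uint64_t m, op_trace *t) {
    uint64_t r0 = 1 % m, r1 = base % m;   /* invariant: r1 == r0 * base */
    for (int i = bit_length(e) - 1; i >= 0; i--) {
        uint64_t mask = 0 - ((e >> i) & 1);          /* all ones iff bit == 1 */
        uint64_t d = (r0 ^ r1) & mask; r0 ^= d; r1 ^= d;  /* conditional swap */
        r1 = mulmod(r0, r1, m);
        if (t) t->multiplies++;
        r0 = mulmod(r0, r0, m);
        if (t) t->squares++;
        d = (r0 ^ r1) & mask; r0 ^= d; r1 ^= d;           /* swap back */
    }
    return r0;
}

int main(void) {
    /* Two exponents of the same bit length but different Hamming weight. */
    uint64_t exps[2] = { 0x8001u, 0xFFFFu };
    for (int k = 0; k < 2; k++) {
        op_trace a = {0, 0}, b = {0, 0};
        uint64_t ra = modexp_square_multiply(3, exps[k], 1000000007u, &a);
        uint64_t rb = modexp_ladder(3, exps[k], 1000000007u, &b);
        printf("e=0x%llx result=%llu (match=%d)  square-and-multiply: %uS %uM   ladder: %uS %uM\n",
               (unsigned long long)exps[k], (unsigned long long)ra, ra == rb,
               a.squares, a.multiplies, b.squares, b.multiplies);
    }
    return 0;
}
```

Running it shows that the leaky variant's multiply count changes with the exponent's Hamming weight while the ladder's trace is the same for both exponents; both return identical results.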
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability announcement CVE-2013-4163

Linux kernel: denial of service via ip6_append_data_mtu

Synthesis of the vulnerability

A local attacker can send IPv6 data with UDP_CORK and IPV6_MTU, in order to stop the kernel.
Impacted products: Debian, Linux, MBS, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Confidence: confirmed by the editor (5/5).
Creation date: 24/07/2013.
Identifiers: BID-61412, CERTA-2013-AVI-498, CERTA-2013-AVI-545, CVE-2013-4163, DSA-2745-1, MDVSA-2013:242, openSUSE-SU-2013:1619-1, openSUSE-SU-2013:1773-1, RHSA-2013:1264-01, SUSE-SU-2013:1473-1, SUSE-SU-2013:1474-1, VIGILANCE-VUL-13157.

Description of the vulnerability

The UDP_CORK socket option accumulates several writes into a single datagram, which is sent when the option is cleared. The IPV6_MTU socket option sets the MTU (maximum packet size) used by the socket.

However, when an IPv6 socket has IPV6_MTU set and the data accumulated with UDP_CORK is sent, the ip6_append_data_mtu() function is called and computes the new size incorrectly, which triggers a call to the BUG() macro.

A local attacker can therefore send IPv6 data with UDP_CORK and IPV6_MTU in order to stop the kernel.

computer vulnerability alert CVE-2013-4162

Linux kernel: denial of service via ip6_push_pending_frames

Synthesis of the vulnerability

A local attacker can send mixed IPv4/IPv6 data with UDP_CORK, in order to stop the kernel.
Impacted products: Debian, Linux, MBS, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: user shell.
Confidence: confirmed by the editor (5/5).
Creation date: 24/07/2013.
Identifiers: BID-61411, CERTA-2013-AVI-498, CERTA-2013-AVI-545, CVE-2013-4162, DSA-2745-1, DSA-2906-1, MDVSA-2013:242, openSUSE-SU-2013:1619-1, openSUSE-SU-2013:1773-1, openSUSE-SU-2013:1971-1, RHSA-2013:1264-01, RHSA-2013:1292-01, RHSA-2013:1436-01, RHSA-2013:1520-01, SUSE-SU-2013:1473-1, SUSE-SU-2013:1474-1, SUSE-SU-2014:0536-1, SUSE-SU-2014:1138-1, VIGILANCE-VUL-13156.

Description of the vulnerability

The UDP_CORK socket option accumulates several writes into a single datagram, which is sent when the option is cleared.

However, when the socket is an IPv6 socket but the data accumulated with UDP_CORK is IPv4, the kernel nevertheless calls the IPv6 ip6_push_pending_frames() function to send the data, which triggers a call to the BUG() macro.

A local attacker can therefore send mixed IPv4/IPv6 data with UDP_CORK in order to stop the kernel.

computer vulnerability CVE-2013-2877

libxml2: denial of service via a truncation

Synthesis of the vulnerability

An attacker can send a truncated XML file to an application linked to libxml2 in order to trigger a denial of service.
Impacted products: Debian, Juniper J-Series, Junos OS, libxml, MBS, openSUSE, RHEL, SLES, Unix (platform) ~ not comprehensive, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 1/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 19/07/2013.
Identifiers: CERTFR-2015-AVI-023, CVE-2013-2877, DSA-2724-1, DSA-2779-1, JSA10669, MDVSA-2013:198, openSUSE-SU-2013:1221-1, openSUSE-SU-2013:1246-1, RHSA-2014:0513-01, SUSE-SU-2013:1625-1, SUSE-SU-2013:1627-1, VIGILANCE-VUL-13145, VMSA-2014-0008.2, VMSA-2014-0012.

Description of the vulnerability

The libxml2 library implements an XML parser.

However, several libxml2 functions do not check for a premature end of data. They then read past the end of the input buffer, which crashes the application.

An attacker can therefore send a truncated XML file to an application linked to libxml2 in order to trigger a denial of service.

vulnerability announcement CVE-2013-1861 CVE-2013-3783 CVE-2013-3793

MySQL: several vulnerabilities of July 2013

Synthesis of the vulnerability

Several vulnerabilities of MySQL are fixed by the CPU (Critical Patch Update) of July 2013.
Impacted products: Debian, Junos Space, Junos Space Network Management Platform, MES, MySQL Community, MySQL Enterprise, openSUSE, Solaris, Percona Server, XtraDB Cluster, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: intranet client.
Confidence: confirmed by the editor (5/5).
Creation date: 17/07/2013.
Identifiers: BID-58511, BID-61210, BID-61214, BID-61222, BID-61227, BID-61233, BID-61235, BID-61238, BID-61244, BID-61249, BID-61252, BID-61256, BID-61260, BID-61264, BID-61269, BID-61272, BID-61274, bulletinoct2015, CERTA-2013-AVI-419, CERTA-2013-AVI-543, cpujuly2013, CVE-2013-1861, CVE-2013-3783, CVE-2013-3793, CVE-2013-3794, CVE-2013-3795, CVE-2013-3796, CVE-2013-3798, CVE-2013-3801, CVE-2013-3802, CVE-2013-3804, CVE-2013-3805, CVE-2013-3806, CVE-2013-3807, CVE-2013-3808, CVE-2013-3809, CVE-2013-3810, CVE-2013-3811, CVE-2013-3812, DSA-2818-1, JSA10601, MDVSA-2013:197, openSUSE-SU-2013:1335-1, openSUSE-SU-2013:1410-1, SUSE-SU-2013:1390-1, SUSE-SU-2013:1529-1, VIGILANCE-VUL-13132.

Description of the vulnerability

A Critical Patch Update fixes several vulnerabilities of MySQL.

An authenticated attacker can use a geometry query in order to stop MySQL (VIGILANCE-VUL-12529). [severity:2/4; BID-58511, CVE-2013-1861]

An attacker can use a vulnerability of MemCached, in order to alter information, or to trigger a denial of service. [severity:2/4; BID-61274, CVE-2013-3798]

An attacker can use a vulnerability of Audit Log, in order to alter information. [severity:2/4; BID-61272, CVE-2013-3809]

An attacker can use a vulnerability of Data Manipulation Language, in order to trigger a denial of service. [severity:2/4; BID-61264, CVE-2013-3793]

An attacker can use a vulnerability of Data Manipulation Language, in order to trigger a denial of service. [severity:2/4; BID-61238, CVE-2013-3795]

An attacker can use a vulnerability of Full Text Search, in order to trigger a denial of service. [severity:2/4; BID-61244, CVE-2013-3802]

An attacker can use a vulnerability of InnoDB, in order to trigger a denial of service. [severity:2/4; BID-61235, CVE-2013-3806]

An attacker can use a vulnerability of Prepared Statements, in order to trigger a denial of service. [severity:2/4; BID-61256, CVE-2013-3805]

An attacker can use a vulnerability of Server Optimizer, in order to trigger a denial of service. [severity:2/4; BID-61260, CVE-2013-3804]

An attacker can use a vulnerability of Server Optimizer, in order to trigger a denial of service. [severity:2/4; BID-61233, CVE-2013-3796]

An attacker can use a vulnerability of Server Options, in order to trigger a denial of service. [severity:2/4; BID-61227, CVE-2013-3808]

An attacker can use a vulnerability of Server Options, in order to trigger a denial of service. [severity:2/4; BID-61269, CVE-2013-3801]

An attacker can use a vulnerability of Server Parser, in order to trigger a denial of service. [severity:2/4; BID-61210, CVE-2013-3783]

An attacker can use a vulnerability of Server Partition, in order to trigger a denial of service. [severity:2/4; BID-61222, CVE-2013-3794]

An attacker can use a vulnerability of Server Privileges, in order to obtain or alter information. [severity:2/4; BID-61238, CVE-2013-3807]

An attacker can use a vulnerability of InnoDB, in order to trigger a denial of service. [severity:2/4; BID-61252, CVE-2013-3811]

An attacker can use a vulnerability of Server Replication, in order to trigger a denial of service. [severity:2/4; BID-61249, CVE-2013-3812]

An attacker can use a vulnerability of XA Transactions, in order to trigger a denial of service. [severity:2/4; BID-61214, CVE-2013-3810]

computer vulnerability note CVE-2013-2851

Linux kernel: privilege escalation via Disk Name

Synthesis of the vulnerability

Impacted products: Debian, Fedora, Linux, MBS, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: administrator access/rights.
Provenance: user shell.
Confidence: confirmed by the editor (5/5).
Creation date: 15/07/2013.
Identifiers: CERTA-2013-AVI-412, CERTA-2013-AVI-498, CVE-2013-2851, DSA-2745-1, DSA-2766-1, FEDORA-2013-10695, FEDORA-2013-9123, MDVSA-2013:194, openSUSE-SU-2013:1619-1, openSUSE-SU-2013:1773-1, openSUSE-SU-2013:1971-1, RHSA-2013:1264-01, RHSA-2013:1645-02, RHSA-2013:1783-01, RHSA-2014:0284-01, SUSE-SU-2013:1473-1, SUSE-SU-2013:1474-1, VIGILANCE-VUL-13109.

Description of the vulnerability

A local attacker who is already administrator (uid 0) can use a crafted disk name that triggers a format string vulnerability in the Linux kernel, in order to escalate privileges to kernel mode (ring 0).

computer vulnerability bulletin CVE-2013-4122

Cyrus SASL: denial of service via crypt

Synthesis of the vulnerability

An attacker can use a malformed salt during the authentication to Cyrus SASL, in order to stop the service.
Impacted products: Cyrus SASL, Debian, Ubuntu.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Confidence: confirmed by the editor (5/5).
Creation date: 15/07/2013.
Identifiers: BID-61164, CVE-2013-4122, DSA-3368-1, USN-2755-1, VIGILANCE-VUL-13108.

Description of the vulnerability

The Cyrus SASL library (Simple Authentication and Security Layer) adds new authentication methods to existing protocols.

The glibc crypt() function hashes a password using a (random) salt. Since glibc version 2.17, crypt() returns a NULL pointer when the salt is malformed. However, Cyrus SASL does not handle this case and dereferences the NULL pointer. The current process then crashes and is not restarted.

An attacker can therefore use a malformed salt during authentication to Cyrus SASL in order to stop the service (there are 5 processes to kill).

computer vulnerability alert CVE-2013-1571

Javadoc: Frame injection via Relative URI

Synthesis of the vulnerability

An attacker can use a relative URI to inject an HTML page into web sites generated with Javadoc, in order to carry out a phishing attack against visitors of the web site.
Impacted products: Tomcat, Debian, Fedora, HP-UX, Tivoli System Automation, MBS, MES, Java OpenJDK, openSUSE, Java Oracle, JavaFX, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights, data reading, data creation/edition.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 15/07/2013.
Identifiers: 1650599, BID-60634, c03868911, c03874547, CERTFR-2014-AVI-244, CVE-2013-1571, DSA-2722-1, DSA-2727-1, FEDORA-2013-11281, FEDORA-2013-11285, HPSBUX02907, HPSBUX02908, javacpujun2013, MDVSA-2013:183, MDVSA-2013:196, MDVSA-2014:042, openSUSE-SU-2013:1247-1, openSUSE-SU-2013:1288-1, RHSA-2013:0957-01, RHSA-2013:0958-01, RHSA-2013:0963-01, RHSA-2013:1014-01, RHSA-2013:1059-01, RHSA-2013:1060-01, RHSA-2013:1081-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SUSE-SU-2013:1238-1, SUSE-SU-2013:1254-1, SUSE-SU-2013:1255-1, SUSE-SU-2013:1255-2, SUSE-SU-2013:1255-3, SUSE-SU-2013:1256-1, SUSE-SU-2013:1257-1, SUSE-SU-2013:1263-1, SUSE-SU-2013:1263-2, SUSE-SU-2013:1305-1, VIGILANCE-VUL-13106, VU#225657.

Description of the vulnerability

The Javadoc tool generates the documentation of applications written in Java language.

Index files (index.htm[l]) and table of contents files (toc.htm[l]) are generated dynamically. However, they contain JavaScript code that does not correctly validate relative URIs. An HTML frame of the page can then be replaced by a malicious frame.

An attacker can therefore use a relative URI to inject an HTML page into web sites generated with Javadoc, in order to carry out a phishing attack against visitors of the web site.

computer vulnerability CVE-2013-4113

PHP: memory corruption via the XML parser

Synthesis of the vulnerability

An attacker can generate a memory corruption in the XML parser of PHP, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Juniper J-Series, Junos OS, SRX-Series, MBS, MES, openSUSE, Solaris, PHP, RHEL, Slackware, SLES.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Confidence: confirmed by the editor (5/5).
Creation date: 12/07/2013.
Identifiers: 65236, BID-61128, CERTA-2013-AVI-414, CERTA-2013-AVI-478, CERTFR-2014-AVI-191, CERTFR-2014-AVI-244, CVE-2013-4113, DSA-2723-1, FEDORA-2013-12315, FEDORA-2013-12354, FEDORA-2013-12977, JSA10804, MDVSA-2013:195, openSUSE-SU-2013:1244-1, openSUSE-SU-2013:1249-1, RHSA-2013:1049-01, RHSA-2013:1050-01, RHSA-2013:1061-01, RHSA-2013:1062-01, RHSA-2013:1063-01, SOL15169, SSA:2013-197-01, SUSE-SU-2013:1285-1, SUSE-SU-2013:1285-2, SUSE-SU-2013:1315-1, SUSE-SU-2013:1316-1, SUSE-SU-2013:1317-1, SUSE-SU-2013:1351-1, VIGILANCE-VUL-13105.

Description of the vulnerability

PHP is a programming language for the Web, together with its interpreter. It includes functions to parse XML documents.

The nesting depth of XML elements must not exceed a predefined level. However, the functions _xml_startElementHandler() and _xml_characterDataHandler() in the file "ext/xml/xml.c" did not perform all the necessary counts and checks against the maximum nesting level.

An attacker can therefore generate a memory corruption in the XML parser of PHP in order to trigger a denial of service, and possibly to execute code.

computer vulnerability alert CVE-2013-2236

Quagga: buffer overflow of the OSPF daemon via LSA

Synthesis of the vulnerability

An attacker can generate a buffer overflow in the processing of advertisements by the OSPF daemon of Quagga, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Debian, MBS, Solaris, Quagga, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: LAN.
Confidence: confirmed by the editor (5/5).
Creation date: 04/07/2013.
Revision dates: 05/07/2013, 09/07/2013.
Identifiers: BID-60955, CERTFR-2014-AVI-244, CVE-2013-2236, DSA-2803-1, MDVSA-2013:254, RHSA-2017:0794-01, SUSE-SU-2014:0879-1, USN-2941-1, VIGILANCE-VUL-13046.

Description of the vulnerability

Quagga is a program suite that provides network routing. It includes an OSPF daemon.

OSPF routers exchange LSA (Link State Advertisement) messages. These messages are of variable size and include length fields. However, if the length of some fields in the advertisement is greater than the size of the storage array, an overflow occurs, even when the length stated in the advertisement is consistent with the message itself. The vulnerability is only present when the product is built with the "--enable-opaque-lsa" option and the ospfd server is started with the "-a" option.

An attacker can therefore generate a buffer overflow in the processing of advertisements by the OSPF daemon of Quagga, in order to trigger a denial of service, and possibly to execute code.

Note: the information source for the vulnerability includes a patch, but it seems more likely that this patch removes the symptom by truncating messages instead of fixing the real bug. It is therefore not taken into account as a solution.
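The Quagga entry above and the libxml2 entry earlier on this page describe the two halves of one defensive rule for length-prefixed input: a length field must be checked against the input that actually remains (otherwise a truncated message is read past its end, the libxml2 failure) and, separately, against the size of the array it is copied into (otherwise a length that is consistent with the message still overflows fixed storage, the Quagga failure). The following is an added example of a parser that applies both checks; it is not Quagga or libxml2 code, and the `field_t` layout, the `FIELD_MAX` storage size, the status codes and the sample messages are all constructed for this illustration, not taken from any real protocol.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIELD_MAX 16   /* fixed-size storage array, like the one overflowed in the Quagga case */

/* A type/length/value field as this example stores it. */
typedef struct { uint8_t type; uint8_t len; uint8_t value[FIELD_MAX]; } field_t;

enum parse_status {
    PARSE_OK        =  0,
    PARSE_TRUNCATED = -1,   /* input ends before the field does (libxml2-style read past end) */
    PARSE_TOO_LONG  = -2,   /* field does not fit the storage array (Quagga-style overflow) */
    PARSE_TOO_MANY  = -3
};

/* Parse one field at buf[*off]. Both bounds are checked before anything is
 * read or copied; *off is advanced only on success. */
int parse_field(const uint8_t *buf, size_t buflen, size_t *off, field_t *out) {
    if (*off > buflen || buflen - *off < 2)
        return PARSE_TRUNCATED;                  /* not even a complete header */
    uint8_t type = buf[*off], len = buf[*off + 1];
    if (len > buflen - *off - 2)
        return PARSE_TRUNCATED;                  /* value would run past the input */
    if (len > FIELD_MAX)
        return PARSE_TOO_LONG;                   /* value is present but would overflow storage */
    out->type = type;
    out->len = len;
    memcpy(out->value, buf + *off + 2, len);
    *off += 2 + (size_t)len;
    return PARSE_OK;
}

/* Parse a whole message into fields[]; stops at the first bad field. */
int parse_message(const uint8_t *buf, size_t buflen, field_t *fields,
                  size_t max_fields, size_t *nfields) {
    size_t off = 0;
    *nfields = 0;
    while (off < buflen) {
        if (*nfields == max_fields) return PARSE_TOO_MANY;
        int rc = parse_field(buf, buflen, &off, &fields[*nfields]);
        if (rc != PARSE_OK) return rc;
        (*nfields)++;
    }
    return PARSE_OK;
}

/* Constructed sample messages (not captured traffic). */
enum { SAMPLE_VALID, SAMPLE_TRUNCATED, SAMPLE_OVERLONG };
static const uint8_t msg_valid[]     = { 1, 3, 'a', 'b', 'c',  2, 2, 'x', 'y' };
static const uint8_t msg_truncated[] = { 1, 8, 'a', 'b', 'c' };   /* claims 8 bytes, only 3 present */

/* Parse one sample; returns the status and, via nfields (may be NULL),
 * how many fields were fully parsed before stopping. */
int parse_sample(int which, size_t *nfields) {
    uint8_t overlong[2 + FIELD_MAX + 4];     /* length is honest, but exceeds FIELD_MAX */
    const uint8_t *buf; size_t len;
    switch (which) {
    case SAMPLE_VALID:     buf = msg_valid;     len = sizeof msg_valid;     break;
    case SAMPLE_TRUNCATED: buf = msg_truncated; len = sizeof msg_truncated; break;
    default:
        overlong[0] = 3; overlong[1] = FIELD_MAX + 4;
        memset(overlong + 2, 'Z', FIELD_MAX + 4);
        buf = overlong; len = sizeof overlong; break;
    }
    field_t fields[4]; size_t n = 0;
    int rc = parse_message(buf, len, fields, 4, &n);
    if (nfields) *nfields = n;
    return rc;
}

size_t sample_field_count(int which) { size_t n; parse_sample(which, &n); return n; }

int main(void) {
    const char *names[] = { "valid", "truncated", "overlong" };
    for (int k = 0; k < 3; k++)
        printf("%-9s status=%d fields=%zu\n", names[k], parse_sample(k, NULL), sample_field_count(k));
    return 0;
}
```

The truncated sample is rejected before any byte of the value is read, and the overlong sample is rejected even though its length field matches the bytes actually present; dropping either check reintroduces one of the two bugs described on this page.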