Posts Tagged ‘open source’
Monday, May 20, 2013 @ 04:05 PM gHale
The developers of the open source cloud storage and collaboration suite ownCloud have released an update that closes several critical vulnerabilities.
Version 5.0.6 of ownCloud closes holes that allowed authenticated users to inject SQL commands, execute PHP code on the server, or download other users’ calendars.
Another flaw allows unauthenticated attackers to execute API commands with admin privileges by way of cross-site request forgery (CSRF), that is, by getting a logged-in administrator’s browser to issue the requests on the attacker’s behalf.
The ownCloud server could also be turned into an open email redirector and misused as a spam source; the update fixes that as well. It also fixes a number of non-security bugs; a complete list of all improvements is available on ownCloud’s Change Log web page.
Because of the serious nature of the vulnerabilities, users should upgrade to ownCloud 5.0.6 as soon as possible.
Some of the security vulnerabilities also affect ownCloud 4.0.x and 4.5.x. For those branches the developers released ownCloud 4.0.15 and 4.5.11, which contain only the security fixes and no further bug fixes. The updated versions are available from the project’s web site.
Monday, April 23, 2012 @ 10:04 AM gHale
The Ruby development team has issued an update to the 1.9.3 series of its open source programming language to fix a vulnerability in the RubyGems package management framework.
The maintenance release, labelled 1.9.3-p194, updates RubyGems to close a security hole in which RubyGems did not properly verify the SSL certificates of remote gem repositories, leaving https gem sources open to man-in-the-middle substitution.
The updated RubyGems, version 1.8.23, fixes this by refusing redirects from https to http connections and by enabling verification of server SSL certificates; more details on both issues are in the RubyGems History file. The developers encourage anyone who uses an https source in .gemrc or /etc/gemrc to upgrade as soon as possible.
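The two checks described above, written out as an added example (this is not RubyGems’ own code; the helper names are this example’s, and the redirect chains are constructed inline so nothing touches the network): a redirect policy that never lets an https request drop to plain http, and a Net::HTTP client that verifies the server certificate against the system trust store.

```ruby
require "net/http"
require "openssl"
require "uri"

# Allow a redirect only if it stays on http(s) and never drops from https to
# plain http, where a network attacker could hand back a substituted gem.
def safe_redirect?(from, to)
  from = URI(from)
  to   = URI(to)
  return false unless %w[http https].include?(to.scheme)
  !(from.scheme == "https" && to.scheme != "https")
end

# Build a Net::HTTP client that refuses TLS connections whose server
# certificate does not chain to the system trust store (VERIFY_PEER, the
# setting the page says RubyGems 1.8.23 turned on).
def verifying_http(uri)
  uri  = URI(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == "https"
    http.use_ssl     = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    store = OpenSSL::X509::Store.new
    store.set_default_paths
    http.cert_store = store
  end
  http
end

# Walk a chain of Location header values (given here as a constructed list
# rather than live responses), stopping at the first unsafe hop or after
# +limit+ hops, and return the final URL that would actually be fetched.
def follow_chain(start, locations, limit = 5)
  current = start
  locations.each_with_index do |loc, i|
    raise ArgumentError, "too many redirects" if i >= limit
    nxt = URI.join(current, loc).to_s
    unless safe_redirect?(current, nxt)
      raise SecurityError, "refusing redirect #{current} -> #{nxt}"
    end
    current = nxt
  end
  current
end

if __FILE__ == $0
  # Constructed chain: an https mirror is fine, an http mirror is refused.
  puts follow_chain("https://rubygems.org/gems/x.gem",
                    ["https://mirror.example/x.gem", "/pool/x.gem"])
  begin
    follow_chain("https://rubygems.org/gems/x.gem", ["http://mirror.example/x.gem"])
  rescue SecurityError => e
    puts e.message
  end
end
```

The redirect check is deliberately applied per hop rather than only to the final URL: a chain that bounces through http even once has already exposed the request to tampering.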
For further information about the update, including a full list of bug fixes, see the official release announcement and the change log. Ruby 1.9.3-p194 is available for download from the project’s site.
Thursday, April 12, 2012 @ 05:04 PM gHale
Samba developers have patched a critical security vulnerability that affects all versions of the open source, cross-platform file sharing software from Samba 3.0.x up to version 3.6.3, which was released in January.
The hole allows an attacker to gain complete control of a Samba server from an unauthenticated connection. The GPLv3-licensed Samba runs on Unix and Linux systems and shares files with Windows systems by implementing the SMB, SMB2 and CIFS protocols.
Security researcher Brian Gorenc and an unnamed colleague, working with the Zero Day Initiative, discovered the vulnerability. The flaw lies in the code generator for Samba’s remote procedure call (RPC) interface and allows clients on the network to force the Samba server to execute arbitrary code. The attack works over an unauthenticated connection and grants the attacker root privileges, and thus complete control of the Samba server.
Because the problem was in the Perl-based DCE/RPC compiler Samba uses to generate the code that handles remote requests, rather than in hand-written source, it was presumably very hard to detect with automated code auditing and stayed hidden for a long time.
Due to the seriousness of the vulnerability, all users of Samba should update their installations as soon as possible, officials said. As a temporary workaround, the developers suggest using the hosts allow parameter in smb.conf to restrict access to the server to trusted hosts only. They point out, however, that “this can be used to help mitigate the problem caused by this bug but it is by no means a real fix, as client addresses can be easily faked.”
The Samba project posted patches for Samba 3.6.3/.4, 3.5.13/.14 and 3.4.15/.16. Red Hat has already released patches for RHEL5 and RHEL6.
Wednesday, March 7, 2012 @ 11:03 AM gHale
The open source web application framework Ruby on Rails has been updated to version 3.2.2 to fix two important security issues and several other bugs.
Because of the serious nature of the security issues, users should upgrade their installations as quickly as possible. Users of Rails 3.0 and 3.1 will find new versions, 3.0.12 and 3.1.4, that also address the vulnerabilities.
The two cross-site scripting vulnerabilities the developers fixed allowed attackers to take advantage of improperly escaped option tag fields and of direct in-place manipulation of a SafeBuffer to execute arbitrary HTML in the browser of users visiting a Rails site. Further details of the option tag issue and the SafeBuffer issue are available from the project.
The Rails 3.2.2 update also includes fixes that ensure log files are flushed and that failing tests exit with a non-zero status code. It also removes calls to some deprecated methods and includes various Ruby 2.0 compatibility fixes.
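To make the two bug classes concrete, here is an added example that is not Rails’ code: a toy stand-in for ActiveSupport::SafeBuffer (the class and helper names are this example’s own) alongside an option-tag helper in its unescaped and escaped forms. The buffer escapes anything appended that is not already marked safe, and it refuses the in-place string mutators that could rewrite already-escaped output into raw markup after the fact.

```ruby
require "erb"

# Toy SafeBuffer: a String that is trusted as HTML. Untrusted text may only
# enter through << (which escapes it); mutators that could edit the buffer
# in place after escaping are blocked.
class SafeBuffer < String
  UNSAFE_MUTATORS = %i[sub! gsub! insert prepend replace].freeze

  def html_safe?
    true
  end

  # Append: pass through text already marked safe, escape everything else.
  def <<(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    super(safe ? value.to_s : ERB::Util.html_escape(value.to_s))
  end

  UNSAFE_MUTATORS.each do |m|
    define_method(m) do |*_args|
      raise ArgumentError, "#{m} is not allowed on a SafeBuffer"
    end
  end
end

# Mark a literal markup fragment written by the developer as trusted.
def raw(markup)
  SafeBuffer.new(markup)
end

# Vulnerable form: label and value are interpolated without escaping, so a
# value like  1" onmouseover="...  breaks out of the attribute.
def unsafe_option_tag(label, value)
  %(<option value="#{value}">#{label}</option>)
end

# Hardened form: only developer-written fragments go in as raw markup;
# label and value pass through << and are escaped.
def option_tag(label, value, selected: false)
  tag = raw('<option value="')
  tag << value
  tag << raw(selected ? '" selected="selected">' : '">')
  tag << label
  tag << raw("</option>")
  tag
end

if __FILE__ == $0
  # Constructed attacker-controlled inputs.
  label = "<script>alert(1)</script>"
  value = '1" onmouseover="x'
  puts unsafe_option_tag(label, value)
  puts option_tag(label, value)
  begin
    raw("<b>safe</b>").gsub!("safe", "<script>x</script>")
  rescue ArgumentError => e
    puts e.message
  end
end
```

Note that the escaped output is returned as a plain String rather than re-marked safe, so appending it to another buffer escapes it again only if it is passed as untrusted; callers that want to embed one buffer in another pass the buffer itself.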
More information on the changes since version 3.2.1 is available on GitHub. Users can download Rails 3.2.2 using RubyGems.
Thursday, February 2, 2012 @ 06:02 PM gHale
Following the release of new versions of its open source Firefox web browser, Thunderbird email client and SeaMonkey suite, Mozilla detailed the security fixes included in each of the updates.
Version 10.0 of Firefox closes eight security holes in the browser, five of which Mozilla rates “Critical”, according to the project’s Security Center page.
The critical issues include an exploitable crash when processing a malformed embedded XSLT stylesheet, potential memory corruption when decoding Ogg Vorbis files, XPConnect security checks bypassed by frame scripts, a use-after-free in child nodes from nsDOMAttribute, and various memory safety hazards. An attacker could exploit these vulnerabilities remotely to execute arbitrary code on a victim’s system.
Additionally, Firefox 10 closes two “High” impact issues that could lead to information disclosure or let an attacker violate the HTML5 frame navigation policy by replacing a sub-frame for phishing attacks. The developers also fixed a moderate-severity bug in which exporting a user’s Firefox Sync key to a “Firefox Recovery Key.html” file saved it with incorrect permissions.
Based on the same Mozilla Gecko platform as Firefox 10, version 2.7 of the SeaMonkey “all-in-one Internet application suite” fixes all of the same vulnerabilities, while Thunderbird 10 addresses all but the moderate incorrect permissions bug because it does not use Firefox Sync.
An update to the 3.6.x legacy branch of Firefox, version 3.6.26, fixes four of the above critical issues and a low impact bug related to an overly permissive IPv6 literal syntax previously repaired in Firefox 7.0, Thunderbird 7.0 and SeaMonkey 2.4. The developers note that Firefox 3.6.26 “now enforces RFC 3986 IPv6 literal syntax”, adding the change “may break links written using the non-standard Firefox-only forms that were previously accepted”. The 3.1.18 update to the 3.1.x branch of Thunderbird also corrects these issues.
All users should upgrade to the current stable versions, the developers said.
Thursday, September 1, 2011 @ 03:09 PM gHale
The Apache project has closed a vulnerability in its open source HTTP server that attackers are exploiting to crash websites.
Flaws in the way the Apache HTTP daemon processed requests asking for many overlapping byte ranges made it easy to crash servers with publicly available software: an attacker could exhaust a server’s memory by sending it only a modest amount of traffic.
An advisory on Apache’s website says the bug, known as CVE-2011-3192, is fixed in version 2.2.20.
“We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade,” the advisory stated. It adds that the vulnerability is seeing “active use.”
One of the bugs fixed in the update was specific to Apache, while a second flaw has been known since 2007 and possibly affects all web servers, an Apache bulletin said. The Internet Engineering Task Force is considering changing the underlying protocol responsible for the problem, Apache said.
Versions 1.3.x, 2.0.x through 2.0.64 and 2.2.x before 2.2.20 contain the denial-of-service vulnerabilities. A single web request that carries many overlapping byte ranges for one page can trigger them.
“The problem is that currently such requests internally explode into 100s of large fetches, all of which are kept in memory in an inefficient way,” Apache’s advisory said. “This is being addressed in two ways. By making things more efficient. And by weeding out or simplifying requests deemed too unwieldy.”
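As an added example of the “weeding out” approach the advisory describes (this is not Apache’s code and the thresholds are this example’s assumptions), the following checker parses a Range header the way a front-end filter would and flags requests that either ask for more than a handful of ranges or ask for ranges that overlap each other, which is what lets a single request balloon into hundreds of in-memory fetches. The sample headers at the bottom are constructed, not captured traffic.

```ruby
# Parse a Range header value into [first, last] byte pairs for a resource
# of +length+ bytes. Unparsable or inverted specs (first > last) are dropped,
# as the RFC says to ignore them, but spec_count still counts them so a
# flood of junk specs is not rewarded.
def parse_ranges(value, length)
  return [] unless value =~ /\Abytes=/i
  specs = value.sub(/\Abytes=/i, "").split(",")
  ranges = specs.map do |spec|
    case spec.strip
    when /\A(\d+)-(\d+)\z/ then [$1.to_i, [$2.to_i, length - 1].min]   # a-b
    when /\A(\d+)-\z/      then [$1.to_i, length - 1]                  # a-  (to end)
    when /\A-(\d+)\z/      then [[length - $1.to_i, 0].max, length - 1] # -n  (last n bytes)
    end
  end
  ranges.compact.select { |first, last| first <= last }
end

# Number of comma-separated pieces in the header, valid or not.
def spec_count(value)
  return 0 unless value =~ /\Abytes=/i
  value.sub(/\Abytes=/i, "").split(",").size
end

# True if any two ranges share at least one byte.
def overlapping?(ranges)
  ranges.sort.each_cons(2).any? { |(_, last_a), (first_b, _)| first_b <= last_a }
end

# A request is suspicious if it asks for more than +max_specs+ pieces
# (assumed threshold) or for pieces that overlap one another.
def suspicious_range?(value, length, max_specs: 5)
  spec_count(value) > max_specs || overlapping?(parse_ranges(value, length))
end

# Constructed sample Range header values for a 1000-byte resource.
SAMPLE_RANGE_HEADERS = [
  "bytes=0-99",                            # ordinary partial fetch
  "bytes=0-499,500-999",                   # two adjacent, non-overlapping pieces
  "bytes=-100",                            # suffix range, last 100 bytes
  "bytes=0-99,50-149",                     # two pieces that overlap
  "bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6",  # whole file plus a pile of junk/overlapping specs
].freeze

# Return the subset of headers the filter would reject or strip.
def flag_suspicious(headers, length = 1000, max_specs: 5)
  headers.select { |h| suspicious_range?(h, length, max_specs: max_specs) }
end

if __FILE__ == $0
  SAMPLE_RANGE_HEADERS.each do |h|
    verdict = suspicious_range?(h, 1000) ? "REJECT" : "allow "
    puts "#{verdict} #{h}  -> #{parse_ranges(h, 1000).inspect}"
  end
end
```

In practice a filter like this strips the Range header (so the server falls back to a plain 200 response) rather than refusing the request outright, which keeps legitimate clients working while removing the amplification.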