Security
By Nathan Willis, April 15, 2015
Although it is best known for safeguarding the anonymity of
Internet users on the client side, the Tor project has long supported hidden
services as well. A hidden service is a mechanism that lets administrators run an
Internet server entirely within the Tor network—thus protecting
the server owner's anonymity as well as the client's. Now the project
is exploring another service option that would be tailored to a
different use case. Direct Onion Services, as the idea is
currently (and, indications are, temporarily) known, would offer the client-side user the
privacy-protecting features already available with hidden services,
but with reduced overhead on the server side. The scheme would mean
that the server gives up its anonymity, but in doing so it
gains improved speed and ease-of-use.
Traditionally, Tor hidden services provide anonymization to both
the client and the server during a session. The client must connect over the
Tor network, and the server is listening only on a virtual interface
that is also connected to Tor (and which is reachable only through a .onion
domain name). Originally, the reason for this design
was that the server could remain just as anonymous as
the client user. No one could determine the owner of an anonymous
dissident's blog by tracing the traffic of a Tor hidden service, since
that traffic is routed through multiple relays.
The trouble with anonymous .onion services
But experience has shown that there is a downside to hidden
services. Configuration is hardly trivial (although the project is
doing what it can to simplify the process) and, more importantly,
routing the hidden service's traffic through multiple
relays—three hops, by default—means increased latency and
reduced bandwidth. And, as it turns out, there are quite a few
hidden-service providers that care little about their own anonymity,
and run their service over Tor primarily for the benefit of their
users—allowing those users to access the service over a secure, anonymous
connection free from prying eyes.
The main example of this scenario is a public Internet service
that maintains a separate Tor entry point as an end-user convenience, such as the
Facebook
hidden service at https://facebookcorewwwi.onion/. The fact that the server
belongs to Facebook is not secret in the least; the .onion site is
there to give users an encrypted and authenticated (thanks to the
self-authenticating design of .onion URLs) way to access the
site when using a network that might block or intercept a normal
web connection. For sites like Facebook, the multi-hop routing of
traffic adds network overhead, but no anonymity.
Consequently, the Tor project has been exploring ways to offer a
better solution for "public" .onion services. George Kadianakis
raised the question in a March 30 blog
post that solicited ideas from the public about how hidden
services could be improved. On April 9, Kadianakis sent a proposal to the Tor development list
outlining what he called "direct onion services."
The proposal highlights the aforementioned well-known-public-site
use case, but it offers a few other possibilities as well. Wikileaks,
for example, uses a .onion service for whistleblowers to submit
information, despite (like Facebook) not
attempting to anonymize itself in the process. Rather, Wikileaks's
use case is that the .onion entry point is a "succeed or fail hard"
proposition—meaning that users can either connect to the service
and know that their Tor-based connection is authentic and encrypted,
or they cannot connect at all. It is impossible for a user to
unknowingly connect to the upload site by insecure means.
Another example is applications that lack authentication or
encryption at the protocol level. The proposal cites a plan by
Freenode to offer IRC access over an .onion service, which would grant
users security and anonymity that the IRC protocol itself lacks.
Public .onion services
The essence of the proposal itself is straightforward. Normally, a
hidden .onion service establishes two types of entry-point connections
on Tor. The first are
introduction points: randomly chosen Tor nodes to which the
service distributes its public key at start-up time. That key is then
added to Tor's
distributed hash table (DHT) from multiple sources to further evade tracing
the server's location; users wanting to reach the service grab the key from the
DHT, hash it, and the hash serves as the hostname component of the
service's .onion URL. The second type of entry point is the
rendezvous point—a randomly chosen Tor node that the client
selects to connect to the service. The client and the service each
create their own circuit to the rendezvous point, rather than
connecting directly.
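As an added example that is not part of the original article, the script below shows the hash-to-hostname step just described for the RSA-based (v2) addresses in use at the time, and how a client can use that derivation to check that a key it obtained from the DHT really belongs to the address it typed, which is the self-authenticating property mentioned earlier for the Facebook service. The RSA modulus is constructed for the demo and is not a real key, and the minimal DER encoder is written here so the script needs only the standard library.

```python
"""Derive a v2 (RSA-based) .onion hostname from a service's public key and
verify that a key fetched from the DHT matches the address the user typed.

v2 address = base32( SHA-1( DER-encoded PKCS#1 RSAPublicKey )[:10] ) + ".onion"
The 80-bit truncated digest becomes the 16-character hostname label. Because
the label is derived from the key, a client that knows the address can check
any key it is handed, which is what makes .onion URLs self-authenticating.
"""
import base64
import hashlib
import hmac
import re


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER: tag 0x02, minimal big-endian body, with a leading 0x00
    when the high bit is set so the value is not read as negative."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length(len(body)) + body


def rsa_public_key_der(modulus: int, exponent: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = _der_integer(modulus) + _der_integer(exponent)
    return b"\x30" + _der_length(len(body)) + body


def onion_address_v2(der_pubkey: bytes) -> str:
    """The hash step from the article: SHA-1 over the DER key, first 80 bits,
    base32 (lower-case) as the hostname label."""
    permanent_id = hashlib.sha1(der_pubkey).digest()[:10]
    return base64.b32encode(permanent_id).decode("ascii").lower() + ".onion"


ONION_V2_RE = re.compile(r"^[a-z2-7]{16}\.onion$")


def verify_onion_address(address: str, der_pubkey: bytes) -> bool:
    """Client-side self-authentication check: the key obtained from the DHT
    must hash back to the address the user asked for. A key that does not
    match is rejected, so handing a client a substitute key for a well-known
    address gains nothing."""
    address = address.strip().lower()
    if not ONION_V2_RE.match(address):
        return False
    return hmac.compare_digest(onion_address_v2(der_pubkey), address)


# Constructed sample modulus for the demo (NOT a real RSA key; it is just a
# 1024-bit odd number so the DER layout matches that of a real 1024-bit key).
EXAMPLE_MODULUS = int.from_bytes(
    hashlib.sha512(b"lwn onion example").digest() * 2, "big") | (1 << 1023) | 1
EXAMPLE_EXPONENT = 65537


def demo() -> dict:
    """Build the key, derive its address, then show that only the matching
    key verifies against that address."""
    der = rsa_public_key_der(EXAMPLE_MODULUS, EXAMPLE_EXPONENT)
    address = onion_address_v2(der)
    other = rsa_public_key_der(EXAMPLE_MODULUS, 3)  # same modulus, other exponent
    return {
        "address": address,
        "genuine_key_ok": verify_onion_address(address, der),
        "other_key_ok": verify_onion_address(address, other),
        # the Facebook address quoted in the article has the expected v2 shape
        "facebook_syntax_ok": bool(ONION_V2_RE.match("facebookcorewwwi.onion")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```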
The proposal states that a non-anonymous service
needs a way to establish one-hop Tor circuits for both types of entry points,
and that it must not connect to guard nodes (a special class of Tor
entry node). Ideally, there will be a way for
users to enable these configuration parameters in a simple manner,
such as by setting a specific option in the .torrc
configuration file.
In the original hidden-service design, each circuit between the server
and an entry point can be multiple hops long. Reducing those excess
hops decreases round-trip time and, in the case of high-traffic
services, it also reduces the amount of overall network traffic sent
over Tor.
The guard-node issue is slightly different. Nodes are assigned the
"guard" flag by Tor's bandwidth-monitoring servers; a guard is a
high-bandwidth node that is designated as a good entry point to the
Tor network for clients. When other Tor nodes see that a node has
been designated a guard, they reduce the number of intermediary
connections they establish through it. Thus, a high-traffic .onion
service could have an undue crippling effect on multiple Tor users if
it sends its higher-than-average traffic through a guard.
Kadianakis based the proposal on an earlier, unimplemented idea
from Roger Dingledine. Dingledine's idea did not address guard nodes,
and it posited doing away with rendezvous
points, but the end goal remains essentially the same.
Kadianakis also asked whether or not the project should provide
special Tor builds tailored for public .onion services (since it
already provides special builds for Tor-to-web gateways). David
Goulet replied that this would likely
not be useful, since it would limit the ability of service operators
to choose between .onion service types on the fly.
Jacob Haven addressed a more fundamental
issue, noting that, if the public .onion service operator was not
concerned about their own anonymity, the introduction points and
rendezvous points themselves may be unnecessary. The service could
advertise itself in some simpler manner and users could connect to it
directly, thus reducing Tor network load even further.
Kadianakis replied that such simplifications would indeed be likely
to provide additional speed improvements, but that they would require
changes to the hidden-service codebase. There is also a downside, he
added, in that the rendezvous-point connection protocol is able to
punch through NAT, while listening for direct connection requests
would potentially be blocked by NAT.
On the whole, though, there appears to be rough consensus that the
idea is well worth pursuing, and there has indeed been some
preliminary development work by Alec Muffett. Amusingly enough, the
big unresolved question at this point appears to be what to call the
new feature. Kadianakis cautioned in his original email that the name
"direct onion service" would likely need revisiting—it is not
particularly descriptive, and the acronym DOS has an unfortunate name
collision with "denial of service." So, too, does his follow-up
suggestion "dangerous direct onion service" as well as several of the
ideas proposed in the discussion thread (such as Matt "Speak
Freely"'s suggestion
"peeled onion service").
Then again, the name Tor itself has never been especially
new-user-friendly either. In reality, what matters most is that Tor
can provide the anonymity and privacy safeguards that its
users—client or server—depend on. This proposal looks to
be further meeting the needs of users in both categories.
Brief items
Criticizing [J. Alex] Halderman and [Vanessa] Teague for identifying
security flaws in an Internet voting system is like criticizing your friend
for pointing out that the lock on your front door doesn’t work. While
moving to Internet voting may sound reasonable to folks who haven't paid
any attention to the rampant security problems of the Internet these days,
it's just not feasible now. As Verified
Voting notes: "Current systems lack auditability; there's no way to
independently confirm their correct functioning and that the outcomes
accurately reflect the will of the voters while maintaining voter privacy
and the secret ballot." Indeed, the researchers' discovery was not the
first indication that New South Wales was not ready for an Internet voting
system. Australia’s own Joint Standing Committee on Electoral Matters concluded last year, “Australia is not in a position to introduce any large-scale system of electronic voting in the near future without catastrophically compromising our electoral integrity.”
— Farbod Faraji for the Electronic Frontier Foundation
We show that, while the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the “Great Cannon.” The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.
The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users. Specifically, the Cannon manipulates the traffic of “bystander” systems outside China, silently programming their browsers to create a massive DDoS attack. While employed for a highly visible attack in this case, the Great Cannon clearly has the capability for use in a manner similar to the NSA’s QUANTUM system, affording China the opportunity to deliver exploits targeting any foreign computer that communicates with any China-based website not fully utilizing HTTPS.
— Citizenlab
As long as our leaders are scared of the terrorists, they're going to
continue the security theater. And we're similarly going to accept whatever
measures are forced upon us in the name of security. We're going to accept
the National Security Agency's surveillance of every American, airport
security procedures that make no sense and metal detectors at baseball and
football stadiums. We're going to continue to waste money overreacting to irrational fears.
We no longer need the terrorists. We're now so good at terrorizing ourselves.
— Bruce Schneier
New vulnerabilities
apache: information leak
Package(s): apache
CVE #(s): CVE-2014-5704
Created: April 13, 2015
Updated: April 16, 2015
Description:
From the CVE entry:
The DISH Anywhere (aka com.sm.SlingGuide.Dish) application 3.5.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
apport: privilege escalation
Package(s): apport
CVE #(s): CVE-2015-1318
Created: April 14, 2015
Updated: April 17, 2015
Description:
From the Ubuntu advisory:
Stéphane Graber and Tavis Ormandy independently discovered that Apport
incorrectly handled the crash reporting feature. A local attacker could use
this issue to gain elevated privileges.
asterisk: SSL server spoofing
Package(s): asterisk
CVE #(s): CVE-2015-3008
Created: April 15, 2015
Updated: July 21, 2015
Description:
From the CVE entry:
Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before 1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 13.1-cert2, when registering a SIP TLS device, does not properly handle a null byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
chrony: multiple vulnerabilities
Package(s): chrony
CVE #(s): CVE-2015-1821, CVE-2015-1822, CVE-2015-1853
Created: April 13, 2015
Updated: July 6, 2015
Description:
From the Debian advisory:
CVE-2015-1821:
Using particular address/subnet pairs when configuring access control
would cause an invalid memory write. This could allow attackers to
cause a denial of service (crash) or execute arbitrary code.
CVE-2015-1822:
When allocating memory to save unacknowledged replies to authenticated
command requests, a pointer would be left uninitialized, which could
trigger an invalid memory write. This could allow attackers to cause a
denial of service (crash) or execute arbitrary code.
CVE-2015-1853:
When peering with other NTP hosts using authenticated symmetric
association, the internal state variables would be updated before the
MAC of the NTP messages was validated. This could allow a remote
attacker to cause a denial of service by impeding synchronization
between NTP peers.
das-watchdog: privilege escalation
Package(s): das-watchdog
CVE #(s): CVE-2015-2831
Created: April 13, 2015
Updated: April 15, 2015
Description:
From the Debian advisory:
Adam Sampson discovered a buffer overflow in the handling of the
XAUTHORITY environment variable in das-watchdog, a watchdog daemon to
ensure a realtime process won't hang the machine. A local user can
exploit this flaw to escalate his privileges and execute arbitrary
code as root.
dpkg: integrity-verification bypass
Package(s): dpkg
CVE #(s): CVE-2015-0840
Created: April 10, 2015
Updated: June 15, 2015
Description:
From the Debian advisory:
Jann Horn discovered that the source package integrity verification in dpkg-source can be bypassed via a specially crafted Debian source control file (.dsc). Note that this flaw only affects extraction of local Debian source packages via dpkg-source but not the installation of packages from the Debian archive.
drupal7-webform: unspecified vulnerability
Package(s): drupal7-webform
CVE #(s): (none)
Created: April 9, 2015
Updated: April 15, 2015
Description:
Update to drupal7-webform 4.7 (notes) that may or may not include a security fix. The Fedora advisory includes a bug report reference from the 4.4 series. Whether the update fixes this older bug or another from the 4.7 release cycle is not specified.
echoping: denial of service
Package(s): echoping
CVE #(s): (none)
Created: April 10, 2015
Updated: April 16, 2015
Description:
From the Red Hat bug report:
echoping segfaults all the time.
[ Which is evidently due to a bad build back in 2013. ]
firefox: multiple vulnerabilities
Package(s): firefox
CVE #(s): CVE-2015-0798, CVE-2015-0799
Created: April 9, 2015
Updated: April 22, 2015
Description:
From the CVE entries:
CVE-2015-0798: The Reader mode feature in Mozilla Firefox before 37.0.1 on Android, and Desktop Firefox pre-release, does not properly handle privileged URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy.
CVE-2015-0799: The HTTP Alternative Services feature in Mozilla Firefox before 37.0.1 allows man-in-the-middle attackers to bypass an intended X.509 certificate-verification step for an SSL server by specifying that server in the uri-host field of an Alt-Svc HTTP/2 response header.
icecast: denial of service
Package(s): icecast
CVE #(s): CVE-2015-3026
Created: April 13, 2015
Updated: August 19, 2015
Description:
From the Arch Linux advisory:
The bug can only be triggered if "stream_auth" is being used.
This means that all installations that use a default configuration are
NOT affected. The default configuration only uses <source-password>.
Neither are simple mountpoints affected that use <password>.
A workaround, if installing an updated package is not possible, is to
disable "stream_auth" and use <password> instead.
As far as we understand the bug only leads to a simple remote denial of
service. The underlying issue is a null pointer dereference. For
clarity: No remote code execution should be possible, server just
segfaults.
An attacker could kill the icecast-server, by triggering the server with
a special URL, due to a null pointer dereference.
The problem has been fixed upstream in version 2.4.2.
java: multiple vulnerabilities
Package(s): java-openjdk
CVE #(s): CVE-2005-1080, CVE-2015-0460, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0488
Created: April 15, 2015
Updated: April 28, 2015
Description:
From the Oracle CVE entries:
CVE-2005-1080:
A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.
CVE-2015-0460:
A flaw was found in the way the Hotspot component in OpenJDK handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions.
CVE-2015-0469:
An off-by-one flaw, leading to a buffer overflow, was found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrusted Java application or applet to bypass Java sandbox restrictions.
CVE-2015-0477:
A flaw was discovered in the Beans component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
CVE-2015-0478:
It was found that the RSA implementation in the JCE component in OpenJDK did not follow recommended practices for implementing RSA signatures.
CVE-2015-0480:
A directory traversal flaw was found in the way the jar tool extracted JAR archive files. A specially crafted JAR archive could cause jar to overwrite arbitrary files writable by the user running jar when the archive was extracted.
CVE-2015-0488:
A flaw was found in the way the JSSE component in OpenJDK parsed X.509 certificate options. A specially crafted certificate could cause JSSE to raise an exception, possibly causing an application using JSSE to exit unexpectedly.
kernel: information leak
Package(s): kernel
CVE #(s): CVE-2015-2041
Created: April 9, 2015
Updated: April 15, 2015
Description:
From the Ubuntu advisory:
An information leak was discovered in the Linux kernel's handling of userspace configuration of the link layer control (LLC). A local user could exploit this flaw to read data from other sysctl settings.
libdbd-firebird-perl: buffer overflow
Package(s): libdbd-firebird-perl
CVE #(s): CVE-2015-2788
Created: April 13, 2015
Updated: April 20, 2015
Description:
From the Debian advisory:
Stefan Roas discovered a way to cause a buffer overflow in DBD-FireBird,
a Perl DBI driver for the Firebird RDBMS, in certain error conditions, due
to the use of the sprintf() function to write to a fixed-size memory buffer.
libx11: code execution
Package(s): libx11
CVE #(s): CVE-2013-7439
Created: April 13, 2015
Updated: April 15, 2015
Description:
From the Debian advisory:
Abhishek Arya discovered a buffer overflow in the MakeBigReq macro
provided by libx11, which could result in denial of service or the
execution of arbitrary code.
mediawiki: multiple vulnerabilities
Package(s): mediawiki
CVE #(s): CVE-2015-2931, CVE-2015-2932, CVE-2015-2933, CVE-2015-2934, CVE-2015-2935, CVE-2015-2936, CVE-2015-2937, CVE-2015-2938, CVE-2015-2939, CVE-2015-2940, CVE-2015-2941, CVE-2015-2942
Created: April 10, 2015
Updated: April 20, 2015
Description:
From the Arch Linux advisory:
CVE-2015-2931 (cross-site scripting) It was discovered that MIME types were not properly restricted, allowing a way to circumvent the SVG MIME blacklist for embedded resources. This allowed an attacker to embed JavaScript in a SVG file.
CVE-2015-2932 (cross-site scripting) The SVG filter to prevent injecting JavaScript using animate elements was incorrect. The list of dangerous parts of HTML5 is supposed to include all uses of 'animate attributename="xlink:href"' in SVG documents.
CVE-2015-2933 (cross-site scripting) A persistent XSS vulnerability was discovered due to the way attributes were expanded in MediaWiki's HTML class, in combination with LanguageConverter substitutions.
CVE-2015-2934 (cross-site scripting) It was discovered that MediaWiki's SVG filtering could be bypassed with entity encoding under the Zend interpreter. This could be used to inject JavaScript.
CVE-2015-2935 (external resource loading) A way was discovered to bypass the style filtering for SVG files to load external resources. This could violate the anonymity of users viewing the SVG. This issue exists because of an incomplete fix for CVE-2014-7199.
CVE-2015-2936 (denial of service) It was discovered that MediaWiki versions using PBKDF2 for password hashing (the default since 1.24) are vulnerable to DoS attacks using extremely long passwords.
CVE-2015-2937 (denial of service) It was discovered that MediaWiki is vulnerable to "Quadratic Blowup" denial of service attacks.
CVE-2015-2938 (cross-site scripting) It was discovered that the MediaWiki feature allowing a user to preview another user's custom JavaScript could be abused for privilege escalation. This feature has been removed.
CVE-2015-2939 (cross-site scripting) It was discovered that function names were not sanitized in Lua error backtraces, which could lead to XSS.
CVE-2015-2940 (cross-site request forgery) It was discovered that the CheckUser extension did not prevent CSRF attacks on the form allowing checkusers to look up sensitive information about other users. Since the use of CheckUser is logged, the CSRF could be abused to defame a trusted user or flood the logs with noise.
CVE-2015-2941 (cross-site scripting) It was discovered that XSS is possible in the way API errors were reflected under HHVM versions before 3.6.1. MediaWiki now detects and mitigates this issue on older versions of HHVM.
CVE-2015-2942 (denial of service) It was discovered that MediaWiki's SVG and XMP parsing running under HHVM was susceptible to "Billion Laughs" DoS attacks.
mysql: unspecified vulnerabilities
Package(s): mysql
CVE #(s): CVE-2015-0385, CVE-2015-0409
Created: April 13, 2015
Updated: April 15, 2015
Description:
From the CVE entries:
Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Pluggable Auth. (CVE-2015-0385)
Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. (CVE-2015-0409)
powerpc-utils-python: code execution
Package(s): powerpc-utils-python
CVE #(s): CVE-2014-8165
Created: April 9, 2015
Updated: April 15, 2015
Description:
From the CVE entry:
scripts/amsvis/powerpcAMS/amsnet.py in powerpc-utils-python uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object.
qemu: denial of service
Package(s): qemu
CVE #(s): CVE-2015-1779
Created: April 13, 2015
Updated: May 14, 2015
Description:
From the Red Hat bugzilla:
It was found that QEMU's websocket frame decoder processed incoming frames without limiting resources used to process the header and payload. An attacker able to access a guest's VNC console could use this flaw to trigger a denial of service on the host by exhausting all available memory and CPU.
ruby: man-in-the-middle attack
Package(s): ruby
CVE #(s): CVE-2015-1855
Created: April 14, 2015
Updated: May 19, 2015
Description:
From the Arch Linux advisory:
After reviewing RFC 6125 and RFC 5280, multiple violations were found of
matching hostnames and particularly wildcard certificates.
Ruby's OpenSSL extension will now provide a string-based matching
algorithm which follows more strict behavior, as recommended by these
RFCs. In particular, matching of more than one wildcard per subject/SAN
is no longer allowed. As well, comparison of these values is now
case-insensitive.
This change will affect Ruby's
OpenSSL::SSL#verify_certificate_identity behavior.
Specifically:
- Only one wildcard character in the left-most part of the hostname is
  allowed.
- IDNA names can now only be matched by a simple wildcard (e.g.
  '*.domain').
- Subject/SAN should be limited to ASCII characters only.
A remote attacker can make use of the overly permissive hostname
matching during certificate verifications to perform a man-in-the-middle
attack by spoofing SSL servers via a crafted certificate.
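As an added example, not taken from the advisory or from Ruby's OpenSSL extension, the following Python matcher implements the stricter rules the advisory lists (one wildcard, left-most label only, a bare wildcard only for IDNA A-labels, ASCII-only names compared case-insensitively) and shows which certificate names such a check now rejects; all hostnames and certificate names in it are constructed for the demo.

```python
"""Strict hostname matching for X.509 subject CN / SAN dNSName entries,
following the rules listed in the Ruby advisory (after RFC 6125 section 6.4.3):
  - at most one wildcard, and only in the left-most label;
  - a wildcard matches exactly one label, never a dot;
  - an IDNA A-label (xn--...) is matched only by a bare "*" label;
  - names are ASCII only and compared case-insensitively.
"""
from typing import List, Optional


def _labels(name: str) -> Optional[List[str]]:
    """Normalise a DNS name to lower-case ASCII labels; None if malformed."""
    name = name.strip().lower().rstrip(".")
    if not name or not name.isascii():
        return None                       # non-ASCII subject/SAN is rejected
    labels = name.split(".")
    if any(label == "" for label in labels):
        return None                       # empty label, e.g. "a..b"
    return labels


def match_hostname(pattern: str, hostname: str) -> bool:
    """True if certificate name `pattern` is an acceptable match for `hostname`."""
    p_labels, h_labels = _labels(pattern), _labels(hostname)
    if p_labels is None or h_labels is None or "*" in hostname:
        return False
    if "*" not in pattern:
        return p_labels == h_labels       # plain, case-insensitive comparison
    if pattern.count("*") != 1 or "*" not in p_labels[0]:
        return False                      # rejects "*.*.example.com", "www.*.com"
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False                      # the wildcard covers one label only
    p_first, h_first = p_labels[0], h_labels[0]
    if h_first.startswith("xn--") and p_first != "*":
        return False                      # IDNA label: only a simple wildcard
    prefix, suffix = p_first.split("*")   # allows partial wildcards like "baz*"
    return (len(h_first) >= len(prefix) + len(suffix)
            and h_first.startswith(prefix) and h_first.endswith(suffix))


def verify_certificate_identity(cert_names: List[str], hostname: str) -> bool:
    """Accept the certificate if any of its subject/SAN names matches."""
    return any(match_hostname(name, hostname) for name in cert_names)


# Constructed pairs (certificate name, hostname) that the strict rules reject
# even though an overly permissive matcher would let them through.
REJECTED_EXAMPLES = [
    ("*.*.example.com", "a.b.example.com"),              # two wildcards
    ("www.*.com", "www.example.com"),                    # wildcard not left-most
    ("*.example.com", "a.b.example.com"),                # would span two labels
    ("x*.example.com", "xn--bcher-kva.example.com"),     # partial match on A-label
    ("*.example.com", "b\u00fccher.example.com"),        # non-ASCII hostname
]


def demo() -> List[bool]:
    """Evaluate the constructed pairs; every entry should come back False."""
    return [match_hostname(p, h) for p, h in REJECTED_EXAMPLES]


if __name__ == "__main__":
    for (pattern, host), accepted in zip(REJECTED_EXAMPLES, demo()):
        print(f"{pattern:>20} vs {host:<30} accepted={accepted}")
```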
socat: denial of service
Package(s): socat
CVE #(s): CVE-2015-1379
Created: April 15, 2015
Updated: April 15, 2015
Description:
From the Mageia advisory:
In socat before 2.0.0-b8, signal handler implementations are not
async-signal-safe and can cause crash or freeze of socat processes. Mostly
this issue occurs when socat is in listening mode with fork option and a
couple of child processes terminate at the same time.
varnish: heap buffer overflow
Package(s): varnish
CVE #(s): (none)
Created: April 13, 2015
Updated: April 15, 2015
Description:
From the Red Hat bugzilla:
A heap-based buffer overflow flaw was reported (including a reproducer) in varnish, a high-performance HTTP accelerator:
http://seclists.org/oss-sec/2015/q1/776
wesnoth: information leak
Package(s): wesnoth-1.10
CVE #(s): CVE-2015-0844
Created: April 13, 2015
Updated: April 27, 2015
Description:
From the Debian advisory:
Ignacio R. Morelle discovered that missing path restrictions in the
"Battle of Wesnoth" game could result in the disclosure of arbitrary
files in the user's home directory if malicious campaigns/maps are
loaded.
xen: multiple vulnerabilities
Package(s): xen
CVE #(s): CVE-2015-2752, CVE-2015-2756, CVE-2015-2751
Created: April 13, 2015
Updated: April 15, 2015
Description:
From the CVE entries:
The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, when using a PCI passthrough device, is not preemptable, which allows local x86 HVM domain users to cause a denial of service (host CPU consumption) via a crafted request to the device model (qemu-dm). (CVE-2015-2752)
QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response. (CVE-2015-2756)
Xen 4.3.x, 4.4.x, and 4.5.x, when using toolstack disaggregation, allows remote domains with partial management control to cause a denial of service (host lock) via unspecified domctl operations. (CVE-2015-2751)
xterm: denial of service
Package(s): xterm
CVE #(s): (none)
Created: April 9, 2015
Updated: April 15, 2015
Description:
From the Red Hat bug report:
Buffer overflow leading to application crash.
Page editor: Jake Edge