[Full-disclosure] FreeBSD crontab information leakage
For its implementation of the standard UNIX cron daemon, FreeBSD uses a version based off vixie-cron. This package is installed by default, and includes a setuid-root crontab binary to allow unprivileged users to list and modify their own cronjobs. I recently audited this code [1], and found a few interesting race conditions and symlink attacks that allow for very minor information leakage.

I thought I'd share my findings because I enjoyed exploiting these issues and they don't pose any significant risk to live systems - in other words, this advisory is intended for system administrators and developers of FreeBSD-based systems; journalists, end users and other non-technical readers do not need to be concerned. :p

OpenBSD and NetBSD are not affected. Nor is Debian/Ubuntu cron, which is based on vixie-cron 3.0, or Red Hat/Fedora cronie, which is a fork off ISC Cron (aka vixie-cron 4.1). It seems the vulnerable code was specially inserted into the FreeBSD codebase as additional security checks that introduced new issues of their own. Perhaps it was inserted as a government-sponsored backdoor. Only kidding.

Because of its heavy reliance on FreeBSD source code, Mac OS X is also affected [2], except for the realpath() case, which is conveniently #ifdef'd out.

= Leakage of file/directory existence via stat() calls =

At two points (lines 366 and 436 in crontab.c), crontab makes calls to stat() on a user-owned temporary file while retaining an euid of 0. Since stat() follows symbolic links and returns ENOENT when called on a symbolic link pointing to a non-existent resource, this can be used to determine the existence of files or directories in ways that violate directory search permissions.

The first of these instances, on line 436, is trivially exploitable. First, invoke crontab with the -e flag to edit an existing cronjob. This will result in crontab opening a text editor to edit the cronjob. While this editor is open, simply remove the temporary file created by crontab (of the form /tmp/crontab.XX) and replace it with a symlink to a file whose existence you wish to verify. On exiting the editor, crontab will print a warning if the call to stat() on this symlink fails, confirming the non-existence of the target file. Likewise, if the file exists, a different error will be generated ("temp file must be edited in place").

The second of these instances, on line 366, doesn't have the luxury of an editor holding everything up, and so requires exploitation of a race condition. The temporary file is created on line 338. It can't be removed at this time, since it's created with euid 0 in a presumably sticky-bit /tmp directory, but shortly after it's fchown()'d to the user's id. At this point, if it's deleted and replaced with a symlink to the file whose existence is to be confirmed, the call to stat() on line 366 will perform identically to the first case.

== Leakage of directory existence via realpath() ==

When crontab is run with a file argument, it makes a call to realpath() with euid 0 to canonicalize the provided argument:

--snip--
	} else if (realpath(Filename, resolved_path) != NULL &&
	    !strcmp(resolved_path, SYSCRONTAB)) {
		err(ERROR_EXIT, SYSCRONTAB " must be edited manually");
	}
--snip--

SYSCRONTAB is defined as /etc/crontab. Because realpath() resolves each member of the requested path individually, in this case with euid 0, it's possible to reveal the existence of directories regardless of search permissions, again violating DAC. For example, consider the following request:

	crontab /my/secret/directory/../../../../etc/crontab

If /my/secret/directory exists, realpath() will return a non-NULL value and the resolved path will still be equal to SYSCRONTAB. If not, the above error message will be displayed, because realpath() will return an error if any directories in the search path do not exist.

= MD5 comparisons for arbitrary files =

FreeBSD's crontab calculates the MD5 sum of the previous and new cronjob to determine if any changes have been made before copying the new version in. This seems entirely superfluous to me, but maybe there's a good explanation. In particular, it uses the MD5File() function, which takes a pathname as an argument, and is again called with euid 0. The following relevant steps are performed by crontab:

1. Create the temporary file (of the form /tmp/crontab.XX)
2. chown() this file to the user's id
3. Open the existing cronjob and copy it into the temp file
4. Call
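The two oracles described above, replayed in one process as an added example (this is not code from the advisory or from FreeBSD's crontab.c, and it runs unprivileged, so it shows the mechanism rather than the DAC bypass): the "privileged" side stat()s the temp file by name, the user side replaces that name with a symlink, and alongside the vulnerable call is the descriptor-identity check a setuid program should use instead. It also builds the realpath()-style probe path from the advisory, with a directory created for the demo standing in for /my/secret/directory; since Python's os.path.realpath() silently skips missing components, the probe uses os.stat(), which walks the path component by component the way realpath(3) does. All paths are constructed under a temporary directory.

```python
"""Existence oracle through stat() on a user-controlled name, and the
descriptor-identity check that closes it.

Added example (not code from the advisory or from FreeBSD's crontab.c).
Everything runs unprivileged in one process: the 'privileged' calls are the
ones a setuid binary would make with euid 0. All paths are created under a
temporary directory constructed for the demo.
"""
import errno
import os
import stat
import tempfile


def stat_by_name(path):
    """The vulnerable pattern: the temp file is re-examined by *name* after
    the user has been given ownership of it. os.stat() follows symlinks, so
    the answer now describes whatever the user pointed the name at.
    Returns "OK" or the errno name ("ENOENT" is the leaked bit)."""
    try:
        os.stat(path)
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    return "OK"


def name_still_is_fd(fd, path):
    """The hardened pattern: keep the descriptor from the original open() and
    require the name to still denote that very object. os.lstat() does not
    follow links, so a swapped-in symlink is seen as a symlink and rejected;
    a swapped-in regular file fails the (st_dev, st_ino) comparison."""
    try:
        by_name = os.lstat(path)
    except OSError:
        return False
    by_fd = os.fstat(fd)
    return (stat.S_ISREG(by_name.st_mode)
            and (by_name.st_dev, by_name.st_ino) == (by_fd.st_dev, by_fd.st_ino))


def realpath_probe(probe_dir, target):
    """The realpath() oracle from the advisory: '<probe>/../../../<target>' with
    more '..' than the depth of <probe> canonicalises to <target> because '..'
    of '/' is '/', so the lookup fails only when a component of <probe> is
    missing. Python's os.path.realpath() skips missing components, so os.stat()
    (which walks the path component by component, like realpath(3)) is used."""
    climb = "../" * (probe_dir.count("/") + 2)
    candidate = os.path.join(probe_dir, climb + target.lstrip("/"))
    try:
        st = os.stat(candidate)
    except OSError:
        return False
    return os.path.samestat(st, os.stat(target))


def run_demo():
    """Plays both sides. Returns (stat_by_name, name_still_is_fd) for each
    state of the temp file name, plus the realpath probe results for an
    existing and a missing directory."""
    tmpdir = tempfile.mkdtemp(prefix="crontab-oracle-")
    tmpfile = os.path.join(tmpdir, "crontab.demo")   # stands in for /tmp/crontab.XX
    missing = os.path.join(tmpdir, "no-such-file")
    results = {}
    fd = os.open(tmpfile, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        results["before"] = (stat_by_name(tmpfile), name_still_is_fd(fd, tmpfile))

        os.unlink(tmpfile)                 # user side: the name is ours now
        os.symlink(missing, tmpfile)       # dangling link: stat() -> ENOENT
        results["dangling"] = (stat_by_name(tmpfile), name_still_is_fd(fd, tmpfile))

        os.unlink(tmpfile)
        os.symlink(tmpdir, tmpfile)        # link to something that exists
        results["existing"] = (stat_by_name(tmpfile), name_still_is_fd(fd, tmpfile))

        results["realpath"] = (realpath_probe(tmpdir, tmpdir),
                               realpath_probe(os.path.join(tmpdir, "no-such-dir"), tmpdir))
    finally:
        os.close(fd)
        if os.path.lexists(tmpfile):
            os.unlink(tmpfile)
        os.rmdir(tmpdir)
    return results


if __name__ == "__main__":
    for state, observed in run_demo().items():
        print("%-9s %s" % (state, observed))
```

The identity check is the same fix for all three findings: once the program holds a descriptor, every later stat(), MD5 or copy should go through that descriptor (fstat(), read()), never through the name the user now owns; and the realpath() call should be made after dropping to the user's euid, so a missing or unsearchable component fails the same way it would for the user.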
Re: [Full-disclosure] Python ssl handling could be better...
You're preaching to the choir...I agree there should be support, but don't go all talking about changing defaults without at least some thought involved.

What about self-signed certs in my closed network?

What about guests on a network behind a web proxy that MITMs 80/443?

What if you're brokering a connection, not for some strict security sake, but just because you can and gain a little bit of privacy? Have any personal web sites/servers you don't *need* commercial certs for but want something anyway?

In an ideal world, I hear what you're saying. But we're far from ideal...

I think we should be happy with the inclusion of such options in 3.2

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Python ssl handling could be better...
+1 with a cherry on top!

A cipher is a device for converting a plaintext distribution problem into a key distribution problem. An ephemeral key-agreement protocol (e.g., Diffie-Hellman) is a device for converting a key distribution problem into an authentication problem. Therefore, authentication is primary.

One could say that unauthenticated encryption converts a passive eavesdropping attack into an active man-in-the-middle attack.

On 02/27/2011 12:58 PM, bk wrote:
> If you have the ability to sniff unencrypted traffic, you also have the ability to hijack unauthenticated HTTPS traffic, it's just that simple.

Of the population of people who login to a computer and try to protect information, the percentage of those who have ever used tcpdump or Wireshark is very small. Of those who have looked at a packet capture, the percentage who have ever experimented with active network attack tools is even smaller. Nevertheless, there are off-the-shelf systems that will do it at production scale.

Most of us find it much easier to obtain and view a pcap than set up an active man-in-the-middle attack scenario. So converting the attacker from a passive eavesdropper to an active on-line attacker (who probably had to plan ahead a little bit) sure seems like it would represent an increase in security. And maybe it is if you're only defending against the random internet malware of today. But it's of little use if you need to be concerned about a targeted attack (i.e., you have, know, or are something worth defending). Just ask the Iranian government or the Tunisian people.

> ENCRYPTION IS POINTLESS WITHOUT AUTHENTICATION

Maybe it's even worse than pointless.

1. Insufficiently-authenticated encryption inevitably gives a false sense of security.
2. Encryption can cause open vulnerabilities to be hidden to passive network monitoring systems.
3. But attackers are not constrained to be passive. Encryption can cause active, ongoing attacks to be hidden from monitoring.

Humans, like all living things, have over millions of years evolved sophisticated built-in mechanisms for recognizing each other. We have so much authentication going on at an automatic level that we find it very difficult to judge the magnitude of the task.

This is exactly the type of situation that favors the hackers, pentesters, and dictators of countries where the ISPs operate under the Ministry of Information. Let's not make it so easy that it takes all the fun out of it for them.

- Marsh
[Full-disclosure] BackWPup Wordpress plugin = 1.4.0 File content disclosure
=
- Release date: Feb 28th, 2010
- Discovered by: Danilo Massa
- Severity: High
=

I. VULNERABILITY

BackWPup Wordpress plugin <= 1.4.0 File content disclosure

II. BACKGROUND

BackWPup 1.4.0 is a full-featured backup management solution for Wordpress. The plugin provides:
- Database Backup
- WordPress XML Export
- Optimize Database
- Check\Repair Database
- File Backup
- Backups in zip,tar,tar.gz,tar.bz2 format
- Store backup to Folder
- Store backup to FTP Server
- Store backup to Amazon S3
- Store backup to RackSpaceCloud
- Store backup to DropBox
- Send Log/Backup by eMail

III. INTRODUCTION

BackWPup version 1.4.0 (and maybe the previous ones too) has an unfiltered parameter inside two php pages that lets a remote user access sensitive files like /etc/passwd. No authentication required. No plugin activation required.

IV. DESCRIPTION

Input passed via the wpabs parameter to the php pages

- wp-content/plugins/backwpup/app/options-view_log-iframe.php
- wp-content/plugins/backwpup/app/options-runnow-iframe.php

is not sanitized before being used. Both files start by trying to include the wp-load.php file using the wpabs parameter, which can be injected with a direct call to the page.

options-view_log-iframe.php:

    <?php
    if (file_exists($_GET['wpabs'].'wp-load.php') and file_exists($_GET['logfile'])) {
        require_once($_GET['wpabs'].'wp-load.php'); /** Setup WordPress environment */
        ...

options-runnow-iframe.php:

    if (file_exists($_GET['wpabs'].'wp-load.php') and is_numeric(trim($_GET['jobid']))) {
        require_once($_GET['wpabs'].'wp-load.php'); /** Setup WordPress environment */
        ...

Inserting a string terminator %00 inside the wpabs parameter makes it possible to specify a file name instead of a directory and have it included in the web page.

NOTE: also the

V. PROOF OF CONCEPT

Below is a harmless test that can be executed on a Unix machine that hosts wordpress with the vulnerable plugin.

http://wordpress_site/wp-content/plugins/backwpup/app/options-runnow-iframe.php?wpabs=/etc/passwd%00&jobid=1
http://wordpress_site/wp-content/plugins/backwpup/app/options-view_log-iframe.php?wpabs=/etc/passwd%00&logfile=/etc/passwd

Both of them will display the /etc/passwd file.

VI. BUSINESS IMPACT

An attacker could exploit the vulnerability to retrieve virtually any text file accessible by the web application server user.

VII. SYSTEMS AFFECTED

Version 1.4.0 is vulnerable. Versions < 1.4.0 could be vulnerable.

VIII. SOLUTION

Upgrade to a patched release or, as a quick workaround, enclose any $_GET['wpabs'] in a trim call like this:

    if (file_exists(trim($_GET['wpabs']).'wp-load.php') and file_exists($_GET['logfile'])) {

IX. REFERENCES

http://wordpress.org/extend/plugins/backwpup/
http://danielhuesken.de/portfolio/backwpup/

X. CREDITS

The vulnerability has been discovered by Danilo Massa
danilo(under_score)m(at)yahoo(dot)com

XI. VULNERABILITY HISTORY

January 28th, 2011: Vulnerability identification
January 30th, 2011: Vendor notification
January 30th, 2011: Vendor releases an updated version (1.4.1)
February 28th, 2011: Vulnerability disclosure

XII. LEGAL NOTICES

The information contained within this advisory is supplied as-is with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
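A confinement check for a request-supplied include root, as an added example that is not the plugin's code. It is written in Python so it runs here; each step corresponds to a PHP call (is_dir() and realpath() on the candidate root, require_once() only on the canonical result). The NUL check is what the %00 in the proof of concept relies on: C-level file APIs stop at the first NUL byte, and PHP's filesystem functions did the same until 5.3.4 started rejecting such paths. The directory layout, allowed roots and inputs are constructed for the demo.

```python
"""Confining an include root supplied in the request.

Added example, not BackWPup's code. Written in Python so it runs here; each
step maps onto a PHP call (is_dir()/realpath() on the candidate root,
require_once() only on the canonical result). Layout, allowed roots and
inputs are constructed for the demo.
"""
import os
import shutil
import tempfile


class UnsafePath(ValueError):
    """Raised for any wpabs value the include must refuse."""


def resolve_wp_load(wpabs, allowed_roots):
    """Return the canonical path of <wpabs>/wp-load.php, or raise UnsafePath.

    1. No NUL byte. C-level file APIs stop at the first NUL, so
       'wpabs=/etc/passwd%00' made file_exists() test /etc/passwd while
       require_once() later read the same truncated name.
    2. The candidate must be a directory, not merely an existing path.
    3. After canonicalisation it must sit inside an allowed root, which
       also defeats '/../../' climbs that survive the directory check.
    4. The file to include must be a regular file named wp-load.php that
       canonicalises inside the same root (a symlink elsewhere is refused).
    """
    if "\x00" in wpabs:
        raise UnsafePath("NUL byte in path")
    base = os.path.realpath(wpabs)
    if not os.path.isdir(base):
        raise UnsafePath("not a directory: %r" % wpabs)
    roots = [os.path.realpath(r) for r in allowed_roots]
    root = next((r for r in roots if base == r or base.startswith(r + os.sep)), None)
    if root is None:
        raise UnsafePath("outside allowed roots: %r" % base)
    target = os.path.realpath(os.path.join(base, "wp-load.php"))
    if not (os.path.isfile(target) and target.startswith(root + os.sep)):
        raise UnsafePath("no usable wp-load.php under %r" % base)
    return target


def demo():
    """Constructed layout: one allowed WordPress root holding wp-load.php,
    and a second directory outside the root that also holds a wp-load.php.
    Returns {case: "accepted" | rejection reason}."""
    root = tempfile.mkdtemp(prefix="wp-root-")
    outside = tempfile.mkdtemp(prefix="wp-outside-")
    try:
        for d in (root, outside):
            open(os.path.join(d, "wp-load.php"), "w").close()
        cases = {
            "legit":   root + "/",             # normal plugin use
            "nul":     "/etc/passwd\x00",      # the advisory's %00 trick
            "outside": outside + "/",          # exists, has wp-load.php, wrong tree
            "climb":   root + "/../",          # traversal out of the root
        }
        results = {}
        for name, wpabs in cases.items():
            try:
                resolve_wp_load(wpabs, [root])
                results[name] = "accepted"
            except UnsafePath as e:
                results[name] = str(e)
        return results
    finally:
        shutil.rmtree(root)
        shutil.rmtree(outside)


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-8s %s" % (case, outcome))
```

The stricter answer is to not take the root from the request at all: a plugin file already knows where it lives (dirname(__FILE__) in PHP) and can locate wp-load.php relative to itself, which removes the parameter rather than filtering it.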
[Full-disclosure] [USN-1075-1] Samba vulnerability
===
Ubuntu Security Notice USN-1075-1            February 28, 2011
samba vulnerability
CVE-2011-0719
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  samba  3.0.22-1ubuntu3.14

Ubuntu 8.04 LTS:
  samba  3.0.28a-1ubuntu4.14

Ubuntu 9.10:
  samba  2:3.4.0-3ubuntu5.8

Ubuntu 10.04 LTS:
  samba  2:3.4.7~dfsg-1ubuntu3.4

Ubuntu 10.10:
  samba  2:3.5.4~dfsg-1ubuntu8.3

In general, a standard system update will make all the necessary changes.

Details follow:

Volker Lendecke discovered that Samba incorrectly handled certain file descriptors. A remote attacker could send a specially crafted request to the server and cause Samba to crash or hang, resulting in a denial of service.

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba_3.0.22-1ubuntu3.14.diff.gz
      Size/MD5:   169665 0ece5aa29a3f84eebda13c6d64b49248
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba_3.0.22-1ubuntu3.14.dsc
      Size/MD5:     1846 14e3c068c7690f01b8cbb32e50e6c11f
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba_3.0.22.orig.tar.gz
      Size/MD5: 17542657 5c39505af17cf5caf3d6ed8bab135036

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba-doc-pdf_3.0.22-1ubuntu3.14_all.deb
      Size/MD5:  6595258 4854e8c5b4b02c1627767d6402cb47eb
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba-doc_3.0.22-1ubuntu3.14_all.deb
      Size/MD5:  6903064 f0920a669f3ae85129e1284f3455fc98

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/s/samba/libpam-smbpass_3.0.22-1ubuntu3.14_amd64.deb
      Size/MD5:   428066 ef5430d2ecf0b541cedf02556773a72a
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/libsmbclient-dev_3.0.22-1ubuntu3.14_amd64.deb
      Size/MD5:   113450 2c7676f2f0a09feb1d970ae612292a31
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/libsmbclient_3.0.22-1ubuntu3.14_amd64.deb
      Size/MD5:   799492 5d6b50da50a7252071113d376cc90357
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/python2.4-samba_3.0.22-1ubuntu3.14_amd64.deb
      Size/MD5:      596 15b26e9253e7a8949ecfd779a7f2b943
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba-common_3.0.22-1ubuntu3.14_amd64.deb
      Size/MD5:  2417834 e27bf6e3ada11f5febb33b25467985bc
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba-dbg_3.0.22-1ubuntu3.14_amd64.deb
      Size/MD5: 11897966 b834a6d7b0459dfe72405819c7b7a7f1
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba_3.0.22-1ubuntu3.14_amd64.deb
      Size/MD5:  3407048 6e1c4e963306143a1e220b1196f1d7e5
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/smbclient_3.0.22-1ubuntu3.14_amd64.deb
      Size/MD5:  4045438 26426178e0b6bd4ddc3102ebde1a5b5d
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/smbfs_3.0.22-1ubuntu3.14_amd64.deb
      Size/MD5:   451274 d9b12f8c98906112e44073e6bd4942e3
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/swat_3.0.22-1ubuntu3.14_amd64.deb
      Size/MD5:   834814 c9678655fd655168ad4ed2a225edef8b
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/winbind_3.0.22-1ubuntu3.14_amd64.deb
      Size/MD5:  1933506 2382ce9dc5f5e6f41206360447c98706

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/s/samba/libpam-smbpass_3.0.22-1ubuntu3.14_i386.deb
      Size/MD5:   367400 63912bec34786f7ad73d732cc86c7618
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/libsmbclient-dev_3.0.22-1ubuntu3.14_i386.deb
      Size/MD5:   113448 09680c55bdf9ffc92c71df0f977b64a5
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/libsmbclient_3.0.22-1ubuntu3.14_i386.deb
      Size/MD5:   684500 1401f7a750f8e6cf5b02c1bfa4a3a6b1
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/python2.4-samba_3.0.22-1ubuntu3.14_i386.deb
      Size/MD5:  5072252 2346916a59e224427e567e00776b5f6b
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba-common_3.0.22-1ubuntu3.14_i386.deb
      Size/MD5:  2080498 5bdf52b93d2440cc81c759511262e677
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba-dbg_3.0.22-1ubuntu3.14_i386.deb
      Size/MD5:  9813412 751a91f5ea84825873c2274751f572de
    http://security.ubuntu.com/ubuntu/pool/main/s/samba/samba_3.0.22-1ubuntu3.14_i386.deb
      Size/MD5:  2855458 165c22542e8be77b16adb10a771e9156
[Full-disclosure] [USN-1076-1] ClamAV vulnerability
===
Ubuntu Security Notice USN-1076-1            February 28, 2011
clamav vulnerability
CVE-2011-1003
===

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 9.10:
  libclamav6  0.95.3+dfsg-1ubuntu0.09.10.4

Ubuntu 10.04 LTS:
  libclamav6  0.96.5+dfsg-1ubuntu1.10.04.2

Ubuntu 10.10:
  libclamav6  0.96.5+dfsg-1ubuntu1.10.10.2

In general, a standard system update will make all the necessary changes.

Details follow:

It was discovered that the Microsoft Office processing code in libclamav improperly handled certain Visual Basic for Applications (VBA) data. This could allow a remote attacker to craft a document that could crash clamav or possibly execute arbitrary code. In the default installation, attackers would be isolated by the ClamAV AppArmor profile.

Updated packages for Ubuntu 9.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.95.3+dfsg-1ubuntu0.09.10.4.diff.gz
      Size/MD5:   266751 b92bfa373bb70a45a6a6b9da28ed6f3f
    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.95.3+dfsg-1ubuntu0.09.10.4.dsc
      Size/MD5:     2200 11176ce261f337f98615e64abf25069d
    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.95.3+dfsg.orig.tar.gz
      Size/MD5: 26892533 dfe1348c52223ab48f049123021aea4a

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-base_0.95.3+dfsg-1ubuntu0.09.10.4_all.deb
      Size/MD5: 24052698 07823a204b0184c393d21eb73756ee61
    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-docs_0.95.3+dfsg-1ubuntu0.09.10.4_all.deb
      Size/MD5:  1130156 4a71ebc89c1fd2f12212e056667b87f5
    http://security.ubuntu.com/ubuntu/pool/universe/c/clamav/clamav-testfiles_0.95.3+dfsg-1ubuntu0.09.10.4_all.deb
      Size/MD5:   232322 6f1249909788dde6b529d50a3d63df7d

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-daemon_0.95.3+dfsg-1ubuntu0.09.10.4_amd64.deb
      Size/MD5:   383424 297b54ad42f073d0d8d4d05b12976d49
    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-dbg_0.95.3+dfsg-1ubuntu0.09.10.4_amd64.deb
      Size/MD5:  1101424 82e2344ab87ff2c236ebb49e29c27794
    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-freshclam_0.95.3+dfsg-1ubuntu0.09.10.4_amd64.deb
      Size/MD5:   288914 881eb37183a88d1da7e72fc35694038b
    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.95.3+dfsg-1ubuntu0.09.10.4_amd64.deb
      Size/MD5:   281396 17da940e0a1f4ba23d449a7f8e2e5965
    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav-dev_0.95.3+dfsg-1ubuntu0.09.10.4_amd64.deb
      Size/MD5:   623244 3ef5257416648e31a31237833bb85637
    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav6_0.95.3+dfsg-1ubuntu0.09.10.4_amd64.deb
      Size/MD5:   584348 b6575b4d17950ffd6265d4da98a0b449
    http://security.ubuntu.com/ubuntu/pool/universe/c/clamav/clamav-milter_0.95.3+dfsg-1ubuntu0.09.10.4_amd64.deb
      Size/MD5:   309392 b2770bd551c6c4de5aafaf2def4234a2

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-daemon_0.95.3+dfsg-1ubuntu0.09.10.4_i386.deb
      Size/MD5:   370028 d3fb2fe77201b9a6eb350b0526c2d746
    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-dbg_0.95.3+dfsg-1ubuntu0.09.10.4_i386.deb
      Size/MD5:  1059028 02d70b012003fc08d78b00fa8ad0f088
    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav-freshclam_0.95.3+dfsg-1ubuntu0.09.10.4_i386.deb
      Size/MD5:   284590 d419566e6897a6e6e0e9c108295043b4
    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/clamav_0.95.3+dfsg-1ubuntu0.09.10.4_i386.deb
      Size/MD5:   275360 b0136ae6dc82a6c378659fdead534504
    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav-dev_0.95.3+dfsg-1ubuntu0.09.10.4_i386.deb
      Size/MD5:   585258 dbdb318fb8f6a0330cf2e0c57c087b3e
    http://security.ubuntu.com/ubuntu/pool/main/c/clamav/libclamav6_0.95.3+dfsg-1ubuntu0.09.10.4_i386.deb
      Size/MD5:   567976 4bd9888413fae10c335b72543aaf641b
    http://security.ubuntu.com/ubuntu/pool/universe/c/clamav/clamav-milter_0.95.3+dfsg-1ubuntu0.09.10.4_i386.deb
      Size/MD5:   303144 78c86ec166f8072319eb40ec5e3ca1db

  armel architecture (ARM Architecture):

    http://ports.ubuntu.com/pool/main/c/clamav/clamav-daemon_0.95.3+dfsg-1ubuntu0.09.10.4_armel.deb
      Size/MD5:   372168 a30ec034c21cb0a3403937307c381492
    http://ports.ubuntu.com/pool/main/c/clamav/clamav-dbg_0.95.3+dfsg-1ubuntu0.09.10.4_armel.deb
[Full-disclosure] [USN-1074-2] Linux kernel vulnerabilities
===
Ubuntu Security Notice USN-1074-2            February 28, 2011
linux-fsl-imx51 vulnerabilities
CVE-2009-4895, CVE-2010-2066, CVE-2010-2226, CVE-2010-2248, CVE-2010-2478,
CVE-2010-2495, CVE-2010-2521, CVE-2010-2524, CVE-2010-2538, CVE-2010-2798,
CVE-2010-2942, CVE-2010-2943, CVE-2010-2946, CVE-2010-2954, CVE-2010-2955,
CVE-2010-2962, CVE-2010-2963, CVE-2010-3015, CVE-2010-3067, CVE-2010-3078,
CVE-2010-3079, CVE-2010-3080, CVE-2010-3081, CVE-2010-3084, CVE-2010-3296,
CVE-2010-3297, CVE-2010-3298, CVE-2010-3301, CVE-2010-3310, CVE-2010-3432,
CVE-2010-3437, CVE-2010-3442, CVE-2010-3448, CVE-2010-3477, CVE-2010-3698,
CVE-2010-3705, CVE-2010-3848, CVE-2010-3849, CVE-2010-3850, CVE-2010-3858,
CVE-2010-3861, CVE-2010-3904, CVE-2010-4072, CVE-2010-4073, CVE-2010-4074,
CVE-2010-4078, CVE-2010-4079, CVE-2010-4165, CVE-2010-4169, CVE-2010-4249
===

A security issue affects the following Ubuntu releases:

Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 10.04 LTS:
  linux-image-2.6.31-608-imx51  2.6.31-608.22

After a standard system update you need to reboot your computer to make all the necessary changes.

Details follow:

USN-1074-1 fixed vulnerabilities in linux-fsl-imx51 in Ubuntu 9.10. This update provides the corresponding updates for Ubuntu 10.04.

Original advisory details:

 Al Viro discovered a race condition in the TTY driver. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2009-4895)

 Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly check file permissions. A local attacker could overwrite append-only files, leading to potential data loss. (CVE-2010-2066)

 Dan Rosenberg discovered that the swapexit xfs ioctl did not correctly check file permissions. A local attacker could exploit this to read from write-only files, leading to a loss of privacy. (CVE-2010-2226)

 Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the memory manager did not properly handle when applications grow stacks into adjacent memory regions. A local attacker could exploit this to gain control of certain applications, potentially leading to privilege escalation, as demonstrated in attacks against the X server. (CVE-2010-2240)

 Suresh Jayaraman discovered that CIFS did not correctly validate certain response packets. A remote attacker could send specially crafted traffic that would crash the system, leading to a denial of service. (CVE-2010-2248)

 Ben Hutchings discovered that the ethtool interface did not correctly check certain sizes. A local attacker could perform malicious ioctl calls that could crash the system, leading to a denial of service. (CVE-2010-2478, CVE-2010-3084)

 James Chapman discovered that L2TP did not correctly evaluate checksum capabilities. If an attacker could make malicious routing changes, they could crash the system, leading to a denial of service. (CVE-2010-2495)

 Neil Brown discovered that NFSv4 did not correctly check certain write requests. A remote attacker could send specially crafted traffic that could crash the system or possibly gain root privileges. (CVE-2010-2521)

 David Howells discovered that DNS resolution in CIFS could be spoofed. A local attacker could exploit this to control DNS replies, leading to a loss of privacy and possible privilege escalation. (CVE-2010-2524)

 Dan Rosenberg discovered that the btrfs filesystem did not correctly validate permissions when using the clone function. A local attacker could overwrite the contents of file handles that were opened for append-only, or potentially read arbitrary contents, leading to a loss of privacy. Only Ubuntu 9.10 was affected. (CVE-2010-2538)

 Bob Peterson discovered that GFS2 rename operations did not correctly validate certain sizes. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-2798)

 Kees Cook discovered that under certain situations the ioctl subsystem for DRM did not properly sanitize its arguments. A local attacker could exploit this to read previously freed kernel memory, leading to a loss of privacy. (CVE-2010-2803)

 Eric Dumazet discovered that many network functions could leak kernel stack contents. A local attacker could exploit this to read portions of kernel memory, leading to a loss of privacy. (CVE-2010-2942, CVE-2010-3477)

 Dave Chinner discovered that the XFS filesystem did not correctly order inode lookups when exported by NFS. A remote attacker could exploit this to read or write disk blocks that had changed file assignment or had become unlinked, leading to a loss of privacy. (CVE-2010-2943)

 Sergey Vlasov discovered that JFS did not correctly handle
[Full-disclosure] weechat does not properly use gnutls and allow an attacker to bypass certificate verification
About WeeChat:

WeeChat is a fast, light and extensible chat client. It runs on many platforms (including Linux, BSD and Mac OS). Development is very active, and bug fixes are very fast!

The vuln:

Weechat does not use the GnuTLS API properly to check certificates, potentially exposing users to man-in-the-middle attacks.

Weechat registers a callback function to be called by GnuTLS during the TLS/SSL handshake. The function performs checks on the server certificate and optionally sends a client certificate. The mentioned code is located in src/core/wee-network.c in the network_init function:

    gnutls_certificate_client_set_retrieve_function (gnutls_xcred, hook_connect_gnutls_set_certificates);

Excerpt from gnutls's doc:

    gnutls_certificate_client_set_retrieve_function sets a callback to be called in order to retrieve the certificate to be used in the handshake. (...) If the callback function is provided then gnutls will call it, in the handshake, after the certificate request message has been received.

This callback function will only be called when the server asks for a client certificate during the handshake, but weechat also uses this callback to check the server certificate. As specified in rfc2246 at 7.4.6, the certificate request is optional:

    7.4.6. Client certificate

    When this message will be sent:
        This is the first message the client can send after receiving a server hello done message. This message is only sent if the server requests a certificate.

So when the server does not request a client certificate, hook_connect_gnutls_set_certificates is never called and weechat does not perform any check on the server certificate. It doesn't print any of the usual information about the dh key size and the content of the server certificate either.

POC:

    $ openssl genrsa -out server.key 4096
    $ openssl req -new -key server.key -out server.csr
    $ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    $ openssl dhparam -outform PEM -out dhparam.pem 4096
    $ openssl s_server -cert server.crt -key server.key -dhparam dhparam.pem -accept 6697 > ./log &
    $ weechat-curses ircs://127.0.0.1:6697   # will not check the certificate
    $ fg
    ^C
    $ openssl s_server -cert server.crt -key server.key -dhparam dhparam.pem -accept 6697 -verify yes > ./log2 &
    $ weechat-curses ircs://127.0.0.1:6697   # will print an error because the certificate is self signed

This problem affects all versions. The maintainer has been contacted and a fix should be published. someday...

A beta fix is available here: http://savannah.nongnu.org/patch/index.php?7459

JD
[Full-disclosure] Facebook URL Redirect Vulnerability
--
1. Summary:

Once the victim clicks on a specially crafted Facebook URL they can be redirected to a malicious website.

--
2. Description:

Facebook applications' use of 'track.php?r=' doesn't sanitize the redirection input properly. This allows an attacker to input any URL that a victim will get redirected to. It is not required for the victim to be logged in to Facebook for this attack to work.

The following is an example of a vulnerable URL:

http://apps.facebook.com/truthsaboutu/track.php?r=http://www.securitypentest.com

The following Google search query can be used to find vulnerable URLs:

site:facebook.com inurl:track.php? inurl:r=

--
3. Impact:

Potentially allow an attacker to compromise a victim's Facebook account and/or computer system.

--
4. Affected Products:

www.facebook.com

--
5. Solution:

None

--
6. Time Table:

2/27/2011 Reported Vulnerability to the Vendor

--
7. Credits:

Discovered by Nathan Power
www.securitypentest.com
--
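One way to validate the r= parameter, as an added example (not Facebook's code or the reporter's): accept only site-relative paths or absolute http(s) URLs whose host is on an allowlist, and send everything else to a fixed fallback. The allowlist uses the two Facebook hosts named in the advisory; the inputs are constructed, and the function also covers bypass shapes the advisory does not list (scheme-relative //host, a userinfo '@' in front of the real host, backslashes, non-http schemes).

```python
"""Allowlist validation for a redirect target taken from a query parameter.

Added example, not Facebook's code or the reporter's. The hosts below are
the two named in the advisory; all inputs are constructed.
"""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"apps.facebook.com", "www.facebook.com"}


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return a value that is safe to put in a Location: header.

    Accepted: a site-relative path starting with a single '/', or an
    absolute http(s) URL whose host (case-insensitively) is in
    allowed_hosts. Anything else collapses to fallback, including the
    shapes browsers parse more loosely than urlsplit():
      - control characters, surrounding whitespace and backslashes
        ('/\\evil.example' is read as '//evil.example' by some browsers);
      - scheme-relative '//evil.example', which is not site-relative;
      - 'http://apps.facebook.com@evil.example/', where the allowed name
        is only userinfo and evil.example is the real host;
      - non-http schemes such as javascript: or data:.
    """
    if not target or target != target.strip():
        return fallback
    if any(ord(c) < 0x20 or c == "\\" for c in target):
        return fallback
    try:
        parts = urlsplit(target)
        port = parts.port                   # raises on 'host:notanumber'
    except ValueError:
        return fallback
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: keep it on this site, and never '//host'.
        return target if target.startswith("/") and not target.startswith("//") else fallback
    if parts.scheme not in ("http", "https"):
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback
    host = parts.hostname
    if host is None or host not in allowed_hosts:
        return fallback
    netloc = host if port is None else "%s:%d" % (host, port)
    # Rebuild from the parsed pieces so the emitted URL is exactly what was checked.
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    for candidate in ("/truthsaboutu/home",
                      "http://www.securitypentest.com",
                      "//www.securitypentest.com/",
                      "http://apps.facebook.com@www.securitypentest.com/",
                      "javascript:alert(1)",
                      "https://apps.facebook.com/truthsaboutu/"):
        print("%-55s -> %s" % (candidate, safe_redirect_target(candidate)))
```

An allowlist of exact hosts is deliberately stricter than a suffix match ("ends with facebook.com"), which would also accept evilfacebook.com; if subdomains are needed, compare against the parent with an explicit "." boundary rather than a substring test.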
[Full-disclosure] CONFidence 2011- CfP only 6 days left, we are still waiting for your submission
CONFIDENCE 9TH EDITION CALL FOR PAPERS.

/* Apologies if you receive multiple copies of this announcement */

### If you are still considering becoming a CONFidence speaker, there are only 6 days left to send a CfP submission.

Calling all practitioners in the field of IT security!

The 9th edition of the international IT security conference, CONFidence 2011, is taking place on May 24/25, 2011. We invite all to send the proposed topic and abstracts of presentation till the 5th March 2011. Please, remember that CONFidence is an open, international conference and all presentations should be given in English.

The answer to CfP should include:

# name, last name and e-mail address of the potential speaker
# speaker's short bio, describing his experience and skills
# speaker's place of residence
# presentation topic with short description of proposed lecture (no more than 500 words)
# non-standard technical requirements

We are especially interested in presentations concerning:

# Analysis and reverse engineering of malicious code
# Analysis of vulnerability, attacks and defence against networks, hardware, software
# Virtualization and operating systems security
# Web applications security and cryptography
# Botnets
# Security research

Applications should be sent to andrzej.targosz{@}proidea.org.pl till the 5th March, 2011.

DISCLAIMERS

We do not accept marketing, non-technical presentations aimed at presenting and selling any products. If your lecture presents a company or its product, please do not send it!

SPONSORSHIP

CONFidence offers many sponsorship opportunities. 100% of the sponsorship goes directly to the attendees. If you are interested in sponsoring, please contact slawomir.jabs{@}proidea.org.pl

CONFidence conference is a non-profit event and speakers are not being paid. However, we always try to provide financial help and cover travel expenses and accommodation. It needs to be agreed upon after acceptance of the submission, though.

CONFidence Team
http://2011.confidence.org.pl

--
Andrzej Targosz :1024D/E2DE0833 :gpg: http://www.proidea.org.pl/gpg/at
Fundacja Wspierania Edukacji Informatycznej PROIDEA
ul. Konarskiego 44 lok.6, 30-046 Krakow
tel./fax: +4812 6171183
e-mail: andrzej.targ...@proidea.org.pl
JID: andrzej.targ...@jabber.wroc.pl
www.proidea.org.pl
[Full-disclosure] buy information or exploit for ZDI-11-075/CVE-2011-0606
buy information or exploit for ZDI-11-075/CVE-2011-0606
Re: [Full-disclosure] Python ssl handling could be better...
On Feb 28, 2011, at 9:34 AM, Michael Krymson wrote:

> What about self-signed certs in my closed network?

The ssl.py module (library/whatever) has support for selectively disabling certificate verification. This parameter should be exposed up the stack in modules that rely on it. The second major problem here is that httplib.py does not support that parameter, so anything higher in the stack is tied to the (incorrect) default.

That's the thing with default behaviors: the default should be set to something sane (in the case of encryption, SECURE) and there should be a way to override it if a significant number of users will want to do so (two strikes against the Python dev team).

BTW, there really isn't a security difference between encrypted-but-unauthenticated traffic and just plain unencrypted traffic. The only attacker you're defeating is a casual observer, who probably is more curious than harmful. Determined attackers who are out to harm you are going to get the information anyway. If something is important enough to encrypt traffic to/from, it's important enough to authenticate too; otherwise it isn't worth the hassle at all.

> What about guests on a network behind a web proxy that MITMs 80/443?

If you're intentionally MITMing client traffic, the client should trust your MITM CA. If you aren't doing it that way, ur doin it rong. You basically just compromised the security of all of your end-points and are training your users to ignore warnings. In the case of Python apps, you're teaching your developers insecure coding practices. It's cascading stupidity.

> What if you're brokering a connection, not for some strict security sake, but just because you can and gain a little bit of privacy? Have any personal web sites/servers you don't *need* commercial certs for but want something anyway?

See above.

> In an ideal world, I hear what you're saying. But we're far from ideal...

It's not ideal because people take the lazy way and assume that unauthenticated encryption is good enough. It's not good enough because it's trivially broken. It used to be (say, a decade ago) less risky because there weren't readily available tools everywhere that could do the active MITM, but now there are and everyone has already learned to be lazy, so we're at a net deficit from the starting point. Every time you tell yourself "it could be broken, but I'm sure no one will make that much of an effort", you're wrong and have just made a fundamental mistake.

> I think we should be happy with the inclusion of such options in 3.2

No, I'm not going to be happy about an after-thought fix. At least httplib.py should never have been put in the tree without an option to tell ssl.py to verify the server cert. FFS, they have client cert support; would it REALLY be that hard to pass the verification parameter to ssl.py? No, it's just sheer ignorance of security.

-- bk
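As an added illustration of bk's point above (a secure default, an explicit and noisy override, and a private CA bundle as the answer to "self-signed certs in my closed network"), here is a small Python 3 wrapper around `ssl` and `http.client`, the successors of the `ssl.py`/`httplib.py` discussed in the thread; this is not code from the thread or from CPython. The `allow_unverified` flag, `make_context`/`audit_context` helpers and the host name `example.invalid` are assumptions made for the example.

```python
import ssl
import warnings
from http.client import HTTPSConnection


def make_context(verify=True, cafile=None):
    """Build a client TLS context that authenticates the server by default.

    verify=True  -> CERT_REQUIRED plus hostname checking (the sane default).
    verify=False -> the explicit opt-out; it warns loudly so nobody inherits
                    encrypted-but-unauthenticated traffic by accident.
    cafile is optional: a private CA bundle covers the "self-signed certs in
    my closed network" case without turning verification off.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        warnings.warn("TLS server verification disabled: traffic is encrypted "
                      "but not authenticated", RuntimeWarning, stacklevel=2)
        ctx.check_hostname = False   # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the ways a context fails to authenticate its peer (empty = OK)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate "
                        "chain, or none at all, is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate issued "
                        "for some other host is accepted")
    return findings


class VerifiedHTTPSConnection(HTTPSConnection):
    """HTTPSConnection that refuses a non-verifying context unless the caller
    passes allow_unverified=True (a hypothetical flag): the "sane default with
    an explicit override" bk asks for, applied one layer up the stack."""

    def __init__(self, host, port=None, *, context=None,
                 allow_unverified=False, **kwargs):
        context = context if context is not None else make_context()
        problems = audit_context(context)
        if problems and not allow_unverified:
            raise ValueError("refusing unauthenticated TLS: "
                             + "; ".join(problems))
        super().__init__(host, port, context=context, **kwargs)


if __name__ == "__main__":
    # example.invalid is a constructed host name; nothing is connected here,
    # the check happens when the connection object is built.
    VerifiedHTTPSConnection("example.invalid")            # accepted
    try:
        VerifiedHTTPSConnection("example.invalid",
                                context=make_context(verify=False))
    except ValueError as exc:
        print(exc)                                        # refused
```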
Re: [Full-disclosure] III World War. - Broadcast Request.
> I believe that the III World War conflict might start in 10 months or more from now. The question is: who's unified and who's willing to participate. Leadership is not yet defined. It may be as well someone well known in IT industry or someone completely unknown. Where could we meet if such a situation happens?

That depends on your concept of heaven.

t
Re: [Full-disclosure] III World War. - Broadcast Request.
I'm already living on a rock completely insulated from the rest of mankind. What about you?

On Mon, Feb 28, 2011 at 9:39 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

> > I believe that the III World War conflict might start in 10 months or more from now. The question is: who's unified and who's willing to participate. Leadership is not yet defined. It may be as well someone well known in IT industry or someone completely unknown. Where could we meet if such a situation happens?
>
> That depends on your concept of heaven.
>
> t
Re: [Full-disclosure] III World War. - Broadcast Request.
> I believe that the III World War conflict might start in 10 months or more from now.

It's hard to disagree.

/mz
Re: [Full-disclosure] III World War. - Broadcast Request.
ahahaahah... what kind of haze did you smoke this time, Mr. asmo? Take it easy with drugs :)

antisnatchor

> Christian Sciberras, February 28, 2011 10:04 PM
> I'm already living on a rock completely insulated from the rest of mankind. What about you?

> Thor (Hammer of God), February 28, 2011 9:39 PM
> That depends on your concept of "heaven."
> t

> asmo, February 26, 2011 12:31 AM
> Hello,
> To Whom it may concern.
> I believe that the III World War conflict might start in 10 months or more from now. The question is: who's unified and who's willing to participate. Leadership is not yet defined. It may be as well someone well known in IT industry or someone completely unknown. Where could we meet if such a situation happens? It might not happen any time soon, so it may sound like a hoax, but just in case, any ideas? Security guys must have a plan. Even if it sounds pathetic as for now. So?
[Full-disclosure] [SECURITY] [DSA 2175-1] samba security update
Debian Security Advisory DSA-2175-1                    secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 28, 2011                          http://www.debian.org/security/faq

Package        : samba
Vulnerability  : missing input sanitising
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-0719

Volker Lendecke discovered that missing range checks in Samba's file descriptor handling could lead to memory corruption, resulting in denial of service.

For the oldstable distribution (lenny), this problem has been fixed in version 3.2.5-4lenny14.

For the stable distribution (squeeze), this problem has been fixed in version 3.5.6~dfsg-3squeeze2.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your samba packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[Full-disclosure] ZDI-11-094: (0 day) Hewlett-Packard StorageWorks File Migration Agent Remote Archive Tampering Vulnerability
ZDI-11-094: (0 day) Hewlett-Packard StorageWorks File Migration Agent Remote Archive Tampering Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-094
February 28, 2011

-- CVSS:
7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

-- Affected Vendors:
Hewlett-Packard

-- Affected Products:
Hewlett-Packard StorageWorks

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10854. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to compromise the archive records on vulnerable installations of HP StorageWorks File Migration Agent. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the HsmCfgSvc.exe service responsible for managing archive stores. The archive manager is susceptible to tampering due to a failure to enforce authentication from remote users. An attacker could exploit this flaw to compromise the server managing the archives and arbitrarily modify the archive data store under the context of the File Migration Agent software.

-- Vendor Response:
February 23, 2011 - This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline.

-- Mitigations:
The overall design of the File Migration Agent (FMA) assumes it runs as an application on a Windows server. Given the stated purpose of FMA, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the HP StorageWorks File Migration Agent should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.

-- Disclosure Timeline:
2010-08-25 - Vulnerability reported to vendor
2011-02-28 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* AbdulAziz Hariri

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, the Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter: http://twitter.com/thezdi
[Full-disclosure] [USN-1078-1] Logwatch vulnerability
===
Ubuntu Security Notice USN-1078-1                     March 01, 2011
logwatch vulnerability
CVE-2011-1018
===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.04 LTS:
  logwatch  7.3.6-1ubuntu1.1

Ubuntu 9.10:
  logwatch  7.3.6.cvs20090906-1ubuntu1.1

Ubuntu 10.04 LTS:
  logwatch  7.3.6.cvs20090906-1ubuntu2.1

Ubuntu 10.10:
  logwatch  7.3.6.cvs20090906-1ubuntu3.1

In general, a standard system update will make all the necessary changes.

Details follow:

Dominik George discovered that logwatch did not properly sanitize log file names that were passed to the shell as part of a command. If a remote attacker were able to generate specially crafted filenames (for example, via Samba logging), they could execute arbitrary code with root privileges.

Updated packages for Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS and Ubuntu 10.10 (source archives and architecture independent packages) are available under http://security.ubuntu.com/ubuntu/pool/main/l/logwatch/
Re: [Full-disclosure] [PSRT] Python ssl handling could be better...
On Feb 28, 2011, at 10:37 AM, bk wrote:

> > I think we should be happy with the inclusion of such options in 3.2
>
> No, I'm not going to be happy about an after-thought fix. At least httplib.py should never have been put in the tree without an option to tell ssl.py to verify the server cert. FFS they have client cert support, would it REALLY be that hard to pass the verification parameter to ssl.py? No, it's just sheer ignorance of security.

Maybe I missed it, but do you have a specific patch you want us to review?

As for back porting to stable release versions, that will have to be determined by the release managers for each version, and that can only be done once there are actual patches we can look at. All versions of Python prior to 3.3 are now in stable release mode, so (speaking as the Python 2.6 RM) patches that add new features or change API just can't be accepted. I'm skeptical, but if there are backward compatible changes that can be added as a bug fix to Python 3.2 or 2.7, those might be considered.

The best way to handle the situation in that case is:

* Develop a patch for Python 3.3 which includes unit tests and documentation, get it reviewed, and lobby the Python community for inclusion in 3.3.
* Back port the changes to a standalone library for earlier versions of Python and release these on the Cheeseshop.
* Evangelize these separate packages for users who want the full security of authenticated encrypted channels.

Please understand that these policies have been in place for many years and we adhere to them after many hard lessons learned.

-Barry