Your security, networking, programming, and application news source.

Friday, August 22, 2008

Fedora Servers Compromised


  <Fedora announced> (Aug. 22, 2008) that some of its servers were illegally accessed 'last week'. One of the compromised servers was used for signing Fedora packages. Although Fedora is optimistic that the passphrase protecting the signing keys held, it has decided to move to new signing keys.

  A Red Hat <security advisory> reports that the intruder managed to sign OpenSSH packages: "In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only)"

  Red Hat released an OpenSSH update to address this, as well as a <script> that detects the blacklisted packages.
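The check a practitioner wants after a signing-key rotation is "which installed packages carry a signature from the old key, or no signature at all?" The script below is an added example, not Red Hat's detection script or Fedora's tooling. It assumes the input is the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{SIGPGP:pgpsig}\n'`, where the signature column ends in "Key ID <hex>" or reads "(none)" for unsigned packages; the key IDs and package names in it are placeholders, not real Fedora or Red Hat values.

```shell
#!/bin/sh
# Added example: flag installed packages that are unsigned or signed by a key
# that is no longer trusted after a key rotation. Not Red Hat's script.
# Input format assumed (one line per package):
#   <name>-<version>-<release>.<arch> <rpm %{SIGPGP:pgpsig} string>
# where the signature string ends in "Key ID <16 hex digits>" or is "(none)".

# Key IDs still trusted after the rotation. Placeholder values, not real key IDs.
TRUSTED_KEYS="1111111122222222"

audit_signers() {
    # $1: file holding one "package signature" line per installed package
    while IFS= read -r line; do
        pkg=${line%% *}
        sig=${line#* }
        case "$sig" in
            "(none)")
                printf 'UNSIGNED %s\n' "$pkg" ;;
            *"Key ID "*)
                keyid=${sig##*Key ID }
                case " $TRUSTED_KEYS " in
                    *" $keyid "*) ;;   # signed by a key we still trust
                    *) printf 'UNTRUSTED-KEY %s %s\n' "$keyid" "$pkg" ;;
                esac ;;
            *)
                printf 'UNPARSED %s\n' "$pkg" ;;
        esac
    done < "$1"
}

# Constructed sample in the rpm output format above; not taken from a real system.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
openssh-4.3p2-1.x86_64 DSA/SHA1, Thu 21 Aug 2008 10:00:00 AM UTC, Key ID 1111111122222222
openssh-server-4.3p2-1.x86_64 DSA/SHA1, Thu 21 Aug 2008 10:00:00 AM UTC, Key ID 3333333344444444
bash-3.2-1.x86_64 (none)
EOF

audit_signers "$SAMPLE"
```

On a live system, feed it `rpm -qa --qf '...' > pkgs.txt` and then `audit_signers pkgs.txt`; anything marked UNTRUSTED-KEY should be reinstalled from media signed with the new key, and UNSIGNED entries deserve a look at where they came from.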

Wednesday, August 13, 2008

BitTorrent's .torrent File Buffer Overflow Vulnerability

A critical vulnerability was found in uTorrent and BitTorrent. The clients' processing of .torrent files fails to do proper bounds checking on the 'Created By' field, so a maliciously crafted .torrent file can overflow a buffer. From there, arbitrary code execution is a short step away.

Confirmed vulnerable versions (earlier versions are assumed, but not confirmed, to be vulnerable):

  uTorrent version 1.7.7 (Build 8179)
  BitTorrent versions 6.xx.

TorrentFreak urges uTorrent users to upgrade to <uTorrent 1.8> and reports that there is no patch for the mainline BitTorrent client yet, though an update is expected soon.
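The bug class here is a length taken from the file and trusted. A .torrent is a bencoded dictionary, and a string in it is encoded as `<length>:<bytes>`; if the parser copies `length` bytes into a fixed buffer without comparing the two, the file controls how far past the buffer it writes. The following is an added example written for this post, not code from either client or from the advisories: it shows the unsafe copy next to a bounded version, with a minimal bencode string parser that also rejects a declared length that runs past the end of the input. The dictionary key `created by`, the 64-byte buffer size and the sample fragments are assumptions for the illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size destination, as a client might reserve for a short metadata field.
 * Assumed size for the example; the overflow happens when the declared bencode
 * length is trusted and exceeds it. */
#define CREATED_BY_MAX 64

/* Parse one bencoded byte string ("<len>:<bytes>") at buf[*pos].
 * On success returns len, sets *start to the first data byte and advances *pos
 * past the string. Returns -1 if the length is missing, would overflow, or
 * claims more bytes than remain in buf (a truncated or lying file). */
static long bencode_string(const unsigned char *buf, size_t buflen, size_t *pos,
                           const unsigned char **start)
{
    size_t i = *pos;
    long len = 0;
    int digits = 0;

    while (i < buflen && buf[i] >= '0' && buf[i] <= '9') {
        if (len > (LONG_MAX - 9) / 10)
            return -1;                      /* length literal would overflow */
        len = len * 10 + (buf[i] - '0');
        i++;
        digits++;
    }
    if (digits == 0 || i >= buflen || buf[i] != ':')
        return -1;
    i++;                                    /* skip ':' */
    if ((size_t)len > buflen - i)
        return -1;                          /* declared length runs past the input */
    *start = buf + i;
    *pos = i + (size_t)len;
    return len;
}

/* The vulnerable pattern: the declared length is copied without comparing it to
 * the destination size. A "created by" longer than CREATED_BY_MAX overwrites
 * whatever follows 'out' on the stack. Shown for contrast; never called here. */
void created_by_unsafe(const unsigned char *src, long len, char out[CREATED_BY_MAX])
{
    memcpy(out, src, (size_t)len);
    out[len] = '\0';
}

/* Hardened form: refuse anything that does not fit together with its terminator. */
static int created_by_safe(const unsigned char *src, long len, char out[CREATED_BY_MAX])
{
    if (len < 0 || (size_t)len >= CREATED_BY_MAX)
        return -1;
    memcpy(out, src, (size_t)len);
    out[len] = '\0';
    return 0;
}

/* Locate the "created by" key in a bencoded dictionary and copy its value into
 * out. Returns 0 on success, -1 if the key is absent, malformed, or too long.
 * (A real client walks the dictionary; a byte search suffices to show the check.) */
int extract_created_by(const unsigned char *torrent, size_t n, char out[CREATED_BY_MAX])
{
    static const unsigned char key[] = "10:created by";
    const size_t klen = sizeof key - 1;
    size_t i;

    for (i = 0; i + klen <= n; i++) {
        if (memcmp(torrent + i, key, klen) == 0) {
            size_t pos = i + klen;
            const unsigned char *val;
            long len = bencode_string(torrent, n, &pos, &val);
            if (len < 0)
                return -1;
            return created_by_safe(val, len, out);
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed fragments for the demo, not real .torrent files. */
    const unsigned char ok[] = "d10:created by13:uTorrent/1770e";
    unsigned char evil[300];
    char out[CREATED_BY_MAX];
    int k;

    if (extract_created_by(ok, sizeof ok - 1, out) == 0)
        printf("benign: accepted [%s]\n", out);

    /* A 200-byte "created by": the unsafe copy would smash the stack; the safe
     * path rejects it before copying anything. */
    k = sprintf((char *)evil, "d10:created by200:");
    memset(evil + k, 'A', 200);
    evil[k + 200] = 'e';
    printf("oversized: %d\n", extract_created_by(evil, (size_t)k + 201, out));
    return 0;
}
```

Two checks matter: the declared length against the bytes actually present (a truncated file must not make the parser read past the buffer), and the declared length against the destination size (which is the check the advisories describe as missing).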

<TorrentFreak - Critical Vulnerability Discovered in uTorrent>(August 12, 2008)

<Secunia - Security advisory for uTorrent>(August 12, 2008)
<Secunia - Security advisory for BitTorrent>(August 12, 2008)

Monday, August 4, 2008

New PHP Features Coming v5.3

<Skip to the run down>

  PHP(Wiki) is becoming a popular web development language with the recent boom of LAMP(Wiki) servers.

  In general, PHP is a scripting language with syntax very similar to C/C++. Its variables are dynamically typed, and its arrays double as associative arrays(Wiki) (hashes), much like Perl's hashes and Python's dictionaries.

  PHP is typically embedded into HTML pages (with the .php extension) on a web server. When a PHP page is requested, the PHP code is executed server-side and only the resulting HTML is returned to the requesting browser.

  PHP 5.3 alpha <was released>(Aug 1, 2008). Version 5.2.6, released in May, was mostly security and bug fixes, while 5.3 brings the largest set of new features and improvements seen in a long time. The stable PHP 5.3 release is expected in mid-October 2008.

A quick rundown of some new features in PHP 5.3 Alpha:

 Namespaces(Wiki) - Classes, functions and constants can be grouped under a namespace, so class names no longer need long prefixes to avoid collisions.

 Late Static Binding(Example) - static:: resolves to the class a static call was made on rather than the class where the method was written, for more robust class inheritance.

 __callStatic() - __call is a built-in magic method that lets a class define behaviour for calls to non-existent member functions; __callStatic extends this to static calls.

 Lambda Functions - Quick, throw-away, inline anonymous functions.

 Closures - Anonymous functions that import a list of the parent scope's variables (with 'use'), which makes lambda functions much more useful.

 __DIR__ - A constant holding the current script's directory, equivalent to the commonly used dirname(__FILE__).

 Phar - A PHAR file is an archive (optionally compressed) that can contain a complete PHP application. Similar to Java's JAR files, a Phar file lets a large multi-file PHP application be distributed and run as one file.

 PHP goes Windows 2000 and up only - earlier Windows versions are no longer supported.
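The following script is an added example for this rundown, not code from the PHP 5.3 release or its announcement. It exercises namespaces, late static binding, __callStatic, lambdas, closures and __DIR__ together in one file; the class names, the Finder whitelist and the config path are made up for the illustration. The __callStatic part also carries the caveat a reviewer would raise: a catch-all that turns a method name into a field or function name is a dispatch sink if that name can ever come from request input, so whitelist what it may resolve to.

```php
<?php
namespace Blog\Demo;   // PHP 5.3 namespace; classes below are Blog\Demo\Model etc.

// Late static binding: 'static::' resolves to the class the call was made on,
// whereas 'self::' is fixed to the class where the method is written.
class Model
{
    public static function create()
    {
        return new static();   // User::create() builds a User
    }

    public static function createSelf()
    {
        return new self();     // User::createSelf() still builds a Model
    }
}

class User extends Model
{
}

// __callStatic catches static calls to methods that do not exist.
// Treat the method name as untrusted: if a route or form field ever ends up
// as a method name, the catch-all decides what it becomes, so whitelist the
// outcome instead of splicing the name into SQL or a function call.
class Finder
{
    private static $searchable = array('email', 'name');   // assumed whitelist

    public static function __callStatic($method, $args)
    {
        if (strpos($method, 'findBy') !== 0) {
            throw new \BadMethodCallException("No such static method: $method");
        }
        $field = strtolower(substr($method, 6));
        if (!in_array($field, self::$searchable, true)) {
            throw new \BadMethodCallException("Cannot search by '$field'");
        }
        // The field name is whitelisted above; the value goes in as a bound parameter.
        return array('SELECT * FROM users WHERE ' . $field . ' = ?', $args);
    }
}

// Lambda: an anonymous function value. Closure: the same, importing outer
// variables with 'use'. Imports are copies unless marked with '&'.
$calls = 0;
$byValue = function () use ($calls) { return ++$calls; };   // works on a copy
$byRef   = function () use (&$calls) { return ++$calls; };  // shares $calls

$byValue();
$byValue();        // outer $calls is untouched by these two calls
$byRef();          // outer $calls is incremented by this one

// __DIR__ is the directory of the running script, the same as dirname(__FILE__).
$config = __DIR__ . '/config.ini';   // hypothetical path

var_dump(get_class(User::create()));       // late static binding: the subclass
var_dump(get_class(User::createSelf()));   // self: the base class
var_dump(Finder::findByEmail('someone@example.com'));
var_dump($calls);
var_dump($config);
```

Run it with `php demo.php` under a 5.3 alpha; calling `Finder::findByPassword(...)` or any name outside the whitelist throws rather than reaching the query string, which is the behaviour to keep when a catch-all sits anywhere near user-controlled names.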

<PHP.NET 5.3 Alpha1 Release announcement>(Aug 1, 2008)