
Security

The OpenLiberty Project

January 24, 2007

This article was contributed by Jake Edge.

A buzzword-dense press release announcing a new open source project for 'identity management' is hardly the kind of thing to set hearts racing. The release did succeed on one level, however: it made us wonder what the openLiberty project is and what it can do for open source developers. Follow along as we try to shed some light on the world of internet identities and the standards, protocols and organizations involved.

An 'internet identity' means different things to different people, often depending on how they intend to use the identity information. A website owner that allows comments has far less strict requirements for what an identity is than a hospital or stock broker might have. Some identities, those used for e-commerce for instance, need to be tied to specific individuals, whereas others can be pseudonymous. Privacy concerns also play a role: a user does not necessarily want to provide the same information to every party with which they establish an identity. LWN should not (and does not) require your government ID number in order for you to post comments here, but a stock broker might very well need it.

The sponsor of openLiberty is the Liberty Alliance, a consortium of vendors that seeks to provide standards for identity-based web services. The organization was started by Sun Microsystems in 2001 as a competitor to Microsoft's Passport (aka Windows Live ID) single sign-on system. At the time, many were concerned that Microsoft would become the gatekeeper of internet identity management, which would likely guarantee that competitors were locked out. Sun brought together around 30 vendors, along with some ideas it had been working on, to form the alliance, with the plan of providing open, standards-based solutions for identity management.

Since that time, the alliance has come out with various specifications for what is, by all accounts, a complex, centralized system for identity management based around Security Assertion Markup Language (SAML). SAML is an emerging OASIS standard that describes the protocol for identity providers to communicate with service providers to authenticate users. The alliance system is popular with larger organizations that typically have tighter requirements for identity management. Websites and services that have simpler needs have largely used OpenID (LWN article here) to facilitate single sign-on.

The openLiberty project is an attempt to attract more interest in the Liberty system, especially from the open source community, presumably to help drive adoption. The website is a portal geared towards developing open source libraries that implement various alliance specifications. The first project is a Java client library implementing the Identity Web Services Framework (ID-WSF) to provide single sign-on and other identity-enabled web services. The portal has all the expected features: a blog, a wiki, a mailing list, a source code repository (hosted by SourceForge), etc.

As might be expected of a project that has just been announced, there are few messages in the mailing list archive and the participant list appears to be made up largely of Liberty Alliance members. Judging by the wealth of information available on the website, the project has already done a lot of the groundwork to establish the portal. It remains to be seen whether it attracts a significant number of non-allied developers. Choosing a Java client library to start would seem to exclude a sizable portion of interested parties; other languages are on the roadmap, which might be enough to lure in non-Java developers.

An interesting convergence of identity management solutions seems to be going on in the background right now. Proponents of the different systems all see the benefits of interoperability and there appear to be some efforts underway to allow OpenID and Liberty to work together. There is even talk that Microsoft may join the party and make some kind of effort to interoperate with Liberty.

There are clear benefits to users in having one system to manage their internet identity (or identities) across the universe of web services they might wish to use. Simplicity of implementation for web service providers and differing levels of security for different classes of service are also good features to have. One of the ways to get there is by having competing systems that can interoperate relatively transparently and it seems like we may be headed in that direction.

Comments (1 posted)

New vulnerabilities

centericq: buffer overflow

Package(s): centericq
CVE #(s): CVE-2007-0160
Created: January 24, 2007
Updated: January 24, 2007
Description: The code in centericq which interfaces with the LiveJournal service suffers from a buffer overflow. This vulnerability is exploitable if a user can be convinced to connect to an unofficial LiveJournal server.
Alerts:
Gentoo 200701-20 centericq 2007-01-24

Comments (none posted)

ed: symlink attack

Package(s): ed
CVE #(s): CVE-2006-6939
Created: January 19, 2007
Updated: January 24, 2007
Description: GNU ed before 0.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files, possibly in the open_sbuf function.
Alerts:
rPath rPSA-2007-0012-1 ed 2007-01-23
Fedora FEDORA-2007-100 ed 2007-01-18
Fedora FEDORA-2007-099 ed 2007-01-18

Comments (none posted)

gtk2: denial of service

Package(s): gtk2
CVE #(s): CVE-2007-0010
Created: January 24, 2007
Updated: February 8, 2007
Description: From the Red Hat advisory: A bug was found in the way the gtk2 GdkPixbufLoader() function processed invalid input. Applications linked against gtk2 could crash if they loaded a malformed image file.
Alerts:
Mandriva MDKSA-2007:039 gtk+2.0 2007-02-07
Ubuntu USN-415-1 gtk+2.0 2007-02-01
Debian DSA-1256-1 gtk+2.0 2007-01-31
SuSE SUSE-SR:2007:002 neon, gtk2, smb4k, amarok, jboss4 2007-01-26
rPath rPSA-2007-0019-1 gtk 2007-01-25
Red Hat RHSA-2007:0019-02 gtk2 2007-01-24

Comments (1 posted)

java: multiple vulnerabilities

Created: January 18, 2007
Updated: June 4, 2010
Description: Java has multiple vulnerabilities, including: an RSA exponent padding attack, two vulnerabilities that allow untrusted applets to access data in other applets, vulnerabilities in which applets gain privileges due to serialization bugs in the JRE, and buffer overflows in the Java image handling routines that can give attackers read/write/execute access to local files.
Alerts:
Gentoo 201408-19 openoffice-bin 2014-08-31
Pardus 2010-67 openoffice 2010-06-04
Gentoo 200705-20 blackdown java 2007-05-26
Red Hat RHSA-2007:0073-01 java 2007-02-09
Red Hat RHSA-2007:0072-01 ibmjava2 2007-02-08
Red Hat RHSA-2007:0062-02 java-1.4.2-ibm 2007-02-07
Gentoo 200701-15 Sun JDK/JRE 2007-01-22
SuSE SUSE-SA:2007:010 IBMJava2 2007-01-18

Comments (1 posted)

netrik: insufficient escaping

Package(s): netrik
CVE #(s): CVE-2006-6678
Created: January 22, 2007
Updated: January 24, 2007
Description: It has been discovered that netrik, a text mode WWW browser with vi-like keybindings, does not properly sanitize temporary filenames when editing textareas, which could allow attackers to execute arbitrary commands via shell metacharacters.
Alerts:
Debian DSA-1251-1 netrik 2007-01-21

Comments (none posted)

poppler: denial of service

Package(s): poppler
CVE #(s): CVE-2007-0104
Created: January 18, 2007
Updated: January 26, 2007
Description: Poppler, a PDF loader library, does not limit the recursion depth of the page model tree. If an attacker can trick a user into opening a specially crafted PDF file, an infinite loop can be caused, leading to a crash of the calling application. This also affects kdegraphics and koffice.
Alerts:
Ubuntu USN-410-2 tetex-bin 2007-01-25
rPath rPSA-2007-0013-1 poppler 2007-01-23
Mandriva MDKSA-2007:024 kdegraphics 2007-01-22
Mandriva MDKSA-2007:022 tetex 2006-01-18
Mandriva MDKSA-2007:021 xpdf 2007-01-18
Mandriva MDKSA-2007:020 poppler 2007-01-18
Mandriva MDKSA-2007:019 pdftohtml 2006-01-18
Mandriva MDKSA-2007:018 koffice 2007-01-18
Ubuntu USN-410-1 kdegraphics, koffice, poppler 2007-01-18

Comments (none posted)
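The poppler entry above describes a page tree whose recursion depth is never bounded. As an added illustration (not poppler's code), the walk below models a PDF page tree in C and refuses any tree deeper than an assumed limit, so a /Kids entry that points back at an ancestor yields an error instead of unbounded recursion; the node layout, MAX_PAGE_TREE_DEPTH and the sample trees are all constructed here.

```c
#include <stddef.h>
#include <stdbool.h>

/* Added example (not poppler code): a bounded walk of a PDF page tree. A page
   tree is a hierarchy of /Pages nodes whose /Kids arrays end in /Page leaves;
   a crafted file can make a Kids entry point back at an ancestor, so an
   unbounded recursive walk never returns. The depth limit is an assumption. */
#define MAX_PAGE_TREE_DEPTH 64
typedef struct PageNode {
    bool is_page;              /* leaf (/Type /Page) vs interior (/Type /Pages) */
    size_t nkids;
    struct PageNode **kids;
} PageNode;
/* Number of leaf pages, or -1 if the tree exceeds the depth limit. */
static int count_pages_rec(const PageNode *n, int depth)
{
    if (depth > MAX_PAGE_TREE_DEPTH)
        return -1;             /* reject the document instead of looping */
    if (n->is_page)
        return 1;
    int total = 0;
    for (size_t i = 0; i < n->nkids; i++) {
        int c = count_pages_rec(n->kids[i], depth + 1);
        if (c < 0)
            return -1;
        total += c;
    }
    return total;
}
int count_pages(const PageNode *root) { return count_pages_rec(root, 0); }

/* Constructed well-formed tree: root -> [Pages{p1, p2}, p3], i.e. 3 pages. */
int sample_valid_tree(void)
{
    PageNode p1 = { true, 0, NULL }, p2 = { true, 0, NULL }, p3 = { true, 0, NULL };
    PageNode *inner_kids[] = { &p1, &p2 };
    PageNode inner = { false, 2, inner_kids };
    PageNode *root_kids[] = { &inner, &p3 };
    PageNode root = { false, 2, root_kids };
    return count_pages(&root);
}
/* Constructed malformed tree: the root's only kid is the root itself. */
int sample_cyclic_tree(void)
{
    PageNode root = { false, 1, NULL };
    PageNode *root_kids[] = { &root };
    root.kids = root_kids;
    return count_pages(&root);
}
```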

squid: denial of service

Package(s): squid
CVE #(s): CVE-2007-0247
Created: January 18, 2007
Updated: January 26, 2007
Description: Squid, a web client proxy caching server, can be made to crash when receiving certain FTP listings, leading to a denial of service.
Alerts:
Gentoo 200701-22 squid 2007-01-25
Ubuntu USN-414-1 squid 2007-01-24
Mandriva MDKSA-2007:026 squid 2006-01-23
SuSE SUSE-SA:2007:012 squid 2007-01-23
Trustix TSLSA-2007-0003 bzip2, kerberos5, squid, wget, xorg-x11 2007-01-19
Fedora FEDORA-2007-092 squid 2007-01-17

Comments (1 posted)

xine: format string vulnerabilities

Package(s): xine
CVE #(s): CVE-2007-0017
Created: January 23, 2007
Updated: August 10, 2007
Description: Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.
Alerts:
Mandriva MDKSA-2007:154 xine-ui 2007-08-09
Debian DSA-1252-1 vlc 2007-01-27
Mandriva MDKSA-2007:027 xine-ui 2007-01-26
Gentoo 200701-24 vlc 2007-01-26
SuSE SUSE-SA:2007:013 xine-ui,xine-lib,xine-extra,xine-devel 2007-01-23

Comments (none posted)
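The log-handler format string bug above is a defect of the form "message used as the format". As an added example (not VLC's or xine's code), the C below shows a hardened log callback that keeps the format fixed and the message as data, plus a small check that flags input carrying conversion directives; the "cdda:" prefix, LOG_BUF and the sample messages are assumptions constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not VLC or xine code. It models a log callback of the kind
   cdio_log_handler is: the library hands the callback an already-formatted
   message, which can include text copied from a user-supplied URI. The
   "cdda:" prefix and LOG_BUF size are assumptions made here. */
#define LOG_BUF 256
/* Hardened handler: a fixed format string with the message as an ordinary
   argument. The defective form was the equivalent of
       snprintf(out, outsz, message);
   which lets '%' conversions inside message drive printf. Returns 1 if the
   line fit, 0 if it was truncated (snprintf reports the untruncated length). */
int log_handler_fixed(char *out, size_t outsz, const char *message)
{
    int n = snprintf(out, outsz, "cdda: %s", message);
    return n >= 0 && (size_t)n < outsz;
}
/* Detection aid for an input boundary or a log review: does a string carry a
   conversion directive? A literal "%%" is not one. This flags suspicious
   URIs; it is not a substitute for the fixed format above. */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}
/* Constructed input: a URI carrying a directive is logged verbatim. */
int demo_logs_verbatim(void)
{
    char buf[LOG_BUF];
    if (!log_handler_fixed(buf, sizeof buf, "cannot open udp://%x"))
        return 0;
    return strcmp(buf, "cdda: cannot open udp://%x") == 0;
}

/* Constructed input: an over-long message is truncated, never overrun. */
int demo_truncation_reported(void)
{
    char small[8];
    return log_handler_fixed(small, sizeof small, "xy") == 0;
}
```

Building with -Wformat-security makes gcc and clang flag the defective form shown in the comment wherever it survives in a code base.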

xsupplicant: potential code execution

Package(s): xsupplicant
CVE #(s): CVE-2006-5601
Created: January 19, 2007
Updated: January 24, 2007
Description: A post-authentication stack overflow in the EAP handling could be used by an already authenticated attacker to overflow a stack buffer and so potentially execute code.
Alerts:
SuSE SUSE-SR:2007:001 xsupplicant, ulogd, dazuko 2007-01-19

Comments (none posted)

Page editor: Jonathan Corbet

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds