+----------------------------------------------------------------+ | LinuxSecurity.com Linux Advisory Watch | | December 12th, 2003 Volume 4, Number 49a | +----------------------------------------------------------------+ Editors: Dave Wreski Benjamin Thomas dave@private ben@private Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for GnuPG, cvs, rsync, screen, and ethereal. The distributors include Conectiva, Fedora, Gentoo, Immunix, Mandrake, Red Hat, and Slackware. --- >> Get Thawtes NEW Step-by-Step SSL Guide for Apache << In this guide you will find out how to test, purchase, install and use a Thawte Digital Certificate on you Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. Get your copy of this new guide now: http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte29 --- Data integrity has never been more important. A few weeks ago, several Debian servers were compromised. Soon after that, it was reported that the Gentoo rsync server was also compromised. Although these incidents appear to be under control, something catastrophic could have happened. Suppose malicious code was planted on the Debian or Gentoo servers. Later, users wishing to install or update their operating systems downloaded and executed this code. Sooner or later, it could have resulted in thousands of vulnerable systems across the Internet. One problem that we are faced with today is trusting the code that we execute. How can we ensure that it comes from the correct source? When applying security patches, how do we know that this comes from the distributor and not a rouge source? A helpful solution is to use MD5 checksums. Briefly, MD5 (message-digest algorithm) is the most widely used hashing algorithm. With this, it is reasonable to assume that the code you wish to execute came from the source in which you trust. For example, if I needed to send a friend a binary, I may also choose to send a MD5 checksum. (d1ccac94dadcf1686f6692719845991c) With this, the friend can verify the integrity of the binary that I sent. In Linux and most other operating systems, to generate a MD5 checksum, the command 'md5sum filename(s)' is used. When applying security patches, it is important to check the integrity of the patches that are downloaded. When downloading security patches, it is important to check the source of where the download is coming from, and also verify the file(s) with 'md5sum'. This week, there is a Red Hat GnuPG advisory and patch. If you are patching a Red Hat server, after downloading the files, the MD5 checksums can be checked against the ones found in the advisory. e1f31f4a07ebb5b4040f8f6ca3816cc4 9/en/os/SRPMS/gnupg-1.2.1-9.src.rpm 604a2fb5b809ec99280871f46507f4a1 9/en/os/i386/gnupg-1.2.1-9.i386.rpm If they differ with those generated on your machine, there is an integrity problem. Either the code, or the hash was published wrong and it should be investigated. Checking MD5s does not absolutely guarantee data integrity because they could have also been altered. However, because the MD5 hash values and the code are distributed independently, it can give a reasonable assurance that the code can be trusted. Checking a MD5 will only take several seconds and will provide another level of assurance. Until next time, cheers! Benjamin D. Thomas ben@private --- Guardian Digital Customers Protected From Linux Kernel Vulnerability As a result of the planning and secure design of EnGarde Secure Linux, the company's flagship product, Guardian Digital customers are securely protected from a vulnerability that lead to the complete compromise of several high-profile open source projects, including those belonging to the Debian Project. http://www.linuxsecurity.com/feature_stories/feature_story-155.html -------------------------------------------------------------------- CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner! Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing Editor's Choice Award, EnGarde "walked away with our Editor's Choice award thanks to the depth of its security strategy..." Find out what the other Linux vendors are not telling you. http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2 -------------------------------------------------------------------- OpenVPN: An Introduction and Interview with Founder, James Yonan In this article, Duane Dunston gives a brief introduction to OpenVPN and interviews its founder James Yonan. http://www.linuxsecurity.com/feature_stories/feature_story-152.html --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf +---------------------------------+ | Distribution: Conectiva | ----------------------------// +---------------------------------+ 12/9/2003 - GnuPG signing key vulnerability Phong Nguyen discovered[2] a vulnerability (CAN-2003-0971[3]) in the way GnuPG deals with type 20 ElGamal sign+encrypt keys which allows an attacker to recover the corresponding private key from a signature. http://www.linuxsecurity.com/advisories/conectiva_advisory-3858.html +---------------------------------+ | Distribution: Fedora | ----------------------------// +---------------------------------+ 12/11/2003 - GnuPG Signing key vulnerability Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys, when those keys are used both to sign and encrypt data. This vulnerability can be used to trivially recover the private key. http://www.linuxsecurity.com/advisories/fedora_advisory-3863.html +---------------------------------+ | Distribution: Gentoo | ----------------------------// +---------------------------------+ 12/11/2003 - cvs Unauthorized access vulnerability This release fixes a security issue with no known exploits that could cause previous versions of CVS to attempt to create files and directories in the filesystem root. http://www.linuxsecurity.com/advisories/gentoo_advisory-3859.html 12/12/2003 - app-crypt/gnupg Multiple vulnerabilities Unauthorized access vulnerability Two flaws have been found in GnuPG 1.2.3 including a format string vulnerability and the compromise of ElGamal signing keys. http://www.linuxsecurity.com/advisories/gentoo_advisory-3871.html +---------------------------------+ | Distribution: Immunix | ----------------------------// +---------------------------------+ 12/8/2003 - rsync Heap overflow vulnerability The rsync team has alerted us to a remotely exploitable heap overflow that is being actively exploited. As the overflow is on the heap, StackGuard offers no protection to this vulnerability. http://www.linuxsecurity.com/advisories/immunix_advisory-3854.html +---------------------------------+ | Distribution: Mandrake | ----------------------------// +---------------------------------+ 12/8/2003 - cvs Unauthorized access vulnerability A vulnerability was discovered in the CVS server < 1.11.10 where a malformed module request could cause the CVS server to attempt to create directories and possibly files at the root of the filesystem holding the CVS repository. http://www.linuxsecurity.com/advisories/mandrake_advisory-3855.html 12/8/2003 - screen Buffer overflow vulnerability A vulnerability was discovered and fixed in screen by Timo Sirainen who found an exploitable buffer overflow that allowed privilege escalation. http://www.linuxsecurity.com/advisories/mandrake_advisory-3856.html 12/11/2003 - cvs Unauthorized access vulnerability (correction) The previous updates had an incorrect temporary directory hard-coded in the cvs binary for 9.1 and 9.2. This update corrects the problem. http://www.linuxsecurity.com/advisories/mandrake_advisory-3860.html 12/11/2003 - ethereal Multiple vulnerabilities A number of vulnerabilities were discovered in ethereal that, if exploited, could be used to make ethereal crash or run arbitrary code by injecting malicious malformed packets onto the wire or by convincing someone to read a malformed packet trace file. http://www.linuxsecurity.com/advisories/mandrake_advisory-3861.html +---------------------------------+ | Distribution: Red Hat | ----------------------------// +---------------------------------+ 12/11/2003 - GnuPG Signing key vulnerability Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys, when those keys are used both to sign and encrypt data. This vulnerability can be used to trivially recover the private key. http://www.linuxsecurity.com/advisories/redhat_advisory-3862.html +---------------------------------+ | Distribution: Slackware | ----------------------------// +---------------------------------+ 12/11/2003 - cvs Unauthorized access vulnerability A security problem which could allow an attacker to create directories and possibly files outside of the CVS repository has been fixed with the release of cvs-1.11.10. http://www.linuxsecurity.com/advisories/slackware_advisory-3870.html ------------------------------------------------------------------------ Distributed by: Guardian Digital, Inc. LinuxSecurity.com To unsubscribe email vuln-newsletter-request@private with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Dec 15 2003 - 06:04:02 PST