[ISN] Linux Advisory Watch - December 12th 2003

From: InfoSec News (isn@private)
Date: Mon Dec 15 2003 - 03:14:27 PST

    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  December 12th, 2003                      Volume 4, Number 49a |
    +----------------------------------------------------------------+
    
      Editors:     Dave Wreski                Benjamin Thomas
                   dave@private     ben@private
    
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week.
    It includes pointers to updated packages and descriptions of each
    vulnerability.
    
    This week, advisories were released for GnuPG, cvs, rsync, screen, and
    ethereal.  The distributors include Conectiva, Fedora, Gentoo, Immunix,
    Mandrake, Red Hat, and Slackware.
    
    ---
    
    Data integrity has never been more important.  A few weeks ago, several
    Debian servers were compromised.  Soon after that, it was reported that
    the Gentoo rsync server was also compromised.  Although these incidents
    appear to be under control, something catastrophic could have happened.
    Suppose malicious code was planted on the Debian or Gentoo servers.
    Later, users wishing to install or update their operating systems
    downloaded and executed this code. Sooner or later, it could have resulted
    in thousands of vulnerable systems across the Internet.
    
    One problem that we are faced with today is trusting the code that we
    execute.  How can we ensure that it comes from the correct source?  When
    applying security patches, how do we know that a patch comes from the
    distributor and not a rogue source?  A helpful solution is to use MD5
    checksums.  Briefly, MD5 (message-digest algorithm) is the most widely
    used hashing algorithm.  With a checksum, it is reasonable to assume that
    the code you wish to execute came from the source that you trust.  For
    example, if I needed to send a friend a binary, I may also choose to send
    an MD5 checksum (d1ccac94dadcf1686f6692719845991c).  With this, the friend
    can verify the integrity of the binary that I sent.  In Linux and most
    other operating systems, the command 'md5sum filename(s)' is used to
    generate an MD5 checksum.
    
    When applying security patches, it is important to check the integrity of
    the patches that are downloaded.  Check where the download is coming
    from, and also verify the file(s) with 'md5sum'.  This week, there is a
    Red Hat GnuPG advisory and patch.  If you are patching a Red Hat server,
    after downloading the files, the MD5 checksums can be checked against the
    ones found in the advisory.
    
    e1f31f4a07ebb5b4040f8f6ca3816cc4 9/en/os/SRPMS/gnupg-1.2.1-9.src.rpm
    604a2fb5b809ec99280871f46507f4a1 9/en/os/i386/gnupg-1.2.1-9.i386.rpm
    
    If they differ from those generated on your machine, there is an
    integrity problem.  Either the code or the hash was published incorrectly,
    and it should be investigated.  Checking MD5s does not absolutely
    guarantee data integrity because the published hashes could also have
    been altered.  However, because the MD5 hash values and the code are
    distributed independently, it can give a reasonable assurance that the
    code can be trusted.  Checking an MD5 will only take several seconds and
    will provide another level of assurance.
    
    Until next time, cheers!
    Benjamin D. Thomas
    ben@private
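
The check described in the editorial above, written out as a script. This is an added example, not part of the original newsletter: the function name `verify_advisory`, the `gnupg-demo.*` file names and the demo files are constructed for illustration, and the list layout ("digest, space, path") follows the two lines quoted from the advisory.

```shell
#!/bin/sh
# verify_advisory LIST DIR [DIGEST_CMD]
#   LIST  lines of "<hex digest> <path as printed in the advisory>"
#   DIR   directory holding the downloaded files (matched by basename)
# Prints one status line per entry; returns 0 only if every entry is OK.
verify_advisory() {
    list=$1 dir=$2 cmd=${3:-md5sum} rc=0
    while read -r want path || [ -n "$want" ]; do
        # Skip blank lines and prose: a digest is 32+ hex characters.
        case $want in ''|*[!0-9a-fA-F]*) continue ;; esac
        [ "${#want}" -ge 32 ] || continue
        name=${path##*/}    # basename only, so the list cannot point outside DIR
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        # Hash via stdin so odd file names cannot change the output format.
        got=$("$cmd" < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$(printf %s "$want" | tr 'A-F' 'a-f')" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (advisory $want, local $got)"; rc=1
        fi
    done < "$list"
    return $rc
}

# Constructed demo: two stand-in "packages" (not real RPMs) and a list in the
# advisory's layout; one file is altered after the list has been written.
demo() {
    d=$(mktemp -d)
    printf 'constructed package A\n' > "$d/gnupg-demo.src.rpm"
    printf 'constructed package B\n' > "$d/gnupg-demo.i386.rpm"
    for f in SRPMS/gnupg-demo.src.rpm i386/gnupg-demo.i386.rpm; do
        echo "$(md5sum < "$d/${f##*/}" | cut -d' ' -f1) 9/en/os/$f"
    done > "$d/advisory.txt"
    printf 'tampered\n' >> "$d/gnupg-demo.i386.rpm"
    st=0
    verify_advisory "$d/advisory.txt" "$d" || st=$?
    rm -rf "$d"
    return $st
}

demo || echo "integrity problem: investigate before installing"
```

The third argument selects the digest command, so the same function checks a SHA-256 list when called with `sha256sum`.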
    
    ---
    
    Guardian Digital Customers Protected From Linux Kernel Vulnerability
    
    As a result of the planning and secure design of EnGarde Secure Linux, the
    company's flagship product, Guardian Digital customers are securely
    protected from a vulnerability that led to the complete compromise of
    several high-profile open source projects, including those belonging to
    the Debian Project.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-155.html
    
    --------------------------------------------------------------------
    
    OpenVPN: An Introduction and Interview with Founder, James Yonan

    In this article, Duane Dunston gives a brief introduction to OpenVPN and
    interviews its founder James Yonan.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-152.html
    
    
    -->  Take advantage of the LinuxSecurity.com Quick Reference Card!
    -->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf
    
    +---------------------------------+
    |  Distribution: Conectiva        | ----------------------------//
    +---------------------------------+
    
     12/9/2003 - GnuPG
       signing key vulnerability
    
       Phong Nguyen discovered[2] a vulnerability (CAN-2003-0971[3]) in the
       way GnuPG deals with type 20 ElGamal sign+encrypt keys which allows an
       attacker to recover the corresponding private key from a signature.
       http://www.linuxsecurity.com/advisories/conectiva_advisory-3858.html
    
    
    +---------------------------------+
    |  Distribution: Fedora           | ----------------------------//
    +---------------------------------+
    
     12/11/2003 - GnuPG
       Signing key vulnerability
    
       Phong Nguyen identified a severe bug in the way GnuPG creates and uses
       ElGamal keys, when those keys are used both to sign and encrypt data.
       This vulnerability can be used to trivially recover the private key.
       http://www.linuxsecurity.com/advisories/fedora_advisory-3863.html
    
    
    +---------------------------------+
    |  Distribution: Gentoo           | ----------------------------//
    +---------------------------------+
    
     12/11/2003 - cvs
       Unauthorized access vulnerability
    
       This release fixes a security issue with no known exploits that could
       cause previous versions of CVS to attempt to create files and
       directories in the filesystem root.
       http://www.linuxsecurity.com/advisories/gentoo_advisory-3859.html
    
     12/12/2003 - app-crypt/gnupg Multiple vulnerabilities
       Unauthorized access vulnerability
    
       Two flaws have been found in GnuPG 1.2.3 including a format string
       vulnerability and the compromise of ElGamal signing keys.
       http://www.linuxsecurity.com/advisories/gentoo_advisory-3871.html
    
    
    +---------------------------------+
    |  Distribution: Immunix          | ----------------------------//
    +---------------------------------+
    
     12/8/2003 - rsync
       Heap overflow vulnerability
    
       The rsync team has alerted us to a remotely exploitable heap overflow
       that is being actively exploited. As the overflow is on the heap,
       StackGuard offers no protection against this vulnerability.
       http://www.linuxsecurity.com/advisories/immunix_advisory-3854.html
    
    
    +---------------------------------+
    |  Distribution: Mandrake         | ----------------------------//
    +---------------------------------+
    
     12/8/2003 - cvs
       Unauthorized access vulnerability
    
       A vulnerability was discovered in the CVS server < 1.11.10 where a
       malformed module request could cause the CVS server to attempt to
       create directories and possibly files at the root of the filesystem
       holding the CVS repository.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-3855.html
    
     12/8/2003 - screen
       Buffer overflow vulnerability
    
       A vulnerability was discovered and fixed in screen by Timo Sirainen who
       found an exploitable buffer overflow that allowed privilege escalation.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-3856.html
    
     12/11/2003 - cvs
       Unauthorized access vulnerability (correction)
    
       The previous updates had an incorrect temporary directory hard-coded in
       the cvs binary for 9.1 and 9.2.  This update corrects the problem.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-3860.html
    
     12/11/2003 - ethereal
       Multiple vulnerabilities
    
       A number of vulnerabilities were discovered in ethereal that, if
       exploited, could be used to make ethereal crash or run arbitrary code
       by injecting malicious malformed packets onto the wire or by convincing
       someone to read a malformed packet trace file.
       http://www.linuxsecurity.com/advisories/mandrake_advisory-3861.html
    
    
    +---------------------------------+
    |  Distribution: Red Hat          | ----------------------------//
    +---------------------------------+
    
     12/11/2003 - GnuPG
       Signing key vulnerability
    
       Phong Nguyen identified a severe bug in the way GnuPG creates and uses
       ElGamal keys, when those keys are used both to sign and encrypt data.
       This vulnerability can be used to trivially recover the private key.
       http://www.linuxsecurity.com/advisories/redhat_advisory-3862.html
    
    
    +---------------------------------+
    |  Distribution: Slackware        | ----------------------------//
    +---------------------------------+
    
     12/11/2003 - cvs
       Unauthorized access vulnerability
    
       A security problem which could allow an attacker to create directories
       and possibly files outside of the CVS repository has been fixed with
       the release of cvs-1.11.10.
       http://www.linuxsecurity.com/advisories/slackware_advisory-3870.html
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
    ------------------------------------------------------------------------
    
    
    
    ISN is currently hosted by Attrition.org