Linux Advisory Watch - October 10th 2003

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  October 10th, 2003                       Volume 4, Number 40a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx     ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for mplayer, vixie-cron, openssl,
kernel, openssh, mysql, SANE, perl, and pine.  The distributors include
Conectiva, Guardian Digital's EnGarde Linux, FreeBSD, Red Hat, and
TurboLinux.

>> FREE Apache SSL Guide from Thawte  <<

Are you worried about your web server security?  Click here to get a FREE
Thawte Apache SSL Guide and find the answers to all your Apache SSL
security needs.

 Click Command:
 http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=vertad_thawteapache

---

This week, I'm going to give a very brief introduction to cryptography.
I realize that some readers already have a firm understanding, but
others need a little explanation.  It is best to begin with the
definition.  Dictionary.com describes it as "The process or skill of
communicating in or deciphering secret writings or ciphers."
Cryptography is used to provide several things: confidentiality, data
integrity, user verification, and privacy.  It is used to secure network
traffic and storage, and to improve authentication.

Basic cryptography can be classified into two categories: symmetric and
asymmetric.  Symmetric cryptography requires that both the sender and
the receiver of a message share the same secret key.  With a symmetric
key, anyone who can encrypt can decrypt.  Conversely, with asymmetric
cryptography, it is nearly impossible to determine the decryption key
from the encryption key, so an attacker gains nothing from knowing the
encryption key.  Asymmetric cryptography can be compared to a bevelled
spring lock: anyone can lock it, but only those with the key can unlock
it.  Public key cryptography is asymmetric.

The strength of cryptography is usually measured by the length of the
key.  Cryptography can only delay an attack.  When implementing
encryption, it is necessary to determine how long protection is required
and to choose a key length that cannot be broken by brute force during
that period.  Longer and longer keys are required as processing power
advances.  Attackers often choose other methods to intercept data.  For
example, data may be encrypted on the hard disk but in plaintext while
in memory; the attacker will simply attempt to capture the values stored
in memory.

From this, we can conclude that encryption does not solve all security
problems.  Like anything, it is only a tool that can be used to improve
the process.

Until next time, cheers!
Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

----

EnGarde GDSN Subscription Price Reduction:
Guardian Digital, the world's premier open source security company,
announced today that they will be reducing the annual subscription cost of
the Guardian Digital Secure Network for EnGarde Community users from $229
to $60 for a limited time.


http://www.linuxsecurity.com/feature_stories/feature_story-151.html


--------------------------------------------------------------------

CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
thanks to the depth of its security strategy..." Find out what the other
Linux vendors are not telling you.

http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

--------------------------------------------------------------------

FEATURE: R00ting The Hacker
Dan Verton, the author of The Hacker Diaries: Confessions of
Teenage Hackers, is a former intelligence officer in the U.S.
Marine Corps who currently writes for Computerworld and CNN.com,
covering national cyber-security issues and critical infrastructure
protection.

http://www.linuxsecurity.com/feature_stories/feature_story-150.html


-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf




+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

* Conectiva: mplayer Buffer overflow vulnerability
October 6th, 2003

This advisory is an update for the CLSA-2003:628[] one.
http://www.linuxsecurity.com/advisories/connectiva_advisory-3722.html


* Conectiva: vixie-cron local vulnerability
October 3rd, 2003

This advisory is an update for the CLSA-2003:628[] one.
http://www.linuxsecurity.com/advisories/connectiva_advisory-3711.html


* Conectiva: vixie-cron local vulnerability
October 3rd, 2003

This advisory is an update for the CLSA-2003:628[] one.
http://www.linuxsecurity.com/advisories/connectiva_advisory-3712.html


* Conectiva: openssl denial of service vulnerability
October 3rd, 2003

This advisory is an update for the CLSA-2003:628[] one.
http://www.linuxsecurity.com/advisories/connectiva_advisory-3713.html


+---------------------------------+
|  Distribution: EnGarde          | ----------------------------//
+---------------------------------+

* EnGarde: OpenSSL potential DoS
October 3rd, 2003

"Shawn" discovered and reported an SSH passphrase disclosure
vulnerability in the WebTool's User Password Changer via the engarde-users
mailing list.
http://www.linuxsecurity.com/advisories/engarde_advisory-3709.html


+---------------------------------+
|  Distribution: FreeBSD          | ----------------------------//
+---------------------------------+

* FreeBSD: kernel memory disclosure vulnerability
October 3rd, 2003

A bug has been found in OpenSSH's buffer handling where a buffer could be
marked as grown when the actual reallocation failed.
http://www.linuxsecurity.com/advisories/freebsd_advisory-3714.html


* FreeBSD: OpenSSL ASN.1 parsing vulnerabilities
October 3rd, 2003

A bug has been found in OpenSSH's buffer handling where a buffer could be
marked as grown when the actual reallocation failed.
http://www.linuxsecurity.com/advisories/freebsd_advisory-3720.html


* FreeBSD: OpenSSH Multiple vulnerabilities
October 3rd, 2003

Multiple PAM vulnerabilities have been fixed.
http://www.linuxsecurity.com/advisories/freebsd_advisory-3721.html


+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+


* RedHat: mysql buffer overflow vulnerability
October 9th, 2003

There are several buffer overruns in the mars_nwe package.
http://www.linuxsecurity.com/advisories/redhat_advisory-3726.html


* RedHat: SANE remote vulnerabilities
October 8th, 2003

There are several buffer overruns in the mars_nwe package.
http://www.linuxsecurity.com/advisories/redhat_advisory-3724.html


* RedHat: perl XSS vulnerability
October 3rd, 2003

There are several buffer overruns in the mars_nwe package.
http://www.linuxsecurity.com/advisories/redhat_advisory-3715.html


+---------------------------------+
|  Distribution: TurboLinux       | ----------------------------//
+---------------------------------+


* TurboLinux: pine buffer overflow vulnerability
October 8th, 2003

An integer overflow exists in the Pine MIME header parsing.
http://www.linuxsecurity.com/advisories/turbolinux_advisory-3725.html


* TurboLinux: mysql buffer overflow vulnerability
October 7th, 2003

Older versions of mtr did not properly drop root privileges.
http://www.linuxsecurity.com/advisories/turbolinux_advisory-3723.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

