+----------------------------------------------------------------+
| LinuxSecurity.com Linux Advisory Watch |
| October 17th, 2003 Volume 4, Number 41a |
+----------------------------------------------------------------+
Editors: Dave Wreski Benjamin Thomas
dave@xxxxxxxxxxxxxxxxx ben@xxxxxxxxxxxxxxxxx
Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.
This week, advisories were released for glibc, tomcat4, sane XFree86,
sendmail, and openssl. The distributors include Conectiva, Debian,
Mandrake, and NetBSD.
---
>> FREE Apache SSL Guide from Thawte <<
Are you worried about your web server security? Click here to get a FREE
Thawte Apache SSL Guide and find the answers to all your Apache SSL
security needs.
Click Command:
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=vertad_thawteapache
---
Last week, I gave a brief introduction of cryptography and the differences
between symmetric and asymmetric and encryption. Also, I made several
comments on how the strength of cryptography is measured. This week, I am
going to show the basics of using the GNU Privacy Guard (GNUPG). GNUPG is
a text-based command line tool that is very straightforward to use and
based on a public & private (asymmetric) key system.
To begin using encryption on your Linux machine, you must first download
the GNUPG packages. It can be downloaded from: http://www.gnupg.org After
the application is installed, several steps must be taken before you can
begin.
First, a key-pair must be generated. To generate your keys, go to the
command line and issue the following:
[prompt]$ gpg --gen-key
If gpg has been installed correctly, you will be prompted to enter the
type of key, keysize, duration it is valid, your name, email address, and
a comment. At this point, it will be possible for you to begin using most
of gpg's other functions. Probably the most daunting part of gpg is key
management. After generating your key, the next thing you would want to
do is export your public key.
[prompt]$ gpg --export -a youremail@xxxxxxxxxx > public.key
At this point, you can share your public key with others. If other people
want to send you confidential data, they can encrypt it with your public
key and you'll be the only one who can decrypt it. If you want to send
someone else an encrypted message, you'll need their public key. To
import another person's public key, use the following command:
[prompt]$ gpg --import filename.key
To sign and encrypt data (filename.txt), the following command can be
used:
[prompt]$ gpg -ea -r TargetUserName filename.txt
For TargetUserName to decrypt that file, the following command should be
used:
[prompt]$ gpg -d filename.txt.asc > output.txt
Another useful feature of gpg is its ability to use symmetric encryption.
This can be used when you only wish to encrypt a file for personal use.
It uses the same key for both encryption and decryption. To encrypt a
file symmetrically, use the following:
[prompt]$ gpg -c filename.txt
GNUPG can also be easily interfaced with email. Several years ago, a
feature for LinuxSecurity.com was written that describes how to interface
it with pine. Virtually all modern email clients will support it. There
is a wealth of information available on Google that can help you learn how
to take advantage of GPG's features. Have fun!
Using GnuPG with Pine for Secure E-Mail:
http://www.linuxsecurity.com/feature_stories/feature_story-83.html
Until next time, cheers!
Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx
----
EnGarde GDSN Subscription Price Reduction -
Guardian Digital, the world's premier open source security company,
announced today that they will be reducing the annual subscription cost of
the Guardian Digital Secure Network for EnGarde Community users from $229
to $60 for a limited time.
http://www.linuxsecurity.com/feature_stories/feature_story-151.html
--------------------------------------------------------------------
CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
thanks to the depth of its security strategy..." Find out what the other
Linux vendors are not telling you.
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2
--------------------------------------------------------------------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Conectiva | ----------------------------//
+---------------------------------+
10/14/2003 - glibc
Buffer overflow vulnerability
This glibc update includes the fix for a local vulnerability and new
timezone maps adjusted for the brazilian daylight saving time
2003/2004 schedule:
http://www.linuxsecurity.com/advisories/connectiva_advisory-3732.html
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
10/13/2003 - openssl
ASN.1 Remote vulnerability
Steve Henson of the OpenSSL core team identified and prepared fixes
for a number of vulnerabilities in the OpenSSL ASN1 code that were
discovered after running a test suite by British National
Infrastructure Security Coordination Centre (NISCC).
http://www.linuxsecurity.com/advisories/debian_advisory-3731.html
10/15/2003 - tomcat4
denial of service vulnerability
Aldrin Martoq has discovered a denial of service (DoS) vulnerability
in Apache Tomcat 4.0.x.
http://www.linuxsecurity.com/advisories/debian_advisory-3733.html
+---------------------------------+
| Distribution: Mandrake | ----------------------------//
+---------------------------------+
10/10/2003 - sane
multiple vulnerabilities
Several vulnerabilities were discovered in the saned daemon, a part of
the sane package, which allows for a scanner to be used remotely.
http://www.linuxsecurity.com/advisories/mandrake_advisory-3727.html
+---------------------------------+
| Distribution: NetBSD | ----------------------------//
+---------------------------------+
10/10/2003 - XFree86
font buffer overflow vulnerabilities
There is an integer overflow in the XFree86 font libraries, which
could lead to potential privilege escalation and/or remote code
execution.
http://www.linuxsecurity.com/advisories/netbsd_advisory-3728.html
10/10/2003 - sendmail
buffer overflow vulnerabilities
Fix a buffer overflow in address parsing. However, a remote exploit of
the sendmail (smmsp - Sendmail Message Submission Program) uid could
lead to opportunities to apply local exploits to further elevate
privileges.
http://www.linuxsecurity.com/advisories/netbsd_advisory-3729.html
10/10/2003 - openssl
multiple vulnerabilities
OpenSSL had multiple vulnerabilities, they were found by tests
performed by NISCC (www.niscc.gov.uk).
http://www.linuxsecurity.com/advisories/netbsd_advisory-3730.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
