+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  December 12th, 2003                      Volume 4, Number 49a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                    Benjamin Thomas
               dave@xxxxxxxxxxxxxxxxx         ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for GnuPG, cvs, rsync, screen, and
ethereal. The distributors include Conectiva, Fedora, Gentoo, Immunix,
Mandrake, Red Hat, and Slackware.

---
>> Get Thawte's NEW Step-by-Step SSL Guide for Apache <<

In this guide you will find out how to test, purchase, install and use
a Thawte Digital Certificate on your Apache web server. Throughout, best
practices for set-up are highlighted to help you ensure efficient
ongoing management of your encryption keys and digital certificates.

Get your copy of this new guide now:
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte29
---

Data integrity has never been more important. A few weeks ago, several
Debian servers were compromised. Soon after that, it was reported that
the Gentoo rsync server was also compromised. Although these incidents
appear to be under control, something catastrophic could have happened.
Suppose malicious code had been planted on the Debian or Gentoo servers.
Later, users wishing to install or update their operating systems would
have downloaded and executed this code. Sooner or later, it could have
resulted in thousands of vulnerable systems across the Internet.

One problem that we are faced with today is trusting the code that we
execute. How can we ensure that it comes from the correct source? When
applying security patches, how do we know that a patch comes from the
distributor and not a rogue source? A helpful solution is to use MD5
checksums.
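The check this column describes, comparing the checksums printed in an
advisory against checksums computed locally on the downloaded files, is
easy to script. The following POSIX shell function is an added example
and is not part of the newsletter or of any distributor's tooling; the
function names verify_checksums and demo_tamper_detection, the
example-1.0-1.i386.rpm file, its path and the advisory.md5 list are all
constructed for the demonstration. The third argument selects the hash
tool, so the same function works with sha256sum, which is the better
choice today since MD5 is no longer collision-resistant.

```shell
#!/bin/sh
# verify_checksums LIST [BASEDIR] [HASHTOOL]
#
# LIST holds lines of the form "<hash>  <relative path>", exactly as an
# advisory prints them. Each path is resolved under BASEDIR (default: the
# current directory), hashed with HASHTOOL (default: md5sum, sha256sum
# also works), and compared against the published hash.
# Returns 0 only when every listed file exists and matches.
verify_checksums() {
    list="$1"; base="${2:-.}"; tool="${3:-md5sum}"
    bad=0
    # The "|| [ -n ... ]" keeps a final line without a trailing newline.
    while read -r expected path rest || [ -n "$expected" ]; do
        # Skip blank lines and comments in the published list.
        case "$expected" in ''|'#'*) continue ;; esac
        file="$base/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; bad=$((bad + 1)); continue
        fi
        # Hash via stdin so the tool's output is "<hash>  -" regardless of path.
        actual=$("$tool" < "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (published $expected, computed $actual)"
            bad=$((bad + 1))
        fi
    done < "$list"
    [ "$bad" -eq 0 ]
}

# Constructed demonstration: a pretend package tree and the checksum list a
# publisher would ship with its advisory. The list is generated from the
# pristine file only so that the demo has a correct reference hash.
demo_tamper_detection() {
    d=$(mktemp -d)
    mkdir -p "$d/9/en/os/i386"
    printf 'pretend package payload\n' > "$d/9/en/os/i386/example-1.0-1.i386.rpm"
    ( cd "$d" && md5sum 9/en/os/i386/example-1.0-1.i386.rpm ) > "$d/advisory.md5"

    echo "== pristine download =="
    verify_checksums "$d/advisory.md5" "$d" || { rm -rf "$d"; return 1; }

    # Simulate a modified mirror copy: one appended byte changes the digest.
    printf 'X' >> "$d/9/en/os/i386/example-1.0-1.i386.rpm"
    echo "== modified download =="
    if verify_checksums "$d/advisory.md5" "$d"; then
        rm -rf "$d"; return 1   # tampering went unnoticed: demo failed
    fi
    rm -rf "$d"
    echo "tampering detected"
}

demo_tamper_detection
```

The value of the check comes from the list arriving over a different
channel than the files (the advisory mail or web page rather than the
mirror that served the packages); a mirror that can rewrite both the
package and its checksum defeats it, which is why distributors also sign
their advisories and packages.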
Briefly, MD5 (message-digest algorithm) is the most widely used hashing
algorithm. With it, it is reasonable to assume that the code you wish to
execute came from the source you trust. For example, if I needed to send
a friend a binary, I might also choose to send an MD5 checksum
(d1ccac94dadcf1686f6692719845991c). With it, the friend can verify the
integrity of the binary I sent. In Linux and most other operating
systems, an MD5 checksum is generated with the command
'md5sum filename(s)'.

When applying security patches, it is important to check the integrity
of the patches that are downloaded: check the source the download is
coming from, and also verify the file(s) with 'md5sum'. This week, there
is a Red Hat GnuPG advisory and patch. If you are patching a Red Hat
server, after downloading the files the MD5 checksums can be checked
against the ones found in the advisory:

  e1f31f4a07ebb5b4040f8f6ca3816cc4  9/en/os/SRPMS/gnupg-1.2.1-9.src.rpm
  604a2fb5b809ec99280871f46507f4a1  9/en/os/i386/gnupg-1.2.1-9.i386.rpm

If they differ from those generated on your machine, there is an
integrity problem: either the code or the hash was published
incorrectly, and it should be investigated. Checking MD5s does not
absolutely guarantee data integrity, because the hashes could also have
been altered. However, because the MD5 hash values and the code are
distributed independently, they give reasonable assurance that the code
can be trusted. Checking an MD5 takes only a few seconds and provides
another level of assurance.

Until next time, cheers!

Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

---
Guardian Digital Customers Protected From Linux Kernel Vulnerability

As a result of the planning and secure design of EnGarde Secure Linux,
the company's flagship product, Guardian Digital customers are securely
protected from a vulnerability that led to the complete compromise of
several high-profile open source projects, including those belonging to
the Debian Project.

http://www.linuxsecurity.com/feature_stories/feature_story-155.html

--------------------------------------------------------------------
CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!

Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice
award thanks to the depth of its security strategy..." Find out what the
other Linux vendors are not telling you.

http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2
--------------------------------------------------------------------

OpenVPN: An Introduction and Interview with Founder, James Yonan

In this article, Duane Dunston gives a brief introduction to OpenVPN
and interviews its founder James Yonan.

http://www.linuxsecurity.com/feature_stories/feature_story-152.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

 12/9/2003 - GnuPG
   signing key vulnerability

   Phong Nguyen discovered[2] a vulnerability (CAN-2003-0971[3]) in the
   way GnuPG deals with type 20 ElGamal sign+encrypt keys which allows
   an attacker to recover the corresponding private key from a
   signature.
   http://www.linuxsecurity.com/advisories/conectiva_advisory-3858.html

+---------------------------------+
|  Distribution: Fedora           | ----------------------------//
+---------------------------------+

 12/11/2003 - GnuPG
   Signing key vulnerability

   Phong Nguyen identified a severe bug in the way GnuPG creates and
   uses ElGamal keys, when those keys are used both to sign and encrypt
   data. This vulnerability can be used to trivially recover the private
   key.
   http://www.linuxsecurity.com/advisories/fedora_advisory-3863.html

+---------------------------------+
|  Distribution: Gentoo           | ----------------------------//
+---------------------------------+

 12/11/2003 - cvs
   Unauthorized access vulnerability

   This release fixes a security issue with no known exploits that could
   cause previous versions of CVS to attempt to create files and
   directories in the filesystem root.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3859.html

 12/12/2003 - app-crypt/gnupg
   Multiple vulnerabilities

   Two flaws have been found in GnuPG 1.2.3, including a format string
   vulnerability and the compromise of ElGamal signing keys.
   http://www.linuxsecurity.com/advisories/gentoo_advisory-3871.html

+---------------------------------+
|  Distribution: Immunix          | ----------------------------//
+---------------------------------+

 12/8/2003 - rsync
   Heap overflow vulnerability

   The rsync team has alerted us to a remotely exploitable heap overflow
   that is being actively exploited. As the overflow is on the heap,
   StackGuard offers no protection against this vulnerability.
   http://www.linuxsecurity.com/advisories/immunix_advisory-3854.html

+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

 12/8/2003 - cvs
   Unauthorized access vulnerability

   A vulnerability was discovered in the CVS server < 1.11.10 where a
   malformed module request could cause the CVS server to attempt to
   create directories and possibly files at the root of the filesystem
   holding the CVS repository.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3855.html

 12/8/2003 - screen
   Buffer overflow vulnerability

   A vulnerability was discovered and fixed in screen by Timo Sirainen,
   who found an exploitable buffer overflow that allowed privilege
   escalation.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3856.html

 12/11/2003 - cvs
   Unauthorized access vulnerability (correction)

   The previous updates had an incorrect temporary directory hard-coded
   in the cvs binary for 9.1 and 9.2. This update corrects the problem.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3860.html

 12/11/2003 - ethereal
   Multiple vulnerabilities

   A number of vulnerabilities were discovered in ethereal that, if
   exploited, could be used to make ethereal crash or run arbitrary code
   by injecting malicious malformed packets onto the wire or by
   convincing someone to read a malformed packet trace file.
   http://www.linuxsecurity.com/advisories/mandrake_advisory-3861.html

+---------------------------------+
|  Distribution: Red Hat          | ----------------------------//
+---------------------------------+

 12/11/2003 - GnuPG
   Signing key vulnerability

   Phong Nguyen identified a severe bug in the way GnuPG creates and
   uses ElGamal keys, when those keys are used both to sign and encrypt
   data. This vulnerability can be used to trivially recover the private
   key.
   http://www.linuxsecurity.com/advisories/redhat_advisory-3862.html

+---------------------------------+
|  Distribution: Slackware        | ----------------------------//
+---------------------------------+

 12/11/2003 - cvs
   Unauthorized access vulnerability

   A security problem which could allow an attacker to create
   directories and possibly files outside of the CVS repository has
   been fixed with the release of cvs-1.11.10.
   http://www.linuxsecurity.com/advisories/slackware_advisory-3870.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------