December 12, 2003

Linux Advisory Watch - December 12, 2003

Author: Benjamin D. Thomas

This week, advisories were released
for GnuPG, cvs, rsync, screen, and ethereal. The distributors include Conectiva,
Fedora, Gentoo, Immunix, Mandrake, Red Hat, and Slackware.

Data integrity has never
been more important. A few weeks ago, several Debian servers were compromised.
Soon after that, it was reported that the Gentoo rsync server was also compromised.
Although these incidents appear to be under control, something catastrophic
could have happened. Suppose malicious code was planted on the Debian or Gentoo
servers. Later, users wishing to install or update their operating systems downloaded
and executed this code. Sooner or later, it could have resulted in thousands
of vulnerable systems across the Internet.

One problem that we are faced with today is trusting the code that we execute.
How can we ensure that it comes from the correct source? When applying security
patches, how do we know that the patch comes from the distributor and not a rogue
source? A helpful solution is to use MD5 checksums. Briefly, MD5 (message-digest
algorithm) is the most widely used hashing algorithm. With it, it is reasonable to
assume that the code you wish to execute came from the source that you trust. For
example, if I needed to send a friend a binary, I might also choose to send an
MD5 checksum (d1ccac94dadcf1686f6692719845991c). With this, the friend can verify
the integrity of the binary that I sent. In Linux and most other operating systems,
an MD5 checksum is generated with the command 'md5sum filename(s)'.

When applying security patches, it is important to check the integrity of the
patches that are downloaded: check the source that the download is coming from,
and also verify the file(s) with 'md5sum'. This week, there is a Red Hat GnuPG
advisory and patch. If you are patching a Red Hat server, after downloading the
files, the MD5 checksums can be checked against the ones found in the advisory.

604a2fb5b809ec99280871f46507f4a1 9/en/os/i386/gnupg-1.2.1-9.i386.rpm

If they differ from those generated on your machine, there is an integrity problem:
either the code or the published hash is wrong, and the discrepancy should be
investigated. Checking MD5s does not absolutely guarantee data integrity, because
the published hashes could also have been altered. However, because the MD5 hash
values and the code are distributed independently, a match gives reasonable
assurance that the code can be trusted. Checking an MD5 takes only a few seconds
and provides another level of assurance.
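Below is a worked example of the check described above. It is added here and is not part of the original newsletter: the checksum line and the package contents are constructed for the example (the "package" is just the bytes `abc`), and the function names are the example's own. The checksum line uses the same layout as the advisory's line and as `md5sum` output (hex digest, whitespace, file name), and the digest is treated as coming from the advisory, a separate channel from the mirror the file was fetched from. The hashing function takes any algorithm name that Python's hashlib knows, so the same code verifies a SHA-256 checksum when a distributor publishes one.

```python
import hashlib
import os
import tempfile

# Constructed for the example: an md5sum-style line as it would appear in an
# advisory, and the bytes of the package it refers to. Not real package data.
CONSTRUCTED_CHECKSUM_LINE = "900150983cd24fb0d6963f7d28e17f72  example-package.rpm"
CONSTRUCTED_PACKAGE_BYTES = b"abc"


def parse_checksum_line(line):
    """Split a checksum line into (hex_digest, filename).

    Accepts the md5sum layout ("<digest>  <name>"), the binary-mode layout
    ("<digest> *<name>") and the single-space layout seen in some advisories.
    """
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("not a checksum line: %r" % line)
    digest, name = parts[0].lower(), parts[1]
    if name.startswith("*"):
        name = name[1:]
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not an MD5 digest: %r" % digest)
    return digest, name


def file_digest(path, algorithm="md5", chunk_size=1 << 16):
    """Hash a file in chunks so a large package need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_digest, algorithm="md5"):
    """True only if the local file hashes to the digest the advisory published."""
    return file_digest(path, algorithm) == published_digest.lower()


def demo():
    """Write the constructed package to a temporary file and verify it.

    Returns (pristine_ok, tampered_ok, sha256_of_pristine): the pristine copy
    matches, a copy with one extra byte does not.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example-package.rpm")
        with open(path, "wb") as f:
            f.write(CONSTRUCTED_PACKAGE_BYTES)
        expected, _name = parse_checksum_line(CONSTRUCTED_CHECKSUM_LINE)
        pristine_ok = verify_download(path, expected)
        sha256_hex = file_digest(path, "sha256")
        # Simulate a corrupted or altered download: a single appended byte
        # changes the digest, so the check must fail.
        with open(path, "ab") as f:
            f.write(b"\n")
        tampered_ok = verify_download(path, expected)
        return pristine_ok, tampered_ok, sha256_hex


if __name__ == "__main__":
    ok, tampered, sha = demo()
    print("pristine file matches advisory:", ok)
    print("tampered file matches advisory:", tampered)
    print("sha256 of pristine file:", sha)
```

In practice the same check is what GNU coreutils performs when the advisory's checksum lines are saved to a file and passed to `md5sum -c`; the point the example makes explicit is that the digest and the file must arrive by different routes, otherwise whoever altered the file could alter the digest too.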

Until next time, cheers!
Benjamin D. Thomas

Feature Extras:

Digital Launches the First Secure Small Business Internet Productivity Solution

- Guardian Digital, the world's premier open source Internet security company,
announced the availability of Internet Productivity Suite, a comprehensive
productivity and security management system. Focused on the increasing requirements
of small and medium organizations, this cohesive and highly-secure suite of
applications combine to protect users from Internet threats while providing
the features necessary to operate a complete Internet presence.

An Introduction and Interview with Founder, James Yonan

- In this article, Duane Dunston gives a brief introduction to OpenVPN and
interviews its founder James Yonan.

The Hacker

- Dan Verton, the author of The Hacker Diaries: Confessions of
Teenage Hackers, is a former intelligence officer in the U.S. Marine Corps
who currently writes for Computerworld, covering national cyber-security
issues and critical infrastructure.


Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.


Distribution: Conectiva
  12/9/2003 GnuPG key vulnerability

Phong Nguyen discovered a vulnerability (CAN-2003-0971) in the way
GnuPG deals with type 20 ElGamal sign+encrypt keys which allows an attacker
to recover the corresponding private key from a signature.

Distribution: Fedora
  12/11/2003 GnuPG key vulnerability

Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal
keys, when those keys are used both to sign and encrypt data. This vulnerability
can be used to trivially recover the private key.

Distribution: Gentoo
  12/11/2003 cvs access vulnerability

This release fixes a security issue with no known exploits that could cause
previous versions of CVS to attempt to create files and directories in the
filesystem root.

  12/12/2003 app-crypt/gnupg Multiple vulnerabilities

Two flaws have been found in GnuPG 1.2.3 including a format string vulnerability
and the compromise of ElGamal signing keys.

Distribution: Immunix
  12/8/2003 rsync Heap overflow

The rsync team has alerted us to a remotely exploitable heap overflow that
is being actively exploited. As the overflow is on the heap, StackGuard
offers no protection to this vulnerability.

Distribution: Mandrake
  12/8/2003 cvs access vulnerability

A vulnerability was discovered in the CVS server

  12/8/2003 screen overflow vulnerability

A vulnerability was discovered and fixed in screen by Timo Sirainen who
found an exploitable buffer overflow that allowed privilege escalation.

  12/11/2003 cvs access vulnerability (correction)

The previous updates had an incorrect temporary directory hard-coded in
the cvs binary for 9.1 and 9.2. This update corrects the problem.

  12/11/2003 ethereal

A number of vulnerabilities were discovered in ethereal that, if exploited,
could be used to make ethereal crash or run arbitrary code by injecting
malicious malformed packets onto the wire or by convincing someone to read
a malformed packet trace file.

Distribution: Red Hat
  12/11/2003 GnuPG key vulnerability

Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal
keys, when those keys are used both to sign and encrypt data. This vulnerability
can be used to trivially recover the private key.

Distribution: Slackware
  12/11/2003 cvs access vulnerability

A security problem which could allow an attacker to create directories and
possibly files outside of the CVS repository has been fixed with the release
of cvs-1.11.10.
