October 10, 2003

Linux Advisory Watch - October 10, 2003

Author: Benjamin D. Thomas

This week, advisories were
released for mplayer, vixie-cron, openssl, kernel, openssh, mysql, SANE, perl,
and pine. The distributors include Conectiva, Guardian Digital's EnGarde Linux,
FreeBSD, Red Hat, and TurboLinux.

This week, I'm going to
give a very brief introduction to cryptography. I realize that there are some
readers that already have a firm understanding, but there are others who need
a little explanation. It would be best to begin with the definition. Dictionary.com
describes it as "The process or skill of communicating in or deciphering secret
writings or ciphers." Cryptography is used to provide several things: confidentiality,
data integrity, user verification, and privacy. Cryptography is used to secure
network traffic, storage, and improve authentication.

Basic cryptography can
be classified into two categories: symmetric, and asymmetric. Symmetric cryptography
requires that both the sender and receiver of the message shares the same secret
key. With a symmetric key, anyone who can encrypt can decrypt. Conversely, with
asymmetric cryptography, it is nearly impossible to determine a decryption key
from an encryption key. An attacker is not helped by the knowledge of an encryption
key. Asymmetric cryptography can be compared to a bevelled sprung lock; anyone
has the ability to lock it, but only those with the key can unlock it. Public
key cryptography is asymmetric.

Strength of cryptography
is usually measured by the length of the key. Cryptography can only be used
to delay an attack. When implementing encryption, it is necessary to determine
the length of time that protection is required and choose a key length that
can not be broken by brute force techniques during that time period. Longer
and longer key lengths are required due to advancement in processing power.
Often attacks choose other methods to intercept data. For example, data may
be encrypted while on the HD, but in plaintext while in memory. The attacker
will simply attempt to capture the values stored in memory.

From this, we can conclude
that encryption does not solve all security problems. Like anything, it is only
a tool that can be used to improve the process.

Until next time, cheers!
Benjamin D. Thomas

 

LinuxSecurity Feature
Extras:

EnGarde
GDSN Subscription Price Reduction
- Guardian
Digital, the world's premier open source security company, announced today
that they will be reducing the annual subscription cost of the Guardian Digital
Secure Network for EnGarde Community users from $229 to $60 for a limited
time.

R00ting
The Hacker

- Dan Verton, the author of The Hacker Diaries: Confessions of
Teenage Hackers is a former intelligence officer in the U.S. Marine Corps
who currently writes for Computerworld and CNN.com, covering national cyber-security
issues and critical infrastructure
protection.

[ Linux
Advisory Watch
] - [ Linux
Security Week
] - [ PacketStorm
Archive
] - [ Linux Security
Documentation
]

 

Linux Advisory Watch
is a comprehensive newsletter that outlines the security vulnerabilities that
have been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.

[ Subscribe
]

 

Distribution: Conectiva
 

 10/06/2003mplayer  

Buffer
overflow vulnerability

This advisory is an update for the CLSA-2003:628[] one.

http://www.linuxsecurity.com/advisories/connectiva_advisory-3722.html

 

 10/3/2003vixie-cron  

local
vulnerability

This advisory is an update for the CLSA-2003:628[] one.

http://www.linuxsecurity.com/advisories/connectiva_advisory-3711.html

 

 10/3/2003openssl  

denial
of service vulnerability

This advisory is an update for the CLSA-2003:628[] one.

http://www.linuxsecurity.com/advisories/connectiva_advisory-3713.html

 

Distribution: EnGarde
 

 10/3/2003openssl  

potential
DoS

"Shawn" discovered and reported an SSH
passphrase disclosure vulnerability in the WebTool's User Password Changer
via the engarde-users mailing list.

http://www.linuxsecurity.com/advisories/engarde_advisory-3709.html

 

Distribution: FreeBSD
 

 10/3/2003kernel  

memory
disclosure vulnerability

A bug has been found in OpenSSH's buffer handling where a buffer
could be marked as grown when the actual reallocation failed.

http://www.linuxsecurity.com/advisories/freebsd_advisory-3714.html

 

 10/3/2003openssl  

ASN.1
parsing vulnerabilities

A bug has been found in OpenSSH's buffer handling where a buffer
could be marked as grown when the actual reallocation failed.

http://www.linuxsecurity.com/advisories/freebsd_advisory-3720.html

 

 10/3/2003openssh  

Multiple
vulnerabilities

Multiple PAM vulnerabilities have been fixed.

http://www.linuxsecurity.com/advisories/freebsd_advisory-3721.html

 

Distribution: Red
Hat
 

 10/9/2003mysql  

buffer
overflow vulnerability

There are several buffer overruns in the mars_nwe package.

http://www.linuxsecurity.com/advisories/redhat_advisory-3726.html

 

 10/8/2003SANE  

remote
vulnerabilities

There are several buffer overruns in the mars_nwe package.

http://www.linuxsecurity.com/advisories/redhat_advisory-3724.html

 

 10/3/2003perl  

XSS
vulnerabilities

There are several buffer overruns in the mars_nwe package.

http://www.linuxsecurity.com/advisories/redhat_advisory-3715.html

 

Distribution: TurboLinux
 

 10/8/2003pine  

buffer
overflow vulnerability

An integer overflow exists in the Pine MIME header parsing.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-3725.html

 

 10/8/2003mysql  

buffer
overflow vulnerability

Older versions of mtr did not properly drop root privileges.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-3723.html

Category:

  • Security
Click Here!