October 17, 2003

Linux Advisory Watch - October 17th 2003

Author: Benjamin D. Thomas

This week, advisories were
released for glibc, tomcat4, sane, XFree86, sendmail, and openssl. The distributors
include Conectiva, Debian, Mandrake, and NetBSD.Last week, I gave a brief
introduction of cryptography and the differences between symmetric and asymmetric
and encryption. Also, I made several comments on how the strength of cryptography
is measured. This week, I am going to show the basics of using the GNU Privacy
Guard (GNUPG). GNUPG is a text-based command line tool that is very straightforward
to use and based on a public & private (asymmetric) key system.

To begin using encryption
on your Linux machine, you must first download the GNUPG packages. It can be
downloaded from: http://www.gnupg.org After
the application is installed, several steps must be taken before you can begin.

First, a key-pair must
be generated. To generate your keys, go to the command line and issue the following:

[prompt]$ gpg --gen-key

If gpg has been installed
correctly, you will be prompted to enter the type of key, keysize, duration
it is valid, your name, email address, and a comment. At this point, it will
be possible for you to begin using most of gpg's other functions. Probably the
most daunting part of gpg is key management. After generating your key, the
next thing you would want to do is export your public key.

[prompt]$ gpg --export
-a youremail@domain.com > public.key

At this point, you can
share your public key with others. If other people want to send you confidential
data, they can encrypt it with your public key and you'll be the only one who
can decrypt it. If you want to send someone else an encrypted message, you'll
need their public key. To import another person's public key, use the following
command:

[prompt]$ gpg --import
filename.key

To sign and encrypt data
(filename.txt), the following command can be used:

[prompt]$ gpg -ea
-r TargetUserName filename.txt

For TargetUserName to decrypt
that file, the following command should be used:

[prompt]$ gpg -d
filename.txt.asc > output.txt

Another useful feature
of gpg is its ability to use symmetric encryption. This can be used when you
only wish to encrypt a file for personal use. It uses the same key for both
encryption and decryption. To encrypt a file symmetrically, use the following:

[prompt]$ gpg -c
filename.txt

GNUPG can also be easily
interfaced with email. Several years ago, a feature for LinuxSecurity.com was
written that describes how to interface it with pine. Virtually all modern email
clients will support it. There is a wealth of information available on Google
that can help you learn how to take advantage of GPG's features. Have fun!

Using GnuPG with Pine for
Secure E-Mail:
http://www.linuxsecurity.com/feature_stories/feature_story-83.html

 

Until next time, cheers!
Benjamin D. Thomas

 

LinuxSecurity Feature
Extras:

EnGarde
GDSN Subscription Price Reduction

- Guardian Digital, the world's premier open source security company, announced
today that they will be reducing the annual subscription cost of the Guardian
Digital Secure Network for EnGarde Community users from $229 to $60 for a
limited time.

R00ting
The Hacker

- Dan Verton, the author of The Hacker Diaries: Confessions of
Teenage Hackers is a former intelligence officer in the U.S. Marine Corps
who currently writes for Computerworld and CNN.com, covering national cyber-security
issues and critical infrastructure
protection.

[ Linux
Advisory Watch
] - [ Linux
Security Week
] - [ PacketStorm
Archive
] - [ Linux Security
Documentation
]

 

 
Distribution: Conectiva

 10/14/2003glibc   Buffer
overflow vulnerability

This glibc update includes the fix for a local vulnerability and new timezone
maps adjusted for the brazilian daylight saving time 2003/2004 schedule:

http://www.linuxsecurity.com/advisories/connectiva_advisory-3732.html
  Distribution:Debian 10/13/2003openssl095   ASN.1
Remote vulnerability

teve Henson of the OpenSSL core team identified and prepared fixes for a
number of vulnerabilities in the OpenSSL ASN1 code that were discovered
after running a test suite by British National Infrastructure Security Coordination
Centre (NISCC).

http://www.linuxsecurity.com/advisories/debian_advisory-3731.html
  10/15/2003tomcat4   denial
of service vulnerability

Aldrin Martoq has discovered a denial of service (DoS) vulnerability in
Apache Tomcat 4.0.x.

http://www.linuxsecurity.com/advisories/debian_advisory-3733.html
  Distribution:Mandrake 10/10/2003sane   multiple
vulnerabilities

Several vulnerabilities were discovered in the saned daemon, a part of the
sane package, which allows for a scanner to be used remotely.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3727.html
  Distribution:NetBSD 10/10/2003XFree86   font buffer
overflow vulnerabilities

There is an integer overflow in the XFree86 font libraries, which could
lead to potential privilege escalation and/or remote code execution.

http://www.linuxsecurity.com/advisories/netbsd_advisory-3728.html
  10/10/2003sendmail   buffer
overflow vulnerabilities

Fix a buffer overflow in address parsing. However, a remote exploit of the
sendmail (smmsp - Sendmail Message Submission Program) uid could lead to
opportunities to apply local exploits to further elevate privileges.

http://www.linuxsecurity.com/advisories/netbsd_advisory-3729.html
  10/10/2003openssl   multiple
vulnerabilities

OpenSSL had multiple vulnerabilities, they were found by tests performed
by NISCC (www.niscc.gov.uk).

http://www.linuxsecurity.com/advisories/netbsd_advisory-3730.html
 

 

 

Category:

  • Security
Click Here!