Linux Advisory Watch – October 17th 2003


Author: Benjamin D. Thomas

This week, advisories were released for glibc, tomcat4, sane, XFree86, sendmail, and openssl. The distributors
include Conectiva, Debian, Mandrake, and NetBSD.

Last week, I gave a brief introduction to cryptography and the difference between symmetric and asymmetric
encryption, and made several comments on how the strength of cryptography is measured. This week, I am going
to show the basics of using the GNU Privacy Guard (GnuPG). GnuPG is a text-based command line tool that is
very straightforward to use and is based on a public/private (asymmetric) key system.

To begin using encryption on your Linux machine, you must first install the GnuPG package. It can be
downloaded from http://www.gnupg.org, and most distributions also ship it as a package. After
the application is installed, several steps must be taken before you can begin.

First, a key pair must be generated. To generate your keys, go to the command line and issue the following:

[prompt]$ gpg --gen-key

If gpg has been installed correctly, you will be prompted to enter the type of key, the key size, how long
it should remain valid, your name, email address, and a comment. At this point, it will be possible for you
to begin using most of gpg's other functions. Probably the most daunting part of gpg is key management. After
generating your key, the next thing you will want to do is export your public key (-a produces ASCII-armored
output that can be pasted into mail or on a web page):

[prompt]$ gpg --export -a youremail@domain.com > public.key

At this point, you can share your public key with others. If other people want to send you confidential
data, they can encrypt it with your public key, and because only you hold the matching private key, you will
be the only one who can decrypt it. If you want to send someone else an encrypted message, you will need
their public key. To import another person's public key, use the following command:

[prompt]$ gpg --import filename.key

Anyone can generate a key carrying someone else's name and email address, so before you encrypt to an
imported key, confirm its fingerprint (gpg --fingerprint) with the owner over an independent channel, such
as in person or by telephone.

To sign and encrypt data (filename.txt) for a recipient, the following command can be used: -s signs with
your private key, -e encrypts, -a ASCII-armors the output, and -r names the recipient. The result is written
to filename.txt.asc:

[prompt]$ gpg -sea -r TargetUserName filename.txt

For TargetUserName to decrypt that file (and verify your signature at the same time), the following command
should be used:

[prompt]$ gpg -d filename.txt.asc > output.txt

Another useful feature of gpg is its ability to use symmetric encryption. This can be used when you only
wish to encrypt a file for personal use. It uses the same passphrase for both encryption and decryption, so
the protection is only as good as the passphrase you choose. To encrypt a file symmetrically, use the
following (the output is written to filename.txt.gpg and is decrypted with the same -d command shown above):

[prompt]$ gpg -c filename.txt

GNUPG can also be easily
interfaced with email. Several years ago, a feature for LinuxSecurity.com was
written that describes how to interface it with pine. Virtually all modern email
clients will support it. There is a wealth of information available on Google
that can help you learn how to take advantage of GPG’s features. Have fun!

Using GnuPG with Pine for
Secure E-Mail:
http://www.linuxsecurity.com/feature_stories/feature_story-83.html

 

Until next time, cheers!
Benjamin D. Thomas

 

LinuxSecurity Feature
Extras:

EnGarde GDSN Subscription Price Reduction

– Guardian Digital, the world’s premier open source security company, announced
today that they will be reducing the annual subscription cost of the Guardian
Digital Secure Network for EnGarde Community users from $229 to $60 for a
limited time.

R00ting The Hacker

– Dan Verton, the author of The Hacker Diaries: Confessions of
Teenage Hackers is a former intelligence officer in the U.S. Marine Corps
who currently writes for Computerworld and CNN.com, covering national cyber-security
issues and critical infrastructure
protection.

Distribution: Conectiva
  10/14/2003  glibc  Buffer overflow vulnerability

This glibc update includes the fix for a local vulnerability and new timezone
maps adjusted for the Brazilian daylight saving time 2003/2004 schedule:

http://www.linuxsecurity.com/advisories/connectiva_advisory-3732.html

 
 
Distribution: Debian
  10/13/2003  openssl095  ASN.1 remote vulnerability

Steve Henson of the OpenSSL core team identified and prepared fixes for a
number of vulnerabilities in the OpenSSL ASN.1 code that were discovered
by running a test suite from the British National Infrastructure Security
Coordination Centre (NISCC).

http://www.linuxsecurity.com/advisories/debian_advisory-3731.html

 
  10/15/2003  tomcat4  Denial of service vulnerability

Aldrin Martoq has discovered a denial of service (DoS) vulnerability in
Apache Tomcat 4.0.x.

http://www.linuxsecurity.com/advisories/debian_advisory-3733.html

 
 
Distribution: Mandrake
  10/10/2003  sane  Multiple vulnerabilities

Several vulnerabilities were discovered in the saned daemon, part of the
sane package, which allows a scanner to be used remotely.

http://www.linuxsecurity.com/advisories/mandrake_advisory-3727.html

 
 
Distribution: NetBSD
  10/10/2003  XFree86  Font buffer overflow vulnerabilities

There is an integer overflow in the XFree86 font libraries, which could
lead to privilege escalation and/or remote code execution.

http://www.linuxsecurity.com/advisories/netbsd_advisory-3728.html

 
  10/10/2003  sendmail  Buffer overflow vulnerabilities

Fixes a buffer overflow in address parsing. A remote exploit would run with
the uid of smmsp (the Sendmail Message Submission Program), from which local
exploits could then be applied to further elevate privileges.

http://www.linuxsecurity.com/advisories/netbsd_advisory-3729.html

 
  10/10/2003  openssl  Multiple vulnerabilities

OpenSSL had multiple vulnerabilities; they were found by tests performed
by NISCC (www.niscc.gov.uk).

http://www.linuxsecurity.com/advisories/netbsd_advisory-3730.html
