Linux Advisory Watch – September 3, 2004


Author: Preston St. Pierre

This week, advisories were released
for qt, krb5, kdelibs, zlib, acrobat, gaim, and the Linux kernel. The
distributors include Debian, Fedora, Gentoo, Mandrake, OpenBSD, Red Hat, Slackware,
SuSE, Trustix, and TurboLinux.

Introduction to Cryptography

Implementing any large security
project on the Linux operating system requires the use of cryptography. Several
weeks ago, I wrote about a book by Fred Piper and Sean Murphy titled “Cryptography:
A Very Short Introduction.” It offers a very good introduction to the subject,
but those wishing to implement cryptography in an open source project need
a more in-depth understanding of the area. Another excellent resource is the
“Handbook of Applied Cryptography,” by Menezes, van Oorschot, and Vanstone. It has
often been considered “the bible of cryptography” and offers a detailed and
technical view.

The first several chapters of the
book focus on the basics. It gives an overview and history of cryptography and
follows with an explanation of the mathematics necessary to understand the algorithms.
Midway through the book, it gives detailed information to help the reader understand
stream ciphers, block ciphers, and finally public key encryption. After the
reader has an understanding of the algorithms, the book moves to explain how
they can be used in key establishment protocols. It also offers chapters on
key management and tips for efficient implementation.

For the long-time manager, this
book may be slightly on the technical side. However, there are clear benefits
to management having an understanding of technical subjects. Cryptography today
offers a very strong level of protection; it only fails in implementation, for
example when keys are not properly protected or managed. For those of you wishing
to learn a little more about the fascinating subject of cryptography, I highly
recommend this book.

Perhaps the best part is
that the book is available fully for free on the Web:

Hard-copies of the book can also
be purchased through Amazon or any other large bookseller.

When any company decides to take
on an in-house software development project, it is essential to include cryptographic
mechanisms. Books such as this can give programmers the knowledge necessary
to understand how cryptography works and how to avoid problems.

Until next time, cheers!
Benjamin D. Thomas

Feature Extras:

Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

– Gary McGraw is perhaps best known for his groundbreaking work on securing software,
having co-authored the classic Building Secure Software (Addison-Wesley, 2002).
More recently, he has co-written with Greg Hoglund a companion volume, Exploiting
Software, which details software security from the vantage point of the other
side, the attacker. He has graciously agreed to share some of his insights with
all of us at

Expert Dave Wreski Discusses Open Source Security
– Dave Wreski,
CEO of Guardian Digital, Inc. and respected author of various hardened security
and Linux publications, talks about how Guardian Digital is changing the face
of IT security today. Guardian Digital is perhaps best known for their hardened
Linux solution EnGarde Secure Linux, touted as the premier secure, open-source
platform for its comprehensive array of general purpose services, such as web,
FTP, email, DNS, IDS, routing, VPN, firewalling, and much more.

Linux Advisory Watch is
a comprehensive newsletter that outlines the security vulnerabilities that have
been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.

Distribution: Debian
  8/27/2004 icecast-server: cross site scripting vulnerability

Markus Wörle discovered a cross site scripting problem in the status display
(list.cgi) of the icecast internal webserver.

  8/30/2004 qt: code execution and DoS

Several vulnerabilities were discovered in recent versions of Qt, a commonly
used graphic widget set.

  8/31/2004 python2.2: really fix buffer overflow (code execution and DoS)

This security advisory corrects DSA 458-1 which caused some segmentation
faults in gethostbyaddr with non-localhost input. This update also disables
IPv6 on all architectures.

  8/31/2004 krb5

The MIT Kerberos Development Team has discovered a number of vulnerabilities
in the MIT Kerberos Version 5 software.

Distribution: Fedora
  8/31/2004 krb5: double-free bugs (Fedora Core 1)

Several double-free bugs were found in the Kerberos 5 KDC and libraries.

  8/31/2004 krb5: double-free bugs (Fedora Core 2)

Several double-free bugs were found in the Kerberos 5 KDC and libraries.

Distribution: Gentoo
  8/27/2004 Mozilla, Firefox, Thunderbird: new releases fix vulnerabilities

New releases of Mozilla, Mozilla Thunderbird, and Mozilla Firefox fix several
vulnerabilities, including remote DoS and buffer overflows.

  8/27/2004 kdelibs: cookie injection vulnerability

The cookie manager component in kdelibs contains a vulnerability allowing
an attacker to potentially gain access to a user’s session on a legitimate
web server.

  8/27/2004 zlib: denial of service vulnerability

The zlib library contains a Denial of Service vulnerability.

  8/27/2004 gaim: new vulnerabilities

Gaim contains several security issues that might allow an attacker to execute
arbitrary code or commands.

Distribution: Mandrake
  8/27/2004 kernel

Paul Starzetz from iSEC discovered a race condition in the 64-bit file offset
handling.

  9/1/2004 krb5

A double-free vulnerability exists in the MIT Kerberos 5’s KDC program that
could potentially allow a remote attacker to execute arbitrary code on the
KDC host.

Distribution: OpenBSD
  8/31/2004 zlib

A bug has been found in the version of zlib included in OpenBSD 3.5 (and
only 3.5) that could allow an attacker to crash programs linked with it.

Distribution: Red Hat
  8/27/2004 acrobat

An updated Adobe Acrobat Reader package that fixes multiple security issues
is now available.

  8/31/2004 krb5

Updated Kerberos (krb5) packages that correct double-free and ASN.1 parsing
bugs are now available for Red Hat Enterprise Linux.

  8/31/2004 krb5

Updated krb5 packages that improve client responsiveness and fix several
security issues are now available for Red Hat Enterprise Linux 3.

Distribution: Slackware
  8/27/2004 gaim

A couple of bugs were found in the gaim 0.82 release, and gaim-0.82.1 was
released to fix them.

Distribution: SuSE
  9/1/2004 kernel

Various signedness issues and integer overflows have been fixed within kNFSd
and the XDR decode functions of kernel 2.6.

Distribution: Trustix
  8/27/2004 courier-imap, samba, zlib: multiple vulnerabilities

Security roll-up.

Distribution: TurboLinux
  8/31/2004 rsync, qt: vulnerabilities

Security roll-up for 31/Aug/2004.