Linux Advisory Watch - October 17th 2003

+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  October 17th, 2003                       Volume 4, Number 41a |
+----------------------------------------------------------------+

   Editors:     Dave Wreski                Benjamin Thomas
                dave@xxxxxxxxxxxxxxxxx     ben@xxxxxxxxxxxxxxxxx

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for glibc, tomcat4, sane XFree86,
sendmail, and openssl.  The distributors include Conectiva, Debian,
Mandrake, and NetBSD.

---

 >> FREE Apache SSL Guide from Thawte  <<

Are you worried about your web server security?  Click here to get a FREE
Thawte Apache SSL Guide and find the answers to all your Apache SSL
security needs.

  Click Command:
  http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=vertad_thawteapache

---

Last week, I gave a brief introduction to cryptography and the differences
between symmetric and asymmetric encryption.  I also made several
comments on how the strength of cryptography is measured.  This week, I am
going to show the basics of using the GNU Privacy Guard (GNUPG).  GNUPG is
a text-based command line tool that is very straightforward to use and is
based on a public & private (asymmetric) key system.

To begin using encryption on your Linux machine, you must first download
the GNUPG packages.  They can be downloaded from: http://www.gnupg.org
After the application is installed, several steps must be taken before you
can begin.

First, a key-pair must be generated.  To generate your keys, go to the
command line and issue the following:

   [prompt]$ gpg --gen-key

If gpg has been installed correctly, you will be prompted to enter the
type of key, the key size, how long the key is valid, your name, email
address, and a comment.  At this point, it will be possible for you to
begin using most of gpg's other functions.  Probably the most daunting
part of gpg is key management.  After generating your key, the next thing
you would want to do is export your public key.

   [prompt]$ gpg --export -a youremail@xxxxxxxxxx > public.key

At this point, you can share your public key with others.  If other people
want to send you confidential data, they can encrypt it with your public
key and you'll be the only one who can decrypt it.  If you want to send
someone else an encrypted message, you'll need their public key.  To
import another person's public key, use the following command:

   [prompt]$ gpg --import filename.key

To sign and encrypt data (filename.txt) for a recipient, the following
command can be used (-s signs, -e encrypts, -a writes ASCII-armored
output):

   [prompt]$ gpg -sea -r TargetUserName filename.txt

For TargetUserName to decrypt that file, the following command should be
used:

   [prompt]$ gpg -d filename.txt.asc > output.txt

Another useful feature of gpg is its ability to use symmetric encryption.
This can be used when you only wish to encrypt a file for personal use.
It uses the same key for both encryption and decryption.  To encrypt a
file symmetrically, use the following:

   [prompt]$ gpg -c filename.txt
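The whole procedure above, scripted end to end as an added example (not from the newsletter): unattended key generation, public-key export and import, signing plus encryption, decryption with signature verification, and symmetric encryption. It assumes GnuPG 2.1 or later and uses the constructed identities alice@example.invalid and bob@example.invalid in two throw-away keyrings, so your own keyring is never touched.

```shell
#!/bin/sh
# Scripted GnuPG round trip: unattended key generation, public-key
# export/import, sign+encrypt, decrypt+verify, and symmetric encryption.
# Two throw-away keyrings (GNUPGHOME) stand in for sender and recipient,
# so the user's real keyring is never touched. Assumes GnuPG 2.1+.
# Unattended key generation from a parameter file; %no-protection leaves
# the key without a passphrase so no interactive prompt is needed.
make_key() {  # $1 = GNUPGHOME, $2 = real name, $3 = e-mail
    printf '%s\n' 'Key-Type: RSA' 'Key-Length: 2048' 'Subkey-Type: RSA' \
        'Subkey-Length: 2048' "Name-Real: $2" "Name-Email: $3" \
        'Expire-Date: 0' '%no-protection' '%commit' |
        GNUPGHOME="$1" gpg --batch --quiet --gen-key
}
same() { [ "$(cat "$1")" = "$(cat "$2")" ]; }   # byte-for-byte file compare
# Returns 0 on success, 1 on a failed step, 2 when gpg is not installed.
gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 2; }
    work=$(mktemp -d) && alice="$work/alice" && bob="$work/bob" &&
    mkdir -m 700 "$alice" "$bob" &&
    make_key "$alice" Alice alice@example.invalid &&   # constructed identities
    make_key "$bob"   Bob   bob@example.invalid &&
    # Exchange public keys: export ASCII-armored, import on the other side.
    GNUPGHOME="$alice" gpg --batch --export -a -o "$work/alice.pub" alice@example.invalid &&
    GNUPGHOME="$bob"   gpg --batch --export -a -o "$work/bob.pub"   bob@example.invalid &&
    GNUPGHOME="$alice" gpg --batch --quiet --import "$work/bob.pub" &&
    GNUPGHOME="$bob"   gpg --batch --quiet --import "$work/alice.pub" &&
    printf 'constructed secret message\n' > "$work/msg.txt" &&
    # Alice signs and encrypts for Bob (-s sign, -e encrypt, -a armor).
    # Freshly imported keys carry no trust, so --trust-model always skips
    # the web-of-trust check that would otherwise refuse the recipient.
    GNUPGHOME="$alice" gpg --batch --trust-model always -sea \
        -r bob@example.invalid -o "$work/msg.txt.asc" "$work/msg.txt" &&
    # Bob decrypts; gpg verifies Alice's signature and reports GOODSIG on
    # the machine-readable status channel (sent to stderr here).
    GNUPGHOME="$bob" gpg --batch --trust-model always --status-fd 2 \
        -d -o "$work/out.txt" "$work/msg.txt.asc" 2>"$work/status.log" &&
    same "$work/msg.txt" "$work/out.txt" &&
    grep -q '^\[GNUPG:\] GOODSIG' "$work/status.log" &&
    # Symmetric mode (-c): one passphrase both encrypts and decrypts.
    GNUPGHOME="$alice" gpg --batch --pinentry-mode loopback --passphrase \
        constructed-pass -c -o "$work/msg.txt.gpg" "$work/msg.txt" &&
    GNUPGHOME="$alice" gpg --batch --pinentry-mode loopback --passphrase \
        constructed-pass -d -o "$work/sym.txt" "$work/msg.txt.gpg" &&
    same "$work/msg.txt" "$work/sym.txt" || return 1
    GNUPGHOME="$alice" gpgconf --kill gpg-agent 2>/dev/null   # tidy up agents
    GNUPGHOME="$bob"   gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
}
gpg_roundtrip && echo "GnuPG round trip OK"
```

The GOODSIG check is what distinguishes a message that merely decrypted from one whose sender was verified; a tampered or unsigned file fails that step.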

GNUPG can also be easily interfaced with email.  Several years ago, a
feature for LinuxSecurity.com was written that describes how to interface
it with pine.  Virtually all modern email clients will support it.  There
is a wealth of information available on Google that can help you learn how
to take advantage of GPG's features.  Have fun!

Using GnuPG with Pine for Secure E-Mail:
http://www.linuxsecurity.com/feature_stories/feature_story-83.html

Until next time, cheers!
Benjamin D. Thomas
ben@xxxxxxxxxxxxxxxxx

----

EnGarde GDSN Subscription Price Reduction -
Guardian Digital, the world's premier open source security company,
announced today that they will be reducing the annual subscription cost of
the Guardian Digital Secure Network for EnGarde Community users from $229
to $60 for a limited time.

http://www.linuxsecurity.com/feature_stories/feature_story-151.html

--------------------------------------------------------------------

CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing
Editor's Choice Award, EnGarde "walked away with our Editor's Choice award
thanks to the depth of its security strategy..." Find out what the other
Linux vendors are not telling you.

http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

--------------------------------------------------------------------

-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

+---------------------------------+
|  Distribution: Conectiva        | ----------------------------//
+---------------------------------+

  10/14/2003 - glibc
    Buffer overflow vulnerability

    This glibc update includes the fix for a local vulnerability and new
    timezone maps adjusted for the Brazilian daylight saving time
    2003/2004 schedule:
    http://www.linuxsecurity.com/advisories/connectiva_advisory-3732.html


+---------------------------------+
|  Distribution: Debian           | ----------------------------//
+---------------------------------+

  10/13/2003 - openssl
    ASN.1 Remote vulnerability

    Steve Henson of the OpenSSL core team identified and prepared fixes
    for a number of vulnerabilities in the OpenSSL ASN.1 code that were
    discovered after running a test suite from the British National
    Infrastructure Security Coordination Centre (NISCC).
    http://www.linuxsecurity.com/advisories/debian_advisory-3731.html

  10/15/2003 - tomcat4
    denial of service vulnerability

    Aldrin Martoq has discovered a denial of service (DoS) vulnerability
    in Apache Tomcat 4.0.x.
    http://www.linuxsecurity.com/advisories/debian_advisory-3733.html


+---------------------------------+
|  Distribution: Mandrake         | ----------------------------//
+---------------------------------+

  10/10/2003 - sane
    multiple vulnerabilities

    Several vulnerabilities were discovered in the saned daemon, a part of
    the sane package, which allows for a scanner to be used remotely.
    http://www.linuxsecurity.com/advisories/mandrake_advisory-3727.html


+---------------------------------+
|  Distribution: NetBSD           | ----------------------------//
+---------------------------------+

  10/10/2003 - XFree86
    font buffer overflow vulnerabilities

    There is an integer overflow in the XFree86 font libraries, which
    could lead to potential privilege escalation and/or remote code
    execution.
    http://www.linuxsecurity.com/advisories/netbsd_advisory-3728.html

  10/10/2003 - sendmail
    buffer overflow vulnerabilities

    Fix a buffer overflow in address parsing. However, a remote exploit of
    the sendmail (smmsp - Sendmail Message Submission Program) uid could
    lead to opportunities to apply local exploits to further elevate
    privileges.
    http://www.linuxsecurity.com/advisories/netbsd_advisory-3729.html

  10/10/2003 - openssl
    multiple vulnerabilities

    OpenSSL had multiple vulnerabilities; they were found by tests
    performed by NISCC (www.niscc.gov.uk).
    http://www.linuxsecurity.com/advisories/netbsd_advisory-3730.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
