Information Security News mailing list archives
Linux Advisory Watch - December 29th 2000
From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 29 Dec 2000 02:29:11 -0500
+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  December 15th, 2000                      Volume 1, Number 35a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave () linuxsecurity com    ben () linuxsecurity com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for gnupg, stunnel, dialog, and
fetchmail. The vendors include Debian and TurboLinux. I'm sure many of
you are happy that it is a light week and nothing major has surfaced.

Happy New Year to all subscribers, and thank you for the kind words and
constructive suggestions you have sent during the past year. If you have
suggestions that would make our newsletters or website more effective,
please let us know.

In addition to our Vulnerability Watch newsletter, we also provide a
security news newsletter that summarizes the most important security
news and events of the week. Be sure to visit LinuxSecurity.com for
subscription information.

### OpenDoc Publishing ###

Our sponsor this week is OpenDoc Publishing. Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and securing
Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL, ApacheSSL,
OpenSSH and much more! Includes Red Hat 6.2 and Red Hat 6.2 PowerTools
edition.

  http://www.linuxsecurity.com/sponsors/opendocs.html

HTML Version:
  http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
|  Installing a new package:      |   ------------------------------//
+---------------------------------+

   # rpm -Uvh <package>
   # dpkg -i <package>

Packages can be installed easily by using rpm (Red Hat Package Manager)
or dpkg (Debian Package Manager).
Most advisories issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body of the
advisories.

+---------------------------------+
|  Checking Package Integrity:    |   -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is applied.
It can be used to compare against a previously-generated sum to
determine whether the file has changed. It is commonly used to ensure
the integrity of updated packages distributed by a vendor.

   # md5sum <package>
   ebf0d4a0d236453f63a797ea20f0758b

The string of numbers can then be compared against the MD5 checksum
published by the packager. While it does not take into account the
possibility that the same person who may have modified a package also
may have modified the published checksum, it is especially useful for
establishing a great deal of assurance in the integrity of a package
before installing it.

+---------------------------------+
|  Debian Advisories              |   ----------------------------//
+---------------------------------+

* Debian: 'gnupg' vulnerabilities
  December 25th, 2000

  There is a problem in the way gpg checks detached signatures which can
  lead to false positives. A detached signature can be verified with a
  command like this:

     gpg --verify detached.sig < mydata

  If someone replaced detached.sig with a signed text (i.e. not a
  detached signature) and then modified mydata, gpg would still report a
  successfully verified signature.
  Alpha architecture:
    http://security.debian.org/dists/stable/updates/main/binary-alpha/gnupg_1.0.4-1.1_alpha.deb
    MD5 checksum: 616e391a4eb5561bf32714e40bed38c5
  ARM architecture:
    http://security.debian.org/dists/stable/updates/main/binary-arm/gnupg_1.0.4-1.1_arm.deb
    MD5 checksum: e496f7aed98098feef2869be81b774b7
  Intel ia32 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-i386/gnupg_1.0.4-1.1_i386.deb
    MD5 checksum: a6c0494c737250b0ccc7dc33056d8e7c
  Motorola 680x0 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-m68k/gnupg_1.0.4-1.1_m68k.deb
    MD5 checksum: a07cbf5bce2890fe85cfae4d796c5b0d
  PowerPC architecture:
    http://security.debian.org/dists/stable/updates/main/binary-powerpc/gnupg_1.0.4-1.1_powerpc.deb
    MD5 checksum: e251364c24066cc88a3de11b4ba23275
  Sun Sparc architecture:
    http://security.debian.org/dists/stable/updates/main/binary-sparc/gnupg_1.0.4-1.1_sparc.deb
    MD5 checksum: b15f4ad07949fb0fa24a221b656691ae

  Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-1016.html

* Debian: 'dialog' vulnerability
  December 24th, 2000

  Matt Kraai reported that he found a problem in the way dialog creates
  lock-files: it did not create them safely, which made it susceptible
  to a symlink attack. This has been fixed in version 0.9a-20000118-3bis.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-1014.html

* Debian: 'stunnel' vulnerabilities
  December 24th, 2000

  Lez discovered a format string problem in stunnel (a tool to create
  Universal SSL tunnel for other network daemons).
  Brian Hatch responded by stating he was already preparing a new
  release with multiple security fixes:

  Alpha architecture:
    http://security.debian.org/dists/stable/updates/main/binary-alpha/stunnel_3.10-0potato1_alpha.deb
    MD5 checksum: 832ad31f899dbc655b1796b56cb98c80
  Intel ia32 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-i386/stunnel_3.10-0potato1_i386.deb
    MD5 checksum: b64009319600749c58c60d39874db79d
  Motorola 680x0 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-m68k/stunnel_3.10-0potato1_m68k.deb
    MD5 checksum: 89c199d09858d14c9563522f4f6fba67
  PowerPC architecture:
    http://security.debian.org/dists/stable/updates/main/binary-powerpc/stunnel_3.10-0potato1_powerpc.deb
    MD5 checksum: cd145736ba23c54f98a41afe7bb5469f
  Sun Sparc architecture:
    http://security.debian.org/dists/stable/updates/main/binary-sparc/stunnel_3.10-0potato1_sparc.deb
    MD5 checksum: 12d12072d96e1ddc6caa50cbc179619f

  Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-1013.html

* Debian: 'dialog' symlink attack
  December 24th, 2000

  Matt Kraai reported that he found a problem in the way dialog creates
  lock-files: it did not create them safely, which made it susceptible
  to a symlink attack. This has been fixed in version 0.9a-20000118-3bis.
  Alpha architecture:
    http://security.debian.org/dists/stable/updates/main/binary-alpha/dialog_0.9a-20000118-3bis_alpha.deb
    MD5 checksum: 57c04e1f8dec33de5dffee92d0b162cb
  ARM architecture:
    http://security.debian.org/dists/stable/updates/main/binary-arm/dialog_0.9a-20000118-3bis_arm.deb
    MD5 checksum: 5735033a17262209a1130459229a0982
  Intel ia32 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-i386/dialog_0.9a-20000118-3bis_i386.deb
    MD5 checksum: f38bbfaa0076a590fe2421eb2ab68a9f
  Motorola 680x0 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-m68k/dialog_0.9a-20000118-3bis_m68k.deb
    MD5 checksum: e7d0985d05a750c6550dd778ab14863e
  PowerPC architecture:
    http://security.debian.org/dists/stable/updates/main/binary-powerpc/dialog_0.9a-20000118-3bis_powerpc.deb
    MD5 checksum: 13033d33c56d4e18e8442cc2debaa6f8
  Sun Sparc architecture:
    http://security.debian.org/dists/stable/updates/main/binary-sparc/dialog_0.9a-20000118-3bis_sparc.deb
    MD5 checksum: c310130da0b7ba8ad8d52003db9669c3

  Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-1012.html

* Debian: multiple 'stunnel' vulnerabilities
  December 24th, 2000

  Lez discovered a format string problem in stunnel (a tool to create
  Universal SSL tunnel for other network daemons).
  Brian Hatch responded by stating he was already preparing a new
  release with multiple security fixes:

  Alpha architecture:
    http://security.debian.org/dists/stable/updates/main/binary-alpha/stunnel_3.10-0potato1_alpha.deb
    MD5 checksum: 832ad31f899dbc655b1796b56cb98c80
  Intel ia32 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-i386/stunnel_3.10-0potato1_i386.deb
    MD5 checksum: b64009319600749c58c60d39874db79d
  Motorola 680x0 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-m68k/stunnel_3.10-0potato1_m68k.deb
    MD5 checksum: 89c199d09858d14c9563522f4f6fba67
  PowerPC architecture:
    http://security.debian.org/dists/stable/updates/main/binary-powerpc/stunnel_3.10-0potato1_powerpc.deb
    MD5 checksum: cd145736ba23c54f98a41afe7bb5469f
  Sun Sparc architecture:
    http://security.debian.org/dists/stable/updates/main/binary-sparc/stunnel_3.10-0potato1_sparc.deb
    MD5 checksum: 12d12072d96e1ddc6caa50cbc179619f

  Vendor Advisory:
    http://www.linuxsecurity.com/advisories/debian_advisory-1015.html

+---------------------------------+
|  Turbo Linux Advisories         |   ----------------------------//
+---------------------------------+

* TurboLinux: 'fetchmail' vulnerability
  December 28th, 2000

  The updated IMAP server released in errata advisory RHSA:102-04
  exposes a bug in fetchmail's implementation of the AUTHENTICATE GSSAPI
  command.

    ftp://ftp.turbolinux.com/pub/updates/6.0/security/fetchmail-5.5.0-3.i386.rpm
    MD5 Checksum: 75f5c835b99182e5f7ca73d669f670c7

  Vendor Advisory:
    http://www.linuxsecurity.com/advisories/turbolinux_advisory-1017.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-request () linuxsecurity com with
"unsubscribe" in the subject of the message.
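The "Checking Package Integrity" section above leaves the comparison between the md5sum output and the published checksum to the reader. The script below is an added example, not code from LinuxSecurity.com or any of the vendors quoted in this issue: it pulls the "MD5 checksum:" pairs out of an advisory text in the layout used above (coping with a URL that was wrapped onto a second line), streams the downloaded package through MD5, and reports "ok", "mismatch" or "unlisted" so that a tampered or unknown file is never installed by accident. The advisory excerpt, file names and checksum it uses are constructed for the demo (the checksum is MD5 of the three bytes "abc"), not values from a real advisory.

```python
import hashlib
import hmac
import os
import re
import tempfile
from pathlib import Path

# Matches "<package file>  MD5 checksum: <hex>" as laid out in the advisory
# text, whether or not the URL was wrapped before the file name.
CHECKSUM_RE = re.compile(
    r"(\S+\.(?:deb|rpm))\s+MD5\s+[Cc]hecksum:\s*([0-9a-fA-F]{32})")


def parse_published_checksums(advisory_text):
    """Map package file name -> published MD5 hex digest (lowercase)."""
    return {Path(m.group(1)).name: m.group(2).lower()
            for m in CHECKSUM_RE.finditer(advisory_text)}


def md5_of_file(path, chunk_size=65536):
    """Stream the file through MD5 so a large package is never read whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_package(path, published):
    """Return 'ok', 'mismatch' or 'unlisted' for a downloaded package file."""
    name = Path(path).name
    if name not in published:
        return "unlisted"            # nothing to compare against: do not install
    actual = md5_of_file(path)
    # compare_digest does not stop at the first differing character
    return "ok" if hmac.compare_digest(actual, published[name]) else "mismatch"


# Constructed advisory excerpt: host, file name and checksum are made up for
# this example (the checksum is MD5("abc")), not values from any vendor.
SAMPLE_ADVISORY = """\
Intel ia32 architecture:
  http://security.example.invalid/updates/main/
  binary-i386/example_1.0-1_i386.deb
  MD5 checksum: 900150983cd24fb0d6963f7d28e17f72
"""


def run_demo():
    """Write three constructed package files and verify each against the advisory."""
    published = parse_published_checksums(SAMPLE_ADVISORY)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cases = {
            "good": ("example_1.0-1_i386.deb", b"abc"),      # matches the published sum
            "tampered": ("example_1.0-1_i386.deb", b"abd"),  # one byte changed
            "unknown": ("other_2.0-1_i386.deb", b"abc"),     # not listed in the advisory
        }
        for label, (name, content) in cases.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            results[label] = verify_package(path, published)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print("%-9s %s" % (label, outcome))
```

As the section notes, this only proves the download matches what the packager published; it says nothing about whether the published checksum itself was altered, which is why the vendor's signed advisory (and the gpg check discussed under the gnupg entry) still matters.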
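The gnupg entry above describes gpg accepting a signed text in place of detached.sig and ignoring the data on stdin. The packaged gnupg_1.0.4-1.1 is the real remedy; the script below is an added example, not Debian's or GnuPG's code, of an independent pre-check a verification script can apply before ever calling gpg: it walks the OpenPGP packet framing (RFC 4880, successor of the RFC 2440 spec current in 2000) of the file about to be passed as the signature and accepts it only if it is a bare sequence of signature packets. A file carrying a one-pass signature, compressed or literal data packet is a signed message that brings its own data, and a clearsigned block is rejected on its armor header. The sample inputs are constructed: their packet headers are real encodings, their bodies are filler bytes, so they are valid framing but not verifiable signatures.

```python
import base64

# OpenPGP packet tags (RFC 4880 section 4.3) that matter for this check
TAG_SIGNATURE = 2
TAG_ONE_PASS_SIG = 4
TAG_COMPRESSED = 8
TAG_LITERAL = 11
MESSAGE_TAGS = (TAG_ONE_PASS_SIG, TAG_COMPRESSED, TAG_LITERAL)


def _new_format_length(data, pos):
    """Decode a new-format body length (RFC 4880 4.2.2) -> (length, next_pos, is_partial)."""
    o1 = data[pos]
    if o1 < 192:
        return o1, pos + 1, False
    if o1 < 224:
        return ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if o1 == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (o1 & 0x1F), pos + 1, True       # partial body length


def packet_tags(data):
    """Walk a binary OpenPGP packet sequence and return its packet tags in order."""
    tags, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("offset %d: 0x%02x is not a packet header" % (pos, hdr))
        pos += 1
        if hdr & 0x40:                               # new-format header
            tag = hdr & 0x3F
            partial = True
            while partial:                           # follow chained partial lengths
                length, pos, partial = _new_format_length(data, pos)
                pos += length
        else:                                        # old-format header
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:                           # indeterminate: runs to end of input
                pos = len(data)
            else:
                n = (1, 2, 4)[ltype]
                pos += n + int.from_bytes(data[pos:pos + n], "big")
        if pos > len(data):
            raise ValueError("packet body runs past end of input")
        tags.append(tag)
    return tags


def dearmor(text):
    """Strip an ASCII-armor envelope (RFC 4880 6.2) and return the binary packets."""
    lines = iter(text.splitlines())
    if not any(line.startswith("-----BEGIN PGP") for line in lines):
        raise ValueError("no armor header line")
    for line in lines:                               # skip armor headers up to the blank line
        if line.strip() == "":
            break
    b64 = []
    for line in lines:
        if line.startswith("=") or line.startswith("-----END PGP"):
            break                                    # "=XXXX" is the CRC-24 line
        b64.append(line.strip())
    return base64.b64decode("".join(b64))


def classify(blob):
    """Say what a file about to be handed to 'gpg --verify' as the signature really is."""
    if blob.startswith(b"-----BEGIN PGP SIGNED MESSAGE-----"):
        return "signed-message"                      # clearsigned text carries its own data
    if blob.startswith(b"-----BEGIN PGP"):
        blob = dearmor(blob.decode("ascii", "replace"))
    tags = packet_tags(blob)
    if tags and all(t == TAG_SIGNATURE for t in tags):
        return "detached-signature"
    if any(t in MESSAGE_TAGS for t in tags):
        return "signed-message"
    return "unknown"


def safe_to_verify_detached(sig_path):
    """Gate for a verification script: only a pure detached signature may be passed on."""
    with open(sig_path, "rb") as fh:
        return classify(fh.read()) == "detached-signature"


# Constructed samples: real packet headers, filler bodies (not valid signatures).
DETACHED_SIG = bytes([0x88, 0x03]) + b"\x04\x00\x01"                 # old-format tag 2
SIGNED_MESSAGE = (bytes([0xC4, 0x03]) + b"\x03\x00\x01"              # new-format tag 4
                  + bytes([0xCB, 0x06]) + b"b\x00\x00\x00\x00\x00"   # new-format tag 11
                  + DETACHED_SIG)                                    # trailing signature
ARMORED_DETACHED_SIG = (b"-----BEGIN PGP SIGNATURE-----\nVersion: constructed\n\n"
                        + base64.b64encode(DETACHED_SIG)
                        + b"\n=AAAA\n-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for name, blob in [("detached.sig", DETACHED_SIG), ("signed.gpg", SIGNED_MESSAGE),
                       ("detached.asc", ARMORED_DETACHED_SIG)]:
        print("%-13s %s" % (name, classify(blob)))
```

Run safe_to_verify_detached("detached.sig") first and only then call gpg --verify with the signature and the data file; a "signed-message" result means the file you were given is not the detached signature you expected, whatever gpg would say about it.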
------------------------------------------------------------------------
ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".