From measl at mfn.org Wed Oct 1 00:52:07 2003
From: measl at mfn.org (J.A. Terranson)
Date: Tue, 30 Sep 2003 18:52:07 -0500 (CDT)
Subject: [Full-Disclosure] More on Dan Geer
In-Reply-To: <5.0.0.25.2.20030930102859.04c4bdc0@pop3.direcway.com>
Message-ID:

On Tue, 30 Sep 2003, madsaxon wrote:

> At 10:18 AM 9/30/03 -0400, Stormwalker wrote:
>
> >The following quotes clarify @Stake's position. It's worse than even I
> >thought. They know better, but don't care anymore. M$ is more important
> >than truth.
>
> Perhaps. I caution you, however, to make a distinction between
> @Stake as a corporate entity and some of the individual employees
> thereof.

Except that in this case, @Stake exists solely on the coattails of those
individuals. Let's face it, unlike an IBM or Sprint, etc., @Stake *is*
these people we [thought] we know.

> m5x

--
Yours,
J.A. Terranson
sysadmin at mfn.org

"Every living thing dies alone."
Donnie Darko


From psirt at cisco.com Wed Oct 1 01:41:41 2003
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Tue, 30 Sep 2003 17:41:41 -0700
Subject: [Full-Disclosure] Cisco Security Advisory: SSL Implementation Vulnerabilities
Message-ID: <200309301741.cisco-sa-20030930-ssl@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: SSL Implementation Vulnerabilities

Revision 1.0

For Public Release 2003 September 30 at 2330 GMT

----------------------------------------------------------------------

Contents

    Summary
    Affected Products
    Details
    Impact
    Software Versions and Fixes
    Obtaining Fixed Software
    Workarounds
    Exploitation and Public Announcements
    Status of This Notice: INTERIM
    Distribution
    Revision History
    Cisco Security Procedures

----------------------------------------------------------------------

Summary

New vulnerabilities in the OpenSSL implementation for SSL have been announced.
An affected network device running an SSL server based on the OpenSSL
implementation may be vulnerable to a Denial of Service (DoS) attack when
presented with a malformed certificate by a client. The network device is
vulnerable to this vulnerability even if it is configured to not
authenticate certificates from the client.

There are workarounds available to mitigate the effects of these
vulnerabilities.

This advisory will be posted at
http://www.cisco.com/warp/public/707/cisco-sa-20030930-ssl.shtml.

Affected Products

The following products have their SSL implementation based on the OpenSSL
code and may be affected by the OpenSSL vulnerabilities.

  * Cisco IOS 12.1(11)E and later in the 12.1E release train
  * Cisco PIX Firewall
  * Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500
    Series and Cisco 7600 Series routers
  * Cisco Network Analysis Modules (NAM) for the Cisco Catalyst 6000 and
    6500 Series switches and Cisco 7600 Series routers
  * Cisco Content Service Switch (CSS) 11000 series
  * Cisco Global Site Selector (GSS) 4480
  * Cisco Application & Content Networking Software (ACNS)
  * Cisco SN 5428 Storage Router
  * CiscoWorks 1105 Hosting Solution Engine (HSE)
  * CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)
  * CiscoWorks Common Services (CMF)
  * Cisco SIP Proxy Server (SPS)

The following products, which implement SSL, are currently known to be not
vulnerable to the OpenSSL vulnerabilities.

  * Cisco VPN 3000 Series Concentrators
  * Cisco Secure Intrusion Detection System (NetRanger) appliance. This
    includes the IDS-42xx appliances, NM-CIDS and WS-SVS-IDSM2.
  * Cisco Secure Socket Layer (SSL) Services Module for the Cisco Catalyst
    6500 Series and Cisco 7600 Series routers
  * Cisco Call Manager

No other Cisco products are currently known to be affected by these
vulnerabilities.
Details

An affected network device running an SSL server based on the OpenSSL
implementation may be vulnerable to a Denial of Service (DoS) attack when
presented with a malformed certificate by a client. The network device is
vulnerable to this vulnerability even if it is configured to not
authenticate certificates from the client.

More information on these OpenSSL vulnerabilities is available at
http://www.openssl.org/news/secadv_20030930.txt.

  * Cisco IOS - All 12.1(11)E and later IOS software releases in the 12.1E
    release train are affected by the OpenSSL vulnerabilities. The command
    no ip http secure-server may be used to disable the HTTPS web service
    on the device.
  * Cisco PIX Firewall - This vulnerability is documented as Bug ID
    CSCec31274.
  * Cisco Firewall Services Module (FWSM) - This vulnerability is
    documented as Bug ID CSCec45573.
  * Cisco Network Analysis Modules (NAM) - This vulnerability is
    documented as Bug ID CSCec45573.
  * Cisco Content Service Switch (CSS) 11000 series - Cisco WebNS
    versions 6.x and 7.x are vulnerable. WebNS version 5.x is not
    vulnerable to the OpenSSL vulnerabilities. This vulnerability is
    documented as Bug IDs CSCec45165 and CSCec45342.
  * Cisco Global Site Selector (GSS) 4480 - This vulnerability is
    documented as Bug ID CSCec45380.
  * Cisco Application & Content Networking Software (ACNS) - This
    vulnerability is documented as Bug ID CSCec41413.
  * Cisco SN 5428 Storage Router - This vulnerability is documented as
    Bug ID CSCec44103.
  * CiscoWorks 1105 Hosting Solution Engine (HSE) - This vulnerability is
    documented as Bug ID CSCec38542.
  * CiscoWorks 1105 Wireless LAN Solution Engine (WLSE) - This
    vulnerability is documented as Bug ID CSCec38526.
  * CiscoWorks Common Services (CMF) - Both Solaris and Windows versions
    of CMF 2.2 and CMF 2.1 are vulnerable. Windows versions of Core 1.0
    are also vulnerable. This vulnerability is documented as Bug ID
    CSCec43722.
  * Cisco SIP Proxy Server (SPS) - This vulnerability is documented as
    Bug ID CSCec31901.

Impact

An affected network device running an SSL server based on the OpenSSL
implementation may be vulnerable to a Denial of Service (DoS) attack when
presented with a malformed certificate by a client regardless of whether it
is configured to process client certificates or not.

Software Versions and Fixes

  * Cisco IOS - 12.1(14)E most likely would be the release to have this
    fix. CCO availability TBD.
  * Cisco PIX firewall - This vulnerability is fixed in software release
    6.3(3.102). CCO availability TBD.
  * Cisco Firewall Services Module (FWSM) - Fixed Software release TBD.
    CCO availability TBD.
  * Cisco Network Analysis Modules (NAM) - Fixed Software release TBD.
    CCO availability TBD.
  * Cisco Content Service Switch (CSS) 11000 series - Fixed Software
    release TBD. CCO availability TBD.
  * Cisco Global Site Selector (GSS) 4480 - Fixed Software release TBD.
    CCO availability TBD.
  * Cisco Application & Content Networking Software (ACNS) - Fixed
    Software release 5.0.7. CCO availability September 30, 2003.
  * Cisco SN 5428 Storage Router - Fixed Software version 3.4.2. CCO
    availability TBD.
  * CiscoWorks 1105 Hosting Solution Engine (HSE) - Fixed Software
    release 1.7.3. CCO availability November 21, 2003.
  * CiscoWorks 1105 Wireless LAN Solution Engine (WLSE) - Fixed Software
    release 2.5. CCO availability TBD.
  * CiscoWorks Common Services (CMF) - Fixed Software release TBD. CCO
    availability TBD.
  * Cisco SIP Proxy Server (SPS) - Fixed Software release 2.2. CCO
    availability TBD.

Obtaining Fixed Software

Cisco is offering free software upgrades or patches to address these
vulnerabilities for all affected customers. Customers may only install and
expect support for the feature sets they have purchased.
By installing, downloading, accessing or otherwise using such software
upgrades or patches, Customers agree to be bound by the terms of Cisco's
software license terms found at
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set
forth at the Cisco Connection Online Software Center at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Customers with service contracts should contact their regular update
channels to obtain the free software upgrade(s) or patches identified via
this advisory. For most customers with service contracts, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com/tacpage/sw-center/. To access the
software download URL, you must be a registered user and you must be logged
in.

Customers whose Cisco products are provided or maintained through a prior
or existing agreement with third-party support organizations such as Cisco
Partners, authorized resellers, or service providers should contact that
support organization for assistance with obtaining the free software
upgrade(s).

Customers who purchased directly from Cisco but who do not hold a Cisco
service contract, and customers who purchase through third party vendors but
are unsuccessful at obtaining fixed software through their point of sale,
should obtain fixed software by contacting the Cisco Technical Assistance
Center (TAC) using the contact information listed below. In these cases,
customers are entitled to obtain an upgrade to a later version of the same
release or as indicated by the applicable corrected software version in the
Software Versions and Fixes section (noted above).

TAC contacts are as follows.
  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized telephone
numbers and instructions and e-mail addresses for use in various languages.

Please have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Please do not
contact either "psirt at cisco.com" or "security-alert at cisco.com" for
software upgrades.

Workarounds

The Cisco PSIRT recommends that affected users upgrade to a fixed software
version of code as soon as it is available.

  * Restrict access to the HTTPS server on the network device: Allow
    access to the network device only from trusted workstations by using
    ACLs / MAC filters that are available on the affected platforms.
  * Disable the SSL server / service on the network device. This
    workaround must be weighed against the need for secure communications
    with the vulnerable device.

Exploitation and Public Announcements

The Cisco PSIRT is not aware of any malicious use of the vulnerabilities
described in this advisory at this time.

These vulnerabilities have also been documented by the NISCC at
http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm.

Status of This Notice: INTERIM

This is an interim advisory. Although Cisco cannot guarantee the accuracy
of all statements in this advisory, all of the facts have been checked to
the best of our ability. Cisco does not anticipate issuing updated versions
of this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Cisco may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory that
omits the distribution URL in the following section is an uncontrolled
copy, and may lack important information or contain factual errors.
Distribution

This advisory will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20030930-ssl.shtml.

In addition to worldwide website posting, a text version of this advisory
is clear-signed with the Cisco PSIRT PGP key having the fingerprint
8C82 5207 0CA9 ED40 1DD2 EE2A 7B31 A8CF 32B6 B590 and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-teams at first.org (includes CERT/CC)
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.netsys.com
  * comp.dcom.sys.cisco
  * Various internal Cisco mailing lists

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged to
check the above URL for any updates.

Revision History

+------------------------------------------+
|Revision 1.0|2003-30-Sept|Initial public |
|            |            |release.       |
+------------------------------------------+

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's worldwide
website at http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

----------------------------------------------------------------------

This notice is Copyright 2003 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, and include
all date and version information.
----------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Comment: PGP Signed by Sharad Ahlawat, Cisco Systems PSIRT

iD8DBQE/eh/gezGozzK2tZARArgyAJ47Zi6PHDJyUAd/Rp9BST6tInms2QCgzqfm
UXU8aYYmLl11Kqf31glvytQ=
=rv61
-----END PGP SIGNATURE-----


From bugtraq at gs2.com.br Wed Oct 1 02:12:46 2003
From: bugtraq at gs2.com.br (Fabio Gomes de Souza)
Date: Tue, 30 Sep 2003 22:12:46 -0300
Subject: [Full-Disclosure] Strange behavior in Windows 98 and 2000
Message-ID: <3F7A2A0E.6080804@gs2.com.br>

Hi,

Some of the Windows 98 and 2000 boxes of my customers are suddenly losing
their TCP/IP functionality. After a reboot, they become normal again for
some time until the TCP/IP stack gets crazy again.

- After the craziness takes place, Win2K is still able to reach the local
  network, but it won't cross any router.
- Windows 98 does not even reach the local net.
- Both systems are able to ping the local net and the outside.
- Current TCP connections still work, but you cannot establish new ones.
- Both systems are behind linux NAT firewalls.

Weird. Are you guys noting the same behaviour?

I'm scared. :D

Fabio Gomes de Souza


From m0nk3y at excelex.no-ip.com Wed Oct 1 07:11:51 2003
From: m0nk3y at excelex.no-ip.com (t3h m0nk3y)
Date: 01 Oct 2003 02:11:51 -0400
Subject: [Full-Disclosure] Re: Welcome to the "Full-Disclosure" mailing list
In-Reply-To: <20031001012503.13725.31264.Mailman@NETSYS.COM>
References: <20031001012503.13725.31264.Mailman@NETSYS.COM>
Message-ID: <1064988711.188.7.camel@anubis.blackhat.ca>

We did report this abuse to our isp at rolex.de.

On Tue, 2003-09-30 at 21:25, full-disclosure-request at lists.netsys.com wrote:
> Welcome to the Full-Disclosure at lists.netsys.com mailing list! For
> guidelines that govern the use of this list, please see the charter at
> http://lists.netsys.com/full-disclosure-charter.html
>
> We hope that you abide by these guidelines. While the list isn't
> moderated, we reserve the right to remove and block anyone who is
> disruptive or doesn't follow the above guidelines.
>
> Please use this list as the valuable resource we intend it to be.
>
>
>
>
>
> To post to this list, send your email to:
>
> full-disclosure at lists.netsys.com
>
> General information about the mailing list is at:
>
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>
> If you ever want to unsubscribe or change your options (eg, switch to
> or from digest mode, change your password, etc.), visit your
> subscription page at:
>
> http://lists.netsys.com/mailman/options/full-disclosure/m0nk3y%40excelex.no-ip.com
>
>
> You can also make such adjustments via email by sending a message to:
>
> Full-Disclosure-request at lists.netsys.com
>
> with the word `help' in the subject or body (don't include the
> quotes), and you will get back a message with instructions.
>
> You must know your password to change your options (including changing
> the password, itself) or to unsubscribe. It is:
>
> w00tw00t
>
> If you forget your password, don't worry, you will receive a monthly
> reminder telling you what all your lists.netsys.com mailing list
> passwords are, and how to unsubscribe or change your options. There
> is also a button on your options page that will email your current
> password to you.
>
> You may also have your password mailed to you automatically off of the
> Web page noted above.
--
I. 4ny 0f v4r10us 4nd l0000ng-t41l3d, 3xtr4-m3d1um-s1z3d m3mb3rs 0f th3 0rd3r 0f t3h pr1m4t3s.. y3h 4nd 1nclud1n t3h 4ntr0p01d 4p3s (th1nk 1s 4 m4k4k) 4nd t3h pr0s1m14nz (fuk 3m).
II. 0n3 d4t b3h4v3 1n 4 w4y sugg4st1v3 0f 4 m0nk3y, 4s 4 m1schstuF ch1ld 0r!.. 4 m1m1c. (wtf?)
III. t4h 1r0n bl0k 0f 4 p1l3 dr1v3r (d4z m3)
IV. sl4ng.
V. sl4ng. (j00 fuk1n b14tch!)
From security at linux-mandrake.com Wed Oct 1 06:16:36 2003
From: security at linux-mandrake.com (Mandrake Linux Security Team)
Date: 1 Oct 2003 05:16:36 -0000
Subject: [Full-Disclosure] MDKSA-2003:098 - Updated openssl packages fix vulnerabilities
Message-ID: <20031001051636.4850.qmail@updates.mandrakesoft.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

                Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name:           openssl
Advisory ID:            MDKSA-2003:098
Date:                   September 30th, 2003

Affected versions:      8.2, 9.0, 9.1, 9.2, Corporate Server 2.1,
                        Multi Network Firewall 8.2
________________________________________________________________________

Problem Description:

Two bugs were discovered in OpenSSL 0.9.6 and 0.9.7 by NISCC. The parsing
of unusual ASN.1 tag values can cause OpenSSL to crash, which could be
triggered by a remote attacker by sending a carefully-crafted SSL client
certificate to an application. Depending upon the application targeted,
the effects seen will vary; in some cases a DoS (Denial of Service) could
be performed, in others nothing noticeable or adverse may happen. These
two vulnerabilities have been assigned CAN-2003-0543 and CAN-2003-0544.

Additionally, NISCC discovered a third bug in OpenSSL 0.9.7. Certain ASN.1
encodings that are rejected as invalid by the parser can trigger a bug in
deallocation of a structure, leading to a double free. This can be
triggered by a remote attacker by sending a carefully-crafted SSL client
certificate to an application. This vulnerability may be exploitable to
execute arbitrary code. This vulnerability has been assigned
CAN-2003-0545.

The packages provided have been built with patches provided by the OpenSSL
group that resolve these issues.
A number of server applications such as OpenSSH and Apache that make use
of OpenSSL need to be restarted after the update has been applied to
ensure that they are protected from these issues. Users are encouraged to
restart all of these services or reboot their systems.
________________________________________________________________________

References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0545
  http://www.kb.cert.org/vuls/id/255484
  http://www.kb.cert.org/vuls/id/380864
  http://www.kb.cert.org/vuls/id/935264
  http://www.openssl.org/news/secadv_20030930.txt
  http://www.uniras.gov.uk/vuls/2003/006489/tls.htm
  http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm
________________________________________________________________________

Updated Packages:

Corporate Server 2.1:
ec80ef980212f5bf294f147e5bc19f76  corporate/2.1/RPMS/libopenssl0-0.9.6i-1.6.90mdk.i586.rpm
1de4f2038f479b1b779d5b2c9320e8fb  corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.i586.rpm
4946dc25021ef97eb6513f3dd1dd16f6  corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.i586.rpm
3d5e3a05ead47fafa59240be9efc87d2  corporate/2.1/RPMS/openssl-0.9.6i-1.6.90mdk.i586.rpm
6982c0adf01f00ea5d49deb24011c278  corporate/2.1/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm

Corporate Server 2.1/x86_64:
eab60b3828aeec0e2717890e51a90e76  x86_64/corporate/2.1/RPMS/libopenssl0-0.9.6i-1.6.90mdk.x86_64.rpm
19d8a676a11293d8e6acb429bed63a99  x86_64/corporate/2.1/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.x86_64.rpm
5eb3936b8fade73ca1c334d67edad3ae  x86_64/corporate/2.1/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.x86_64.rpm
9df6c6e820719ac33744e1708621bdf3  x86_64/corporate/2.1/RPMS/openssl-0.9.6i-1.6.90mdk.x86_64.rpm
6982c0adf01f00ea5d49deb24011c278  x86_64/corporate/2.1/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm

Mandrake Linux 8.2:
e8d13a3adbd679a0c1cd15dd28eb02f1  8.2/RPMS/libopenssl0-0.9.6i-1.5.82mdk.i586.rpm
4b783a98f4cc48be8a6b680a92f374ce  8.2/RPMS/libopenssl0-devel-0.9.6i-1.5.82mdk.i586.rpm
0481e5edacc8985d7255266fd136ceba  8.2/RPMS/libopenssl0-static-devel-0.9.6i-1.5.82mdk.i586.rpm
93a47ac82a618905c7d4a6e0d276c586  8.2/RPMS/openssl-0.9.6i-1.5.82mdk.i586.rpm
15b7ba1d342ae3531964e60a186874d8  8.2/SRPMS/openssl-0.9.6i-1.5.82mdk.src.rpm

Mandrake Linux 9.0:
ec80ef980212f5bf294f147e5bc19f76  9.0/RPMS/libopenssl0-0.9.6i-1.6.90mdk.i586.rpm
1de4f2038f479b1b779d5b2c9320e8fb  9.0/RPMS/libopenssl0-devel-0.9.6i-1.6.90mdk.i586.rpm
4946dc25021ef97eb6513f3dd1dd16f6  9.0/RPMS/libopenssl0-static-devel-0.9.6i-1.6.90mdk.i586.rpm
3d5e3a05ead47fafa59240be9efc87d2  9.0/RPMS/openssl-0.9.6i-1.6.90mdk.i586.rpm
6982c0adf01f00ea5d49deb24011c278  9.0/SRPMS/openssl-0.9.6i-1.6.90mdk.src.rpm

Mandrake Linux 9.1:
42365cfe8a9214a747bd1fa6329baec8  9.1/RPMS/libopenssl0-0.9.6i-1.2.91mdk.i586.rpm
a3a5046af719b864a337ce432e694a8b  9.1/RPMS/libopenssl0.9.7-0.9.7a-1.2.91mdk.i586.rpm
2e879f9d5349458c5653e97f20cf2218  9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.2.91mdk.i586.rpm
cf9bc9fc1cce8841d3cdb1d9fcd8b313  9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.2.91mdk.i586.rpm
b475cc257c14dbaccd9007afa14096f5  9.1/RPMS/openssl-0.9.7a-1.2.91mdk.i586.rpm
329bd3dd8cdfad6d445b4fbcc953dc91  9.1/SRPMS/openssl-0.9.7a-1.2.91mdk.src.rpm
9498e31ab37a4455f31827ce51afb221  9.1/SRPMS/openssl0.9.6-0.9.6i-1.2.91mdk.src.rpm

Mandrake Linux 9.1/PPC:
915f8ab4ea91e0d876c9204b1f3699b0  ppc/9.1/RPMS/libopenssl0-0.9.6i-1.2.91mdk.ppc.rpm
fafb4ac4c88c321d3c8fb7fdba54bac4  ppc/9.1/RPMS/libopenssl0.9.7-0.9.7a-1.2.91mdk.ppc.rpm
184be4bdf922fbc28b590a71b7cf8c10  ppc/9.1/RPMS/libopenssl0.9.7-devel-0.9.7a-1.2.91mdk.ppc.rpm
09e1bd3c05323d10d8002a44dbbc85dd  ppc/9.1/RPMS/libopenssl0.9.7-static-devel-0.9.7a-1.2.91mdk.ppc.rpm
cfbcacc68e2585a5fcbbeb8c9fc3b0d7  ppc/9.1/RPMS/openssl-0.9.7a-1.2.91mdk.ppc.rpm
329bd3dd8cdfad6d445b4fbcc953dc91  ppc/9.1/SRPMS/openssl-0.9.7a-1.2.91mdk.src.rpm
9498e31ab37a4455f31827ce51afb221  ppc/9.1/SRPMS/openssl0.9.6-0.9.6i-1.2.91mdk.src.rpm

Mandrake Linux 9.2:
db717c9a2e8f98905290d341e799c7b2  9.2/RPMS/libopenssl0.9.7-0.9.7b-4.1.92mdk.i586.rpm
76ba7c153a75c5dcfeae9f9f16f001e4  9.2/RPMS/libopenssl0.9.7-devel-0.9.7b-4.1.92mdk.i586.rpm
7655e50f898e4e4d368cd8e47d38806d  9.2/RPMS/libopenssl0.9.7-static-devel-0.9.7b-4.1.92mdk.i586.rpm
3f846e75cfdbdd9e818376474e1e54c0  9.2/RPMS/openssl-0.9.7b-4.1.92mdk.i586.rpm
738181704cb49e34d982a5b4224cc66c  9.2/SRPMS/openssl-0.9.7b-4.1.92mdk.src.rpm

Multi Network Firewall 8.2:
e8d13a3adbd679a0c1cd15dd28eb02f1  mnf8.2/RPMS/libopenssl0-0.9.6i-1.5.82mdk.i586.rpm
93a47ac82a618905c7d4a6e0d276c586  mnf8.2/RPMS/openssl-0.9.6i-1.5.82mdk.i586.rpm
15b7ba1d342ae3531964e60a186874d8  mnf8.2/SRPMS/openssl-0.9.6i-1.5.82mdk.src.rpm
________________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

________________________________________________________________________

To upgrade automatically, use MandrakeUpdate or urpmi. The verification of
md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

All packages are signed by MandrakeSoft for security. You can obtain the
GPG public key of the Mandrake Linux Security Team by executing:

  gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to update.

You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.
Information on these lists can be obtained by visiting:

  http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

Type Bits/KeyID    Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/emMzmqjQ0CJFipgRAgz6AJ9wOxt7lA2wyZ9t4kUlmbIKeLq8pACgq5vV
RvuAK10PkmmQzzXKTz5f6KM=
=SSpZ
-----END PGP SIGNATURE-----


From steve.wray at paradise.net.nz Wed Oct 1 06:27:07 2003
From: steve.wray at paradise.net.nz (Steve Wray)
Date: Wed, 01 Oct 2003 17:27:07 +1200
Subject: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
In-Reply-To: <3F79CB13.9010708@onryou.com>
Message-ID: <000e01c387dc$a8451380$0201a8c0@cyber.god>

Yeah you know, that has always been my theory as to why, in Star Trek (and
others), the control panels on starship bridges sometimes explode with
sparks and smoke for no better reason than that some component on the outer
hull got shot up by the Klingons (or whoever); it's an important feedback
mechanism ensuring that the operator knows that something is very seriously
wrong.

Now if only desktop PCs had such a system...

> From: full-disclosure-admin at lists.netsys.com
> [mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of Cael Abal
[snip]
> I believe I can safely say that easily 75% of my users would
> recognize that their computer needed attention if it started billowing huge
> noxious clouds of black smoke.
>
> Okay, 50% at a minimum.
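The MDKSA-2003:098 advisory earlier in this thread makes two operational points that are easy to get wrong: the downloaded packages must match the md5sums the advisory lists, and every service linked against OpenSSL (OpenSSH, Apache, ...) must be restarted after the update or it keeps running the old library. The script below is an added example written for this archive; it is not part of the Mandrake advisory or of any post here. It verifies an advisory-style "<md5>  <path>" list against files on disk, and then lists processes whose memory maps still reference a replaced (deleted) copy of a library such as libssl, which is the check an administrator runs to find services that were not restarted. The checksum list and package files in the demo are constructed stand-ins, and the /proc scan assumes a Linux system.

```shell
#!/bin/sh
# Added example (not from the MDKSA-2003:098 advisory): verify update packages
# against an advisory's md5sum list, then find processes still using a
# pre-update shared library. Paths and checksums in demo() are constructed.

# Verify each "<md5> <path>" line in list file $1 against files under
# directory $2. Prints one OK/FAILED/MISSING line per entry and returns 0
# only if every listed file is present and matches its checksum.
verify_md5_list() {
    list="$1"; dir="$2"; rc=0
    while read -r want path; do
        [ -n "$want" ] || continue          # skip blank lines
        f="$dir/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        got=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK      $path"
        else
            echo "FAILED  $path (got $got)"; rc=1
        fi
    done < "$list"
    return $rc
}

# List "<pid> <cmdline>" for processes whose maps still reference a deleted
# library matching pattern $1 (e.g. libssl). Such services were not restarted
# after the package update and still execute the old code. Always returns 0;
# maps of other users' processes are unreadable without root and are skipped.
list_stale_lib_users() {
    pattern="$1"
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -q "$pattern.*(deleted)" "$maps" 2>/dev/null; then
            echo "$pid $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
    return 0
}

# Demo on constructed files standing in for RPMs (run: sh script.sh --demo).
# "good.rpm" matches the listed checksum, "bad.rpm" was altered in transit,
# "absent.rpm" was never downloaded.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pkgs/9.2/RPMS"
    printf 'hello\n'    > "$tmp/pkgs/9.2/RPMS/good.rpm"
    printf 'tampered\n' > "$tmp/pkgs/9.2/RPMS/bad.rpm"
    cat > "$tmp/checksums.txt" <<'EOF'
b1946ac92492d2347c6235b4d2611184  9.2/RPMS/good.rpm
b1946ac92492d2347c6235b4d2611184  9.2/RPMS/bad.rpm
b1946ac92492d2347c6235b4d2611184  9.2/RPMS/absent.rpm
EOF
    if verify_md5_list "$tmp/checksums.txt" "$tmp/pkgs"; then
        echo "all packages verified"
    else
        echo "verification failed: do not install"
    fi
    echo "processes still mapping a replaced libssl (empty = none):"
    list_stale_lib_users 'libssl'
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The checksum comparison deliberately fails closed: one missing or mismatched file makes the whole run return non-zero, so a wrapper that installs only on success cannot be tricked by a partially good download. The `(deleted)` marker in `/proc/PID/maps` is what the kernel shows once the package manager has replaced the library file on disk while a process still has the old inode mapped.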
From krahmer at suse.de Wed Oct 1 10:46:01 2003
From: krahmer at suse.de (Sebastian Krahmer)
Date: Wed, 1 Oct 2003 11:46:01 +0200 (CEST)
Subject: [Full-Disclosure] SuSE Security Announcement: lsh (SuSE-SA:2003:041)
Message-ID: <20031001094601.BF9F61495E@wotan.suse.de>

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package:                lsh
        Announcement-ID:        SuSE-SA:2003:041
        Date:                   Wed Oct  1 10:24:45 CEST 2003
        Affected products:      8.0, 8.1, 8.2
        Vulnerability Type:     remote code execution
        Severity (1-10):        5
        SuSE default package:   yes
        Cross References:       -

    Content of this advisory:
        1) security vulnerability resolved: Buffer overflow in lsh.
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds:
            - node
            - proftp
            - OpenSSL
        3) standard appendix (further information)

______________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information

    LSH is the GNU implementation of SSH and can be seen as an alternative
    to OpenSSH.
    Recently various remotely exploitable buffer overflows have been
    reported in LSH. These allow attackers to execute arbitrary code as
    root on un-patched systems.
    LSH is not installed by default on SuSE Linux. An update is therefore
    only recommended if you run LSH. Maintained SuSE products are not
    affected by this bug as LSH is not packaged on maintained products
    such as the Enterprise Server.

    For the updates to take effect execute the following command as root:

        /usr/sbin/rclshd restart

    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command "rpm -Fhv file.rpm" to apply
    the update.
    Our maintenance customers are being notified individually. The packages
    are being offered to install from the maintenance web.
    i386 Intel Platform:

    SuSE-8.2:
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/lsh-1.5-114.i586.rpm
      798f52402cda6c7e1733aed15bf0d9cb
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/lsh-1.5-114.i586.patch.rpm
      9308cdb133d2311a9dc4a10bbf613501
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/lsh-1.5-114.src.rpm
      1e1b5beac002cf51d1eea0277934a69d

    SuSE-8.1:
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/lsh-1.4.2-73.i586.rpm
      b5ff8ba104623fe9a77705154aad92f7
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/lsh-1.4.2-73.i586.patch.rpm
      6341acd3fe513921b7123d7c1d98cc43
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/lsh-1.4.2-73.src.rpm
      0a2b95e911f8760009ad0d5b2fd7618e

    SuSE-8.0:
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec3/lsh-1.3.5-188.i386.rpm
      bccfd85985bab8a324b25c1b2443bf2b
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec3/lsh-1.3.5-188.i386.patch.rpm
      8a232720cb0a4b35d0899e9c6a4e80ae
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/lsh-1.3.5-188.src.rpm
      8e3e30b134b12400559152bb5c53d0f8

______________________________________________________________________________

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

    - node
      A format string vulnerability has been fixed in the new node packages
      available on our ftp servers. An update is recommended if you use
      this package.

    - proftp
      An off-by-one buffer overflow has been fixed in the proftp packages
      for SuSE Linux 7.2 and 7.3. Note that the bug that was fixed is
      different from the 'ASCII File Transfer Buffer Overrun Vulnerability'
      (CAN-2003-0831). The proftp packages shipped by SuSE are not affected
      by CAN-2003-0831.

    - OpenSSL
      Critical bugs within the ASN.1 parsing routines have been reported
      recently. We are currently building new packages and will notify you
      in a separate advisory when the packages are available.
______________________________________________________________________________

3)  standard appendix: authenticity verification, additional information

  - Package authenticity verification:

    SuSE update packages are available on many mirror ftp servers all over
    the world. While this service is being considered valuable and important
    to the free and open source software community, many users wish to be
    sure about the origin of the package and its content before installing
    the package. There are two verification methods that can be used
    independently from each other to prove the authenticity of a downloaded
    file or rpm package:
    1) md5sums as provided in the (cryptographically signed) announcement.
    2) using the internal gpg signatures of the rpm package.

    1) execute the command
        md5sum
       after you downloaded the file from a SuSE ftp server or its mirrors.
       Then, compare the resulting md5sum with the one that is listed in the
       announcement. Since the announcement containing the checksums is
       cryptographically signed (usually using the key security at suse.de),
       the checksums show proof of the authenticity of the package.
       We recommend against subscribing to security lists which cause the
       email message containing the announcement to be modified so that
       the signature does not match after transport through the mailing
       list software.
       Downsides: You must be able to verify the authenticity of the
       announcement in the first place. If RPM packages are being rebuilt
       and a new version of a package is published on the ftp server, all
       md5 sums for the files are useless.

    2) rpm package signatures provide an easy way to verify the authenticity
       of an rpm package. Use the command
        rpm -v --checksig
       to verify the signature of the package, where is the filename of the
       rpm package that you have downloaded. Of course, package authenticity
       verification can only target an un-installed rpm package file.
       Prerequisites:
        a) gpg is installed
        b) The package is signed using a certain key. The public part of
           this key must be installed by the gpg program in the directory
           ~/.gnupg/ under the user's home directory who performs the
           signature verification (usually root). You can import the key
           that is used by SuSE in rpm packages for SuSE Linux by saving
           this announcement to a file ("announcement.txt") and running the
           command (do "su -" to be root):
            gpg --batch; gpg < announcement.txt | gpg --import
           SuSE Linux distributions version 7.1 and thereafter install the
           key "build at suse.de" upon installation or upgrade, provided
           that the package gpg is installed. The file containing the
           public key is placed at the top-level directory of the first CD
           (pubring.gpg) and at
           ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .

  - SuSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security at suse.com
        - general/linux/SuSE security discussion.
          All SuSE security announcements are sent to this list.
          To subscribe, send an email to .

    suse-security-announce at suse.com
        - SuSE's announce-only mailing list.
          Only SuSE's security announcements are sent to this list.
          To subscribe, send an email to .

    For general information or the frequently asked questions (faq)
    send mail to:
         or
         respectively.

    =====================================================================
    SuSE's security contact is  or .
    The  public key is listed below.
    =====================================================================
______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way. In particular,
    it is desired that the clear-text signature shows proof of the
    authenticity of the text.
    SuSE Linux AG makes no warranties of any kind whatsoever with respect
    to the information contained in this security advisory.
    Type Bits/KeyID    Date       User ID
    pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team
    pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key
From debian-security-announce at lists.debian.org Wed Oct 1 11:43:17 2003
From: debian-security-announce at lists.debian.org (debian-security-announce at lists.debian.org)
Date: Wed, 01 Oct 2003 12:43:17 +0200
Subject: [Full-Disclosure] [SECURITY] [DSA-393-1] New OpenSSL packages correct denial of service issues
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

- --------------------------------------------------------------------------
Debian Security Advisory DSA 393-1                     security at debian.org
http://www.debian.org/security/                              Michael Stone
October 1, 2003                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : openssl
Vulnerability  : denial of service
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2003-0543 CAN-2003-0544

Dr. Stephen Henson (steve at openssl.org), using a test suite provided by
NISCC (www.niscc.gov.uk), discovered a number of errors in the OpenSSL ASN1
code. Combined with an error that causes the OpenSSL code to parse client
certificates even when it should not, these errors can cause a denial of
service (DoS) condition on a system using the OpenSSL code, depending on
how that code is used.
For example, even though apache-ssl and ssh link to OpenSSL libraries, they
should not be affected by this vulnerability. However, other SSL-enabled
applications may be vulnerable and an OpenSSL upgrade is recommended.

For the current stable distribution (woody) these problems have been fixed
in version 0.9.6c-2.woody.4

For the unstable distribution (sid) these problems have been fixed in
version 0.9.7c-1

We recommend that you update your openssl package. Note that you will need
to restart services which use the libssl library for this update to take
effect.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------
These files will probably be moved into the stable distribution on
its next revision.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

From krahmer at suse.de Wed Oct 1 12:53:29 2003
From: krahmer at suse.de (Sebastian Krahmer)
Date: Wed, 1 Oct 2003 13:53:29 +0200 (CEST)
Subject: [Full-Disclosure] SuSE Security Announcement: mysql (SuSE-SA:2003:042)
Message-ID: <20031001115329.EBF7C14961@wotan.suse.de>

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package:                mysql
        Announcement-ID:        SuSE-SA:2003:042
        Date:                   Wed Oct  1 12:12:38 CEST 2003
        Affected products:      7.2, 7.3, 8.0, 8.1, 8.2
                                SuSE Linux Connectivity Server
                                SuSE Linux Enterprise Server 7, 8
                                SuSE Linux Office Server
                                UnitedLinux 1.0
        Vulnerability Type:     remote code execution
        Severity (1-10):        5
        SuSE default package:   no
        Cross References:       -

    Content of this advisory:
        1) security vulnerability resolved: Buffer overflow in mysql.
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds:
            - OpenSSL
        3) standard appendix (further information)

______________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information

    A remotely exploitable buffer overflow within the authentication code
    of MySQL has been reported.
    This allows remote attackers who have access to the 'User' table to
    execute arbitrary commands as mysql user.

    The list of affected packages is as follows: mysql, mysql-client,
    mysql-shared, mysql-bench, mysql-devel, mysql-Max. In this advisory
    the MD5 sums for the mysql, mysql-shared and mysql-devel packages are
    listed.

    To be sure the update takes effect you have to restart the MySQL server
    by executing the following command as root:

      /usr/sbin/rcmysql restart

    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command "rpm -Fhv file.rpm" to apply
    the update.
    Our maintenance customers are being notified individually. The packages
    are being offered to install from the maintenance web.
______________________________________________________________________________

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

    - OpenSSL
      Critical bugs within the ASN.1 parsing routines have been reported
      recently. We are currently building new packages and will notify you
      in a separate advisory when the packages are available.
From security-announce at turbolinux.co.jp Wed Oct 1 11:35:31 2003
From: security-announce at turbolinux.co.jp (Turbolinux)
Date: Wed, 1 Oct 2003 19:35:31 +0900
Subject: [Full-Disclosure] [TURBOLINUX SECURITY INFO] 01/Oct/2003
Message-ID: <200310011935.41699.security-announce@turbolinux.co.jp>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an announcement only email list for the x86 architecture.

============================================================
Turbolinux Security Announcement 01/Oct/2003
============================================================

The following page contains the security information of Turbolinux Inc.

- Turbolinux Security Center
  http://www.turbolinux.com/security/

(1) openssl -> DoS vulnerability in openssl

===========================================================
* openssl -> DoS vulnerability in openssl
===========================================================

More information :

  The OpenSSL Project is a collaborative effort to develop a robust,
  commercial-grade, full-featured, and Open Source toolkit implementing the
  Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
  protocols as well as a full-strength general purpose cryptography library.
  Unusual ASN.1 tag values can cause an out of bounds read under certain
  circumstances, resulting in a denial of service vulnerability.

Impact :

  The vulnerability allows an attacker to cause a denial of service of
  openssl.

Affected Products :

  - Turbolinux 8 Server
  - Turbolinux 8 Workstation
  - Turbolinux 7 Server
  - Turbolinux 7 Workstation
  - Turbolinux Server 6.5
  - Turbolinux Advanced Server 6
  - Turbolinux Server 6.1
  - Turbolinux Workstation 6.0

Solution :

  Please use turbopkg(zabom) tool to apply the update.
  ---------------------------------------------
  # turbopkg
  or
  # zabom update openssl openssl-devel
  ---------------------------------------------
57efa60311c81b5af0f3721e08bf05ef ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/openssl-devel-0.9.6k-2.i586.rpm 1138724 b7a90942f1e81066443d94e921476f21 Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/openssl-0.9.6k-2.src.rpm 2263218 4df3af6b3df204ff0fae655646cec9ae Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/openssl-0.9.6k-2.i586.rpm 1335646 e76c5ddc5ff49b3ffeaf704179bb1cf1 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/openssl-devel-0.9.6k-2.i586.rpm 1139634 702820b81eface29fdc6e7a8092674bc Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/SRPMS/openssl-0.9.6k-2.src.rpm 2263218 5f069ba70311d673515b6cc572748e3b Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/openssl-0.9.6k-2.i386.rpm 1466551 612a0925a8b7e276fb4ee2e867f86f61 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/openssl-devel-0.9.6k-2.i386.rpm 1273363 d466f3b0414335a8fde5243e714fc26b Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/SRPMS/openssl-0.9.6k-2.src.rpm 2263218 1ffa548a309f2da23f917e0d103d55e3 Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/openssl-0.9.6k-2.i386.rpm 1466406 96f2960852682c5e42d14ac7d30d2647 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/openssl-devel-0.9.6k-2.i386.rpm 1273378 a32d760d95ceaeaf5167ee01d7c99772 Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/SRPMS/openssl-0.9.6k-2.src.rpm 2263218 3fdbc119547bc30c5e1af46392ca7afb Binary Packages Size : MD5 
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/openssl-0.9.6k-2.i386.rpm 1466596 6d44f572db79d5535b79411009f2ab02 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/openssl-devel-0.9.6k-2.i386.rpm 1273288 ed611659b314586557906d8399eab7a2 Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/openssl-0.9.6k-2.src.rpm 2263218 863c8205dfe5f817078f8a7406560130 Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/openssl-0.9.6k-2.i386.rpm 1466434 50bf1498d8c232928685b49c22ca9e98 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/openssl-devel-0.9.6k-2.i386.rpm 1273442 067ac26f535ffe4c60948443347a13db References : OepnSSL org [OpenSSL Security Advisory [30 September 2003]] http://www.openssl.org/news/secadv_20030930.txt CVE [CAN-2003-0543] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0543 [CAN-2003-0544] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0544 Turbolinux Security Advisory [TLSA-2003-22] http://www.turbolinux.com/security/TLSA-2003-22.txt -------------------------------------------------------------------------- Revision History 01 Oct 2003 Initial release -------------------------------------------------------------------------- * You may need to update the turbopkg tool before applying the update. Please refer to the following URL for detailed information. 
  http://www.turbolinux.com/download/zabom.html
  http://www.turbolinux.com/download/zabomupdate.html

  Package Update Path
  http://www.turbolinux.com/update

============================================================
* To obtain the public key

  Here is the public key
  http://www.turbolinux.com/security/

* To unsubscribe from the list

  If you ever want to remove yourself from this mailing list, you can
  send a message to with the word `unsubscribe' in the body (don't
  include the quotes).

  unsubscribe

* To change your email address

  If you ever want to change your email address in this mailing list,
  you can send a message to with the following command in the message
  body:

  chaddr 'old address' 'new address'

  If you have any questions or problems, please contact

  Thank you!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/eq32K0LzjOqIJMwRAgWfAJ9qaZXGF6svuHn2jm7jG9L+AMJC3QCgt9Zk
NVDA46RnVaowRJsUbcM3+tg=
=Ofy/
-----END PGP SIGNATURE-----

From capegeo at opengroup.org Wed Oct 1 13:01:43 2003
From: capegeo at opengroup.org (George Capehart)
Date: Wed, 01 Oct 2003 08:01:43 -0400
Subject: [Full-Disclosure] Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly)
In-Reply-To: <20030929155417.F071238108@mail.secnap.net>
References: <20030929155417.F071238108@mail.secnap.net>
Message-ID: <3F7AC227.9050900@opengroup.org>

Michael Scheidell wrote:

>> Would that that would really help. I guess maybe in the
>> long run it might, but I'm not holding my breath. There's still the
>> small matter of connecting cause with effect and then implementing a
>> program that will function appropriately at all levels of the
>
>
> Just did a presentation to a bunch of AeA CFO's (AeA is American
> Electronics Association) where the first slide I gave them a piece of
> paper that has to go with their 10K reports and said:
>
> Ok, as the CFO of a public company, would you sign this:
> (a bunch of legal gook I got from our SEC lawyer).
>
> Went through a high(board level) presentation with lots of pretty color
> pictures, talked about jail time and fines and informed them that the
> CFO is the one who will sign it..
> then when done, said 'ok, NOW who will sign this. You KNOW for a FACT
> that your IT department has taken care of this, right? you don't need an
> outside/third party audit to make sure the IT or internal security guys
> did their job, right?
>
> NO ONE. wanted to sign it then.

Heh. That's great. Wish I could have been there to see that. Sounds like
you really got their attention. But this brings me back to the original
concern: It's one thing to realize that you have a problem. It's
something else to fix it. And my experience has been that the people who
have the problem don't have a clue how to fix it.

Clueful organizations have a strong Information Security/Assurance
*program* in place. CFOs of those organizations *will* sign the document
because there *is* a formal risk management process in place which
includes some kind of certification and accreditation process. They are
*very* likely to be the approving authority on some of the systems. They
are also part of the governance process.

If there is no Information Security / Assurance *program*, there is a
huge problem. This is the one I continue to encounter: When an external
audit/assessment shows many deficiencies, the response of the clueless
organization is to: a) (try to) patch the holes, and b) maybe offer up a
sacrificial lamb. However, the _root_cause_ of the existence of the
problems in the first place is the absence of a real program. In the
absence of a program, even if the holes are patched, within a year they
will return or be replaced by others. So the *real* solution to the
problem is to patch the holes *and* the organization . . . by
implementing an effective program.

One would hope that, having had their attention focused on the existence
of symptoms, the CFOs will conclude that their organization is sick.
Some will.
Some won't. Of those that will, how many will know what "the cure" is,
or how to go about getting it? *This* has been my frustration: having
enough time with the right people to educate them on what the options
are and what the solution is . . .

Cheers,

George Capehart
-- 
George W. Capehart

"We did a risk management review. We concluded that there was no risk
of any management." -- Dilbert

From lists at onryou.com Wed Oct 1 13:44:35 2003
From: lists at onryou.com (Cael Abal)
Date: Wed, 01 Oct 2003 08:44:35 -0400
Subject: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
In-Reply-To: <000e01c387dc$a8451380$0201a8c0@cyber.god>
References: <000e01c387dc$a8451380$0201a8c0@cyber.god>
Message-ID: <3F7ACC33.9040407@onryou.com>

> Yeah you know, that has always been my theory as to why,
> in Star Trek (and others), the control panels on starship
> bridges sometimes explode with sparks and smoke for no better reason
> than that some component on the outer hull got shot up by the
> Klingons (or whoever); it's an important feedback
> mechanism ensuring that the operator knows that something
> is very seriously wrong.
>
> Now if only desktop PCs had such a system...

Hi Steve,

You know, now that you mention it that makes perfect sense. Although,
keep in mind we're talking about MS machines here -- these machines
will need to be capable of emitting a shower of sparks and smoke
virtually non-stop.

Hmm. Actually, I think it might be fun to construct a spring-loaded
BANG! type flag, triggered every time Dr. Watson or the current
equivalent is executed.
take care,

C

From sintraq at sintelli.com Wed Oct 1 13:45:34 2003
From: sintraq at sintelli.com (Sintelli )
Date: Wed, 1 Oct 2003 13:45:34 +0100
Subject: [Full-Disclosure] Security Vulnerabilities - Week 39, 2003
Message-ID: <003401c38819$e87f4280$0400a8c0@x2>

A summary of all vulnerabilities published in Week 39, 2003 is
available at:

http://www.sintelli.com/sinweek/week39-2003.pdf

Regards

Sintelli
www.sintelli.com

From mike at sane.com Wed Oct 1 14:00:30 2003
From: mike at sane.com (Michael Smith)
Date: Wed, 1 Oct 2003 09:00:30 -0400
Subject: [Full-Disclosure] Re: Prudent default security
In-Reply-To: <001701c3878f$b6b1bb00$0201a8c0@cyber.god>
Message-ID: <002e01c3881b$fdf4a8b0$0b01a8c0@sane.com>

Steve, it would be a very boring mailing list if only the people who
know everything (Paul, apparently) posted to it.

I'm expecting that bulk admin tools for windows systems will mature
greatly over the next year or so. Hopefully MS will continue to work on
the path they have set rather than reinventing the wheel and making all
current system and network administration policies and tools obsolete.

>Sigh, you are right.
>On the one hand, as a Linux geek from way back,
>I have a small sense of pride in my lack of MS knowledge.
>But I use MS; XP is a great desktop, Outlook is a great
>mail client (I also use a Linux desktop and kmail is a great
>mail client).
>
>So, on the other hand, I know that there are a lot of
>*nix people out there who endlessly bash MS without
>any knowledge of that which they curse. I don't want to
>be one of those.
>
>When the ignorant ask honest questions, don't
>get abusive, just answer them... Please?
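The OpenSSL advisories relayed on this page (the Turbolinux notice above, and the Gentoo and SuSE announcements that follow it) all trace back to the same root cause: an ASN.1 decoder that trusted tag and length fields and read past its input on unusual values. What a defender wants to see is what a decoder that does not trust those fields looks like. The block below is an added example, written for this page; it is not code from OpenSSL, Turbolinux, Gentoo or SuSE. It is a minimal DER walker that validates every identifier octet, length octet and nesting level before touching the bytes they describe, so malformed input ends in a `DERError` rather than an out-of-bounds read. The limits `MAX_DEPTH`, `MAX_TAG_BYTES` and `MAX_LEN_BYTES`, the helper `nest_sequence`, and the sample encodings are assumptions made for the demonstration.

```python
"""Bounds-checked DER (ASN.1) parser: an added illustration, not OpenSSL code.

Every tag, length and nesting level is validated before any value byte is
read, so malformed input raises DERError instead of reading past the buffer.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_DEPTH = 32        # assumed limit on nesting of constructed types
MAX_TAG_BYTES = 5     # assumed limit on high-tag-number continuation octets
MAX_LEN_BYTES = 4     # lengths wider than 32 bits are refused


class DERError(ValueError):
    """Raised for any malformed encoding; the parser never reads past buf."""


@dataclass
class TLV:
    tag_class: int          # 0 universal, 1 application, 2 context, 3 private
    constructed: bool
    tag_number: int
    value: bytes
    children: List["TLV"] = field(default_factory=list)


def _read_tag(buf: bytes, pos: int) -> Tuple[int, bool, int, int]:
    """Decode identifier octets at pos; return (class, constructed, number, new_pos)."""
    if pos >= len(buf):
        raise DERError("truncated tag")
    first = buf[pos]
    pos += 1
    tag_class = first >> 6
    constructed = bool(first & 0x20)
    number = first & 0x1F
    if number == 0x1F:                       # high-tag-number form, base-128 octets
        number = 0
        for _ in range(MAX_TAG_BYTES):
            if pos >= len(buf):
                raise DERError("truncated high tag number")
            b = buf[pos]
            pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
        else:
            raise DERError("tag number exceeds MAX_TAG_BYTES")
        if number < 0x1F:
            raise DERError("non-minimal high tag number")
    return tag_class, constructed, number, pos


def _read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode length octets at pos; return (length, new_pos)."""
    if pos >= len(buf):
        raise DERError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                         # short form
        return first, pos
    n = first & 0x7F
    if n == 0:
        raise DERError("indefinite length is not DER")
    if n > MAX_LEN_BYTES:
        raise DERError("length field too wide")
    if pos + n > len(buf):
        raise DERError("truncated length octets")
    length = int.from_bytes(buf[pos:pos + n], "big")
    pos += n
    # DER demands the shortest encoding: long form only for >= 0x80, no leading zeros.
    if length < 0x80 or length < (1 << (8 * (n - 1))):
        raise DERError("non-minimal length encoding")
    return length, pos


def parse_der(buf: bytes, depth: int = 0) -> List[TLV]:
    """Parse consecutive DER TLVs in buf, recursing into constructed values."""
    if depth > MAX_DEPTH:
        raise DERError("nesting deeper than MAX_DEPTH")
    items: List[TLV] = []
    pos = 0
    while pos < len(buf):
        tag_class, constructed, number, pos = _read_tag(buf, pos)
        length, pos = _read_length(buf, pos)
        if length > len(buf) - pos:          # the check that keeps every read in bounds
            raise DERError(f"length {length} exceeds {len(buf) - pos} remaining bytes")
        value = buf[pos:pos + length]
        pos += length
        children = parse_der(value, depth + 1) if constructed else []
        items.append(TLV(tag_class, constructed, number, value, children))
    return items


def check_der(buf: bytes) -> Optional[str]:
    """Return None if buf is well-formed DER, otherwise the parser's error message."""
    try:
        parse_der(buf)
        return None
    except DERError as exc:
        return str(exc)


def nest_sequence(inner: bytes, levels: int) -> bytes:
    """Sample builder (assumed helper): wrap inner in `levels` SEQUENCEs, short-form lengths only."""
    for _ in range(levels):
        if len(inner) >= 0x80:
            raise ValueError("builder supports short-form lengths only")
        inner = b"\x30" + bytes([len(inner)]) + inner
    return inner


if __name__ == "__main__":
    # Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "hi" }
    print(parse_der(bytes.fromhex("300702010504026869")))
    # Constructed malformed sample: SEQUENCE claiming 16 bytes but carrying 3
    print(check_der(bytes.fromhex("3010020105")))
```

`check_der` is the function a server-side wrapper would call on anything received from a peer before handing it to richer decoding; note that it rejects the input rather than trying to repair it, and that it is the `length > len(buf) - pos` comparison, performed before the slice, that stands in for the bound the advisories say was missing.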
From aliz at gentoo.org Wed Oct 1 15:48:38 2003
From: aliz at gentoo.org (Daniel Ahlberg)
Date: Wed, 1 Oct 2003 16:48:38 +0200 (CEST)
Subject: [Full-Disclosure] GLSA: openssl (200309-19)
Message-ID: <20031001144838.EF7BD9FF2A@noc.internal.fairytale.se>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-19
- - - ---------------------------------------------------------------------

          PACKAGE : openssl
          SUMMARY : vulnerabilities in ASN.1 parsing
             DATE : 2003-10-01 14:48 UTC
          EXPLOIT : remote
    GENTOO BUG # : 30001
              CVE : CAN-2003-0545 CAN-2003-0543 CAN-2003-0544

- - - ---------------------------------------------------------------------

DESCRIPTION

quote from OpenSSL advisory:

"1. Certain ASN.1 encodings that are rejected as invalid by the parser
can trigger a bug in the deallocation of the corresponding data
structure, corrupting the stack. This can be used as a denial of service
attack. It is currently unknown whether this can be exploited to run
malicious code. This issue does not affect OpenSSL 0.9.6.

2. Unusual ASN.1 tag values can cause an out of bounds read under
certain circumstances, resulting in a denial of service vulnerability.

3. A malformed public key in a certificate will crash the verify code if
it is set to ignore public key decoding errors. Public key decode errors
are not normally ignored, except for debugging purposes, so this is
unlikely to affect production code. Exploitation of an affected
application would result in a denial of service vulnerability.

4. Due to an error in the SSL/TLS protocol handling, a server will parse
a client certificate when one is not specifically requested.
This by itself is not strictly speaking a vulnerability but it does mean
that *all* SSL/TLS servers that use OpenSSL can be attacked using
vulnerabilities 1, 2 and 3 even if they don't enable client
authentication."

read the full advisory at http://www.openssl.org/news/secadv_20030930.txt

SOLUTION

it is recommended that all Gentoo Linux users who are running
dev-libs/openssl upgrade to a fixed version. make sure that the version
to be installed is at least 0.9.6k (stable) or 0.9.7c (masked).

emerge sync
emerge openssl -p
emerge openssl
emerge clean

- - - ---------------------------------------------------------------------
aliz at gentoo.org - GnuPG key is available at http://dev.gentoo.org/~aliz
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/eulGfT7nyhUpoZMRAqomAJ4uTF38SWWVKdh8khE8loCUuVmoawCeMRrM
i2jV0nCkowHud00KH4Eykq8=
=zPT1
-----END PGP SIGNATURE-----

From dhtml at hush.com Wed Oct 1 15:54:12 2003
From: dhtml at hush.com (dhtml at hush.com)
Date: Wed, 1 Oct 2003 07:54:12 -0700
Subject: [Full-Disclosure] NINCOMPOOPERY OF MICROSOFT
Message-ID: <200310011454.h91EsE3a054357@mailserver2.hushmail.com>

"Hackers are criminals"

Most, he notes, release their malicious code after patches for Microsoft
software have been released, meaning that they are simply reverse
engineering to exploit security weaknesses or holes in software.

- Microsoft CEO Steve Ballmer

'ninkum`poop [n] a stupid foolish person
See Also: simple, simpleton

Microsoft has claimed that the majority of the security bugs reported by
the company's software users have been traced back to the code provided
by the third party software vendors

"Almost 90 per cent of the problems, that are reported by the users as
part of our automated feedback system, come from the code that is not
provided by Microsoft."
- Chief Technology Officer Craig Mundie

http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=15200897
http://www.financialexpress.com/fe_full_story.php?content_id=43039

BG

Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427

From mike at sane.com Wed Oct 1 16:30:02 2003
From: mike at sane.com (Michael Smith)
Date: Wed, 1 Oct 2003 11:30:02 -0400
Subject: [Full-Disclosure] Re: Prudent default security
In-Reply-To: <200310011502.h91F2WcG010830@turing-police.cc.vt.edu>
Message-ID: <000e01c38830$e1acecc0$0b01a8c0@sane.com>

>> I'm expecting that bulk admin tools for windows systems will mature
>> greatly over the next year or so. Hopefully MS will continue to work on
>> the path they have set rather than reinventing the wheel and making all
>> current system and network administration policies and tools obsolete.
>
> Remember - MS is a *corporation*. They have *no* reason to change path,
> unless by doing so they improve *their* bottom line. If they can crush a
> competitor and spur sales with a "new improved" product that changes
> course, they will.
>
> People keep acting like MS has some moral or ethical obligation to their
> customers. They don't. That's why they engage in behavior that outsiders
> find revolting - because said behavior is good for the bottom line.
>
> And the only way to change it is to make the behavior bad for the bottom
> line (either in lost sales when a shop goes Linux, or damages in a
> lawsuit, whatever...)

I agree whole heartedly, MS has no moral or ethical obligation to their
customers (and shouldn't, other than to try to fix flaws in software
they have sold).
I was only pointing out that the upgrade path that has evolved through
their OSes has made it difficult to maintain or improve administration
tools (as a SysAdmin). The tools I developed in the early 90s to help
me administer a WFWG/DOS network differed from the ones I used in 95-00
to administer a Win9x network differed from the ones I use now to admin
a W2k/XP network... while most of the tools I've used to admin the unix
side of those networks are very similar if not the same.

I have absolutely NO problem with MS being engaged in the bottom line.
I am one of the few here (maybe the only one) who doesn't have a major
problem with @stake letting Dan Geer go... The bottom line is that if
he was hurting their business by slamming one of their clients, even if
he was correct (which he was), they *should* have let him go. People
seem to forget that companies exist to make money. If I had an employee
who was working against MY best interests, you can bet he wouldn't last
very long. I think that companies have an obligation to act ethically,
but I also believe that employees have the same obligations.... they
should 'ride for the brand' as it were.

~mike

From jimlane at cs.toronto.edu Wed Oct 1 17:30:30 2003
From: jimlane at cs.toronto.edu (Jim Lane)
Date: Wed, 1 Oct 2003 12:30:30 -0400
Subject: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
In-Reply-To: Message from "Michael Smith" of "Tue, 30 Sep 2003 10:53:46 EDT." <003901c38762$a6aa0190$0b01a8c0@sane.com>
Message-ID: <20031001163031.55DC43D160@winona.cs>

Maybe it takes an "old mainframer" to point this out but it depends on
what kind of functional unit you're talking about. I remember the days
when, from the user's point of view, the computer was a dumb terminal
and all the intelligence (and security risk) was safely off in a locked
room somewhere. We still had security problems back then but they were
a lot easier to deal with.
Yet another case where Bill Bates and his like have a lot to answer for.
Remind me again why client/server was supposed to have been a good idea?

Sigh.

-- 
-- Jim Lane                       Question authority:
Sysadmin, CSLab                   Amateurs built the Ark,
jimlane at cs.toronto.edu         Professionals built the Titanic

> I think the point is that most people expect their cars to be operational
> and do NOT do the maintenance themselves... they DO outsource it to a
> mechanic. The average user has A LOT less control over their car than their
> computer. A car is basically a single function unit, point A to point B.
> Computers never have been nor ever will be that one dimensional. At the
> most, I think we could hope for users who learn to know better than to try
> to do the 'maintenance' on their computers themselves.
>

From thomas at suse.de Wed Oct 1 18:19:52 2003
From: thomas at suse.de (Thomas Biege)
Date: Wed, 1 Oct 2003 19:19:52 +0200 (CEST)
Subject: [Full-Disclosure] SuSE Security Announcement: openssl (SuSE-SA:2003:043)
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package:                openssl
        Announcement-ID:        SuSE-SA:2003:043
        Date:                   Wednesday, Oct 1st 2003 16:12 MET
        Affected products:      7.2, 7.3, 8.0, 8.1, 8.2, 9.0
                                SuSE Linux Database Server,
                                SuSE eMail Server III, 3.1
                                SuSE Linux Enterprise Server 7/8,
                                SuSE Linux Firewall on CD/Admin host
                                SuSE Linux Connectivity Server
                                SuSE Linux Office Server
        Vulnerability Type:     remote denial-of-service
        Severity (1-10):        5
        SuSE default package:   yes
        Cross References:       CAN-2003-0543
                                CAN-2003-0544
                                CAN-2003-0545

    Content of this advisory:
        1) security vulnerability resolved:
             - problems with ASN.1 encoding
             - accepting client certificates even if disabled
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds:
             - whois
             - gdm2
             - postgresql
        3) standard appendix (further information)
______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

    OpenSSL is an implementation of the Secure Socket Layer (SSL v2/3)
    and Transport Layer Security (TLS v1) protocol.

    While checking the openssl implementation with a tool-kit from NISCC
    several errors were revealed; most are ASN.1 encoding issues that
    cause a remote denial-of-service attack on the server side and
    possibly lead to remote command execution.

    There are two problems with ASN.1 encoding that can be triggered
    either by special ASN.1 encodings or by special ASN.1 tags.
    In debugging mode public key decoding errors can be ignored but also
    lead to a crash of the verify code if an invalid public key was
    received from the client.
    A mistake in the SSL/TLS protocol handling will make the server
    accept client certificates even if they are not requested. This bug
    makes it possible to exploit the bugs mentioned above even if client
    authentication is disabled.

    There is no other solution known to this problem than updating to
    the current version from our FTP servers.
    To make this update effective, please restart all servers using
    openssl.

    Please download the update package for your distribution and verify
    its integrity by the methods listed in section 3) of this
    announcement. Then, install the package using the command
    "rpm -Fhv file.rpm" to apply the update.
    Our maintenance customers are being notified individually. The
    packages are being offered to install from the maintenance web.

    Please note that this update includes openssl, openssl-devel and
    openssl-doc.
    openssl:

    Intel i386 Platform:

    SuSE-9.0:
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/openssl-0.9.7b-71.i586.rpm
      88e30d20d288ecffe1e185b6ccc5099e
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/openssl-0.9.7b-71.i586.patch.rpm
      68ffad90868b2107e3d82cc8fc50f6b7
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/openssl-0.9.7b-71.src.rpm
      1f5a12184b14ac5281f8da50da7deab6

    SuSE-8.2:
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssl-0.9.6i-19.i586.rpm
      20818d3b2d257bcf9258707e2adf8812
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssl-0.9.6i-19.i586.patch.rpm
      2fbea6d1b3c19ed67d76337deef05363
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/openssl-0.9.6i-19.src.rpm
      24d40081aa2644a336279ecae878c1f3

    SuSE-8.1:
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssl-0.9.6g-99.i586.rpm
      a2c35048358d85fffd5a5ab7b58f6683
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssl-0.9.6g-99.i586.patch.rpm
      08803c7ac279b8c9ad1dc4aef4146617
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/openssl-0.9.6g-99.src.rpm
      8bb653a4f779a125498f47dbaff0dc2f

    SuSE-8.0:
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec1/openssl-0.9.6c-86.i386.rpm
      671dc039955089f8523064272a4aad49
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec1/openssl-0.9.6c-86.i386.patch.rpm
      4ae58f8e66b2cc7c2cc936132558ea46
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/openssl-0.9.6c-86.src.rpm
      7577ca638434ebe20406bfab85ec72ad

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec1/openssl-0.9.6b-158.i386.rpm
      30ba99434b63d09d46cb271fac1bbefa
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/openssl-0.9.6b-158.src.rpm
      3485c804df9a381131462ba97697d6fb

    SuSE-7.2:
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/openssl-0.9.6a-83.i386.rpm
      d235ef6d8b990bfaadb974c205acdc40
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssl-0.9.6a-83.src.rpm
      5a753ed3919767077292f96728de3870

    Sparc Platform:

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec1/openssl-0.9.6b-90.sparc.rpm
      29caa7dd281c0891c8655bcd5367f1ca
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/openssl-0.9.6b-90.src.rpm
      6faf5fe6fa004eb5515c1777886c49c9

    PPC Power PC Platform:

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/openssl-0.9.6b-151.ppc.rpm
      b057f2204c43fdca13fcae041a45e977
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/openssl-0.9.6b-151.src.rpm
      7792ee3de5ef30c66c90a5fe43ee4eb2

    openssl-doc:

    Intel i386 Platform:

    SuSE-9.0:
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/openssl-doc-0.9.7b-71.i586.rpm
      4a7d456b67a0456221cf69231270b4bd
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/openssl-doc-0.9.7b-71.i586.patch.rpm
      5223616e4b4d8f4bf0c02c63af75106c
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/openssl-0.9.7b-71.src.rpm
      1f5a12184b14ac5281f8da50da7deab6

    SuSE-8.2:
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssl-doc-0.9.6i-19.i586.rpm
      fc79cc73f1a9ab5ddfd30cf6ddfb8ddc
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssl-doc-0.9.6i-19.i586.patch.rpm
      55c3f3afc117c1d3d49ea875057c8d72
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/openssl-0.9.6i-19.src.rpm
      24d40081aa2644a336279ecae878c1f3

    SuSE-8.1:
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssl-doc-0.9.6g-99.i586.rpm
      0d094066c96a8880845e0775f9e60b73
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssl-doc-0.9.6g-99.i586.patch.rpm
      af8fcb4128569d603a018727eba8dc79
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/openssl-0.9.6g-99.src.rpm
      8bb653a4f779a125498f47dbaff0dc2f

    SuSE-8.0:
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/doc4/openssl-doc-0.9.6c-86.i386.rpm
      c06870e5a8c6ea57471c13fb975c2c9f
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/doc4/openssl-doc-0.9.6c-86.i386.patch.rpm
      911c9fd73b10b9db32e60834a82a79ee
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/openssl-0.9.6c-86.src.rpm
      7577ca638434ebe20406bfab85ec72ad

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/doc3/openssl-doc-0.9.6b-158.i386.rpm
      119950dc0267c7038c21acf6d875afdd
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/openssl-0.9.6b-158.src.rpm
      3485c804df9a381131462ba97697d6fb

    SuSE-7.2:
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/doc3/openssl-doc-0.9.6a-83.i386.rpm
      2f664c56f018c857f2f11f2e2634fbfa
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssl-0.9.6a-83.src.rpm
      5a753ed3919767077292f96728de3870

    Sparc Platform:

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/doc3/openssl-doc-0.9.6b-90.sparc.rpm
      6cbb149f6a3fb62eb7cc71e817e80426
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/openssl-0.9.6b-90.src.rpm
      6faf5fe6fa004eb5515c1777886c49c9

    PPC Power PC Platform:

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/doc3/openssl-doc-0.9.6b-151.ppc.rpm
      3f4235ab75c44e8e07c764ed2e4659da
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/openssl-0.9.6b-151.src.rpm
      7792ee3de5ef30c66c90a5fe43ee4eb2

    openssl-devel:

    Intel i386 Platform:

    SuSE-9.0:
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/openssl-devel-0.9.7b-71.i586.rpm
      8cadccfaa0eeb50def65bdf1cfdba470
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/openssl-devel-0.9.7b-71.i586.patch.rpm
      c7349b7e87b828ee90d7e0b87b0f5d38
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/openssl-0.9.7b-71.src.rpm
      1f5a12184b14ac5281f8da50da7deab6

    SuSE-8.2:
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssl-devel-0.9.6i-19.i586.rpm
      970728b4b4ae97d162a226a51a49c5b4
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/openssl-devel-0.9.6i-19.i586.patch.rpm
      f3cde2f53303041001edee7739dc4af1
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/openssl-0.9.6i-19.src.rpm
      24d40081aa2644a336279ecae878c1f3

    SuSE-8.1:
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssl-devel-0.9.6g-99.i586.rpm
      b676506791a1d5ddbc97295443092e4b
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/openssl-devel-0.9.6g-99.i586.patch.rpm
      a9974f26f6a7280a71228b61b6a861cc
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/openssl-0.9.6g-99.src.rpm
      8bb653a4f779a125498f47dbaff0dc2f

    SuSE-8.0:
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/d3/openssl-devel-0.9.6c-86.i386.rpm
      6ecfb4d3546645282d62e65c3aec04ad
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/d3/openssl-devel-0.9.6c-86.i386.patch.rpm
      1dbd101b9b7619de55d264191465b701
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/openssl-0.9.6c-86.src.rpm
      7577ca638434ebe20406bfab85ec72ad

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/d2/openssl-devel-0.9.6b-158.i386.rpm
      0c2b11b0002d077219842e2b8e528af1
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/openssl-0.9.6b-158.src.rpm
      3485c804df9a381131462ba97697d6fb

    SuSE-7.2:
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/d2/openssl-devel-0.9.6a-83.i386.rpm
      4c206037061e780fdbc20254cfdc9e17
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/openssl-0.9.6a-83.src.rpm
      5a753ed3919767077292f96728de3870

    Sparc Platform:

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/d2/openssl-devel-0.9.6b-90.sparc.rpm
      40e0b55f40c1dfd110d3494240c2b533
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/openssl-0.9.6b-90.src.rpm
      6faf5fe6fa004eb5515c1777886c49c9

    PPC Power PC Platform:

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/d2/openssl-devel-0.9.6b-151.ppc.rpm
      f3a7e90f86c2c095ff3eae5d75a1a3c8
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/openssl-0.9.6b-151.src.rpm
      7792ee3de5ef30c66c90a5fe43ee4eb2

______________________________________________________________________________

2) Pending vulnerabilities in SuSE Distributions and Workarounds:

  - gdm2
    Due to a bug in GDM it is possible for local users to read any text
    file on a system by creating a symlink from ~/.xsession-errors.
    New packages are available on our FTP servers.

  - whois
    The client tool whois is vulnerable to several buffer overflows
    while processing its command-line arguments. In conjunction with
    using untrusted data from remote sources as input, like using whois
    in a CGI script and so on, these buffer overflows may be abused to
    compromise a system.
    New packages are available on our FTP servers.

  - postgresql
    The SQL database server postgresql of version 7.3.x prior to 7.3.4
    is vulnerable to buffer overflow attacks.
    New packages will be available soon.

______________________________________________________________________________

3) standard appendix: authenticity verification, additional information

  - Package authenticity verification:

    SuSE update packages are available on many mirror ftp servers all
    over the world. While this service is being considered valuable and
    important to the free and open source software community, many
    users wish to be sure about the origin of the package and its
    content before installing the package. There are two verification
    methods that can be used independently from each other to prove the
    authenticity of a downloaded file or rpm package:
    1) md5sums as provided in the (cryptographically signed)
       announcement.
    2) using the internal gpg signatures of the rpm package.

    1) execute the command
        md5sum
       after you downloaded the file from a SuSE ftp server or its
       mirrors. Then, compare the resulting md5sum with the one that is
       listed in the announcement. Since the announcement containing
       the checksums is cryptographically signed (usually using the key
       security at suse.de), the checksums show proof of the
       authenticity of the package.
       We recommend against subscribing to security lists which cause
       the email message containing the announcement to be modified so
       that the signature does not match after transport through the
       mailing list software.
       Downsides: You must be able to verify the authenticity of the
       announcement in the first place. If RPM packages are being
       rebuilt and a new version of a package is published on the ftp
       server, all md5 sums for the files are useless.

    2) rpm package signatures provide an easy way to verify the
       authenticity of an rpm package. Use the command
        rpm -v --checksig
       to verify the signature of the package, where is the filename
       of the rpm package that you have downloaded. Of course, package
       authenticity verification can only target an un-installed rpm
       package file.
       Prerequisites:
        a) gpg is installed
        b) The package is signed using a certain key. The public part
           of this key must be installed by the gpg program in the
           directory ~/.gnupg/ under the user's home directory who
           performs the signature verification (usually root). You can
           import the key that is used by SuSE in rpm packages for SuSE
           Linux by saving this announcement to a file
           ("announcement.txt") and running the command (do "su -" to
           be root):
             gpg --batch; gpg < announcement.txt | gpg --import
           SuSE Linux distributions version 7.1 and thereafter install
           the key "build at suse.de" upon installation or upgrade,
           provided that the package gpg is installed. The file
           containing the public key is placed at the top-level
           directory of the first CD (pubring.gpg) and at
           ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .

  - SuSE runs two security mailing lists to which any interested party
    may subscribe:

    suse-security at suse.com
        - general/linux/SuSE security discussion.
          All SuSE security announcements are sent to this list.
          To subscribe, send an email to .

    suse-security-announce at suse.com
        - SuSE's announce-only mailing list.
          Only SuSE's security announcements are sent to this list.
          To subscribe, send an email to .

    For general information or the frequently asked questions (faq)
    send mail to: or respectively.

    =====================================================================
    SuSE's security contact is or .
The public key is listed below.
=====================================================================
______________________________________________________________________________

The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text. SuSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key

Bye,
Thomas

--
Thomas Biege , SuSE Linux AG, Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/contact/thomas.asc | pgp -fka"
Key fingerprint = 51 AD B9 C7 34 FC F2 54 01 4A 1C D4 66 64 09 83
--
... bring the pieces back together, we discover communication...
- Maynard James Keenan

From carl.belanger at wave-hosting.net Wed Oct 1 18:36:26 2003
From: carl.belanger at wave-hosting.net (Carl Belanger)
Date: Wed, 1 Oct 2003 13:36:26 -0400 (EDT)
Subject: [Full-Disclosure] [SECURITY] [DSA-393-1] New OpenSSL packages correct denial of service issues
In-Reply-To:
References:
Message-ID: <16053.206.47.0.171.1065029786.squirrel@mail.wave-hosting.net>

FYI

> -----BEGIN PGP SIGNED MESSAGE-----
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 393-1
> security at debian.org http://www.debian.org/security/
> Michael Stone October 1, 2003
> http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package : openssl
> Vulnerability : denial of service
> Problem-Type : remote
> Debian-specific: no
> CVE Ids : CAN-2003-0543 CAN-2003-0544
>
> Dr. Stephen Henson (steve at openssl.org), using a test suite provided by
> NISCC (www.niscc.gov.uk), discovered a number of errors in the OpenSSL
> ASN1 code. Combined with an error that causes the OpenSSL code to parse
> client certificates even when it should not, these errors can cause a
> denial of service (DoS) condition on a system using the OpenSSL code,
> depending on how that code is used. For example, even though apache-ssl
> and ssh link to OpenSSL libraries, they should not be affected by this
> vulnerability. However, other SSL-enabled applications may be
> vulnerable and an OpenSSL upgrade is recommended.
>
> For the current stable distribution (woody) these problems have been
> fixed in version 0.9.6c-2.woody.4
>
> For the unstable distribution (sid) these problems have been fixed in
> version 0.9.7c-1
>
> We recommend that you update your openssl package. Note that you will
> need to restart services which use the libssl library for this update to
> take effect.
>
> Upgrade Instructions
> - --------------------
>
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
> will update the internal database
> apt-get upgrade
> will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
> Debian GNU/Linux 3.0 alias woody
> - --------------------------------
>
> These files will probably be moved into the stable distribution on its
> next revision.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce at lists.debian.org
> Package info: `apt-cache show ' and http://packages.debian.org/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
Carl Bélanger
Wave-Hosting.net
carl.belanger at wave-hosting.net

From sintraq at sintelli.com Wed Oct 1 18:43:40 2003
From: sintraq at sintelli.com (Sintelli )
Date: Wed, 1 Oct 2003 18:43:40 +0100
Subject: [Full-Disclosure] Cross-site Scripting Vulnerability in Atrise EveryFind
Message-ID: <001901c38843$8d5a7d50$0400a8c0@x2>

Ezhilan of Sintelli has identified a Cross-Site Scripting Vulnerability in Atrise EveryFind 5.0.2.

Details of the vulnerability are provided here:
http://www.sintelli.com/adv/sa-2003-01-everyfind.pdf

Users are advised to upgrade to EveryFind 5.0.3
http://www.atrise.com/everyfind/version.html

Regards
Sintelli
www.sintelli.com

Week 39, 2003 Security Vulnerabilities
http://www.sintelli.com/sinweek/week39-2003.pdf

From shawn.a.clifford at lmco.com Wed Oct 1 18:51:56 2003
From: shawn.a.clifford at lmco.com (Clifford, Shawn A)
Date: Wed, 01 Oct 2003 13:51:56 -0400
Subject: [Full-Disclosure] Re: [ISN] Technology Firm With Ties to Microsoft Fires Executive Over Criticism
Message-ID: <40009098993FA041A331FB80F5F94F9701B5D426@EMSS03M12.us.lmco.com>

It's posted in the "Columns" section:
http://mcpmag.com/columns/article.asp?EditorialsID=610

-- Shawn

> -----Original Message-----
> From: Paul Robichaux [mailto:paul at robichaux.net]
> Sent: Tuesday, September 30, 2003 2:41 PM
> To: InfoSec News; Dan_Verton at computerworld.com; jasonc at science.org
> Cc: rforno at infowarrior.org; full-disclosure at lists.netsys.com
> Subject: [Full-Disclosure] Re: [ISN] Technology Firm With Ties to
> Microsoft Fires Executive Over Criticism
>
>
> I erred in saying that Geer represented himself, or the report, as speaking
> for @stake.
>
> There's a lot more that I'm tempted to say, but I think Roberta Bragg said
> it better in her column yesterday. Rather than muddle her arguments, I refer
> interested readers to http://mcpmag.com/security; the column's not posted
> there yet but should be shortly.
>
> Cheers,
> -Paul

From guninski at guninski.com Wed Oct 1 20:06:46 2003
From: guninski at guninski.com (Georgi Guninski)
Date: Wed, 1 Oct 2003 22:06:46 +0300
Subject: [Full-Disclosure] NINCOMPOOPERY OF MICROSOFT
In-Reply-To: <200310011454.h91EsE3a054357@mailserver2.hushmail.com>
References: <200310011454.h91EsE3a054357@mailserver2.hushmail.com>
Message-ID: <20031001190646.1907.qmail@localhost.localdomain>

This user Bullmur should be careful with the word "criminal".

Question to the lawyers on the list: It is my understanding that "criminal" is someone who breaks the law. microsoft seem to have been found guilty by a court in the antitrust trial, so they seem to have broken the law. Are microsoft criminals from a legal point of view?

Or does justice work this way: if you deface a website, you are a criminal, but if you screw most of the internet you are a hero?

georgi

On Wed, 1 Oct 2003 07:54:12 -0700 wrote:
> "Hackers are criminals" Most, he notes, release their malicious code
> after patches for Microsoft software have been released, meaning that
> they are simply reverse engineering to exploit security weaknesses or
> holes in software. - Microsoft CEO Steve Ballmer
>
> 'ninkum`poop [n] a stupid foolish person See Also: simple, simpleton
>
>

From jasonc at science.org Wed Oct 1 20:27:03 2003
From: jasonc at science.org (Jason Coombs)
Date: Wed, 01 Oct 2003 09:27:03 -1000
Subject: [Full-Disclosure] Re: [ISN] Technology Firm With Ties to Microsoft Fires Executive Over Criticism
In-Reply-To:
References:
Message-ID: <3F7B2A87.90207@science.org>

Paul Robichaux wrote:
> I erred ...
> but I think Roberta Bragg said ...
> http://mcpmag.com/security

It was very good of you to acknowledge, Paul, that your response was in error. Mistakes happen... I personally make several per day. Often in writing.

One's goal, if one cares about security, must be to understand the source of behaviors, biases, preconceived notions, misunderstandings, etc.
that one exhibits in connection with mistakes, even if a given symptom has only been observed once, and trace those flaws to their root cause -- then reprogram.

Roberta Bragg makes a sincere attempt to respond to the report, but she does so with emotion rather than critical thinking and an open mind. Roberta is currently unwilling to accept, emotionally, that she is personally supporting a malicious entity that is still engaged in unfair and unreasonable attacks against good people. This is a normal response that people go through (denial) when they are struggling to come to terms with having enabled (co-dependency) a substance abuser. The thinking is something like this: "Microsoft can't be evil because if they are then what does that make me?"

To add context, my professional background includes almost being published by Microsoft Press recently in the security area... Until Microsoft saw that the security advice being offered by my book told too much of the truth, and much of it just wasn't compatible with corporate monopolistic self-interest.

Here is my response to her article. Since you appear to be an ally of hers, perhaps you'll forward my comments to her personally.

10/1/2003: Jason Coombs says:

Roberta has been so badly compromised by her own bias that she isn't aware that she completely missed the point of the report. The Microsoft monopoly is causing severe harm, and its potential for new specific harm increases (force multiplication) as the monopoly grows. A necessary step in the process of information security is selecting software that is designed with open, provable security features -- until Microsoft changes its abusive, monopolistic behaviors (which come from the top of the company) it will never build a trustworthy product.

Roberta chooses to trust Microsoft because she is underinformed.
Perhaps she has smelled the truth and opted for a financially-comfortable condition of denial where she can help further Microsoft's cause while looking the other way when Microsoft commits terrible offenses. This way the stink doesn't create a denial of service condition for her personal bank account balance.

From kevin.hansen at thomson.com Wed Oct 1 20:19:12 2003
From: kevin.hansen at thomson.com (Hansen, Kevin)
Date: Wed, 1 Oct 2003 14:19:12 -0500
Subject: [Full-Disclosure] Mystery DNS Changes
Message-ID: <63C5D58429F6D41196040006298F207C02B85963@eg-msgmbx-b05.int.westgroup.com>

We have seen multiple instances where DHCP enabled workstations have had their DNS reconfigured to point to two of the three addresses listed below. Can anyone else confirm this? Incidents.org is reporting an increase in