From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Reply-To: iwar@yahoogroups.com
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Date: Tue, 23 Oct 2001 19:40:26 -0700 (PDT)
Message-Id: <200110240240.f9O2eR031426@red.all.net>
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
Subject: [iwar] [fc:Beware.New.Red.Hat.Linux.Release,.Expert.Warns]

Beware New Red Hat Linux Release, Expert Warns
By Brian McWilliams, Newsbytes, 10/23/2001
http://www.newsbytes.com/news/01/171419.html

The latest online update of Red Hat Linux, a commercial version of the open-source operating system, could have been tampered with by attackers, a security expert warned today.

Copies of Red Hat Linux 7.2 available from some download sites were not digitally signed by the developer, Red Hat Inc., according to Kurt Seifried, author of an online book entitled "Linux Administrator's Security Guide."

"Either Red Hat did not sign these packages, or someone subverted the distribution process before the files got to various sites," said Seifried in a security advisory issued today on the VulnWatch mailing list.

Red Hat Linux version 7.2, also known by its code name, "Enigma," was released Tuesday. While Red Hat Linux can be purchased from the vendor on CD-ROM, many users download the software for free from the company's Web site or from numerous mirror sites around the world.

According to Seifried, Red Hat ordinarily uses the digital-signature tool GnuPG to sign the various files, or "packages," that comprise its distribution of Linux, so that users can verify that the downloaded files were not modified. Without such signatures, "it becomes trivial for an attacker to replace packages on a distribution site with no one being able to easily verify that they have been subverted," said Seifried's advisory.

A Red Hat spokesperson said the company was studying the security report.

In addition to using GnuPG, Red Hat publishes MD5 checksums so that users can check that downloaded files arrived intact; a checksum detects corruption, but unlike a signature it cannot distinguish a genuine package from one replaced, together with its checksum, by whoever controls the download site. Matthias Saou, operator of an unofficial Red Hat distribution and discussion site, FreshRPMs.net, said the MD5 checksums of Red Hat 7.2 files he obtained two weeks ago from the vendor's server checked out. "I really don't think there's any problem with the files Red Hat put out," said Saou, who added that Seifried's security advisory was missing important technical details.

According to Seifried, the Red Hat 7.2 packages that failed GnuPG verification included rpmdb-redhat and redhat-release. All of the files in the operating system's previous release, Red Hat Linux 7.1, were correctly signed with the Red Hat GnuPG security key, according to Seifried.

In a chapter of his security guide that deals with installing Linux, Seifried warned that acquiring the operating system from an unverified source "could potentially end up with an installation that has backdoors or other security issues."

Seifried's advisory on Red Hat Linux 7.2 is archived here:
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0019.html

------------------
http://all.net/
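The check the article describes is what a mirror user or a mirror operator runs over every downloaded package before installing it: `rpm --checksig` reports a digest check and, where a signature is present, a signature check against the keys imported into rpm. The point of Seifried's advisory is that an unsigned package passes the digest check and still proves nothing about who produced it. The following script is an added example, not code from the article, from Seifried or from Red Hat. It assumes the rpm 4.0-era `--checksig` line format (`<file>: <check> <check> ... OK|NOT OK [(note)]`, with a lowercase check name for pass, UPPERCASE for fail and a parenthesised name for a check that was not performed, e.g. because the key is not in the keyring); the sample output, package names and key id below are constructed placeholders.

```python
"""Classify `rpm --checksig` output so that unsigned packages are not
mistaken for verified ones.

Assumption (not from the article): rpm 4.0-era --checksig output, one
package per line, "<file>: <check> ... OK|NOT OK [(note)]", where a
lowercase check passed, an UPPERCASE check failed and a (parenthesised)
check was not performed.
"""
import subprocess
from dataclasses import dataclass

SIGNATURE_CHECKS = ("gpg", "pgp")   # rpm names the signature check after the key type
DIGEST_CHECKS = ("md5", "sha1")     # digests detect corruption, not substitution


@dataclass(frozen=True)
class Verdict:
    package: str
    status: str   # SIGNED_OK | UNSIGNED | BAD_SIGNATURE | UNVERIFIED | CORRUPT
    detail: str


def parse_line(line):
    """Split one checksig line into (package, check tokens, trailing note)."""
    package, sep, body = line.strip().partition(":")
    words = body.split()
    if not sep or "OK" not in words:
        raise ValueError(f"unparseable checksig line: {line!r}")
    ok_idx = words.index("OK")
    end = ok_idx - 1 if ok_idx > 0 and words[ok_idx - 1] == "NOT" else ok_idx
    note = " ".join(words[ok_idx + 1:]).strip("()")
    return package.strip(), words[:end], note


def classify(line):
    """Turn one checksig line into a Verdict; only SIGNED_OK is installable."""
    package, checks, note = parse_line(line)
    state = {}
    for tok in checks:
        if tok.startswith("(") and tok.endswith(")"):
            state[tok[1:-1].lower()] = "unchecked"
        elif tok == tok.upper():
            state[tok.lower()] = "failed"
        else:
            state[tok] = "passed"
    digest = [state[c] for c in DIGEST_CHECKS if c in state]
    signature = [state[c] for c in SIGNATURE_CHECKS if c in state]
    if "failed" in digest:
        return Verdict(package, "CORRUPT", "digest mismatch: file altered or truncated")
    if not signature:
        # The advisory's case: a digest alone cannot tell a genuine package from
        # one an attacker replaced on the mirror together with its md5 file.
        return Verdict(package, "UNSIGNED",
                       "no GnuPG signature: digest proves only that the download was not corrupted")
    if "failed" in signature:
        return Verdict(package, "BAD_SIGNATURE",
                       "signature does not verify: modified after signing or not signed by the expected key")
    if "unchecked" in signature:
        return Verdict(package, "UNVERIFIED",
                       note or "signature present but the signing key is not in the rpm keyring")
    return Verdict(package, "SIGNED_OK", "digest and signature verify against the imported key")


def summarize(checksig_output):
    """Group package names by verdict over a whole --checksig run."""
    groups = {}
    for line in checksig_output.splitlines():
        if line.strip():
            verdict = classify(line)
            groups.setdefault(verdict.status, []).append(verdict.package)
    return groups


def installable(checksig_output):
    """Packages whose signature verified: the only ones to hand to `rpm -i`."""
    return sorted(summarize(checksig_output).get("SIGNED_OK", []))


def run_checksig(paths):
    """Run rpm on real files (needs rpm with the vendor's public key imported)."""
    # rpm exits non-zero when any package fails, so check=True is not used.
    proc = subprocess.run(["rpm", "--checksig", *paths], capture_output=True, text=True)
    return proc.stdout


# Constructed sample output; package names and the key id are placeholders.
SAMPLE_OUTPUT = """\
signed-1.0-1.i386.rpm: md5 gpg OK
unsigned-1.0-1.i386.rpm: md5 OK
unsigned-doc-1.0-1.noarch.rpm: md5 OK
tampered-1.0-1.i386.rpm: md5 GPG NOT OK
unknownkey-1.0-1.i386.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#12345678)
truncated-1.0-1.i386.rpm: MD5 GPG NOT OK
"""

if __name__ == "__main__":
    for status, packages in sorted(summarize(SAMPLE_OUTPUT).items()):
        print(f"{status:14s} {' '.join(packages)}")
```

Two of the verdicts deserve a note. UNSIGNED is the condition the advisory reports: the digest passes, so a plain "OK" reading would install the package, which is exactly why the script refuses to treat a digest-only result as verified. UNVERIFIED is the operator's own mistake rather than the mirror's: the signature is there but rpm has no key to check it against, and the fix is to import the vendor key from a source other than the mirror being checked, since a key fetched from a compromised mirror verifies whatever the attacker signed.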
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:56 PST