
latest exploits




[SmartFTP] Two Buffer Overflow Vulnerabilities

PRODUCT : SmartFTP

VERSIONS : 1.0.973

VENDOR : SmartFTP (http://www.smartftp.com/)

SEVERITY : Critical.

Code Execution.

SmartFTP has the following two buffer overflow vulnerabilities:

1. Buffer overflow vulnerability in the reply to the PWD command.

If a reply containing a long address is returned from a server for a "PWD" command request, a buffer overflow occurs on the stack. By exploiting this vulnerability, an attacker can execute arbitrary code on the user's system if the user connects to the malicious server.

2. Heap buffer overrun vulnerability in the File List.

If the File List returned from a server contains a line with a long string, a buffer overrun occurs on the heap. By exploiting this vulnerability, an attacker could possibly execute arbitrary code on the user's system if the user connects to the malicious server.

With these vulnerabilities, there could be the following risks:

* Infection with a virus or trojan, etc.
* Destruction of the system.
* Leak or alteration of local data.


[LeapFTP] "PASV" Reply Buffer Overflow Vulnerability

PRODUCT : LeapFTP

VERSIONS : 2.7.3.600

VENDOR : LeapWare (http://www.leapware.com/)

SEVERITY : Critical.

Code Execution.

A buffer overflow occurs on the stack if a reply containing a long string is returned from a server for the "PASV" command request. By exploiting this vulnerability, an attacker can execute arbitrary code on the user's system if the user connects to the malicious server.

With this vulnerability, there could be the following risks:

* Infection with a virus or trojan, etc.
* Destruction of the system.
* Leak or alteration of local data.

SYSTEMS AFFECTED

LeapFTP 2.7.3.600

Previous versions may have the same vulnerability.

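Both the SmartFTP and LeapFTP advisories above describe the same defect: a server-controlled reply line copied into a fixed-size stack buffer with no length check. The C below is an added example (not SmartFTP, LeapFTP or the advisory author's code) of how a client can read the PWD (257) and PASV (227) replies with the bound the advisories say is missing; MAX_REPLY_LEN, the buffer sizes and the sample replies are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hard upper bound on an accepted reply line. RFC 959 replies are short;
 * anything longer is treated as hostile instead of being copied anyway. */
#define MAX_REPLY_LEN 512

char g_dir[64];      /* scratch buffers for a caller of the parsers below */
char g_ip[16];
unsigned g_port;

/* Copy one reply line into a caller-owned buffer, refusing (not silently
 * truncating) anything that would not fit. This is the length check whose
 * absence both advisories describe. Returns 0 on success, -1 if too long. */
int copy_reply_bounded(const char *reply, char *out, size_t outsz)
{
    size_t n = 0;
    while (n <= MAX_REPLY_LEN && reply[n] != '\0')
        n++;
    if (n > MAX_REPLY_LEN || n >= outsz)
        return -1;
    memcpy(out, reply, n + 1);
    return 0;
}

/* Parse a PWD reply:  257 "<dir>" <comment>
 * A quote inside the directory name arrives doubled ("") per RFC 959.
 * Returns 0 and fills dir on success; -1 on malformed or oversized input. */
int parse_pwd_reply(const char *reply, char *dir, size_t dirsz)
{
    char line[MAX_REPLY_LEN + 1];
    if (copy_reply_bounded(reply, line, sizeof line) != 0)
        return -1;
    if (strncmp(line, "257 \"", 5) != 0)
        return -1;
    const char *p = line + 5;
    size_t o = 0;
    for (;;) {
        if (*p == '\0')
            return -1;                  /* unterminated quoted name */
        if (*p == '"') {
            if (p[1] != '"')
                break;                  /* closing quote */
            p++;                        /* doubled quote: keep a single one */
        }
        if (o + 1 >= dirsz)
            return -1;                  /* would overflow dir: refuse */
        dir[o++] = *p++;
    }
    dir[o] = '\0';
    return 0;
}

/* Parse a PASV reply:  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
 * Every field must be 0..255. Fills ip (dotted quad, >= 16 bytes) and port
 * and returns 0; returns -1 on malformed or oversized input. */
int parse_pasv_reply(const char *reply, char *ip, size_t ipsz, unsigned *port)
{
    char line[MAX_REPLY_LEN + 1];
    if (copy_reply_bounded(reply, line, sizeof line) != 0)
        return -1;
    if (strncmp(line, "227", 3) != 0)
        return -1;
    const char *p = strchr(line, '(');
    if (p == NULL)
        return -1;
    p++;
    long v[6];
    for (int i = 0; i < 6; i++) {
        char *end;
        errno = 0;
        v[i] = strtol(p, &end, 10);
        if (end == p || errno != 0 || v[i] < 0 || v[i] > 255)
            return -1;
        if (*end != (i == 5 ? ')' : ','))
            return -1;
        p = end + 1;
    }
    if (snprintf(ip, ipsz, "%ld.%ld.%ld.%ld", v[0], v[1], v[2], v[3]) >= (int)ipsz)
        return -1;
    *port = (unsigned)(v[4] * 256 + v[5]);
    return 0;
}
```

A reply that would not fit is rejected outright rather than truncated, so the caller sees an error instead of a silently mangled path or address.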

Nokia GGSN (IP650 Based) DoS

Application: Nokia GGSN (IP650 Based)

Platform: Nokia GGSN (IP650 Based)

Severity: An attacker is able to cause GGSN to kernel panic

Overview:

Nokia's (http://www.nokia.com) GGSN (Gateway GPRS Support Node) is the platform that exists between the Gn and Gi networks within a GPRS network.

There exists a vulnerability in the TCP stack that allows an attacker to cause the GGSN to kernel panic and shut down. This potentially allows an attacker to crash all data connectivity within a GPRS-based network.

This is a good example of why network elements which introduce IP functionality to legacy networks should have their functionality verified in terms of impact on security before deployment in a production environment.

This vulnerability is exploited by sending a malformed IP packet with a TCP option of 0xFF over a cellphone to the affected network.

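The GGSN post gives no detail beyond "a TCP option of 0xFF", so as an added example (not Nokia's code) here is a bounds-checked TCP options walker that shows the three places an options parser can go wrong on an unknown kind with a bad length, and drops the segment instead of trusting it. The option layouts are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL 0   /* end of option list, single byte */
#define TCPOPT_NOP 1   /* padding, single byte */
#define TCPOPT_MSS 2   /* maximum segment size, length 4 */

typedef struct {
    int mss;            /* -1 when no MSS option is present */
    int unknown_kinds;  /* options we do not implement but skipped safely */
} tcp_opts;

tcp_opts g_opts;        /* scratch result used by main() below */

/* Walk the options area of a TCP header. Returns 0 when it is well-formed
 * and fills *out; returns -1 when it is malformed, in which case the segment
 * should be dropped and counted rather than processed. The checks that
 * matter: a kind byte must be followed by a length byte (unless EOL/NOP),
 * the length must be at least 2 so the walk always advances, and the option
 * must end inside the buffer. An unknown kind (0xFF here) is skipped by its
 * declared length and never trusted beyond that. */
int tcp_parse_options(const uint8_t *opt, size_t len, tcp_opts *out)
{
    size_t i = 0;
    out->mss = -1;
    out->unknown_kinds = 0;
    while (i < len) {
        uint8_t kind = opt[i];
        if (kind == TCPOPT_EOL)
            return 0;                   /* rest of the area is padding */
        if (kind == TCPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= len)
            return -1;                  /* kind byte with no length byte */
        uint8_t olen = opt[i + 1];
        if (olen < 2)
            return -1;                  /* a naive loop would never advance */
        if (i + olen > len)
            return -1;                  /* option claims bytes past the end */
        if (kind == TCPOPT_MSS) {
            if (olen != 4)
                return -1;
            out->mss = (opt[i + 2] << 8) | opt[i + 3];
        } else {
            out->unknown_kinds++;
        }
        i += olen;
    }
    return 0;
}

/* Constructed option areas (not captured traffic). */
const uint8_t sample_ok[]         = { 2, 4, 0x05, 0xb4, 1, 1, 0 };
const uint8_t sample_zero_len[]   = { 0xff, 0x00 };
const uint8_t sample_overlong[]   = { 0xff, 0x08, 1, 2, 3 };
const uint8_t sample_truncated[]  = { 2 };
const uint8_t sample_unknown_ok[] = { 0xff, 0x03, 0xaa, 2, 4, 0x02, 0x18 };

int main(void)
{
    int rc = tcp_parse_options(sample_ok, sizeof sample_ok, &g_opts);
    printf("ok sample: rc=%d mss=%d\n", rc, g_opts.mss);
    rc = tcp_parse_options(sample_zero_len, sizeof sample_zero_len, &g_opts);
    printf("kind 0xff with length 0: rc=%d (drop)\n", rc);
    return 0;
}
```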

[LSD] HP-UX security vulnerabilities

1. /usr/sbin/lanadmin

/usr/sbin/landiag

The vulnerability in the lanadmin and landiag programs is caused by improper handling of the TERM environment variable in the setupterm() function - it copies this variable without any size checking into a stack buffer with the use of the strcpy function. This bug can be triggered by invoking the lanadmin or landiag program with the TERM environment variable set to a long string value. When appropriately exploited it can lead to a local root compromise of a vulnerable system.

2. /opt/sharedprint/bin/pcltotiff

There exists a buffer overflow vulnerability in the command line parsing code of the pcltotiff program. This bug can be triggered by invoking the pcltotiff program with a long string argument passed with the -t command line option. During program execution, this argument is further insecurely copied into a stack buffer with the use of the strcpy() function and without any size checking. When appropriately exploited this bug can lead to a privilege elevation attack, as the group id of bin can be gained on a vulnerable system.

3. rpc.yppasswdd

The rpc.yppasswdd service is typically installed with the NIS (Network Information Service) subsystem. The purpose of this service is to handle password change requests from the yppasswd program. In the HP-UX operating system, rpc.yppasswdd is installed as RPC service number 100009.

We have found that the same security vulnerability exists in HP-UX rpc.yppasswdd as in the Solaris operating system (Bulletin Number #00209). This vulnerability can be remotely exploited to gain unauthorised access to the target HP-UX system with administrative (root user) privileges.

The vulnerability can be triggered by sending a carefully crafted string argument to the YPPASSWDPROC_UPDATE function. This function has two arguments: a character string and a passwd struct (in our proof of concept code we only send a string instead of the whole structure), which stand respectively for the oldpass and the passwd struct (in our case the pw_name string).

In the changepasswd() function the pw_name field of the passwd structure is copied to a fixed buffer with the use of a strcpy() function call. As this call is done without any checking of the string length and boundaries, the program stack can be overwritten as a result of a buffer overflow condition.

Below you can see a detailed trace log from our bptrace tool, which clearly illustrates the rpc.yppasswdd execution path that leads to the overflow condition.

[21110] 0x00012a98 1 changepasswd()
[21110] 0x00025480 1 memset(0xffbefa30,0,40)
[21110] 0x00014448 1 xdr_yppasswd()
[21110] 0x00025738 1 xdr_wrapstring()
[21110] 0x00014374 1 xdr_passwd()
[21110] 0x00025744 1 xdr_uid_t()
[21110] 0x00025750 1 xdr_gid_t()
[21110] 0x000126b4 1 validstr()
[21110] 0x0002545c 1 strlen("")
[21110] 0x000255b8 1 strchr("",':')
[21110] 0x000126b4 2 validstr()
[21110] 0x000126b4 3 validstr()
[21110] 0x00025474 1 strcmp("udp","ticlts")
....
[21110] 0x00025438 1 strcpy(0xffbef9d8,"overlfow string with shellcode")

4. /usr/lib/X11/Xserver/ucode/screens/hp/rs.F3000

This vulnerability results from bad coding practices, specifically the way the system() function call is used throughout the code of the rs.F30002 program. This function call is used by rs.F30002 for invoking external programs (like rm) without specifying their absolute path. If the PATH environment variable is appropriately set prior to such an unsafe system() call invocation, user programs can be executed at elevated privileges (user=daemon).

5. /usr/bin/stmkfont

A simple buffer overflow vulnerability exists in the command line parsing code of the stmkfont program. This bug can be triggered by invoking the stmkfont program with a long string argument. When appropriately exploited it can lead to a privilege elevation attack, as the group id of bin can be gained on a vulnerable system.

6. /usr/bin/uucp

A buffer overflow vulnerability exists in the command line parsing code of the uucp program. This bug can be triggered by invoking the uucp program with a long string argument as an option. When appropriately exploited it can lead to a privilege elevation attack, as the user id of uucp can be gained on a vulnerable system.

7. /usr/bin/uusub

A buffer overflow vulnerability exists in the command line parsing code of the uusub program. This bug can be triggered by invoking the uusub program with a long string argument passed with the -a command line option. When appropriately exploited it can lead to a privilege elevation attack, as the user id of uucp can be gained on a vulnerable system.

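Item 4 above (rs.F30002 calling system() on a bare program name) is the classic PATH dependency in a privileged helper. As an added example (not HP's code), the C below shows the hardened way to run an external program from privileged code, with a self-check that removes a scratch file while PATH points nowhere useful; /bin/rm and the fixed PATH value are assumptions.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hardened replacement for a privileged program's system("rm file"):
 *  - execve() an absolute path, so nothing is looked up through PATH;
 *  - hand the child a minimal environment built here, so the caller's PATH
 *    (or LD_*, IFS, ...) never reaches it;
 *  - pass the file name as an argv element, not through a shell, so no word
 *    splitting or quoting applies.
 * Returns the child's exit status (0 = removed), or -1 on fork/exec failure. */
int remove_file_privileged(const char *path)
{
    char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    char *const argv[] = { "rm", "-f", "--", (char *)path, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/rm", argv, clean_env);
        _exit(127);                     /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Demonstration: create a scratch file, point PATH somewhere useless (the
 * setup the advisory describes against rs.F30002), and show the removal
 * still works because the helper never consults PATH. Returns 1 on success,
 * 0 otherwise. Restores PATH before returning. */
int demo_rm_without_path(void)
{
    char path[] = "/tmp/rs-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) {
        strcpy(path, "./rs-demo-XXXXXX");  /* fallback if /tmp is unusable */
        fd = mkstemp(path);
        if (fd < 0)
            return 0;
    }
    close(fd);

    const char *old = getenv("PATH");
    char *saved = old ? strdup(old) : NULL;
    setenv("PATH", "/nonexistent", 1);

    int rc = remove_file_privileged(path);
    int gone = (access(path, F_OK) != 0);

    if (saved) {
        setenv("PATH", saved, 1);
        free(saved);
    } else {
        unsetenv("PATH");
    }
    unlink(path);                       /* no-op if already removed */
    return rc == 0 && gone;
}

int main(void)
{
    printf("rm without PATH: %s\n", demo_rm_without_path() ? "ok" : "FAILED");
    return 0;
}
```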

GNU gzexe Temporary File Vulnerability

It has been reported that gzexe uses temporary files insecurely. During execution, an instance of gzexe creates a symbolic link in /tmp with a filename based on its process ID. This creates a race condition that may be exploited by local users to corrupt files writeable by target users.

SYSTEMS AFFECTED

GNU gzip 1.2.4 a

+ MandrakeSoft Corporate Server 1.0.1

+ MandrakeSoft Linux Mandrake 7.0

+ MandrakeSoft Linux Mandrake 7.1

+ MandrakeSoft Linux Mandrake 7.2

+ MandrakeSoft Linux Mandrake 8.0

+ MandrakeSoft Linux Mandrake 8.0 ppc

+ MandrakeSoft Linux Mandrake 8.1

+ MandrakeSoft Linux Mandrake 8.1 ia64

+ MandrakeSoft Single Network Firewall 7.2

+ RedHat Linux 6.2 alpha

+ RedHat Linux 6.2 i386

+ RedHat Linux 6.2 sparc

+ SGI IRIX 6.5

+ SGI IRIX 6.5.1

+ SGI IRIX 6.5.2

+ SGI IRIX 6.5.3

+ SGI IRIX 6.5.4

+ SGI IRIX 6.5.5

+ SGI IRIX 6.5.6

+ SGI IRIX 6.5.7

+ SGI IRIX 6.5.8

+ SGI IRIX 6.5.9

+ SGI IRIX 6.5.10

+ SGI IRIX 6.5.11 f

+ SGI IRIX 6.5.11 m

+ SGI IRIX 6.5.12 f

+ SGI IRIX 6.5.12 m

+ SGI IRIX 6.5.13 f

+ SGI IRIX 6.5.13 m

+ SGI IRIX 6.5.14 f

+ SGI IRIX 6.5.14 m

+ SGI IRIX 6.5.15 f

+ SGI IRIX 6.5.15 m

+ Trustix Secure Linux 1.1

+ Trustix Secure Linux 1.2

+ Trustix Secure Linux 1.5

GNU gzip 1.2.4

+ Debian Linux 2.2 68k

+ Debian Linux 2.2 alpha

+ Debian Linux 2.2 arm

+ Debian Linux 2.2 IA-32

+ Debian Linux 2.2 powerpc

+ Debian Linux 2.2 sparc

+ RedHat Linux 5.2 alpha

+ RedHat Linux 5.2 i386

+ RedHat Linux 5.2 sparc

+ RedHat Linux 6.0

+ RedHat Linux 6.0 alpha

+ RedHat Linux 6.0 sparc

+ RedHat Linux 6.1 alpha

+ RedHat Linux 6.1 i386

+ RedHat Linux 6.1 sparc

+ Slackware Linux 7.0

+ Slackware Linux 7.1

+ Slackware Linux 8.0

+ Sun Solaris 8.0

+ Sun Solaris 8.0 _x86

GNU gzip 1.3

+ RedHat Linux 7.0 alpha

+ RedHat Linux 7.0 i386

+ RedHat Linux 7.0 sparc

+ RedHat Linux 7.1 alpha

+ RedHat Linux 7.1 i386

+ RedHat Linux 7.2 alpha

+ RedHat Linux 7.2 i386

GNU gzip 1.3.2

+ Debian Linux 3.0

+ Debian Linux 3.0 alpha

+ Debian Linux 3.0 arm

+ Debian Linux 3.0 hppa

+ Debian Linux 3.0 ia-32

+ Debian Linux 3.0 ia-64

+ Debian Linux 3.0 m68k

+ Debian Linux 3.0 mips

+ Debian Linux 3.0 mipsel

+ Debian Linux 3.0 ppc

+ Debian Linux 3.0 s/390

+ Debian Linux 3.0 sparc

SOLUTION

Debian has issued upgrades that will eliminate the vulnerability in Debian packages. See DSA-308-1 (in the reference section) for URLs.

TECHNICAL DETAILS

It has been discovered that znew, a script included in the gzip package, creates its temporary files without taking precautions to avoid a symlink attack (CAN-2003-0367).

The gzexe script has a similar vulnerability which was patched in an earlier release but inadvertently reverted.

For the stable distribution (woody) both problems have been fixed in version 1.3.2-3woody1.

For the old stable distribution (potato) CAN-2003-0367 has been fixed in version 1.2.4-33.2. This version is not vulnerable to CVE-1999-1332 due to an earlier patch.

For the unstable distribution (sid) this problem will be fixed soon.

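The gzexe/znew advisory above is a symlink race on a predictable /tmp name. As an added example (not gzexe's own code, which is a shell script), the C below shows the insecure open pattern beside the two usual mitigations, O_CREAT|O_EXCL and mkstemp(), and proves in a private scratch directory that a planted symlink is refused; the directory and file names are constructed.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The pattern the advisory describes (gzexe, and znew in CAN-2003-0367): a
 * name in /tmp derived from the pid, opened with O_CREAT|O_TRUNC but without
 * O_EXCL. A local user who guesses the name first and plants a symlink there
 * makes the truncate land on whatever file the link points to. Shown for
 * contrast; the demonstration below never calls it. */
int create_tmp_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Mitigation 1: O_CREAT|O_EXCL fails atomically if anything (symlink, file,
 * anything) already sits at the name, so there is no check-then-use window.
 * Returns an fd, or -1 with errno == EEXIST when something was planted. */
int create_tmp_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Mitigation 2: let mkstemp() choose an unpredictable name; it also uses
 * O_CREAT|O_EXCL internally. The template must end in XXXXXX and is rewritten
 * with the chosen name. */
int create_tmp_mkstemp(char *template_path)
{
    return mkstemp(template_path);
}

/* Self-contained demonstration in a private scratch directory (constructed).
 * A symlink is planted at the predictable pid-based name pointing at a
 * "victim" file; the exclusive create must refuse it, a fresh name must
 * succeed, and the victim must be untouched. Returns 1 if the mitigation
 * behaves as claimed, 0 otherwise. Cleans up after itself. */
int demo_excl_defeats_symlink(void)
{
    char dir[] = "/tmp/gzexe-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./gzexe-demo-XXXXXX");   /* fallback if /tmp is unusable */
        if (mkdtemp(dir) == NULL)
            return 0;
    }
    char victim[256], planted[256], fresh[256], tmpl[256];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(planted, sizeof planted, "%s/gzexe%ld", dir, (long)getpid());
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);
    snprintf(tmpl, sizeof tmpl, "%s/safe.XXXXXX", dir);

    int ok = 0, fd;
    struct stat st;
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto cleanup;
    if (write(fd, "important\n", 10) != 10) { close(fd); goto cleanup; }
    close(fd);
    if (symlink(victim, planted) != 0)       /* the local attacker's move */
        goto cleanup;

    fd = create_tmp_excl(planted);           /* must be refused */
    if (fd >= 0) { close(fd); goto cleanup; }
    if (errno != EEXIST)
        goto cleanup;

    fd = create_tmp_excl(fresh);             /* fresh name: must succeed */
    if (fd < 0)
        goto cleanup;
    close(fd);
    fd = create_tmp_mkstemp(tmpl);           /* kernel-chosen name: must succeed */
    if (fd < 0)
        goto cleanup;
    close(fd);
    ok = (stat(victim, &st) == 0 && st.st_size == 10);   /* victim intact */
cleanup:
    unlink(planted); unlink(fresh); unlink(tmpl); unlink(victim); rmdir(dir);
    return ok;
}
```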

Apparently 2.8.12 is vuln to some type of exploit.

You are running an insecure apache setup. You should run /scripts/easyapache and upgrade to a newer version as soon as possible to avoid your system being compromised.

Update mod_ssl to 2.8.14


Debian Security Advisory

Affected Packages: kernel

A number of vulnerabilities have been discovered in the Linux kernel.

CVE-2002-0429: The iBCS routines in arch/i386/kernel/traps.c for Linux kernels 2.4.18 and earlier on x86 systems allow local users to kill arbitrary processes via a binary compatibility interface (lcall).

CAN-2003-0001: Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets.

CAN-2003-0127: The kernel module loader allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel.

CAN-2003-0244: The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions related to the PREROUTING chain.

CAN-2003-0246: The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports.

CAN-2003-0247: Vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ("kernel oops").

CAN-2003-0248: The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address.

CAN-2003-0364: The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions.

This advisory covers only the i386 (Intel IA32) architectures. Other architectures will be covered by separate advisories.

For the stable distribution (woody) on the i386 architecture, these problems have been fixed in kernel-source-2.4.18 version 2.4.18-9, kernel-image-2.4.18-1-i386 version 2.4.18-8, and kernel-image-2.4.18-i386bf version 2.4.18-5woody1.

For the unstable distribution (sid) these problems are fixed in the 2.4.20 series kernels based on Debian sources.

It is recommended that you upgrade your kernel packages.

If you are using the kernel installed by the installation system when the "bf24" option is selected (for a 2.4.x kernel), you should install the kernel-image-2.4.18-bf2.4 package. If you installed a different kernel-image package after installation, you should install the corresponding 2.4.18-1 kernel. You may use the table below as a guide.

| If "uname -r" shows: | Install this package:           |
| 2.4.18-bf2.4         | kernel-image-2.4.18-bf2.4       |
| 2.4.18-386           | kernel-image-2.4.18-1-386       |
| 2.4.18-586tsc        | kernel-image-2.4.18-1-586tsc    |
| 2.4.18-686           | kernel-image-2.4.18-1-686       |
| 2.4.18-686-smp       | kernel-image-2.4.18-1-686-smp   |
| 2.4.18-k6            | kernel-image-2.4.18-1-k6        |
| 2.4.18-k7            | kernel-image-2.4.18-1-k7        |

NOTE: this kernel is not binary compatible with the previous version. For this reason, the kernel has a different version number and will not be installed automatically as part of the normal upgrade process. Any custom modules will need to be rebuilt in order to work with the new kernel.


Notice a lot of the 'affectants' are on Linux operating systems :)

I installed RedHat 9.0 on one of the computers, and they have something similar to Windows Update now; it has an icon that checks for updates, and besides that, it sends the notification by email, so I'm getting notified by email about different critical updates almost every day!!!

And people say they are sick of Windows Update :rolleyes:


From my experience, I have found Windows and Linux just as exploitable as each other. A mate had a WinXP box and a Linux box and I was able to exploit one of these as easily as the other. They aren't very secure: as long as an attacker knows what he/she is doing, they can exploit either Linux or Windows with ease.


Sphera Hosting Director Control Panel Multiple Vulnerabilities: XSS-Session Hijacking-DoS/Buffer Overflow-Another User Accounts access

Versions:

VULNERABLE

- 3.x

- 2.x

- 1.x

HostingDirector comprises three fundamental components that are integrated to provide rich offerings, maximum control for resellers and site owners, and easy, centralized administration of shared and dedicated environments running on Linux and Microsoft Windows®.

SECURITY HOLES FOUND and PROOFS OF CONCEPT:

-----------------------------------------

----------------
| XSS in LOGIN |
----------------

I encountered XSS (Cross Site Scripting) vulnerabilities in SPHERA's product called Hosting Director, located in the vds (user of hosting plans) control panel.

The problems, I think, are related to form tag closing by URL code injection and the input validation system (there isn't any). In addition the success_msg variable (in internal scripts) is vulnerable to XSS too.

With this you can insert HTML and script code by URL command passing like this:

_______________________
XSS IN THE LOGIN FORM:
-----------------------

http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?uid=">[XSS ATTACK CODE]

http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?error=">[XSS ATTACK CODE]

http://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?error=[XSS ATTACK CODE COMBINED WITH ANOTHER VARIABLE TO EMULATE A REAL ERROR LIKE "EITHER PASSWORD OR USER ARE INCORRECT, RE-FILL IN" TO STEAL THE USER DATA]

http://[TARGET]/[INSTALLATION PATH]/login/login_screen.php?vds_ip=[VDS DOMAIN OR IP]&uid=">[XSS ATTACK CODE]&tz=[TIMEZONE CODE, TRY CEST]&vds_server_ip=">[XSS ATTACK CODE]

--------------
| SAMPLES |
--------------

https://[TARGET]/[INSTALLATION PATH]/login/login_screen.php?vds_ip=[VDS DOMAIN OR IP]&uid=">here%20comes%20your%20attack&tz=CEST&vds_server_ip=">Here%20comes%20your%20XSS%20Attack&error=Either+user+or+password+are+incorrect+,+please+re-fill+in+.

https://[TARGET]/[INSTALLATION PATH]/login/sm_login_screen.php?uid=">XSS%20!

------------------
| COMMUNICATIONS |
| ENCRYPTION |
------------------

Sphera uses an "insecure" communications data encryption (DES (16)). DES is a not very secure algorithm (I think).

In addition the control panel scripts don't check if you are using the https protocol and allow you to use plain http connections on port 80 (without SSL).

----------------
| SESSION |
| HIJACKING |
----------------

This is a very interesting thing in the Sphera Hosting Director VDS Control Panel: if you don't close a session in the control panel, the session is saved all the time that you use the cookie, and the system doesn't close the session if you don't close it with the control panel!

This can be a big security problem if an attacker generates a session id randomizing profile. I explain it:

if the first session id that you received is this:

xx01xx01xxX

and the next session id is..

xx01xx02Xxx

The first session id only differs in two parts from the second session; this indicates poor session id randomizing...

The attacker can generate a profile analyzing the random session generation and make an algorithm or script to make valid sessions. This can be used to enter the system only changing the USER ID value, and you have access to the system with the USER ID permissions! ;-)

I think of another possibility for generating session id randomizing profiles, like monitoring the use of resources and the stack blocks, but this is very difficult for remote users.

The remote method is not very easy but very possible.

--------------------
| BUFFER OVERFLOW |
| AND DoS |
-------------------

I found some possible buffer overflows and Denial of Service attacks. Some php files used by the vds control panel environment can conduct denial of service attacks to the installation server. Other php files can conduct stack attacks by url-based variable hacking and command injection.

You can enter some crafted urls spoofing the variables and your referer to make actions in other user accounts.

-
Some Proof of Concepts
-

http://[TARGET]/[INSTALLATION PATH]/dev/VDS/submitted.php is a globally used Sphera Control Panel php file, and this file can be used to conduct DoS and Buffer Overflow attacks to the [TARGET] server with Sphera VDS Control Panel installed in [INSTALLATION PATH]. I tell you some samples:

Make a connection in POST mode and request this:

http://[TARGET]/[INSTALLATION PATH]/dev/VDS/submitted.php?[TARGET USER]\activeservices\http||watchdog_running=[false]&restart_vds=on&success_msg=Remote USER VDS restarted trough this kind of attack

I think that the system checks your referer to authenticate the request, but you can spoof it easily.

With this kind of attack you can make actions in other users' hosting accounts like password changing, virtual server restarting, watchdog deactivating and other features ;-)


SuSE Security Announcement: radiusd-cistron (SuSE-SA:2003:030)

SuSE Security Announcement

Package: radiusd-cistron

Announcement-ID: SuSE-SA:2003:030

Date: Friday, Jun 13th 2003 09:32 MET

Affected products: 7.2, 7.3, 8.0

Vulnerability Type: possible remote system compromise

SuSE default package: no

Cross References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196063

Content of this advisory:

1) security vulnerability resolved: handling too large NAS numbers
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
   - lprng
   - frox
   - poster
   - ghostscript-library
3) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

The package radiusd-cistron is an implementation of the RADIUS protocol. Unfortunately the RADIUS server does not handle too large NAS numbers correctly. This leads to overwriting internal memory of the server process and may be abused to gain remote access to the system the RADIUS server is running on.

There is no temporary workaround known.

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update.

Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.

Please note, missing packages will be published as soon as possible.


______________________________________________________________________________

2) Pending vulnerabilities in SuSE Distributions and Workarounds:

- lprng

A race condition in psbanner was fixed that can be abused by local users to overwrite files owned by daemon:lp. New packages are available on our FTP servers.

- frox

The init script of frox handled tmp files in an insecure manner. This behavior can be exploited by local users. New packages are available on our FTP servers.

- poster

A possible buffer overflow due to usage of gets() was fixed which could have been exploited by malicious input data to execute code under the user id of the user running poster. New packages are available on our FTP servers.

- ghostscript-library

Malicious PostScript[tm] files could execute shell commands even if the ghostscript interpreter was invoked with the -dSAFER flag.

______________________________________________________________________________

3) standard appendix: authenticity verification, additional information

- Package authenticity verification:

SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package:

1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.

1) execute the command

md5sum <file>

after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package.

We recommend against subscribing to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software.

Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless.

2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command

rpm -v --checksig <file>

to verify the signature of the package, where <file> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file.

Prerequisites:

a) gpg is installed

b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the home directory of the user who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root):

gpg --batch; gpg < announcement.txt | gpg --import

SuSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .

- SuSE runs two security mailing lists to which any interested party may subscribe:

suse-security@suse.com
- general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe@suse.com>.

suse-security-announce@suse.com
- SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe@suse.com>.
