Security Portal: Weekly Linux Security Digest 2001/03/19 to 2001/03/25
Mar 26, 2001, 09:31
(Other stories by Kurt Seifried)
"A rather momentous week. Ben De Rydt brought something to my attention, and I wrote a security advisory about it. If you have automatic key download enabled in GnuPG or PGP, all an attacker needs to do is send you an rpm file. When you verify it, the key will be downloaded and installed, the rpm file will verify OK, and most admins will then install it. If you do not have automatic key download enabled, the attacker will need to get you to install the key first. Considering that this week TurboLinux sent out a self-signed key twice, it would not be hard to trick users into installing a new key. Also, a traffic analysis vulnerability was announced in SSH. I suggest you read the advisory on it, as it is quite educational."
"We lead off with general advisories and exploit code, then move to vendor advisories. Most items appear in alphabetical order. If we're missing a Linux vendor's advisory, please tell us - ditto for any Linux-related security alerts. The long strings of hex in front of package names are MD5 signatures."
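The automatic key download issue described above boils down to one verification mistake: treating GnuPG's "Good signature" as proof of origin, when a fetched attacker key makes the signature "good" too. The following is an added example, not code from the digest or from GnuPG, that parses the machine-readable `--status-fd` output of `gpg --verify` and accepts a signature only if the signing key's fingerprint is on a pinned allowlist; the fingerprints and status transcripts are constructed placeholders.

```python
import re

# Constructed placeholder: the pinned primary-key fingerprint of the
# vendor's signing key. Not a real vendor key.
TRUSTED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
}

def parse_status(status_text):
    """Map each '[GNUPG:] KEYWORD args...' line to its argument list.
    A repeated keyword (several signatures) keeps the last occurrence."""
    result = {}
    for line in status_text.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)(?: (.*))?$", line)
        if m:
            result[m.group(1)] = (m.group(2) or "").split()
    return result

def signature_is_trusted(status_text, trusted=TRUSTED_FINGERPRINTS):
    """True only if the signature is good AND was made by a pinned key.
    GOODSIG alone is not enough: with auto-key-retrieve, any key that
    happens to verify the file is fetched and reported as GOODSIG.
    VALIDSIG fields: sig_fpr date timestamp expire_ts version reserved
    pk_algo hash_algo class primary_key_fpr (older GnuPG omits the last)."""
    st = parse_status(status_text)
    if "GOODSIG" not in st or "VALIDSIG" not in st:
        return False
    args = st["VALIDSIG"]
    primary_fpr = args[9] if len(args) >= 10 else args[0]
    return primary_fpr.upper() in trusted

# Constructed status output: signature by the pinned vendor key.
GOOD_CASE = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Vendor Security <security@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2001-03-20 985046400 0 4 0 17 2 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 classic
"""

# Constructed status output: a look-alike key auto-fetched from a keyserver.
# gpg still reports GOODSIG because the signature matches the fetched key,
# so only the fingerprint check rejects it.
IMPOSTOR_CASE = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Vendor Security <security@example.com>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2001-03-20 985046400 0 4 0 17 2 01 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 classic
"""
```

In practice the status text comes from running `gpg --status-fd 1 --verify` on the detached signature (or from rpm's own verification output), and the pinned fingerprints are obtained from the vendor out of band rather than from a keyserver.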