Red hat linux 7.2 enigma


Red Hat Denies Security Flaw in 'Enigma' - Red Hat Linux version 7.2




Red Hat downplayed a security expert's report today of potential security problems with the latest release of its popular operating system software.

The company confirmed that two files distributed with Red Hat Linux 7.2 lack digital signatures used for determining their authenticity. But Red Hat does not consider the issue a security threat, according to Marty Wesley, operating system product manager for Red Hat. "Security should always be an important concern, but this is not a security problem," said Wesley.

Red Hat Linux version 7.2, also known by its code name, "Enigma," was released to the public Monday.

While Red Hat Linux can be purchased from the vendor on CD-ROM, many users download the software for free from the company's Web site or from numerous mirror sites around the world.

To enable users to verify that downloaded files were not tampered with, Red Hat uses an authentication technology known as GnuPG to sign the various files or "packages" that comprise its distribution of Linux.

In an advisory published today on the VulnWatch security mailing list, Kurt Seifried said Red Hat Linux 7.2 lacked signatures on two packages, rpmdb-redhat and redhat-release.

All of the files in the operating system's previous release, Red Hat Linux 7.1, were correctly signed with the Red Hat GnuPG security key, according to Seifried, the author of an online book entitled "Linux Administrator's Security Guide."

Without such signatures, "it becomes trivial for an attacker to replace packages on a distribution site with no one being able to easily verify that they have been subverted," said Seifried's advisory.
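The check at issue here can be automated. The following script is an added example, not part of the Newsbytes report or Seifried's advisory: it classifies the summary lines printed by `rpm -K` (`rpm --checksig`) so that packages without a verified signature stand out. The summary-line formats, the sample lines, the version strings and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag packages whose `rpm -K` summary shows no verified signature.
# Assumption: summary lines look like "<file>: md5 gpg OK" (older rpm) or
# "<file>: digests signatures OK" (newer rpm); confirm against your rpm version.

# classify_checksig LINE -> prints SIGNED, UNSIGNED or FAILED
classify_checksig() {
    result=${1#*: }                     # strip the "<file>: " prefix
    case $result in
        *"NOT OK"*) echo FAILED; return ;;   # bad digest, bad or unverifiable signature
        *OK) ;;                              # all listed checks passed
        *) echo FAILED; return ;;            # unrecognised output: treat as failure
    esac
    # A verified signature appears as a lowercase signature keyword.
    for word in $result; do
        case $word in
            gpg|pgp|rsa|dsa|signatures) echo SIGNED; return ;;
        esac
    done
    echo UNSIGNED                       # only digests were checked
}

# list_unverified: read `rpm -K` output on stdin and print "<status> <file>"
# for every package that is not SIGNED.
list_unverified() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        status=$(classify_checksig "$line")
        [ "$status" = SIGNED ] || echo "$status ${line%%: *}"
    done
}

# Constructed sample output, not captured from a real mirror. Package names
# other than the two from the advisory, and all X.Y versions, are placeholders.
sample_output() {
    cat <<'EOF'
kernel-X.Y.rpm: md5 gpg OK
rpmdb-redhat-X.Y.rpm: md5 OK
redhat-release-X.Y.rpm: md5 OK
glibc-X.Y.rpm: md5 GPG NOT OK
EOF
}

# Real use (path is a placeholder): rpm -K /path/to/RPMS/*.rpm | list_unverified
sample_output | list_unverified
```

A package reported as UNSIGNED passed only its digest check, which detects corruption but says nothing about who produced the file.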

Preston Brown, director of Linux engineering for Red Hat, said the software firm doesn't digitally sign the two packages because the firm doesn't consider it necessary.

The two Red Hat 7.2 files without signatures could not be used by attackers to create any serious mischief, according to Wesley. He noted that rpmdb-redhat is a database listing of files included with the Red Hat distribution.

"The worst any attacker could do is change the information in the database so that every time a customer performed an inquiry it replied with an erroneous message," said Wesley.

The second package, redhat-release, identifies the system version when the user logs in.

If that package were modified by an attacker, the "worst case" according to Wesley would be that the user would not be able to access the software firm's Red Hat Network, which depends on the file.

While it's unlikely that anyone would tamper with software distribution sites, Preston said that security-conscious users should acquire the software on shrink-wrapped CD-ROMs or from special files known as ISO images from Red Hat's site and official mirrors.

"People shouldn't get software from sources they don't trust. If you just find a random FTP site somewhere and grab a package out of a Red Hat tree, you're on your own," he said.

In a chapter of Seifried's security guide that deals with installing Linux, Seifried warned that acquiring the operating system from an untrusted source "could potentially end up with an installation that has backdoors or other security issues."

Seifried's advisory on Red Hat Linux 7.2 is archived here: http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0019.html

The "Linux Administrator's Security Guide" is online at http://www.seifried.org/lasg/ .

Reported by Newsbytes, http://www.newsbytes.com .

15:51 CST Reposted 16:01 CST

(20011023/WIRES ONLINE, LEGAL, BUSINESS/LINUX/PHOTO)

COPYRIGHT 2001 Newsbytes News Network
COPYRIGHT 2001 Gale Group
