Message-ID: <200310202008.59077.security-announce@turbolinux.co.jp>
From: security-announce at turbolinux.co.jp (Turbolinux)
Subject: [TURBOLINUX SECURITY INFO] 20/Oct/2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is an announcement only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 20/Oct/2003
============================================================
The following page contains the security information of Turbolinux Inc.
- Turbolinux Security Center
http://www.turbolinux.com/security/
(1) kernel -> Multiple vulnerabilities in kernel
(2) kdebase -> Two issues have been discovered in KDM
===========================================================
* kernel -> Multiple vulnerabilities in kernel
===========================================================
More information :
The kernel package contains the Linux kernel (vmlinuz), the core of your Linux operating system.
The kernel handles the basic functions of the operating system.
- /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links,
which could allow local users to obtain potentially sensitive information such as
the length of passwords.
- A race condition in the way env_start and env_end pointers are initialized in the execve
system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause
a denial of service (crash).
- The STP protocol implementation does not properly verify certain lengths,
which could allow attackers to cause a denial of service.
Impact :
These vulnerabilities allow an attacker to cause a denial of service of the
kernel and to obtain sensitive information from your system.
Affected Products :
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
Solution :
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
# turbopkg
or
# zabom update kernel kernel-BOOT kernel-doc kernel-headers kernel-pcmcia-cs kernel-smp kernel-smp64G kernel-source
---------------------------------------------
<Turbolinux 8 Server>
Source Packages
Size : MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/kernel-2.4.18-14.src.rpm
41830023 9765a2ec6220266e8b2700b93459670b
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kernel-2.4.18-14.i586.rpm
14058234 82db3c20c79b9f0ef84eba74f4ec7b77
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kernel-BOOT-2.4.18-14.i586.rpm
7089082 08b378fdfe39bea52f3a6d1adeaa6064
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kernel-doc-2.4.18-14.i586.rpm
1456572 6777d197a1914eada0d4896da311a343
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kernel-headers-2.4.18-14.i586.rpm
1815315 89ecfca39f5887e447acd37a017e3396
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kernel-pcmcia-cs-2.4.18-14.i586.rpm
328971 a72ece851b562ae62d123416c0ff676e
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kernel-smp-2.4.18-14.i586.rpm
14541620 38b18536f9f3bf8d16aa67f97a8a88c7
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kernel-smp64G-2.4.18-14.i586.rpm
14529456 297bff4f2d3bd19d5c9e2f2e1045d302
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kernel-source-2.4.18-14.i586.rpm
26614965 cea03467b12fe632b16a9cd4dc8f24ad
<Turbolinux 8 Workstation>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/kernel-2.4.18-14.src.rpm
41830023 9765a2ec6220266e8b2700b93459670b
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kernel-2.4.18-14.i586.rpm
14058234 82db3c20c79b9f0ef84eba74f4ec7b77
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kernel-BOOT-2.4.18-14.i586.rpm
7089082 08b378fdfe39bea52f3a6d1adeaa6064
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kernel-doc-2.4.18-14.i586.rpm
1456572 6777d197a1914eada0d4896da311a343
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kernel-headers-2.4.18-14.i586.rpm
1815315 89ecfca39f5887e447acd37a017e3396
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kernel-pcmcia-cs-2.4.18-14.i586.rpm
328971 a72ece851b562ae62d123416c0ff676e
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kernel-smp-2.4.18-14.i586.rpm
14541620 38b18536f9f3bf8d16aa67f97a8a88c7
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kernel-smp64G-2.4.18-14.i586.rpm
14529456 297bff4f2d3bd19d5c9e2f2e1045d302
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kernel-source-2.4.18-14.i586.rpm
26614965 cea03467b12fe632b16a9cd4dc8f24ad
<Turbolinux 7 Server>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/kernel-2.4.18-14.src.rpm
41830023 9765a2ec6220266e8b2700b93459670b
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kernel-2.4.18-14.i586.rpm
14058234 82db3c20c79b9f0ef84eba74f4ec7b77
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kernel-BOOT-2.4.18-14.i586.rpm
7089082 08b378fdfe39bea52f3a6d1adeaa6064
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kernel-doc-2.4.18-14.i586.rpm
1456572 6777d197a1914eada0d4896da311a343
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kernel-headers-2.4.18-14.i586.rpm
1815315 89ecfca39f5887e447acd37a017e3396
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kernel-pcmcia-cs-2.4.18-14.i586.rpm
328971 a72ece851b562ae62d123416c0ff676e
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kernel-smp-2.4.18-14.i586.rpm
14541620 38b18536f9f3bf8d16aa67f97a8a88c7
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kernel-smp64G-2.4.18-14.i586.rpm
14529456 297bff4f2d3bd19d5c9e2f2e1045d302
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kernel-source-2.4.18-14.i586.rpm
26614965 cea03467b12fe632b16a9cd4dc8f24ad
<Turbolinux 7 Workstation>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/kernel-2.4.18-14.src.rpm
41830023 9765a2ec6220266e8b2700b93459670b
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kernel-2.4.18-14.i586.rpm
14058234 82db3c20c79b9f0ef84eba74f4ec7b77
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kernel-BOOT-2.4.18-14.i586.rpm
7089082 08b378fdfe39bea52f3a6d1adeaa6064
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kernel-doc-2.4.18-14.i586.rpm
1456572 6777d197a1914eada0d4896da311a343
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kernel-headers-2.4.18-14.i586.rpm
1815315 89ecfca39f5887e447acd37a017e3396
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kernel-pcmcia-cs-2.4.18-14.i586.rpm
328971 a72ece851b562ae62d123416c0ff676e
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kernel-smp-2.4.18-14.i586.rpm
14541620 38b18536f9f3bf8d16aa67f97a8a88c7
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kernel-smp64G-2.4.18-14.i586.rpm
14529456 297bff4f2d3bd19d5c9e2f2e1045d302
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kernel-source-2.4.18-14.i586.rpm
26614965 cea03467b12fe632b16a9cd4dc8f24ad
Notice : You have to reboot your system after this update is finished.
Enhancement :
updated acpi-thermal-40,i2c-2.8.0 drivers
added qla2xxx drivers
References :
CVE
[CAN-2003-0461]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0461
[CAN-2003-0462]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0462
[CAN-2003-0551]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0551
Turbolinux Security Advisory
[TLSA-2003-41]
http://www.turbolinux.com/security/TLSA-2003-41.txt
--------------------------------------------------------------------------
Revision History
20 Oct 2003 Initial release
--------------------------------------------------------------------------
===========================================================
* kdebase -> Two issues have been discovered in KDM
===========================================================
More information :
Privilege escalation with specific PAM modules.
Session cookies generated by KDM are potentially insecure.
Impact :
Local users may be able to gain root privileges.
The weak cookie generation may allow unauthorized users to guess the session cookie by
a brute-force attack.
Affected Products :
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
Solution :
Please use the turbopkg tool to apply the update.
<Turbolinux 8 Server>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/kdebase-2.2.2-16.src.rpm
13104557 af04ccdf4ccf9720df849613b7c20866
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kdebase-2.2.2-16.i586.rpm
16158716 f5e1c81fd4ead3e1bf05f66569b3114e
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kdebase-devel-2.2.2-16.i586.rpm
54350 f61ce9b68c463465ae5846f68879a24e
<Turbolinux 8 Workstation>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/kdebase-2.2.2-16.src.rpm
13104557 ec056e9910b8715a716bce2a4596fe07
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kdebase-2.2.2-16.i586.rpm
16157388 79f26858cec0b67cb83097baf35f7ea0
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kdebase-devel-2.2.2-16.i586.rpm
54264 0687ccf6695c7f0c79cfcbb709e90506
<Turbolinux 7 Server>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/kdebase-2.2.2-16.src.rpm
13104557 75b7decef759e4cd9682c40f1e439bc2
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kdebase-2.2.2-16.i586.rpm
15775946 917d992f65ac098ce3cc785650c83655
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kdebase-devel-2.2.2-16.i586.rpm
54281 7dada55383a049a4fd6c845a5013e7ea
<Turbolinux 7 Workstation>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/kdebase-2.2.2-16.src.rpm
13104557 b2912df0daf619ae9277cb9305a64896
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kdebase-2.2.2-16.i586.rpm
15761012 c99d88aa9a2a5a2c6915986c3c2ba9d0
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kdebase-devel-2.2.2-16.i586.rpm
54299 5f9a84f714168c3b846eca52328ef5e0
References :
KDE Security Advisory
http://www.kde.org/info/security/advisory-20030916-1.txt
CVE
[CAN-2003-0690]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0690
[CAN-2003-0692]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0692
--------------------------------------------------------------------------
Revision History
20 Oct 2003 Initial release
--------------------------------------------------------------------------
* You may need to update the turbopkg tool before applying the update.
Please refer to the following URL for detailed information.
http://www.turbolinux.com/download/zabom.html
http://www.turbolinux.com/download/zabomupdate.html
Package Update Path
http://www.turbolinux.com/update
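A check for packages fetched by hand rather than through turbopkg, added here as an example and not part of the Turbolinux announcement: it parses the "Size : MD5" lists above and compares a downloaded file against the entry for its exact URL, because the same file name (kdebase-2.2.2-16.src.rpm) carries a different MD5 for each product. The function names, the mirror.example URLs and the file contents are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

# One entry in the advisory layout: a package URL line, then "size md5".
ENTRY = re.compile(
    r"^(ftp://\S+\.rpm)[ \t]*\n[ \t]*(\d+)[ \t]+([0-9a-f]{32})[ \t]*$", re.M)

def parse_manifest(text):
    """Return {url: (size, md5)}. Keyed by full URL, not file name, because
    one file name can have different checksums per product directory."""
    manifest = {}
    for url, size, md5 in ENTRY.findall(text):
        entry = (int(size), md5)
        if manifest.setdefault(url, entry) != entry:
            raise ValueError(f"conflicting entries for {url}")
    return manifest

def verify(path, url, manifest):
    """Return 'ok', 'unlisted', 'size-mismatch' or 'md5-mismatch'."""
    if url not in manifest:
        return "unlisted"
    size, md5 = manifest[url]
    if os.path.getsize(path) != size:   # cheap check before hashing
        return "size-mismatch"
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return "ok" if digest.hexdigest() == md5 else "md5-mismatch"

def demo():
    """Constructed data: one file name, two products, same size, different bytes."""
    server, workstation = b"constructed server build", b"constructed Server build"
    urls = ["ftp://mirror.example/Server/8/pkg-1.0-1.src.rpm",
            "ftp://mirror.example/Workstation/8/pkg-1.0-1.src.rpm"]
    text = "Size : MD5\n" + "".join(
        f"{u}\n{len(d)} {hashlib.md5(d).hexdigest()}\n"
        for u, d in zip(urls, (server, workstation)))
    manifest = parse_manifest(text)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pkg-1.0-1.src.rpm")
        with open(path, "wb") as fh:
            fh.write(server)            # the Server build was downloaded
        return [verify(path, u, manifest) for u in urls]

if __name__ == "__main__":
    print(demo())
```

The manifest text should be taken from the announcement only after its PGP signature has been checked, since the checksums are no more trustworthy than the message that carries them.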
============================================================
* To obtain the public key
Here is the public key
http://www.turbolinux.com/security/
* To unsubscribe from the list
If you ever want to remove yourself from this mailing list,
you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the word `unsubscribe' in the body (don't include the quotes).
unsubscribe
* To change your email address
If you ever want to change your email address on this mailing list,
you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the following command in the message body:
chaddr 'old address' 'new address'
If you have any questions or problems, please contact
<supp_info@...bolinux.co.jp>
Thank you!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/k8I/K0LzjOqIJMwRAgbbAJ4ktFX4Mf6X0FI9iJRdgGxOBa22UACfZf3n
M0I82Zo5SE27kaDhxDf8xYI=
=KsVL
-----END PGP SIGNATURE-----