Message-ID: <200312171549.50244.security-announce@turbolinux.co.jp>
From: security-announce at turbolinux.co.jp (Turbolinux)
Subject: [TURBOLINUX SECURITY INFO] 17/Dec/2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is an announcement-only mailing list for the x86 architecture.
============================================================
Turbolinux Security Announcement 17/Dec/2003
============================================================
Turbolinux Inc. publishes its security information at the following page.
- Turbolinux Security Center
http://www.turbolinux.com/security/
(1) gnupg -> GnuPG's ElGamal signing keys compromised
(2) cvs -> CVS server can be made to create files and directories in the filesystem root directory
===========================================================
* gnupg -> GnuPG's ElGamal signing keys compromised
===========================================================
More information :
GnuPG is a complete and free replacement for PGP. Because it does not
use the patented IDEA or RSA algorithms, it can be used without patent
restrictions. GnuPG complies with the OpenPGP specification (RFC 2440).
Phong Nguyen identified a severe bug in the way GnuPG creates and uses
ElGamal keys for signing. This is a significant security failure which
can lead to a compromise of almost all ElGamal keys used for signing.
Note that this is a real-world vulnerability: a single signature made
with such a key reveals the private key within a few seconds. Only
ElGamal "sign and encrypt" keys (OpenPGP public-key algorithm 20) are
affected; ElGamal encryption-only subkeys (algorithm 16) and DSA or RSA
keys are not.
Impact :
This vulnerability may allow an attacker who obtains one signature made
with an ElGamal signing key to recover the corresponding private key.
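The check a key holder needs after reading the above is which keys in the local keyring actually carry ElGamal sign+encrypt material. The following is an added example, not code from this advisory or from GnuPG. It parses the colon-delimited output of `gpg --list-keys --with-colons` and `gpg --list-secret-keys --with-colons`, whose field layout is GnuPG's and whose algorithm numbers come from RFC 2440; the key IDs and user IDs in the embedded sample listing are constructed for the example.

```python
"""Find OpenPGP keys with ElGamal material that can make signatures.

Added example, not code from the Turbolinux advisory or from GnuPG. It parses
the machine-readable listing produced by

    gpg --list-keys --with-colons
    gpg --list-secret-keys --with-colons

In every pub/sub/sec/ssb record, field 4 is the public-key algorithm number
defined by RFC 2440:
    1  RSA (sign and encrypt)
    16 ElGamal, encrypt only      -> not affected by this advisory
    17 DSA
    20 ElGamal, sign and encrypt  -> affected: one signature reveals the key
Only algorithm 20 is reported; ElGamal encryption subkeys are left alone.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

ELGAMAL_SIGN_ENCRYPT = 20
KEY_RECORDS = {"pub", "sec", "sub", "ssb"}


@dataclass(frozen=True)
class Finding:
    record: str        # pub / sub / sec / ssb
    keyid: str         # key ID of the affected key or subkey
    bits: int
    primary: str       # key ID of the primary key it belongs to
    secret: bool       # True when the private part is in the local keyring


def find_elgamal_signing_keys(colon_output: str) -> List[Finding]:
    """Return one Finding per ElGamal sign+encrypt key or subkey in the listing."""
    findings: List[Finding] = []
    primary: Optional[str] = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        record = fields[0]
        if record not in KEY_RECORDS or len(fields) < 5:
            continue                      # tru/uid/sig/fpr records carry no key algorithm
        try:
            bits, algo = int(fields[2]), int(fields[3])
        except ValueError:
            continue                      # malformed record; skip it
        keyid = fields[4]
        if record in ("pub", "sec"):
            primary = keyid               # following sub/ssb records belong to this key
        if algo == ELGAMAL_SIGN_ENCRYPT:
            findings.append(Finding(record, keyid, bits, primary or keyid,
                                    record in ("sec", "ssb")))
    return findings


def audit_local_keyring() -> List[Finding]:
    """Run gpg for the public and secret keyrings and combine the results."""
    out: List[Finding] = []
    for listing in ("--list-keys", "--list-secret-keys"):
        proc = subprocess.run(["gpg", listing, "--with-colons"],
                              capture_output=True, text=True, check=True)
        out.extend(find_elgamal_signing_keys(proc.stdout))
    return out


# Constructed sample listing (key IDs and user IDs are made up for this example).
# Alice: DSA primary + ElGamal encrypt-only subkey   -> clean
# Bob:   ElGamal sign+encrypt primary key            -> affected
# Carol: DSA primary + ElGamal sign+encrypt subkey   -> affected subkey
SAMPLE_LISTING = """\
tru::1:1071600000:0:3:1:5
pub:u:1024:17:A1A1A1A1A1A1A1A1:2002-01-15:::u:Alice Example <alice@example.org>::scESC:
sub:u:2048:16:B2B2B2B2B2B2B2B2:2002-01-15::::::e:
pub:u:1024:20:C3C3C3C3C3C3C3C3:2001-06-02:::u:Bob Example <bob@example.org>::scESC:
pub:u:1024:17:D4D4D4D4D4D4D4D4:2003-03-03:::u:Carol Example <carol@example.org>::scESC:
sub:u:1024:20:E5E5E5E5E5E5E5E5:2003-03-03::::::se:
"""

if __name__ == "__main__":
    for f in find_elgamal_signing_keys(SAMPLE_LISTING):
        kind = "secret" if f.secret else "public"
        print(f"{f.record} {f.keyid} ({f.bits}-bit ElGamal sign+encrypt, {kind}) "
              f"under primary key {f.primary}: revoke and replace")
```

Run it against a real keyring with `audit_local_keyring()`. A key or subkey it reports should be revoked and replaced, not merely left unused: by the advisory's own account, any signature already made with it may have revealed the private key, so updating the gnupg package alone does not undo that exposure. Encryption-only ElGamal subkeys (algorithm 16) are deliberately reported as clean; they are not covered by this advisory.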
Affected Products :
- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
- Turbolinux Server 6.5
- Turbolinux Server 6.1
- Turbolinux Workstation 6.0
Solution :
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
# turbopkg
or, with zabom-1.x:
# zabom update gnupg
or, with zabom-2.x:
# zabom -u gnupg
---------------------------------------------
<Turbolinux 10 Desktop>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/gnupg-1.2.3-2.src.rpm
3314781 4996b1e2267642d2d69d4f514cf4cad7
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/gnupg-1.2.3-2.i586.rpm
1129596 5fd712d1411be94acc23d49f24048df7
<Turbolinux 8 Server>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/gnupg-1.0.7-4.src.rpm
2409951 59104e12eb97ac80f0a4c9d842dfdc20
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/gnupg-1.0.7-4.i586.rpm
885453 72a565e99ff48f8756144b8966432d8e
<Turbolinux 8 Workstation>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/gnupg-1.0.7-4.src.rpm
2409951 883d8e4123edbdfc87be8cd31e58e22b
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/gnupg-1.0.7-4.i586.rpm
884696 6299e615d670554116f03a57a77534f9
<Turbolinux 7 Server>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/gnupg-1.0.7-4.src.rpm
2409951 174e7eadc938bf7deccb56deba74588d
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/gnupg-1.0.7-4.i586.rpm
863174 eb706737ef71616bbd5e6bc5bc73a8c0
<Turbolinux 7 Workstation>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/gnupg-1.0.7-4.src.rpm
2409951 cde1432e30a483ddffcbde6d61a5d0cf
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/gnupg-1.0.7-4.i586.rpm
862981 82bd0c1c5890c1fea6a7b18fe508320d
<Turbolinux Server 6.5>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/SRPMS/gnupg-1.0.7-4.src.rpm
2409951 69e46577d72aed27f3c795647a53bb9b
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/gnupg-1.0.7-4.i386.rpm
1170666 447865f5363d62abf8e5c6d8570fdb0e
<Turbolinux Server 6.1>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/SRPMS/gnupg-1.0.7-4.src.rpm
2409951 2fb777b54219241b3a33c6a819bc9ca7
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/gnupg-1.0.7-4.i386.rpm
1170653 c893158b981769a827df840decf771f1
<Turbolinux Workstation 6.0>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/gnupg-1.0.7-4.src.rpm
2409951 62b1e2c02457959368139e9d4ec3275e
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/gnupg-1.0.7-4.i386.rpm
1166583 79095cf116744d1da99fbf2607134bd9
References :
[Announce] GnuPG's ElGamal signing keys compromised
http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html
CVE
[CAN-2003-0971]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0971
===========================================================
* cvs -> CVS server can be made to create files and directories in the filesystem root directory
===========================================================
More information :
CVS is a front end to the rcs(1) revision control system which extends
the notion of revision control from a collection of files in a single
directory to a hierarchical collection of directories consisting of
revision controlled files.
A remote user can submit a specially crafted, malformed module request
that may cause the CVS server to attempt to create directories, and
possibly files, at the root of the filesystem on which the CVS
repository is located.
Impact :
This vulnerability may allow a remote attacker to cause the CVS server
to create directories and files in the filesystem root directory.
Affected Products :
- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
- Turbolinux Server 6.5
- Turbolinux Advanced Server 6
- Turbolinux Server 6.1
- Turbolinux Workstation 6.0
Solution :
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
# turbopkg
or, with zabom-1.x:
# zabom update cvs
or, with zabom-2.x:
# zabom -u cvs
---------------------------------------------
<Turbolinux 10 Desktop>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 be972c16222d933a1a15cb1383627681
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/cvs-1.12.4-1.i586.rpm
1003284 ac7eb63b400fa0ab405c1cf74ff9489f
<Turbolinux 8 Server>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 f34d17adbe451e3eb9bff68b3caf7d0b
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/cvs-1.12.4-1.i586.rpm
995946 fceb8bb6eb65cb7f44a100d3af6ed42a
<Turbolinux 8 Workstation>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 5a6a21b2a288b67ba714f184a285458c
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/cvs-1.12.4-1.i586.rpm
995877 5df89643e16fefd5183896700642a7e1
<Turbolinux 7 Server>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 42f33ab58a73254fc924ebfa6966b6e7
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/cvs-1.12.4-1.i586.rpm
984262 1038e7fe32ea05e372a7c016b10f9c16
<Turbolinux 7 Workstation>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 9cb3067c409b85b97c36108574f2e82c
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/cvs-1.12.4-1.i586.rpm
984220 77c6b4d0c386d901c121cb29235098bf
<Turbolinux Server 6.5>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 22d46f682d34c68303708c6cb80a57f8
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/cvs-1.12.4-1.i386.rpm
1114584 982395edaaa1de0857408c1578b7e68d
<Turbolinux Advanced Server 6>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 280ae8d29a89e6bac2383b589fda256b
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/cvs-1.12.4-1.i386.rpm
1114630 4ea6455c681420076a03aa4b04b67267
<Turbolinux Server 6.1>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 c6d9e046f5465a5262f75b9a36b74b7b
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/cvs-1.12.4-1.i386.rpm
1114642 6c12eec4de136fea19f79cfca1013f96
<Turbolinux Workstation 6.0>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 99f636ee48c389242f343eddb0469446
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/cvs-1.12.4-1.i386.rpm
1114681 1059f93b6385e3dbb1224912f7947f45
References :
CVE
[CAN-2003-0977]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977
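Both package lists above give, for each file, a URL followed by its byte size and MD5 digest. The following is an added example, not code from the advisory: it parses that layout and checks a directory of downloaded packages against it. The host, file names and digests used in its built-in self-check are constructed (the digest is that of the five bytes b"hello"); the parser itself is exercised on the advisory's real Turbolinux 10 Desktop gnupg entry.

```python
"""Check downloaded update packages against an advisory's size/MD5 list.

Added example, not part of the Turbolinux advisory. It parses the advisory's
own layout (a package URL on one line, "<size> <md5>" on the next) and checks
files in a local directory by byte count and MD5 digest. The MD5 from the
advisory only detects a truncated or corrupted download; it does not by
itself authenticate the package. Authenticity rests on the PGP signature over
the advisory and on the RPM package signature (rpm --checksig <file>).
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Expected:
    url: str
    size: int
    md5: str

    @property
    def filename(self) -> str:
        return self.url.rsplit("/", 1)[-1]


_URL_LINE = re.compile(r"^(?:ftp|https?)://\S+\.rpm$")
_SIZE_MD5_LINE = re.compile(r"^(\d+)\s+([0-9a-fA-F]{32})$")


def parse_advisory(text: str) -> List[Expected]:
    """Collect every URL line that is immediately followed by a '<size> <md5>' line."""
    lines = [ln.strip() for ln in text.splitlines()]
    expected: List[Expected] = []
    for i in range(len(lines) - 1):
        if _URL_LINE.match(lines[i]):
            m = _SIZE_MD5_LINE.match(lines[i + 1])
            if m:
                expected.append(Expected(lines[i], int(m.group(1)), m.group(2).lower()))
    return expected


def md5_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream the file through MD5 so large packages are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_downloads(expected: List[Expected], directory: str) -> Dict[str, str]:
    """Map each expected filename to ok / missing / bad-size / bad-md5.

    The size check runs first: it is free and already catches truncated FTP
    transfers, so MD5 is only computed for files of the right length.
    """
    results: Dict[str, str] = {}
    for item in expected:
        path = os.path.join(directory, item.filename)
        if not os.path.isfile(path):
            results[item.filename] = "missing"
        elif os.path.getsize(path) != item.size:
            results[item.filename] = "bad-size"
        elif md5_of_file(path) != item.md5:
            results[item.filename] = "bad-md5"
        else:
            results[item.filename] = "ok"
    return results


def self_check() -> Dict[str, str]:
    """Exercise the verifier on constructed files in a temporary directory.

    The listing mimics the advisory layout, but the host, the example-*.rpm
    names and the digests are constructed for this demo: the MD5 is that of
    the 5-byte content b"hello". They are not real Turbolinux packages.
    """
    listing = """
    Binary Packages
    Size : MD5
    ftp://ftp.example.test/updates/RPMS/example-good-1.0-1.i586.rpm
    5 5d41402abc4b2a76b9719d911017c592
    ftp://ftp.example.test/updates/RPMS/example-truncated-1.0-1.i586.rpm
    5 5d41402abc4b2a76b9719d911017c592
    ftp://ftp.example.test/updates/RPMS/example-tampered-1.0-1.i586.rpm
    5 5d41402abc4b2a76b9719d911017c592
    ftp://ftp.example.test/updates/RPMS/example-missing-1.0-1.i586.rpm
    5 5d41402abc4b2a76b9719d911017c592
    """
    contents = {
        "example-good-1.0-1.i586.rpm": b"hello",      # matches size and digest
        "example-truncated-1.0-1.i586.rpm": b"hell",  # short download
        "example-tampered-1.0-1.i586.rpm": b"hullo",  # right length, wrong bytes
    }
    with tempfile.TemporaryDirectory() as directory:
        for name, data in contents.items():
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(data)
        return verify_downloads(parse_advisory(listing), directory)


if __name__ == "__main__":
    for name, status in self_check().items():
        print(f"{status:9s} {name}")
```

Save the package section of the advisory to a file, feed its text to `parse_advisory`, and point `verify_downloads` at the download directory. Keep in mind what the MD5 list can and cannot do: it detects a corrupt or incomplete download, but anyone able to alter a package on a mirror could publish a matching digest alongside it, so authenticity comes from the PGP signature on this announcement (verified with the public key referenced at the end of it) and from the RPM signature checked with `rpm --checksig`, not from the digest alone.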
* You may need to update the turbopkg tool before applying the update.
Please refer to the following URLs for detailed information.
http://www.turbolinux.com/download/zabom.html
http://www.turbolinux.com/download/zabomupdate.html
Package Update Path
http://www.turbolinux.com/update
============================================================
* To obtain the public key
The public key used to sign these announcements is available at
http://www.turbolinux.com/security/
* To unsubscribe from the list
If you ever want to remove yourself from this mailing list,
you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the word `unsubscribe' in the body (don't include the quotes).
unsubscribe
* To change your email address
If you ever want to change your email address in this mailing list,
you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the following command in the message body:
chaddr 'old address' 'new address'
If you have any questions or problems, please contact
<supp_info@...bolinux.co.jp>
Thank you!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/3/yGK0LzjOqIJMwRAjhPAJ4otRqgnbViCAu1JRtr0akdBsOIWACeNxWC
CBUw9hFitwWpEOZ/40Bjtbg=
=awNM
-----END PGP SIGNATURE-----