[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200403301829.01411.security-announce@turbolinux.co.jp>
From: security-announce at turbolinux.co.jp (Turbolinux)
Subject: [TURBOLINUX SECURITY INFO] 30/Mar/2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is an announcement only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 30/Mar/2004
============================================================
The following page contains the security information of Turbolinux Inc.
- Turbolinux Security Center
http://www.turbolinux.com/security/
(1) wu-ftpd -> Multiple vulnerabilities in wu-ftpd
(2) openssl -> Multiple vulnerabilities in openssl
===========================================================
* wu-ftpd -> Multiple vulnerabilities in wu-ftpd
===========================================================
More information :
Wu-ftpd is the daemon (background) program which serves FTP files to ftp clients.
- wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled,
allows local users to bypass access restrictions by changing the permissions
to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.
- Buffer overflow in the skey_challenge function in ftpd.c for wu-ftp daemon (wu-ftpd) 2.6.2
allows remote attackers to cause a denial of service and possibly execute arbitrary code
via a s/key (SKEY) request with a long name.
Impact :
The ftp users may be able to read the file which cannot be read.
The vulnerabilities allow an attacker can cause to denial of service of the wu-ftpd.
Affected Products :
- Turbolinux Advanced Server 6
- Turbolinux Server 6.1
- Turbolinux Workstation 6.0
Solution :
Please use turbopkg(zabom) tool to apply the update.
---------------------------------------------
# turbopkg
or
# zabom update wu-ftpd
---------------------------------------------
<Turbolinux Advanced Server 6>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/SRPMS/wu-ftpd-2.6.2-4.src.rpm
368558 68c2ec7979364dd1b3427f72e4338bae
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/wu-ftpd-2.6.2-4.i386.rpm
194109 33571507dd3b3ca040188dad40dafedf
<Turbolinux Server 6.1>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/SRPMS/wu-ftpd-2.6.2-4.src.rpm
368558 bbbfdcf892b2ed521bc8eb2eb97f4ea9
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/wu-ftpd-2.6.2-4.i386.rpm
193965 81165dc3c00f3011791269f86199b6b4
<Turbolinux Workstation 6.0>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/wu-ftpd-2.6.2-4.src.rpm
368558 0a88693eeac7faf5a26c67d89c14e7f2
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/wu-ftpd-2.6.2-4.i386.rpm
193995 73d774853304aa030ae2d6242cb17288
notice : We confirmed that "CAN-2004-0185" does not affect our products.
References :
CVE
[CAN-2004-0148]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0148
[CAN-2004-0185]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0185
===========================================================
* openssl -> Multiple vulnerabilities in openssl
===========================================================
More information :
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade,
full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.
- The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c,
allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake
that causes a null-pointer assignment.
- Certain versions of OpenSSL 0.9.6 allow remote attackers to cause a denial of service (infinite loop),
as demonstrated using the Codenomicon TLS Test Tool.
- The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites,
allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake,
which causes an out-of-bounds read.
Impact :
The vulnerabilities allow an attacker can cause to denial of service of the openssl.
Affected Products :
- Turbolinux Appliance Server 1.0 Hosting Edition
- Turbolinux Appliance Server 1.0 Workgroup Edition
- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
- Turbolinux Server 6.5
- Turbolinux Advanced Server 6
- Turbolinux Server 6.1
- Turbolinux Workstation 6.0
Solution :
Please use turbopkg(zabom) tool to apply the update.
---------------------------------------------
# turbopkg
or
[Turbolinux 10 Desktop]
# zabom -u openssl openssl-compat openssl-devel
[other]
# zabom update openssl openssl-devel
---------------------------------------------
<Turbolinux Appliance Server 1.0 Hosting Edition>
Source Packages
Size : MD5
openssl-0.9.6m-1.src.rpm
2265514 72b075667855cb90a53c325f8eca8e2e
Binary Packages
Size : MD5
openssl-0.9.6m-1.i586.rpm
1369208 bba436fa46e6d003f908151d5fdcd220
openssl-devel-0.9.6m-1.i586.rpm
1156435 9a01f7b30ea969ff1e2e0cb8de624a90
<Turbolinux Appliance Server 1.0 Workgroup Edition>
Source Packages
Size : MD5
openssl-0.9.6m-1.src.rpm
2265514 08266734ac965a26dc6083f9b3fb7542
Binary Packages
Size : MD5
openssl-0.9.6m-1.i586.rpm
1367705 cb90be0ae5ea9756e2d1e1ecc7c0d523
openssl-devel-0.9.6m-1.i586.rpm
1157172 ef5019a72ff65524b529de656223b3ad
<Turbolinux 10 Desktop>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/openssl-0.9.7d-1.src.rpm
2793953 ab0c244579dcea53fa6f5f48505b0b5a
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/openssl-compat-0.9.6m-1.src.rpm
2265321 e03a6f6777dd03c36e31710c8febad77
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/openssl-0.9.7d-1.i586.rpm
1218800 eb84ac4173b36ce151f803cb60eb8bdd
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/openssl-compat-0.9.6m-1.i586.rpm
754120 459d2aab779bcb1f7334806f3da894f6
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/openssl-devel-0.9.7d-1.i586.rpm
1479420 644f6d0e2f0999965417ace5e41853ac
<Turbolinux 8 Server>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/openssl-0.9.6m-1.src.rpm
2265514 dc0389b141a2c78c29d32d250ecb4987
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/openssl-0.9.6m-1.i586.rpm
1367693 aacc89cbc22c431b780366c53003189a
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/openssl-devel-0.9.6m-1.i586.rpm
1157874 707e421ad1b9f223fa822573bf8eb81a
<Turbolinux 8 Workstation>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/openssl-0.9.6m-1.src.rpm
2265514 073e830786e49f88acf8439b0a14b717
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/openssl-0.9.6m-1.i586.rpm
1367591 1d99d917b5f01b61030660045c10f35e
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/openssl-devel-0.9.6m-1.i586.rpm
1158207 8b6cbae3a04ff320e847336c0a23a24e
<Turbolinux 7 Server>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/openssl-0.9.6m-1.src.rpm
2265514 132dabe2c91ab0227ff56b85340dc98c
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/openssl-0.9.6m-1.i586.rpm
1337061 99f13d9b84819eae9025465f77ea6c5a
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/openssl-devel-0.9.6m-1.i586.rpm
1140489 301ef33ceefc4922ca59b84b10250dbe
<Turbolinux 7 Workstation>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/openssl-0.9.6m-1.src.rpm
2265514 4be185ab3a40e0e0982de7cabebaceb0
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/openssl-0.9.6m-1.i586.rpm
1337293 9e51b81ed1a4ac73a43f80c4a78b9a39
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/openssl-devel-0.9.6m-1.i586.rpm
1141285 0a9a7085891aec85f742b2eee1647d29
<Turbolinux Server 6.5>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/SRPMS/openssl-0.9.6m-1.src.rpm
2265514 fb4550e5daa482a1978464e8a1272b3c
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/openssl-0.9.6m-1.i386.rpm
1466724 7e303efabc213f57fe6f3eed50f62ef0
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/openssl-devel-0.9.6m-1.i386.rpm
1273395 557dfc469d06aea2564a9a14a248ea24
<Turbolinux Advanced Server 6>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/SRPMS/openssl-0.9.6m-1.src.rpm
2265514 9b0c792b110e7d2e43ff83d072ea647d
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/openssl-0.9.6m-1.i386.rpm
1466757 9a76ebcb8a5c390fe4880e750bedeeb2
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/openssl-devel-0.9.6m-1.i386.rpm
1273434 680429a3bf0235c7958ee7b9f02ebab5
<Turbolinux Server 6.1>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/SRPMS/openssl-0.9.6m-1.src.rpm
2265514 0a2f1d263ae5bbaeb18f81551743590d
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/openssl-0.9.6m-1.i386.rpm
1466752 c0696ff96729f4218cd588d94033b5c4
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/openssl-devel-0.9.6m-1.i386.rpm
1273499 49af08dd7d0b08fd701d61c4f7f11983
<Turbolinux Workstation 6.0>
Source Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/openssl-0.9.6m-1.src.rpm
2265514 f83b24f5112c3e66c9122af6199e0ac5
Binary Packages
Size : MD5
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/openssl-0.9.6m-1.i386.rpm
1466745 6f982e6da0d92b23139e111e50143e05
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/openssl-devel-0.9.6m-1.i386.rpm
1273391 0dec09ad6bfedccfe0157828d682bb80
Reiferences :
CVE
[CAN-2004-0079]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
[CAN-2004-0081]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081
[CAN-2004-0112]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
* You may need to update the turbopkg tool before applying the update.
Please refer to the following URL for detailed information.
http://www.turbolinux.com/download/zabom.html
http://www.turbolinux.com/download/zabomupdate.html
Package Update Path
http://www.turbolinux.com/update
============================================================
* To obtain the public key
Here is the public key
http://www.turbolinux.com/security/
* To unsubscribe from the list
If you ever want to remove yourself from this mailing list,
you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the word `unsubscribe' in the body (don't include the quotes).
unsubscribe
* To change your email address
If you ever want to chage email address in this mailing list,
you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the following command in the message body:
chaddr 'old address' 'new address'
If you have any questions or problems, please contact
<supp_info@...bolinux.co.jp>
Thank you!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFAaT3XK0LzjOqIJMwRAiGzAKCELg6b7BGsFwoe8wEz+tEa/2HQSwCfZHc3
kQl/1RPs7beiWawymqePdjI=
=Cgq/
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists