Message-ID: <200408311803.43504.security-announce@turbolinux.co.jp>
From: security-announce at turbolinux.co.jp (Turbolinux)
Subject: [TURBOLINUX SECURITY INFO] 31/Aug/2004

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an announcement only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 31/Aug/2004
============================================================

The following page contains the security information of Turbolinux Inc.

 - Turbolinux Security Center
   http://www.turbolinux.com/security/

 (1) rsync -> path-sanitizing bug
 (2) qt -> Multiple vulnerabilities in Qt

===========================================================
* rsync -> path-sanitizing bug
===========================================================

 More information :
    rsync uses the "rsync algorithm" which provides a very fast method for bringing
    remote files into sync.  It does this by sending just the differences in files
    across a link, without requiring that both sets of files be present at one of
    the ends of the link beforehand.
    A vulnerability has been discovered in rsync in the sanitize_path function
    in file util.c which allows attackers to read and/or write certain files when chroot is disabled.

 Impact :
    Remote attackers may be able to read and write files that they should not be able to read or write.

 Affected Products :
    - Turbolinux 10 F...
    - Turbolinux 10 Desktop
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation

 Solution :
    Please use the turbopkg (zabom) tool to apply the update. 
 ---------------------------------------------
 [Turbolinux 10 Desktop, Turbolinux 10 F...]
 # zabom -u libpng rsync

 [other]
 # turbopkg
 or
 # zabom update rsync
 ---------------------------------------------


 <Turbolinux 10 Desktop, Turbolinux 10 F...>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/rsync-2.6.2-2.src.rpm
       523642 18fee2909b5fe8fabab481209e7291a1

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/rsync-2.6.2-2.i586.rpm
       158416 b1188af123b121e7d967b9bcaf3cc249

 <Turbolinux 8 Server>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/rsync-2.6.2-2.src.rpm
       523642 3dbafb5ddcf1cf8b4b381abbe78c4270

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/rsync-2.6.2-2.i586.rpm
       155932 72e9e155f8cc3356bd64d2ece2a53e90

 <Turbolinux 8 Workstation>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/rsync-2.6.2-2.src.rpm
       523642 4352d162daeb6dcaa52fa7cd859c1d8a

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/rsync-2.6.2-2.i586.rpm
       155995 87f3eda08a37a1ff477af0d2d43b5945

 <Turbolinux 7 Server>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/rsync-2.6.2-2.src.rpm
       523642 afb8b736d359491027e191a453980e5b

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/rsync-2.6.2-2.i586.rpm
       152228 1961ff32165a00d1d2608db621295ff4

 <Turbolinux 7 Workstation>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/rsync-2.6.2-2.src.rpm
       523642 7ab289b125b4f6f3c29cb1f2e4b0de76

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/rsync-2.6.2-2.i586.rpm
       152243 53cb13bef3427bf8b5adb8e365f46652


 References:

 rsync
   http://samba.anu.edu.au/rsync/

 CVE
   [CAN-2004-0792]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0792


===========================================================
* qt -> Multiple vulnerabilities in Qt
===========================================================

 More information :
    Qt is a complete, well-designed, multi-platform object-oriented framework for
    developing graphical user interface (GUI) applications in C++.  Qt has seamless
    integration with the OpenGL/Mesa 3D libraries.
    The GIF and XML parsers in the Qt library are susceptible to a remote denial
    of service attack via a null pointer dereference triggered by malformed GIF/XML
    file input.

 Impact :
    This may allow remote attackers to cause a denial of service via malformed GIF and XML files.

 Affected Products :
    - Turbolinux Appliance Server 1.0 Hosting Edition
    - Turbolinux Appliance Server 1.0 Workgroup Edition
    - Turbolinux 10 F...
    - Turbolinux 10 Desktop
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation

 Solution :
    Please use the turbopkg (zabom) tool to apply the update. 
 ---------------------------------------------
 [Turbolinux 10 Desktop, Turbolinux 10 F...]
 # zabom -u qt3 qt3-devel qt3-tools

 [other]
 # turbopkg
 or
 # zabom update qt qt-NSPlugin qt-Xt qt-devel
 ---------------------------------------------


 <Turbolinux 10 Desktop, Turbolinux 10 F...>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/qt3-3.2.3-8.src.rpm
     14026174 8d3461dbf7842da766e0592cfc4a1b55

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/qt3-3.2.3-8.i586.rpm
      5367561 89975c7f0d8dae1675e5135c56e722a6
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/qt3-devel-3.2.3-8.i586.rpm
      3013232 62270f0a0dbf9c830a8c098a1b99a1fe
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/qt3-tools-3.2.3-8.i586.rpm
      2008971 f4896e57a5b8cdc5215391d05f3fb903

 <Turbolinux 8 Server>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/qt-2.3.1-22.src.rpm
      9323108 93c636502e00818cc9c30739931ca649

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/qt-2.3.1-22.i586.rpm
      4586275 a9b3d06fb41e458e5080b3e9ae7c88ba
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/qt-NSPlugin-2.3.1-22.i586.rpm
       151451 0524bbf8a2719666030cb605227b289e
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/qt-Xt-2.3.1-22.i586.rpm
        48073 eb0551aa1315db64cfeef8d7c6bc07f1
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/qt-devel-2.3.1-22.i586.rpm
      6582027 0f4fd868c7586a9a4dd0da74d9432383

 <Turbolinux 8 Workstation>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/qt-2.3.1-22.src.rpm
      9323108 c795a4d92346142c544d98e92a41bd94

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/qt-2.3.1-22.i586.rpm
      4585883 ad71a31ed173824b9b3cbc639eb60a98
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/qt-NSPlugin-2.3.1-22.i586.rpm
       151663 546774ab62b2585a3ce1001bc06b1c57
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/qt-Xt-2.3.1-22.i586.rpm
        48077 6ffee17848f80b66256fa0f1a949c097
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/qt-devel-2.3.1-22.i586.rpm
      6582669 a6e07283b8ebe59f4c0114f7a6f4b985

 <Turbolinux 7 Server>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/qt-2.3.1-22.src.rpm
      9323108 abcd939f856cda3483316f8f9657251e

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/qt-2.3.1-22.i586.rpm
      4431599 36afff671a32a29304c3e0357d03b966
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/qt-NSPlugin-2.3.1-22.i586.rpm
       150154 89730e78c6f7a408371c9a1a5f664c76
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/qt-Xt-2.3.1-22.i586.rpm
        46815 0d25385a3fc9021072a960ab5a2f76de
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/qt-devel-2.3.1-22.i586.rpm
      6548456 65ba8ec22aebee8c2d3e8595784c989b

 <Turbolinux 7 Workstation>

   Source Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/qt-2.3.1-22.src.rpm
      9323108 f6666361d752d211b6caa0bf653c75d4

   Binary Packages
   Size : MD5

   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/qt-2.3.1-22.i586.rpm
      4430750 d9d9b64005b6120c22c66e0e369ec7eb
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/qt-NSPlugin-2.3.1-22.i586.rpm
       149892 f819e00cafdf5dea46df38f2b95830c8
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/qt-Xt-2.3.1-22.i586.rpm
        46829 dfb530b8d059f5af3d329e22d7fa7d26
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/qt-devel-2.3.1-22.i586.rpm
      6549222 f530ad599fbbe69828244028cfa5a70a


 References:

 CVE
   [CAN-2004-0691]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691
   [CAN-2004-0692]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
   [CAN-2004-0693]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693


 * You may need to update the turbopkg tool before applying the update.
Please refer to the following URL for detailed information.

  http://www.turbolinux.com/download/zabom.html
  http://www.turbolinux.com/download/zabomupdate.html

Package Update Path
http://www.turbolinux.com/update

============================================================
 * To obtain the public key

Here is the public key

 http://www.turbolinux.com/security/

 * To unsubscribe from the list

If you ever want to remove yourself from this mailing list,
  you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the word `unsubscribe' in the body (don't include the quotes).

unsubscribe

 * To change your email address

If you ever want to change your email address in this mailing list,
  you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the following command in the message body:

  chaddr 'old address' 'new address'

If you have any questions or problems, please contact
<supp_info@...bolinux.co.jp>

Thank you!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBND7mK0LzjOqIJMwRAmF/AJ9xm3HTZhtrRE1w/nekUlswn+AZPQCgu+Yf
gz/ux9mpEZo8HdYu+NkDICY=
=gMtC
-----END PGP SIGNATURE-----
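
Checking downloaded packages against the "Size : MD5" lists in the advisory above, as an added example (not part of the Turbolinux advisory or its tooling): it parses the URL / size / MD5 layout and keys entries by full URL, because the same file name (for example rsync-2.6.2-2.i586.rpm) is listed with different checksums per product. The function names are this example's own, and the MD5 comparison only detects corrupted or mismatched downloads.

```python
import hashlib
import os
import re

# Two entries copied from the advisory's package lists, in its own layout:
# a URL line followed by a "size md5" line.
ADVISORY_EXCERPT = """
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/rsync-2.6.2-2.i586.rpm
       158416 b1188af123b121e7d967b9bcaf3cc249
   ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/qt3-3.2.3-8.i586.rpm
      5367561 89975c7f0d8dae1675e5135c56e722a6
"""

URL_RE = re.compile(r"^\s*((?:ftp|https?)://\S+)\s*$")
SUM_RE = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F]{32})\s*$")


def parse_package_list(text):
    """Return {url: (size, md5)} for each URL line followed by a size/MD5 line."""
    entries, pending_url = {}, None
    for line in text.splitlines():
        url, summ = URL_RE.match(line), SUM_RE.match(line)
        if url:
            pending_url = url.group(1)
        elif summ and pending_url:
            entries[pending_url] = (int(summ.group(1)), summ.group(2).lower())
            pending_url = None
        elif line.strip():
            pending_url = None  # any other text breaks the URL/sum pairing
    return entries


def check_download(path, url, entries):
    """Compare a local file with the advisory entry for `url`.

    Returns "ok", "not-listed", "missing", "size-mismatch" or "md5-mismatch".
    """
    if url not in entries:
        return "not-listed"
    if not os.path.isfile(path):
        return "missing"
    size, md5 = entries[url]
    if os.path.getsize(path) != size:
        return "size-mismatch"  # cheap check first; catches truncated transfers
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return "ok" if digest.hexdigest() == md5 else "md5-mismatch"
```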




