Message-ID: <200501312032.46640.security-announce@turbolinux.co.jp>
From: security-announce at turbolinux.co.jp (Turbolinux)
Subject: [TURBOLINUX SECURITY INFO] 31/Jan/2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is an announcement only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 31/Jan/2005
============================================================
The following page contains the security information of Turbolinux Inc.
- Turbolinux Security Center
http://www.turbolinux.com/security/
(1) netatalk -> Symlink attack may allow arbitrary file overwriting
(2) openssl -> Symlink attack in openssl may allow arbitrary file overwriting
(3) ruby -> Two vulnerabilities discovered in Ruby
(4) shadow-utils -> Password check vulnerability discovered in shadow-utils
(5) sudo -> Environment variable sanitization bug permits root compromise
(6) zip -> Buffer overflow in zip allows arbitrary code execution
===========================================================
* netatalk -> Symlink attack may allow arbitrary file overwriting
===========================================================
More information:
Netatalk is an implementation of the AppleTalk Protocol Suite for
Unix/Linux systems.
A vulnerability in the manner in which netatalk handles temporary files
could allow local users to overwrite arbitrary files via a symlink attack.
Impact:
This vulnerability may allow local users to overwrite arbitrary files
via a symbolic link attack.
Affected Products:
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
Solution:
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
# turbopkg
or
# zabom update netatalk netatalk-devel
---------------------------------------------
<Turbolinux 8 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/netatalk-1.5.3.1-8.src.rpm
609435 a726fbcd1b151575be7762b9d4f3a5b3
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/netatalk-1.5.3.1-8.i586.rpm
340525 106a4b43bc89dc325033022d5ebc0f2a
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/netatalk-devel-1.5.3.1-8.i586.rpm
62778 2b33a74da3352f77dc816274fa7588e3
<Turbolinux 8 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/netatalk-1.5.2-2.src.rpm
800817 96e0841dec8ac28cc112f1f02a9b73c9
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/netatalk-1.5.2-2.i586.rpm
339704 4ef7cf4ef7389c50fd41b3d6b2eb4a71
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/netatalk-devel-1.5.2-2.i586.rpm
62028 726a249c7ed0b406c9f7f99d92f7ce46
<Turbolinux 7 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/netatalk-1.5pre8-2.src.rpm
599952 1dcba6ce5a384d518709de4eebf2eb9e
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/netatalk-1.5pre8-2.i586.rpm
318838 39f32dfebab4392d0b1582087b8a5c5e
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/netatalk-devel-1.5pre8-2.i586.rpm
61317 2751e06623a991603af22eae009b7a74
<Turbolinux 7 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/netatalk-1.5pre8-2.src.rpm
599952 623f4495a73c09079f6fdabae52b3c0f
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/netatalk-1.5pre8-2.i586.rpm
318685 ca6c8f5e41a414af8f570cdead4f73f0
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/netatalk-devel-1.5pre8-2.i586.rpm
61420 5a9329c07ccde291d40d1979be6eefe7
References:
CVE
[CAN-2004-0974]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0974
===========================================================
* openssl -> Symlink attack in openssl may allow arbitrary file overwriting
===========================================================
More information:
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured Open Source toolkit implementing the
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols as well as a full-strength general purpose cryptography library.
A vulnerability in the manner in which openssl handles temporary files
could allow local users to overwrite arbitrary files via a symlink attack.
Impact:
This vulnerability may allow local users to overwrite arbitrary files
via a symbolic link attack.
Affected Products:
- Turbolinux Appliance Server 1.0 Hosting Edition
- Turbolinux Appliance Server 1.0 Workgroup Edition
- Turbolinux 10 Server
- Turbolinux Home
- Turbolinux 10 F...
- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
Solution:
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
[Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F...,
Turbolinux Home]
# turbopkg
or
# zabom -u openssl openssl-compat openssl-devel
[other]
# turbopkg
or
# zabom update openssl openssl-compat openssl-devel
---------------------------------------------
<Turbolinux Appliance Server 1.0 Hosting Edition>
Source Packages
Size: MD5
openssl-0.9.6m-2.src.rpm
2266449 942f4a8c5a89c1b66c1e9c0127c55361
Binary Packages
Size: MD5
openssl-0.9.6m-2.i586.rpm
1367798 9942a8ac0e6f648741a8ec2b2e4fc7a5
openssl-devel-0.9.6m-2.i586.rpm
1157986 79f18ea3916fa542b49fbc0debeb62cc
<Turbolinux Appliance Server 1.0 Workgroup Edition>
Source Packages
Size: MD5
openssl-0.9.6m-2.src.rpm
2266449 c8720cbc73f6b6cd041cdfe0ed1c2416
Binary Packages
Size: MD5
openssl-0.9.6m-2.i586.rpm
1367898 f0a9f484d75e5809f1b29fd2d9b3d09a
openssl-devel-0.9.6m-2.i586.rpm
1158513 07bbbe0c6792d1902da2db1841b21d08
<Turbolinux 10 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/openssl-0.9.7d-2.src.rpm
2794914 2b6c48908d1d1670be1c8544fdfe160d
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/openssl-compat-0.9.6m-2.src.rpm
2266197 8e8515b71a8f76db0b7cc60a15076a3f
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/openssl-0.9.7d-2.i586.rpm
1215827 be7058b738a14d677adb37e5fce108cf
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/openssl-compat-0.9.6m-2.i586.rpm
754999 2799883d686caf69c1a3ec9895b20c8e
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/openssl-devel-0.9.7d-2.i586.rpm
1478585 0ac60704d535dd6e7f43c2001153d1e1
<Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/openssl-0.9.7d-2.src.rpm
2794914 a680445b8cb005ccaf6fb03f7224e2c2
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/openssl-compat-0.9.6m-2.src.rpm
2266197 f2cf29d7935230dfd21a1c7004da1243
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/openssl-0.9.7d-2.i586.rpm
1218917 5dcd48e88684e33e0b6cd124ef25d48d
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/openssl-compat-0.9.6m-2.i586.rpm
754249 5e044d1d3dad7a8e00ddb263061672a8
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/openssl-devel-0.9.7d-2.i586.rpm
1479240 2c55596b0e7f1fcbaea856f4748fe391
<Turbolinux 8 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/openssl-0.9.6m-2.src.rpm
2266449 8433558cc88895a9c4ecd6d176c1c9da
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/openssl-0.9.6m-2.i586.rpm
1368074 3b57da04265dbefe4c1613bf3a34b009
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/openssl-devel-0.9.6m-2.i586.rpm
1157941 037ff0347c4df311bb7977aa825f98b6
<Turbolinux 8 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/openssl-0.9.6m-2.src.rpm
2266449 bed1ebe613bc543bad7b2fd1320e8e22
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/openssl-0.9.6m-2.i586.rpm
1367818 ace897b6b19e1a85eaf3497048779501
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/openssl-devel-0.9.6m-2.i586.rpm
1156486 b2d04aad787992136a4434126032c4aa
<Turbolinux 7 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/openssl-0.9.6m-2.src.rpm
2266449 451daaaabdf36770b4f590e728827553
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/openssl-0.9.6m-2.i586.rpm
1337218 b1bf8332de4606b66aaecb8101a0b53d
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/openssl-devel-0.9.6m-2.i586.rpm
1140716 9168586f930b569b4bec71d893632edf
<Turbolinux 7 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/openssl-0.9.6m-2.src.rpm
2266449 ca67c64c3cf322a29d2a7c94c9733f38
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/openssl-0.9.6m-2.i586.rpm
1337106 83dff95819aeefdfb189f7f54c6a058f
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/openssl-devel-0.9.6m-2.i586.rpm
1140409 75f4daf1078c503137f113a8232a20ca
References:
CVE
[CAN-2004-0975]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0975
===========================================================
* ruby -> Two vulnerabilities discovered in Ruby
===========================================================
More information:
Ruby is an interpreted scripting language designed to allow quick and
easy object-oriented programming. It has many features to process text
files and to perform system management tasks (as in Perl). It is simple,
straight-forward, and extensible.
Two issues have been discovered in Ruby:
- CGI::Session's FileStore implementations store session information
insecurely
- The CGI module in Ruby allows remote attackers to cause a denial of
service (excessive CPU consumption due to an infinite loop) via a
malformed HTTP request
Impact:
The vulnerabilities may allow a local user to steal session information
and hijack sessions or allow a remote attacker to cause a denial of
service in the CGI module in Ruby.
Affected Products:
- Turbolinux 10 Server
- Turbolinux Home
- Turbolinux 10 F...
- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
Solution:
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
[Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F...,
Turbolinux Home]
# turbopkg
or
# zabom -u ruby
[other]
# turbopkg
or
# zabom update ruby
---------------------------------------------
<Turbolinux 10 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/ruby-1.8.1-4.src.rpm
2677467 65a142b4aee9ec00b26943303b2d769f
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/ruby-1.8.1-4.i586.rpm
1714005 40f1dc3cc1358971c62e83237a0d078e
<Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/ruby-1.6.8-2.src.rpm
1028020 e84d9786ff6b8857fbe56db0715ed8c3
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/ruby-1.6.8-2.i586.rpm
992771 9ca9806feca8d09744d291a35fb4ebb0
<Turbolinux 8 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/ruby-1.6.4-4.src.rpm
904717 9e4f1248b411614ce69d4424bb8c209c
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/ruby-1.6.4-4.i586.rpm
983046 57610b12ab3eface8274e00f3add9cb5
<Turbolinux 8 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/ruby-1.6.4-4.src.rpm
904717 bb111d1f7a10279312af699c7bd7f659
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/ruby-1.6.4-4.i586.rpm
984104 990f54b83c9d47b631f7b18892ae7e18
<Turbolinux 7 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/ruby-1.6.4-4.src.rpm
904717 dd3cb8a906d702e2efd18e3ea3754fa3
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/ruby-1.6.4-4.i586.rpm
959172 7fb9589233a771e78a0b557176f8c523
<Turbolinux 7 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/ruby-1.6.4-4.src.rpm
904717 d66eb75d3a526b4771245286f7e7bcac
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/ruby-1.6.4-4.i586.rpm
959441 72ce35f4a32690b5e01eb5d7fa2799d4
References:
CVE
[CAN-2004-0755]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0755
[CAN-2004-0983]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0983
===========================================================
* shadow-utils -> Password check vulnerability discovered in shadow-utils
===========================================================
More information:
The shadow-utils package includes the necessary programs for converting
UNIX password files to the shadow password format in addition to programs
for managing user and group accounts.
The passwd_check function in shadow-utils allows local users to conduct
unauthorized activities if an error from a pam_chauthtok function call
is not properly handled.
Impact:
This vulnerability may allow local users to bypass certain security
restrictions.
Affected Products:
- Turbolinux Appliance Server 1.0 Hosting Edition
- Turbolinux Appliance Server 1.0 Workgroup Edition
- Turbolinux 10 Server
- Turbolinux Home
- Turbolinux 10 F...
- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
Solution:
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
[Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F...,
Turbolinux Home]
# turbopkg
or
# zabom -u shadow-utils
[other]
# turbopkg
or
# zabom update shadow-utils
---------------------------------------------
<Turbolinux Appliance Server 1.0 Hosting Edition>
Source Packages
Size: MD5
shadow-utils-20000902-13.src.rpm
623589 9cd92ce5fcfcd5db6a73ec88ef8ab66e
Binary Packages
Size: MD5
shadow-utils-20000902-13.i586.rpm
243997 1fb9b1b64cb3f9a99a370d6330e15d1d
<Turbolinux Appliance Server 1.0 Workgroup Edition>
Source Packages
Size: MD5
shadow-utils-20000902-13.src.rpm
623589 ed305f57f98ff61745c640066a804e8d
Binary Packages
Size: MD5
shadow-utils-20000902-13.i586.rpm
244224 c230eebd9a6edfeec84799e471c4ce68
<Turbolinux 10 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/shadow-utils-20000902-13.src.rpm
623589 6ca8e2af75ae40fc57ba0be6063ab2d3
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/shadow-utils-20000902-13.i586.rpm
358077 a074104603e6df2e15d0ead57f09672f
<Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/shadow-utils-20000902-13.src.rpm
623589 54e7a7b733e0c661d34ab48a7b7e422c
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/shadow-utils-20000902-13.i586.rpm
358789 4ca6933ed1b1385f5315a390c5d96704
<Turbolinux 8 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/shadow-utils-20000902-13.src.rpm
623589 d1874fa6706241cc07c7803de910b73e
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/shadow-utils-20000902-13.i586.rpm
244225 ac187b975f2a3bea38418882d7372247
<Turbolinux 8 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/shadow-utils-19990827-10.src.rpm
761172 f84711fe9a9af3e08bdf2216fd83d4fc
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/shadow-utils-19990827-10.i586.rpm
247252 f877a6bf9c229eb4b329a08e0842e118
<Turbolinux 7 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/shadow-utils-19990827-10.src.rpm
761172 893b0181f64dee12ee816c52d5f48b5b
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/shadow-utils-19990827-10.i586.rpm
243975 5004a54ffd954c2d002d870aa030d96c
<Turbolinux 7 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/shadow-utils-19990827-10.src.rpm
761172 b377dc9f28bf730501a16c1fa7e2324b
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/shadow-utils-19990827-10.i586.rpm
243953 9e79320711e34a264a5146581e97d6e6
References:
CVE
[CAN-2004-1001]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1001
===========================================================
* sudo -> Environment variable sanitization bug permits root compromise
===========================================================
More information:
Sudo allows a system administrator to give certain users or groups of
users the ability to run some or all commands as root while logging all
commands and arguments.
A vulnerability in sudo can allow local users to execute arbitrary
commands by using "()"-style environment variables to create functions.
Impact:
This vulnerability can allow local users to gain root privileges.
Affected Products:
- Turbolinux 10 Server
- Turbolinux Home
- Turbolinux 10 F...
- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
Solution:
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
[Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F...,
Turbolinux Home]
# turbopkg
or
# zabom -u sudo
[other]
# turbopkg
or
# zabom update sudo
---------------------------------------------
<Turbolinux 10 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/sudo-1.6.7p5-3.src.rpm
363932 c55a605d45e30cb8b0c7e2e648b3480d
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/sudo-1.6.7p5-3.i586.rpm
143309 2ad10ba64ae16a019b943d667088e591
<Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/sudo-1.6.7p5-3.src.rpm
363932 22983d2b42dbdd6c0e3a3dd0cbab83c5
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/sudo-1.6.7p5-3.i586.rpm
141482 6de7fcff4275c86ccbf0165430062a1f
<Turbolinux 8 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/sudo-1.6.6-5.src.rpm
342008 7d31c8fef75a812170bf824c0d0ac7d8
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/sudo-1.6.6-5.i586.rpm
135478 3d1f1c11deea87c208c66331f55806bb
<Turbolinux 8 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/sudo-1.6.6-5.src.rpm
342008 d60029fa4def45151023163462816d8a
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/sudo-1.6.6-5.i586.rpm
135520 50e476a695b7851b33e8714942ef646e
<Turbolinux 7 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/sudo-1.6.6-5.src.rpm
342008 2e7e71649af34b4c8ab1ef838967f2ad
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/sudo-1.6.6-5.i586.rpm
133703 849e1cadaa024f441580c2d4ce919737
<Turbolinux 7 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/sudo-1.6.6-5.src.rpm
342008 5d83737975d83e8ec6323fef523bd788
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/sudo-1.6.6-5.i586.rpm
133638 d0494b069c57e7d6545e79b1932ec83a
References:
CVE
[CAN-2004-1051]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1051
===========================================================
* zip -> Buffer overflow in zip allows arbitrary code execution
===========================================================
More information:
Zip is a compression and file packaging utility.
A buffer overflow exists in zip which, when using recursive folder
compression, can allow remote attackers to execute arbitrary code via
a ZIP file containing a very long pathname.
Impact:
This vulnerability may allow remote attackers to execute arbitrary code
via malformed ZIP files.
Affected Products:
- Turbolinux Appliance Server 1.0 Hosting Edition
- Turbolinux Appliance Server 1.0 Workgroup Edition
- Turbolinux 10 Server
- Turbolinux Home
- Turbolinux 10 F...
- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
Solution:
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
[Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F...,
Turbolinux Home]
# turbopkg
or
# zabom -u zip
[other]
# turbopkg
or
# zabom update zip
---------------------------------------------
<Turbolinux Appliance Server 1.0 Hosting Edition>
Source Packages
Size: MD5
zip-2.3-5.src.rpm
730664 fe832dfc5179ca00c17f116eed08caad
Binary Packages
Size: MD5
zip-2.3-5.i586.rpm
140459 51d8b053827ac40efbcac41f8bd7e680
<Turbolinux Appliance Server 1.0 Workgroup Edition>
Source Packages
Size: MD5
zip-2.3-5.src.rpm
730664 fb771a395aa91cbeaa4cb5d82ac91c90
Binary Packages
Size: MD5
zip-2.3-5.i586.rpm
140616 d099d326a56bf9f1a60fd95f3d6b6663
<Turbolinux 10 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/zip-2.3-5.src.rpm
730664 8b7b1da5309b259a15a40969cd297023
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/zip-2.3-5.i586.rpm
141141 d64d6fdec8b7cd22561749be1dae1da0
<Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/zip-2.3-5.src.rpm
730664 437cb0d2cd71d2aa1dabddaeabf4dae3
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/zip-2.3-5.i586.rpm
142041 f2f7cf4a80aa41b17a16693bacce4003
<Turbolinux 8 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/zip-2.3-5.src.rpm
730664 1008f3d6bb0cd4f5b61da81a20e327cd
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/zip-2.3-5.i586.rpm
140674 a41c1aae7bdcf0bba6af9b2d90db4209
<Turbolinux 8 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/zip-2.3-5.src.rpm
730664 f7fdb3d57323dd8ac5bd54ed1ffe0dea
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/zip-2.3-5.i586.rpm
140714 f47bf32d1ccec09846765957a6d7b321
<Turbolinux 7 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/zip-2.3-5.src.rpm
730664 dd1e3dfd98a935bb0c7ca220e38919e6
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/zip-2.3-5.i586.rpm
137854 235f40bf7bbb283ea4768e5f74cf428c
<Turbolinux 7 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/zip-2.3-5.src.rpm
730664 0d5a22a702d05c4731b55a0b698d1841
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/zip-2.3-5.i586.rpm
137900 c40fe739907ec7b6d62a5543df7ff8b9
References:
CVE
[CAN-2004-1010]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1010
* You may need to update the turbopkg tool before applying the update.
Please refer to the following URL for detailed information.
http://www.turbolinux.com/download/zabom.html
http://www.turbolinux.com/download/zabomupdate.html
Package Update Path
http://www.turbolinux.com/update/
============================================================
* To obtain the public key
Here is the public key
http://www.turbolinux.com/security/
* To unsubscribe from the list
If you ever want to remove yourself from this mailing list,
you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the word `unsubscribe' in the body (don't include the quotes).
unsubscribe
* To change your email address
If you ever want to change your email address on this mailing list,
you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the following command in the message body:
chaddr 'old address' 'new address'
If you have any questions or problems, please contact
<supp_info@...bolinux.co.jp>
Thank you!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFB/hddK0LzjOqIJMwRAo5rAKCCykJ/HeUHv22Fp7U8SIIV8FYCmQCgtKlC
GBxWvyOrZG+zvs+V9IqBFuQ=
=mOOE
-----END PGP SIGNATURE-----
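The package lists above pair each RPM location with a `size md5` line, and the same file name carries a different MD5 under each product heading, so a download has to be checked against the entry for the product it was built for. The following Python script is an added example, not part of the Turbolinux advisory: it parses that layout and verifies a file by product, file name, size and MD5. The package name, host and file contents in `demo()` are constructed placeholders.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class Package:
    products: tuple  # names from the <...> heading, split on commas
    kind: str        # "Source" or "Binary"
    location: str    # ftp:// URL or bare file name
    size: int
    md5: str

    @property
    def filename(self):
        return self.location.rsplit("/", 1)[-1]

_PRODUCT = re.compile(r"^<(.+)>$")
_KIND = re.compile(r"^(Source|Binary) Packages$")
_SUM = re.compile(r"^(\d+) ([0-9a-f]{32})$")

def parse_packages(text):
    """Return every package entry found in an advisory body."""
    entries, products, kind, location = [], (), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _PRODUCT.match(line):
            products = tuple(p.strip() for p in m.group(1).split(","))
            kind = location = None
        elif m := _KIND.match(line):
            kind, location = m.group(1), None
        elif line.endswith(".rpm"):
            location = line
        elif (m := _SUM.match(line)) and products and kind and location:
            entries.append(Package(products, kind, location, int(m.group(1)), m.group(2)))
            location = None
    return entries

def verify(path, product, entries):
    """Check a downloaded file against the entry for this product and file name."""
    name = os.path.basename(path)
    match = [e for e in entries if e.filename == name and product in e.products]
    if not match:
        return "not listed"
    if os.path.getsize(path) != match[0].size:
        return "size mismatch"
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return "ok" if digest.hexdigest() == match[0].md5 else "md5 mismatch"

def demo():
    # Constructed input: two same-sized stand-in builds sharing one file name.
    name = "example-1.0-1.src.rpm"  # hypothetical package
    builds = {"Turbolinux 8 Server": b"server build\n",
              "Turbolinux 8 Workstation": b"workst build\n"}
    text = ""
    for product, data in builds.items():
        text += (f"<{product}>\nSource Packages\nSize: MD5\n"
                 f"ftp://ftp.example.invalid/updates/SRPMS/{name}\n"
                 f"{len(data)} {hashlib.md5(data).hexdigest()}\n")
    entries = parse_packages(text)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, name)
        with open(path, "wb") as fh:
            fh.write(builds["Turbolinux 8 Server"])
        results = {
            "right product": verify(path, "Turbolinux 8 Server", entries),
            "wrong product": verify(path, "Turbolinux 8 Workstation", entries),
            "unlisted product": verify(path, "Turbolinux 7 Server", entries),
        }
        with open(path, "ab") as fh:
            fh.write(b"x")  # simulate a padded or corrupted download
        results["padded file"] = verify(path, "Turbolinux 8 Server", entries)
    return len(entries), results

if __name__ == "__main__":
    print(demo())
```

The listed digests are only as trustworthy as the advisory text itself, so the PGP signature on the message should be checked before relying on them.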