Message-ID: <200502072033.58853.security-announce@turbolinux.co.jp>
From: security-announce at turbolinux.co.jp (Turbolinux)
Subject: [TURBOLINUX SECURITY INFO] 07/Feb/2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is an announcement only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 31/Jan/2005
============================================================
The following page contains the security information of Turbolinux Inc.
- Turbolinux Security Center
http://www.turbolinux.com/security/
(1) netpbm -> Symlink attack in netpbm may allow arbitrary file overwriting
(2) webmin -> Multiple vulnerabilities exist in webmin
(3) samba -> An integer overflow vulnerability exists in Samba
===========================================================
* netpbm -> Symlink attack in netpbm may allow arbitrary file overwriting
===========================================================
More information:
The netpbm package contains a library of functions which support programs
for handling various graphics file formats.
A vulnerability in the manner in which netpbm handles temporary files
could allow local users to overwrite arbitrary files via a symlink attack.
Impact:
This vulnerability could allow attackers to overwrite arbitrary files
via a symbolic link attack.
Affected Products:
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
Solution:
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
# turbopkg
or
# zabom update netpbm netpbm-devel netpbm-progs
---------------------------------------------
<Turbolinux 8 Server>
Source Packages
size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/netpbm-9.25-3.src.rpm
2065779 d09e323fd80d75f155ccd08f28702f6e
Binary Packages
size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/netpbm-9.25-3.i586.rpm
98115 83309ca9209bdea0cf5a32e92980075b
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/netpbm-devel-9.25-3.i586.rpm
114415 65f426ba58c638d3b8eedfca5df43909
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/netpbm-progs-9.25-3.i586.rpm
1150412 3e39bc0b01c94b0263dd8ba23dbed0aa
<Turbolinux 8 Workstation>
Source Packages
size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/netpbm-9.25-3.src.rpm
2065779 e3e9752805ac8b9fad72f164de75886e
Binary Packages
size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/netpbm-9.25-3.i586.rpm
98171 6f92aebe81941383c6226c1504fbccc9
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/netpbm-devel-9.25-3.i586.rpm
114479 988291608ed6aeae3e15457d3a3a84ee
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/netpbm-progs-9.25-3.i586.rpm
1149972 6089152aca6eb219dbc190ec24889529
<Turbolinux 7 Server>
Source Packages
size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/netpbm-9.14-2.src.rpm
2099125 e055878b9d5f6de0512b1ea7bdb2ef9d
Binary Packages
size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/netpbm-9.14-2.i586.rpm
82255 46dd4127b57532ef0ef848e1f79d05ac
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/netpbm-devel-9.14-2.i586.rpm
104175 5de813b7c6c018dae8aadf23ecbb4bb9
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/netpbm-progs-9.14-2.i586.rpm
1058389 febc163587b87fb597cc3ece59b60af2
<Turbolinux 7 Workstation>
Source Packages
size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/netpbm-9.14-2.src.rpm
2099125 50b5b0ae40301739b06a50c287a19b09
Binary Packages
size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/netpbm-9.14-2.i586.rpm
82263 a2b1ca87c21f79fd345f480c577cef9e
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/netpbm-devel-9.14-2.i586.rpm
104255 f77a4e19f384961233710e95aa2c472c
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/netpbm-progs-9.14-2.i586.rpm
1058246 542389d46332d97e4b493bb953578777
References:
CVE
[CAN-2003-0924]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0924
===========================================================
* webmin -> Multiple vulnerabilities exist in webmin
===========================================================
More information:
Webmin is a web-based administration interface for Unix systems.
Using Webmin you can configure DNS, Samba, NFS, local/remote filesystems
and more using your web browser.
Multiple vulnerabilities exist in Webmin:
- A script in Usermin allows local users to overwrite arbitrary files
at install time via a symlink attack on the /tmp/.usermin directory.
- Webmin allows remote attackers to bypass access control rules and gain
read access to configuration information for certain modules.
- The account lockout functionality in webmin does not parse certain
character strings, which allows remote attackers to conduct a brute
force attack to guess user IDs and passwords.
Impact:
This vulnerability may allow attackers to overwrite arbitrary files via
a symbolic link attack. The vulnerabilities may allow remote attackers
to bypass access control rules.
Affected Products:
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
Solution:
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
# turbopkg
or
# zabom update webmin
---------------------------------------------
<Turbolinux 8 Server>
Source Packages
size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/webmin-1.070-3.src.rpm
6930841 534de43ae0ad8830bb74896222b2eaf9
Binary Packages
size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/webmin-1.070-3.noarch.rpm
6035769 157751b22142bf504e3a943a3a60f824
<Turbolinux 8 Workstation>
Source Packages
size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/webmin-1.070-3.src.rpm
6930841 c80b3687b01f8f65b9db46bf10368e53
Binary Packages
size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/webmin-1.070-3.noarch.rpm
6034650 dd4e791efcbecc9189f5dd728dee6b08
<Turbolinux 7 Server>
Source Packages
size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/webmin-1.070-3.src.rpm
6930841 fbe7a9612533a0efbeba086ea9ef0609
Binary Packages
size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/webmin-1.070-3.noarch.rpm
6057465 69c1a46d1a5ddcec6901132b8309bf65
References:
CVE
[CAN-2004-0559]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0559
[CAN-2004-0582]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0582
[CAN-2004-0583]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0583
===========================================================
* samba -> An integer overflow vulnerability exists in Samba
===========================================================
More information:
Samba is an Open Source/Free Software suite that provides seamless file
and print services to SMB/CIFS clients. Samba is freely available,
unlike other SMB/CIFS implementations, and allows for interoperability
between Linux/Unix servers and Windows-based clients.
Integer overflow vulnerabilities have been discovered in Samba.
Impact:
This vulnerability can allow remote attackers to execute arbitrary code
via certain SMB requests.
Affected Products:
- Turbolinux Appliance Server 1.0 Hosting Edition
- Turbolinux 10 Server
- Turbolinux Home
- Turbolinux 10 F...
- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
Solution:
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
[Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F...,
Turbolinux Home]
# turbopkg
or
# zabom -u samba samba-debug samba-devel samba-python smbfs
[other]
# turbopkg
or
# zabom update samba samba-devel smbfs
---------------------------------------------
<Turbolinux Appliance Server 1.0 Hosting Edition>
Source Packages
Size: MD5
samba-2.2.7a-14jaJP.src.rpm
7216406 e9173c3c781b4ecd39d93de572b497d2
Binary Packages
Size: MD5
samba-2.2.7a-14jaJP.i586.rpm
11182740 0228cf921d171ab30b557c3ba33f40c7
samba-devel-2.2.7a-14jaJP.i586.rpm
502004 987ec605e854963df377ebd5a3d11e69
smbfs-2.2.7a-14jaJP.i586.rpm
633806 50bef9fdaeb2a56bfb73cf81dc721fbb
<Turbolinux 10 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/samba-3.0.6-13.src.rpm
15053246 e73d926f67f0974baf7c47855f1bc478
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/samba-3.0.6-13.i586.rpm
24905516 427a07abcb7f9c73e42cbe4b14779624
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/samba-debug-3.0.6-13.i586.rpm
2914710 75bd348d0e5a1dbd7d418483ee231234
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/samba-devel-3.0.6-13.i586.rpm
750624 462200f1ab9014d49001d70305c587a1
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/samba-python-3.0.6-13.i586.rpm
4042407 559f002308ae764f317ff7837de65ab0
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/smbfs-3.0.6-13.i586.rpm
245829 a29a85a4dd1fb7a1a38eccb3b9551fef
<Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/samba-2.2.7a-14jaJP.src.rpm
7216406 9421b2bc1f8a5c5ea9b121d3d45c18ef
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/samba-2.2.7a-14jaJP.i586.rpm
11187180 171ae9311e71af58c1025bf0e514c347
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/samba-devel-2.2.7a-14jaJP.i586.rpm
514384 1d0e1ae587ffcdc4b3ec701046ab2923
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/smbfs-2.2.7a-14jaJP.i586.rpm
642601 f9d5a2b8e95a153f0e9a0145dfe6df01
<Turbolinux 8 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/samba-2.2.7a-14jaJP.src.rpm
7216406 3bcd892bfd626df774c9fb340871ddb7
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/samba-2.2.7a-14jaJP.i586.rpm
11192012 5b11473f3e4083f5f8ff6bbf19100abd
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/samba-devel-2.2.7a-14jaJP.i586.rpm
502377 c0dd012ca459803830d5d43e4b4c2d14
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/smbfs-2.2.7a-14jaJP.i586.rpm
635090 61520281f2f8797c6c1266c27df9dca5
<Turbolinux 8 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/samba-2.2.7a-14jaJP.src.rpm
7216406 a821c695771cf4e78efda62ae147a411
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/samba-2.2.7a-14jaJP.i586.rpm
11190948 4246a03c067bae3f24ee0c06cfaf1bb0
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/samba-devel-2.2.7a-14jaJP.i586.rpm
501206 e72960ffa0126e293391986af1519251
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/smbfs-2.2.7a-14jaJP.i586.rpm
632378 34c694b001f4671a506d16fcd4a27b06
<Turbolinux 7 Server>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/samba-2.2.7a-14jaJP.src.rpm
7216406 35092fdb1ad80c96f8732f3ba95c04e4
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/samba-2.2.7a-14jaJP.i586.rpm
11035567 0930ccd99a51e795cf385783205cd41b
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/samba-devel-2.2.7a-14jaJP.i586.rpm
495574 99a444a38d227742fd215588fa9a833b
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/smbfs-2.2.7a-14jaJP.i586.rpm
615525 092ee149e216d7e49f9bab6b06c34d7c
<Turbolinux 7 Workstation>
Source Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/samba-2.2.7a-14jaJP.src.rpm
7216406 6c32c025bcaaabbb917fcf0bd47f79c6
Binary Packages
Size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/samba-2.2.7a-14jaJP.i586.rpm
11035447 c362d4d8a874b2b10c65d5c40c34dcbf
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/samba-devel-2.2.7a-14jaJP.i586.rpm
495731 6be170456280eaef09060937582ce12f
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/smbfs-2.2.7a-14jaJP.i586.rpm
615062 f9289151962bf203a88b674ef82ef43c
References:
CVE
[CAN-2004-1154]
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1154
* You may need to update the turbopkg tool before applying the update.
Please refer to the following URL for detailed information.
http://www.turbolinux.com/download/zabom.html
http://www.turbolinux.com/download/zabomupdate.html
Package Update Path
http://www.turbolinux.com/update/
============================================================
* To obtain the public key
Here is the public key
http://www.turbolinux.com/security/
* To unsubscribe from the list
If you ever want to remove yourself from this mailing list,
you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the word `unsubscribe' in the body (don't include the quotes).
unsubscribe
* To change your email address
If you ever want to change your email address on this mailing list,
you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the following command in the message body:
chaddr 'old address' 'new address'
If you have any questions or problems, please contact
<supp_info@...bolinux.co.jp>
Thank you!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFCB1IiK0LzjOqIJMwRAr93AKCTk3EpeSXRUMC5e/Y3xWmkFkaEsACgsFM3
H81wFH0zzuyoY4E29k9z4vM=
=yHbr
-----END PGP SIGNATURE-----
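
Added example (not part of the Turbolinux advisory): Python code that parses the advisory's `size: MD5` package listings and checks a downloaded file against them. The function names are hypothetical; the excerpt is copied from the webmin listing above, and entries are keyed by product because the same file name carries a different MD5 for each product.

```python
import hashlib
import os
import re

# Excerpt copied from the advisory's webmin listing (Turbolinux 8 Server).
ADVISORY_EXCERPT = """\
<Turbolinux 8 Server>
Source Packages
size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/webmin-1.070-3.src.rpm
6930841 534de43ae0ad8830bb74896222b2eaf9
Binary Packages
size: MD5
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/webmin-1.070-3.noarch.rpm
6035769 157751b22142bf504e3a943a3a60f824
"""

PRODUCT = re.compile(r"^<(.+)>$")                 # e.g. <Turbolinux 8 Server>
SIZE_MD5 = re.compile(r"^(\d+)\s+([0-9a-f]{32})$")  # e.g. 6035769 1577...

def parse_listing(text):
    """Return {(product, filename): (size, md5)} from an advisory package listing."""
    entries, product, name = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        m = PRODUCT.match(line)
        if m:
            product, name = m.group(1), None
        elif line.endswith(".rpm"):
            name = line.rsplit("/", 1)[-1]  # handles ftp:// URLs and bare names
        elif name and (m := SIZE_MD5.match(line)):
            entries[(product, name)] = (int(m.group(1)), m.group(2))
            name = None
    return entries

def verify(path, size, md5):
    """Check a downloaded file against the advisory: size first, then MD5."""
    if os.path.getsize(path) != size:
        return "size mismatch"
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return "ok" if digest.hexdigest() == md5 else "md5 mismatch"
```

MD5 is no longer collision-resistant, so a match here shows the download was not corrupted rather than proving who built the package. The PGP signature on the advisory is what ties the listed values to Turbolinux, so verify it before trusting them.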