[Full-Disclosure] [TURBOLINUX SECURITY INFO] 30/Mar/2004

From: Turbolinux (security-announce_at_turbolinux.co.jp)
Date: 03/30/04

    To: security-announce@turbolinux.co.jp
    Date: Tue, 30 Mar 2004 18:28:52 +0900
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    This is an announcement-only email list for the x86 architecture.
    ============================================================
    Turbolinux Security Announcement 30/Mar/2004
    ============================================================

    The following page contains the security information of Turbolinux Inc.

     - Turbolinux Security Center
       http://www.turbolinux.com/security/

     (1) wu-ftpd -> Multiple vulnerabilities in wu-ftpd
     (2) openssl -> Multiple vulnerabilities in openssl

    ===========================================================
    * wu-ftpd -> Multiple vulnerabilities in wu-ftpd
    ===========================================================

     More information :
        Wu-ftpd is the daemon (background) program which serves FTP files to ftp clients.

        - wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled,
          allows local users to bypass access restrictions by changing the permissions
          to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.
        - Buffer overflow in the skey_challenge function in ftpd.c for wu-ftp daemon (wu-ftpd) 2.6.2
          allows remote attackers to cause a denial of service and possibly execute arbitrary code
          via a s/key (SKEY) request with a long name.

     Impact :
        FTP users may be able to read files that they are not permitted to read.
        The vulnerabilities also allow an attacker to cause a denial of service of wu-ftpd.

     Affected Products :
        - Turbolinux Advanced Server 6
        - Turbolinux Server 6.1
        - Turbolinux Workstation 6.0

     Solution :
        Please use the turbopkg (zabom) tool to apply the update.
     ---------------------------------------------
     # turbopkg
     or
     # zabom update wu-ftpd
     ---------------------------------------------

     <Turbolinux Advanced Server 6>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/SRPMS/wu-ftpd-2.6.2-4.src.rpm
           368558 68c2ec7979364dd1b3427f72e4338bae

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/wu-ftpd-2.6.2-4.i386.rpm
           194109 33571507dd3b3ca040188dad40dafedf

     <Turbolinux Server 6.1>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/SRPMS/wu-ftpd-2.6.2-4.src.rpm
           368558 bbbfdcf892b2ed521bc8eb2eb97f4ea9

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/wu-ftpd-2.6.2-4.i386.rpm
           193965 81165dc3c00f3011791269f86199b6b4

     <Turbolinux Workstation 6.0>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/wu-ftpd-2.6.2-4.src.rpm
           368558 0a88693eeac7faf5a26c67d89c14e7f2

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/wu-ftpd-2.6.2-4.i386.rpm
           193995 73d774853304aa030ae2d6242cb17288
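
The package lists above pair each file with its size and MD5 checksum. The script below is an added example, not part of the Turbolinux advisory or of the turbopkg/zabom tools: it parses the advisory's "Size : MD5" layout and checks a downloaded package against it, using the Workstation 6.0 wu-ftpd entries from this advisory as embedded sample input. Function names are my own. The MD5 value only guards against a corrupted or truncated download; the values themselves are trustworthy only because the announcement is PGP-signed, so the signature is what to verify first.

```python
import hashlib
import os
import re

# Constructed sample input: the "Size : MD5" lines for one product, copied from
# the advisory's wu-ftpd section (Turbolinux Workstation 6.0).
ADVISORY_LIST = """
Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/wu-ftpd-2.6.2-4.src.rpm
    368558 0a88693eeac7faf5a26c67d89c14e7f2

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/wu-ftpd-2.6.2-4.i386.rpm
    193995 73d774853304aa030ae2d6242cb17288
"""

# A "<size> <md5>" line: decimal byte count followed by 32 hex digits.
SIZE_MD5 = re.compile(r"^\s*(\d+)\s+([0-9a-f]{32})\s*$")


def parse_package_list(text):
    """Map package file name -> (size, md5) from the advisory layout:
    a URL or bare file name on one line, then '<size> <md5>' on the next."""
    entries = {}
    pending = None
    for line in text.splitlines():
        m = SIZE_MD5.match(line)
        if m and pending:
            entries[pending] = (int(m.group(1)), m.group(2))
            pending = None
        elif line.strip().endswith(".rpm"):
            # The page uses both full URLs and bare names; keep only the name.
            pending = line.strip().rsplit("/", 1)[-1]
    return entries


def md5_stream(fileobj, chunk=1 << 16):
    """Hash a binary stream in chunks so large packages need not fit in memory."""
    h = hashlib.md5()
    for block in iter(lambda: fileobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def check(name, size, digest, entries):
    """Compare an observed (size, digest) with the advisory entry for `name`.
    Returns (ok, reason); size is compared first because it is cheap and
    catches truncated downloads before any hashing."""
    if name not in entries:
        return False, "not listed in advisory"
    want_size, want_md5 = entries[name]
    if size != want_size:
        return False, f"size mismatch: {size} != {want_size}"
    if digest != want_md5:
        return False, f"md5 mismatch: {digest} != {want_md5}"
    return True, "ok"


def verify_package(path, entries):
    """Verify a downloaded .rpm on disk against the parsed advisory list."""
    name = os.path.basename(path)
    if name not in entries:
        return False, "not listed in advisory"
    with open(path, "rb") as f:
        digest = md5_stream(f)
    return check(name, os.path.getsize(path), digest, entries)


if __name__ == "__main__":
    import sys
    table = parse_package_list(ADVISORY_LIST)
    for p in sys.argv[1:]:
        ok, reason = verify_package(p, table)
        print(f"{p}: {'OK' if ok else 'FAIL'} ({reason})")
```

Run it as `python verify.py wu-ftpd-2.6.2-4.i386.rpm` after downloading the package into the current directory; to cover another product, paste that product's list into ADVISORY_LIST.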

     notice : We confirmed that "CAN-2004-0185" does not affect our products.

     References :

     CVE
       [CAN-2004-0148]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0148
       [CAN-2004-0185]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0185

    ===========================================================
    * openssl -> Multiple vulnerabilities in openssl
    ===========================================================

     More information :
        The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade,
        full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
        and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

        - The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c,
          allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake
          that causes a null-pointer assignment.
        - Certain versions of OpenSSL 0.9.6 allow remote attackers to cause a denial of service (infinite loop),
          as demonstrated using the Codenomicon TLS Test Tool.
        - The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites,
          allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake,
          which causes an out-of-bounds read.
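
The three bullets give version ranges in OpenSSL's old letter-suffixed numbering, which does not compare correctly as plain strings or as floats (0.9.7 precedes 0.9.7a, which precedes 0.9.7d). The script below is an added example and not Turbolinux's code: it parses such versions (including the banner printed by `openssl version`), reports which of the precisely bounded ranges above a version falls in, and flags any 0.9.6 or 0.9.7 build older than the 0.9.6m and 0.9.7d packages this advisory ships. The pairing of ranges to CVE candidate numbers follows the order of the bullets and of the reference list and is my reading of the advisory; the 0.9.6 infinite-loop bullet names no precise range, so only the older-than-update check covers it. Function names are my own.

```python
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(v):
    """Turn an old-style OpenSSL version such as '0.9.6c' or '0.9.7' into a
    sortable tuple. The patch letter orders after the bare release:
    0.9.6 < 0.9.6a < ... < 0.9.6m."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {v!r}")
    major, minor, fix, letter = m.groups()
    patch = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(fix), patch)


def version_from_banner(banner):
    """Extract the version from 'openssl version' output, e.g.
    'OpenSSL 0.9.6k 30 Sep 2003' -> '0.9.6k'."""
    parts = banner.split()
    if len(parts) < 2 or parts[0] != "OpenSSL":
        raise ValueError(f"not an 'openssl version' banner: {banner!r}")
    return parts[1]


# Inclusive ranges as stated in the advisory bullets. Mapping each range to a
# CVE candidate number is my reading of the bullet/reference order (assumption).
AFFECTED = {
    "CAN-2004-0079": [("0.9.6c", "0.9.6k"), ("0.9.7a", "0.9.7c")],  # do_change_cipher_spec null pointer
    "CAN-2004-0112": [("0.9.7a", "0.9.7c")],                        # Kerberos ciphersuite OOB read
}

# Versions this advisory ships as the fix, per branch (from its package lists).
SHIPPED_FIX = {(0, 9, 6): "0.9.6m", (0, 9, 7): "0.9.7d"}


def known_issues(version):
    """CVE candidates whose stated range contains `version`, in AFFECTED order."""
    v = parse_version(version)
    return [
        cve for cve, ranges in AFFECTED.items()
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)
    ]


def older_than_update(version):
    """True if `version` is on a branch this advisory updates and is older than
    the shipped fix; this also catches the 0.9.6 infinite-loop issue, for which
    the advisory gives no exact range."""
    v = parse_version(version)
    fixed = SHIPPED_FIX.get(v[:3])
    return fixed is not None and v < parse_version(fixed)


def assess(banner):
    """Summarise one 'openssl version' banner as a dict a script can act on."""
    ver = version_from_banner(banner)
    return {"version": ver, "issues": known_issues(ver), "needs_update": older_than_update(ver)}


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    print(assess(out))
```

The `needs_update` flag is the one to act on: a version with an empty `issues` list can still be older than 0.9.6m and therefore within the unbounded "certain versions of OpenSSL 0.9.6" bullet.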

     Impact :
        The vulnerabilities allow an attacker to cause a denial of service against OpenSSL.

     Affected Products :
        - Turbolinux Appliance Server 1.0 Hosting Edition
        - Turbolinux Appliance Server 1.0 Workgroup Edition
        - Turbolinux 10 Desktop
        - Turbolinux 8 Server
        - Turbolinux 8 Workstation
        - Turbolinux 7 Server
        - Turbolinux 7 Workstation
        - Turbolinux Server 6.5
        - Turbolinux Advanced Server 6
        - Turbolinux Server 6.1
        - Turbolinux Workstation 6.0

     Solution :
        Please use the turbopkg (zabom) tool to apply the update.
     ---------------------------------------------
     # turbopkg
     or
     [Turbolinux 10 Desktop]
     # zabom -u openssl openssl-compat openssl-devel

     [other]
     # zabom update openssl openssl-devel
     ---------------------------------------------

     <Turbolinux Appliance Server 1.0 Hosting Edition>

       Source Packages
       Size : MD5

       openssl-0.9.6m-1.src.rpm
          2265514 72b075667855cb90a53c325f8eca8e2e

       Binary Packages
       Size : MD5

       openssl-0.9.6m-1.i586.rpm
          1369208 bba436fa46e6d003f908151d5fdcd220
       openssl-devel-0.9.6m-1.i586.rpm
          1156435 9a01f7b30ea969ff1e2e0cb8de624a90

     <Turbolinux Appliance Server 1.0 Workgroup Edition>

       Source Packages
       Size : MD5

       openssl-0.9.6m-1.src.rpm
          2265514 08266734ac965a26dc6083f9b3fb7542

       Binary Packages
       Size : MD5

       openssl-0.9.6m-1.i586.rpm
          1367705 cb90be0ae5ea9756e2d1e1ecc7c0d523
       openssl-devel-0.9.6m-1.i586.rpm
          1157172 ef5019a72ff65524b529de656223b3ad

     <Turbolinux 10 Desktop>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/openssl-0.9.7d-1.src.rpm
          2793953 ab0c244579dcea53fa6f5f48505b0b5a
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/openssl-compat-0.9.6m-1.src.rpm
          2265321 e03a6f6777dd03c36e31710c8febad77

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/openssl-0.9.7d-1.i586.rpm
          1218800 eb84ac4173b36ce151f803cb60eb8bdd
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/openssl-compat-0.9.6m-1.i586.rpm
           754120 459d2aab779bcb1f7334806f3da894f6
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/openssl-devel-0.9.7d-1.i586.rpm
          1479420 644f6d0e2f0999965417ace5e41853ac

     <Turbolinux 8 Server>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/openssl-0.9.6m-1.src.rpm
          2265514 dc0389b141a2c78c29d32d250ecb4987

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/openssl-0.9.6m-1.i586.rpm
          1367693 aacc89cbc22c431b780366c53003189a
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/openssl-devel-0.9.6m-1.i586.rpm
          1157874 707e421ad1b9f223fa822573bf8eb81a

     <Turbolinux 8 Workstation>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/openssl-0.9.6m-1.src.rpm
          2265514 073e830786e49f88acf8439b0a14b717

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/openssl-0.9.6m-1.i586.rpm
          1367591 1d99d917b5f01b61030660045c10f35e
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/openssl-devel-0.9.6m-1.i586.rpm
          1158207 8b6cbae3a04ff320e847336c0a23a24e

     <Turbolinux 7 Server>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/openssl-0.9.6m-1.src.rpm
          2265514 132dabe2c91ab0227ff56b85340dc98c

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/openssl-0.9.6m-1.i586.rpm
          1337061 99f13d9b84819eae9025465f77ea6c5a
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/openssl-devel-0.9.6m-1.i586.rpm
          1140489 301ef33ceefc4922ca59b84b10250dbe

     <Turbolinux 7 Workstation>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/openssl-0.9.6m-1.src.rpm
          2265514 4be185ab3a40e0e0982de7cabebaceb0

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/openssl-0.9.6m-1.i586.rpm
          1337293 9e51b81ed1a4ac73a43f80c4a78b9a39
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/openssl-devel-0.9.6m-1.i586.rpm
          1141285 0a9a7085891aec85f742b2eee1647d29

     <Turbolinux Server 6.5>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/SRPMS/openssl-0.9.6m-1.src.rpm
          2265514 fb4550e5daa482a1978464e8a1272b3c

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/openssl-0.9.6m-1.i386.rpm
          1466724 7e303efabc213f57fe6f3eed50f62ef0
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/openssl-devel-0.9.6m-1.i386.rpm
          1273395 557dfc469d06aea2564a9a14a248ea24

     <Turbolinux Advanced Server 6>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/SRPMS/openssl-0.9.6m-1.src.rpm
          2265514 9b0c792b110e7d2e43ff83d072ea647d

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/openssl-0.9.6m-1.i386.rpm
          1466757 9a76ebcb8a5c390fe4880e750bedeeb2
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/openssl-devel-0.9.6m-1.i386.rpm
          1273434 680429a3bf0235c7958ee7b9f02ebab5

     <Turbolinux Server 6.1>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/SRPMS/openssl-0.9.6m-1.src.rpm
          2265514 0a2f1d263ae5bbaeb18f81551743590d

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/openssl-0.9.6m-1.i386.rpm
          1466752 c0696ff96729f4218cd588d94033b5c4
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/openssl-devel-0.9.6m-1.i386.rpm
          1273499 49af08dd7d0b08fd701d61c4f7f11983

     <Turbolinux Workstation 6.0>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/openssl-0.9.6m-1.src.rpm
          2265514 f83b24f5112c3e66c9122af6199e0ac5

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/openssl-0.9.6m-1.i386.rpm
          1466745 6f982e6da0d92b23139e111e50143e05
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/openssl-devel-0.9.6m-1.i386.rpm
          1273391 0dec09ad6bfedccfe0157828d682bb80

     References :

     CVE
       [CAN-2004-0079]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
       [CAN-2004-0081]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081
       [CAN-2004-0112]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112

     * You may need to update the turbopkg tool before applying the update.
    Please refer to the following URL for detailed information.

      http://www.turbolinux.com/download/zabom.html
      http://www.turbolinux.com/download/zabomupdate.html

    Package Update Path
    http://www.turbolinux.com/update

    ============================================================
     * To obtain the public key

    Here is the public key

     http://www.turbolinux.com/security/

     * To unsubscribe from the list

    If you ever want to remove yourself from this mailing list,
      you can send a message to <server-users-e-ctl@turbolinux.co.jp> with
    the word `unsubscribe' in the body (don't include the quotes).

    unsubscribe

     * To change your email address

    If you ever want to change your email address in this mailing list,
      you can send a message to <server-users-e-ctl@turbolinux.co.jp> with
    the following command in the message body:

      chaddr 'old address' 'new address'

    If you have any questions or problems, please contact
    <supp_info@turbolinux.co.jp>

    Thank you!

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.3 (GNU/Linux)

    iD8DBQFAaT3XK0LzjOqIJMwRAiGzAKCELg6b7BGsFwoe8wEz+tEa/2HQSwCfZHc3
    kQl/1RPs7beiWawymqePdjI=
    =Cgq/
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

