[Full-Disclosure] [TURBOLINUX SECURITY INFO] 31/Aug/2004

From: Turbolinux (security-announce_at_turbolinux.co.jp)
Date: 08/31/04

    To: security-announce@turbolinux.co.jp
    Date: Tue, 31 Aug 2004 18:03:29 +0900
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    This is an announcement only email list for the x86 architecture.
    ============================================================
    Turbolinux Security Announcement 31/Aug/2004
    ============================================================

    The following page contains the security information of Turbolinux Inc.

     - Turbolinux Security Center
       http://www.turbolinux.com/security/

     (1) rsync -> path-sanitizing bug
     (2) qt -> Multiple vulnerabilities in Qt

    ===========================================================
    * rsync -> path-sanitizing bug
    ===========================================================

     More information :
        rsync uses the "rsync algorithm", which provides a very fast method for bringing
        remote files into sync. It does this by sending just the differences between files
        across a link, without requiring that both sets of files be present at one end of
        the link beforehand.
        A vulnerability has been discovered in the sanitize_path function in rsync's util.c
        which allows attackers to read and/or write certain files when chroot is disabled.

     Impact :
        Remote attackers may be able to read and write files they should not be able to access.
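    The check that a path sanitizer has to get right when no chroot backs it up, as an added illustration that is not rsync's own code: a lexical normalizer that keeps every client-supplied path under an assumed module_root, with the sample request strings constructed for the demonstration.

```python
import posixpath


def sanitize_path(requested):
    """Lexically normalize a client-supplied path so it can never name
    anything above the module root.

    This is the job rsync's sanitize_path() in util.c has when the daemon
    runs with chroot disabled: there is no kernel boundary, so this string
    check is the only thing keeping the request inside the module. Absolute
    paths are treated as module-relative, "." and empty segments are
    dropped, and ".." pops the previous segment or, at the root, is
    clamped and flagged.

    Returns (relative_path, escaped); escaped is True when the request
    tried to climb above the root, which a daemon should log and may refuse.
    """
    parts = []
    escaped = False
    for seg in requested.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escaped = True  # would leave the module root; clamp here
            continue
        parts.append(seg)
    return "/".join(parts), escaped


def resolve_in_module(module_root, requested):
    """Map a request onto the module directory and re-check containment.

    The second check is deliberately redundant: it catches any later edit
    to sanitize_path() that lets a ".." or absolute path through.
    """
    rel, escaped = sanitize_path(requested)
    root = posixpath.normpath(module_root)
    full = posixpath.normpath(posixpath.join(root, rel)) if rel else root
    if full != root and not full.startswith(root.rstrip("/") + "/"):
        raise ValueError("sanitized path escaped module root: %r" % requested)
    return full, escaped


if __name__ == "__main__":
    # Constructed sample requests, as a read-only module "pub" might see.
    for req in ("docs/README", "/etc/passwd", "../../etc/passwd", "a/b/../c"):
        full, escaped = resolve_in_module("/srv/rsync/pub", req)
        print("%-18s -> %s escaped=%s" % (req, full, escaped))
```

    The check is purely lexical: a symlink inside the module that points outside it is not caught here, which is why a chroot (or a realpath check against the module root) remains the stronger boundary.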

     Affected Products :
        - Turbolinux 10 F...
        - Turbolinux 10 Desktop
        - Turbolinux 8 Server
        - Turbolinux 8 Workstation
        - Turbolinux 7 Server
        - Turbolinux 7 Workstation

     Solution :
        Please use the turbopkg (zabom) tool to apply the update.
     ---------------------------------------------
     [Turbolinux 10 Desktop, Turbolinux 10 F...]
     # zabom -u libpng rsync

     [other]
     # turbopkg
     or
     # zabom update rsync
     ---------------------------------------------

     <Turbolinux 10 Desktop, Turbolinux 10 F...>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/rsync-2.6.2-2.src.rpm
           523642 18fee2909b5fe8fabab481209e7291a1

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/rsync-2.6.2-2.i586.rpm
           158416 b1188af123b121e7d967b9bcaf3cc249

     <Turbolinux 8 Server>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/rsync-2.6.2-2.src.rpm
           523642 3dbafb5ddcf1cf8b4b381abbe78c4270

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/rsync-2.6.2-2.i586.rpm
           155932 72e9e155f8cc3356bd64d2ece2a53e90

     <Turbolinux 8 Workstation>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/rsync-2.6.2-2.src.rpm
           523642 4352d162daeb6dcaa52fa7cd859c1d8a

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/rsync-2.6.2-2.i586.rpm
           155995 87f3eda08a37a1ff477af0d2d43b5945

     <Turbolinux 7 Server>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/rsync-2.6.2-2.src.rpm
           523642 afb8b736d359491027e191a453980e5b

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/rsync-2.6.2-2.i586.rpm
           152228 1961ff32165a00d1d2608db621295ff4

     <Turbolinux 7 Workstation>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/rsync-2.6.2-2.src.rpm
           523642 7ab289b125b4f6f3c29cb1f2e4b0de76

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/rsync-2.6.2-2.i586.rpm
           152243 53cb13bef3427bf8b5adb8e365f46652

     References:

     rsync
       http://samba.anu.edu.au/rsync/

     CVE
       [CAN-2004-0792]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0792

    ===========================================================
    * qt -> Multiple vulnerabilities in Qt
    ===========================================================

     More information :
        Qt is a complete, well-designed, multi-platform object-oriented framework for
        developing graphical user interface (GUI) applications in C++. Qt has seamless
        integration with the OpenGL/Mesa 3D libraries.
        The GIF and XML parsers in the Qt library are susceptible to a remote denial
        of service attack via a null pointer dereference triggered by malformed GIF or XML
        file input.

     Impact :
        This may allow remote attackers to cause a denial of service via a malformed GIF or XML file.

     Affected Products :
        - Turbolinux Appliance Server 1.0 Hosting Edition
        - Turbolinux Appliance Server 1.0 Workgroup Edition
        - Turbolinux 10 F...
        - Turbolinux 10 Desktop
        - Turbolinux 8 Server
        - Turbolinux 8 Workstation
        - Turbolinux 7 Server
        - Turbolinux 7 Workstation

     Solution :
        Please use the turbopkg (zabom) tool to apply the update.
     ---------------------------------------------
     [Turbolinux 10 Desktop, Turbolinux 10 F...]
     # zabom -u qt3 qt3-devel qt3-tools

     [other]
     # turbopkg
     or
     # zabom update qt qt-NSPlugin qt-Xt qt-devel
     ---------------------------------------------

     <Turbolinux 10 Desktop, Turbolinux 10 F...>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/qt3-3.2.3-8.src.rpm
         14026174 8d3461dbf7842da766e0592cfc4a1b55

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/qt3-3.2.3-8.i586.rpm
          5367561 89975c7f0d8dae1675e5135c56e722a6
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/qt3-devel-3.2.3-8.i586.rpm
          3013232 62270f0a0dbf9c830a8c098a1b99a1fe
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/qt3-tools-3.2.3-8.i586.rpm
          2008971 f4896e57a5b8cdc5215391d05f3fb903

     <Turbolinux 8 Server>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/qt-2.3.1-22.src.rpm
          9323108 93c636502e00818cc9c30739931ca649

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/qt-2.3.1-22.i586.rpm
          4586275 a9b3d06fb41e458e5080b3e9ae7c88ba
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/qt-NSPlugin-2.3.1-22.i586.rpm
           151451 0524bbf8a2719666030cb605227b289e
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/qt-Xt-2.3.1-22.i586.rpm
            48073 eb0551aa1315db64cfeef8d7c6bc07f1
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/qt-devel-2.3.1-22.i586.rpm
          6582027 0f4fd868c7586a9a4dd0da74d9432383

     <Turbolinux 8 Workstation>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/qt-2.3.1-22.src.rpm
          9323108 c795a4d92346142c544d98e92a41bd94

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/qt-2.3.1-22.i586.rpm
          4585883 ad71a31ed173824b9b3cbc639eb60a98
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/qt-NSPlugin-2.3.1-22.i586.rpm
           151663 546774ab62b2585a3ce1001bc06b1c57
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/qt-Xt-2.3.1-22.i586.rpm
            48077 6ffee17848f80b66256fa0f1a949c097
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/qt-devel-2.3.1-22.i586.rpm
          6582669 a6e07283b8ebe59f4c0114f7a6f4b985

     <Turbolinux 7 Server>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/qt-2.3.1-22.src.rpm
          9323108 abcd939f856cda3483316f8f9657251e

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/qt-2.3.1-22.i586.rpm
          4431599 36afff671a32a29304c3e0357d03b966
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/qt-NSPlugin-2.3.1-22.i586.rpm
           150154 89730e78c6f7a408371c9a1a5f664c76
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/qt-Xt-2.3.1-22.i586.rpm
            46815 0d25385a3fc9021072a960ab5a2f76de
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/qt-devel-2.3.1-22.i586.rpm
          6548456 65ba8ec22aebee8c2d3e8595784c989b

     <Turbolinux 7 Workstation>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/qt-2.3.1-22.src.rpm
          9323108 f6666361d752d211b6caa0bf653c75d4

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/qt-2.3.1-22.i586.rpm
          4430750 d9d9b64005b6120c22c66e0e369ec7eb
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/qt-NSPlugin-2.3.1-22.i586.rpm
           149892 f819e00cafdf5dea46df38f2b95830c8
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/qt-Xt-2.3.1-22.i586.rpm
            46829 dfb530b8d059f5af3d329e22d7fa7d26
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/qt-devel-2.3.1-22.i586.rpm
          6549222 f530ad599fbbe69828244028cfa5a70a

     References:

     CVE
       [CAN-2004-0691]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0691
       [CAN-2004-0692]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0692
       [CAN-2004-0693]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0693

     * You may need to update the turbopkg tool before applying the update.
       Please refer to the following URL for detailed information.

      http://www.turbolinux.com/download/zabom.html
      http://www.turbolinux.com/download/zabomupdate.html

    Package Update Path
    http://www.turbolinux.com/update

    ============================================================
     * To obtain the public key

    Here is the public key

     http://www.turbolinux.com/security/

     * To unsubscribe from the list

    If you ever want to remove yourself from this mailing list,
      you can send a message to <server-users-e-ctl@turbolinux.co.jp> with
    the word `unsubscribe' in the body (don't include the quotes).

    unsubscribe

     * To change your email address

    If you ever want to change your email address in this mailing list,
      you can send a message to <server-users-e-ctl@turbolinux.co.jp> with
    the following command in the message body:

      chaddr 'old address' 'new address'

    If you have any questions or problems, please contact
    <supp_info@turbolinux.co.jp>

    Thank you!

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.6 (GNU/Linux)

    iD8DBQFBND7mK0LzjOqIJMwRAmF/AJ9xm3HTZhtrRE1w/nekUlswn+AZPQCgu+Yf
    gz/ux9mpEZo8HdYu+NkDICY=
    =gMtC
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

