[Full-Disclosure] [TURBOLINUX SECURITY INFO] 16/Sep/2004

From: Turbolinux (security-announce_at_turbolinux.co.jp)
Date: 09/16/04

    To: security-announce@turbolinux.co.jp
    Date: Thu, 16 Sep 2004 14:18:09 +0900
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    This is an announcement only email list for the x86 architecture.
    ============================================================
    Turbolinux Security Announcement 16/Sep/2004
    ============================================================

    The following page contains the security information of Turbolinux Inc.

     - Turbolinux Security Center
       http://www.turbolinux.com/security/

     (1) krb5 -> Double-free vulnerabilities allow arbitrary code execution
     (2) php -> Non-filtering of null characters allows processing of dangerous tags
     (3) squid -> Vulnerability allowing bypassing of access control lists
     (4) samba -> Recently discovered buffer overflow vulnerabilities
     (5) cdrtools -> euid program
     (6) imlib -> Multiple reported buffer overflow vulnerabilities
     (7) httpd -> Two vulnerabilities discovered in httpd

    ===========================================================
    * krb5 -> Double-free vulnerabilities allow arbitrary code execution
    ===========================================================

     More information :
        Kerberos V5 is a trusted-third-party network authentication system,
        which can improve your network's security by eliminating the insecure
        practice of cleartext passwords.

        Double-free vulnerabilities exist in MIT Kerberos 5.

     Impact :
        Allows remote attackers to execute arbitrary code.

     Affected Products :
        - Turbolinux Appliance Server 1.0 Hosting Edition
        - Turbolinux Appliance Server 1.0 Workgroup Edition
        - Turbolinux 10 F...
        - Turbolinux 10 Desktop
        - Turbolinux 8 Server

     Solution :
        Please use the turbopkg (zabom) tool to apply the update.
     ---------------------------------------------
     [Turbolinux 10 Desktop, Turbolinux 10 F...]
     # zabom -u krb5-devel krb5-libs krb5-server krb5-workstation

     [other]
     # turbopkg
     or
     # zabom update krb5-devel krb5-libs krb5-server krb5-workstation
     ---------------------------------------------

     <Turbolinux Appliance Server 1.0 Hosting Edition>

       Source Packages
       Size : MD5

       krb5-1.2.5-15.src.rpm
          5517434 ed8f49991f1522edb5bc0a70d8e784c1

       Binary Packages
       Size : MD5

       krb5-devel-1.2.5-15.i586.rpm
           538565 4c2a133f8020ce1d496f2a98358f2905
       krb5-libs-1.2.5-15.i586.rpm
           638443 6f6b12674fcad5cb54f7217710fdab5a
       krb5-server-1.2.5-15.i586.rpm
           602362 be44d53907e93483422234a8cbca86b4
       krb5-workstation-1.2.5-15.i586.rpm
           601953 1cbe0486d979fb22cb28667fa173e682

     <Turbolinux Appliance Server 1.0 Workgroup Edition>

       Source Packages
       Size : MD5

       krb5-1.2.5-15.src.rpm
          5517434 5e5d2206a82188bbc18c4d64d21d79cf

       Binary Packages
       Size : MD5

       krb5-devel-1.2.5-15.i586.rpm
           538347 8c5da942c8cce6f96c262e8bb2f01c99
       krb5-libs-1.2.5-15.i586.rpm
           638600 4caa141b2c6d7a0ab412aaa3436215ea
       krb5-server-1.2.5-15.i586.rpm
           602767 5610b9e3b3749f9febf04b0c2a517b63
       krb5-workstation-1.2.5-15.i586.rpm
           601875 1e9b47473730cf84c8e4030bb1a844e1

     <Turbolinux 10 Desktop, Turbolinux 10 F...>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/krb5-1.2.5-15.src.rpm
          5517434 3b81c31d80f99fa91c3e647fd327337c

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/krb5-devel-1.2.5-15.i586.rpm
           577318 cb7ef4827cee8789de73c05ee5bf7e73
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/krb5-libs-1.2.5-15.i586.rpm
           343425 774777d19c467b4a155592193df36acb
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/krb5-server-1.2.5-15.i586.rpm
           601753 7b73e1c17a36992c2f24079981d53d91
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/krb5-workstation-1.2.5-15.i586.rpm
           591287 58c3d0ac67c604394c9ac8177231472e

     <Turbolinux 8 Server>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/krb5-1.2.5-15.src.rpm
          5517434 79a0e8ebe4646d2439dff38c61c4697c

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/krb5-devel-1.2.5-15.i586.rpm
           576177 51e8f5b891bcc849581adbde8260ed61
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/krb5-libs-1.2.5-15.i586.rpm
           639231 472a5684e98f05f441735814414d1602
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/krb5-server-1.2.5-15.i586.rpm
           602771 4efde019247ee9e0f07f449424089741
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/krb5-workstation-1.2.5-15.i586.rpm
           602058 217b68738b9ce8f7a443cbf210336f66

     References:

     Kerberos: The Network Authentication Protocol
       [MIT krb5 Security Advisory 2004-002]
       http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt
       [MIT krb5 Security Advisory 2004-003]
       http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt

     CVE
       [CAN-2004-0642]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642
       [CAN-2004-0643]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643
       [CAN-2004-0644]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0644
       [CAN-2004-0772]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0772

    ===========================================================
    * php -> Non-filtering of null characters allows processing of dangerous tags
    ===========================================================

     More information :
        PHP is an HTML-embedded scripting language.
        The strip_tags function in PHP does not filter null (\0) characters
        within tag names when restricting input to allowed tags.

        This allows dangerous tags to be processed by web browsers such as Internet
        Explorer and Safari, which ignore null characters; this facilitates the
        exploitation of cross-site scripting (XSS) vulnerabilities.

     Impact :
        Bug allows dangerous tags to be processed by web browsers such as Internet
        Explorer and Safari.

     Affected Products :
        - Turbolinux Appliance Server 1.0 Hosting Edition
        - Turbolinux Appliance Server 1.0 Workgroup Edition
        - Turbolinux 8 Server
        - Turbolinux 8 Workstation
        - Turbolinux 7 Server
        - Turbolinux 7 Workstation

     Solution :
        Please use the turbopkg (zabom) tool to apply the update.
     ---------------------------------------------
     # turbopkg
     or
     # zabom update php php-gd php-imap php-ldap php-manual php-mysql php-pgsql
     ---------------------------------------------

     <Turbolinux Appliance Server 1.0 Hosting Edition>

       Source Packages
       Size : MD5

       php-4.2.3-19.src.rpm
          3595053 c5665ad3dfdc9b2c47df0324e328839c

       Binary Packages
       Size : MD5

       php-4.2.3-19.i586.rpm
          1631015 77b646a14c8f3ee3f19dac0ad449bb5d
       php-gd-4.2.3-19.i586.rpm
            30936 41f5017420fe063f3398fa916d80c02d
       php-imap-4.2.3-19.i586.rpm
             8924 0f6327426c38c905578a517d56cd8c8f
       php-ldap-4.2.3-19.i586.rpm
            24373 587fb2a24cd98de18b1a3a137245d56b
       php-manual-4.2.3-19.i586.rpm
           341528 cd81ac7b368b227e2edd1603f9cc5e48
       php-ming-4.2.3-19.i586.rpm
            32944 1739caa35757dd9b4d3a5d59f5bd256c
       php-mysql-4.2.3-19.i586.rpm
            90514 190b14a4a296773ab4af7c258aa197c2
       php-pgsql-4.2.3-19.i586.rpm
            35173 346b240a7e308808e8521fe2ed667b4b

     <Turbolinux Appliance Server 1.0 Workgroup Edition>

       Source Packages
       Size : MD5

       php-4.2.3-19.src.rpm
          3595053 c8783be19d61d2273c78a9303ef27358

       Binary Packages
       Size : MD5

       php-4.2.3-19.i586.rpm
          1631015 cc062d269ab438d266623e0fd699fe06
       php-gd-4.2.3-19.i586.rpm
            30936 f16e2ee4c1c77842b88a72f84b741ccc
       php-imap-4.2.3-19.i586.rpm
             8924 26cb4e93c285ffb1b67630b3f8690f21
       php-ldap-4.2.3-19.i586.rpm
            24373 c0e61dbec891cdcf6068a33b42ac4eeb
       php-manual-4.2.3-19.i586.rpm
           341528 6cf984f840d4ae781f0e15052ec2c1b6
       php-ming-4.2.3-19.i586.rpm
            32944 00331f4b38361c4700f5510a67b1ef89
       php-mysql-4.2.3-19.i586.rpm
            90514 d4d8546a52ca7b25c75066b02c48f99b
       php-pgsql-4.2.3-19.i586.rpm
            35173 9da7ffe196a63ac4535f8200840d5219

     <Turbolinux 8 Server>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/php-4.2.3-18.src.rpm
          3594911 b8cfa0df501e49b5b3f0e07129157097

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/php-4.2.3-18.i586.rpm
          1630931 c0931e43f76440e1228c87a845219cf8
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/php-gd-4.2.3-18.i586.rpm
            30794 387736b1a1bcae63c15ad2c9a0c22d9c
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/php-imap-4.2.3-18.i586.rpm
             8778 5fc23ff382c1c65f78279b8a2cab0aa1
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/php-ldap-4.2.3-18.i586.rpm
            24242 9dea304cc1189e525cd1663e3135c0f4
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/php-manual-4.2.3-18.i586.rpm
           341339 a614767749adab8e73d13de90c87fc1a
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/php-ming-4.2.3-18.i586.rpm
            32790 15df856e70940df33b9c0b8eb20d8ad7
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/php-mysql-4.2.3-18.i586.rpm
            90377 0ac3a2fe05f05f9a18a32f1b46350e73
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/php-pgsql-4.2.3-18.i586.rpm
            35044 7b9e0325c77e699c07511d4c155f6701

     <Turbolinux 8 Workstation>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/php-4.2.3-18.src.rpm
          3594911 53572cc94259f49e5b1431afd60738cf

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/php-4.2.3-18.i586.rpm
          1631918 7de3bbc72e4ec14cc076f40975b576d1
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/php-gd-4.2.3-18.i586.rpm
            30750 00d7e52198c52a84bf3b6a01b74ed09e
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/php-imap-4.2.3-18.i586.rpm
             8778 f48ba9d576d56ffe1dade4a08c1d69d4
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/php-ldap-4.2.3-18.i586.rpm
            24251 6335de34555ab561591b44932977597b
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/php-manual-4.2.3-18.i586.rpm
           341306 1ba564f74da044e2cba3ebca42c0445d
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/php-ming-4.2.3-18.i586.rpm
            32765 294b36a3c4fda4678b0d483566489435
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/php-mysql-4.2.3-18.i586.rpm
            90390 cf762723f2372ceaae9aafe1d435fefe
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/php-pgsql-4.2.3-18.i586.rpm
            35006 d893b278914eb9131069c0420d8bd08b

     <Turbolinux 7 Server>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/php-4.2.3-18.src.rpm
          3594911 cf77d9a9c0f2c2867dea80071db19d66

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/php-4.2.3-18.i586.rpm
          1603039 87887fbe74a6f1fa3fab6871db182850
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/php-imap-4.2.3-18.i586.rpm
             8789 36db776c43e3b28ea5985a359fb9734f
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/php-ldap-4.2.3-18.i586.rpm
            23812 5faaa8a4a2d9159acb0390054646b86e
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/php-manual-4.2.3-18.i586.rpm
           341234 95687623e096bf7560dddab45c9b295b
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/php-mysql-4.2.3-18.i586.rpm
            86194 5d5c6d7a371159773c76c43ce2ffc57f
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/php-pgsql-4.2.3-18.i586.rpm
            34876 8c87aec01c6a7ac4874d0344aa8707b3

     <Turbolinux 7 Workstation>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/php-4.2.3-18.src.rpm
          3594911 f30e9ec8cafd458f84ccb4dda299b8e1

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/php-4.2.3-18.i586.rpm
          1602159 07c7d83963a28e69b90ec0d95590acfc
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/php-imap-4.2.3-18.i586.rpm
             8782 5e1eb57bf77ab85142b2a9da349786ae
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/php-ldap-4.2.3-18.i586.rpm
            23800 b076306891335cf0b46f0d8a70d82078
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/php-manual-4.2.3-18.i586.rpm
           341187 259382021ddfe2f0cf13f655c3bc7c6c
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/php-mysql-4.2.3-18.i586.rpm
            86170 bcf6637eca00621f9e7cd11a630678a6
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/php-pgsql-4.2.3-18.i586.rpm
            34546 a4b2ca701c271ad27a1d553420fd7093

     Notice :
        After performing the update, it is necessary to restart the httpd daemon.
        To do this, run the following command as user root.
     ---------------------------------------------
     # /etc/init.d/httpd restart
     or
     # /etc/rc.d/init.d/httpd restart
     ---------------------------------------------

     References:

     CVE
       [CAN-2004-0595]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595

    ===========================================================
    * squid -> Vulnerability allowing bypassing of access control lists
    ===========================================================

     More information :
        Squid is a high-performance proxy caching server for web clients,
        supporting FTP, gopher, and HTTP data objects. Unlike traditional caching
        software, Squid handles all requests in a single, non-blocking, I/O-driven
        process. Squid contains a bug in the "%xx" URL decoding function.

     Impact :
        Squid allows users to bypass certain access controls.

     Affected Products :
        - Turbolinux Appliance Server 1.0 Hosting Edition
        - Turbolinux Appliance Server 1.0 Workgroup Edition
        - Turbolinux 8 Server
        - Turbolinux 8 Workstation
        - Turbolinux 7 Server
        - Turbolinux 7 Workstation

     Solution :
        Please use the turbopkg (zabom) tool to apply the update.
     ---------------------------------------------
     [Turbolinux 10 Desktop]
     # turboupdate
     # zabom --update squid

     [Other]
     # turbopkg
     # zabom update squid
     ---------------------------------------------

     <Turbolinux Appliance Server 1.0 Hosting Edition>

       Source Packages
       Size : MD5

       squid-2.5.STABLE6-9.src.rpm
          1537249 adefcef8e5ea06b761c5b24b4625ca17

       Binary Packages
       Size : MD5

       squid-2.5.STABLE6-9.i586.rpm
           825027 d89f00274f13f48aed8febbc4d6074da

     <Turbolinux Appliance Server 1.0 Workgroup Edition>

       Source Packages
       Size : MD5

       squid-2.5.STABLE6-9.src.rpm
          1537249 2b43bbc54587ead378e42fc7741db10b

       Binary Packages
       Size : MD5

       squid-2.5.STABLE6-9.i586.rpm
           825233 92cd7330fba772036ffd8133e228a7e8

     <Turbolinux 8 Server>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/squid-2.5.STABLE6-7.src.rpm
          1537103 75a80e22d6114bbaced972e834623bc5

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/squid-2.5.STABLE6-7.i586.rpm
           825297 349d1ac00a370a4f74dff6561d14af99

     <Turbolinux 8 Workstation>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/squid-2.5.STABLE6-7.src.rpm
          1537103 442eab27d98907ae17c463e6659f4d75

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/squid-2.5.STABLE6-7.i586.rpm
           826938 3b2bab2fe5e77f7a69e05081df29f26c

     <Turbolinux 7 Server>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/squid-2.5.STABLE6-7.src.rpm
          1537103 eefd85164d1615bf43aa0cc2e1f03ab6

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/squid-2.5.STABLE6-7.i586.rpm
           831095 4962a5bd06f88fea0ce9139084c07617

     <Turbolinux 7 Workstation>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/squid-2.5.STABLE6-7.src.rpm
          1537103 95bcaafa47d7362b5d8ea4c823c2d1d4

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/squid-2.5.STABLE6-7.i586.rpm
           830754 5b85fedb0652e6280dcca9f4a64c6488

     Notice :
        After performing the update, it is necessary to restart the squid daemon.
        To do this, run the following command as user root.
     ---------------------------------------------
     # /etc/init.d/squid restart
     or
     # /etc/rc.d/init.d/squid restart
     ---------------------------------------------

     References:

     www.squid-cache.org
       [Squid Proxy Cache Security Update Advisory SQUID-2004:1]
       http://www.squid-cache.org/Advisories/SQUID-2004_1.txt

     CVE
       [CAN-2004-0189]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0189

    ===========================================================
    * samba -> Recently discovered buffer overflow vulnerabilities
    ===========================================================

     More information :
        Samba is an Open Source/Free Software suite that provides seamless file
        and print services to SMB/CIFS clients. Samba is freely available,
        unlike other SMB/CIFS implementations, and allows for interoperability
        between Linux/Unix servers and Windows-based clients.

        Buffer overflow vulnerabilities have been discovered in Samba.

     Impact :
        The vulnerabilities allow remote attackers to cause a denial of service
        of Samba server services.

     Affected Products :
        - Turbolinux Appliance Server 1.0 Hosting Edition
        - Turbolinux Appliance Server 1.0 Workgroup Edition
        - Turbolinux 10 F...
        - Turbolinux 10 Desktop
        - Turbolinux 8 Server
        - Turbolinux 8 Workstation
        - Turbolinux 7 Server
        - Turbolinux 7 Workstation

     Solution :
        Please use the turbopkg (zabom) tool to apply the update.
     ---------------------------------------------
     [Turbolinux 10 Desktop, Turbolinux 10 F...]
     # zabom -u samba samba-devel smbfs

     [other]
     # turbopkg
     or
     # zabom update samba samba-devel smbfs
     ---------------------------------------------

     <Turbolinux Appliance Server 1.0 Hosting Edition>

       Source Packages
       Size : MD5

       samba-2.2.7a-9jaJP.src.rpm
          7155061 8ca20f8ef7abff0378e156f6e9bfe691

       Binary Packages
       Size : MD5

       samba-2.2.7a-9jaJP.i586.rpm
         11138937 732a5963e730fbf32c246e8530454c8d
       samba-devel-2.2.7a-9jaJP.i586.rpm
           498335 e75b73f05219d89601d9019c3297c67d
       smbfs-2.2.7a-9jaJP.i586.rpm
           628623 d3c6953e5151682716063c1e24f1b0b9

     <Turbolinux Appliance Server 1.0 Workgroup Edition>

       Source Packages
       Size : MD5

       samba-2.2.7a-9jaJP.src.rpm
          7155061 24f6ebac45b185817cbe8231971dcd9b

       Binary Packages
       Size : MD5

       samba-2.2.7a-9jaJP.i586.rpm
         11156327 6f227785d0b437fca45174e329663fd7
       samba-devel-2.2.7a-9jaJP.i586.rpm
           498628 bc0bac91bf5c3949de1323f053dd4717
       smbfs-2.2.7a-9jaJP.i586.rpm
           627672 3126e92cf4a7b362e453bc1f4080d891

     <Turbolinux 10 Desktop, Turbolinux 10 F...>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/samba-2.2.7a-9jaJP.src.rpm
          7155061 8054927fe099982a397ac760ebc58d0c

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/samba-2.2.7a-9jaJP.i586.rpm
         11164913 358acd4f1e0275f790bfa3e35c716a93
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/samba-devel-2.2.7a-9jaJP.i586.rpm
           512109 e7f669d855d34ed44ae6565a6466827e
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/smbfs-2.2.7a-9jaJP.i586.rpm
           639529 829fe8f003115948175e4cae8597ab0c

     <Turbolinux 8 Server>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/samba-2.2.7a-9jaJP.src.rpm
          7155061 9c9d4d37608c616e6b57f6c973bb7af5

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/samba-2.2.7a-9jaJP.i586.rpm
         11156883 4b1d3ff6391208bb1deb9fee7684a0ef
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/samba-devel-2.2.7a-9jaJP.i586.rpm
           498741 3ea5d49c2241ac4ea559c03b339e911f
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/smbfs-2.2.7a-9jaJP.i586.rpm
           627730 abe304db0bcccceb7f70103748ced80d

     <Turbolinux 8 Workstation>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/samba-2.2.7a-9jaJP.src.rpm
          7155061 9f06dd9aeef0e728e3306c1437c8986a

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/samba-2.2.7a-9jaJP.i586.rpm
         11156590 69ed28551d3d56c8d167afa0c112d3d1
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/samba-devel-2.2.7a-9jaJP.i586.rpm
           499299 d10f2ad626244e714896947a4476c36f
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/smbfs-2.2.7a-9jaJP.i586.rpm
           628307 896bf734f803d586e2b4a1a13fcb62fd

     <Turbolinux 7 Server>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/samba-2.2.7a-9jaJP.src.rpm
          7155061 c37a745290cc3cfb95f15930851ae7f7

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/samba-2.2.7a-9jaJP.i586.rpm
         11023429 77113ab8d22afcfc293638b28cb1fea2
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/samba-devel-2.2.7a-9jaJP.i586.rpm
           492829 cf806c7080241e15b0fea2900b2e5d50
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/smbfs-2.2.7a-9jaJP.i586.rpm
           612783 01ec4e0edc4020d2ef99bfa47a2279a8

     <Turbolinux 7 Workstation>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/samba-2.2.7a-9jaJP.src.rpm
          7155061 d6fec4fc966dcb092ab90ec6b6ecd737

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/samba-2.2.7a-9jaJP.i586.rpm
         11025378 bc2912f826163a4bbf0c7d642e2f246f
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/samba-devel-2.2.7a-9jaJP.i586.rpm
           492071 80ad52dc4b60246b2b54644d62fe41c5
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/smbfs-2.2.7a-9jaJP.i586.rpm
           612799 40f4bcbd87fb84e7131d3718f94bbcab

     References:

     samba
       [Release Notes for Samba 2.2.11]
       http://us1.samba.org/samba/history/samba-2.2.11.html

     CVE
       [CAN-2004-0186]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0186
       [CAN-2004-0686]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0686
       [CAN-2004-0829]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0829

    ===========================================================
    * cdrtools -> euid program
    ===========================================================

     More information :
        cdrtools is a collection of CD/DVD utilities.

        cdrecord, which is set-uid root, fails to drop the effective UID (of
        root -- euid=0) when it exec()s a program specified by the user via the
        $RSH environment variable.

     Impact :
        Allows local users to gain root privileges.

     Affected Products :
        - Turbolinux Appliance Server 1.0 Hosting Edition
        - Turbolinux Appliance Server 1.0 Workgroup Edition
        - Turbolinux 10 F...
        - Turbolinux 10 Desktop

     Solution :
        Please use the turbopkg (zabom) tool to apply the update.
     ---------------------------------------------
     [Turbolinux 10 Desktop, Turbolinux 10 F...]
     # zabom -u cdda2wav cdrtools cdrtools-devel mkisofs
     ---------------------------------------------

     <Turbolinux Appliance Server 1.0 Hosting Edition>

       Source Packages
       Size : MD5

       cdrtools-2.0-9.src.rpm
          2103029 be1b3126c773b8a07a6e078f2c425aa3

       Binary Packages
       Size : MD5

       cdrtools-2.0-9.i586.rpm
           672260 4f04c73f06d9a1c524806a48c59795a4
       cdrtools-devel-2.0-9.i586.rpm
           496602 f0dc69e2525aef9be1b677ef32a5ea89
       mkisofs-2.0-9.i586.rpm
           478674 de3ae493f085d7e841d8336f61b66cf1

     <Turbolinux Appliance Server 1.0 Workgroup Edition>

       Source Packages
       Size : MD5

       cdrtools-2.0-9.src.rpm
          2103029 f28d29b94dc9517406a59fd8d934c7f9

       Binary Packages
       Size : MD5

       cdrtools-2.0-9.i586.rpm
           671704 30173aba8f73337bf875fc095c855979
       cdrtools-devel-2.0-9.i586.rpm
           496706 3c6fdc57dbd94f28736fae3fa4f74853
       mkisofs-2.0-9.i586.rpm
           478790 0b0c20e1c5f84e670e211164fc8efe70

     <Turbolinux 10 Desktop, Turbolinux 10 F...>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/cdrtools-2.0-9.src.rpm
          2103029 aa0d05ec9760f08ca21ba230e73112d9

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/cdda2wav-2.0-9.i586.rpm
           166032 ff43311dc4cb87048a59e6147c6105a5
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/cdrtools-2.0-9.i586.rpm
           666550 5a77cc19f9cf1f58fa5dc51f04ceb18b
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/cdrtools-devel-2.0-9.i586.rpm
           497339 de65b8f21cdf636408cddc04f0f3ef1b
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/mkisofs-2.0-9.i586.rpm
           479449 a4a719a4a593cff75eb62ec5a337f1a9

     References:

     CVE
       [CAN-2004-0806]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0806
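
The cdrtools entry above describes a set-uid root program that exec()s a user-chosen helper without first giving up euid 0. The following is an added example, not code from cdrtools or Turbolinux, of the hardened pattern: drop privileges permanently in the child, verify the drop, and only then exec. The names `drop_privileges`, `run_user_helper` and the `DEMO_RSH` variable are hypothetical stand-ins for the $RSH handling.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Permanently give up set-uid/set-gid privilege and verify that it is gone.
 * Assumes a set-uid *root* binary (the cdrecord case): for a process with
 * euid 0, setgid()/setuid() set the real, effective and saved IDs together.
 * Returns 0 on success, -1 if the process might still hold privilege.
 */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the UID is dropped we may not be allowed to change it. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* Never trust the return codes alone; re-read the effective IDs. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;

    /* An unprivileged caller must not be able to climb back to root. */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;

    return 0;
}

/*
 * Run the helper named by the environment variable env_name (hypothetical
 * stand-in for $RSH), or fallback if it is unset or empty. The helper is
 * user-controlled, so it is executed only after the child has dropped
 * privileges. Returns the helper's exit status, 126 if the drop failed,
 * 127 if exec failed, or -1 on fork/wait errors.
 */
int run_user_helper(const char *env_name, const char *fallback)
{
    const char *helper = getenv(env_name);
    if (helper == NULL || *helper == '\0')
        helper = fallback;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: refuse to exec anything while privilege may remain. */
        if (drop_privileges() != 0)
            _exit(126);
        execlp(helper, helper, (char *)NULL);
        _exit(127); /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demo input: "true" stands in for a user-supplied helper. */
    setenv("DEMO_RSH", "true", 1);
    int rc = run_user_helper("DEMO_RSH", "false");
    printf("helper exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Exit code 126 separates "privilege drop could not be verified" from 127, "helper could not be executed", so a failed drop is never silently followed by an exec.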

    ===========================================================
    * imlib -> Multiple reported buffer overflow vulnerabilities
    ===========================================================

     More information :
        Imlib is a display depth-independent image loading and rendering library.

        Multiple buffer overflow vulnerabilities are reported to exist in Imlib.

     Impact :
        Allows remote attackers to execute arbitrary code via malformed image files.

     Affected Products :
        - Turbolinux 10 F...
        - Turbolinux 10 Desktop
        - Turbolinux 8 Server
        - Turbolinux 8 Workstation
        - Turbolinux 7 Server
        - Turbolinux 7 Workstation

     Solution :
        Please use the turbopkg (zabom) tool to apply the update.
     ---------------------------------------------
     [Turbolinux 10 Desktop, Turbolinux 10 F...]
     # zabom -u imlib imlib-cfgeditor imlib-devel

     [other]
     # turbopkg
     or
     # zabom update imlib imlib-cfgeditor imlib-devel
     ---------------------------------------------

     <Turbolinux 10 Desktop, Turbolinux 10 F...>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/imlib-1.9.14-7.src.rpm
           667541 c6570195df630130e797228163e60ba1

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/imlib-1.9.14-7.i586.rpm
           157239 4f4b0f9757fa7b11fa608f9d9a87d25d
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/imlib-cfgeditor-1.9.14-7.i586.rpm
           235906 05d6ac550ca3abcbf21137189d338325
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/imlib-devel-1.9.14-7.i586.rpm
           227003 d1fbaf39ccfa41b93d1f493cf2d43ec8

     <Turbolinux 8 Server>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/imlib-1.9.13-9.src.rpm
           833109 575a131cbe10f1d933b3e1c780a15601

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/imlib-1.9.13-9.i586.rpm
           137593 52a6dda17e323dcb18c7e66d994562d8
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/imlib-cfgeditor-1.9.13-9.i586.rpm
           234711 15c1295d9864f3901aa8e36c381cabb4
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/imlib-devel-1.9.13-9.i586.rpm
           226984 431e9a2e3d3f00911183568cd7a48405

     <Turbolinux 8 Workstation>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/imlib-1.9.13-9.src.rpm
           833109 57e15f0fea366bb012dba49452c14951

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/imlib-1.9.13-9.i586.rpm
           137511 a20c57441ad495d7c3b91b2bef7940d4
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/imlib-cfgeditor-1.9.13-9.i586.rpm
           234724 b7aa88e28e92c2e309f98187d39ba65e
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/imlib-devel-1.9.13-9.i586.rpm
           226902 9461360152ccf484753308f99b1f2e04

     <Turbolinux 7 Server>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/imlib-1.9.10-6.src.rpm
           791546 a8827407f4f9ed8d9c29634b4a67fdb4

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/imlib-1.9.10-6.i586.rpm
           127948 2cd3d05c20c7750020d511ece886a8b6
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/imlib-devel-1.9.10-6.i586.rpm
           218376 d2b032fa3d5cf635b2ae41cce32a2a7c

     <Turbolinux 7 Workstation>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/imlib-1.9.10-6.src.rpm
           791546 46d8da2102c16ab8969fcaf9d20e9c6a

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/imlib-1.9.10-6.i586.rpm
           127902 52a2ed6a20bfcff99538b8ac491c928d
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/imlib-cfgeditor-1.9.10-6.i586.rpm
           233270 9aa7e9b4f8ad959bd94ce8dca56fdc4c
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/imlib-devel-1.9.10-6.i586.rpm
           218378 a828b365f4954a2811a60911f378c200

     References:

     CVE
       [CAN-2004-0817]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0817

    ===========================================================
    * httpd -> Two vulnerabilities discovered in httpd
    ===========================================================

     More information :
        Apache is a powerful, full-featured, efficient, and freely-available
        Web server. Apache is also the most popular Web server on the Internet.

        The identified vulnerability is in the apr-util library.

        The buffer overflow occurs when expanding ${ENVVAR} constructs in
        .htaccess or httpd.conf files.

     Impact :
        Allows remote attackers to cause a denial of service of the Apache server.

     Affected Products :
        - Turbolinux 10 F...
        - Turbolinux 10 Desktop

     Solution :
        Please use the turbopkg (zabom) tool to apply the update.
     ---------------------------------------------
     [Turbolinux 10 Desktop, Turbolinux 10 F...]
     # zabom -u httpd httpd-devel httpd-manual mod_ssl
     ---------------------------------------------

     <Turbolinux 10 Desktop, Turbolinux 10 F...>

       Source Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/httpd-2.0.48-6.src.rpm
          6349140 5f7d07ffed7377c7742d6a12985d5464

       Binary Packages
       Size : MD5

       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/httpd-2.0.48-6.i586.rpm
           891145 9a87f6912acfc584752b9436b5023493
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/httpd-devel-2.0.48-6.i586.rpm
           304443 ca0b114156d1224560fff651c89a6bfd
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/httpd-manual-2.0.48-6.i586.rpm
           914827 782a5e709b19f37ce0333ed73fad0aed
       ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/mod_ssl-2.0.48-6.i586.rpm
            76883 9a35f890210fb547b32a983e33416d8a

     References:

     CVE
       [CAN-2004-0747]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747
       [CAN-2004-0786]
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786

     * You may need to update the turbopkg tool before applying the update.
    Please refer to the following URL for detailed information.

      http://www.turbolinux.com/download/zabom.html
      http://www.turbolinux.com/download/zabomupdate.html

    Package Update Path
    http://www.turbolinux.com/update

    ============================================================
     * To obtain the public key

    Here is the public key

     http://www.turbolinux.com/security/

     * To unsubscribe from the list

    If you ever want to remove yourself from this mailing list,
      you can send a message to <server-users-e-ctl@turbolinux.co.jp> with
    the word `unsubscribe' in the body (don't include the quotes).

    unsubscribe

     * To change your email address

    If you ever want to change your email address in this mailing list,
      you can send a message to <server-users-e-ctl@turbolinux.co.jp> with
    the following command in the message body:

      chaddr 'old address' 'new address'

    If you have any questions or problems, please contact
    <supp_info@turbolinux.co.jp>

    Thank you!

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.6 (GNU/Linux)

    iD8DBQFBSSIVK0LzjOqIJMwRAuQNAKC6dotXPPOvgLm/J2BkHTn01I1EMQCfZaGd
    uGd34EbV5PsMKo+nshlPkGQ=
    =qyd7
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
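
The package listings in this advisory put each URL on one line and its size and MD5 on the next. As an added example (not part of the Turbolinux advisory or its tooling), the Python code below parses that layout and checks a downloaded file against it. Entries are keyed by full URL because the same file name appears under more than one product with different sums; the function names, the mirror.example URL and the demo files are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# One entry = a URL line ending in .rpm, then "<size> <md5>" on the next line.
ENTRY_RE = re.compile(
    r"^[ \t]*(\S+://\S+\.rpm)[ \t]*\n[ \t]*(\d+)[ \t]+([0-9a-f]{32})[ \t]*$", re.M)

def parse_listing(text):
    """Map full URL -> (size, md5). File names alone are not unique across products."""
    return {m.group(1): (int(m.group(2)), m.group(3)) for m in ENTRY_RE.finditer(text)}

def verify(path, url, listing):
    """Return 'ok', 'unlisted', 'size-mismatch' or 'md5-mismatch'."""
    if url not in listing:
        return "unlisted"
    size, md5 = listing[url]
    if os.path.getsize(path) != size:   # cheap check first: catches truncated transfers
        return "size-mismatch"
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return "ok" if digest.hexdigest() == md5 else "md5-mismatch"

def demo():
    """Constructed sample: stand-in files and a listing built for them, not real packages."""
    data = b"constructed stand-in for an RPM payload\n"
    url = "ftp://mirror.example/updates/RPMS/sample-1.0-1.i586.rpm"  # hypothetical URL
    listing = parse_listing(f"   {url}\n       {len(data)} {hashlib.md5(data).hexdigest()}\n")
    with tempfile.TemporaryDirectory() as d:
        results = []
        for name, body in (("good", data), ("flipped", data.replace(b"RPM", b"rpm")), ("short", data[:-5])):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(body)
            results.append(verify(path, url, listing))
        return results

if __name__ == "__main__":
    print(demo())
```

The MD5 comparison only detects a corrupted or swapped download; the listing itself is trustworthy only if the advisory's PGP signature verifies.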

