From security-announce@turbolinux.co.jp Wed Sep 17 15:30:09 2003
From: Turbolinux
Resent-From: security-announce@turbolinux.co.jp
To: security-announce@turbolinux.co.jp
Resent-To: server-users-e@turbolinux.co.jp (moderated)
Date: Wed, 17 Sep 2003 19:28:55 +0900
Reply-To: server-users-e@turbolinux.co.jp
Subject: [Full-Disclosure] [TURBOLINUX SECURITY INFO] 17/Sep/2003

This is an announcement only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 17/Sep/2003
============================================================

The following page contains the security information of Turbolinux Inc.

 - Turbolinux Security Center
   http://www.turbolinux.com/security/

 (1) openssh -> Buffer management errors

===========================================================
* openssh -> Buffer management errors
===========================================================

 More information :
    OpenSSH is a FREE version of the SSH protocol suite of network
    connectivity tools that increasing numbers of people on the Internet
    are coming to rely on.
    All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
    management errors.

 Impact :
    This vulnerability may allow a remote attacker to execute arbitrary code.

 Affected Products :
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation
    - Turbolinux Server 6.5
    - Turbolinux Advanced Server 6
    - Turbolinux Server 6.1
    - Turbolinux Workstation 6.0

 Solution :
    Please use turbopkg tool to apply the update.

 Notice :
    After performing the update, it is necessary to restart the sshd
    secure shell daemon. To do this, run the following command as user root.
    ---------------------------------------------
    # /etc/init.d/sshd restart
    or
    # /etc/rc.d/init.d/sshd restart
    ---------------------------------------------

 References :

 openssh-unix-announce
   [OpenSSH 3.7 released]
   http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000062.html
   [OpenSSH 3.7.1 released]
   http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000064.html

 CERT Advisory
   [CA-2003-24]
   http://www.cert.org/advisories/CA-2003-24.html

 CVE
   [CAN-2003-0693]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693

--------------------------------------------------------------------------
 Revision History
    17 Sep 2003 Initial release
--------------------------------------------------------------------------

 * You may need to update the turbopkg tool before applying the update.
 Please refer to the following URL for detailed information.

  http://www.turbolinux.com/download/zabom.html
  http://www.turbolinux.com/download/zabomupdate.html

 Package Update Path
 http://www.turbolinux.com/update

============================================================
 * To obtain the public key

 Here is the public key

  http://www.turbolinux.com/security/
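
The advisory's cut-off ("prior to 3.7.1") can be checked against the version banner a host presents once the update and restart are done. The script below is an added example, not part of the Turbolinux advisory; the function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify OpenSSH version banners
# against 3.7.1, the release the advisory names as the first fixed one.
# Function names and sample banners are constructed for illustration.

FIXED_VERSION="3.7.1"

# Print the numeric version (e.g. 3.6.1) found after "OpenSSH_"; the
# portable suffix (p1, p2, ...) is dropped. Returns 1 if none is found.
openssh_version() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\(\.[0-9][0-9]*\)\{1,2\}\).*/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Return 0 if dotted version $1 is strictly lower than $2. Fields are
# compared as numbers, and a missing field counts as 0 (3.7 < 3.7.1).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print "affected", "fixed" or "unknown" for one banner string.
classify_banner() {
    v=$(openssh_version "$1") || { echo unknown; return 0; }
    if version_lt "$v" "$FIXED_VERSION"; then echo affected; else echo fixed; fi
}

# Constructed sample banners, one per line.
while IFS= read -r banner; do
    printf '%-28s %s\n' "$banner" "$(classify_banner "$banner")"
done <<'EOF'
SSH-1.99-OpenSSH_3.6.1p2
SSH-2.0-OpenSSH_3.7p1
SSH-1.99-OpenSSH_3.7.1p1
SSH-2.0-dropbear_0.52
EOF
```

The banner comes from the running daemon, so a host that was updated but not restarted as the Notice requires still classifies as affected.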