From security-announce@turbolinux.co.jp Mon Oct 20 15:23:47 2003
From: Turbolinux
Resent-From: security-announce@turbolinux.co.jp
To: security-announce@turbolinux.co.jp
Resent-To: server-users-e@turbolinux.co.jp (moderated)
Date: Mon, 20 Oct 2003 20:08:43 +0900
Reply-To: server-users-e@turbolinux.co.jp
Subject: [Full-Disclosure] [TURBOLINUX SECURITY INFO] 20/Oct/2003

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an announcement-only email list for the x86 architecture.

============================================================
Turbolinux Security Announcement 20/Oct/2003
============================================================

The following page contains the security information of Turbolinux Inc.

- Turbolinux Security Center
  http://www.turbolinux.com/security/

(1) kernel  -> Multiple vulnerabilities in kernel
(2) kdebase -> Two issues have been discovered in KDM

===========================================================
* kernel -> Multiple vulnerabilities in kernel
===========================================================

More information :

The kernel package contains the Linux kernel (vmlinuz), the core of your Linux operating system. The kernel handles the basic functions of the operating system.

- /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters transferred over serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords.

- A race condition in the way the env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash).

- The STP protocol implementation does not properly verify certain lengths, which could allow attackers to cause a denial of service.

Impact :

The vulnerabilities allow an attacker to cause a denial of service of the kernel and to gain sensitive information on your system.
Affected Products :

- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation

Solution :

Please use turbopkg(zabom) tool to apply the update.
---------------------------------------------
# turbopkg

or

# zabom update kernel kernel-BOOT kernel-doc kernel-headers kernel-pcmcia-cs kernel-smp kernel-smp64G kernel-source
---------------------------------------------

Source Packages
Size : MD5

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/kernel-2.4.18-14.src.rpm
    41830023 9765a2ec6220266e8b2700b93459670b

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kernel-2.4.18-14.i586.rpm
    14058234 82db3c20c79b9f0ef84eba74f4ec7b77
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kernel-BOOT-2.4.18-14.i586.rpm
    7089082 08b378fdfe39bea52f3a6d1adeaa6064
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kernel-doc-2.4.18-14.i586.rpm
    1456572 6777d197a1914eada0d4896da311a343
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kernel-headers-2.4.18-14.i586.rpm
    1815315 89ecfca39f5887e447acd37a017e3396
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kernel-pcmcia-cs-2.4.18-14.i586.rpm
    328971 a72ece851b562ae62d123416c0ff676e
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kernel-smp-2.4.18-14.i586.rpm
    14541620 38b18536f9f3bf8d16aa67f97a8a88c7
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kernel-smp64G-2.4.18-14.i586.rpm
    14529456 297bff4f2d3bd19d5c9e2f2e1045d302
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kernel-source-2.4.18-14.i586.rpm
    26614965 cea03467b12fe632b16a9cd4dc8f24ad

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/kernel-2.4.18-14.src.rpm
    41830023 9765a2ec6220266e8b2700b93459670b

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kernel-2.4.18-14.i586.rpm
    14058234 82db3c20c79b9f0ef84eba74f4ec7b77
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kernel-BOOT-2.4.18-14.i586.rpm
    7089082 08b378fdfe39bea52f3a6d1adeaa6064
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kernel-doc-2.4.18-14.i586.rpm
    1456572 6777d197a1914eada0d4896da311a343
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kernel-headers-2.4.18-14.i586.rpm
    1815315 89ecfca39f5887e447acd37a017e3396
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kernel-pcmcia-cs-2.4.18-14.i586.rpm
    328971 a72ece851b562ae62d123416c0ff676e
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kernel-smp-2.4.18-14.i586.rpm
    14541620 38b18536f9f3bf8d16aa67f97a8a88c7
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kernel-smp64G-2.4.18-14.i586.rpm
    14529456 297bff4f2d3bd19d5c9e2f2e1045d302
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kernel-source-2.4.18-14.i586.rpm
    26614965 cea03467b12fe632b16a9cd4dc8f24ad

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/kernel-2.4.18-14.src.rpm
    41830023 9765a2ec6220266e8b2700b93459670b

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kernel-2.4.18-14.i586.rpm
    14058234 82db3c20c79b9f0ef84eba74f4ec7b77
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kernel-BOOT-2.4.18-14.i586.rpm
    7089082 08b378fdfe39bea52f3a6d1adeaa6064
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kernel-doc-2.4.18-14.i586.rpm
    1456572 6777d197a1914eada0d4896da311a343
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kernel-headers-2.4.18-14.i586.rpm
    1815315 89ecfca39f5887e447acd37a017e3396
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kernel-pcmcia-cs-2.4.18-14.i586.rpm
    328971 a72ece851b562ae62d123416c0ff676e
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kernel-smp-2.4.18-14.i586.rpm
    14541620 38b18536f9f3bf8d16aa67f97a8a88c7
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kernel-smp64G-2.4.18-14.i586.rpm
    14529456 297bff4f2d3bd19d5c9e2f2e1045d302
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kernel-source-2.4.18-14.i586.rpm
    26614965 cea03467b12fe632b16a9cd4dc8f24ad

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/kernel-2.4.18-14.src.rpm
    41830023 9765a2ec6220266e8b2700b93459670b

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kernel-2.4.18-14.i586.rpm
    14058234 82db3c20c79b9f0ef84eba74f4ec7b77
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kernel-BOOT-2.4.18-14.i586.rpm
    7089082 08b378fdfe39bea52f3a6d1adeaa6064
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kernel-doc-2.4.18-14.i586.rpm
    1456572 6777d197a1914eada0d4896da311a343
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kernel-headers-2.4.18-14.i586.rpm
    1815315 89ecfca39f5887e447acd37a017e3396
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kernel-pcmcia-cs-2.4.18-14.i586.rpm
    328971 a72ece851b562ae62d123416c0ff676e
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kernel-smp-2.4.18-14.i586.rpm
    14541620 38b18536f9f3bf8d16aa67f97a8a88c7
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kernel-smp64G-2.4.18-14.i586.rpm
    14529456 297bff4f2d3bd19d5c9e2f2e1045d302
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kernel-source-2.4.18-14.i586.rpm
    26614965 cea03467b12fe632b16a9cd4dc8f24ad

Notice :

You have to reboot your system after this update is finished.

Enhancement :

- updated acpi-thermal-40, i2c-2.8.0 drivers
- added qla2xxx drivers

References :

CVE
[CAN-2003-0461]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0461
[CAN-2003-0462]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0462
[CAN-2003-0551]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0551

Turbolinux Security Advisory
[TLSA-2003-41]
http://www.turbolinux.com/security/TLSA-2003-41.txt

--------------------------------------------------------------------------
Revision History
20 Oct 2003 Initial release
--------------------------------------------------------------------------

===========================================================
* kdebase -> Two issues have been discovered in KDM
===========================================================

More information :

- Privilege escalation with specific PAM modules.
- Session cookies generated by KDM are potentially insecure.

Impact :

Local users may be able to gain root privileges. The weak cookie generation may allow non-authorized users to guess the session cookie by a brute force attack.

Affected Products :

- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation

Solution :

Please use turbopkg tool to apply the update.
Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/kdebase-2.2.2-16.src.rpm
    13104557 af04ccdf4ccf9720df849613b7c20866

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kdebase-2.2.2-16.i586.rpm
    16158716 f5e1c81fd4ead3e1bf05f66569b3114e
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/kdebase-devel-2.2.2-16.i586.rpm
    54350 f61ce9b68c463465ae5846f68879a24e

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/kdebase-2.2.2-16.src.rpm
    13104557 ec056e9910b8715a716bce2a4596fe07

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kdebase-2.2.2-16.i586.rpm
    16157388 79f26858cec0b67cb83097baf35f7ea0
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/kdebase-devel-2.2.2-16.i586.rpm
    54264 0687ccf6695c7f0c79cfcbb709e90506

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/kdebase-2.2.2-16.src.rpm
    13104557 75b7decef759e4cd9682c40f1e439bc2

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kdebase-2.2.2-16.i586.rpm
    15775946 917d992f65ac098ce3cc785650c83655
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/kdebase-devel-2.2.2-16.i586.rpm
    54281 7dada55383a049a4fd6c845a5013e7ea

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/kdebase-2.2.2-16.src.rpm
    13104557 b2912df0daf619ae9277cb9305a64896

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kdebase-2.2.2-16.i586.rpm
    15761012 c99d88aa9a2a5a2c6915986c3c2ba9d0
ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/kdebase-devel-2.2.2-16.i586.rpm
    54299 5f9a84f714168c3b846eca52328ef5e0

References :

KDE Security Advisory
http://www.kde.org/info/security/advisory-20030916-1.txt

CVE
[CAN-2003-0690]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0690
[CAN-2003-0692]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0692

--------------------------------------------------------------------------
Revision History
20 Oct 2003 Initial release
--------------------------------------------------------------------------

* You may need to update the turbopkg tool before applying the update.
  Please refer to the following URL for detailed information.
  http://www.turbolinux.com/download/zabom.html
  http://www.turbolinux.com/download/zabomupdate.html

Package Update Path
http://www.turbolinux.com/update

============================================================
* To obtain the public key

Here is the public key
http://www.turbolinux.com/security/

If you have any questions or problems, please contact Turbolinux. Thank you!
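As an added check that is not part of the Turbolinux advisory, the POSIX shell script below compares installed package version-release strings against the fixed versions named above (kernel 2.4.18-14, kdebase 2.2.2-16) so an administrator can confirm the update landed on every host. The inventory it reads is constructed here to stand in for `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output, and segments are compared numerically, a simplification of rpm's own ordering that is sufficient for these versions.

```shell
# Added example, not part of the Turbolinux advisory: audit installed RPM
# version-release strings against the fixed versions this advisory ships
# (kernel 2.4.18-14, kdebase 2.2.2-16). Numeric per-segment comparison only.

# vercmp A B: print lt, eq or gt for version-release A relative to B.
vercmp() {
    a=$(printf '%s' "$1" | tr '-' '.')
    b=$(printf '%s' "$2" | tr '-' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=''; else b=${b#*.}; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo lt; return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo gt; return 0; fi
    done
    echo eq
}
# is_fixed NAME VR: succeed when VR is at or above the advisory's fixed release.
is_fixed() {
    case "$1" in
        kernel|kernel-BOOT|kernel-doc|kernel-headers|kernel-pcmcia-cs|kernel-smp|kernel-smp64G|kernel-source)
            fixed=2.4.18-14 ;;
        kdebase|kdebase-devel)
            fixed=2.2.2-16 ;;
        *)  return 0 ;;   # package not covered by this advisory
    esac
    [ "$(vercmp "$2" "$fixed")" != lt ]
}
# audit: read "NAME VERSION-RELEASE" lines from stdin (the shape of
# rpm -qa --qf output), report packages still below the fix, fail if any.
audit() {
    missing=0
    while read -r name vr; do
        [ -n "$name" ] || continue
        if ! is_fixed "$name" "$vr"; then
            echo "VULNERABLE: $name-$vr"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}
# Constructed sample inventory standing in for real rpm -qa output.
SAMPLE='kernel 2.4.18-12
kernel-smp 2.4.18-14
kdebase 2.2.2-15
bash 2.05-8'
printf '%s\n' "$SAMPLE" | audit || echo "apply the update with turbopkg or zabom"
```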