From security-announce@turbolinux.co.jp Fri Dec 5 16:20:04 2003 From: Turbolinux Resent-From: security-announce@turbolinux.co.jp To: security-announce@turbolinux.co.jp Resent-To: server-users-e@turbolinux.co.jp (moderated) Date: Sat, 6 Dec 2003 03:34:39 +0900 Reply-To: server-users-e@turbolinux.co.jp Subject: [Full-Disclosure] [TURBOLINUX SECURITY INFO] 06/Dec/2003 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is an announcement only email list for the x86 architecture. ============================================================ Turbolinux Security Announcement 06/Dec/2003 ============================================================ The following page contains the security information of Turbolinux Inc. - Turbolinux Security Center http://www.turbolinux.com/security/ (1) glibc -> Multiple vulnerabilities in glibc (2) rsync -> Heap overflow =========================================================== * glibc -> Multiple vulnerabilities in glibc =========================================================== More information : The glibc package contains the standard C libraries used by applications. When a user is a member of a large number of groups,the getgrouplist function in glibc allows attackers to cause a denial of service (segmentation fault) and execute arbitrary code. Impact : This may allow attackers to cause a denial of service or execute arbitrary code. Affected Products : - Turbolinux 8 Server - Turbolinux 8 Workstation - Turbolinux 7 Server - Turbolinux 7 Workstation Solution : Please use turbopkg(zabom) tool to apply the update. --------------------------------------------- # turbopkg or # zabom update glibc glibc-devel glibc-profile mtrace nscd --------------------------------------------- Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/glibc-2.2.5-17.src.rpm 15681872 c5f6718068cad57d328e9cbb99cfc5c2 Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/glibc-2.2.5-17.i586.rpm 10948308 e978c66d70ed23c1d37f3cf58fa1d7dd ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/glibc-devel-2.2.5-17.i586.rpm 3087284 027379201c146b8652691fa5fb407fb8 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/glibc-profile-2.2.5-17.i586.rpm 793319 2b825226d3e4628c4fc5a13d028dc42f ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/mtrace-2.2.5-17.i586.rpm 26289 3b7e3b3ee9fdad443214abc22ff011a3 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/nscd-2.2.5-17.i586.rpm 33180 2811c092ec2fed1a278f29d6f5393122 Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/glibc-2.2.5-17.src.rpm 15681872 0ae07774f7aed8ddceda091ad1aa59eb Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/glibc-2.2.5-17.i586.rpm 10943475 e3ae6e493dae31c06d04de1e5ef24a5b ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/glibc-devel-2.2.5-17.i586.rpm 3088889 7bdde2a4805a408ec20b5b6c983c20b7 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/glibc-profile-2.2.5-17.i586.rpm 793449 8eb226d87491ab3d2b22e50a978900be ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/mtrace-2.2.5-17.i586.rpm 26291 d9d5ee64fff9b612203b7b6629d95022 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/nscd-2.2.5-17.i586.rpm 33125 5f91d450345639e2f4629005305d401d Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/glibc-2.2.4-13.src.rpm 13582169 668c9eb6ddb16b219cbe155edf9a6ca1 Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/glibc-2.2.4-13.i586.rpm 11310068 ebd5c4c08b7e50bafbd79b57801cccdd ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/glibc-devel-2.2.4-13.i586.rpm 6293426 b0b9308e04c0314f4130617e89f60017 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/glibc-profile-2.2.4-13.i586.rpm 4125526 818098cc38a84b39204504e36bc79761 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/mtrace-2.2.4-13.i586.rpm 15377 4de531b6fda1b23c28d91477eb8f4124 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/nscd-2.2.4-13.i586.rpm 31236 d5fbda6a59e9fc074a3df3ac378907b2 Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/glibc-2.2.4-13.src.rpm 13582169 b0e8e76f424bd3bd2cd2a94dd37d0dcd Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/glibc-2.2.4-13.i586.rpm 11308991 b5f5f6887dc9a8aaa4e118c6c8ff22e6 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/glibc-devel-2.2.4-13.i586.rpm 6292725 b4e5f9a07c55ff55845a2aa4dbfd5a7f ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/glibc-profile-2.2.4-13.i586.rpm 4125536 32c7053ca33d15f10c655b3e1262a769 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/mtrace-2.2.4-13.i586.rpm 15385 5d042786c08b9336fe73fe4c7c69367b ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/nscd-2.2.4-13.i586.rpm 31243 fae888249da3141a18336aa8a5f6da60 References : CVE [CAN-2003-0689] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0689 [CAN-2003-0859] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0859 =========================================================== * rsync -> Heap overflow =========================================================== More information : rsync uses the "rsync algorithm" which provides a very fast method for bringing remote files into sync. It does this by sending just the differences in the files across the link, without requiring that both sets of files are present at one of the ends of the link beforehand. Rsync version 2.5.6 and earlier contains a heap overflow vulnerability that can be used to remotely run arbitrary code. Please note that this vulnerability only affects the use of rsync as a "rsync server". Impact : This vulnerability may allow remote third party to gain the root privileges. Affected Products : - Turbolinux 10 Desktop - Turbolinux 8 Server - Turbolinux 8 Workstation - Turbolinux 7 Server - Turbolinux 7 Workstation - Turbolinux Server 6.5 - Turbolinux Advanced Server 6 - Turbolinux Server 6.1 - Turbolinux Workstation 6.0 Solution : Please use turbopkg(zabom) tool to apply the update. --------------------------------------------- # turbopkg or zabom-1.x # zabom update rsync zabom-2.x # zabom -u rsync --------------------------------------------- Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/rsync-2.5.7-1.src.rpm 454497 499768bcd5851f5dede0a9aaed9f67fd Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/rsync-2.5.7-1.i586.rpm 142068 fba3ab5d577b7eab1818c3d41e6ce13d Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/rsync-2.5.7-1.src.rpm 454497 d4c79a6aba4e8a7b17d8940d6b6e1f87 Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/rsync-2.5.7-1.i586.rpm 140316 10b89f1b0c3db89ee56dc9b735b4effa Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/rsync-2.5.7-1.src.rpm 454497 5b521abb17456fadded17f054bd9a5b4 Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/rsync-2.5.7-1.i586.rpm 140308 6c9f1e54680ea18d6c885fb1bfe8d924 Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/rsync-2.5.7-1.src.rpm 454497 da512bcc0862905542870ede94d4518c Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/rsync-2.5.7-1.i586.rpm 136728 fe9fd94d15842c3e6344811501329205 Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/rsync-2.5.7-1.src.rpm 454497 e7e10e4efe32ed6d0308c332b11df197 Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/rsync-2.5.7-1.i586.rpm 136761 10f48e8a8ffa4fe9318f277767ad03ed Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/SRPMS/rsync-2.5.7-1.src.rpm 454497 83ded0d90cde0b0a5e1376e468faaa42 Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/rsync-2.5.7-1.i386.rpm 136619 b8186c802c41974daf566bc01fbd9e9b Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/SRPMS/rsync-2.5.7-1.src.rpm 454497 c0bd7ffb38fff1d788ae7056915acb28 Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/rsync-2.5.7-1.i386.rpm 136611 f6fb180f6652671a6f2627065d2c40cd Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/SRPMS/rsync-2.5.7-1.src.rpm 454497 80d975cc6e84edb7da14d8566e4b7fe0 Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/rsync-2.5.7-1.i386.rpm 136599 70d6d5c3e4a227803ea48a2be5af324b Source Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/rsync-2.5.7-1.src.rpm 454497 081ea78c2a4f089c452fe0a5094b68fa Binary Packages Size : MD5 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/rsync-2.5.7-1.i386.rpm 136607 519b6825e9f917487a8c884b5b1a9006 References : rsync http://rsync.samba.org/ CVE [CAN-2003-0962] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962 * You may need to update the turbopkg tool before applying the update. Please refer to the following URL for detailed information. http://www.turbolinux.com/download/zabom.html http://www.turbolinux.com/download/zabomupdate.html Package Update Path http://www.turbolinux.com/update ============================================================ * To obtain the public key Here is the public key http://www.turbolinux.com/security/ * To unsubscribe from the list If you ever want to remove yourself from this mailing list, you can send a message to with the word `unsubscribe' in the body (don't include the quotes). unsubscribe * To change your email address If you ever want to chage email address in this mailing list, you can send a message to with the following command in the message body: chaddr 'old address' 'new address' If you have any questions or problems, please contact Thank you! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQE/0M/DK0LzjOqIJMwRAr7wAJ9uc2XNZGeh6lqS+pKIlIjmjCsLaQCePJvs uZ4pje67NlW5ogxnIjemsmk= =ZogU -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html