From security-announce@turbolinux.co.jp Wed Dec 17 15:20:24 2003
From: Turbolinux
Resent-From: security-announce@turbolinux.co.jp
To: security-announce@turbolinux.co.jp
Resent-To: server-users-e@turbolinux.co.jp (moderated)
Date: Wed, 17 Dec 2003 15:49:38 +0900
Reply-To: server-users-e@turbolinux.co.jp
Subject: [Full-Disclosure] [TURBOLINUX SECURITY INFO] 17/Dec/2003

This is an announcement only email list for the x86 architecture.

============================================================
Turbolinux Security Announcement 17/Dec/2003
============================================================

The following page contains the security information of Turbolinux Inc.

- Turbolinux Security Center
  http://www.turbolinux.com/security/

(1) gnupg -> GnuPG's ElGamal signing keys compromised
(2) cvs -> CVS server to create files and directories in the file system root directory

===========================================================
* gnupg -> GnuPG's ElGamal signing keys compromised
===========================================================

More information :

GnuPG is a complete and free replacement for PGP. Because it does not use IDEA or RSA it can be used without any restrictions. GnuPG is in compliance with the OpenPGP specification (RFC2440).

Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds.

Impact :

This vulnerability may allow attackers to determine the private key from a signature.
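As an added defender-side check (not part of the Turbolinux advisory or of GnuPG's own tooling): the keys at risk are those whose OpenPGP public-key algorithm id is 20, ElGamal sign+encrypt, which GnuPG creates only in --expert mode; encrypt-only ElGamal (id 16) and DSA (id 17) are not affected. The script parses `gpg --with-colons` listing output, where the fourth colon field is the algorithm id, and reports every such primary key or subkey; the SAMPLE listing and its key ids are constructed.

```python
import subprocess

# OpenPGP public-key algorithm ids (RFC 2440 section 9.1):
# 16 = ElGamal encrypt-only (cannot sign, unaffected), 17 = DSA, 20 = ElGamal sign+encrypt.
ELGAMAL_SIGN_ENCRYPT = 20

# Records in --with-colons output that describe a primary key or subkey.
KEY_RECORDS = {"pub", "sec", "sub", "ssb"}

def find_elgamal_signing_keys(colon_output):
    """Return (record, keyid, bits, created) for every key or subkey whose
    algorithm field (index 3 after splitting on ':') is ElGamal sign+encrypt."""
    hits = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if len(f) < 6 or f[0] not in KEY_RECORDS:
            continue
        if f[3].isdigit() and int(f[3]) == ELGAMAL_SIGN_ENCRYPT:
            hits.append((f[0], f[4], int(f[2]), f[5]))
    return hits

def scan_keyring(gpg="gpg"):
    """Scan the caller's public and secret keyrings (assumes gpg is on PATH)."""
    out = ""
    for listing in ("--list-keys", "--list-secret-keys"):
        out += subprocess.run([gpg, "--with-colons", listing],
                              capture_output=True, text=True).stdout
    return find_elgamal_signing_keys(out)

# Constructed sample: a DSA primary with an encrypt-only ElGamal subkey (unaffected)
# and an ElGamal sign+encrypt primary key (the type this advisory concerns).
SAMPLE = """\
tru::1:1071642000:0:3:1:5
pub:u:1024:17:AAAA1111BBBB2222:2003-01-10:::u:Alice <alice@example.org>::scESC:
sub:u:2048:16:CCCC3333DDDD4444:2003-01-10::::::e:
pub:u:1024:20:EEEE5555FFFF6666:2003-06-01:::u:Bob <bob@example.org>::scaESCA:
"""

if __name__ == "__main__":
    for rec, keyid, bits, created in find_elgamal_signing_keys(SAMPLE):
        print(f"AFFECTED: {rec} {keyid} {bits}-bit ElGamal sign+encrypt, created {created}")
```

Any key reported here should be revoked and replaced, and signatures made with it treated as having exposed the private key, which is the failure mode the advisory describes.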
Affected Products :

- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
- Turbolinux Server 6.5
- Turbolinux Server 6.1
- Turbolinux Workstation 6.0

Solution :

Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
# turbopkg
or
zabom-1.x
# zabom update gnupg
zabom-2.x
# zabom -u gnupg
---------------------------------------------

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/gnupg-1.2.3-2.src.rpm
3314781 4996b1e2267642d2d69d4f514cf4cad7

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/gnupg-1.2.3-2.i586.rpm
1129596 5fd712d1411be94acc23d49f24048df7

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/gnupg-1.0.7-4.src.rpm
2409951 59104e12eb97ac80f0a4c9d842dfdc20

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/gnupg-1.0.7-4.i586.rpm
885453 72a565e99ff48f8756144b8966432d8e

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/gnupg-1.0.7-4.src.rpm
2409951 883d8e4123edbdfc87be8cd31e58e22b

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/gnupg-1.0.7-4.i586.rpm
884696 6299e615d670554116f03a57a77534f9

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/gnupg-1.0.7-4.src.rpm
2409951 174e7eadc938bf7deccb56deba74588d

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/gnupg-1.0.7-4.i586.rpm
863174 eb706737ef71616bbd5e6bc5bc73a8c0

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/gnupg-1.0.7-4.src.rpm
2409951 cde1432e30a483ddffcbde6d61a5d0cf

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/gnupg-1.0.7-4.i586.rpm
862981 82bd0c1c5890c1fea6a7b18fe508320d

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/SRPMS/gnupg-1.0.7-4.src.rpm
2409951 69e46577d72aed27f3c795647a53bb9b

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/gnupg-1.0.7-4.i386.rpm
1170666 447865f5363d62abf8e5c6d8570fdb0e

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/SRPMS/gnupg-1.0.7-4.src.rpm
2409951 2fb777b54219241b3a33c6a819bc9ca7

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/gnupg-1.0.7-4.i386.rpm
1170653 c893158b981769a827df840decf771f1

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/gnupg-1.0.7-4.src.rpm
2409951 62b1e2c02457959368139e9d4ec3275e

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/gnupg-1.0.7-4.i386.rpm
1166583 79095cf116744d1da99fbf2607134bd9

References :

[Announce] GnuPG's ElGamal signing keys compromised
http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html

CVE [CAN-2003-0971]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0971

===========================================================
* cvs -> CVS server to create files and directories in the file system root directory
===========================================================

More information :

CVS is a front end to the rcs(1) revision control system which extends the notion of revision control from a collection of files in a single directory to a hierarchical collection of directories consisting of revision-controlled files.
A remote user can submit a specially crafted and malformed module request that may cause the CVS server to attempt to create directories and possibly files at the root of the filesystem where the CVS repository is located.

Impact :

This vulnerability may allow attackers to cause the CVS server to create directories and files in the file system root directory.

Affected Products :

- Turbolinux 10 Desktop
- Turbolinux 8 Server
- Turbolinux 8 Workstation
- Turbolinux 7 Server
- Turbolinux 7 Workstation
- Turbolinux Server 6.5
- Turbolinux Advanced Server 6
- Turbolinux Server 6.1
- Turbolinux Workstation 6.0

Solution :

Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------
# turbopkg
or
zabom-1.x
# zabom update cvs
zabom-2.x
# zabom -u cvs
---------------------------------------------

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 be972c16222d933a1a15cb1383627681

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/cvs-1.12.4-1.i586.rpm
1003284 ac7eb63b400fa0ab405c1cf74ff9489f

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 f34d17adbe451e3eb9bff68b3caf7d0b

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/cvs-1.12.4-1.i586.rpm
995946 fceb8bb6eb65cb7f44a100d3af6ed42a

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 5a6a21b2a288b67ba714f184a285458c

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/cvs-1.12.4-1.i586.rpm
995877 5df89643e16fefd5183896700642a7e1

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 42f33ab58a73254fc924ebfa6966b6e7

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/cvs-1.12.4-1.i586.rpm
984262 1038e7fe32ea05e372a7c016b10f9c16

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 9cb3067c409b85b97c36108574f2e82c

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/cvs-1.12.4-1.i586.rpm
984220 77c6b4d0c386d901c121cb29235098bf

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 22d46f682d34c68303708c6cb80a57f8

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/cvs-1.12.4-1.i386.rpm
1114584 982395edaaa1de0857408c1578b7e68d

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 280ae8d29a89e6bac2383b589fda256b

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/cvs-1.12.4-1.i386.rpm
1114630 4ea6455c681420076a03aa4b04b67267

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 c6d9e046f5465a5262f75b9a36b74b7b

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/cvs-1.12.4-1.i386.rpm
1114642 6c12eec4de136fea19f79cfca1013f96

Source Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/cvs-1.12.4-1.src.rpm
2371619 99f636ee48c389242f343eddb0469446

Binary Packages
Size : MD5

ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/cvs-1.12.4-1.i386.rpm
1114681 1059f93b6385e3dbb1224912f7947f45

References :

CVE [CAN-2003-0977]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0977

* You may need to update the turbopkg tool before applying the update.
  Please refer to the following URL for detailed information.
  http://www.turbolinux.com/download/zabom.html
  http://www.turbolinux.com/download/zabomupdate.html

Package Update Path
http://www.turbolinux.com/update

============================================================

* To obtain the public key

Here is the public key
http://www.turbolinux.com/security/
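The package listings above pair each URL with the expected size and MD5 of the file. As an added example (not Turbolinux's tooling), this Python helper parses that listing format, checks a downloaded package's size before hashing it, and reports a reason for every mismatch, so a truncated or altered download is caught before it is installed. The file names, contents and example.invalid URLs in demo() are constructed.

```python
import hashlib
import os
import re
import tempfile

# Advisory listing format: a URL line followed by "<size> <md5>"; other lines are headers.
META_RE = re.compile(r"^(\d+)\s+([0-9a-fA-F]{32})$")

def parse_listing(text):
    """Map package file name -> (expected size in bytes, expected md5 hex)."""
    entries, url = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(("ftp://", "http://")):
            url = line
        elif url and (m := META_RE.match(line)):
            entries[url.rsplit("/", 1)[-1]] = (int(m.group(1)), m.group(2).lower())
            url = None
    return entries

def verify_package(path, expected_size, expected_md5):
    """Cheap size check first, then MD5 over the file; returns (ok, reason)."""
    if not os.path.isfile(path):
        return False, "missing"
    size = os.path.getsize(path)
    if size != expected_size:
        return False, f"size {size} != {expected_size}"
    with open(path, "rb") as f:
        digest = hashlib.md5(f.read()).hexdigest()
    if digest != expected_md5:
        return False, f"md5 {digest} != {expected_md5}"
    return True, "ok"

def verify_directory(listing_text, directory):
    """Verify every package named in the listing against files in directory."""
    return {name: verify_package(os.path.join(directory, name), size, md5)
            for name, (size, md5) in parse_listing(listing_text).items()}

def demo():
    """Constructed self-check: b'abc' has MD5 900150983cd24fb0d6963f7d28e17f72
    (RFC 1321 test vector); the second file has the right size but altered bytes."""
    listing = ("Binary Packages\nSize : MD5\n"
               "ftp://example.invalid/updates/RPMS/good-1.0-1.i586.rpm\n"
               "3 900150983cd24fb0d6963f7d28e17f72\n"
               "ftp://example.invalid/updates/RPMS/bad-1.0-1.i586.rpm\n"
               "3 900150983cd24fb0d6963f7d28e17f72\n")
    d = tempfile.mkdtemp()
    for name, data in (("good-1.0-1.i586.rpm", b"abc"), ("bad-1.0-1.i586.rpm", b"abd")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return verify_directory(listing, d)
```

The MD5 only shows that a download matches what the advisory lists; checking the advisory's own PGP signature against the Turbolinux public key is what ties the listing to the vendor.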