From security-announce@turbolinux.co.jp Wed Apr 7 05:18:21 2004
From: Turbolinux
Resent-From: security-announce@turbolinux.co.jp
To: security-announce@turbolinux.co.jp
Resent-To: server-users-e@turbolinux.co.jp (moderated)
Date: Wed, 7 Apr 2004 17:26:53 +0900
Reply-To: server-users-e@turbolinux.co.jp
Subject: [Full-Disclosure] [TURBOLINUX SECURITY INFO] 07/Apr/2004

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an announcement-only email list for the x86 architecture.

============================================================
Turbolinux Security Announcement 07/Apr/2004
============================================================

The following page contains the security information of Turbolinux Inc.

- Turbolinux Security Center
  http://www.turbolinux.com/security/

(1) apache     -> Buffer overflows in mod_alias, mod_rewrite
(2) httpd      -> Two issues have been discovered in httpd
(3) libxml2    -> Buffer overflows
(4) mod_python -> DoS vulnerability in httpd

===========================================================
* apache -> Buffer overflows in mod_alias, mod_rewrite
===========================================================

 More information :

 Apache is a powerful, full-featured, efficient, and freely-available
 Web server.

 Multiple stack-based buffer overflows exist in mod_alias and mod_rewrite
 in Apache 1.3 releases before 1.3.29. They are triggered by a regular
 expression configured with more than 9 captures (see the Apache 1.3.29
 CHANGES entry for CAN-2003-0542), so the attacker must be able to get
 such a regular expression into the server configuration, for example
 through a .htaccess file on a shared host.

 Impact :

 The vulnerabilities allow remote attackers to cause a denial of service
 and possibly execute arbitrary code.

 Affected Products :

 - Turbolinux Appliance Server 1.0 Hosting Edition
 - Turbolinux Appliance Server 1.0 Workgroup Edition
 - Turbolinux 8 Server
 - Turbolinux 8 Workstation
 - Turbolinux 7 Server
 - Turbolinux 7 Workstation
 - Turbolinux Server 6.5
 - Turbolinux Advanced Server 6
 - Turbolinux Server 6.1
 - Turbolinux Workstation 6.0

 Solution :

 Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 # turbopkg
 or
 # zabom update apache apache-devel apache-manual mod_ssl
 ---------------------------------------------

 Source Packages
 Size : MD5

 apache-1.3.27-22.src.rpm
     3095990 d4e2b916623b4d640b5d679497d9e302

 Binary Packages
 Size : MD5

 apache-1.3.27-22.i586.rpm
     499679 6212ae0f1cd0f30e01d95031802428eb
 apache-devel-1.3.27-22.i586.rpm
     93851 263f9ec42f46f0e839e5cca1eb927c1e
 mod_ssl-2.8.14-22.i586.rpm
     180744 041df7d94acedd1ba7fb5f97064c7eea

 Source Packages
 Size : MD5

 apache-1.3.27-22.src.rpm
     3095990 3fc9813efe8710c56e0b77b5e05338c3

 Binary Packages
 Size : MD5

 apache-1.3.27-22.i586.rpm
     499724 7bb20cd888d05c0e4cc5f561199894f6
 apache-devel-1.3.27-22.i586.rpm
     93832 cae619a1b8963ad97da1a5aed1564999
 mod_ssl-2.8.14-22.i586.rpm
     180662 9545e160e32aed4032e12b4dfef7df73

 Source Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/apache-1.3.27-22.src.rpm
     3095990 3839d93452bde8e36b103fb79d3cf458

 Binary Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/apache-1.3.27-22.i586.rpm
     500553 78238f9e36c649c84a1a5b1756d97578
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/apache-devel-1.3.27-22.i586.rpm
     93949 a3329e03b72782d3d3b95554b7290c9d
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/apache-manual-1.3.27-22.i586.rpm
     850807 6ee1cecbe57b89e3dfc3d5de2e6fdc9a
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/mod_ssl-2.8.14-22.i586.rpm
     180800 1cb72b938751a3a9c5c7fa3ae9c6647c

 Source Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/apache-1.3.27-22.src.rpm
     3095990 b25efd073d90f7454d43c069cd3eeb98

 Binary Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/apache-1.3.27-22.i586.rpm
     500372 3c9763463cda876b97eaed2f1327fe5e
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/apache-devel-1.3.27-22.i586.rpm
     94018 2470307199ff33d30c642f934667335a
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/apache-manual-1.3.27-22.i586.rpm
     850632 1a64d40efe6de1ff15dcc9a2b220e52f
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/mod_ssl-2.8.14-22.i586.rpm
     180816 cf24eff8c7e7369e3287e41a82432e49

 Source Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/apache-1.3.27-22.src.rpm
     3095990 ddc39b15d760059c87e182b62d52a33f

 Binary Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/apache-1.3.27-22.i586.rpm
     486217 1151c6ecf1aa21562d0fc170fd67bf40
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/apache-devel-1.3.27-22.i586.rpm
     93879 933560ed4038a7fcc72541de230d8acb
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/apache-manual-1.3.27-22.i586.rpm
     849973 392beee13024b1444099b1c2f9055f81
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/mod_ssl-2.8.14-22.i586.rpm
     177997 037153aac8248fc21470e52fb190ad8a

 Source Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/apache-1.3.27-22.src.rpm
     3095990 e89f9dda6f70d8c7f52c7cbbf62509dd

 Binary Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/apache-1.3.27-22.i586.rpm
     486199 82c1725c50d0d48c86828e2b2ef9c9d6
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/apache-devel-1.3.27-22.i586.rpm
     93949 48d9f27d6b4aaa9f2877de70be155dc4
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/apache-manual-1.3.27-22.i586.rpm
     850055 59c90fa2c2377323b8f2d187b8922463
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/mod_ssl-2.8.14-22.i586.rpm
     178382 ae4575db718088d905a5a98de9b437db

 Source Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/SRPMS/apache-1.3.27-22.src.rpm
     3095990 d3b8c26b4d21f8e15ed3e0fb02f4436c

 Binary Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/apache-1.3.27-22.i386.rpm
     572608 d44abe94288e1c3ff15e8d37a67dfce2
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/apache-devel-1.3.27-22.i386.rpm
     109943 07b769e891277be997735c9c94d050e2
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/apache-manual-1.3.27-22.i386.rpm
     1088335 680afe2861889d0e8d856db384a6f11c
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.5/updates/RPMS/mod_ssl-2.8.14-22.i386.rpm
     191501 3f0058c21e59084c338fc665630f2231

 Source Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/SRPMS/apache-1.3.27-22.src.rpm
     3095990 b87e3782487686f17191c93110107c96

 Binary Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/apache-1.3.27-22.i386.rpm
     573652 44cf4220883ca5bf3be8a84e33ea9091
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/apache-devel-1.3.27-22.i386.rpm
     109941 5509aca57d903efdc43e2419f5c33e50
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/apache-manual-1.3.27-22.i386.rpm
     1089906 6589583a5d032414e48434b71a9dfa32
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/AdvancedServer/6/ja/updates/RPMS/mod_ssl-2.8.14-22.i386.rpm
     191495 a69883d96bd09dd3fbeb797a29785cd0

 Source Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/SRPMS/apache-1.3.27-22.src.rpm
     3095990 49d2e7d0e4f93f896586ce60160042a2

 Binary Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/apache-1.3.27-22.i386.rpm
     573061 157b27651fb523665ca29b0903e474bf
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/apache-devel-1.3.27-22.i386.rpm
     109949 0f9b4e1b49e8e2037f65b82c5e5fa7cf
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/apache-manual-1.3.27-22.i386.rpm
     1088821 62e88f3f55487327fb2c6a04bd690c19
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/6.1/ja/updates/RPMS/mod_ssl-2.8.14-22.i386.rpm
     191460 aa2b4ceeea10ea5f0fbf6c84fdbef499

 Source Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/SRPMS/apache-1.3.27-22.src.rpm
     3095990 c3380e8d06de7db5d47426e61002b398

 Binary Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/apache-1.3.27-22.i386.rpm
     573837 21e8a2af9561d754a8b38dbceec92a33
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/apache-devel-1.3.27-22.i386.rpm
     110112 92b4c9ff967eb61fdf56792ad167288c
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/6.0/ja/updates/RPMS/apache-manual-1.3.27-22.i386.rpm
     1089097 98f9b8f895fde788a95432850d74e4f5

 References :

 The Apache HTTP Server Project [Changes with Apache 1.3.29]
 http://www.apache.org/dist/httpd/CHANGES_1.3

 CVE [CAN-2003-0542]
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542

===========================================================
* httpd -> Two issues have been discovered in httpd
===========================================================

 More information :

 Apache is a powerful, full-featured, efficient, and freely-available
 Web server.

 - Apache does not filter terminal escape sequences from its error
   logs. An attacker who controls part of a logged string (for example
   a requested path) can therefore plant such sequences where an
   administrator will later view the log in a terminal emulator, and
   terminal emulators with escape-sequence vulnerabilities can be
   exploited that way (CAN-2003-0020).

 - A memory leak in ssl_engine_io.c in mod_ssl for Apache 2 lets a
   remote attacker consume server memory by sending plain HTTP requests
   to the SSL port of an SSL-enabled server (CAN-2004-0113).

 Impact :

 The vulnerabilities may allow an attacker to cause a denial of service
 of httpd.

 Affected Products :

 - Turbolinux 10 Desktop

 Solution :

 Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 # turboupdate
 # turbopkg
 # zabom update httpd
 ---------------------------------------------

 Source Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/httpd-2.0.47-8.src.rpm
     6270514 bf9ca0708d5834ce5e299786a0e2a284

 Binary Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/httpd-2.0.47-8.i586.rpm
     884255 ce07501b44185392ff26f888eead50c5

 References :

 The Apache HTTP Server Project [Apache HTTP Server 2.0.49 Released]
 http://www.apache.org/dist/httpd/Announcement2.html

 CVE [CAN-2003-0020]
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020

 CVE [CAN-2004-0113]
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0113

===========================================================
* libxml2 -> Buffer overflows
===========================================================

 More information :

 Libxml2 is a library for manipulating XML files.

 Buffer overflows were discovered in libxml2 versions prior to 2.6.6, in
 the URI-handling code used by its nanoftp and nanohttp fetchers. Any
 application that lets libxml2 retrieve an attacker-chosen remote URL
 (for example an external entity or DTD reference) is exposed.

 Impact :

 This may allow remote attackers to execute arbitrary code via a long
 URL.

 Affected Products :

 - Turbolinux Appliance Server 1.0 Hosting Edition
 - Turbolinux Appliance Server 1.0 Workgroup Edition
 - Turbolinux 10 Desktop
 - Turbolinux 8 Server
 - Turbolinux 8 Workstation
 - Turbolinux 7 Server
 - Turbolinux 7 Workstation

 Solution :

 Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 # turboupdate
 # turbopkg
 # zabom update libxml2 libxml2-devel libxml2-python
 ---------------------------------------------

 Source Packages
 Size : MD5

 libxml2-2.4.22-2.src.rpm
     1544784 45887af170d5931f2db7381737a99dfe

 Binary Packages
 Size : MD5

 libxml2-2.4.22-2.i586.rpm
     348852 5e5dae2527a67fcc6d69f0b6ba5c3f75
 libxml2-devel-2.4.22-2.i586.rpm
     673017 f41474006180d834f54f0a30797c9781
 libxml2-python-2.4.22-2.i586.rpm
     120006 9ac02ed2be1c8c7cde88fb852e5bbe71

 Source Packages
 Size : MD5

 libxml2-2.4.22-2.src.rpm
     1544784 132d50b9dc13ff00c6ab39b3719d883e

 Binary Packages
 Size : MD5

 libxml2-2.4.22-2.i586.rpm
     348775 a73087648767b5f3e3ef13f80382ff4d
 libxml2-devel-2.4.22-2.i586.rpm
     672864 37cb38c3d7d50ca02dce0e87f4b8fc21
 libxml2-python-2.4.22-2.i586.rpm
     119890 eda3ae08127252fa6c0dcbdbaed08b53

 Source Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/SRPMS/libxml2-2.5.11-2.src.rpm
     2299266 aca3b55257986b10e13d2dcec12db7d5

 Binary Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/libxml2-2.5.11-2.i586.rpm
     510473 d49464be5aaddff35f6a14829ef3ac1e
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/libxml2-devel-2.5.11-2.i586.rpm
     1039549 474a2f6acc73e12199cde2b1a8233775

 Source Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/libxml2-2.4.22-2.src.rpm
     1544784 24d996e8d5394c7f70c0cc9a06726bb0

 Binary Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/libxml2-2.4.22-2.i586.rpm
     348613 e4b980f0b4c3aa7b0ac55449fae6491d
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/libxml2-devel-2.4.22-2.i586.rpm
     672887 75cfe3b619a4056a3c72d3d742d76f9c
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/libxml2-python-2.4.22-2.i586.rpm
     119860 8cb2ef3d8f9e780797f1633de3d37775

 Source Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/libxml2-2.4.19-2.src.rpm
     1934996 b8e13d700dd12e1da05ca9b688cfa8d6

 Binary Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/libxml2-2.4.19-2.i586.rpm
     343360 6a468e671b9058c688f0112e19705c7f
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/libxml2-devel-2.4.19-2.i586.rpm
     648282 0216b0cf8fcee52f4bdc668f8ba1f1ee
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/libxml2-python-2.4.19-2.i586.rpm
     118177 aa5c7e0d05326923eead4d96835f0f9e

 Source Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/SRPMS/libxml2-2.4.28-2.src.rpm
     2498086 667895c050fde1426e2e8dc854f6a7fb

 Binary Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/libxml2-2.4.28-2.i586.rpm
     387991 226d46babf6a54f72bf89d530aacf160
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/libxml2-devel-2.4.28-2.i586.rpm
     971376 7a9c5f4862c41a7768dc36a34a8bc911
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/libxml2-python-2.4.28-2.i586.rpm
     155282 cc7039cc53d87eb5cc1d5b9a3dca291b

 Source Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/SRPMS/libxml2-2.4.28-2.src.rpm
     2498086 d814b4b15a7b4c45abc293795cb8910e

 Binary Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/libxml2-2.4.28-2.i586.rpm
     387983 de5c72d2df1e74a1367563e4394233dd
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/libxml2-devel-2.4.28-2.i586.rpm
     971447 baae34a4623c7dbbdbaedaa52a36d31c
 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/libxml2-python-2.4.28-2.i586.rpm
     155244 d7344b14fcff59ae829c5c8a01be17b6

 References :

 CVE [CAN-2004-0110]
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0110

===========================================================
* mod_python -> DoS vulnerability in httpd
===========================================================

 More information :

 Mod_python is an Apache module that embeds the Python interpreter
 within the server.

 The vulnerability allows remote attackers to cause a denial of service
 (httpd crash) via a certain query string.

 Impact :

 The vulnerability may allow an attacker to cause a denial of service
 of httpd.

 Affected Products :

 - Turbolinux Appliance Server 1.0 Hosting Edition
 - Turbolinux Appliance Server 1.0 Workgroup Edition
 - Turbolinux 8 Server
 - Turbolinux 8 Workstation

 Solution :

 Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 # turboupdate
 # turbopkg
 # zabom update mod_python
 ---------------------------------------------

 Source Packages
 Size : MD5

 mod_python-2.7.8-4.src.rpm
     203281 87c696009a79e5061c0ed75480cedf2a

 Binary Packages
 Size : MD5

 mod_python-2.7.8-4.i586.rpm
     472529 0f4ff9ed10305224a8cc65d72ff8bf8c

 Source Packages
 Size : MD5

 mod_python-2.7.8-4.src.rpm
     203281 387ea0a2ad04525c7ea6ff53b9bb72bd

 Binary Packages
 Size : MD5

 mod_python-2.7.8-4.i586.rpm
     472301 e6674f99d9c5c50f589031eb9780ef47

 Source Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/SRPMS/mod_python-2.7.8-4.src.rpm
     203281 56d0673c20f65e2ecf44ca6680592eac

 Binary Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/mod_python-2.7.8-4.i586.rpm
     472311 82d9da6dd22e08cb3f10dcf361b4978c

 Source Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/SRPMS/mod_python-2.7.8-4.src.rpm
     203281 435c352b9044e081548ee0e714333cdd

 Binary Packages
 Size : MD5

 ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/mod_python-2.7.8-4.i586.rpm
     483519 5a43f671f6a481f06f64115097e1c0ee

 References :

 CVE [CAN-2003-0973]
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0973

* You may need to update the turbopkg tool before applying the update.
  Please refer to the following URL for detailed information.
  http://www.turbolinux.com/download/zabom.html
  http://www.turbolinux.com/download/zabomupdate.html

 Package Update Path
 http://www.turbolinux.com/update

============================================================
* To obtain the public key

  Here is the public key
  http://www.turbolinux.com/security/

* To unsubscribe from the list

  If you ever want to remove yourself from this mailing list,
  you can send a message to with the word `unsubscribe' in the body
  (don't include the quotes).

  unsubscribe

* To change your email address

  If you ever want to change your email address in this mailing list,
  you can send a message to with the following command in the message
  body:

  chaddr 'old address' 'new address'

If you have any questions or problems, please contact

Thank you!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAc7tWK0LzjOqIJMwRAkdPAKC6Tta5JDBHqOKy7Dfhd3qszHEsuwCeK1zV
izF3sXPh+7prT42sjIRZcUY=
=0sDT
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
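The script below is an added example and is not part of the Turbolinux announcement above. It shows two checks a practitioner would run around an advisory like this one: verify_package compares a downloaded update's byte size and MD5 with the values the advisory lists before the file is installed by hand (the stand-in "package" and its hash are constructed here, not taken from the tables above), and scan_error_log / neutralize_log find and defuse the raw ESC bytes that CAN-2003-0020 lets a client plant in Apache's error_log. Function names, the temporary files and the sample log lines are this example's own.

```shell
#!/bin/sh
# Added example (not from the Turbolinux advisory). All file contents are
# constructed here; sizes and hashes are computed from them at run time.

md5_of() {
    # MD5 of a file: coreutils md5sum where available, openssl otherwise.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_package FILE EXPECTED_SIZE EXPECTED_MD5
# Prints "OK" and returns 0 when both values match the advisory's, otherwise
# prints "MISMATCH ..." and returns 1. The size check is free and catches a
# truncated download; the MD5 catches a swapped or corrupted file.
verify_package() {
    file=$1; want_size=$2; want_md5=$3
    have_size=$(size_of "$file")
    have_md5=$(md5_of "$file")
    if [ "$have_size" = "$want_size" ] && [ "$have_md5" = "$want_md5" ]; then
        echo "OK"
        return 0
    fi
    echo "MISMATCH size=$have_size md5=$have_md5 (expected $want_size $want_md5)"
    return 1
}

ESC=$(printf '\033')

# scan_error_log FILE: number of log lines that contain a raw ESC byte,
# i.e. candidate terminal-escape injections worth reviewing.
scan_error_log() {
    # grep -c prints 0 but exits 1 when nothing matches; keep the count.
    grep -a -c "$ESC" "$1" || true
}

# neutralize_log FILE: print the log with every ESC rendered as "^[" so a
# terminal emulator never sees the sequence (cat -v gives the same effect).
neutralize_log() {
    sed "s/$ESC/^[/g" "$1"
}

# --- constructed sample data (left in place so the files can be inspected)
tmp=$(mktemp -d)

# Stand-in for a downloaded RPM: arbitrary bytes, not a real package.
printf 'not a real rpm\n' > "$tmp/pkg.rpm"
GOOD_SIZE=$(size_of "$tmp/pkg.rpm")
GOOD_MD5=$(md5_of "$tmp/pkg.rpm")

# A two-line error_log: one ordinary 404, one whose requested path carries
# ESC[2J ESC[H (clear screen, cursor home) the way CAN-2003-0020 allows.
{
    echo "[Wed Apr  7 17:26:53 2004] [error] [client 192.0.2.10] File does not exist: /var/www/html/robots.txt"
    printf '[Wed Apr  7 17:27:01 2004] [error] [client 192.0.2.10] File does not exist: /var/www/html/%s[2J%s[H\n' "$ESC" "$ESC"
} > "$tmp/error_log"

RESULT_GOOD=$(verify_package "$tmp/pkg.rpm" "$GOOD_SIZE" "$GOOD_MD5") || true
RESULT_BAD=$(verify_package "$tmp/pkg.rpm" "$GOOD_SIZE" "00000000000000000000000000000000") || true
ESC_LINES=$(scan_error_log "$tmp/error_log")
ESC_LEFT=$(neutralize_log "$tmp/error_log" | grep -a -c "$ESC" || true)

echo "intact package:            $RESULT_GOOD"
echo "tampered package:          $RESULT_BAD"
echo "error_log lines with ESC:  $ESC_LINES"
echo "ESC bytes after defusing:  $ESC_LEFT"
neutralize_log "$tmp/error_log"
```

The MD5 column only establishes that the download is the file Turbolinux published; it does not authenticate it. On a system with the Turbolinux public key imported, `rpm --checksig <file>` (equivalently `rpm -K`) is the check to run before installing a package outside turbopkg/zabom. For logs, `cat -v` or `less` without `-r`/`-R` give the same protection as neutralize_log when reading error_log interactively.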