From security-announce@turbolinux.co.jp Sun Sep 19 07:45:37 2004
From: Turbolinux
Resent-From: security-announce@turbolinux.co.jp
To: security-announce@turbolinux.co.jp
Resent-To: server-users-e@turbolinux.co.jp (moderated)
Date: Thu, 16 Sep 2004 14:18:09 +0900
Reply-To: server-users-e@turbolinux.co.jp
Subject: [Full-Disclosure] [TURBOLINUX SECURITY INFO] 16/Sep/2004

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an announcement only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 16/Sep/2004
============================================================

The following page contains the security information of Turbolinux Inc.

 - Turbolinux Security Center
   http://www.turbolinux.com/security/

 (1) krb5 -> Double-free vulnerabilities allow arbitrary code execution
 (2) php -> Non-filtering of null characters allows processing of dangerous tags
 (3) squid -> Vulnerability allowing bypassing of access control lists
 (4) samba -> Recently discovered buffer overflow vulnerabilities
 (5) cdrtools -> euid program
 (6) imlib -> Multiple reported buffer overflow vulnerabilities
 (7) httpd -> Two vulnerabilities discovered in httpd

===========================================================
* krb5 -> Double-free vulnerabilities allow arbitrary code execution
===========================================================

 More information :
    Kerberos V5 is a trusted-third-party network authentication system,
    which can improve your network's security by eliminating the insecure
    practice of cleartext passwords.
    Double-free vulnerabilities exist in MIT Kerberos 5.

 Impact :
    Allows remote attackers to execute arbitrary code.

 Affected Products :
    - Turbolinux Appliance Server 1.0 Hosting Edition
    - Turbolinux Appliance Server 1.0 Workgroup Edition
    - Turbolinux 10 F...
    - Turbolinux 10 Desktop
    - Turbolinux 8 Server

 Solution :
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 [Turbolinux 10 Desktop, Turbolinux 10 F...]
 # zabom -u krb5-devel krb5-libs krb5-server krb5-server
 [other]
 # turbopkg
 or
 # zabom update krb5-devel krb5-libs krb5-server krb5-server
 ---------------------------------------------

 References:

 Kerberos: The Network Authentication Protocol
    [MIT krb5 Security Advisory 2004-002]
    http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt
    [MIT krb5 Security Advisory 2004-003]
    http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt

 CVE
    [CAN-2004-0642]
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642
    [CAN-2004-0643]
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643
    [CAN-2004-0644]
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0644
    [CAN-2004-0772]
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0772

===========================================================
* php -> Non-filtering of null characters allows processing of dangerous tags
===========================================================

 More information :
    PHP is an HTML-embedded scripting language.
    The strip_tags function in PHP does not filter null (\0) characters
    within tag names when restricting input to allowed tags. This allows
    dangerous tags to be processed by web browsers such as Internet
    Explorer and Safari, which ignore null characters; this facilitates
    the exploitation of cross-site scripting (XSS) vulnerabilities.

 Impact :
    Bug allows dangerous tags to be processed by web browsers such as
    Internet Explorer and Safari.

 Affected Products :
    - Turbolinux Appliance Server 1.0 Hosting Edition
    - Turbolinux Appliance Server 1.0 Workgroup Edition
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation

 Solution :
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 # turbopkg
 or
 # zabom update php php-gd php-imap php-ldap php-manual php-mysql php-pgsql
 ---------------------------------------------

 Notice :
    After performing the update, it is necessary to restart the httpd
    daemon. To do this, run the following command as user root.
 ---------------------------------------------
 # /etc/init.d/httpd restart
 or
 # /etc/rc.d/init.d/httpd restart
 ---------------------------------------------

 References:

 CVE
    [CAN-2004-0595]
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595

===========================================================
* squid -> Vulnerability allowing bypassing of access control lists
===========================================================

 More information :
    Squid is a high-performance proxy caching server for web clients,
    supporting FTP, gopher, and HTTP data objects. Unlike traditional
    caching software, Squid handles all requests in a single,
    non-blocking, I/O-driven process.
    Squid contains a bug in the "%xx" URL decoding function.

 Impact :
    Squid allows users to bypass certain access controls.

 Affected Products :
    - Turbolinux Appliance Server 1.0 Hosting Edition
    - Turbolinux Appliance Server 1.0 Workgroup Edition
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation

 Solution :
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 [Turbolinux 10 Desktop]
 # turboupdate
 # zabom --update squid
 [Other]
 # turbopkg
 # zabom update squid
 ---------------------------------------------

 Notice :
    After performing the update, it is necessary to restart the squid
    daemon. To do this, run the following command as user root.
 ---------------------------------------------
 # /etc/init.d/squid restart
 or
 # /etc/rc.d/init.d/squid restart
 ---------------------------------------------

 References:

 www.squid-cache.org
    [Squid Proxy Cache Security Update Advisory SQUID-2004:1]
    http://www.squid-cache.org/Advisories/SQUID-2004_1.txt

 CVE
    [CAN-2004-0189]
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0189

===========================================================
* samba -> Recently discovered buffer overflow vulnerabilities
===========================================================

 More information :
    Samba is an Open Source/Free Software suite that provides seamless
    file and print services to SMB/CIFS clients. Samba is freely
    available, unlike other SMB/CIFS implementations, and allows for
    interoperability between Linux/Unix servers and Windows-based clients.
    Buffer overflow vulnerabilities have been discovered in Samba.

 Impact :
    The vulnerabilities allow remote attackers to cause a denial of
    service of Samba server services.

 Affected Products :
    - Turbolinux Appliance Server 1.0 Hosting Edition
    - Turbolinux Appliance Server 1.0 Workgroup Edition
    - Turbolinux 10 F...
    - Turbolinux 10 Desktop
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation

 Solution :
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 [Turbolinux 10 Desktop, Turbolinux 10 F...]
 # zabom -u samba samba-devel smbfs
 [other]
 # turbopkg
 or
 # zabom update samba samba-devel smbfs
 ---------------------------------------------

 References:

 samba
    [Release Notes for Samba 2.2.11]
    http://us1.samba.org/samba/history/samba-2.2.11.html

 CVE
    [CAN-2004-0186]
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0186
    [CAN-2004-0686]
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0686
    [CAN-2004-0829]
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0829

===========================================================
* cdrtools -> euid program
===========================================================

 More information :
    cdrtools is a collection of CD/DVD utilities.
    cdrecord, which is set-uid root, fails to drop the effective UID
    (of root -- euid=0) when it exec()s a program specified by the user
    via the $RSH environment variable.

 Impact :
    Allows local users to gain root privileges.

 Affected Products :
    - Turbolinux Appliance Server 1.0 Hosting Edition
    - Turbolinux Appliance Server 1.0 Workgroup Edition
    - Turbolinux 10 F...
    - Turbolinux 10 Desktop

 Solution :
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 [Turbolinux 10 Desktop, Turbolinux 10 F...]
 # zabom -u cdda2wav cdrtools cdrtools-devel mkisofs
 ---------------------------------------------

 References:

 CVE
    [CAN-2004-0806]
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0806

===========================================================
* imlib -> Multiple reported buffer overflow vulnerabilities
===========================================================

 More information :
    Imlib is a display depth-independent image loading and rendering
    library.
    Multiple buffer overflow vulnerabilities are reported to exist in Imlib.

 Impact :
    Allows remote attackers to execute arbitrary code via malformed
    image files.

 Affected Products :
    - Turbolinux 10 F...
    - Turbolinux 10 Desktop
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation

 Solution :
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 [Turbolinux 10 Desktop, Turbolinux 10 F...]
 # zabom -u imlib imlib-cfgeditor imlib-devel
 [other]
 # turbopkg
 or
 # zabom update imlib imlib-cfgeditor imlib-devel
 ---------------------------------------------

 References:

 CVE
    [CAN-2004-0817]
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0817

===========================================================
* httpd -> Two vulnerabilities discovered in httpd
===========================================================

 More information :
    Apache is a powerful, full-featured, efficient, and freely-available
    Web server. Apache is also the most popular Web server on the Internet.
    The identified vulnerability is in the apr-util library. The buffer
    overflow occurs when expanding ${ENVVAR} constructs in .htaccess or
    httpd.conf files.

 Impact :
    Allows remote attackers to cause a denial of service of the Apache
    server.

 Affected Products :
    - Turbolinux 10 F...
    - Turbolinux 10 Desktop

 Solution :
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 [Turbolinux 10 Desktop, Turbolinux 10 F...]
 # zabom -u httpd httpd-devel httpd-manual mod_ssl
 ---------------------------------------------

 References:

 CVE
    [CAN-2004-0747]
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747
    [CAN-2004-0786]
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786

 * You may need to update the turbopkg tool before applying the update.
   Please refer to the following URL for detailed information.

   http://www.turbolinux.com/download/zabom.html
   http://www.turbolinux.com/download/zabomupdate.html

 Package Update Path
   http://www.turbolinux.com/update

============================================================
 * To obtain the public key

   Here is the public key
   http://www.turbolinux.com/security/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBSSIVK0LzjOqIJMwRAuQNAKC6dotXPPOvgLm/J2BkHTn01I1EMQCfZaGd
uGd34EbV5PsMKo+nshlPkGQ=
=qyd7
-----END PGP SIGNATURE-----
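
The cdrtools item above describes a set-uid root program that exec()s a user-named helper while its effective UID is still 0. The C program below is an added example (not part of the Turbolinux advisory and not cdrtools code) of the pattern that closes that hole: drop privileges irreversibly in the child, verify the drop, and only then exec the program named in $RSH. The function names are hypothetical, and the saved-ID behaviour of setreuid()/setregid() is assumed to be that of Linux.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Permanently give up set-uid/set-gid privileges (hypothetical helper).
 * Returns 0 only when the drop succeeded AND could be verified.
 */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: once the UID is unprivileged the GID can no longer be
     * changed. Passing the real ID as well makes Linux overwrite the saved
     * ID too, so no privileged ID is left to switch back to. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    if (setreuid(ruid, ruid) != 0)
        return -1;

    /* Never trust the return codes alone: re-read the credentials. */
    if (getuid() != ruid || geteuid() != ruid ||
        getgid() != rgid || getegid() != rgid)
        return -1;

    /* The drop must be irreversible. If the old effective IDs can be
     * restored, a saved ID survived and the helper could restore them too. */
    if (old_euid != ruid && seteuid(old_euid) == 0)
        return -1;
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    return 0;
}

/*
 * Run a user-chosen helper with the invoking user's own privileges.
 * Returns the helper's exit status, or -1 on fork/wait failure or if the
 * helper was killed by a signal. 126 = privilege drop failed, 127 = exec
 * failed (same convention as the shell).
 */
int run_helper_unprivileged(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* The flaw in the advisory is an exec at this point with euid
         * still 0. Fail closed instead: no verified drop, no exec. */
        if (drop_privileges_permanently() != 0)
            _exit(126);
        execvp(path, argv);
        _exit(127);
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* $RSH is fully controlled by the invoking user, as in the advisory. */
    const char *helper = getenv("RSH");
    int rc;

    if (helper == NULL || *helper == '\0') {
        fprintf(stderr, "RSH is not set; nothing to run\n");
        return 2;
    }
    char *const args[] = { (char *)helper, NULL };

    printf("parent euid=%ld, helper will run with uid=%ld\n",
           (long)geteuid(), (long)getuid());
    rc = run_helper_unprivileged(helper, args);
    printf("helper exit status: %d\n", rc);
    return rc < 0 ? 1 : 0;
}
```

Installed set-uid root and run by an ordinary user, the parent keeps euid 0 for its own device access while the helper only ever sees the caller's UID and GID.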