From security-announce@turbolinux.co.jp Thu Jan 13 06:51:54 2005
From: Turbolinux
Resent-From: security-announce@turbolinux.co.jp
To: security-announce@turbolinux.co.jp
Resent-To: server-users-e@turbolinux.co.jp (moderated)
Date: Thu, 13 Jan 2005 19:41:20 +0900
Reply-To: server-users-e@turbolinux.co.jp
Subject: [Full-Disclosure] [TURBOLINUX SECURITY INFO] 13/Jan/2005

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an announcement only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 13/Jan/2005
============================================================

The following page contains the security information of Turbolinux Inc.

 - Turbolinux Security Center
   http://www.turbolinux.com/security/

 (1) php -> Multiple vulnerabilities in php
 (2) httpd -> Multiple vulnerabilities in httpd

===========================================================
* php -> Multiple vulnerabilities in php
===========================================================

 More information :
    PHP is an HTML-embedded scripting language.
    Buffer overflow vulnerabilities have been discovered in the
    unserialize and exif_read_data functions of PHP.

 Impact :
    The vulnerabilities can allow remote attackers to cause a denial
    of service and possibly execute arbitrary code.

 Affected Products :
    - Turbolinux 10 Server
    - Turbolinux Home
    - Turbolinux 10 F...
    - Turbolinux 10 Desktop
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation

 Solution :
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 [Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home]
 # zabom -u php4 php4-gd php4-imap php4-ldap php4-manual php4-ming php4-mysql php4-pgsql

 [other]
 # turbopkg
 or
 # zabom update php php-gd php-imap php-ldap php-manual php-ming php-mysql php-pgsql
 ---------------------------------------------

 Notice:
    After performing the update, it is necessary to restart the httpd
    daemon. To do this, run the following command as user root.

 ---------------------------------------------
 # /etc/init.d/httpd restart
 or
 # /etc/rc.d/init.d/httpd restart
 ---------------------------------------------

 References:

 CVE
   [CAN-2004-1019]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1019
   [CAN-2004-1065]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1065

===========================================================
* httpd -> Multiple vulnerabilities in httpd
===========================================================

 More information :
    Apache is a powerful, full-featured, efficient, and
    freely-available Web server. Apache is also the most popular
    Web server on the Internet.
    Please refer to the References section for further information.

 Impact :
    The vulnerabilities could allow remote attackers to cause a denial
    of service and possibly execute arbitrary code.

 Affected Products :
    - Turbolinux 10 Server
    - Turbolinux Home
    - Turbolinux 10 F...
    - Turbolinux 10 Desktop

 Solution :
    Please use the turbopkg (zabom) tool to apply the update.
 ----------------------------------------
 [Turbolinux 10 Server]
 # zabom -u httpd httpd-debug httpd-devel httpd-manual mod_bwshare mod_ssl

 [Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home]
 # zabom -u httpd
 ----------------------------------------

 Notice:
    After performing the update, it is necessary to restart the httpd
    daemon. To do this, run the following command as the root user.
 ---------------------------------------------
 # /etc/init.d/httpd restart
 or
 # /etc/rc.d/init.d/httpd restart
 ---------------------------------------------

 References:

 www.apache.org
   [CHANGES_2.0]
   http://www.apache.org/dist/httpd/CHANGES_2.0

 CVE
   [CAN-2004-0488]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488
   [CAN-2004-0748]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748
   [CAN-2004-0751]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751
   [CAN-2004-0809]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0809
   [CAN-2004-0885]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
   [CAN-2004-0942]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942

 fixed points:
   [Turbolinux 10 Server]
     CAN-2004-0855, CAN-2004-0942
   [Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home]
     CAN-2004-0488, CAN-2004-0748, CAN-2004-0751, CAN-2004-0809,
     CAN-2004-0885, CAN-2004-0942

 * You may need to update the turbopkg tool before applying the update.
 Please refer to the following URL for detailed information.

   http://www.turbolinux.com/download/zabom.html
   http://www.turbolinux.com/download/zabomupdate.html

 Package Update Path
   http://www.turbolinux.com/update/

============================================================
 * To obtain the public key

 Here is the public key

   http://www.turbolinux.com/security/

 * To unsubscribe from the list

 If you ever want to remove yourself from this mailing list,
 you can send a message to with the word `unsubscribe' in the
 body (don't include the quotes).

   unsubscribe

 * To change your email address

 If you ever want to change email address in this mailing list,
 you can send a message to with the following command in the
 message body:

   chaddr 'old address' 'new address'

 If you have any questions or problems, please contact

 Thank you!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFB5lBVK0LzjOqIJMwRAh3gAJ0eDL5ovJpmmFRd007WVmxweA2qzgCgtFXq
80Xj8CGykz854sCVQQXql+A=
=BrUw
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
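
Added example, not part of the Turbolinux advisory: a POSIX shell check that compares installed php and httpd builds with the fixed builds named in the advisory's package file names, to confirm that the update was applied. The product keys (`server10`, `desktop10`, `tl7-8`), the function names and the sample input are assumptions, and the comparison handles numeric fields only rather than the full RPM version ordering.

```sh
#!/bin/sh
# Fixed builds from the advisory's package file names.
# Format: product-key|package|version-release (the keys are hypothetical labels).
FIXED_BUILDS='server10|php4|4.3.8-11
desktop10|php4|4.3.3-7
tl7-8|php|4.2.3-24
server10|httpd|2.0.51-8
desktop10|httpd|2.0.48-15'

# ver_lt A B: succeed when build A is older than build B.
# Assumption: fields are purely numeric and separated by "." or "-", which
# holds for every build above; this is not the full RPM version ordering.
ver_lt() {
    a=$(printf '%s' "$1" | tr '.-' '  ')
    b=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $a
    for fb in $b; do
        fa=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
    done
    return 1
}

# audit PRODUCT: read "name version-release" lines on stdin and print each
# package that is older than the fixed build for PRODUCT.
audit() {
    product=$1
    while read -r name build; do
        fixed=$(printf '%s\n' "$FIXED_BUILDS" |
            awk -F'|' -v p="$product" -v n="$name" '$1 == p && $2 == n { print $3 }')
        [ -n "$fixed" ] || continue
        if ver_lt "$build" "$fixed"; then
            echo "$name $build -> update to $fixed"
        fi
    done
}

# Constructed sample of what
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' php4 httpd
# could print on a Turbolinux 10 Server host (not from a real system).
SAMPLE='php4 4.3.8-9
httpd 2.0.51-8'

printf '%s\n' "$SAMPLE" | audit server10
```

The release field is compared as a number, so build 4.3.8-9 is correctly reported as older than 4.3.8-11, which a plain string comparison would get wrong.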