From security-announce@turbolinux.co.jp Mon Jan 31 11:18:55 2005
From: Turbolinux
Resent-From: security-announce@turbolinux.co.jp
To: security-announce@turbolinux.co.jp
Resent-To: server-users-e@turbolinux.co.jp (moderated)
Date: Mon, 31 Jan 2005 20:32:42 +0900
Reply-To: server-users-e@turbolinux.co.jp
Subject: [Full-Disclosure] [TURBOLINUX SECURITY INFO] 31/Jan/2005

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an announcement only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 31/Jan/2005
============================================================

The following page contains the security information of Turbolinux Inc.

 - Turbolinux Security Center
   http://www.turbolinux.com/security/

 (1) netatalk -> Symlink attack may allow arbitrary file overwriting
 (2) openssl -> Symlink attack in openssl may allow arbitrary file overwriting
 (3) ruby -> Two vulnerabilities discovered in Ruby
 (4) shadow-utils -> Password check vulnerability discovered in shadow-utils
 (5) sudo -> Environment variable sanitization bug permits root compromise
 (6) zip -> Buffer overflow in zip allows arbitrary code execution

===========================================================
* netatalk -> Symlink attack may allow arbitrary file overwriting
===========================================================

 More information:
    Netatalk is an implementation of the AppleTalk Protocol Suite for
    Unix/Linux systems. A vulnerability in the manner in which netatalk
    handles temporary files could allow local users to overwrite arbitrary
    files via a symlink attack.

 Impact:
    This vulnerability may allow local users to overwrite arbitrary files
    via a symbolic link attack.

 Affected Products:
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation

 Solution:
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 # turbopkg
 or
 # zabom update netatalk netatalk-devel
 ---------------------------------------------

 References:

 CVE
   [CAN-2004-0974]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0974

===========================================================
* openssl -> Symlink attack in openssl may allow arbitrary file overwriting
===========================================================

 More information:
    The OpenSSL Project is a collaborative effort to develop a robust,
    commercial-grade, full-featured Open Source toolkit implementing the
    Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
    protocols as well as a full-strength general purpose cryptography
    library. A vulnerability in the manner in which openssl handles
    temporary files could allow local users to overwrite arbitrary files
    via a symlink attack.

 Impact:
    This vulnerability may allow local users to overwrite arbitrary files
    via a symbolic link attack.

 Affected Products:
    - Turbolinux Appliance Server 1.0 Hosting Edition
    - Turbolinux Appliance Server 1.0 Workgroup Edition
    - Turbolinux 10 Server
    - Turbolinux Home
    - Turbolinux 10 F...
    - Turbolinux 10 Desktop
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation

 Solution:
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 [Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F...,
  Turbolinux Home]
 # turbopkg
 or
 # zabom -u openssl openssl-compat openssl-devel

 [other]
 # turbopkg
 or
 # zabom update openssl openssl-compat openssl-devel
 ---------------------------------------------

 References:

 CVE
   [CAN-2004-0975]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0975

===========================================================
* ruby -> Two vulnerabilities discovered in Ruby
===========================================================

 More information:
    Ruby is an interpreted scripting language designed to allow quick and
    easy object-oriented programming. It has many features to process text
    files and to perform system management tasks (as in Perl). It is
    simple, straight-forward, and extensible.

    Two issues have been discovered in Ruby:
    - CGI::Session's FileStore implementations store session information
      insecurely
    - The CGI module in Ruby allows remote attackers to cause a denial of
      service (excessive CPU consumption due to an infinite loop) via a
      malformed HTTP request

 Impact:
    The vulnerabilities may allow a local user to steal session information
    and hijack sessions or allow a remote attacker to cause a denial of
    service in the CGI module in Ruby.

 Affected Products:
    - Turbolinux 10 Server
    - Turbolinux Home
    - Turbolinux 10 F...
    - Turbolinux 10 Desktop
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation

 Solution:
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 [Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F...,
  Turbolinux Home]
 # turbopkg
 or
 # zabom -u ruby

 [other]
 # turbopkg
 or
 # zabom update ruby
 ---------------------------------------------

 References:

 CVE
   [CAN-2004-0755]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0755
   [CAN-2004-0983]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0983

===========================================================
* shadow-utils -> Password check vulnerability discovered in shadow-utils
===========================================================

 More information:
    The shadow-utils package includes the necessary programs for converting
    UNIX password files to the shadow password format in addition to
    programs for managing user and group accounts. The passwd_check
    function in shadow-utils allows local users to conduct unauthorized
    activities if an error from a pam_chauthtok function call is not
    properly handled.

 Impact:
    This vulnerability may allow local users to bypass certain security
    restrictions.

 Affected Products:
    - Turbolinux Appliance Server 1.0 Hosting Edition
    - Turbolinux Appliance Server 1.0 Workgroup Edition
    - Turbolinux 10 Server
    - Turbolinux Home
    - Turbolinux 10 F...
    - Turbolinux 10 Desktop
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation

 Solution:
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 [Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F...,
  Turbolinux Home]
 # turbopkg
 or
 # zabom -u shadow-utils

 [other]
 # turbopkg
 or
 # zabom update shadow-utils
 ---------------------------------------------

 References:

 CVE
   [CAN-2004-1001]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1001

===========================================================
* sudo -> Environment variable sanitization bug permits root compromise
===========================================================

 More information:
    Sudo allows a system administrator to give certain users or groups of
    users the ability to run some or all commands as root while logging
    all commands and arguments. A vulnerability in sudo can allow local
    users to execute arbitrary commands by using "()"-style environment
    variables to create functions.

 Impact:
    This vulnerability can allow local users to gain root privileges.

 Affected Products:
    - Turbolinux 10 Server
    - Turbolinux Home
    - Turbolinux 10 F...
    - Turbolinux 10 Desktop
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation

 Solution:
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 [Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F...,
  Turbolinux Home]
 # turbopkg
 or
 # zabom -u sudo

 [other]
 # turbopkg
 or
 # zabom update sudo
 ---------------------------------------------

 References:

 CVE
   [CAN-2004-1051]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1051

===========================================================
* zip -> Buffer overflow in zip allows arbitrary code execution
===========================================================

 More information:
    Zip is a compression and file packaging utility. A buffer overflow
    exists in zip which, when using recursive folder compression, can
    allow remote attackers to execute arbitrary code via a ZIP file
    containing a very long pathname.

 Impact:
    This vulnerability may allow remote attackers to execute arbitrary
    code via malformed ZIP files.

 Affected Products:
    - Turbolinux Appliance Server 1.0 Hosting Edition
    - Turbolinux Appliance Server 1.0 Workgroup Edition
    - Turbolinux 10 Server
    - Turbolinux Home
    - Turbolinux 10 F...
    - Turbolinux 10 Desktop
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation

 Solution:
    Please use the turbopkg (zabom) tool to apply the update.
 ---------------------------------------------
 [Turbolinux 10 Server, Turbolinux 10 Desktop, Turbolinux 10 F...,
  Turbolinux Home]
 # turbopkg
 or
 # zabom -u zip

 [other]
 # turbopkg
 or
 # zabom update zip
 ---------------------------------------------

 References:

 CVE
   [CAN-2004-1010]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1010

 * You may need to update the turbopkg tool before applying the update.
   Please refer to the following URL for detailed information.

   http://www.turbolinux.com/download/zabom.html
   http://www.turbolinux.com/download/zabomupdate.html

 Package Update Path
   http://www.turbolinux.com/update/

============================================================
 * To obtain the public key

 Here is the public key

   http://www.turbolinux.com/security/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFB/hddK0LzjOqIJMwRAo5rAKCCykJ/HeUHv22Fp7U8SIIV8FYCmQCgtKlC
GBxWvyOrZG+zvs+V9IqBFuQ=
=mOOE
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
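
For the sudo item above (CAN-2004-1051), an added example that is not part of the Turbolinux announcement and is not sudo's own code: it shows why an environment filter that only looks at variable names misses "()"-style function definitions, next to a filter that also inspects values. The denylist contents, the function names and the sample environment are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical name denylist a privileged launcher might strip. */
static const char *const bad_prefixes[] = { "LD_", "IFS=", NULL };

/* 1 if some entry of the NULL-terminated env starts with prefix. */
int env_has(char *const env[], const char *prefix)
{
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], prefix, strlen(prefix)) == 0)
            return 1;
    return 0;
}

/* Decide whether one "NAME=value" entry must be dropped.
 * check_values == 0: name denylist only (the incomplete filter).
 * check_values != 0: also drop malformed entries and any value starting
 * with "()", the marker bash uses for an exported function. The variable
 * NAME can be anything, so only a check on the value catches it. */
static int entry_is_unsafe(const char *entry, int check_values)
{
    for (size_t i = 0; bad_prefixes[i] != NULL; i++)
        if (strncmp(entry, bad_prefixes[i], strlen(bad_prefixes[i])) == 0)
            return 1;
    if (!check_values)
        return 0;
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 1;
    return strncmp(eq + 1, "()", 2) == 0;
}

/* Copy envp into a new NULL-terminated array without the unsafe entries.
 * Strings are shared with envp; the caller frees the returned array.
 * Returns NULL on allocation failure; *kept_out gets the entry count. */
char **filter_env(char *const envp[], int check_values, size_t *kept_out)
{
    size_t n = 0, kept = 0;
    while (envp[n] != NULL)
        n++;
    char **out = malloc((n + 1) * sizeof *out);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        if (!entry_is_unsafe(envp[i], check_values))
            out[kept++] = envp[i];
    out[kept] = NULL;
    if (kept_out != NULL)
        *kept_out = kept;
    return out;
}

/* Constructed sample environment, not taken from the advisory. */
static char *sample_env[] = {
    "PATH=/usr/bin:/bin", "LD_PRELOAD=/tmp/constructed.so",
    "helper=() { :; }",             /* function export, older bash */
    "BASH_FUNC_helper%%=() { :; }", /* function export, newer bash */
    "noequals", "TERM=xterm", NULL
};

int main(void)
{
    size_t weak = 0, strict = 0;
    char **a = filter_env(sample_env, 0, &weak);
    char **b = filter_env(sample_env, 1, &strict);
    if (a == NULL || b == NULL)
        return 1;
    printf("name-only kept %zu, value-aware kept %zu\n", weak, strict);
    for (size_t i = 0; b[i] != NULL; i++)
        printf("  %s\n", b[i]);
    free(a);
    free(b);
    return 0;
}
```

A denylist of either kind remains a stopgap; passing only an explicit allowlist of variables to the privileged child avoids depending on knowing every dangerous form in advance.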