From security-announce@turbolinux.co.jp Mon Aug 4 15:24:11 2003 From: Turbolinux Resent-From: security-announce@turbolinux.co.jp To: security-announce@turbolinux.co.jp Resent-To: server-users-e@turbolinux.co.jp (moderated) Date: Mon, 4 Aug 2003 21:39:27 +0900 Reply-To: server-users-e@turbolinux.co.jp Subject: [Full-Disclosure] [TURBOLINUX SECURITY INFO] 04/Aug/2003 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is an announcement only email list for the x86 architecture. ============================================================ Turbolinux Security Announcement 04/Aug/2003 ============================================================ The following page contains the security information of Turbolinux Inc. - Turbolinux Security Center http://www.turbolinux.com/security/ (1) wu-ftpd -> Wu-ftpd fb_realpath() off-by-one bug =========================================================== * wu-ftpd -> Wu-ftpd fb_realpath() off-by-one bug =========================================================== More information : The fb_realpath() function in Wu-ftpd FTP server contains off-by-one bug. Impact : This vulnerability may allow remote authenticated users to execute arbitrary code via commands that cause long pathnames. Affected Products : - Turbolinux Advanced Server 6 - Turbolinux Server 6.1 - Turbolinux Workstation 6.0 Solution : Please use turbopkg tool to apply the update. Source Packages Size : MD5 wu-ftpd-2.6.2-1.src.rpm 370919 da4c93fb937ff43cb9bc7060d7bcdc16 Binary Packages Size : MD5 wu-ftpd-2.6.2-1.i386.rpm 193659 11cc9e60aea3084fad22dc61f46174c0 Source Packages Size : MD5 wu-ftpd-2.6.2-1.src.rpm 370919 38a0906027289b1d56597beefb15a2b8 Binary Packages Size : MD5 wu-ftpd-2.6.2-1.i386.rpm 193661 d17263391c2771cc5a471a6debf01343 Source Packages Size : MD5 wu-ftpd-2.6.2-1.src.rpm 370919 b92fa542f401a4a8fd36e602c1663885 Binary Packages Size : MD5 wu-ftpd-2.6.2-1.i386.rpm 193650 4d5c87aaa86f313c8440ce9866264753 References : CVE [CAN-2003-0466] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0466 * You may need to update the turbopkg tool before applying the update. Please refer to the following URL for detailed information. http://www.turbolinux.com/download/zabom.html http://www.turbolinux.com/download/zabomupdate.html Package Update Path http://www.turbolinux.com/update ============================================================ * To obtain the public key Here is the public key http://www.turbolinux.com/security/ * To unsubscribe from the list If you ever want to remove yourself from this mailing list, you can send a message to with the word `unsubscribe' in the body (don't include the quotes). unsubscribe * To change your email address If you ever want to chage email address in this mailing list, you can send a message to with the following command in the message body: chaddr 'old address' 'new address' If you have any questions or problems, please contact Thank you! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/LlQDK0LzjOqIJMwRAjMKAKCkdvhkV9jTwqOgiEp36y7GEARpSwCgvhYG xU5SXEMxR69jPa90hp5nMaw= =Q0uD -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html