Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


More on LinuxToday


iDEFENSE: US TurboLinux Security Severely Out of Date

May 30, 2002, 22:00 (1 Talkback[s])
(Other stories by David Endler)
               iDEFENSE Security Advisory 05.30.2002


DESCRIPTION

As of the time of this report, the last security update announced on 
the US TurboLinux website (http://www.turbolinux.com/security/) was 
on January 24, 2002, regarding a problem in xinetd. The last security 
updates released on the official US FTP site were on February 8, 
2002. Additionally, the US TurboLinux security announcement mailing 
list (http://www.TurboLinux.com/pipermail/tl-security-announce/) has 
been inactive since January 2002 as well.  Inferring from these 
lapses, it would seem that TurboLinux Inc.'s Linux distribution 
contains multiple security vulnerabilities that remain exploitable at 
the time of this advisory.  The security patches necessary to patch 
these systems are in fact available on the TurboLinux Japanese 
servers.

This is the second time TurboLinux has let security support for its 
US products lapse for an extended period, the first being about two 
years ago, when budget cutbacks resulted in the Linux distribution 
security staff at TurboLinux being let go. It was not until several 
months later that new security staff was hired (at the time only a 
single person) and security updates for the products were made 
available once again.

Because of this security lag in the US notification and security 
update sites, administrators may have also lapsed in installing 
updates. Since the last US update, this includes more than a dozen 
serious issues, ranging from remote root compromise via anonymous 
access to local root compromises. A number of these problems are 
present in software packages that are mandatory (such as zlib) or 
very popular (such as Apache, OpenSSH, OpenSSL, at, squid, etc.). 


ANALYSIS

The collective security weakness of the outstanding issues listed 
below is staggering.  The following is a list of the most serious 
problems for which most other Linux vendors have provided updates on 
their US sites. It represents the outstanding security problems 
associated with the limited TurboLinux distributions and updates that 
have been available on the US sites only. The list is by no means 
complete. Listed is the most current version of the software package 
available on the US servers that ships with TurboLinux 7.0 and the 
particular vulnerability CAN or CVE ID from Mitre Corp.'s Common 
Vulnerabilities and Exposures (CVE) Project at 
http://cve.mitre.org/cve, also searchable at http://icat.nist.gov:

* apache 1.3.20 (CVE-2001-0730)
* at 3.1.8 (CAN-2002-0004)
* enscript 1.6.1 (CAN-2002-0044)
* imlib 1.9.10 (CAN-2002-0167, CAN-2002-0168)
* mod_ssl 2.8.4 (CAN-2002-0082)
* ncurses4 4.2 (CAN-2002-0062)
* OpenSSH 2.9p2 (CAN-2002-0083)
* php 4.0.5 (CAN-2002-0081)
* rsync 2.4.6 (CAN-2002-0048)
* sane 1.0.3 (CAN-2001-0887)
* squid 2.3STABLE4 (CAN-2002-0067, CAN-2002-0068, CAN-2002-0069)
* sudo 1.6.3p7 (CAN-2002-0184)
* ucd-snmp 4.2.1 (CAN-2002-0012, CAN-2002-0012)
* xchat 1.6.4 (CAN-2002-0006)
* xsane 0.78 (CAN-2001-0887)
* zlib 1.1.3 (CAN-2001-0059)


DETECTION

The above outstanding security issues pertain to the latest US 
available TurboLinux 6 and 7 distribution and possibly other earlier 
versions. 


VENDOR RESPONSE

Marjo Mercado, Director of Solutions and Support, pointed out the 
availability of updates on the Japanese servers.  He could not 
provide an explanation as to why the US servers had not been synced 
in months.

Updated packages for the above security issues are available at: 

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/stable/tested/6
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/stable/tested/7
and ftp://ftp.turbolinux.com/mirrors/ftp.turbolinux.co.jp/stable

Additionally while it may be inconvenient to many non-Japanese 
customers, users can also get notification of new security issues in 
Japanese for the time being from 
http://the.turbolinux.co.jp/bugzilla/.  



David Endler, CISSP
Director, iDEFENSE Labs

dendler@idefense.com
www.idefense.com

Related Stories: