---

TurboLinux Security Announcement: Multiple Security Updates

Date: Tue, 8 May 2001 16:27:46 -0700 (PDT)
From: TurboLinux Security Team <security@www1.turbolinux.com>
Subject: [TL-Security-Announce] TLSA2001012 analog-4.16-2
___________________________________________________________________________________________

                     Turbolinux Security Announcement

        Package: analog
        Vulnerable Packages: All Turbolinux versions previous to 4.16-2
        Date: 05/03/2001 5:00 PDT


        Affected Turbolinux platforms:  Turbolinux versions 6.0.5 and earlier
                                      
        Turbolinux Advisory ID#:  TLSA2001012
        Credits:  Vulnerability discovered by Stephen Turner
                  <S.R.E.Turner@statslab.cam.ac.uk>
    

References:  http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=2377


___________________________________________________________________________________________

A security hole was discovered in the package mentioned above. Please
update the package in your installation as soon as possible.
___________________________________________________________________________________________

1. Problem Summary(From the BugTraq database of securityfocus.com,id#2377)

   As designed, the software makes it possible for a user to remotely
   access network statistics using cgi scripts and HTTP FORM
   methods. When queried, the cgi accesses analog, and outputs
   statistics to a web page. Due to a buffer overflow in analog, and
   improper checking of input by the cgi program, it is possible for a
   user to supply a long ALIAS field to the analog program, which will
   result in a buffer overflow.

2. Impact(Also from the BugTraq database, id#2377)

   A user can remotely execute code and execute commands with privileges
   equal to the httpd process.

3. Solution

   First, uninstall the package analog-form using the command:

   rpm -e analog-form-3.0-1.i386.rpm/, or whatever version of analog-form
   you are currently running
     
   Then, update the analog package from our ftp server by running the
   following command:

   rpm -Uvh ftp_path_to_filename

   Where ftp_path_to_filename is the following:

ftp://ftp.turbolinux.com/pub/updates/6.0/security/analog-4.16-2.i386.rpm

   The source RPM can be downloaded here:

   ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/analog-4.16-2.src.rpm

  **Note: You must rebuild and install the RPM if you choose to download
  and install the SRPM.  Simply installing the SRPM alone WILL NOT CLOSE
  THE SECURITY HOLE.

 Please verify the MD5 checksums of the updates before you install:

  MD5 sum                               Package Name
- --------------------------------------------------------------------------------------------

  717b0f32867e30c4423b077faf93bc96      analog-4.16-2.i386.rpm
  5900b3a42477b5a8da1ac6275eb2360b      analog-4.16-2.src.rpm
___________________________________________________________________________________________

These packages are GPG signed by Turbolinux for security. Our key
is available here:

 http://www.turbolinux.com/security/tlgpgkey.asc

To verify a package, use the following command:

 rpm --checksig name_of_rpm

To examine only the md5sum, use the following command:

 md5sum name_of_rpm

**Note: Checking GPG keys requires RPM 3.0 or higher.

______________________________________________________________________________________________

You can find more updates on our ftp server:

   ftp://ftp.turbolinux.com/pub/updates/6.0/security/ 

for TL6.0 Workstation and Server security updates

Our webpage for security announcements:

   http://www.turbolinux.com/security

If you want to report vulnerabilities, please contact:

   security@turbolinux.com
______________________________________________________________________________________________

Subscribe to the Turbolinux Security Mailing lists:

  TL-security - A moderated list for discussing security issues
                Turbolinux products.
  Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security

  TL-security-announce - An announce-only mailing list for security
                         updates and alerts.

  Subscribe at:

      http://www.turbolinux.com/mailman/listinfo/tl-security-announce




Date: Tue, 8 May 2001 16:10:50 -0700 (PDT)
From: TurboLinux Security Team <security@www1.turbolinux.com>
Subject: [TL-Security-Announce] TLSA2001010 cvsweb-1.93-1



___________________________________________________________________________________________

                     Turbolinux Security Announcement

        Package: cvsweb
        Vulnerable Packages: All Turbolinux versions previous to 1.91-3
        Date: 05/03/2001 5:00 PDT


        Affected Turbolinux versions: TL Server 6.5, TL Workstation 6.1,
                                      Turbolinux versions 6.0.5 and earlier
                                      
        Turbolinux Advisory ID#:  TLSA2001010
        Credits:  Vulnerability discovered by Joey Hess

___________________________________________________________________________________________

A security hole was discovered in the package mentioned above. Please
update the package in your installation as soon as possible or disable the
service.
___________________________________________________________________________________________

1. Problem Summary

   Current and previous version of cvsweb allow remote users to
   access/write files as the default web user via the cvsweb.cgi script.

2. Impact

   Remote read/write access to arbitrary files owned by the default web
   user is possible via this exploit.


3. Solution
     
   Update the packages from our ftp server by running the following
   command:

   rpm -Uvh ftp_path_to_filename

   Where ftp_path_to_filename is the following:


ftp://ftp.turbolinux.com/pub/updates/6.0/security/cvsweb-1.93-1.noarch.rpm


   The source RPM can be downloaded here:

   ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/cvsweb-1.93-1.src.rpm

  **Note: You must rebuild and install the RPM if you choose to download
  and install the SRPM.  Simply installing the SRPM alone WILL NOT CLOSE
  THE SECURITY HOLE.

 Please verify the MD5 checksums of the updates before you install:

  MD5 sum                               Package Name
- --------------------------------------------------------------------------------------------

701bc3687dd2259fa6090e845d37fe4a        cvsweb-1.93-1.noarch.rpm/
210077135b6aa6df2d693c5be9771910        cvsweb-1.93-1.src.rpm/
  
___________________________________________________________________________________________

These packages are GPG signed by Turbolinux for security. Our key
is available here:

 http://www.turbolinux.com/security/tlgpgkey.asc

To verify a package, use the following command:

 rpm --checksig name_of_rpm

To examine only the md5sum, use the following command:

 md5sum name_of_rpm

**Note: Checking GPG keys requires RPM 3.0 or higher.

______________________________________________________________________________________________

You can find more updates on our ftp server:

   ftp://ftp.turbolinux.com/pub/updates/6.0/security/ 

for TL6.0 Workstation and Server security updates

Our webpage for security announcements:

   http://www.turbolinux.com/security

If you want to report vulnerabilities, please contact:

   security@turbolinux.com
______________________________________________________________________________________________

Subscribe to the Turbolinux Security Mailing lists:

  TL-security - A moderated list for discussing security issues
                Turbolinux products.
  
  Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security

  TL-security-announce - An announce-only mailing list for security
                         updates and alerts.

  Subscribe at:

      http://www.turbolinux.com/mailman/listinfo/tl-security-announce


Date: Tue, 8 May 2001 16:06:39 -0700 (PDT)
From: TurboLinux Security Team <security@www1.turbolinux.com>
Subject: [TL-Security-Announce] TLSA2001009 dhcp-2.0pl5-2



___________________________________________________________________________________________

                     Turbolinux Security Announcement

        Package:  dhcp
        Vulnerable Packages: All Turbolinux versions previous to and including 2.0-9
        Date: 04/30/2001 5:00 PDT


        Affected Turbolinux platforms: TL 6.1 WorkStation,
                                      All Turbolinux versions
                                      6.0.5 and earlier

        Turbolinux Advisory ID#:  TLSA2001009

        Credits:  Internet Software Consortium
                  http://www.isc.org/products/DHCP/dhcp-v2.html
___________________________________________________________________________________________

A security hole has been discovered in the dhcp packages.  Please update
the packages in your installation as soon as possible.
___________________________________________________________________________________________

1. Problem Summary

   It is possible for a user to gain root access to a system through the
   use of clever shell metacharacter hacks.


2. Solution
     

   Update the package from our ftp server by running the following
   command:

   rpm -Uvh ftp_path_to_filename

   Where ftp_path_to_filename is the following:

ftp://ftp.turbolinux.com/pub/updates/6.0/security/dhcp-2.0pl5-2.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/dhcp-client-2.0pl5-2.i386.rpm

   The source RPM can be downloaded here:

   ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/dhcp-2.0pl5-2.src.rpm

  **Note: You must rebuild and install the RPM if you choose to download
  and install the SRPM.  Simply installing the SRPM alone WILL NOT CLOSE
  THE SECURITY HOLE.

 Please verify the MD5 checksums of the updates before you install:

  MD5 sum                               Package Name
- ---------------------------------------------------------------------------------------------
                                       
  f8979df299dfbe4f5d6edca681edd8bf      dhcp-2.0pl5-2.i386.rpm/
  48bc3d9afa77a73660aebc8905a8696f      dhcp-client-2.0pl5-2.i386.rpm/
  7cf2a9b3d1a3076ca620e3457ccf1f1f      dhcp-2.0pl5-2.src.rpm/
___________________________________________________________________________________________

These packages are GPG signed by Turbolinux for security. Our key
is available here:

 http://www.turbolinux.com/security/tlgpgkey.asc

To verify a package, use the following command:

 rpm --checksig name_of_rpm

To examine only the md5sum, use the following command:

 md5sum name_of_rpm

**Note: Checking GPG keys requires RPM 3.0 or higher.

______________________________________________________________________________________________

You can find more updates on our ftp server:

   ftp://ftp.turbolinux.com/pub/updates/6.0/security/ for TL6.0

   Workstation and Server security updates

Our webpage for security announcements:

   http://www.turbolinux.com/security

If you want to report vulnerabilities, please contact:

   security@turbolinux.com
______________________________________________________________________________________________

Subscribe to the Turbolinux Security Mailing lists:

  TL-security - A moderated list for discussing security issues
                Turbolinux products.
  Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security

  TL-security-announce - An announce-only mailing list for security
                         updates and alerts.

  Subscribe at:

      http://www.turbolinux.com/mailman/listinfo/tl-security-announce


Date: Tue, 8 May 2001 16:20:48 -0700 (PDT)
From: TurboLinux Security Team <security@www1.turbolinux.com>
Subject: [TL-Security-Announce] TLSA2001011 dialog-0.9a-2

___________________________________________________________________________________________

                     Turbolinux Security Announcement

        Package: dialog
        Vulnerable Packages: All Turbolinux versions previous to 0.9a-2
        Date: 05/03/2001 5:00 PDT


        Affected Turbolinux platforms:  TL Server 6.5, TL Workstation 6.1
                                        Turbolinux versions 6.0.5 and earlier
                                      
        Turbolinux Advisory ID#:  TLSA2001011
        
        Credits:  Reported by Matt Kraai                       
References:  https://www.linuxtoday.com/news_story.php3?ltsn=2000-12-25-020-04-SC-DB


___________________________________________________________________________________________

A security hole was discovered in the package mentioned above. Please
update the package in your installation as soon as possible.
___________________________________________________________________________________________

1. Problem Summary

   Dialog creates lock-files insecurely, which makes it vulnerable
   to a symlink attack.


2. Solution

   Update the package from our ftp server by running the following
   command:

   rpm -Uvh ftp_path_to_filename

   Where ftp_path_to_filename is the following:


ftp://ftp.turbolinux.com/pub/updates/6.0/security/dialog-0.9a-2.i386.rpm

   The source RPM can be downloaded here:

   ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/dialog-0.9a-2.src.rpm

  **Note: You must rebuild and install the RPM if you choose to download
  and install the SRPM.  Simply installing the SRPM alone WILL NOT CLOSE
  THE SECURITY HOLE.

 Please verify the MD5 checksums of the updates before you install:

  MD5 sum                               Package Name
- ---------------------------------------------------------------------------------------------

  660babb1fbef04abbfb9dc326a8f4f16      dialog-0.9a-2.i386.rpm/
  5e858ac44ac97f32c7ba3935da2efa44      dialog-0.9a-2.src.rpm/
  
___________________________________________________________________________________________

These packages are GPG signed by Turbolinux for security. Our key
is available here:

 http://www.turbolinux.com/security/tlgpgkey.asc

To verify a package, use the following command:

 rpm --checksig name_of_rpm

To examine only the md5sum, use the following command:

 md5sum name_of_rpm

**Note: Checking GPG keys requires RPM 3.0 or higher.

______________________________________________________________________________________________

You can find more updates on our ftp server:

   ftp://ftp.turbolinux.com/pub/updates/6.0/security/ 

for TL6.0 Workstation and Server security updates

Our webpage for security announcements:

   http://www.turbolinux.com/security

If you want to report vulnerabilities, please contact:

   security@turbolinux.com
______________________________________________________________________________________________

Subscribe to the Turbolinux Security Mailing lists:

  TL-security - A moderated list for discussing security issues
                Turbolinux products.

  Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security

  TL-security-announce - An announce-only mailing list for security
                         updates and alerts.

  Subscribe at:

      http://www.turbolinux.com/mailman/listinfo/tl-security-announce


Date: Tue, 8 May 2001 15:33:14 -0700 (PDT)
From: TurboLinux Security Team 
Subject: [TL-Security-Announce] TLSA2001008 squid-2.3.STABLE/4-1

_________________________________________________________________________

                     Turbolinux Security Announcement

        Package: Squid
        Vulnerable Packages: All versions previous to 2.3.STABLE4-1
        Date: 05/04/2001 5:00 PDT

        Affected Turbolinux platforms:  TL 6.1 WorkStation,
                                        All Turbolinux versions
                                        6.0.5 and earlier

        Turbolinux Advisory ID#:  TLSA2001008

   Credits: Vulnerability discovered by Greg KH
_________________________________________________________________________

A security hole has been discovered in the package squid.  Please update
this package in your installation as soon as possible.
_________________________________________________________________________

1. Problem Summary(From the BugTraq database at securityfocus.com,id#2184)

   A /tmp file race condition vulnerability exists.  Squid can be
   set up to send emails notifying the administrator of any updates.
   Whenever the email is created, files are created insecurely
   in the /tmp directory and the pre-existence of these files is
   not queried.  Usually, the file creations occur when the system clock
   is reporting an incorrect time or a development version of squid is
   used.  Therefore, it is possible for a user with malicious motives to
   guess the handle of a future /tmp file, and create a symbolic link to a
   file writable by the UID of the squid process, thus overwriting a file
   owned by the squid user, or appending to and corrupting the file.

2. Solution

  Update the package from our ftp server by running the following command:

  rpm -Uvh ftp_path_to_filename

  Where ftp_path_to_filename is the following:

ftp://ftp.turbolinux.com/pub/updates/6.0/security/squid-2.3.STABLE4-1.i386.rpm

  The source RPM can be downloaded here:


ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/squid-2.3.STABLE4-1.src.rpm

  **Note: You must rebuild and install the RPM if you choose to download
  and install the SRPM.  Simply installing the SRPM alone WILL NOT CLOSE
  THE SECURITY HOLE.

 Please verify the MD5 checksums of the updates before you install:

  MD5 sum                               Package Name
- --------------------------------------------------------------------------
d9844e9082390dc146893c836e3ea2a2        squid-2.3.STABLE4-1.i386.rpm/
2412fc6befc100bd757de8fc91ecfc6c        squid-2.3.STABLE4-1.src.rpm/
_________________________________________________________________________

These packages are GPG signed by Turbolinux for security. Our key
is available here:

 http://www.turbolinux.com/security/tlgpgkey.asc

To verify a package, use the following command:

 rpm --checksig name_of_rpm

To examine only the md5sum, use the following command:

 md5sum name_of_rpm

**Note: Checking GPG keys requires RPM 3.0 or higher.

_________________________________________________________________________

You can find more updates on our ftp server:

   ftp://ftp.turbolinux.com/pub/updates/6.0/security/ for TL6.0
   Workstation and Server security updates
 

Our webpage for security announcements:

   http://www.turbolinux.com/security

If you want to report vulnerabilities, please contact:

   security@turbolinux.com
_________________________________________________________________________

Subscribe to the Turbolinux Security Mailing lists:

  TL-security - A moderated list for discussing security issues
                Turbolinux products.

  Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security

  TL-security-announce - An announce-only mailing list for security
                         updates and alerts.

  Subscribe at:

      http://www.turbolinux.com/mailman/listinfo/tl-security-announce


Date: Tue, 8 May 2001 16:35:11 -0700 (PDT)
From: TurboLinux Security Team 
Subject: [TL-Security-Announce] TLSA2001013 vixie-cron-3.0.1-46

___________________________________________________________________________________________

                     Turbolinux Security Announcement

        Package:  vixie-cron
        Vulnerable Packages: All Turbolinux versions previous to 3.0.1-46
        Date: 05/02/2001 5:00 PDT


        Affected Turbolinux platforms: TL Server 6.5,
                                      TL 6.1 WorkStation,
                                      All Turbolinux versions
                                      6.0.5 and earlier

        Turbolinux Advisory ID#:  TLSA2001013

        Credits: Vulnerability first discovered by flatline
     References:  http://marc.theaimsgroup.com/?l=bugtraq&m=98200814418344&w=2

___________________________________________________________________________________________

A security hole has been discovered in the package vixie-cron.  Please
update the packages in your installation as soon as possible.
___________________________________________________________________________________________

1. Problem Summary

   There is a buffer overflow vulnerability associated with the crontab 
   function.  When crontab determines the name of the user calling the
   crontab function, it stores this name in a 20 byte buffer using the
   strcpy() function, which does no bounds checking.  The command
   "useradd" accepts more than 20 characters.  Therefore, a username
   greater than 20 characters will crash a system when passed to the 
   crontab function.

2. Impact

   It is possible for a local user to gain elevated privileges.

3. Solution
     
   Update the packages from our ftp server by running the following command:

   rpm -Uvh ftp_path_to_filename

   Where ftp_path_to_filename is the following:


ftp://ftp.turbolinux.com/pub/updates/6.0/security/vixie-cron-3.0.1-46.i386.rpm 

   The source RPM can be downloaded here:


ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/vixie-cron-3.0.1-46.src.rpm

  **Note: You must rebuild and install the RPM if you choose to download
  and install the SRPM.  Simply installing the SRPM alone WILL NOT CLOSE
  THE SECURITY HOLE.

 Please verify the MD5 checksums of the updates before you install:

  MD5 sum                               Package Name
- ---------------------------------------------------------------------------------------------
                                       
  c79c05f0044f88812908b17730a308ee      vixie-cron-3.0.1-46.i386.rpm/
  cdfd064650b8839a3d7f3eb18a494165      vixie-cron-3.0.1-46.src.rpm/
___________________________________________________________________________________________

These packages are GPG signed by Turbolinux for security. Our key
is available here:

 http://www.turbolinux.com/security/tlgpgkey.asc

To verify a package, use the following command:

 rpm --checksig name_of_rpm

To examine only the md5sum, use the following command:

 md5sum name_of_rpm

**Note: Checking GPG keys requires RPM 3.0 or higher.

______________________________________________________________________________________________

You can find more updates on our ftp server:

   ftp://ftp.turbolinux.com/pub/updates/6.0/security/ 

for TL6.0 Workstation and Server security updates

Our webpage for security announcements:

   http://www.turbolinux.com/security

If you want to report vulnerabilities, please contact:

   security@turbolinux.com
______________________________________________________________________________________________

Subscribe to the Turbolinux Security Mailing lists:

  TL-security - A moderated list for discussing security issues
                Turbolinux products.
  Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security

  TL-security-announce - An announce-only mailing list for security
                         updates and alerts.

  Subscribe at:

      http://www.turbolinux.com/mailman/listinfo/tl-security-announce


Date: Tue, 8 May 2001 16:42:10 -0700 (PDT)
From: TurboLinux Security Team 
Subject: [TL-Security-Announce] TLSA2001014 xntp3-5.93-10


___________________________________________________________________________________________

                     Turbolinux Security Announcement

        Package: xntp3
        Vulnerable Packages: All Turbolinux versions previous to 5.93-10
        Date: 05/02/2001 5:00 PDT


        Affected Turbolinux platforms: TL Server 6.5,
                                       TL 6.1 WorkStation,
                                       All Turbolinux versions
                                       6.0.5 and earlier

        Turbolinux Advisory ID#:  TLSA2001014

        Credits:  Vulnerability discovered by Przemyslaw Frasunek      
        References: http://www.securityfocus.com/vdb/bottom.html?vid=2540

___________________________________________________________________________________________

A security hole has been discovered in the xntp3 packages.  Please update
the packages in your installation as soon as possible.
___________________________________________________________________________________________

1. Problem Summary

   A remote buffer overflow vulnerability exists in the network time
   protocol daemon.  It is remotely exploitable and a user with malicious
   intent can crash the daemon or execute arbitrary code on the affected
   host.

2. Impact

   Remote exploitation can result in an attacker gaining remote root
   access or a denial of ntp service on the affected system.

3. Solution
     
   Update the packages from our ftp server by running the following command:

   rpm -Uvh ftp_path_to_filename

   Where ftp_path_to_filename is the following:

ftp://ftp.turbolinux.com/pub/updates/6.0/security/xntp3-5.93-10.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/xntp3-server-5.93-10.i386.rpm 

   The source RPM can be downloaded here:

   ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/xntp3-5.93-10.src.rpm

  **Note: You must rebuild and install the RPM if you choose to download
  and install the SRPM.  Simply installing the SRPM alone WILL NOT CLOSE
  THE SECURITY HOLE.

 Please verify the MD5 checksums of the updates before you install:

  MD5 sum                               Package Name
- ---------------------------------------------------------------------------------------------
                                       
  1acc3320414d9cf0c95359ee441f670c      xntp3-5.93-10.i386.rpm/
  dfb4610caddfe8970e7c9f37c4fc9ec7      xntp3-server-5.93-10.i386.rpm/
  b68734be1f493230aa773f19a0bfb0b5      xntp3-5.93-10.src.rpm/
___________________________________________________________________________________________

These packages are GPG signed by Turbolinux for security. Our key
is available here:

 http://www.turbolinux.com/security/tlgpgkey.asc

To verify a package, use the following command:

 rpm --checksig name_of_rpm

To examine only the md5sum, use the following command:

 md5sum name_of_rpm

**Note: Checking GPG keys requires RPM 3.0 or higher.

______________________________________________________________________________________________

You can find more updates on our ftp server:

   ftp://ftp.turbolinux.com/pub/updates/6.0/security/ 

for TL6.0 Workstation and Server security updates

Our webpage for security announcements:

   http://www.turbolinux.com/security

If you want to report vulnerabilities, please contact:

   security@turbolinux.com
______________________________________________________________________________________________

Subscribe to the Turbolinux Security Mailing lists:

  TL-security - A moderated list for discussing security issues
                Turbolinux products.
  Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security

  TL-security-announce - An announce-only mailing list for security
                         updates and alerts.

  Subscribe at:

      http://www.turbolinux.com/mailman/listinfo/tl-security-announce

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis