US TurboLinux security severely out of date
David Endler contributed the following:
iDEFENSE Security Advisory 05.30.2002
As of the time of this report, the last security update announced on the US TurboLinux website (http://www.turbolinux.com/security/) was on January 24, 2002, regarding a problem in xinetd. The last security updates released on the official US FTP site were on February 8, 2002. Additionally, the US TurboLinux security announcement mailing list (http://www.TurboLinux.com/pipermail/tl-security-announce/) has been inactive since January 2002 as well. Inferring from these lapses, it would seem that TurboLinux Inc.'s Linux distribution contains multiple security vulnerabilities that remain exploitable at the time of this advisory. The security patches necessary to patch these systems are in fact available on the TurboLinux Japanese servers.
This is the second time TurboLinux has let security support for its US products lapse for an extended period, the first being about two years ago, when budget cutbacks resulted in the Linux distribution security staff at TurboLinux being let go. It was not until several months later that new security staff was hired (at the time only a single person) and security updates for the products were made available once again.
Because of this lag in the US notification and update sites, administrators may also have lapsed in installing updates. The issues published since the last US update include more than a dozen serious ones, ranging from remote root compromise via anonymous access to local root compromise. A number of these problems are present in software packages that are mandatory (such as zlib) or very popular (such as Apache, OpenSSH, OpenSSL, at, squid, etc.).
The collective security weakness of the outstanding issues listed below is staggering. The following is a list of the most serious problems for which most other Linux vendors have provided updates on their US sites. It represents the outstanding security problems associated with the limited TurboLinux distributions and updates that have been available on the US sites only. The list is by no means complete. Each entry gives the most current version of the package available on the US servers for TurboLinux 7.0, followed by the corresponding CAN or CVE ID from Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project at http://cve.mitre.org/cve, also searchable at http://icat.nist.gov:
* apache 1.3.20 (CVE-2001-0730)
* at 3.1.8 (CAN-2002-0004)
* enscript 1.6.1 (CAN-2002-0044)
* imlib 1.9.10 (CAN-2002-0167, CAN-2002-0168)
* mod_ssl 2.8.4 (CAN-2002-0082)
* ncurses4 4.2 (CAN-2002-0062)
* OpenSSH 2.9p2 (CAN-2002-0083)
* php 4.0.5 (CAN-2002-0081)
* rsync 2.4.6 (CAN-2002-0048)
* sane 1.0.3 (CAN-2001-0887)
* squid 2.3STABLE4 (CAN-2002-0067, CAN-2002-0068, CAN-2002-0069)
* sudo 1.6.3p7 (CAN-2002-0184)
* ucd-snmp 4.2.1 (CAN-2002-0012, CAN-2002-0012)
* xchat 1.6.4 (CAN-2002-0006)
* xsane 0.78 (CAN-2001-0887)
* zlib 1.1.3 (CAN-2001-0059)
The above outstanding security issues pertain to the latest US available TurboLinux 6 and 7 distribution and possibly other earlier versions.
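An administrator of an affected host would want to know which of the packages above are still at the US-server version. The following audit script is an added example, not part of the advisory; it assumes the host's inventory comes from `rpm -qa --qf '%{NAME} %{VERSION}\n'` and uses a simplified rpmvercmp (no tilde/caret handling), so vendor backports that keep an old version number would not be detected.

```python
import re

# Versions the advisory lists as the newest on the US TurboLinux servers; an
# installed version at or below these has not received the missing updates.
ADVISORY_VERSIONS = {
    "apache": "1.3.20", "at": "3.1.8", "enscript": "1.6.1", "imlib": "1.9.10",
    "mod_ssl": "2.8.4", "ncurses4": "4.2", "openssh": "2.9p2", "php": "4.0.5",
    "rsync": "2.4.6", "sane": "1.0.3", "squid": "2.3STABLE4", "sudo": "1.6.3p7",
    "ucd-snmp": "4.2.1", "xchat": "1.6.4", "xsane": "0.78", "zlib": "1.1.3",
}

def _segments(version):
    """Split a version into its numeric and alphabetic runs; separators are ignored."""
    return re.findall(r"\d+|[A-Za-z]+", version)

def rpm_vercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1 as version a is older than, equal to or newer than b.
    Numeric segments compare as integers, alpha as strings, numeric beats alpha, leftover wins."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def audit(rpm_qa_output):
    """Parse 'NAME VERSION' lines (rpm -qa --qf '%{NAME} %{VERSION}\\n') and return
    {name: (installed, listed)} for packages still at or below the advisory version."""
    findings = {}
    for line in rpm_qa_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, installed = parts[0].lower(), parts[1]
        listed = ADVISORY_VERSIONS.get(name)
        if listed is not None and rpm_vercmp(installed, listed) <= 0:
            findings[name] = (installed, listed)
    return findings

# Constructed sample inventory (not taken from a real host) for a stand-alone run.
SAMPLE_RPM_QA = "apache 1.3.20\nOpenSSH 2.9p2\nzlib 1.1.4\nsquid 2.3STABLE4\nsudo 1.6.6\n"

for name, (have, listed) in sorted(audit(SAMPLE_RPM_QA).items()):
    print(f"{name}: installed {have}, advisory lists {listed} as unpatched")
```

On the sample inventory, apache, openssh and squid are reported; zlib 1.1.4 and sudo 1.6.6 are newer than the listed versions and pass.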
Marjo Mercado, Director of Solutions and Support, pointed out the availability of updates on the Japanese servers. He could not provide an explanation as to why the US servers had not been synced in months.
Updated packages for the above security issues are available at:
Additionally while it may be inconvenient to many non-Japanese customers, users can also get notification of new security issues in Japanese for the time being from http://the.turbolinux.co.jp/bugzilla/.
David Endler, CISSP
Director, iDEFENSE Labs