US TurboLinux security severely out of date

Friday, 31 May 2002, 2:02 AM EST

David Endler contributed the following:

iDEFENSE Security Advisory 05.30.2002

As of the time of this report, the last security update announced on the US TurboLinux website (http://www.turbolinux.com/security/) was on January 24, 2002, regarding a problem in xinetd. The last security updates released on the official US FTP site were on February 8, 2002. Additionally, the US TurboLinux security announcement mailing list (http://www.TurboLinux.com/pipermail/tl-security-announce/) has been inactive since January 2002 as well. Inferring from these lapses, it would seem that TurboLinux Inc.'s Linux distribution contains multiple security vulnerabilities that remain exploitable at the time of this advisory. The patches needed to fix these systems are in fact available on the TurboLinux Japanese servers.

This is the second time TurboLinux has let security support for its US products lapse for an extended period, the first being about two years ago, when budget cutbacks resulted in the Linux distribution security staff at TurboLinux being let go. It was not until several months later that new security staff was hired (at the time only a single person) and security updates for the products were made available once again.

Because of this lag in the US notification and security update sites, administrators may also have lapsed in installing updates. The issues left outstanding since the last US update include more than a dozen serious ones, ranging from remote root compromise via anonymous access to local root compromise. A number of these problems are present in software packages that are mandatory (such as zlib) or very popular (such as Apache, OpenSSH, OpenSSL, at, squid, etc.).

ANALYSIS

The collective security weakness of the outstanding issues listed below is staggering. The following is a list of the most serious problems for which most other Linux vendors have provided updates on their US sites. It represents the outstanding security problems in the TurboLinux distributions and updates that have been available on the US sites only. The list is by no means complete. Each entry gives the most current version of the package available on the US servers for TurboLinux 7.0, and the CAN or CVE ID of the vulnerability from Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project at http://cve.mitre.org/cve, also searchable at http://icat.nist.gov:

* apache 1.3.20 (CVE-2001-0730)
* at 3.1.8 (CAN-2002-0004)
* enscript 1.6.1 (CAN-2002-0044)
* imlib 1.9.10 (CAN-2002-0167, CAN-2002-0168)
* mod_ssl 2.8.4 (CAN-2002-0082)
* ncurses4 4.2 (CAN-2002-0062)
* OpenSSH 2.9p2 (CAN-2002-0083)
* php 4.0.5 (CAN-2002-0081)
* rsync 2.4.6 (CAN-2002-0048)
* sane 1.0.3 (CAN-2001-0887)
* squid 2.3STABLE4 (CAN-2002-0067, CAN-2002-0068, CAN-2002-0069)
* sudo 1.6.3p7 (CAN-2002-0184)
* ucd-snmp 4.2.1 (CAN-2002-0012, CAN-2002-0012)
* xchat 1.6.4 (CAN-2002-0006)
* xsane 0.78 (CAN-2001-0887)
* zlib 1.1.3 (CAN-2001-0059)

DETECTION

The above outstanding security issues pertain to the latest TurboLinux 6 and 7 distributions available from the US servers, and possibly to earlier versions as well.
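As an added example (not part of the advisory), the following Python script turns the list above into a check an administrator can run against `rpm -qa` output: a package whose installed version is at or below the version listed for the US servers is reported with the IDs cited for it. The sample `rpm -qa` lines are constructed, and `vercmp` is a simplified rpmvercmp, so it is an assumption that the installed packages follow the usual name-version-release naming.

```python
import re

# Versions the advisory lists as newest on the US servers (TurboLinux 7.0), with the IDs it cites.
ADVISORY = {
    "apache": ("1.3.20", ["CVE-2001-0730"]),
    "at": ("3.1.8", ["CAN-2002-0004"]),
    "enscript": ("1.6.1", ["CAN-2002-0044"]),
    "imlib": ("1.9.10", ["CAN-2002-0167", "CAN-2002-0168"]),
    "mod_ssl": ("2.8.4", ["CAN-2002-0082"]),
    "ncurses4": ("4.2", ["CAN-2002-0062"]),
    "openssh": ("2.9p2", ["CAN-2002-0083"]),
    "php": ("4.0.5", ["CAN-2002-0081"]),
    "rsync": ("2.4.6", ["CAN-2002-0048"]),
    "sane": ("1.0.3", ["CAN-2001-0887"]),
    "squid": ("2.3STABLE4", ["CAN-2002-0067", "CAN-2002-0068", "CAN-2002-0069"]),
    "sudo": ("1.6.3p7", ["CAN-2002-0184"]),
    "ucd-snmp": ("4.2.1", ["CAN-2002-0012"]),
    "xchat": ("1.6.4", ["CAN-2002-0006"]),
    "xsane": ("0.78", ["CAN-2001-0887"]),
    "zlib": ("1.1.3", ["CAN-2001-0059"]),
}

def _segments(version):
    # Split into numeric/alphabetic runs as rpmvercmp does: "2.3STABLE4" -> 2, 3, "STABLE", 4.
    return [(int(s), "") if s.isdigit() else (None, s)
            for s in re.findall(r"\d+|[A-Za-z]+", version)]

def vercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1 for a < b, a == b, a > b."""
    sa, sb = _segments(a), _segments(b)
    for seg_a, seg_b in zip(sa, sb):
        if (seg_a[0] is None) != (seg_b[0] is None):
            return 1 if seg_a[0] is not None else -1  # numeric segment outranks alpha
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer tail is newer

def check(rpm_qa_output):
    """Return (name, version, ids) for `rpm -qa` lines still at or below the listed version."""
    findings = []
    for line in rpm_qa_output.splitlines():
        m = re.match(r"^(.+)-([^-]+)-([^-]+)$", line.strip())  # name-version-release
        if m and m.group(1) in ADVISORY:
            listed, ids = ADVISORY[m.group(1)]
            if vercmp(m.group(2), listed) <= 0:
                findings.append((m.group(1), m.group(2), ids))
    return findings

# Constructed sample of `rpm -qa` output, not taken from a real host.
SAMPLE_RPM_QA = "zlib-1.1.3-10\nopenssh-2.9p2-3\nsquid-2.3STABLE4-2\napache-1.3.22-1\nucd-snmp-4.2.3-1\nbash-2.05-8\n"
```

On the sample, `check(SAMPLE_RPM_QA)` flags zlib, openssh and squid; a vendor fix shipped as a release bump with the same upstream version would also be flagged, so confirm such hits against the changelog of the installed package.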

VENDOR RESPONSE

Marjo Mercado, Director of Solutions and Support, pointed out the availability of updates on the Japanese servers. He could not provide an explanation as to why the US servers had not been synced in months.

Updated packages for the above security issues are available at:

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/stable/tested/6
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/stable/tested/7
and ftp://ftp.turbolinux.com/mirrors/ftp.turbolinux.co.jp/stable

Additionally, while it may be inconvenient for many non-Japanese customers, users can for the time being also get notification of new security issues in Japanese from http://the.turbolinux.co.jp/bugzilla/.

David Endler, CISSP
Director, iDEFENSE Labs
www.idefense.com
