From: David Endler (dendleridefense.com)
Date: Thu May 30 2002 - 13:40:01 CDT


                   iDEFENSE Security Advisory 05.30.2002

    DESCRIPTION

    As of the time of this report, the last security update announced on
    the US TurboLinux website (http://www.turbolinux.com/security/) was
    on January 24, 2002, regarding a problem in xinetd. The last security
    updates released on the official US FTP site were on February 8,
    2002. Additionally, the US TurboLinux security announcement mailing
    list (http://www.TurboLinux.com/pipermail/tl-security-announce/) has
    been inactive since January 2002 as well. Inferring from these
    lapses, it would seem that TurboLinux Inc.'s Linux distribution
    contains multiple security vulnerabilities that remain exploitable at
    the time of this advisory. The security patches necessary to patch
    these systems are in fact available on the TurboLinux Japanese
    servers.

    This is the second time TurboLinux has let security support for its
    US products lapse for an extended period, the first being about two
    years ago, when budget cutbacks resulted in the Linux distribution
    security staff at TurboLinux being let go. It was not until several
    months later that new security staff was hired (at the time only a
    single person) and security updates for the products were made
    available once again.

    Because of this security lag in the US notification and security
    update sites, administrators may have also lapsed in installing
    updates. Since the last US update, this includes more than a dozen
    serious issues, ranging from remote root compromise via anonymous
    access to local root compromises. A number of these problems are
    present in software packages that are mandatory (such as zlib) or
    very popular (such as Apache, OpenSSH, OpenSSL, at, squid, etc.).

    ANALYSIS

    The collective security weakness of the outstanding issues listed
    below is staggering. The following is a list of the most serious
    problems for which most other Linux vendors have provided updates on
    their US sites. It represents the outstanding security problems
    associated with the limited TurboLinux distributions and updates that
    have been available on the US sites only. The list is by no means
    complete. For each package, the entry gives the most current version
    available on the US servers that ships with TurboLinux 7.0, followed
    by the CAN or CVE ID of the particular vulnerability from Mitre
    Corp.'s Common Vulnerabilities and Exposures (CVE) Project at
    http://cve.mitre.org/cve, also searchable at http://icat.nist.gov:

    * apache 1.3.20 (CVE-2001-0730)
    * at 3.1.8 (CAN-2002-0004)
    * enscript 1.6.1 (CAN-2002-0044)
    * imlib 1.9.10 (CAN-2002-0167, CAN-2002-0168)
    * mod_ssl 2.8.4 (CAN-2002-0082)
    * ncurses4 4.2 (CAN-2002-0062)
    * OpenSSH 2.9p2 (CAN-2002-0083)
    * php 4.0.5 (CAN-2002-0081)
    * rsync 2.4.6 (CAN-2002-0048)
    * sane 1.0.3 (CAN-2001-0887)
    * squid 2.3STABLE4 (CAN-2002-0067, CAN-2002-0068, CAN-2002-0069)
    * sudo 1.6.3p7 (CAN-2002-0184)
    * ucd-snmp 4.2.1 (CAN-2002-0012, CAN-2002-0012)
    * xchat 1.6.4 (CAN-2002-0006)
    * xsane 0.78 (CAN-2001-0887)
    * zlib 1.1.3 (CAN-2001-0059)

    DETECTION

    The above outstanding security issues pertain to the TurboLinux 6 and
    7 distributions as currently available on the US servers, and
    possibly to earlier versions as well.
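    A practical way to act on the package list above is to compare it
    against what is actually installed. The following script is an added
    example, not part of the advisory: it parses the advisory's
    "* package version (IDs)" lines, reads constructed output of
    `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, and flags every
    listed package whose installed version is at or below the version
    the advisory names, using an rpmvercmp-style segment comparison.

```python
import re

# A subset of the advisory's package list, copied verbatim from the text above.
ADVISORY_LIST = """
* apache 1.3.20 (CVE-2001-0730)
* at 3.1.8 (CAN-2002-0004)
* OpenSSH 2.9p2 (CAN-2002-0083)
* squid 2.3STABLE4 (CAN-2002-0067, CAN-2002-0068, CAN-2002-0069)
* sudo 1.6.3p7 (CAN-2002-0184)
* zlib 1.1.3 (CAN-2001-0059)
"""

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output.
RPM_QA = """apache 1.3.20-5
openssh 3.1p1-2
sudo 1.6.3p7-3
squid 2.3STABLE4-1
zlib 1.1.4-1
bash 2.05-8
"""

LINE_RE = re.compile(r"^\*\s+(\S+)\s+(\S+)\s+\(([^)]*)\)")

def parse_advisory(text):
    """Map lowercased package name -> (version named in advisory, [CVE/CAN ids])."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ids = [i.strip() for i in m.group(3).split(",")]
            entries[m.group(1).lower()] = (m.group(2), ids)
    return entries

def parse_rpm_qa(text):
    """Map lowercased package name -> installed VERSION (RELEASE stripped)."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0].lower()] = parts[1].rsplit("-", 1)[0]
    return installed

def _segments(version):
    # rpmvercmp-style split: numeric runs compare as integers and sort
    # above alphabetic runs, which compare as strings (e.g. 2.9p2 -> 2,9,p,2).
    return [(1, int(s)) if s.isdigit() else (0, s)
            for s in re.findall(r"\d+|[A-Za-z]+", version)]

def outstanding(advisory, installed):
    """Return {package: (installed, advisory version, ids)} for packages still at
    or below the version the advisory lists, i.e. presumably unpatched."""
    hits = {}
    for name, (listed, ids) in advisory.items():
        if name in installed and _segments(installed[name]) <= _segments(listed):
            hits[name] = (installed[name], listed, ids)
    return hits
```

    Because only VERSION is compared, a vendor backport that keeps the
    same version and bumps RELEASE would still be flagged; check the
    RELEASE tag of a hit against the updated packages before acting.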

    VENDOR RESPONSE

    Marjo Mercado, Director of Solutions and Support, pointed out the
    availability of updates on the Japanese servers. He could not
    provide an explanation as to why the US servers had not been synced
    in months.

    Updated packages for the above security issues are available at:

    ftp://ftp.turbolinux.co.jp/pub/TurboLinux/stable/tested/6
    ftp://ftp.turbolinux.co.jp/pub/TurboLinux/stable/tested/7
    and ftp://ftp.turbolinux.com/mirrors/ftp.turbolinux.co.jp/stable

    Additionally, while it may be inconvenient to many non-Japanese
    customers, users can also get notification of new security issues in
    Japanese for the time being from
    http://the.turbolinux.co.jp/bugzilla/.

    David Endler, CISSP
    Director, iDEFENSE Labs
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071

    dendleridefense.com
    www.idefense.com