// back

TurboLinux vulnerabilities

05.30.02

BACKGROUND

As of this report, the last security update announced on the US TurboLinux website (http://www.turbolinux.com/security/) was on January 24, 2002, regarding a problem in xinetd. The last security update released on the official US FTP site was on February 8, 2002. Additionally, the US TurboLinux security announcement mailing list
(http://www.TurboLinux.com/pipermail/tl-security-announce/) has been inactive since January 2002 as well. As such, it would appear as though TurboLinux Inc.'s Linux distribution contains multiple security vulnerabilities that remain exploitable at the time of this advisory. However, the security patches necessary to patch these systems are in
fact available on the TurboLinux Japanese servers.

DESCRIPTION

This is the second time TurboLinux has let security support for its US products lapse for an extended period, the first being about two years ago, when budget cutbacks resulted in the Linux distribution security staff at TurboLinux being let go. It was not until several months later that new security staff was hired (at the time only a single person) and
security updates for the products were made available once again. Because of this security lag in the US notification and security update sites, administrators may have also lapsed in installing updates. Since the last US update, this includes more than a dozen serious issues, ranging from remote root compromise via anonymous access to local
root compromises. A number of these problems are present in software packages that are mandatory (such as zlib) or very popular (such as Apache, OpenSSH, OpenSSL, at, squid, etc.).

ANALYSIS

The collective security weakness of the outstanding issues listed below is staggering. The following is a list of the most serious problems for which most other Linux vendors have provided updates on their US sites. It represents the outstanding security problems associated with the limited TurboLinux distributions and updates that have been available on the US sites only. The list is by no means complete. Listed is the most current version of the software package available on the US servers that ships with TurboLinux 7.0:

* apache 1.3.20
* at 3.1.8
* enscript 1.6.1
* imlib 1.9.10
* mod_ssl 2.8.4
* ncurses4 4.2
* OpenSSH 2.9p2
* php 4.0.5
* rsync 2.4.6
* sane 1.0.3
* squid 2.3STABLE4
* sudo 1.6.3p7
* ucd-snmp 4.2.1
* xchat 1.6.4
* xsane 0.78
* zlib 1.1.3

DETECTION

The above outstanding security issues pertain to the latest US available TurboLinux 6 and 7 distribution and possibly other earlier versions.

WORKAROUND

No workaround is available as of this writing.

VENDOR RESPONSE

Marjo Mercado, Director of Solutions and Support at TurboLinux, pointed out the availability of updates on the Japanese servers. He could not provide an explanation as to why the US servers had not been synced in months. Updated packages for the above security issues are available at:

ftp://ftp.turbolinux.co.jp/pub/TurboLinux/stable/tested/6
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/stable/tested/7
and ftp://ftp.turbolinux.com/mirrors/ftp.turbolinux.co.jp/stable

Additionally while it may be inconvenient to many non-Japanese customers, users can also get notification of new security issues in Japanese for the time being from http://the.turbolinux.co.jp/bugzilla/.

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the following identification numbers for each of these issues:

* apache 1.3.20: CVE-2001-0730
* at 3.1.8: CAN-2002-0004
* enscript 1.6.1: CAN-2002-0044
* imlib 1.9.10: CAN-2002-0167 and CAN-2002-0168
* mod_ssl 2.8.4: CAN-2002-0082
* ncurses4 4.2: CAN-2002-0062
* OpenSSH 2.9p2: CAN-2002-0083
* php 4.0.5: CAN-2002-0081
* rsync 2.4.6: CAN-2002-0048
* sane 1.0.3: CAN-2001-0887
* squid 2.3STABLE4: CAN-2002-0067, CAN-2002-0068 and CAN-2002-0069
* sudo 1.6.3p7: CAN-2002-0184
* ucd-snmp 4.2.1: CAN-2002-0012, CAN-2002-0012
* xchat 1.6.4: CAN-2002-0006
* xsane 0.78: CAN-2001-0887
* zlib 1.1.3: CAN-2001-0059

CREDIT

Kurt Seifried (kurt@seifried.org) is credited with discovering the lapse.