This is the second time TurboLinux has let security support for its US products lapse for an extended period, the first being about two years ago, when budget cutbacks resulted in the Linux distribution security staff at TurboLinux being let go. It was not until several months later that new security staff was hired (at the time only a single person) and security updates for the products were made available once again.

Date: Thu, 30 May 2002 14:40:01 -0400
From: David Endler
To:
Subject: US TurboLinux Security Severely Out of Date

iDEFENSE Security Advisory 05.30.2002

DESCRIPTION

As of the time of this report, the last security update announced on the US TurboLinux website was on January 24, 2002, regarding a problem in xinetd. The last security updates released on the official US FTP site were on February 8, 2002. Additionally, the US TurboLinux security announcement mailing list has been inactive since January 2002 as well. Inferring from these lapses, it would seem that TurboLinux Inc.'s Linux distribution contains multiple security vulnerabilities that remain exploitable at the time of this advisory. The security patches necessary to patch these systems are in fact available on the TurboLinux Japanese servers.

This is the second time TurboLinux has let security support for its US products lapse for an extended period, the first being about two years ago, when budget cutbacks resulted in the Linux distribution security staff at TurboLinux being let go. It was not until several months later that new security staff was hired (at the time only a single person) and security updates for the products were made available once again.

Because of this security lag in the US notification and security update sites, administrators may have also lapsed in installing updates. Since the last US update, this includes more than a dozen serious issues, ranging from remote root compromise via anonymous access to local root compromises. A number of these problems are present in software packages that are mandatory (such as zlib) or very popular (such as Apache, OpenSSH, OpenSSL, at, squid, etc.).

ANALYSIS

The collective security weakness of the outstanding issues listed below is staggering. The following is a list of the most serious problems for which most other Linux vendors have provided updates on their US sites. It represents the outstanding security problems associated with the limited TurboLinux distributions and updates that have been available on the US sites only. The list is by no means complete. Listed is the most current version of the software package available on the US servers that ships with TurboLinux 7.0 and the particular vulnerability CAN or CVE ID from Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project.

* apache 1.3.20 (CVE-2001-0730)
* at 3.1.8 (CAN-2002-0004)
* enscript 1.6.1 (CAN-2002-0044)
* imlib 1.9.10 (CAN-2002-0167, CAN-2002-0168)
* mod_ssl 2.8.4 (CAN-2002-0082)
* ncurses4 4.2 (CAN-2002-0062)
* OpenSSH 2.9p2 (CAN-2002-0083)
* php 4.0.5 (CAN-2002-0081)
* rsync 2.4.6 (CAN-2002-0048)
* sane 1.0.3 (CAN-2001-0887)
* squid 2.3STABLE4 (CAN-2002-0067, CAN-2002-0068, CAN-2002-0069)
* sudo 1.6.3p7 (CAN-2002-0184)
* ucd-snmp 4.2.1 (CAN-2002-0012, CAN-2002-0012)
* xchat 1.6.4 (CAN-2002-0006)
* xsane 0.78 (CAN-2001-0887)
* zlib 1.1.3 (CAN-2001-0059)

DETECTION

The above outstanding security issues pertain to the latest US available TurboLinux 6 and 7 distribution and possibly other earlier versions.

VENDOR RESPONSE

Marjo Mercado, Director of Solutions and Support, pointed out the availability of updates on the Japanese servers. He could not provide an explanation as to why the US servers had not been synced in months.

Updated packages for the above security issues are available at:

Additionally, while it may be inconvenient to many non-Japanese customers, users can also get notification of new security issues in Japanese for the time being from TurboLinux's Japanese-language site.

David Endler, CISSP
Director, iDEFENSE Labs
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
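The advisory's DETECTION section amounts to "compare what you have installed against the versions listed above." The following script, an added example that is not part of the iDEFENSE advisory, parses the advisory's package list into a lookup table and checks an `rpm -qa`-style inventory against it using an RPM-style version comparison (digit runs compared numerically, letter runs lexically), flagging any package at or below the version the advisory names. The inventory lines and the `find_outdated` / `rpm_vercmp` helper names are constructed for this example; the package versions and CAN/CVE identifiers are copied from the advisory text.

```python
import re

# Package list copied verbatim from the advisory's ANALYSIS section:
# name, newest version shipped on the US servers, and the CAN/CVE ids.
ADVISORY_TEXT = """
* apache 1.3.20 (CVE-2001-0730)
* at 3.1.8 (CAN-2002-0004)
* enscript 1.6.1 (CAN-2002-0044)
* imlib 1.9.10 (CAN-2002-0167, CAN-2002-0168)
* mod_ssl 2.8.4 (CAN-2002-0082)
* ncurses4 4.2 (CAN-2002-0062)
* OpenSSH 2.9p2 (CAN-2002-0083)
* php 4.0.5 (CAN-2002-0081)
* rsync 2.4.6 (CAN-2002-0048)
* sane 1.0.3 (CAN-2001-0887)
* squid 2.3STABLE4 (CAN-2002-0067, CAN-2002-0068, CAN-2002-0069)
* sudo 1.6.3p7 (CAN-2002-0184)
* ucd-snmp 4.2.1 (CAN-2002-0012, CAN-2002-0012)
* xchat 1.6.4 (CAN-2002-0006)
* xsane 0.78 (CAN-2001-0887)
* zlib 1.1.3 (CAN-2001-0059)
"""

# Constructed inventory in the shape of:
#   rpm -qa --qf '%{NAME} %{VERSION}\n'
# (assumption: package names match the advisory's names case-insensitively)
SAMPLE_INVENTORY = [
    "apache 1.3.20",     # exactly the listed version -> affected
    "openssh 3.4p1",     # newer than 2.9p2 -> not flagged
    "zlib 1.1.3",        # listed version -> affected
    "squid 2.4STABLE6",  # newer than 2.3STABLE4 -> not flagged
    "sudo 1.6.3p7",      # listed version -> affected
    "bash 2.05",         # not in the advisory at all
]


def parse_advisory(text):
    """Turn '* name version (id, id)' bullets into {name: (version, [ids])}."""
    entries = {}
    for m in re.finditer(r"\*\s+(\S+)\s+(\S+)\s+\(([^)]*)\)", text):
        name, version, ids = m.groups()
        entries[name.lower()] = (version, [i.strip() for i in ids.split(",")])
    return entries


def _segments(version):
    # rpmvercmp splits on anything that is not a digit or a letter
    return re.findall(r"\d+|[A-Za-z]+", version)


def rpm_vercmp(a, b):
    """Return -1, 0 or 1 for a <, ==, > b using rpmvercmp's core rules:
    numeric segments compare as integers, alphabetic ones lexically,
    a numeric segment beats an alphabetic one, and when one version
    runs out of segments the one with segments left over is newer."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def find_outdated(inventory, advisory):
    """Return (name, installed, listed, ids) for every installed package whose
    version is at or below the version the advisory names for it."""
    hits = []
    for line in inventory:
        name, installed = line.split()
        if name.lower() in advisory:
            listed, ids = advisory[name.lower()]
            if rpm_vercmp(installed, listed) <= 0:
                hits.append((name, installed, listed, ids))
    return hits


if __name__ == "__main__":
    table = parse_advisory(ADVISORY_TEXT)
    for name, installed, listed, ids in find_outdated(SAMPLE_INVENTORY, table):
        print(f"{name} {installed} <= {listed}: {', '.join(ids)}")
```

On a real host, replace `SAMPLE_INVENTORY` with the lines from `rpm -qa --qf '%{NAME} %{VERSION}\n'`; any line reported means the package is no newer than what the US mirrors last shipped and should be updated from the mirrors that do carry the fixes.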