-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2008-14
http://www.turbolinux.co.jp/security/
security-team@turbolinux.co.jp
--------------------------------------------------------------------------

Original release date: 16 Apr 2008
Last revised: 16 Apr 2008

Package: openssh

Summary: Hijack forwarded X connections

More information:
  Ssh (Secure Shell) is a program for logging into a remote machine and
  for executing commands on a remote machine. It is intended to replace
  rlogin and rsh, and provide secure encrypted communications between
  two untrusted hosts over an insecure network. X11 connections and
  arbitrary TCP/IP ports can also be forwarded over the secure channel.

  OpenSSH 4.3p2, and probably other versions, allows local users to
  hijack forwarded X connections by causing ssh to set DISPLAY to :10,
  even when another process is listening on the associated port, as
  demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie
  sent by Emacs.
  (CVE-2008-1483)

Affected Products:
  - Turbolinux 11 Server x64 Edition
  - Turbolinux 11 Server
  - Turbolinux Appliance Server 2.0
  - Turbolinux FUJI
  - Turbolinux 10 Server x64 Edition
  - Turbolinux Appliance Server 1.0 Hosting Edition
  - Turbolinux Appliance Server 1.0 Workgroup Edition
  - Turbolinux 10 Server
  - Turbolinux Multimedia
  - Turbolinux Personal

References:

CVE
  [CVE-2008-1483]
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483

--------------------------------------------------------------------------
Revision History
  16 Apr 2008 Initial release
--------------------------------------------------------------------------

Copyright(C) 2008 Turbolinux, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)

iEYEARECAAYFAkgF7LcACgkQK0LzjOqIJMzsFACdF4e8tAS8AxlIwFC0jCTnyaPG
O54AnAuIR4mYDzlrJv5eIz2xOn2NT8N1
=OZ/p
-----END PGP SIGNATURE-----
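
A defender-side check for the condition described in the advisory, added here as an example and not part of the Turbolinux advisory or of OpenSSH: it parses `ss -H -ltnp` output and reports forwarded-X display ports (6000 + N, N >= 10) that are held by a process other than sshd, or shared between different processes. The sample output, process names and PIDs are constructed, and the 1000-display upper bound is an assumption.

```python
import re

# Constructed sample of `ss -H -ltnp` output (not taken from a real host).
SAMPLE_SS = '''\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:* users:(("python",pid=4242,fd=3))
LISTEN 0 128 [::1]:6010 [::]:* users:(("sshd",pid=3110,fd=9))
LISTEN 0 128 127.0.0.1:6011 0.0.0.0:* users:(("sshd",pid=3175,fd=9))
LISTEN 0 128 [::1]:6011 [::]:* users:(("sshd",pid=3175,fd=10))
LISTEN 0 128 127.0.0.1:6012 0.0.0.0:*
'''

X11_BASE = 6000        # X display N listens on TCP port 6000 + N
DISPLAY_OFFSET = 10    # sshd_config X11DisplayOffset default, hence DISPLAY=:10
MAX_DISPLAY = 1000     # assumed upper bound for this check

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\((.*)\))?\s*$')
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def audit_x11_listeners(ss_output, expected="sshd"):
    """Return {display: [(addr, owner, pid), ...]} for displays needing review."""
    by_display = {}
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, port, users = m.group(1), int(m.group(2)), m.group(3)
        display = port - X11_BASE
        if not DISPLAY_OFFSET <= display < MAX_DISPLAY:
            continue
        # Without root, ss omits the owner; record it as unknown, pid 0.
        procs = PROC_RE.findall(users or "") or [("unknown", "0")]
        for name, pid in procs:
            by_display.setdefault(display, []).append((addr, name, int(pid)))
    findings = {}
    for display, socks in by_display.items():
        owners = {(name, pid) for _, name, pid in socks}
        # Flag a display if any listener is not sshd, or if its sockets
        # (e.g. IPv4 and IPv6) are held by different processes.
        if any(name != expected for name, _ in owners) or len(owners) > 1:
            findings[display] = sorted(socks)
    return findings

if __name__ == "__main__":
    for display, socks in sorted(audit_x11_listeners(SAMPLE_SS).items()):
        print(f"DISPLAY :{display} (tcp/{X11_BASE + display}): {socks}")
```

On a live host, feed the function the output of `ss -H -ltnp` run as root so that socket owners are visible.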