--------------------------------------------------------------------------
 Turbolinux Security Advisory TLSA-2008-34
 http://www.turbolinux.co.jp/security/
 security-team@turbolinux.co.jp
--------------------------------------------------------------------------

 Original released date: 18 Sep 2008
 Last revised: 18 Sep 2008

 Package: httpd

 Summary: Cross-site scripting (XSS) vulnerability

 More information:
    Apache is a powerful, full-featured, efficient, and freely-available
    Web server. Apache is also the most popular Web server on the Internet.

    Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the
    mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c
    in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions,
    allows remote attackers to inject arbitrary web script or HTML via a
    wildcard in the last directory component in the pathname in an FTP URI.
    (CVE-2008-2939)

 Affected Products:
    - Turbolinux Client 2008
    - Turbolinux 11 Server x64 Edition
    - Turbolinux 11 Server
    - Turbolinux Appliance Server 2.0
    - Turbolinux FUJI
    - Turbolinux 10 Server x64 Edition
    - Turbolinux 10 Server
    - Turbolinux Multimedia
    - Turbolinux Personal

 Source Packages:
    - httpd-2.2.6-10.src.rpm
    - httpd-2.0.51-37.src.rpm
    - httpd-2.0.54-23.src.rpm
    - httpd-2.0.48-25.src.rpm

 References:
    CVE
    [CVE-2008-2939]
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939

--------------------------------------------------------------------------
 Revision History
    18 Sep 2008 Initial release
--------------------------------------------------------------------------

 Copyright(C) 2008 Turbolinux, Inc. All rights reserved.
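
 Added example (not part of the Turbolinux advisory and not Apache code): one way to review a forward proxy's access log for requests that match the CVE-2008-2939 description, by flagging proxied ftp:// requests whose last path component holds both a wildcard and HTML metacharacters. The wildcard set, the log format and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: characters an FTP proxy treats as glob wildcards.
WILDCARDS = set("*?[")
# Characters that let a reflected path break out into HTML markup.
HTML_META = set("<>\"'")
# Request line of an Apache common/combined access-log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/\d\.\d"')

def last_component(uri):
    """Return the decoded last path component of an ftp:// URI, else None."""
    if not uri.lower().startswith("ftp://"):
        return None
    _, _, path = uri[len("ftp://"):].partition("/")
    path = path.split(";type=", 1)[0]        # drop FTP transfer-type suffix
    component = path.rsplit("/", 1)[-1]
    previous = None
    while component != previous:             # undo nested percent-encoding
        previous, component = component, unquote(component)
    return component

def is_suspicious(line):
    """True if a proxied FTP request pairs a wildcard with HTML metacharacters."""
    match = REQUEST_RE.search(line)
    if not match:
        return False
    component = last_component(match.group(1))
    if component is None:
        return False
    chars = set(component)
    return bool(chars & WILDCARDS) and bool(chars & HTML_META)

# Constructed sample entries (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2008:10:00:00 +0900] "GET ftp://ftp.example.org/pub/*.iso HTTP/1.1" 200 1523',
    '192.0.2.11 - - [18/Sep/2008:10:00:05 +0900] "GET ftp://ftp.example.org/pub/*%3Cb%3Ex HTTP/1.1" 200 1620',
    '192.0.2.12 - - [18/Sep/2008:10:00:09 +0900] "GET ftp://ftp.example.org/pub/%2A%253Ci%253E HTTP/1.0" 200 1611',
    '192.0.2.13 - - [18/Sep/2008:10:00:12 +0900] "GET http://www.example.org/*%3Cb%3E HTTP/1.1" 404 210',
    '192.0.2.14 - - [18/Sep/2008:10:00:15 +0900] "GET ftp://ftp.example.org/pub/README HTTP/1.1" 200 880',
]

def scan(lines):
    """Return the log lines that is_suspicious() flags."""
    return [line for line in lines if is_suspicious(line)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("SUSPICIOUS:", hit)
```

 A plain wildcard listing such as `*.iso` is normal proxy use and is not flagged; only the combination with markup characters, including double-encoded ones, is reported.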