Security Update: [CSSA-2001-SCO.13] OpenServer: BIND buffer overflows

From: sco-security@caldera.com
Date: 08/27/01


To: security-announce@lists.securityportal.com, bugtraq@securityfocus.com, announce@lists.caldera.com
From: sco-security@caldera.com
Date: Mon, 27 Aug 2001 14:19:37 -0700
Subject: Security Update: [CSSA-2001-SCO.13] OpenServer: BIND buffer overflows
Message-ID: <20010827141937.F4999@caldera.com>


___________________________________________________________________________

            Caldera International, Inc. Security Advisory

Subject: OpenServer: BIND buffer overflows
Advisory number: CSSA-2001-SCO.13
Issue date: 2001 August 20
Cross reference:
___________________________________________________________________________

1. Problem Description
        
        The BIND subsystem contains several buffer overflows, detailed
        in CERT advisory CA-2001-02. This advisory announces the
        availability of a preliminary version of BIND 8.2.5. Since
        there is no packaged installation of this preliminary
        offering, it should only be installed by experienced system
        administrators. A formal installable fix containing this
        version of BIND is forthcoming.

2. Vulnerable Versions

        Operating System        Version         Affected Files
        ------------------------------------------------------------------
        OpenServer              <= 5.0.6a       ./etc/addr
                                                ./etc/nsupdate
                                                ./etc/dig
                                                ./etc/dnsquery
                                                ./etc/host
                                                ./etc/named
                                                ./etc/named-xfer
                                                ./etc/ndc
                                                ./usr/lib/libresolv.so.1
                                                ./usr/lib/libsocket.so.2
                                                ./usr/lib/libresolv.a
                                                ./usr/lib/libsocket.a
                                                ./usr/lib/libp/libresolv.so.1
                                                ./usr/lib/libp/libsocket.a
                                                ./usr/lib/libp/libsocket.so.2
                                                ./usr/lib/libp/libresolv.a
                                                ./usr/bin/nslookup
                                                ./usr/include/resolv.h

3. Workaround

        None.

4. OpenServer

  4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/security/openserver/sr379322/

  4.2 Verification

        md5 checksums:

        84e3a058fb2af36235e99831fb44d200 newbind.tar.Z

        md5 is available for download from

                ftp://ftp.sco.com/pub/security/tools/

  4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following commands:

        # uncompress /tmp/newbind.tar.Z
        # mkdir /tmp/newbind
        # cd /tmp/newbind
        # tar xvf /tmp/newbind.tar

        Replace each of the associated binaries with the one from this
        directory (after saving them somewhere else).
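        The verification step in 4.2 and the replace-after-saving step in
        4.3 can be scripted. The following is an added example and is not
        part of the Caldera advisory or the newbind package; it assumes
        md5sum or openssl is present on the host, and that the extracted
        tree is either laid out like the section 2 paths (etc/named, ...)
        or flat (named, ...), since the archive layout is not stated.

```shell
#!/bin/sh
# Added example, not from the advisory: check the newbind.tar.Z digest
# against the section 4.2 value, then replace each section 2 file from the
# extracted tree, saving the original first as section 4.3 instructs.
# Assumes md5sum or openssl exists; tree may be path-structured or flat.

EXPECTED_MD5="84e3a058fb2af36235e99831fb44d200"   # from section 4.2
AFFECTED_FILES="etc/addr etc/nsupdate etc/dig etc/dnsquery etc/host \
etc/named etc/named-xfer etc/ndc usr/lib/libresolv.so.1 usr/lib/libsocket.so.2 \
usr/lib/libresolv.a usr/lib/libsocket.a usr/lib/libp/libresolv.so.1 \
usr/lib/libp/libsocket.a usr/lib/libp/libsocket.so.2 usr/lib/libp/libresolv.a \
usr/bin/nslookup usr/include/resolv.h"

# Print the MD5 of a file, using whichever tool the host provides.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# Return 0 only if the archive's digest matches the expected value.
verify_archive() {
    [ "$(md5_of "$1")" = "$2" ]
}

# install_bind_files SRC ROOT BACKUP
# For each affected path, save ROOT/path under BACKUP/path, then copy the
# replacement from SRC (structured or flat layout). Prints the number of
# files replaced; paths missing from SRC are reported on stderr and skipped.
install_bind_files() {
    src="$1"; root="$2"; backup="$3"; replaced=0
    for f in $AFFECTED_FILES; do
        if [ -f "$src/$f" ]; then new="$src/$f"
        elif [ -f "$src/$(basename "$f")" ]; then new="$src/$(basename "$f")"
        else echo "no replacement for $f in $src, skipping" >&2; continue
        fi
        if [ -f "$root/$f" ]; then
            mkdir -p "$backup/$(dirname "$f")"
            cp -p "$root/$f" "$backup/$f"
        fi
        mkdir -p "$root/$(dirname "$f")"
        cp -p "$new" "$root/$f"
        replaced=$((replaced + 1))
    done
    echo "$replaced"
}
```

        Run as `verify_archive /tmp/newbind.tar.Z "$EXPECTED_MD5" && install_bind_files /tmp/newbind / /var/tmp/bind-backup`; a digest mismatch stops the installation before anything is touched.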

5. References

        http://www.cert.org/advisories/CA-2001-02.html

6. Disclaimer

        Caldera International, Inc. is not responsible for the misuse
        of any of the information we provide on our website and/or
        through our security advisories. Our advisories are a service
        to our customers intended to promote secure installation and
        use of Caldera International products.
         
___________________________________________________________________________
