Security Update: [CSSA-2002-SCO.33] OpenServer 5.0.5 OpenServer 5.0.6 : timed does not enforce nulls
From: security@caldera.comDate: 07/16/02
- Previous message: security@caldera.com: "Security Update: [CSSA-2002-SCO.34] OpenServer 5.0.5 OpenServer 5.0.6 : uux status file name buffer overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: bugtraq@securityfocus.com, announce@lists.caldera.com, scoannmod@xenitec.on.ca From: security@caldera.com Date: Mon, 15 Jul 2002 17:05:04 -0700
To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.on.ca
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: OpenServer 5.0.5 OpenServer 5.0.6 : timed does not enforce nulls
Advisory number: CSSA-2002-SCO.33
Issue date: 2002 July 15
Cross reference:
______________________________________________________________________________
1. Problem Description
The timed program does not enforce null-termination of
strings in certain situations. It is possible that this
could be used by a malicious user to perform a remote
denial-of-service attack.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
OpenServer 5.0.5 /etc/timed
OpenServer 5.0.6 /etc/timed
3. Solution
The proper solution is to install the latest packages.
4. OpenServer 5.0.5
4.1 Location of Fixed Binaries
ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.33
4.2 Verification
MD5 (VOL.000.000) = 8f818406b55b806e10b05c3647517265
md5 is available for download from
ftp://ftp.caldera.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following commands:
1) Download the VOL* files to the /tmp directory
Run the custom command, specify an install from media images,
and specify the /tmp directory as the location of the images.
5. OpenServer 5.0.6
5.1 Location of Fixed Binaries
ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.33
5.2 Verification
MD5 (VOL.000.000) = 8f818406b55b806e10b05c3647517265
md5 is available for download from
ftp://ftp.caldera.com/pub/security/tools
5.3 Installing Fixed Binaries
Upgrade the affected binaries with the following commands:
1) Download the VOL* files to the /tmp directory
Run the custom command, specify an install from media images,
and specify the /tmp directory as the location of the images.
6. References
Specific references for this advisory:
http://xforce.iss.net/static/6228.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0388
Caldera security resources:
http://www.caldera.com/support/security/index.html
This security fix closes Caldera incidents sr855195,
SCO-559-1321, erg711889.
7. Disclaimer
Caldera International, Inc. is not responsible for the
misuse of any of the information we provide on this website
and/or through our security advisories. Our advisories are
a service to our customers intended to promote secure
installation and use of Caldera products.
8. Acknowledgements
This vulnerability was discovered and researched by David
A. Holland <dholland@www.linux.org.uk>.
______________________________________________________________________________
- application/pgp-signature attachment: stored
- Previous message: security@caldera.com: "Security Update: [CSSA-2002-SCO.34] OpenServer 5.0.5 OpenServer 5.0.6 : uux status file name buffer overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
