Security Update: [ CSSA-2003-SCO.12 ] OpenServer 5.0.6, OpenServer 5.0.7 : Security vulnerability in Merge prior to Release 5.3.23a

security_at_sco.com
Date: 07/22/03

    To: bugtraq@securityfocus.com, announce@lists.caldera.com
    Date: Mon, 21 Jul 2003 18:32:05 -0700
    
    


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ______________________________________________________________________________

                            SCO Security Advisory

    Subject: UnixWare 7.1.x : Security vulnerability in Merge prior
                                             to Release 5.3.23a
    Advisory number: CSSA-2003-SCO-11
    Issue date: 2003 July 21
    Cross reference: CAN-2003-0597
    ______________________________________________________________________________

    1. Problem Description

             Previous versions of Merge may include a security vulnerability
             in /usr/lib/merge/display that could be exploited to allow
             unauthorized root access to the UNIX system by an unprivileged
             user with a UNIX login. Release 5.3.23a includes an
             automatically installed fix for the problem.

    2. Vulnerable Supported Versions

            System Binaries
            ----------------------------------------------------------------------
            UnixWare 7.1.2 distribution
            UnixWare 7.1.3 distribution

    3. Solution

            The proper solution is to install the latest packages.

    4. UnixWare 7.1.3, 7.1.3

            4.1 Location of Fixed Binaries

            http://www.sco.com/download.

            Select NeTraverse Merge 5.3.23 for UnixWare 7.1.2 and UnixWare 7.1.3

            4.2 Verification

            MD5 (uw7_merge5323a.pkg) = 6b28bb98d01d36a098a81413fd8e3f66

            md5 is available for download from
                    ftp://ftp.sco.com/pub/security/tools

            4.3 Installing Fixed Binaries

            Upgrade the affected binaries with the following sequence:

            Download uw7_merge5323a.pkg to the /var/spool/pkg directory

            # pkgadd -d /var/spool/pkg/uw7_merge5323a.pkg

    7. References

            Specific references for this advisory:

                    The Common Vulnerabilities and Exposures (CVE) project
                    has assigned the name CAN-2003-0597 to this issue. This
                    is a candidate for inclusion in the CVE list
                    (http://cve.mitre.org), which standardizes names for
                    security problems.

            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0597

            SCO security resources:
                    http://www.sco.com/support/security/index.html

            This security fix closes SCO incidents sr875154, fz527518,
            erg712239.

    8. Disclaimer

            SCO is not responsible for the misuse of any of the information
            we provide on this web site and/or through our security
            advisories. Our advisories are a service to our customers
            intended to promote secure installation and use of SCO
            products.

    9. Acknowledgments

            The Merge development team created the fix for the
            vulnerability.

    ______________________________________________________________________________

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (SCO_SV)
    Comment: For info see http://www.gnupg.org

    iEYEARECAAYFAj8cOPIACgkQaqoBO7ipriGD3QCeKfB8xVe6dHlZtNzgn0i7l0Ny
    kocAn0dGGSHV4umpP5VdH5sIslVD2WgY
    =Y+bn
    -----END PGP SIGNATURE-----
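
The verification step in section 4.2, written as a gate to run before the `pkgadd` command in section 4.3. This is an added example, not part of the SCO advisory or SCO's tooling: it parses the advisory's `MD5 (file) = digest` line and refuses a package whose name or digest differs. The function names are assumptions made for illustration; the file name, default path and digest are the ones quoted in the advisory.

```python
import hashlib
import hmac
import os
import re
import sys

# Checksum line exactly as quoted in section 4.2 of the advisory.
ADVISORY_LINE = "MD5 (uw7_merge5323a.pkg) = 6b28bb98d01d36a098a81413fd8e3f66"

# BSD-style digest line: MD5 (<file name>) = <32 hex digits>
CHECKSUM_RE = re.compile(r"^\s*MD5 \(([^)]+)\) = ([0-9a-fA-F]{32})\s*$")


def parse_checksum_line(line):
    """Return (file_name, lowercase_digest) from an 'MD5 (name) = hex' line."""
    match = CHECKSUM_RE.match(line)
    if match is None:
        raise ValueError("not an 'MD5 (file) = digest' line: %r" % line)
    return match.group(1), match.group(2).lower()


def md5_of_file(path, chunk_size=65536):
    """Hash the file in chunks so a large package is never held in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_package(path, checksum_line=ADVISORY_LINE):
    """Return (ok, reason); ok is True only if name and digest both match."""
    expected_name, expected_digest = parse_checksum_line(checksum_line)
    if os.path.basename(path) != expected_name:
        return False, "file name is not %s" % expected_name
    actual = md5_of_file(path)
    if not hmac.compare_digest(actual, expected_digest):
        return False, "MD5 mismatch: got %s, advisory says %s" % (actual, expected_digest)
    return True, "MD5 matches advisory"


if __name__ == "__main__":
    # Default path is the download location named in section 4.3.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/spool/pkg/uw7_merge5323a.pkg"
    ok, reason = verify_package(target)
    print("%s: %s" % (target, reason))
    sys.exit(0 if ok else 1)  # non-zero exit lets a wrapper script skip pkgadd
```

The digest only shows that the file matches what the advisory lists; trust in the digest itself comes from checking the PGP signature on the advisory.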

