Security Update: [ CSSA-2003-SCO.12 ] OpenServer 5.0.6, OpenServer 5.0.7 : Security vulnerability in Merge prior to Release 5.3.23a
Date: 07/22/03

  • Next message: Last Stage of Delirium: "Re: [LSD] Critical security vulnerability in Microsoft Operating Systems"
    Date: Mon, 21 Jul 2003 18:32:05 -0700


    Hash: SHA1


                            SCO Security Advisory

    Subject: UnixWare 7.1.x : Security vulnerability in Merge prior
                                             to Release 5.3.23a
    Advisory number: CSSA-2003-SCO-11
    Issue date: 2003 July 21
    Cross reference: CAN-2003-0597

    1. Problem Description

             Previous versions of Merge may include a security vulnerability
             in /usr/lib/merge/display that could be exploited to allow
             unauthorized root access to the UNIX system by an unprivileged
             user with a UNIX login. Release 5.3.23a includes an
             automatically installed fix for the problem.

    2. Vulnerable Supported Versions

            System Binaries
            UnixWare 7.1.2 distribution
            UnixWare 7.1.3 distribution

    3. Solution

            The proper solution is to install the latest packages.

    4. UnixWare 7.1.3, 7.1.3

            4.1 Location of Fixed Binaries


            Select NeTraverse Merge 5.3.23 for UnixWare 7.1.2 and UnixWare 7.1.3

            4.2 Verification

            MD5 (uw7_merge5323a.pkg) = 6b28bb98d01d36a098a81413fd8e3f66

            md5 is available for download from

            4.3 Installing Fixed Binaries

            Upgrade the affected binaries with the following sequence:

            Download uw7_merge5323a.pkg to the /var/spool/pkg directory

            # pkgadd -d /var/spool/pkg/uw7_merge5323a.pkg

    7. References

            Specific references for this advisory:

            Specific references for this advisory:
                    The Common Vulnerabilities and Exposures (CVE) project
                    has assigned the name CAN-2003-0597 to this issue. This
                    is a candidate for inclusion in the CVE list
                    (, which standardized names for
                    security problems.


            SCO security resources:

            This security fix closes SCO incidents sr875154, fz527518,

    8. Disclaimer

            SCO is not responsible for the misuse of any of the information
            we provide on this web site and/or through our security
            advisories. Our advisories are a service to our customers
            intended to promote secure installation and use of SCO

    9. Acknowledgments

            The Merge development team created the fix for the


    Version: GnuPG v1.0.6 (SCO_SV)
    Comment: For info see

    -----END PGP SIGNATURE-----

  • Next message: Last Stage of Delirium: "Re: [LSD] Critical security vulnerability in Microsoft Operating Systems"

    Relevant Pages