OpenServer 5.0.x : Samba security update available for download.
Date: 08/16/03

    Date: Fri, 15 Aug 2003 17:04:03 -0700




                            SCO Security Advisory

    Subject: UnixWare 7.1.2 Open UNIX 8.0.0 UnixWare 7.1.1 UnixWare 7.1.2 : exploitable buffer overrun in metamail
    Advisory number: CSSA-2003-SCO.15
    Issue date: 2003 August 15
    Cross reference:

    1. Problem Description

            Metamail is a package that implements MIME. Using a
            configurable "mailcap" file, metamail determines how to
            treat blocks of electronic mail text based on the content
            as described by email headers. Some popular packages for
            handling electronic mail have hooks that allow metamail to
            be called automatically while a message is being processed.

            Many buffer overflow conditions exist in versions <= 2.7.
            The lack of boundary checks could lead to execution of
            arbitrary commands if the receiver processes the messages
            using the metamail package.

            The Common Vulnerabilities and Exposures (CVE) project has
            assigned the names CVE-1999-1263, CVE-1999-0365, and CVE-1999-0037
            to this issue. These are candidates for inclusion in the CVE list,
            which standardizes names for security problems.


    2. Vulnerable Supported Versions

            System Binaries
            Open UNIX 8.0.0 /usr/bin/metamail
            UnixWare 7.1.1 /usr/bin/metamail
            UnixWare 7.1.2 /usr/bin/metamail
            UnixWare 7.1.3 /usr/bin/metamail

    3. Solution

            The proper solution is to install the latest packages.

    4. UnixWare 7.1.3, Open UNIX 8.0.0, UnixWare 7.1.2, UnixWare 7.1.1

            4.1 Location of Fixed Binaries


            4.2 Verification

            MD5 (erg712265.Z) = 0c528e7fb5efe8156e6b460cebe0bbb6

            md5 is available for download from

            4.3 Installing Fixed Binaries

            Upgrade the affected binaries with the following sequence:

            Download erg712265.Z to the /tmp directory

            # zcat erg712265.Z | pkgadd -d -
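
            Added example (not part of the SCO advisory): a shell check that
            ties 4.2 to 4.3 by comparing the downloaded file against the
            advisory's MD5 line before pkgadd runs. The function names, the
            saved advisory file advisory.txt, and the use of md5sum or openssl
            as the hashing tool are assumptions.

```shell
#!/bin/sh
# Added example; function names and the advisory.txt path are assumptions.

# Print the expected hash for file name $1 from "MD5 (name) = hex" lines on stdin.
expected_md5() {
    awk -v name="$1" '
        $1 == "MD5" && $2 == ("(" name ")") && $3 == "=" && length($4) == 32 {
            print tolower($4); exit
        }'
}

# Print the MD5 of file $1 as lowercase hex; status 2 if no tool is present.
actual_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | awk '{ print tolower($1) }'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -md5 < "$1" | awk '{ print tolower($NF) }'
    else
        return 2
    fi
}

# verify_pkg ADVISORY PACKAGE: 0 = match, 1 = mismatch, 2 = cannot check.
verify_pkg() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "cannot read $1 or $2" >&2; return 2; }
    want=$(expected_md5 "$(basename "$2")" < "$1")
    [ -n "$want" ] || { echo "no MD5 line for $2 in $1" >&2; return 2; }
    got=$(actual_md5 "$2") || { echo "no md5sum or openssl found" >&2; return 2; }
    if [ "$want" = "$got" ]; then
        return 0
    fi
    echo "MD5 mismatch for $2: expected $want, got $got" >&2
    return 1
}

# Install only after the check passes (commands from section 4.3):
#   verify_pkg advisory.txt /tmp/erg712265.Z &&
#       zcat /tmp/erg712265.Z | pkgadd -d -
```

            The comparison is only as trustworthy as the copy of the advisory
            the expected value is read from.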

    8. References

            Specific references for this advisory:
            sr875867, fz527543, erg712265,
            CVE-1999-1263, CVE-1999-0365, CVE-1999-0037

            SCO security resources:

            This security fix closes SCO incidents sr875867, fz527543,

    9. Disclaimer

            SCO is not responsible for the misuse of any of the information
            we provide on this website and/or through our security
            advisories. Our advisories are a service to our customers
            intended to promote secure installation and use of SCO

    10. Acknowledgments

            The SCO group would like to thank Peter Maydell and the
            Debian Security team.
