Get APLawrence.com by RSSRecent SCO/Linux News
Index
Recent SCO Security Info
Recent SCO TA's
There is a LOT more here: try Searching this site
From: security@sco.com
Subject: OpenServer 5.0.x : Samba security update available avaliable for download.
Date: Mon, 1 Sep 2003 00:04:03 GMT
To: full-disclosure@lists.netsys.com bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.on.ca
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: UnixWare 7.1.2 Open UNIX 8.0.0 UnixWare 7.1.1 UnixWare 7.1.2 : exploitable buffer overrun in metamail
Advisory number: CSSA-2003-SCO.15
Issue date: 2003 August 15
Cross reference:
______________________________________________________________________________
1. Problem Description
Metamail is a package that implements MIME. Using a
configurable "mailcap" file, metamail determines how to
treat blocks of electronic mail text based on the content
as described by email headers. Some popular packages for
handling electronic mail have hooks that allow metamail to
be called automatically while a message is being processed.
Many buffer overflow conditions exist in version <= 2.7.
The lack of boundary checks could lead to execution an
arbitrary commands if the receiver processes the messages
using the metamail package.
The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CVE-1999-1263, CVE-1999-0365, and CVE-1999-0037
to this issue. This is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security problems.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0037
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
Open UNIX 8.0.0 /usr/bin/metamail
UnixWare 7.1.1 /usr/bin/metamail
UnixWare 7.1.2 /usr/bin/metamail
UnixWare 7.1.3 /usr/bin/metamail
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.3, Open UNIX 8.0.0, UnixWare 7.1.2, UnixWare 7.1.1
4.1 Location of Fixed Binaries
ftp://ftp.caldera.com/pub/updates/UnixWare/CSSA-2003-SCO.15
4.2 Verification
MD5 (erg712265.Z) = 0c528e7fb5efe8156e6b460cebe0bbb6
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download erg712265.Z to the /tmp directory
# zcat erg712265.Z | pkgadd -d -
8. References
Specific references for this advisory:
sr875867, fz527543, erg712265,
CVE-1999-1263, CVE-1999-0365, CVE-1999-0037
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr875867, fz527543,
erg712265.
9. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
10. Acknowledgments
The SCO group would like to thank Peter Maydell and the
Debian Security team.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj89YRAACgkQaqoBO7ipriGcLwCePPWl4nIpwmrYN9TNgaH1b+FT
Uf4An0AQoOByNvRWQU7NWlbMJfM3PUq0
=+cp3
-----END PGP SIGNATURE-----
/News/sconews0618.html copyright All Rights Reserved
Have you tried Searching this site?
Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.
Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.
Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.
We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.
Click here to add your comments
Don't miss responses! Subscribe to Comments by RSS or by Email
Click here to add your comments
If you want a picture to show with your comment, go get a Gravatar