OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: securitycaldera.com
Date: Mon Dec 10 2001 - 19:42:10 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    To: bugtraqsecurityfocus.com announcelists.caldera.com scoannmodxenitec.on.ca

    ___________________________________________________________________________

                Caldera International, Inc. Security Advisory

    Subject: Open UNIX, UnixWare 7: timed does not enforce nulls
    Advisory number: CSSA-2001-SCO.39
    Issue date: 2001 December 10
    Cross reference:
    ___________________________________________________________________________

    1. Problem Description
            
            The timed program does not enforce null-termination of strings
            in certain situations. It is possible that this could be used
            by a malicious user to perform a remote denial-of-service
            attack.

    2. Vulnerable Versions

            Operating System Version Affected Files
            ------------------------------------------------------------------
            UnixWare 7 All /usr/sbin/in.timed
            Open UNIX 8.0.0 /usr/sbin/in.timed

    3. Workaround

            If the in.timed service is not needed, it may be disabled.

    4. UnixWare 7, Open UNIX 8

      4.1 Location of Fixed Binaries

            ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.39/

      4.2 Verification

            md5 checksums:
            
            87c68b618f4317dd92460aaa49e6a522 erg711890.Z

            md5 is available for download from

                    ftp://stage.caldera.com/pub/security/tools/

      4.3 Installing Fixed Binaries

            Upgrade the affected binaries with the following commands:

            # uncompress /tmp/erg711890.Z
            # pkgadd -d /tmp/erg711890

    5. References

            http://xforce.iss.net/static/6228.php
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0388

            This and other advisories are located at
                    http://stage.caldera.com/support/security

            This advisory addresses Caldera Security internal incidents
            sr855196, fz519311, erg711890.

    6. Disclaimer

            Caldera International, Inc. is not responsible for the misuse
            of any of the information we provide on our website and/or
            through our security advisories. Our advisories are a service
            to our customers intended to promote secure installation and
            use of Caldera International products.

    7. Acknowledgements

            This vulnerability was discovered and researched by David A.
            Holland <dhollandwww.linux.org.uk>.
         

             
    ___________________________________________________________________________

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (SCO_SV)
    Comment: For info see http://www.gnupg.org

    iEYEARECAAYFAjwVZHIACgkQaqoBO7ipriHEGACdGTuhPlva0PpRiIE6neJUhEsw
    acoAn2K5PyT45yeOM8Zt8VseaSIzJX6h
    =CY9g
    -----END PGP SIGNATURE-----