OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: securitycaldera.com
Date: Tue May 28 2002 - 18:05:40 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    To: bugtraqsecurityfocus.com announcelists.caldera.com scoannmodxenitec.on.ca

    ______________________________________________________________________________

                    Caldera International, Inc. Security Advisory

    Subject: OpenServer 5.0.5 OpenServer 5.0.6 : sort command creates temporary files insecurely
    Advisory number: CSSA-2002-SCO.21
    Issue date: 2002 May 28
    Cross reference:
    ______________________________________________________________________________

    1. Problem Description

            The sort command creates and uses temporary files insecurely.
            Names can be predicted, and spoofed with symbolic links.

    2. Vulnerable Supported Versions

            System Binaries
            ----------------------------------------------------------------------
            OpenServer 5.0.5 /bin/sort
            OpenServer 5.0.6 /bin/sort

    3. Solution

            The proper solution is to install the latest packages.

    4. OpenServer 5.0.5

            4.1 Location of Fixed Binaries

            ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.21

            4.2 Verification

            MD5 (VOL.000.000) = ebaac320d491aae20385b0c54af794fb

            md5 is available for download from
                    ftp://stage.caldera.com/pub/security/tools/

            4.3 Installing Fixed Binaries

            Upgrade the affected binaries with the following commands:

            1) Download the VOL* files to the /tmp directory

            Run the custom command, specify an install from media images,
            and specify the /tmp directory as the location of the images.

    5. OpenServer 5.0.6

            5.1 Location of Fixed Binaries

            ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.21

            5.2 Verification

            MD5 (VOL.000.000) = ebaac320d491aae20385b0c54af794fb

            md5 is available for download from
                    ftp://stage.caldera.com/pub/security/tools/

            5.3 Installing Fixed Binaries

            Upgrade the affected binaries with the following commands:

            1) Download the VOL* files to the /tmp directory

            Run the custom command, specify an install from media images,
            and specify the /tmp directory as the location of the images.

    6. References

            Specific references for this advisory:
                    none

            Caldera UNIX security resources:
                    http://stage.caldera.com/support/security/

            Caldera OpenLinux security resources:
                    http://www.caldera.com/support/security/index.html

            This security fix closes Caldera incidents sr848813,
            SCO-1-238, erg711767 .

    7. Disclaimer

            Caldera International, Inc. is not responsible for the
            misuse of any of the information we provide on this website
            and/or through our security advisories. Our advisories are
            a service to our customers intended to promote secure
            installation and use of Caldera products.

    ______________________________________________________________________________

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (SCO_SV)
    Comment: For info see http://www.gnupg.org

    iEYEARECAAYFAjz0DUQACgkQaqoBO7ipriGzeACeLTEqdz3KhQa1RPtWzs3tzD+J
    TOwAnidDF5vA/izv5kaVd30D+F5ZtviT
    =M+fA
    -----END PGP SIGNATURE-----