[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

OpenServer 5.0.x : Samba security update available avaliable for download.



To: full-disclosure@xxxxxxxxxxxxxxxx bugtraq@xxxxxxxxxxxxxxxxx announce@xxxxxxxxxxxxxxxxx scoannmod@xxxxxxxxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



______________________________________________________________________________

			SCO Security Advisory

Subject:		UnixWare 7.1.2 Open UNIX 8.0.0 UnixWare 7.1.1 UnixWare 7.1.2 : exploitable buffer overrun in metamail
Advisory number: 	CSSA-2003-SCO.15
Issue date: 		2003 August 15
Cross reference:
______________________________________________________________________________


1. Problem Description

	Metamail is a package that implements MIME. Using a
	configurable "mailcap" file, metamail determines how to
	treat blocks of electronic mail text based on the content
	as described by email headers. Some popular packages for
	handling electronic mail have hooks that allow metamail to
	be called automatically while a message is being processed.

	Many buffer overflow conditions exist in version <= 2.7.
	The lack of boundary checks could lead to execution an
	arbitrary commands if the receiver processes the messages
	using the metamail package.

	The Common Vulnerabilities and Exposures (CVE) project has 
	assigned the name CVE-1999-1263, CVE-1999-0365, and CVE-1999-0037 
	to this issue. This is a candidate for inclusion in the CVE list 
	(http://cve.mitre.org), which standardizes names for security problems.  

	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1263
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0365
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0037

2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	Open UNIX 8.0.0 		/usr/bin/metamail	
	UnixWare 7.1.1 			/usr/bin/metamail	
	UnixWare 7.1.2			/usr/bin/metamail	
	UnixWare 7.1.3 			/usr/bin/metamail	

3. Solution

	The proper solution is to install the latest packages.


4. UnixWare 7.1.3, Open UNIX 8.0.0, UnixWare 7.1.2, UnixWare 7.1.1

	4.1 Location of Fixed Binaries

	ftp://ftp.caldera.com/pub/updates/UnixWare/CSSA-2003-SCO.15


	4.2 Verification

	MD5 (erg712265.Z) = 0c528e7fb5efe8156e6b460cebe0bbb6

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	Download erg712265.Z to the /tmp directory

	# zcat erg712265.Z | pkgadd -d -


8. References

	Specific references for this advisory:
	sr875867, fz527543, erg712265, 
	CVE-1999-1263, CVE-1999-0365, CVE-1999-0037 

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr875867, fz527543,
	erg712265.


9. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


10. Acknowledgments

	The SCO group would like to thank Peter Maydell and the
	Debian Security team.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj89YRAACgkQaqoBO7ipriGcLwCePPWl4nIpwmrYN9TNgaH1b+FT
Uf4An0AQoOByNvRWQU7NWlbMJfM3PUq0
=+cp3
-----END PGP SIGNATURE-----