Security Update: [ CSSA-2003-SCO.12 ] OpenServer 5.0.6, OpenServer 5.0.7 : Security vulnerability in Merge prior to Release 5.3.23a

From: securityat_private
Date: Mon Jul 21 2003 - 18:32:05 PDT

    To: bugtraqat_private announceat_private
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
    ______________________________________________________________________________
    
    			SCO Security Advisory
    
    Subject:		UnixWare 7.1.x : Security vulnerability in Merge prior 
    					 to Release 5.3.23a
    Advisory number: 	CSSA-2003-SCO-11
    Issue date: 		2003 July 21
    Cross reference:	CAN-2003-0597
    ______________________________________________________________________________
    
    
    1. Problem Description
    
    	 Previous versions of Merge may include a security vulnerability
    	 in /usr/lib/merge/display that could be exploited to allow
    	 unauthorized root access to the UNIX system by an unprivileged
    	 user with a UNIX login. Release 5.3.23a includes an
    	 automatically installed fix for the problem.
    
    
    2. Vulnerable Supported Versions
    
    	System				Binaries
    	----------------------------------------------------------------------
    	UnixWare 7.1.2			distribution
    	UnixWare 7.1.3			distribution
    
    3. Solution
    
    	The proper solution is to install the latest packages.
    
    4. UnixWare 7.1.2, 7.1.3
    
    	4.1 Location of Fixed Binaries
    
    	http://www.sco.com/download.
    
            Select NeTraverse Merge 5.3.23 for UnixWare 7.1.2 and UnixWare 7.1.3
    
    	4.2 Verification
    
    	MD5 (uw7_merge5323a.pkg) = 6b28bb98d01d36a098a81413fd8e3f66
    
    	md5 is available for download from
    		ftp://ftp.sco.com/pub/security/tools
    
    	4.3 Installing Fixed Binaries
    
    	Upgrade the affected binaries with the following sequence:
    
    	Download uw7_merge5323a.pkg to the /var/spool/pkg directory
    
    	# pkgadd -d /var/spool/pkg/uw7_merge5323a.pkg
    
    7. References
    
    	Specific references for this advisory:
    
    		The Common Vulnerabilities and Exposures (CVE) project
    		has assigned the name CAN-2003-0597 to this issue.  This
    		is a candidate for inclusion in the CVE list
    		(http://cve.mitre.org), which standardizes names for
    		security problems.
    
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0597
    
    	SCO security resources:
    		http://www.sco.com/support/security/index.html
    
    	This security fix closes SCO incidents sr875154, fz527518,
    	erg712239.
    
    
    8. Disclaimer
    
    	SCO is not responsible for the misuse of any of the information
    	we provide on this web site and/or through our security
    	advisories. Our advisories are a service to our customers
    	intended to promote secure installation and use of SCO
    	products.
    
    
    9. Acknowledgments
    
    	The Merge development team created the fix for the
    	vulnerability.
    
    ______________________________________________________________________________
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (SCO_SV)
    Comment: For info see http://www.gnupg.org
    
    iEYEARECAAYFAj8cOPIACgkQaqoBO7ipriGD3QCeKfB8xVe6dHlZtNzgn0i7l0Ny
    kocAn0dGGSHV4umpP5VdH5sIslVD2WgY
    =Y+bn
    -----END PGP SIGNATURE-----
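Sections 4.2 and 4.3 of the advisory give a checksum and then an install command, but do not spell out the check itself. The script below is an added example, not SCO's own tooling: it computes the MD5 of the downloaded package, compares it with the digest published in 4.2, and only hands the file to `pkgadd` when the two match. The digest-tool fallback chain (`md5sum`, then `md5 -q` as on BSD-derived systems, then `openssl dgst -md5`) is an assumption about the host; the SCO-distributed `md5` tool may print in a different format, so adjust `compute_md5` to whatever your system provides.

```shell
#!/bin/sh
# Added example (not from the SCO advisory): verify uw7_merge5323a.pkg against
# the MD5 published in section 4.2 before installing it. A mismatch aborts
# instead of feeding an unverified package to pkgadd.

# Expected MD5 from section 4.2 of the advisory.
EXPECTED_MD5="6b28bb98d01d36a098a81413fd8e3f66"
# Download location named in section 4.3.
PKG="/var/spool/pkg/uw7_merge5323a.pkg"

# compute_md5 FILE: print the lowercase hex MD5 of FILE using whichever digest
# tool is present. The tool list is an assumption about the host, not something
# the advisory specifies.
compute_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED: return 0 only when the digest of FILE equals
# EXPECTED. The comparison is case-insensitive so a digest copied in uppercase
# from a mail client still verifies; any other difference is a mismatch.
verify_md5() {
    actual=$(compute_md5 "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$actual" = "$expected" ]
}

# install_if_verified FILE EXPECTED: run the advisory's pkgadd step only after
# verification succeeds; otherwise report the mismatch and return non-zero.
install_if_verified() {
    if verify_md5 "$1" "$2"; then
        echo "checksum OK: $1"
        pkgadd -d "$1"
    else
        echo "checksum MISMATCH for $1; refusing to install" >&2
        return 1
    fi
}

# Uncomment to run against the real download as root:
# install_if_verified "$PKG" "$EXPECTED_MD5"
```

The script keeps the two steps separate on purpose: `verify_md5` is a pure check that can be reused for any file and digest pair, and `install_if_verified` is the only place that touches the system, so a failed check never reaches `pkgadd`.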
    



    This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 09:56:54 PDT