Subject: UnixWare 7.1.x : Security vulnerability in Merge prior
to Release 5.3.23a
Advisory number: CSSA-2003-SCO-11
Issue date: 2003 July 21
Cross reference: CAN-2003-0597
________________________________________________________________________
______
1. Problem Description
Previous versions of Merge may include a security vulnerability
in /usr/lib/merge/display that could be exploited to allow
unauthorized root access to the UNIX system by an unprivileged
user with a UNIX login. Release 5.3.23a includes an
automatically installed fix for the problem.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
UnixWare 7.1.2 distribution
UnixWare 7.1.3 distribution
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.3, 7.1.3
4.1 Location of Fixed Binaries
http://www.sco.com/download.
Select NeTraverse Merge 5.3.23 for UnixWare 7.1.2 and UnixWare 7.1.3
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download uw7_merge5323a.pkg to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/uw7_merge5323a.pkg
7. References
Specific references for this advisory:
Specific references for this advisory:
The Common Vulnerabilities and Exposures (CVE) project
has assigned the name CAN-2003-0597 to this issue. This
is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardized names for
security problems.
This security fix closes SCO incidents sr875154, fz527518,
erg712239.
8. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this web site and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
9. Acknowledgments
The Merge development team created the fix for the
vulnerability.
To: bugtraq (at) securityfocus (dot) com [email concealed] announce (at) lists.caldera (dot) com [email concealed]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
______
SCO Security Advisory
Subject: UnixWare 7.1.x : Security vulnerability in Merge prior
to Release 5.3.23a
Advisory number: CSSA-2003-SCO-11
Issue date: 2003 July 21
Cross reference: CAN-2003-0597
________________________________________________________________________
______
1. Problem Description
Previous versions of Merge may include a security vulnerability
in /usr/lib/merge/display that could be exploited to allow
unauthorized root access to the UNIX system by an unprivileged
user with a UNIX login. Release 5.3.23a includes an
automatically installed fix for the problem.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
UnixWare 7.1.2 distribution
UnixWare 7.1.3 distribution
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.3, 7.1.3
4.1 Location of Fixed Binaries
http://www.sco.com/download.
Select NeTraverse Merge 5.3.23 for UnixWare 7.1.2 and UnixWare 7.1.3
4.2 Verification
MD5 (uw7_merge5323a.pkg) = 6b28bb98d01d36a098a81413fd8e3f66
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
Download uw7_merge5323a.pkg to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/uw7_merge5323a.pkg
7. References
Specific references for this advisory:
Specific references for this advisory:
The Common Vulnerabilities and Exposures (CVE) project
has assigned the name CAN-2003-0597 to this issue. This
is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardized names for
security problems.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0597
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr875154, fz527518,
erg712239.
8. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this web site and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
9. Acknowledgments
The Merge development team created the fix for the
vulnerability.
________________________________________________________________________
______
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj8cOPIACgkQaqoBO7ipriGD3QCeKfB8xVe6dHlZtNzgn0i7l0Ny
kocAn0dGGSHV4umpP5VdH5sIslVD2WgY
=Y+bn
-----END PGP SIGNATURE-----
[ reply ]