linux, säkerhet

88712 2003-01-22  22:34  /128 rader/  <security@caldera.com>
Importerad: 2003-01-22  22:34  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Extern mottagare: announce@lists.caldera.com
Extern mottagare: security-alerts@linuxsecurity.com
Extern mottagare: full-disclosure@lists.netsys.com
Externa svar till: please_reply_to_security@caldera.com
Mottagare: Bugtraq (import) <3155>
Ärende: Security Update: [CSSA-2003-005.0] Linux: canna buffer overflow and denial of service
------------------------------------------------------------
To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com full-disclosure@lists.netsys.com


______________________________________________________________________________

			SCO Security Advisory

Subject:		Linux: canna buffer overflow and denial of service
Advisory number: 	CSSA-2003-005.0
Issue date: 		2003 January 21
Cross reference:
______________________________________________________________________________


1. Problem Description

	Buffer overflow in canna allows local users to execute
	arbitrary code as the bin user.

	canna does not properly validate requests, which allows remote
	attackers to cause a denial of service or information leak.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to canna-3.5b2-8.i386.rpm
					prior to canna-devel-3.5b2-8.i386.rpm
					prior to canna-devel-static-3.5b2-8.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to canna-3.5b2-8.i386.rpm
					prior to canna-devel-3.5b2-8.i386.rpm
					prior to canna-devel-static-3.5b2-8.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater,
	called cupdate (or kcupdate under the KDE environment), to
	update these packages rather than downloading and installing
	them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-005.0/RPMS

	4.2 Packages

	91acd89bd9041e06c0a22e4d73b5bb1f
	canna-3.5b2-8.i386.rpm
	890df673f86a9e3ef23d1770e75cc5e8
	canna-devel-3.5b2-8.i386.rpm
	513aedd7b706851975e4cee968a2c66a
	canna-devel-static-3.5b2-8.i386.rpm

	4.3 Installation

	rpm -Fvh canna-3.5b2-8.i386.rpm
	rpm -Fvh canna-devel-3.5b2-8.i386.rpm
	rpm -Fvh canna-devel-static-3.5b2-8.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-005.0/SRPMS

	4.5 Source Packages

	3e92b7252f01b1cb0e074cbe1bcd9227	canna-3.5b2-8.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-005.0/RPMS

	5.2 Packages

	198b5ab5f66121a177db0090a727552d
	canna-3.5b2-8.i386.rpm
	17f7e5c1090eae3842b0e96e24d24852
	canna-devel-3.5b2-8.i386.rpm
	00c131c99ffc54975e1a7c1b2b95441f
	canna-devel-static-3.5b2-8.i386.rpm

	5.3 Installation

	rpm -Fvh canna-3.5b2-8.i386.rpm
	rpm -Fvh canna-devel-3.5b2-8.i386.rpm
	rpm -Fvh canna-devel-static-3.5b2-8.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-005.0/SRPMS

	5.5 Source Packages

	e824ab48c8e0e363d36ed1ad6b105b0c	canna-3.5b2-8.src.rpm


6. References

	Specific references for this advisory:

		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1158
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1159

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr873579, fz527128,
	erg712199.


7. Disclaimer

	SCO is not responsible for the misuse of any of the
	information we provide on this website and/or through our
	security advisories. Our advisories are a service to our
	customers intended to promote secure installation and use of
	SCO products.


8. Acknowledgements

	Shinra Aida of the Canna project and "hsj" of Shadow Penguin
	Security discovered and researched these vulnerabilities.

______________________________________________________________________________
(88712) / <security@caldera.com>/---------(Ombruten)
Bilaga (application/pgp-signature) i text 88713
88713 2003-01-22  22:34  /9 rader/  <security@caldera.com>
Importerad: 2003-01-22  22:34  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Extern mottagare: announce@lists.caldera.com
Extern mottagare: security-alerts@linuxsecurity.com
Extern mottagare: full-disclosure@lists.netsys.com
Externa svar till: please_reply_to_security@caldera.com
Mottagare: Bugtraq (import) <3156>
Bilaga (text/plain) till text 88712
Ärende: Bilaga till: Security Update: [CSSA-2003-005.0] Linux: canna buffer overflow and denial of service
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj4txQ4ACgkQbluZssSXDTGS3gCg55hxC3heZakZPWxjS9fgIgxe
/lAAn3jiCdBAKNkrPUNDXchC68OIUxRB
=WPZs
-----END PGP SIGNATURE-----
(88713) / <security@caldera.com>/-------------------