|
To: bugtraq@securityfocus.com announce@lists.caldera.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: UnixWare 7.1.x : Security vulnerability in Merge prior to Release 5.3.23a Advisory number: CSSA-2003-SCO-11 Issue date: 2003 July 21 Cross reference: CAN-2003-0597 ______________________________________________________________________________ 1. Problem Description Previous versions of Merge may include a security vulnerability in /usr/lib/merge/display that could be exploited to allow unauthorized root access to the UNIX system by an unprivileged user with a UNIX login. Release 5.3.23a includes an automatically installed fix for the problem. 2. Vulnerable Supported Versions System Binaries ---------------------------------------------------------------------- UnixWare 7.1.2 distribution UnixWare 7.1.3 distribution 3. Solution The proper solution is to install the latest packages. 4. UnixWare 7.1.3, 7.1.3 4.1 Location of Fixed Binaries http://www.sco.com/download. Select NeTraverse Merge 5.3.23 for UnixWare 7.1.2 and UnixWare 7.1.3 4.2 Verification MD5 (uw7_merge5323a.pkg) = 6b28bb98d01d36a098a81413fd8e3f66 md5 is available for download from ftp://ftp.sco.com/pub/security/tools 4.3 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: Download uw7_merge5323a.pkg to the /var/spool/pkg directory # pkgadd -d /var/spool/pkg/uw7_merge5323a.pkg 7. References Specific references for this advisory: Specific references for this advisory: The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0597 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardized names for security problems. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0597 SCO security resources: http://www.sco.com/support/security/index.html This security fix closes SCO incidents sr875154, fz527518, erg712239. 8. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this web site and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 9. Acknowledgments The Merge development team created the fix for the vulnerability. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (SCO_SV) Comment: For info see http://www.gnupg.org iEYEARECAAYFAj8cOPIACgkQaqoBO7ipriGD3QCeKfB8xVe6dHlZtNzgn0i7l0Ny kocAn0dGGSHV4umpP5VdH5sIslVD2WgY =Y+bn -----END PGP SIGNATURE-----