Bugtraq mailing list archives

Re: Info on some security holes reported against SCO Unixware.


From: aarons () SCO COM (Aaron Sigel)
Date: Fri, 21 Jan 2000 18:44:36 +0000


Brock,

As far as I know UnixWare does not install any skunkware components during
your standard system installation.  The only way you would have gotten
these components onto your system would be by installing the skunkware cd
separately.

Would you mind double checking your system for skunkware?

Also, when bug reporting, please make sure you have all of the latest
fixes on your machine, which are available from www.sco.com/security.
Note that we did implement a sticky directory patch some time ago that
would have stopped the pis, mkpid bugs from working, along with others
that involve trivial symlinks in sticky directories.

Cheers,

Aaron

On 21 Jan 2000, Brock Tellier wrote:

Aaron Sigel <aarons () SCO COM> wrote:
Greetings,

Recent Bugtraq posts have exposed security holes with a couple
packages distributed with SCO's Skunkware CD.  These packages
are:
        majordomo (wrapper, resend)
        orion (pis, mkpis)

These issues are security holes in the distributed versions of these
packages, and are not SCO security holes.

No, I was doing a UnixWare audit, which, as far as I know, does not include
the Skunkware CD.  Even if it does, I'm sure I didn't install it on top of the
normal UW CD install.  If these applications are from the Skunkware distro and
were merely included on the UW installation CD's, the user is never notified
that they are installing "unsupported", possibly insecure software.  From an
end-user perspective, it doesn't make any difference that these programs are
insecure but not written by SCO.

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier () usa net




--
Aaron Sigel, Secure Technologies Group, SCO - aarons () sco com
