Bugtraq mailing list archives

OpenServer 5.0.x : Samba security update available for download.


From: security () sco com
Date: Fri, 15 Aug 2003 17:04:03 -0700


To: full-disclosure () lists netsys com bugtraq () securityfocus com announce () lists caldera com scoannmod () xenitec on ca

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



______________________________________________________________________________

                        SCO Security Advisory

Subject:                UnixWare 7.1.2 Open UNIX 8.0.0 UnixWare 7.1.1 UnixWare 7.1.2 : exploitable buffer overrun in metamail
Advisory number:        CSSA-2003-SCO.15
Issue date:             2003 August 15
Cross reference:
______________________________________________________________________________


1. Problem Description

        Metamail is a package that implements MIME. Using a
        configurable "mailcap" file, metamail determines how to
        treat blocks of electronic mail text based on the content
        as described by email headers. Some popular packages for
        handling electronic mail have hooks that allow metamail to
        be called automatically while a message is being processed.

        Many buffer overflow conditions exist in versions <= 2.7.
        The lack of boundary checks could lead to execution of
        arbitrary commands if the receiver processes the messages
        using the metamail package.

        The Common Vulnerabilities and Exposures (CVE) project has
        assigned the names CVE-1999-1263, CVE-1999-0365, and CVE-1999-0037
        to this issue. These are candidates for inclusion in the CVE list
        (http://cve.mitre.org), which standardizes names for security problems.

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1263
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0365
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0037

2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        Open UNIX 8.0.0                 /usr/bin/metamail       
        UnixWare 7.1.1                  /usr/bin/metamail       
        UnixWare 7.1.2                  /usr/bin/metamail       
        UnixWare 7.1.3                  /usr/bin/metamail       

3. Solution

        The proper solution is to install the latest packages.


4. UnixWare 7.1.3, Open UNIX 8.0.0, UnixWare 7.1.2, UnixWare 7.1.1

        4.1 Location of Fixed Binaries

        ftp://ftp.caldera.com/pub/updates/UnixWare/CSSA-2003-SCO.15


        4.2 Verification

        MD5 (erg712265.Z) = 0c528e7fb5efe8156e6b460cebe0bbb6

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        Download erg712265.Z to the /tmp directory

        # zcat erg712265.Z | pkgadd -d -


8. References

        Specific references for this advisory:
        sr875867, fz527543, erg712265, 
        CVE-1999-1263, CVE-1999-0365, CVE-1999-0037 

        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr875867, fz527543,
        erg712265.


9. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.


10. Acknowledgments

        The SCO group would like to thank Peter Maydell and the
        Debian Security team.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj89YRAACgkQaqoBO7ipriGcLwCePPWl4nIpwmrYN9TNgaH1b+FT
Uf4An0AQoOByNvRWQU7NWlbMJfM3PUq0
=+cp3
-----END PGP SIGNATURE-----
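
The verification and install steps from sections 4.2 and 4.3 of the advisory above, as an added example that is not part of the SCO advisory: POSIX shell functions that parse the published "MD5 (name) = hex" line and let the install run only when the downloaded file matches it. The function names are hypothetical, and an md5sum, openssl or md5 tool is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: gate the install step on the advisory's published MD5 line.
# Function names are hypothetical; they are not part of any SCO tool.

# Print the hex MD5 of a file using whichever common tool is installed.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl md5 "$1" | awk '{print $NF}'
    else
        md5 "$1" | awk '{print $NF}'    # BSD-style "MD5 (file) = hex" output
    fi
}

# Parse one 'MD5 (name) = hex' line; print "hex name", fail if malformed.
parse_md5_line() {
    printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*MD5 (\([^)]*\)) = \([0-9A-Fa-f]\{32\}\)[[:space:]]*$/\2 \1/p' |
        grep .
}

# Exit status: 0 = name and digest match, 1 = mismatch,
# 2 = malformed checksum line or unreadable file.
verify_md5_line() {
    line=$1
    path=$2
    parsed=$(parse_md5_line "$line") || return 2
    want=$(printf '%s' "${parsed%% *}" | tr 'A-F' 'a-f')
    name=${parsed#* }
    [ -r "$path" ] || return 2
    # Refuse a checksum line that was published for a different file.
    [ "$(basename "$path")" = "$name" ] || return 1
    got=$(file_md5 "$path" | tr 'A-F' 'a-f')
    [ "$got" = "$want" ]
}

# Usage with the values from sections 4.2 and 4.3:
#   cd /tmp && verify_md5_line \
#       'MD5 (erg712265.Z) = 0c528e7fb5efe8156e6b460cebe0bbb6' erg712265.Z \
#       && zcat erg712265.Z | pkgadd -d -
```

The checksum line is only as trustworthy as the message that carried it, so check the advisory's PGP signature before relying on the digest.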

