Date: Wed, 7 Nov 2001 15:44:19 -0800
From: security-alert@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com,
Subject: Security Update: [CSSA-2001-SCO.31] OpenServer: Sendmail debug input validation buffer overflow
--4Ckj6UjgE2iN1+kY
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.=
on.ca
___________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: OpenServer: Sendmail debug input validation buffer overflow
Advisory number: CSSA-2001-SCO.31
Issue date: 2001 November 7
Cross reference:
___________________________________________________________________________
1. Problem Description
=09
An input validation error exists in Sendmail's debugging
functionality. This could be used by an unauthorized user to
gain privilege.
2. Vulnerable Versions
Operating System Version Affected Files
------------------------------------------------------------------
OpenServer 5.0.4-5.0.6a /usr/lib/sendmail
3. Workaround
None.
4. OpenServer
4.1 Location of Fixed Binaries
ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.31/
4.2 Verification
md5 checksums:
=09
d6fbe6e6ab98a0170c2d5029b4ade1bf sendmail.Z
md5 is available for download from
ftp://stage.caldera.com/pub/security/tools/
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following commands:
# mv /usr/lib/sendmail /usr/lib/sendmail.orig
# chmod 0 /usr/lib/sendmail.orig
# uncompress /tmp/sendmail.Z
# cp /tmp/sendmail /usr/lib
# chown root:bin /usr/lib/sendmail
# chmod 4711 /usr/lib/sendmail
5. References
http://www.securityfocus.com/archive/1/217901http://www.securityfocus.com/advisories/3583
This and other advisories are located at
http://stage.caldera.com/support/security
This advisory addresses Caldera Security internal incidents
sr851246, SCO-559-1306, and erg711828.
6. Disclaimer
Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on our website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera International products.
7. Acknowledgements
This vulnerability was discovered and researched by Cade
Cairns <cairnsc@securityfocus.com>.
=20
___________________________________________________________________________
--4Ckj6UjgE2iN1+kY
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjvpx1MACgkQaqoBO7ipriHm+QCeMM7P/1S4XxfC72uGvxKNBKyq
eMoAn1UBnjADonEAus9G+xCcFM1ycO+k
=cY5U
-----END PGP SIGNATURE-----
--4Ckj6UjgE2iN1+kY--
