Date: Thu, 24 Oct 2002 17:42:26 -0700
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com,
Subject: Security Update: [CSSA-2002-038.0] Linux: inn format string and insecure open vulnerabilities
--RnlQjJ0d97Da+TV1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com full-disclosure@lists.netsys.com
______________________________________________________________________________
SCO Security Advisory
Subject: Linux: inn format string and insecure open vulnerabilities
Advisory number: CSSA-2002-038.0
Issue date: 2002 October 24
Cross reference:
______________________________________________________________________________
1. Problem Description
There are several format string coding bugs as well as unsecure
open() calls in the inn program.
2. Vulnerable Supported Versions
System Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server prior to inn-2.2.3-13.i386.rpm
OpenLinux 3.1 Server prior to inn-2.2.3-13.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-038.0/RPMS
4.2 Packages
f707c8840d70ffb02e6377a4f1adb539 inn-2.2.3-13.i386.rpm
4.3 Installation
rpm -Fvh inn-2.2.3-13.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-038.0/SRPMS
4.5 Source Packages
698bb36510be3d8b9b7215b873c51d81 inn-2.2.3-13.src.rpm
5. OpenLinux 3.1 Server
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-038.0/RPMS
5.2 Packages
f1fe7fe3f9c85e6d240b69ec4b193649 inn-2.2.3-13.i386.rpm
5.3 Installation
rpm -Fvh inn-2.2.3-13.i386.rpm
5.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-038.0/SRPMS
5.5 Source Packages
acbd7f418b5bf1d70ec0d14aadd69d30 inn-2.2.3-13.src.rpm
6. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0525http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0526
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr863008, fz520651,
erg712019.
7. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.
8. Acknowledgements
Paul Starzetz <paul@starzetz.de> discovered and researched this
vulnerability.
______________________________________________________________________________
--RnlQjJ0d97Da+TV1
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj24k3IACgkQbluZssSXDTG8UwCePv8inwSKEOEHAI17dbBLycv+
K9sAn2lw8tnXhOCd613I6AjWotabRT8y
=35Kq
-----END PGP SIGNATURE-----
--RnlQjJ0d97Da+TV1--
