The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


REVISION: Security Update: [CSSA-2001-SCO.24.1] OpenServer: shell here-documents allow various security breaches


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Tue, 4 Dec 2001 12:37:51 -0800
From: [email protected]
To: [email protected], [email protected],
Subject: REVISION: Security Update: [CSSA-2001-SCO.24.1] OpenServer: shell here-documents allow various security breaches

--n8g4imXOkfNTN/H1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

To: [email protected] [email protected] scoannmod@xenitec.=
on.ca

___________________________________________________________________________

	    Caldera International, Inc. Security Advisory

Subject:		REVISION: OpenServer: shell here-documents allow various security=
 breaches
Advisory number: 	CSSA-2001-SCO.24.1
Issue date: 		2001 December 4
Cross reference:	CSSA-2001-SCO.24
___________________________________________________________________________


1. Problem Description
=09
	*************************************************************
	The original binaries supplied to fix this vulnerability were
	flawed, exhibiting a variety of unusual behaviors. If you have
	already applied CSSA-2001-SCO.24, Caldera recommends that you
	immediately apply this new version, CSSA-2001-SCO.24.1.
	*************************************************************=09

	Shell here-document processing is vulnerable to a variety of
	security attacks.


2. Vulnerable Versions

	Operating System	Version		Affected Files
	------------------------------------------------------------------
	OpenServer		<=3D 5.0.6a	/bin/sh
						/sbin/sh
						/bin/csh
						/bin/ksh
						/usr/bin/euc/ksh
						/usr/lib/scosh/utilbin/oash

3. Workaround

	None.


4. OpenServer

  4.1 Location of Fixed Binaries

	ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.24.1/


  4.2 Verification

	md5 checksums:
=09
	05a3f8b4a00f806f919d0dd723d2b2db	shells.tar.Z


	md5 is available for download from

		ftp://stage.caldera.com/pub/security/tools/


  4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	# uncompress /tmp/shells.tar.Z
	# for i in /bin/csh /bin/ksh /bin/sh /sbin/sh /usr/bin/euc/ksh /usr/lib/sc=
osh/utilbin/oash
	> do
	> mv $i ${i}-
	> done
	# cd /
	# tar xvf /tmp/shells.tar

5. References

	http://www.kb.cert.org/vuls/id/10277

	This and other advisories are located at
		http://stage.caldera.com/support/security

	This advisory addresses Caldera Security internal incidents
	sr847825, erg711733.

6. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on our website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera International products.


7. Acknowledgements

	The original discoverer of this vulnerability was Gordon Irlam
	of the Univeristy of Adelaide, Australia.

	=20
___________________________________________________________________________

--n8g4imXOkfNTN/H1
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjwNNB8ACgkQaqoBO7ipriEA7QCfbyIE22dIDY1wTL1N8QIVwPNG
jC8An3SfByzOlCgOBiNXTMAR9QAQb+TU
=zgNe
-----END PGP SIGNATURE-----

--n8g4imXOkfNTN/H1--

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру