Message-ID: <20030826100743.A10489@caldera.com>
Date: Tue, 26 Aug 2003 10:07:43 -0700
From: security@....com
To: bugtraq@...urityfocus.com, announce@...ts.caldera.com,
full-disclosure@...ts.netsys.com, security-alerts@...uxsecurity.com
Subject: OpenLinux: The docview package allows anonymous remote users to view any publicly readable files on a OpenLinux 3.1.1 system.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
__________________________________________________________
SCO Security Advisory
Subject: OpenLinux: The docview package allows anonymous remote users to view any publicly readable files on a OpenLinux 3.1.1 system.
Advisory number: CSSA-2003-021.0
Issue date: 2003 Aug 25
Cross reference:
__________________________________________________________
1. Problem Description
Docview provides the OpenLinux System Administration Guide,
available in browser HTML format.
Due to a misconfiguration of the Apache server, anonymous
remote users are able to craft a URL in such a way as to
view any publicly readable file.
The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2003-0658 to this issue. This is a
candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for
security problems.
2. Vulnerable Supported Versions
System              Package
- ----------------------------------------------------------
OpenLinux 3.1.1     docview < 1.1-18
3. Solution
The proper solution is to install the latest packages.
Many customers find it easier to use the Caldera System
Updater, called cupdate (or kcupdate under the KDE
environment), to update these packages rather than
downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-023.0/RPMS
4.2 Packages
3a13ac10c8dea683b04857f15c0ccf0d docview-1.1-18.i386.rpm
4.3 Installation
rpm -Fvh docview-1.1-18.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-023.0/SRPMS
4.5 Source Packages
3e46a0b62c1f792972adc56eaf9393b9 docview-1.1-18.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-023.0/RPMS
5.2 Packages
3a13ac10c8dea683b04857f15c0ccf0d docview-1.1-18.i386.rpm
5.3 Installation
rpm -Fvh docview-1.1-18.i386.rpm
5.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-023.0/SRPMS
5.5 Source Packages
3e46a0b62c1f792972adc56eaf9393b9 docview-1.1-18.src.rpm
6. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0658
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents: sr882676
fz528140 erg712374.
7. Disclaimer
SCO is not responsible for the misuse of any of
the information we provide on this website and/or
through our security advisories. Our advisories are
a service to our customers intended to promote secure
installation and use of SCO products.
_________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj9KsOQACgkQbluZssSXDTFfKQCg49Zb5dWz2zR/jNIQ2I2b/HKE
roUAoP0bzvV4/YEPfdptTMZDAMcw49sY
=sbjm
-----END PGP SIGNATURE-----
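Added example (not part of the SCO advisory): a host check for sections 2 to 5 that tests whether the installed docview predates 1.1-18 and whether a downloaded package matches the MD5 listed above. The function names are hypothetical, and sort -V (GNU coreutils) is assumed as a stand-in for RPM's own version comparison.

```shell
#!/bin/sh
# Added example: audit a host against CSSA-2003-021.0.
# The two values below are copied from the advisory text.
FIXED_VR="1.1-18"                              # first fixed version-release
FIXED_MD5="3a13ac10c8dea683b04857f15c0ccf0d"   # docview-1.1-18.i386.rpm

# Exit 0 when version-release $1 is older than the fixed one.
# Assumption: sort -V approximates RPM ordering, which is adequate for
# purely numeric version-release strings such as docview's.
is_vulnerable() {
    [ "$1" != "$FIXED_VR" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$FIXED_VR" | sort -V | head -n 1)" = "$1" ]
}

# Exit 0 when the MD5 of file $1 equals $2, 1 on mismatch, 2 if unreadable.
# MD5 is the only digest the advisory publishes; it catches a corrupted
# download but is not a substitute for a package signature check.
md5_matches() {
    [ -r "$1" ] || return 2
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Report on the local host: 0 = fixed or not installed, 1 = update needed.
audit_docview() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found"; return 3
    fi
    if ! installed=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}' docview 2>/dev/null); then
        echo "docview not installed: not affected"; return 0
    fi
    if is_vulnerable "$installed"; then
        echo "docview $installed is older than $FIXED_VR: update required"
        return 1
    fi
    echo "docview $installed is at or above $FIXED_VR"
}

# Usage: sh check.sh --audit [path/to/docview-1.1-18.i386.rpm]
if [ "${1:-}" = "--audit" ]; then
    audit_docview
    if [ -n "${2:-}" ]; then
        md5_matches "$2" "$FIXED_MD5" && echo "MD5 ok" || echo "MD5 MISMATCH"
    fi
fi
```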