lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030826100743.A10489@caldera.com>
Date: Tue, 26 Aug 2003 10:07:43 -0700
From: security@....com
To: bugtraq@...urityfocus.com, announce@...ts.caldera.com,
   full-disclosure@...ts.netsys.com, security-alerts@...uxsecurity.com
Subject: OpenLinux: The docview package allows anonymous remote users to view any publicly readable files on a OpenLinux 3.1.1 system.



To: bugtraq@...urityfocus.com announce@...ts.caldera.com full-disclosure@...ts.netsys.com security-alerts@...uxsecurity.com


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__________________________________________________________
 
                        SCO Security Advisory 
 
Subject:                OpenLinux: The docview package allows anonymous remote users to view any publicly readable files on a OpenLinux 3.1.1 system. 
Advisory number:        CSSA-2003-021.0 
Issue date:             2003 Aug 25
Cross reference: 
__________________________________________________________
 
 
1. Problem Description 
 
Docview provides the OpenLinux System Administration Guide, 
available in browser HTML format.  
            
Due to a misconfiguration of the apache server, anonymous 
remote users are able to craft a URL in such a way as to 
view any publicly readable file.  
            
The Common Vulnerabilities and Exposures (CVE) project has 
assigned the name CAN-2003-0658 to this issue. This is a 
candidate for inclusion in the CVE list 
(http://cve.mitre.org), which standardizes names for 
security problems.  
 
 
2. Vulnerable Supported Versions 
 
System                          Package 
- ----------------------------------------------------------
OpenLinux 3.1.1                 docview < 1.1-18 
        
3. Solution 
 
The proper solution is to install the latest packages. 
Many customers find it easier to use the Caldera System 
Updater, called cupdate (or kcupdate under the KDE 
environment), to update these packages rather than 
downloading and installing them by hand. 
 
 
4. OpenLinux 3.1.1 Server 
 
        4.1 Package Location 
            
          ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-023.0/RPMS 
 
        4.2 Packages 
 
          3a13ac10c8dea683b04857f15c0ccf0d  docview-1.1-18.i386.rpm 
 
        4.3 Installation 
 
          rpm -Fvh docview-1.1-18.i386.rpm 
 
        4.4 Source Package Location 
 
          ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-023.0/SRPMS 
 
        4.5 Source Packages 
 
          3e46a0b62c1f792972adc56eaf9393b9  docview-1.1-18.src.rpm 
 
 
5. OpenLinux 3.1.1 Workstation 
 
        5.1 Package Location 
 
          ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-023.0/RPMS 
 
        5.2 Packages 
 
          3a13ac10c8dea683b04857f15c0ccf0d  docview-1.1-18.i386.rpm 
 
        5.3 Installation 
 
          rpm -Fvh docview-1.1-18.i386.rpm 
 
 
        5.4 Source Package Location 
 
          ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-023.0/SRPMS 
 
        5.5 Source Packages 
 
          3e46a0b62c1f792972adc56eaf9393b9  docview-1.1-18.src.rpm 
 
6. References 
 
        Specific references for this advisory: 
 
                
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0658 
                 
 
        SCO security resources: 
 
                
http://www.sco.com/support/security/index.html 

        This security fix closes SCO incidents: sr882676 
fz528140 erg712374. 
 
 
7. Disclaimer 
 
        SCO is not responsible for the misuse of any of 
the information we provide on this websiteon this website 
through our security advisories. Our advisories are 
ce to our customers intended to promote secure 
ation and use of SCO products. 
 
_________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj9KsOQACgkQbluZssSXDTFfKQCg49Zb5dWz2zR/jNIQ2I2b/HKE
roUAoP0bzvV4/YEPfdptTMZDAMcw49sY
=sbjm
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ