lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200310032309.h93N99h08851@rafiki.ca.caldera.com>
Date: Fri, 3 Oct 2003 16:09:09 -0700
From: security@....com
To: announce@...ts.sco.com, bugtraq@...urityfocus.com,
   security-alerts@...uxsecurity.com, full-disclosure@...ts.netsys.com
Subject: OpenLinux: wu-ftpd fb_realpath() off-by-one bug



To: announce@...ts.sco.com bugtraq@...urityfocus.com security-alerts@...uxsecurity.com full-disclosure@...ts.netsys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenLinux: wu-ftpd fb_realpath() off-by-one bug
Advisory number: 	CSSA-2003-024.0
Issue date: 		2003 September 26
Cross reference: 	sr882340 fz528117 erg712364
______________________________________________________________________________


1. Problem Description

	Wu-ftpd FTP server contains remotely exploitable off-by-one bug. A
	local or remote attacker could exploit this vulnerability to gain
	root privileges on a vulnerable system. The Common Vulnerabilities
	and Exposures project (cve.mitre.org) has assigned the name
	CAN-2003-0466 to this issue.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server			prior to wu-ftpd-2.6.1-14.i386.rpm

	OpenLinux 3.1.1 Workstation		prior to wu-ftpd-2.6.1-14.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-024.0/RPMS

	4.2 Packages

	5dfb4811abe8ccf46d8c523b13ef34d1	wu-ftpd-2.6.1-14.i386.rpm

	4.3 Installation

	rpm -Fvh wu-ftpd-2.6.1-14.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-024.0/SRPMS

	4.5 Source Packages

	13d7a9857c9151477e20e49f25d48169	wu-ftpd-2.6.1-14.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-024.0/RPMS

	5.2 Packages

	05b6a116c8160033f16b7c52611c1f86	wu-ftpd-2.6.1-14.i386.rpm

	5.3 Installation

	rpm -Fvh wu-ftpd-2.6.1-14.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-024.0/SRPMS

	5.5 Source Packages

	b53bca2a2dcce72aa0f15c661961d2b6	wu-ftpd-2.6.1-14.src.rpm


6. References


	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr882340 fz528117
	erg712364.


7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj94iDAACgkQbluZssSXDTFPOgCfUrIFx1+jG+51w04qHaFxD4eT
KGgAni1FaEkMP36sPMlA6vkkPgLHsHwV
=zh3M
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ