| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20031107105625.A19864@caldera.com> Date: Fri, 7 Nov 2003 10:56:25 -0800 From: security@....com To: announce@...ts.caldera.com, bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com Subject: OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Perl cross-site scripting vulnerability. To: announce@...ts.caldera.com bugtraq@...urityfocus.com full-disclosure@...ts.netsys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SCO Security Advisory Subject: OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Perl cross-site scripting vulnerability. Advisory number: CSSA-2003-SCO.30 Issue date: 2003 November 06 Cross reference: sr883606 fz528215 erg712409 ______________________________________________________________________________ 1. Problem Description Perl is a high-level interpreted programming language well known for its flexibility and ability to work with text streams. Obscure^ (obscure@...onsecurity.org) reported a cross site scripting vulnerability in the CGI.pm perl module. This module is used to facilitate the creation of web forms and is part of the perl-modules RPM package. 2. Vulnerable Supported Versions System Binaries ---------------------------------------------------------------------- OpenServer 5.0.7 Perl distribution OpenServer 5.0.6 Perl distribution OpenServer 5.0.5 Perl distribution 3. Solution The proper solution is to install the latest packages. 4. OpenServer 5.0.7 4.1 First install Maintenance Pack 1 ftp://ftp.sco.com/pub/openserver5/507/osr507mp/ 4.2 Next install gxwlibs ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29 4.2 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.30 4.3 Verification MD5 (VOL.000.000) = af4167c4c52e3af6dcc94289807b008e MD5 (VOL.000.001) = 2129b31fbde991c7ecdba826de8fc4b1 MD5 (VOL.000.002) = a6ee80a4f937f985dbe4eb247e98d350 MD5 (VOL.000.003) = b84437579b43fa8cc57ff8936490543d md5 is available for download from ftp://ftp.sco.com/pub/security/tools 4.4 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: 1) Download the VOL* files to the /tmp directory 2) Run the custom command, specify an install from media images, and specify the /tmp directory as the location of the images. 5. OpenServer 5.0.6 / OpenServer 5.0.5 5.1 First install OSS646B - Execution Environment Supplement ftp://ftp.sco.com/pub/openserver5/oss646b 5.2 Next install gwxlibs ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29 5.3 Location of Fixed Binaries ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.30 5.4 Verification MD5 (VOL.000.000) = af4167c4c52e3af6dcc94289807b008e MD5 (VOL.000.001) = 2129b31fbde991c7ecdba826de8fc4b1 MD5 (VOL.000.002) = a6ee80a4f937f985dbe4eb247e98d350 MD5 (VOL.000.003) = b84437579b43fa8cc57ff8936490543d md5 is available for download from ftp://ftp.sco.com/pub/security/tools 5.5 Installing Fixed Binaries Upgrade the affected binaries with the following sequence: 1) Download the VOL* files to the /tmp directory 2) Run the custom command, specify an install from media images, and specify the /tmp directory as the location of the images. 6. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615 http://marc.theaimsgroup.com/?l=bugtraq&m=105880349328877&w=2 http://eyeonsecurity.org/advisories/CGI.pm/adv.html SCO security resources: http://www.sco.com/support/security/index.html This security fix closes SCO incidents sr883606 fz528215 erg712409. 7. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 8. Acknowledgments SCO would like to thank Obscure^ for reporting this issue. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (SCO/UNIX_SVR5) iD8DBQE/qve+aqoBO7ipriERAqUtAJ9MBKogbCSdqJ8UrBA6YDmu2dXosQCgiaI9 LzUtvWmI6sIIeitugMgsyRg= =2/ex -----END PGP SIGNATURE-----
Powered by blists - more mailing lists