lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20040304011753.C28EC25FBD@helix.pdev.ca.sco.com>
Date: Wed,  3 Mar 2004 17:17:53 -0800 (PST)
From: please_reply_to_security@....com
To: announce@...ts.caldera.com, bugtraq@...urityfocus.com,
   full-disclosure@...ts.netsys.com, security-alerts@...uxsecurity.com
Subject: OpenLinux: cups denial of service vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenLinux: cups denial of service vulnerability
Advisory number: 	CSSA-2004-012.0
Issue date: 		2004 March 03
Cross reference:	sr887386 fz528509 erg712497 CAN-2003-0788
______________________________________________________________________________


1. Problem Description

	Unknown vulnerability in the Internet Printing Protocol (IPP)
	implementation in CUPS before 1.1.19 allows remote attackers to
	cause a denial of service via certain inputs to the IPP port. 

	The Common Vulnerabilities and Exposures project (cve.mitre.org)
	has assigned the name CAN-2003-0788 to this issue.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------
	OpenLinux 3.1.1 Server		prior to cups-1.1.20-1.i386.rpm
					prior to cups-devel-1.1.20-1.i386.rpm
					prior to cups-libs-1.1.20-1.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to cups-1.1.20-1.i386.rpm
					prior to cups-devel-1.1.20-1.i386.rpm
					prior to cups-libs-1.1.20-1.i386.rpm


3. Solution

	The proper solution is to install the latest packages.  This patch 
	obsoletes two cups rpm packages namely cups-client and cups-ppd.  
	These packages need to be removed from the system. 

	To remove cups-client and cups-ppd from your system, as the root 
	user issue the following commands:

	#rpm -e cups-client
	#rpm -e cups-ppd

	Note: Warning messages about directories not removed is expected.
	
	After the two obsoleted packages are removed, you can install the 
	updated packages manually or use the Caldera System Updater, 
	called cupdate (or kcupdate under the KDE environment).


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-012.0/RPMS

	4.2 Packages

	dd11d44b98062be3cf02023e647b5ec8	cups-1.1.20-1.i386.rpm
	94adce8cea263d4d5fa9ed24f9c269d4	cups-devel-1.1.20-1.i386.rpm
	5b9a9ebee31a22c9eea412f0453316c2	cups-libs-1.1.20-1.i386.rpm

	4.3 Installation

	rpm -Fvh cups-1.1.20-1.i386.rpm
	rpm -Fvh cups-devel-1.1.20-1.i386.rpm
	rpm -Fvh cups-libs-1.1.20-1.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-012.0/SRPMS

	4.5 Source Packages

	93c8d369c251667a3c1cef458d855a9d	cups-1.1.20-1.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-012.0/RPMS

	5.2 Packages

	88e5b7473c89a7508d59e03aa7cdb8cf	cups-1.1.20-1.i386.rpm
	8884706cafa18004acf4f409acdd0b3a	cups-devel-1.1.20-1.i386.rpm
	a588bcafea49cb3c816a0cbf39684250	cups-libs-1.1.20-1.i386.rpm

	5.3 Installation

	rpm -Fvh cups-1.1.20-1.i386.rpm
	rpm -Fvh cups-devel-1.1.20-1.i386.rpm
	rpm -Fvh cups-libs-1.1.20-1.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-012.0/SRPMS

	5.5 Source Packages

	5ade3a153244bbbe26c802b4e8650520	cups-1.1.20-1.src.rpm


6. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0788


	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr887386 fz528509
	erg712497.


7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.


8. Acknowledgements

	SCO would like to thank Paul Mitcheson

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)

iD8DBQFARn12bluZssSXDTERAvL/AKDUAbqVdgNfVO5x7QzdSC0+1SLUbQCbB8Sc
Ynt32rtj2Ms2GplGjA8Sykk=
=zne0
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ