Message-ID: <20040511002453.8BE9B391DF@helix.pdev.ca.sco.com>
Date: Mon, 10 May 2004 17:24:53 -0700 (PDT)
From: please_reply_to_security@....com
To: security-announce@...t.sco.com, bugtraq@...urityfocus.com,
   full-disclosure@...ts.netsys.com
Subject: UPDATED OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : X sessions which are not started by scologin cannot use the X authorization protocol



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : X sessions which are not started by scologin cannot use the X authorization protocol
Advisory number: 	SCOSA-2004.5
Issue date: 		2004 April 07
Cross reference: 	sr862325 fz520452 erg712002 CAN-2004-0390
______________________________________________________________________________


1. Problem Description

	As noted in the Xsecurity(X) man page, OpenServer 5 provides
	multiple X display access control mechanisms. 

	The least secure is the Host Access method, where any 
	client on a host in the host access control list (which 
	is managed by the xhost command) is allowed access to 
	the X server. 

	More secure access methods are provided using the X 
	authorization protocol (Xauthority). Currently, OpenServer 5 
	supports the X authorization protocol only for X sessions 
	which are started by scologin. 

	This supplement provides support for the X authorization 
	protocol for X sessions which are not started by scologin 
	(e.g., sessions which are started via startx).

	In order to prevent unauthorized access to your system, do not 
	use the xhost command to grant access to your X server.  Instead, 
	it is recommended that you use the access provided by the 
	.Xauthority file.  

	With this supplement applied, scologin, startx, and xinit can all
	be used to start the X server using the MIT-MAGIC-COOKIE-1 access
	control system as described in the Xsecurity(X) man page.
	If the X server is started directly (by running X or Xsco),
	Xauthority-style access control will not be enabled.

	The Common Vulnerabilities and Exposures project (cve.mitre.org)
	has assigned the name CAN-2004-0390 to this issue.

2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	OpenServer 5.0.5		X display system 	
	OpenServer 5.0.6 		X display system
	OpenServer 5.0.7		X display system

3. Solution

	The proper solution is to install the supplement described in
	section 4, set up a .Xauthority file (section 4.4), and stop
	granting access with xhost.


4. OpenServer 5.0.5, OpenServer 5.0.6, OpenServer 5.0.7

	4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.5

	4.2 Verification

	MD5 (VOL.000.000) = 628f0f07d63bc12978fff3dc93d44a40

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to a directory

	2) Run the custom command, choose to install from media
	images, and specify the directory as the location of
	the images.

	4.4 Set up a .Xauthority file (see the xauth(X) man page).

	4.5 Quit & restart the X server.
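	A worked illustration of what steps 4.4 and 4.5 turn on, added here
	as an example and not part of SCO's advisory or code: the on-disk
	.Xauthority format that xauth(X) reads and writes, the X11
	connection-setup request in which a client presents its
	MIT-MAGIC-COOKIE-1, and a model of the server-side decision in which
	a matching cookie authorizes the client and the xhost list is only
	the fallback. The hostname "helix", display ":0" and the cookie
	bytes are constructed sample data.

```python
"""Added example (not SCO code): MIT-MAGIC-COOKIE-1 access control end to end.

write_xauthority()/read_xauthority() implement the .Xauthority file format
that xauth(X) reads and writes: per entry a big-endian 16-bit family, then
four length-prefixed fields (address, display number, auth name, auth data).
client_setup_request() builds the X11 connection-setup request that carries
the cookie; server_check() models the server decision: a matching cookie
authorizes the client, otherwise the xhost list is consulted as a fallback,
so an xhost entry admits clients that present no cookie at all.
Hostname, display number and cookie bytes below are constructed sample data.
"""
import hmac
import os
import struct

FAMILY_INTERNET = 0      # 'address' is a 4-byte IPv4 address
FAMILY_LOCAL = 256       # 'address' is the local hostname (Unix-domain socket)
FAMILY_WILD = 65535      # entry matches any family and address
COOKIE_NAME = b"MIT-MAGIC-COOKIE-1"


def new_cookie():
    """A fresh 128-bit cookie, the value 'xauth add' stores as 32 hex digits."""
    return os.urandom(16)


def _field(data):
    return struct.pack(">H", len(data)) + data


def write_xauthority(entries):
    """Serialize [(family, address, number, name, data), ...] to .Xauthority bytes."""
    out = b""
    for family, address, number, name, data in entries:
        out += struct.pack(">H", family)
        out += _field(address) + _field(number) + _field(name) + _field(data)
    return out


def read_xauthority(blob):
    """Parse .Xauthority bytes back into 5-tuples; a truncated file is an error."""
    entries, pos = [], 0

    def take(n):
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated .Xauthority")
        val = blob[pos:pos + n]
        pos += n
        return val

    def field():
        (n,) = struct.unpack(">H", take(2))
        return take(n)

    while pos < len(blob):
        (family,) = struct.unpack(">H", take(2))
        entries.append((family, field(), field(), field(), field()))
    return entries


def lookup_cookie(entries, family, address, number, name=COOKIE_NAME):
    """Select the cookie a client presents for display family/address:number."""
    for fam, addr, num, nm, data in entries:
        if nm == name and num == number and (
                fam == FAMILY_WILD or (fam == family and addr == address)):
            return data
    return None


def _pad(n):
    return (4 - n % 4) % 4


def client_setup_request(auth_name, auth_data, msb_first=False):
    """X11 connection-setup request: byte order, version 11.0, auth name/data."""
    order, fmt = (b"B", ">") if msb_first else (b"l", "<")
    hdr = order + b"\x00" + struct.pack(fmt + "HHHHH", 11, 0,
                                         len(auth_name), len(auth_data), 0)
    return (hdr + auth_name + b"\x00" * _pad(len(auth_name))
            + auth_data + b"\x00" * _pad(len(auth_data)))


def parse_setup_request(pkt):
    fmt = ">" if pkt[0:1] == b"B" else "<"
    _major, _minor, n, d, _ = struct.unpack_from(fmt + "HHHHH", pkt, 2)
    name = pkt[12:12 + n]
    off = 12 + n + _pad(n)
    return name, pkt[off:off + d]


def server_check(server_entries, pkt, client_host, xhost_list):
    """Model of the X server's decision: cookie first, host access list second."""
    name, data = parse_setup_request(pkt)
    for _fam, _addr, _num, nm, cookie in server_entries:
        if nm == name and hmac.compare_digest(cookie, data):  # constant-time compare
            return "authorized: cookie"
    if client_host in xhost_list:                             # the xhost fallback
        return "authorized: xhost"
    return "rejected"


def demo():
    """Three clients against one server: good cookie, wrong cookie, no cookie + xhost."""
    cookie = new_cookie()
    blob = write_xauthority([(FAMILY_LOCAL, b"helix", b"0", COOKIE_NAME, cookie)])
    entries = read_xauthority(blob)       # what both the server and ~/.Xauthority hold
    good = client_setup_request(COOKIE_NAME,
                                lookup_cookie(entries, FAMILY_LOCAL, b"helix", b"0"))
    wrong = client_setup_request(COOKIE_NAME, os.urandom(16))
    none = client_setup_request(b"", b"")  # a client with no .Xauthority at all
    return (server_check(entries, good, "helix", []),
            server_check(entries, wrong, "helix", []),
            server_check(entries, none, "helix", ["helix"]))  # xhost +helix defeats it


if __name__ == "__main__":
    print(demo())
```

	The third case in demo() is the point of the advisory's warning:
	once a host is on the xhost list, any client on it is admitted
	without a cookie, so the .Xauthority setup buys nothing for that
	host. Two caveats a practitioner should keep in mind: the cookie
	is sent in the clear in the setup request, so MIT-MAGIC-COOKIE-1
	protects the display from unauthorized clients but not from anyone
	who can read the network connection (the Xsecurity(X) man page says
	the same), and the file must be readable only by its owner, since
	whoever can read it can connect.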

5. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0390

	SCO security resources:
		http://www.sco.com/support/security/index.html

	SCO security advisories via email
		http://www.sco.com/support/forums/security.html

	This security fix closes SCO incidents sr862325 fz520452
	erg712002.


6. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


7. Acknowledgments

	SCO would like to thank Kevin R Finisterre

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)

iD8DBQFAoB0HaqoBO7ipriERAg7xAKCI5A+YHtpM5PLm+VYlKu7R14+U2wCffk/8
Iuf+dACi59/YfKVor4G1Zu0=
=65Jx
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

