lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20021204110620.Q334@caldera.com>
From: security at caldera.com (security@...dera.com)
Subject: Security Update: [CSSA-2002-054.0] Linux: exploitable memory leak in ypserv

To: bugtraq@...urityfocus.com announce@...ts.caldera.com security-alerts@...uxsecurity.com full-disclosure@...ts.netsys.com

______________________________________________________________________________

			SCO Security Advisory

Subject:		Linux: exploitable memory leak in ypserv
Advisory number: 	CSSA-2002-054.0
Issue date: 		2002 December 04
Cross reference:
______________________________________________________________________________


1. Problem Description

	Requesting a map that doesn't exist will cause a memory leak in
	the server.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to nis-client-2.0-23.i386.rpm
					prior to nis-server-2.0-23.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to nis-client-2.0-23.i386.rpm

	OpenLinux 3.1 Server		prior to nis-client-2.0-23.i386.rpm
					prior to nis-server-2.0-23.i386.rpm

	OpenLinux 3.1 Workstation	prior to nis-client-2.0-23.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-054.0/RPMS

	4.2 Packages

	f416f2e39a29d419832f3b18c04491a2	nis-client-2.0-23.i386.rpm
	b86300ae67587b447262d31f123bc12e	nis-server-2.0-23.i386.rpm

	4.3 Installation

	rpm -Fvh nis-client-2.0-23.i386.rpm
	rpm -Fvh nis-server-2.0-23.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-054.0/SRPMS

	4.5 Source Packages

	477ddd735eaedab628ddacd7c71576fe	nis-2.0-23.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-054.0/RPMS

	5.2 Packages

	09070643b7c116d8df429cdcd66ef798	nis-client-2.0-23.i386.rpm

	5.3 Installation

	rpm -Fvh nis-client-2.0-23.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-054.0/SRPMS

	5.5 Source Packages

	ec0fd36c02cde15d529b7dd8b2ec9592	nis-2.0-23.src.rpm


6. OpenLinux 3.1 Server

	6.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-054.0/RPMS

	6.2 Packages

	6d94363827067eae7b1401d9e560317a	nis-client-2.0-23.i386.rpm
	0873bfed5da6fff398d491477ced4fe1	nis-server-2.0-23.i386.rpm

	6.3 Installation

	rpm -Fvh nis-client-2.0-23.i386.rpm
	rpm -Fvh nis-server-2.0-23.i386.rpm

	6.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-054.0/SRPMS

	6.5 Source Packages

	73957cff9e49efc38d0a7b4e5bfb9c37	nis-2.0-23.src.rpm


7. OpenLinux 3.1 Workstation

	7.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-054.0/RPMS

	7.2 Packages

	de89d9852c09c79199dd4a82c4c27481	nis-client-2.0-23.i386.rpm

	7.3 Installation

	rpm -Fvh nis-client-2.0-23.i386.rpm

	7.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-054.0/SRPMS

	7.5 Source Packages

	5bc2cf815670d44e117394e1a98cf28a	nis-2.0-23.src.rpm


8. References

	Specific references for this advisory:

		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1232

	SCO security resources:

		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr870793, fz526450,
	erg712149.


9. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.


10. Acknowledgements

	Thorsten Kukuck discovered and researched this vulnerability.

______________________________________________________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 237 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20021204/8275ea77/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ