Message-ID: <20031107105625.A19864@caldera.com>
From: security at sco.com (security@....com)
Subject: OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Perl cross-site scripting vulnerability.

To: announce@...ts.caldera.com bugtraq@...urityfocus.com full-disclosure@...ts.netsys.com



______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5 : Perl cross-site scripting vulnerability. 
Advisory number: 	CSSA-2003-SCO.30
Issue date: 		2003 November 06
Cross reference:	sr883606 fz528215 erg712409
______________________________________________________________________________


1. Problem Description

	Perl is a high-level interpreted programming language well
	known for its flexibility and ability to work with text
	streams. 

	Obscure^ (obscure@...onsecurity.org) reported a cross-site
	scripting vulnerability in the CGI.pm Perl module. This
	module is used to facilitate the creation of web forms and
	is part of the perl-modules RPM package.


2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	OpenServer 5.0.7 		Perl distribution
	OpenServer 5.0.6		Perl distribution
	OpenServer 5.0.5 		Perl distribution


3. Solution

	The proper solution is to install the latest packages.


4. OpenServer 5.0.7 
	
	4.1 First install Maintenance Pack 1
	
	ftp://ftp.sco.com/pub/openserver5/507/osr507mp/

	4.2 Next install gwxlibs

	ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29

	4.3 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.30

	4.4 Verification

	MD5 (VOL.000.000) = af4167c4c52e3af6dcc94289807b008e
	MD5 (VOL.000.001) = 2129b31fbde991c7ecdba826de8fc4b1
	MD5 (VOL.000.002) = a6ee80a4f937f985dbe4eb247e98d350
	MD5 (VOL.000.003) = b84437579b43fa8cc57ff8936490543d

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	4.5 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to the /tmp directory

	2) Run the custom command, specify an install from media
	images, and specify the /tmp directory as the location of
	the images.


5. OpenServer 5.0.6 / OpenServer 5.0.5

	5.1 First install OSS646B - Execution Environment Supplement
	
	ftp://ftp.sco.com/pub/openserver5/oss646b

	5.2 Next install gwxlibs

	ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.29

	5.3 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.30

	5.4 Verification

	MD5 (VOL.000.000) = af4167c4c52e3af6dcc94289807b008e
	MD5 (VOL.000.001) = 2129b31fbde991c7ecdba826de8fc4b1
	MD5 (VOL.000.002) = a6ee80a4f937f985dbe4eb247e98d350
	MD5 (VOL.000.003) = b84437579b43fa8cc57ff8936490543d

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	5.5 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to the /tmp directory

	2) Run the custom command, specify an install from media
	images, and specify the /tmp directory as the location of
	the images.
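	The Verification and Installing Fixed Binaries steps above (for both
	the 5.0.7 and the 5.0.6/5.0.5 packages) expect the downloaded VOL*
	files to be checked against the listed digests before "custom" is run.
	The following is an added example, not SCO's md5 tool or part of this
	advisory: it parses the advisory's BSD-style "MD5 (file) = hash" lines
	(a format GNU md5sum -c does not accept), computes each file's digest
	in the download directory (assumed to be /tmp), and reports ok,
	mismatch or missing per volume so that a bad or incomplete download
	is caught before installation.

```python
import hashlib
import re
from pathlib import Path

# Digests exactly as printed in the advisory's Verification sections.
ADVISORY_MD5 = """\
MD5 (VOL.000.000) = af4167c4c52e3af6dcc94289807b008e
MD5 (VOL.000.001) = 2129b31fbde991c7ecdba826de8fc4b1
MD5 (VOL.000.002) = a6ee80a4f937f985dbe4eb247e98d350
MD5 (VOL.000.003) = b84437579b43fa8cc57ff8936490543d
"""

# BSD md5 output line: MD5 (<name>) = <32 hex digits>
_LINE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})$")


def parse_manifest(text):
    """Return {filename: digest} from BSD-style 'MD5 (file) = hash' lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised manifest line: {line!r}")
        expected[m.group("name")] = m.group("digest").lower()
    return expected


def md5_of_file(path, chunk=1 << 20):
    """Stream the file through MD5 so large VOL images need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_volumes(directory, manifest_text=ADVISORY_MD5):
    """Check every file the manifest names; map name -> 'ok'|'mismatch'|'missing'."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        elif md5_of_file(path) != digest:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results


def all_ok(results):
    """True only when every listed volume is present and matches; run custom only then."""
    return bool(results) and all(v == "ok" for v in results.values())


if __name__ == "__main__":
    checked = verify_volumes("/tmp")  # assumed download directory from step 1
    for name, status in sorted(checked.items()):
        print(f"{name}: {status}")
    raise SystemExit(0 if all_ok(checked) else 1)
```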



6. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615 
		http://marc.theaimsgroup.com/?l=bugtraq&m=105880349328877&w=2 
		http://eyeonsecurity.org/advisories/CGI.pm/adv.html

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr883606 fz528215 
	erg712409.


7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.

8. Acknowledgments

	SCO would like to thank Obscure^ for reporting this issue.
______________________________________________________________________________


