Security Update: [CSSA-2002-SCO.25] OpenServer 5.0.5 OpenServer 5.0.6 : snmpd denial-of-service vulnerabilities.

[security () caldera com]

To: bugtraq () securityfocus com announce () lists caldera com scoannmod () xenitec on ca

______________________________________________________________________________

                Caldera International, Inc.  Security Advisory

Subject:                OpenServer 5.0.5 OpenServer 5.0.6 : snmpd denial-of-service vulnerabilities.
Advisory number:        CSSA-2002-SCO.25
Issue date:             2002 June 10
Cross reference:
______________________________________________________________________________


1. Problem Description

        The University of Oulu (Finland) wrote approximately 53000
        tests for snmpd error conditions. For OpenServer, many of
        the tests caused the snmp daemon to grow in size. This could
        lead to denial-of-service attacks.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.5                /usr/lib/libsnmp.so.1.Z
        OpenServer 5.0.6                /usr/lib/libsnmp.so.1.Z


3. Solution

        The proper solution is to install the latest packages.


4. OpenServer 5.0.5

        4.1 Location of Fixed Binaries

        ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.25


        4.2 Verification

        MD5 (VOL.000.000) = 5cd988029bb6da765d2e4040759dbd33

        md5 is available for download from
                ftp://ftp.caldera.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following commands:

        1) Download the VOL* file to the /tmp directory

        Run the custom command, specify an install from media images,
        and specify the /tmp directory as the location of the images.


5. OpenServer 5.0.6

        5.1 Location of Fixed Binaries

        ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.25


        5.2 Verification

        MD5 (VOL.000.000) = 5cd988029bb6da765d2e4040759dbd33

        md5 is available for download from
                ftp://ftp.caldera.com/pub/security/tools


        5.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following commands:

        1) Download the VOL* file to the /tmp directory

        Run the custom command, specify an install from media images,
        and specify the /tmp directory as the location of the images.


6. References

        Specific references for this advisory:
                http://www.cert.org/advisories/CA-2002-03.html

        Caldera security resources:
                http://www.caldera.com/support/security/index.html

        This security fix closes Caldera incidents sr858202,SCO-559-1345
        and erg711930.


7. Disclaimer

        Caldera International, Inc. is not responsible for the
        misuse of any of the information we provide on this website
        and/or through our security advisories. Our advisories are
        a service to our customers intended to promote secure
        installation and use of Caldera products.


8. Acknowledgements

        This vulnerability was discovered and researched by the
        University of Oulu (oulu.fi).

______________________________________________________________________________

Attachment: _bin
Description: