Bugtraq mailing list archives

Fixes for security now available from Verity


From: rcalhoun () VERITY COM (Ron Calhoun)
Date: Fri, 17 Jul 1998 16:30:14 -0700


To Whom It May Concern:

This is in response to the recent posting on the BUGTRAQ list server
concerning security issues with Verity's SEARCH'97 Information Server.

Verity, Inc. takes security issues very seriously and we have moved quickly
to make a patch release available that addresses these concerns.  Verity
recommends that all current users of Verity Information Server v3.1
download and install the patch.

Both issues have been addressed and the fixes are available immediately
through Verity's Technical Support group.  While there are ways to
configure your web server to protect against both issues, the solution
being made available by Verity is implemented in the applications.  This is
the preferred method to address the problem.

Patch information and downloads for Information Server 3.1 are available at:

https://customers.verity.com/products/server/310/patches/

The problems:

The DCM application, which listens to a particular port, did not require
authentication.  The daemon now restricts connections to localhost (IP
address 127.0.0.1).  The port number of the application can also be
changed. If you are running the DCM daemon behind a firewall, you should
assign a port that is below the firewall restricted ports threshold.

The result template variable was allowing users to substitute any file on
the system using a relative path.  This could provide access to any file on
the system that the user account running the HTTP server had permission to
read.

The result template issue has been addressed by blocking the use of
templates from anything other than result template directories registered
in the Information Server.  In addition, it is advised that you do not run
the HTTP server on a system using an account with high privileges.

For further details, please contact Verity Technical Support at (403)
294-1107 or mailto:tech-support () verity com.


Sincerely,

Ron Calhoun
Director, Server Applications
Verity, Inc.
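As an added illustration of the result-template problem described in the post (example code written for this archive page, not Verity's own code): the first function shows the unsafe pattern behind the bug, where a user-supplied relative template name is joined straight onto the template directory; the second restricts resolution to registered result-template directories, the shape of fix the post describes. The directory path and function names are constructed assumptions.

```python
import os

# Constructed stand-in for the result-template directories an administrator
# registers in the Information Server (hypothetical path, not from the post).
REGISTERED_TEMPLATE_DIRS = ["/opt/is31/templates/results"]


def unsafe_template_path(name, base=REGISTERED_TEMPLATE_DIRS[0]):
    """The pattern behind the reported bug: the user-controlled template
    variable is joined onto the template directory with no validation, so a
    relative name containing '..' walks out of the directory and can name any
    file readable by the account running the HTTP server."""
    return os.path.normpath(os.path.join(base, name))


def resolve_template(name, registered_dirs=REGISTERED_TEMPLATE_DIRS):
    """Return the absolute path of template `name` only if it resolves to a
    location strictly inside one of the registered directories; else None.

    Absolute names, '..' escapes and symlink escapes are all rejected because
    the check is made on the fully resolved path, not on the raw string."""
    if not name or os.path.isabs(name):
        return None
    for base in registered_dirs:
        base_real = os.path.realpath(base)
        candidate = os.path.realpath(os.path.join(base_real, name))
        # Must be *under* the registered directory: not equal to it, and not
        # merely sharing a prefix (e.g. /opt/is31/templates/results-old).
        if candidate.startswith(base_real + os.sep):
            return candidate
    return None


if __name__ == "__main__":
    for requested in ("standard.htm", "../../../../etc/passwd", "/etc/passwd"):
        print(requested, "->", unsafe_template_path(requested),
              "| hardened:", resolve_template(requested))
```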
