Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Security Update: [CSSA-2001-SCO.13] OpenServer: BIND buffer overflows

From: sco-security () caldera com
Date: Mon, 27 Aug 2001 14:19:37 -0700

To: security-announce () lists securityportal com bugtraq () securityfocus com announce () lists caldera com

___________________________________________________________________________

            Caldera International, Inc. Security Advisory

Subject:                OpenServer: BIND buffer overflows
Advisory number:        CSSA-2001-SCO.13
Issue date:             2001 August 20
Cross reference:
___________________________________________________________________________



1. Problem Description
        
        The BIND subsystem contains several buffer overflows, detailed
        in CERT advisory CA-2001-02. This advisory announces the
        availability of a preliminary version of BIND 8.2.5. Since
        there is no packaged installation of this preliminary
        offering, it should only be installed by experienced system
        administrators. A formal installable fix containing this
        version of BIND is forthcoming.


2. Vulnerable Versions

        Operating System        Version         Affected Files
        ------------------------------------------------------------------
        OpenServer              <= 5.0.6a       ./etc/addr
                                                ./etc/nsupdate
                                                ./etc/dig
                                                ./etc/dnsquery
                                                ./etc/host
                                                ./etc/named
                                                ./etc/named-xfer
                                                ./etc/ndc
                                                ./usr/lib/libresolv.so.1
                                                ./usr/lib/libsocket.so.2
                                                ./usr/lib/libresolv.a
                                                ./usr/lib/libsocket.a
                                                ./usr/lib/libp/libresolv.so.1
                                                ./usr/lib/libp/libsocket.a
                                                ./usr/lib/libp/libsocket.so.2
                                                ./usr/lib/libp/libresolv.a
                                                ./usr/bin/nslookup
                                                ./usr/include/resolv.h


3. Workaround

        None.


4. OpenServer

  4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/security/openserver/sr379322/


  4.2 Verification

        md5 checksums:

        84e3a058fb2af36235e99831fb44d200        newbind.tar.Z


        md5 is available for download from

                ftp://ftp.sco.com/pub/security/tools/


  4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following commands:

        # uncompress /tmp/newbind.tar.Z
        # mkdir /tmp/newbind
        # cd /tmp/newbind
        # tar xvf /tmp/newbind.tar

        Replace each of the associated binaries with the one from this
        directory (after saving them somewhere else).


5. References

        http://www.cert.org/advisories/CA-2001-02.html


6. Disclaimer

        Caldera International, Inc. is not responsible for the misuse
        of any of the information we provide on our website and/or
        through our security advisories. Our advisories are a service
        to our customers intended to promote secure installation and
        use of Caldera International products.
         
___________________________________________________________________________
Previous By Date Next
Previous By Thread Next

Current thread: