Full Disclosure mailing list archives

Security Update: [CSSA-2003-SCO.2] UnixWare 7.1.1 : multiple vulnerabilities in BIND (CERT CA-2002-31)


From: security () caldera com
Date: Wed, 15 Jan 2003 11:43:26 -0800


To: bugtraq () securityfocus com, announce () lists caldera com, scoannmod () xenitec on ca, full-disclosure () lists netsys com

______________________________________________________________________________

                        SCO Security Advisory

Subject:                UnixWare 7.1.1 : multiple vulnerabilities in BIND (CERT CA-2002-31)
Advisory number:        CSSA-2003-SCO.2
Issue date:             2003 January 15
Cross reference:
______________________________________________________________________________


1. Problem Description

         From CERT CA-2002-31:

         Multiple vulnerabilities have been found in BIND (Berkeley
         Internet Name Domain).

         One of these vulnerabilities may allow remote attackers to
         execute arbitrary code with the privileges of the user
         running named, typically root.

         Other vulnerabilities may allow remote attackers to disrupt
         the normal operation of your name server, possibly causing a
         crash.

         A vulnerability in the DNS resolver library may allow remote
         attackers to execute arbitrary code with the privileges of
         applications that issue network name or address requests.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        UnixWare 7.1.1                  /usr/lib/nslookup.help
                                        /usr/sbin/addr
                                        /usr/sbin/dig
                                        /usr/sbin/dnskeygen
                                        /usr/sbin/dnsquery
                                        /usr/sbin/host
                                        /usr/sbin/in.named
                                        /usr/sbin/irpd
                                        /usr/sbin/mkservdb
                                        /usr/sbin/named-bootconf
                                        /usr/sbin/named-xfer
                                        /usr/sbin/ndc
                                        /usr/sbin/nslookup
                                        /usr/sbin/nsupdate


3. Solution

        The proper solution is to install the latest packages.


4. UnixWare 7.1.1

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.2


        4.2 Verification

        MD5 (erg712161.pkg.Z) = 834f2766a46d684c40d7637f6b2be2f4

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        Download erg712161.pkg.Z to the /var/spool/pkg directory

        # uncompress /var/spool/pkg/erg712161.pkg.Z
        # pkgadd -d /var/spool/pkg/erg712161.pkg


5. References

        Specific references for this advisory:

                 http://www.cert.org/advisories/CA-2002-31.html
                 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1219
                 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1220
                 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1221

        SCO security resources:

                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr871600, fz526634,
        erg712161.


6. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.

______________________________________________________________________________
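
The verification and install steps in sections 4.2 and 4.3 combined into one script, as an added example that is not part of SCO's advisory: it refuses to run pkgadd unless the package's MD5 matches the advisory line. The function names are hypothetical, and it assumes md5sum, md5 or openssl is on PATH.

```sh
#!/bin/sh
# Added example: check a package against the advisory's "MD5 (file) = digest"
# line before installing. Function names are hypothetical.

ADVISORY_MD5='MD5 (erg712161.pkg.Z) = 834f2766a46d684c40d7637f6b2be2f4'

# Print the lowercase hex MD5 of a file.
# Assumption: md5sum, md5 or openssl is on PATH.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 "$1" | awk '{print $NF}'
    else
        openssl md5 "$1" | awk '{print $NF}'
    fi | tr 'A-F' 'a-f'
}

# Split "MD5 (name) = hex" into "name hex"; prints nothing if malformed.
parse_md5_line() {
    printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*MD5 (\(.*\)) = \([0-9A-Fa-f]\{32\}\)[[:space:]]*$/\1 \2/p'
}

# Returns 0 on match, 1 on digest mismatch, 2 on bad input.
verify_pkg() {
    line=$1; file=$2
    parsed=$(parse_md5_line "$line")
    [ -n "$parsed" ] || { echo "malformed checksum line" >&2; return 2; }
    name=${parsed% *}
    want=$(printf '%s' "${parsed##* }" | tr 'A-F' 'a-f')
    [ "$(basename "$file")" = "$name" ] || { echo "file name mismatch" >&2; return 2; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    got=$(file_md5 "$file")
    [ "$got" = "$want" ] || { echo "MD5 mismatch: got $got, want $want" >&2; return 1; }
}

# Verify first, then run the two commands from section 4.3.
install_fix() {
    pkg=$1
    verify_pkg "$ADVISORY_MD5" "$pkg" || return 1
    uncompress "$pkg" && pkgadd -d "${pkg%.Z}"
}

# Run as: sh thisscript /var/spool/pkg/erg712161.pkg.Z
[ "$#" -eq 0 ] || install_fix "$1"
```

The check is only as trustworthy as the copy of the advisory the digest was taken from, and MD5 no longer resists deliberate collisions, so it mainly catches a corrupted or truncated download.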
