[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] SCOSA-2005.51 OpenServer 5.0.7 OpenServer 6.0.0 : CUPS Denial of Service Vulnerability
- To: security-announce@xxxxxxxxxxxx
- Subject: [Full-disclosure] SCOSA-2005.51 OpenServer 5.0.7 OpenServer 6.0.0 : CUPS Denial of Service Vulnerability
- From: security@xxxxxxx
- Date: Thu, 24 Nov 2005 10:54:55 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: OpenServer 5.0.7 OpenServer 6.0.0 : CUPS Denial of
Service Vulnerability
Advisory number: SCOSA-2005.51
Issue date: 2005 November 24
Cross reference: fz533150
sr891399 fz530152 erg712687
CVE-2004-0558 CVE-2005-2874
______________________________________________________________________________
1. Problem Description
A remote user can cause the CUPS service to hang and consume all
available CPU resources.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-2874 to this issue.
The OpenServer 5.0.7 CUPS is additionally vulnerable to the
following:
CUPS versions prior to 1.1.21 are vulnerable to a denial of
service attack. By sending a specially-crafted UDP packet to the
IPP port, a remote attacker could cause a denial of service.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2004-0558 to this issue.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
OpenServer 5.0.7 cups distribution
OpenServer 6.0.0 cups distribution
3. Solution
The proper solution is to install the latest packages.
4. OpenServer 5.0.7
4.1 Location of Fixed Binaries
The fixes are only available in SCO OpenServer Release 5.0.7
Maintenance Pack 4 or later.
ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4_vol.tar
4.2 Verification
MD5 (osr507mp4_vol.tar) = 4c87d840ff5b43221258547d19030228
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
See the SCO OpenServer Release 5.0.7 Maintenance Pack 4 Release
and Installation Notes:
ftp://ftp.sco.com/pub/openserver5/507/mp/osr507mp4/osr507mp4.htm
5. OpenServer 6.0.0
5.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.51
5.2 Verification
MD5 (VOL.000.000) = 99663199247aa130ffe9c3bfa4a349db
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download the VOL* files to a directory.
2) Run the custom command, specify an install
from media images, and specify the directory as
the location of the images.
6. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0558
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2874
http://securitytracker.com/id?1012811
http://www.cups.org/relnotes.php#010123
http://www.cups.org/str.php?L1042+P0+S-1+C0+I0+E0+Q1042
http://xforce.iss.net/xforce/xfdb/17389
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents fz533150 sr891399
fz530152 erg712687.
7. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (UnixWare)
iD8DBQFDhd1EaqoBO7ipriERAh+1AKCPg9uJkyo/8L09qDdwlV4EJPpmXgCgl1PK
OmLABYVUvLvCHZmG0sA5dpo=
=oM3B
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/