[Full-disclosure] SCOSA-2006.25 OpenServer 6.0.0: Sendmail Arbitrary Code Execution Vulnerability
- To: security-announce@xxxxxxxxxxxx
- Subject: [Full-disclosure] SCOSA-2006.25 OpenServer 6.0.0: Sendmail Arbitrary Code Execution Vulnerability
- From: SCO Security Advisories <security@xxxxxxx>
- Date: Wed, 31 May 2006 15:18:14 -0700
--
Dr. Ronald Joe Record
SCO Security Officer
rr@xxxxxxx
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject:          OpenServer 6.0.0: Sendmail Arbitrary Code Execution Vulnerability
Advisory number:  SCOSA-2006.25
Issue date:       2006 May 30
Cross reference:  fz533700
                  CVE-2006-0058
______________________________________________________________________________
1. Problem Description
Sendmail could allow a remote attacker to execute arbitrary code as
root, caused by a signal race vulnerability.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2006-0058 to
this issue.
2. Vulnerable Supported Versions
System                  Binaries
----------------------------------------------------------------------
OpenServer 6.0.0        sendmail
                        mailstats
                        praliases
                        rmail
                        smrsh
                        makemap
3. Solution
The proper solution is to install the latest packages.
4. OpenServer 6.0.0
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.25
4.2 Verification
MD5 (p533700.600_vol.tar) = 398f2d470a02adf4c9e6b1dd546bde50
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following sequence:
1) Download p533700.600_vol.tar to a directory.
2) Extract VOL* files.
# tar xvf p533700.600_vol.tar
3) Run the custom command, specify an install
from media images, and specify the directory as
the location of the images.
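The checks in 4.2 and step 2 of 4.3 can be scripted so that extraction only happens after the digest matches. The following is an added example, not part of the SCO advisory or SCO tooling: the function names are hypothetical, and the rule that the archive holds only top-level VOL* members is an assumption drawn from step 2.

```shell
#!/bin/sh
# Added example (not SCO code): gate extraction of the patch tarball on the
# advisory's "MD5 (name) = hex" line. Function names are hypothetical.

# Print the MD5 of a file with whichever tool is installed.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl md5 "$1" | awk '{print $NF}'
    fi
}

# check_advisory_md5 'MD5 (name) = hex' [dir]
# 0 = digest matches, 1 = mismatch, 2 = bad line or missing file.
check_advisory_md5() {
    line=$1
    dir=${2:-.}
    name=$(printf '%s\n' "$line" | sed -n 's/^MD5 (\(.*\)) = [0-9a-fA-F]\{32\}$/\1/p')
    want=$(printf '%s\n' "$line" | sed -n 's/^MD5 (.*) = \([0-9a-fA-F]\{32\}\)$/\1/p')
    [ -n "$name" ] && [ -n "$want" ] || { echo "unparseable checksum line" >&2; return 2; }
    # The advisory names a bare file; refuse anything carrying a path.
    case $name in */*) echo "unexpected path in file name" >&2; return 2 ;; esac
    [ -f "$dir/$name" ] || { echo "missing $dir/$name" >&2; return 2; }
    got=$(md5_of "$dir/$name")
    want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
    [ "$got" = "$want" ] || { echo "MD5 mismatch for $name" >&2; return 1; }
}

# only_vol_members tarfile
# 0 = every member is a top-level VOL* file (assumption based on step 2),
# 1 = some other member is present, 2 = archive unreadable or empty.
only_vol_members() {
    list=$(tar tf "$1" 2>/dev/null) || return 2
    [ -n "$list" ] || return 2
    printf '%s\n' "$list" | sed 's|^\./||' | grep -qv '^VOL[^/]*$' && return 1
    return 0
}

# Intended use, in the download directory:
#   check_advisory_md5 'MD5 (p533700.600_vol.tar) = 398f2d470a02adf4c9e6b1dd546bde50' . &&
#   only_vol_members p533700.600_vol.tar && tar xvf p533700.600_vol.tar
```

The digest is only as trustworthy as the copy of the advisory it was read from, so check the advisory's PGP signature before relying on the MD5 line.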
5. References
Specific references for this advisory:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
http://www.securityfocus.com/archive/1/428536/100/0/threaded
http://www.sendmail.org/
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents fz533700.
6. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.
7. Acknowledgments
Marc Bejarano is credited with the discovery of this vulnerability.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (SCO_SV)
iD8DBQFEfHaLaqoBO7ipriERAjgHAJwJWdpCI0Pb4wFUYiYj/8+OVCIttwCfdJNe
SSrTod2AJfbXui2OOsmp/L8=
=Bdad
-----END PGP SIGNATURE-----