Date: Wed, 4 Dec 2002 11:06:20 -0800
From: [email protected]
To: [email protected], [email protected],
Subject: Security Update: [CSSA-2002-054.0] Linux: exploitable memory leak in ypserv
--HlL+5n6rz5pIUxbD
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
To: [email protected][email protected][email protected][email protected]
______________________________________________________________________________
SCO Security Advisory
Subject: Linux: exploitable memory leak in ypserv
Advisory number: CSSA-2002-054.0
Issue date: 2002 December 04
Cross reference:
______________________________________________________________________________
1. Problem Description
Requesting a map that doesn't exist will cause a memory leak in
the server.
2. Vulnerable Supported Versions
System Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server prior to nis-client-2.0-23.i386.rpm
prior to nis-server-2.0-23.i386.rpm
OpenLinux 3.1.1 Workstation prior to nis-client-2.0-23.i386.rpm
OpenLinux 3.1 Server prior to nis-client-2.0-23.i386.rpm
prior to nis-server-2.0-23.i386.rpm
OpenLinux 3.1 Workstation prior to nis-client-2.0-23.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-054.0/RPMS
4.2 Packages
f416f2e39a29d419832f3b18c04491a2 nis-client-2.0-23.i386.rpm
b86300ae67587b447262d31f123bc12e nis-server-2.0-23.i386.rpm
4.3 Installation
rpm -Fvh nis-client-2.0-23.i386.rpm
rpm -Fvh nis-server-2.0-23.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-054.0/SRPMS
4.5 Source Packages
477ddd735eaedab628ddacd7c71576fe nis-2.0-23.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-054.0/RPMS
5.2 Packages
09070643b7c116d8df429cdcd66ef798 nis-client-2.0-23.i386.rpm
5.3 Installation
rpm -Fvh nis-client-2.0-23.i386.rpm
5.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-054.0/SRPMS
5.5 Source Packages
ec0fd36c02cde15d529b7dd8b2ec9592 nis-2.0-23.src.rpm
6. OpenLinux 3.1 Server
6.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-054.0/RPMS
6.2 Packages
6d94363827067eae7b1401d9e560317a nis-client-2.0-23.i386.rpm
0873bfed5da6fff398d491477ced4fe1 nis-server-2.0-23.i386.rpm
6.3 Installation
rpm -Fvh nis-client-2.0-23.i386.rpm
rpm -Fvh nis-server-2.0-23.i386.rpm
6.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-054.0/SRPMS
6.5 Source Packages
73957cff9e49efc38d0a7b4e5bfb9c37 nis-2.0-23.src.rpm
7. OpenLinux 3.1 Workstation
7.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-054.0/RPMS
7.2 Packages
de89d9852c09c79199dd4a82c4c27481 nis-client-2.0-23.i386.rpm
7.3 Installation
rpm -Fvh nis-client-2.0-23.i386.rpm
7.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-054.0/SRPMS
7.5 Source Packages
5bc2cf815670d44e117394e1a98cf28a nis-2.0-23.src.rpm
8. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1232
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr870793, fz526450,
erg712149.
9. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.
10. Acknowledgements
Thorsten Kukuck discovered and researched this vulnerability.
______________________________________________________________________________
--HlL+5n6rz5pIUxbD
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj3uUiwACgkQbluZssSXDTF/xACfRYrJAJsUP0JDqB/xlpiuPQqT
k6EAnRWEo6FLklxdpRfylsGt7QEGzLFy
=COmk
-----END PGP SIGNATURE-----
--HlL+5n6rz5pIUxbD--
