The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Security Update: [CSSA-2001-021.0] Volution 1.0 security update


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Fri, 8 Jun 2001 12:22:59 -0600
From: Caldera Support Information <[email protected]>
To: [email protected], [email protected],
Subject: Security Update: [CSSA-2001-021.0] Volution 1.0 security update


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

___________________________________________________________________________=
___
		   Caldera International, Inc.  Security Advisory

Subject:		Volution 1.0 security update
Advisory number: 	CSSA-2001-021.0
Issue date: 		2001 June, 08
Cross reference:
___________________________________________________________________________=
___


1. Problem Description

   The Volution client and server components have been enhanced from
   the currently shipping (English and International) components to
   provide a higher level of security.

   If you are using the Volution client that comes with OpenLinux 3.1,=20
   you do not need to apply the client RPM listed here.=20
   However, you will need to apply the server RPM.

   Volution Client

   One of the security enhancements made affects the way the Volution
   client interacts with the Volution Computer Creation Daemon.

   The new Volution client by default, WILL NOT use the Computer
   Creation Daemon. To use the Computer Creation Daemon, edit the
   /etc/opt/csm/csm.conf file and add a <useCCD/> entry.

   Here is an example where the <useCCD/> entry has been added:

   <?xml version=3D'1.0' encoding=3D'UTF-8'?>
   <authentication>
          <useCCD/>
          <gateway>
                  <primaryGateway/>
                  <url>INSERT_YOUR_URL_HERE</url>
                  <authname>INSERT_YOUR_OBJECT_NAME_HERE</authname>
                 <password>INSERT_PASSWORD_HERE</password>
                 <objectname>INSERT_YOUR_OBJECT_NAME_HERE</objectname>
                 <cat name =3D "catSWRepository">
                         <location>INSERT_SWR_LOCATION_HERE</location>
                 </cat>
         </gateway>
   <authentication>

   A Volution client with this csm.conf file change contacts the Volution
   Computer Creation daemon and a new csm.conf file with the proper authnam=
e,=20
   password, etc., is created.

   The risk of having a <useCCD/> entry in the csm.conf file is that the=20
   machine could be vulnerable to control by a rogue Volution server.=20
   If a Volution client has <useCCD/> in the csm.conf file and it is unable=
=20
   to authenticate to the LDAP directory server, it will attempt to contact=
=20
   a Computer Creation Daemon which it finds using SLP.=20
   If a rogue Volution system has been brought up inside your network,=20
   the Volution client could communicate with the rogue Volution system.
   If this happens, the rogue Volution system now has control of the client.

   Volution Server

   Security enhancements have also been made to the Volution server. =20
   We recommend that you upgrade the Volution server components to=20
   csm-server-1.0.8-47. The file /etc/opt/csm/csmccd.conf on the Volution=
=20
   server is used as a template for new client csm.conf files that are crea=
ted=20
   as a result from a Volution client / Volution Computer Creation Daemon=
=20
   communication.  If you want Volution clients to continue to use the=20
   Computer Creation Daemon, a <useCCD/> entry must be placed in the=20
   csmccd.conf file.

   Here is an example where the <useCCD/> entry has been added to the=20
   csmccd.conf file:

   <?xml version=3D'1.0' encoding=3D'UTF-8'?>
   <csmwsc>
          <authentication>
          <useCCD/>
               <gateway>
                          <primaryGateway/>
                          <url>LDAP://ldap.calderalabs.com:389</url>
                          <authname>INSERT_YOUR_OBJECT_NAME_HERE</authname>
                          <password>INSERT_YOUR_PASSWORD_HERE</password>
                          <objectname>INSERT_YOUR_OBJECT_NAME_HERE</objectn=
ame>
                          <cat name=3D"catRPMRepository">
                                  <location>ou=3Drpms,o=3Dcaldera</location>
                          </cat>
                          <cat name=3D"catHWInventory"/>
                          <cat name=3D"catSWInventory"/>
               </gateway>
          </authentication>
          <workstationcreation>
               <creationLocation>LOCATION_WORKSTATIONS_WILL_BE_CREATED</cre=
ationLocation>
               <searchLocation>SEARCH_FOR_WORKSTATIONS_HERE_ON_UPDATES</sea=
rchLocation>
               <searchLocation>AND_ALSO_SEARCH_HERE</searchLocation>
               <searchLocation>AND_HERE (You can have as many as you need)<=
/searchLocation>
        </workstationcreation>
  </csmwsc>


2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   Volution 1.0			All packages previous to
   				csm-1.0.8-47
				csm-server-1.0.8.47

3. Solution

   Workaround

      none

   The proper solution is to upgrade to the latest packages.

4. Volution 1.0

   4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/Volution/1.0/current/RPMS/
  =20
   4.2 Verification

       eb708eb65a667a7108726a1fecc0b56f  RPMS/csm-1.0.8-47.i386.rpm
       c0cbc125afd8aae3ecec143432359750  RPMS/csm-server-1.0.8-47.i386.rpm

   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fhv csm*.i386.rpm

5. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix addresses Caldera's internal Problem Report 9547.

6. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of any of
   the information we provide on this web site and /or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure intallation and use of Caldera Volution.

7. Licence Agreement

   Downloading this software upgrade does not grant you a license for the
   software. If you have and existing license for the software, this upgrad=
e is
   bound by the terms of the software license agreement included with the
   original software.
___________________________________________________________________________=
___
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7IJZc18sy83A/qfwRAvTDAJ4iOz5pO/b4kMSjgxlLlsQO3o1dtQCbBcdk
GjgmKRlr7rar5bVu93J3IJg=3D
=3DyZ1W
-----END PGP SIGNATURE-----
=00

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру