[22438] in bugtraq

home help back first fref pref prev next nref lref last post

Security Update: [CSSA-2001-SCO.13] OpenServer: BIND buffer overflows

daemon@ATHENA.MIT.EDU (sco-security@caldera.com)
Mon Aug 27 18:03:25 2001

To: security-announce@lists.securityportal.com, bugtraq@securityfocus.com,
        announce@lists.caldera.com
From: sco-security@caldera.com
Date: Mon, 27 Aug 2001 14:19:37 -0700
Message-ID: <20010827141937.F4999@caldera.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline


To: security-announce@lists.securityportal.com bugtraq@securityfocus.com announce@lists.caldera.com

___________________________________________________________________________

	    Caldera International, Inc. Security Advisory

Subject:		OpenServer: BIND buffer overflows
Advisory number: 	CSSA-2001-SCO.13
Issue date: 		2001 August 20
Cross reference:
___________________________________________________________________________



1. Problem Description
	
	The BIND subsystem contains several buffer overflows, detailed
	in CERT advisory CA-2001-02. This advisory announces the
	availability of a preliminary version of BIND 8.2.5. Since
	there is no packaged installation of this preliminary
	offering, it should only be installed by experienced system
	administrators. A formal installable fix containing this
	version of BIND is forthcoming.


2. Vulnerable Versions

	Operating System	Version		Affected Files
	------------------------------------------------------------------
	OpenServer		<= 5.0.6a	./etc/addr
						./etc/nsupdate
						./etc/dig
						./etc/dnsquery
						./etc/host
						./etc/named
						./etc/named-xfer
						./etc/ndc
						./usr/lib/libresolv.so.1
						./usr/lib/libsocket.so.2
						./usr/lib/libresolv.a
						./usr/lib/libsocket.a
						./usr/lib/libp/libresolv.so.1
						./usr/lib/libp/libsocket.a
						./usr/lib/libp/libsocket.so.2
						./usr/lib/libp/libresolv.a
						./usr/bin/nslookup
						./usr/include/resolv.h


3. Workaround

	None.


4. OpenServer

  4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/security/openserver/sr379322/


  4.2 Verification

	md5 checksums:

	84e3a058fb2af36235e99831fb44d200	newbind.tar.Z


	md5 is available for download from

		ftp://ftp.sco.com/pub/security/tools/


  4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following commands:

	# uncompress /tmp/newbind.tar.Z
	# mkdir /tmp/newbind
	# cd /tmp/newbind
	# tar xvf /tmp/newbind.tar

	Replace each of the associated binaries with the one from this
	directory (after saving them somewhere else).


5. References

	http://www.cert.org/advisories/CA-2001-02.html


6. Disclaimer

	Caldera International, Inc. is not responsible for the misuse
	of any of the information we provide on our website and/or
	through our security advisories. Our advisories are a service
	to our customers intended to promote secure installation and
	use of Caldera International products.
	 
___________________________________________________________________________
home help back first fref pref prev next nref lref last post