6599910 2001-06-08 12:22 -0600  /176 lines/ Caldera Support Information <sup-info@opus.caldera.com>
Sent by: joel@lysator.liu.se
Imported: 2001-06-09  01:11  by Brevbäraren
External recipient: announce@lists.caldera.com
External recipient: bugtraq@securityfocus.com
External recipient: linux-security@redhat.com
External recipient: linuxlist@securityportal.com
Recipient: Bugtraq (import) <17338>
Subject: Security Update: [CSSA-2001-021.0] Volution 1.0 security update
------------------------------------------------------------
From: Caldera Support Information <sup-info@opus.caldera.com>
To: announce@lists.caldera.com, bugtraq@securityfocus.com,
 linux-security@redhat.com, linuxlist@securityportal.com
Message-ID: <20010608122259.B2166@opus.caldera.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
		   Caldera International, Inc.  Security Advisory

Subject:		Volution 1.0 security update
Advisory number: 	CSSA-2001-021.0
Issue date: 		2001 June, 08
Cross reference:
______________________________________________________________________________


1. Problem Description

   The Volution client and server components have been enhanced from
   the currently shipping (English and International) components to
   provide a higher level of security.

   If you are using the Volution client that comes with OpenLinux 3.1, 
   you do not need to apply the client RPM listed here. 
   However, you will need to apply the server RPM.

   Volution Client

   One of the security enhancements made affects the way the Volution
   client interacts with the Volution Computer Creation Daemon.

   The new Volution client by default, WILL NOT use the Computer
   Creation Daemon. To use the Computer Creation Daemon, edit the
   /etc/opt/csm/csm.conf file and add a <useCCD/> entry.

   Here is an example where the <useCCD/> entry has been added:

   <?xml version='1.0' encoding='UTF-8'?>
   <authentication>
           <useCCD/>
           <gateway>
                   <primaryGateway/>
                   <url>INSERT_YOUR_URL_HERE</url>
                   <authname>INSERT_YOUR_OBJECT_NAME_HERE</authname>
                   <password>INSERT_PASSWORD_HERE</password>
                   <objectname>INSERT_YOUR_OBJECT_NAME_HERE</objectname>
                   <cat name="catSWRepository">
                           <location>INSERT_SWR_LOCATION_HERE</location>
                   </cat>
           </gateway>
   </authentication>

   A Volution client with this csm.conf change contacts the Volution
   Computer Creation Daemon, and a new csm.conf file with the proper
   authname, password, etc., is created.

   The risk of having a <useCCD/> entry in the csm.conf file is that the
   machine could be vulnerable to control by a rogue Volution server. If
   a Volution client has <useCCD/> in its csm.conf file and is unable to
   authenticate to the LDAP directory server, it will attempt to contact
   a Computer Creation Daemon, which it locates using SLP. If a rogue
   Volution system has been brought up inside your network, the Volution
   client could communicate with that rogue system, and if this happens,
   the rogue Volution system now has control of the client.

   Volution Server

   Security enhancements have also been made to the Volution server.
   We recommend that you upgrade the Volution server components to
   csm-server-1.0.8-47. The file /etc/opt/csm/csmccd.conf on the
   Volution server is used as a template for the new client csm.conf
   files that are created as a result of Volution client / Volution
   Computer Creation Daemon communication. If you want Volution clients
   to continue to use the Computer Creation Daemon, a <useCCD/> entry
   must be placed in the csmccd.conf file.

   Here is an example where the <useCCD/> entry has been added to the 
   csmccd.conf file:

   <?xml version='1.0' encoding='UTF-8'?>
   <csmwsc>
           <authentication>
                   <useCCD/>
                   <gateway>
                           <primaryGateway/>
                           <url>LDAP://ldap.calderalabs.com:389</url>
                           <authname>INSERT_YOUR_OBJECT_NAME_HERE</authname>
                           <password>INSERT_YOUR_PASSWORD_HERE</password>
                           <objectname>INSERT_YOUR_OBJECT_NAME_HERE</objectname>
                           <cat name="catRPMRepository">
                                   <location>ou=rpms,o=caldera</location>
                           </cat>
                           <cat name="catHWInventory"/>
                           <cat name="catSWInventory"/>
                   </gateway>
           </authentication>
           <workstationcreation>
                   <creationLocation>LOCATION_WORKSTATIONS_WILL_BE_CREATED</creationLocation>
                   <searchLocation>SEARCH_FOR_WORKSTATIONS_HERE_ON_UPDATES</searchLocation>
                   <searchLocation>AND_ALSO_SEARCH_HERE</searchLocation>
                   <searchLocation>AND_HERE (You can have as many as you need)</searchLocation>
           </workstationcreation>
   </csmwsc>
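   To audit both of these layouts across a fleet, here is an added example
   (not Caldera's own tooling) that checks a csm.conf or csmccd.conf for the
   <useCCD/> entry and for template placeholders left in place, and can strip
   the entry to restore the new client default. The sample configuration
   strings, hostnames and DNs in it are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a client csm.conf with the CCD fallback enabled.
CSM_CONF_WITH_CCD = """<?xml version='1.0' encoding='UTF-8'?>
<authentication>
  <useCCD/>
  <gateway>
    <primaryGateway/>
    <url>LDAP://ldap.example.test:389</url>
    <authname>cn=ws1,ou=workstations,o=example</authname>
    <password>INSERT_PASSWORD_HERE</password>
  </gateway>
</authentication>
"""

# Constructed sample: a server csmccd.conf template with no <useCCD/>.
CSMCCD_CONF_NO_CCD = """<?xml version='1.0' encoding='UTF-8'?>
<csmwsc>
  <authentication>
    <gateway><primaryGateway/><url>LDAP://ldap.example.test:389</url></gateway>
  </authentication>
</csmwsc>
"""

PLACEHOLDER_PREFIXES = ("INSERT_", "LOCATION_", "SEARCH_", "AND_")

def audit_conf(text):
    """Report whether <useCCD/> is present and which template placeholders remain.

    Handles both advisory layouts: <authentication> at the root (csm.conf) or
    under <csmwsc> (csmccd.conf). Parse failures are reported, not raised.
    """
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return {"parse_error": str(exc), "uses_ccd": None, "placeholders": []}
    auth = root if root.tag == "authentication" else root.find("authentication")
    uses_ccd = auth is not None and auth.find("useCCD") is not None
    # Template values still in place mean this client was never properly enrolled.
    placeholders = [el.tag for el in root.iter()
                    if el.text and el.text.strip().startswith(PLACEHOLDER_PREFIXES)]
    return {"parse_error": None, "uses_ccd": uses_ccd, "placeholders": placeholders}

def disable_ccd(text):
    """Return the config with every <useCCD/> removed (the new client default).
    The XML declaration is not re-emitted."""
    root = ET.fromstring(text)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "useCCD":
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")
```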


2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   Volution 1.0                 All packages previous to
                                csm-1.0.8-47
                                csm-server-1.0.8-47

3. Solution

   Workaround

      none

   The proper solution is to upgrade to the latest packages.

4. Volution 1.0

   4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/Volution/1.0/current/RPMS/
   
   4.2 Verification

       eb708eb65a667a7108726a1fecc0b56f  RPMS/csm-1.0.8-47.i386.rpm
       c0cbc125afd8aae3ecec143432359750  RPMS/csm-server-1.0.8-47.i386.rpm

   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fhv csm*.i386.rpm

5. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix addresses Caldera's internal Problem Report 9547.

6. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this web site and/or through
   our security advisories. Our advisories are a service to our
   customers intended to promote secure installation and use of
   Caldera Volution.

7. Licence Agreement

   Downloading this software upgrade does not grant you a license for
   the software. If you have an existing license for the software,
   this upgrade is bound by the terms of the software license
   agreement included with the original software.
______________________________________________________________________________

(6599910) /Caldera Support Information <sup-info@opus.caldera.com>/(Reflowed)