6164179 2001-03-02 11:58 -0700  /141 rader/ Caldera Support Info <sup-info@LOCUTUS4.CALDERASYSTEMS.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-03-02  23:15  av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: sup-info@LOCUTUS4.CALDERASYSTEMS.COM
Mottagare: Bugtraq (import) <15721>
Ärende: Security Update: buffer overflow in /bin/mail CSSA-2001-010.0
------------------------------------------------------------
From: Caldera Support Info <sup-info@LOCUTUS4.CALDERASYSTEMS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010302115848.A10091@locutus4.calderasystems.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
		   Caldera Systems, Inc.  Security Advisory

Subject:		buffer overflow in /bin/mail
Advisory number: 	CSSA-2001-010.0
Issue date: 		2001 March, 3
Cross reference:
______________________________________________________________________________


1. Problem Description

   There is a buffer overflow in /bin/mail which allows a local
   attacker to read, modify and delete mails of other users on the
   system.


2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3		All packages previous to
   				mailx-8.1.1-12OL

   OpenLinux eServer 2.3.1      All packages previous to
   and OpenLinux eBuilder  	mailx-8.1.1-12

   OpenLinux eDesktop 2.4       All packages previous to
   				mailx-8.1.1-12

3. Solution

   Workaround

     none

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

   4.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:
        
       ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS

   4.2 Verification

       abc1ee0ce4d52ba1dd7059167af66cdc  RPMS/mailx-8.1.1-12OL.i386.rpm
       d88d071f083e7548837fb07aaf3e431d  SRPMS/mailx-8.1.1-12OL.src.rpm

   4.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fhv mailx*.i386.rpm

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

   5.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS

   5.2 Verification

       eb76e3238d1832ce648c8fe8abcdeb53  RPMS/mailx-8.1.1-12.i386.rpm
       6e0e4ae06009c54bee2385353b4d3d5c  SRPMS/mailx-8.1.1-12.src.rpm

   5.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

          rpm -Fvh mailx*i386.rpm

6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       f99f489b3e748147d8ccfa9377158b55  RPMS/mailx-8.1.1-12.i386.rpm
       6e0e4ae06009c54bee2385353b4d3d5c  SRPMS/mailx-8.1.1-12.src.rpm

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

       rpm -Fvh mailx*i386.rpm

7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 9327.

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of
   the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera
   OpenLinux.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6n6cK18sy83A/qfwRAvfXAJsF1bdKbW4TqKNvpxb94GUZaKa9zACgvrpK
8x+YlIW94nAw664llDguces=
=RrQ/
-----END PGP SIGNATURE-----

(6164179) --------------------------------(Ombruten)