===========================================================================
SCO Security Bulletin 2001.01 (SB-01.01)                        10-Jan-2001
---------------------------------------------------------------------------
Security exploits in the Verity Search Engine
---------------------------------------------------------------------------

I. Description

   SCO recently corrected the following problems:

   1. The Verity search engine can allow remote users to view
      world-readable system files on a UnixWare 7 server that is
      running scohelp(X1).

   2. The Verity search engine is vulnerable to buffer overflows.

II. Impact

   Remote users could potentially view world-readable files on a
   UnixWare 7 server.

   Remote users could potentially gain privileged access to UnixWare 7.

III. Releases

   UnixWare 7 Release 7.0.0, 7.0.1, 7.1.0 and 7.1.1

IV. Solution

   An immediate workaround not involving updating binaries would be to
   disable scohelphttp(X1M) on your systems. This can be done using the
   command:

      scohelphttp disable

   This workaround has the disadvantage of disabling access to man(1)
   pages and the online documentation of UnixWare 7.

   Customers with UnixWare 7 Release 7.0.0 and 7.0.1 should consider
   upgrading to UnixWare 7 Release 7.1.1 as 7.0.0 and 7.0.1 are no
   longer supported.

   Customers using UnixWare 7 Release 7.1.0 and 7.1.1 should apply
   PTF7684a to their systems.

   You can download PTF7684a as follows:

   Anonymous ftp (World Wide Web URL):

      ftp://ftp.sco.COM/SLS/ptf7684a.txt  (cover letter, ASCII text)
      ftp://ftp.sco.COM/SLS/ptf7684a.Z    (new binaries, compressed tar file)

   Checksums (sum -r):

      47735 ptf7864a.txt
      12440 ptf7684a.Z

V. Updates

   This bulletin is available for anonymous ftp download from
   ftp://ftp.sco.COM/SSE/security_bulletins/SB-01.01a, and may be
   updated as new information becomes available.

   The latest information on security vulnerabilities and fixes from
   SCO is available on the world-wide web at http://www.sco.com/security/

VI. Further Information

   If you have further questions, contact your support provider. If you
   need to contact SCO, please send electronic mail to support@sco.COM,
   or contact SCO as follows.

   USA/Canada: 6am-5pm Pacific Time (PST/PDT)
   -----------
      1-800-347-4381 (voice)
      1-408-427-5443 (fax)

   Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific Time (PST/PDT)
   ------------------------------------------------
      1-408-425-4726 (voice)
      1-408-427-5443 (fax)

   Europe, Middle East, Africa: 9am-5:30pm UK Time (GMT/BST)
   ----------------------------
      +44 (0)1923 816344 (voice)
      +44 (0)1923 817781 (fax)