From security@caldera.com Wed Nov 20 23:19:26 2002
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com, security-alerts@linuxsecurity.com, full-disclosure@lists.netsys.com
Date: Mon, 18 Nov 2002 15:30:40 -0800
Reply-To: please_reply_to_security@caldera.com
Subject: [Full-Disclosure] Security Update: [CSSA-2002-048.0] Linux: wwwoffled remote access vulnerability
To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com full-disclosure@lists.netsys.com

______________________________________________________________________________

                        SCO Security Advisory

Subject:                Linux: wwwoffled remote access vulnerability
Advisory number:        CSSA-2002-048.0
Issue date:             2002 November 18
Cross reference:
______________________________________________________________________________


1. Problem Description

        wwwoffled allows remote attackers to cause a denial of service
        and possibly execute arbitrary code via a negative Content-Length
        value.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------
        OpenLinux 3.1.1 Workstation     prior to wwwoffle-2.6b-3MR.i386.rpm
        OpenLinux 3.1 Workstation       prior to wwwoffle-2.6b-3MR.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Workstation

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-048.0/RPMS

        4.2 Packages

        d54de95d9db4d19501e6b50ef63f2e31        wwwoffle-2.6b-3MR.i386.rpm

        4.3 Installation

        rpm -Fvh wwwoffle-2.6b-3MR.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-048.0/SRPMS

        4.5 Source Packages

        1e8f25979fdc99dc6b3652927fa1a98a        wwwoffle-2.6b-3MR.src.rpm


5. OpenLinux 3.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-048.0/RPMS

        5.2 Packages

        c75848533ab650ef06bb7910eca73946        wwwoffle-2.6b-3MR.i386.rpm

        5.3 Installation

        rpm -Fvh wwwoffle-2.6b-3MR.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-048.0/SRPMS

        5.5 Source Packages

        9b8e3cf1987bc4d08cf9782eea2e2c9e        wwwoffle-2.6b-3MR.src.rpm


6. References

        Specific references for this advisory:

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0818

        SCO security resources:

        http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr867510, fz525781, erg501645.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security advisories.
        Our advisories are a service to our customers intended to promote
        secure installation and use of SCO products.

______________________________________________________________________________

[ Part 2, Application/PGP-SIGNATURE 245bytes. ]
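The problem description in section 1 comes down to a Content-Length header value that is parsed into a signed integer and then trusted as a buffer or read size. The C program below is an added illustration written for this edit; it is not wwwoffle's code and does not reproduce the actual defect in wwwoffled. It places a naive atoi()-style parse, which returns -1 for a header of "-1", next to a strict parser that accepts only a run of ASCII digits, rejects signs, trailing junk and arithmetic overflow, and caps the result at an explicit limit. That cap, the helper names and the sample header values are all constructed for the example; the 1 MiB limit stands in for whatever body size a given proxy or server is prepared to buffer.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive parse: the header value goes straight through atoi(), so "-1"
 * becomes -1.  Anything downstream that treats the result as a size
 * (malloc(len), a read loop bound, an implicit conversion to size_t)
 * now works with a negative or wrapped-around value.  Illustrative only;
 * this is not the wwwoffle source. */
int naive_content_length(const char *value)
{
    return atoi(value);
}

/* Strict parse.  Returns true and stores the length in *out only when the
 * value is a run of decimal digits, optionally surrounded by spaces or tabs
 * and a trailing CRLF, and the number does not exceed max_allowed.  Signs,
 * embedded junk, empty values and overflow all return false, so a caller
 * is never handed a negative or oversized length. */
bool parse_content_length(const char *value, size_t max_allowed, size_t *out)
{
    const char *p = value;
    size_t n = 0;

    while (*p == ' ' || *p == '\t')              /* optional leading whitespace */
        p++;
    if (!isdigit((unsigned char)*p))             /* rejects "", "-1", "+5", "abc" */
        return false;

    for (; isdigit((unsigned char)*p); p++) {
        size_t d = (size_t)(*p - '0');
        /* Refuse as soon as n*10 + d would pass max_allowed; this also keeps
         * the multiplication itself from wrapping. */
        if (n > max_allowed / 10 || (n == max_allowed / 10 && d > max_allowed % 10))
            return false;
        n = n * 10 + d;
    }

    while (*p == ' ' || *p == '\t')              /* optional trailing whitespace */
        p++;
    if (*p != '\0' && *p != '\r' && *p != '\n')  /* rejects "12abc", "1 2" */
        return false;

    *out = n;
    return true;
}

/* Convenience wrapper (hypothetical helper): -1 on rejection, otherwise the
 * validated length, which by construction is non-negative and <= max_allowed. */
long checked_content_length(const char *value, size_t max_allowed)
{
    size_t n;
    return parse_content_length(value, max_allowed, &n) ? (long)n : -1L;
}

int main(void)
{
    /* Constructed header values; "-1" is the shape of input the advisory describes. */
    const char *samples[] = { "42", "-1", "+5", "", "12abc", "99999999999999999999" };
    const size_t cap = 1u << 20;   /* example policy: at most 1 MiB body */

    printf("naive atoi() of \"-1\": %d\n", naive_content_length("-1"));
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long len = checked_content_length(samples[i], cap);
        if (len < 0)
            printf("%-24s strict: reject\n", samples[i]);
        else
            printf("%-24s strict: accept, len=%ld\n", samples[i], len);
    }
    return 0;
}
```

The strict parser does the same work regardless of how the value is later used, so it belongs at the point where the header is first read; once a length has passed it, allocation and read loops can use a size_t without a separate sign check.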