-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ Caldera Systems, Inc. Security Advisory Subject: buffer overflow in /bin/mail Advisory number: CSSA-2001-010.0 Issue date: 2001 March, 3 Cross reference: ______________________________________________________________________________ 1. Problem Description There is a buffer overflow in /bin/mail which allows a local attacker to read, modify and delete mails of other users on the system. 2. Vulnerable Versions System Package ----------------------------------------------------------- OpenLinux 2.3 All packages previous to mailx-8.1.1-12OL OpenLinux eServer 2.3.1 All packages previous to and OpenLinux eBuilder mailx-8.1.1-12 OpenLinux eDesktop 2.4 All packages previous to mailx-8.1.1-12 3. Solution Workaround none The proper solution is to upgrade to the latest packages. 4. OpenLinux 2.3 4.1 Location of Fixed Packages The upgrade packages can be found on Caldera's FTP site at: ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/ The corresponding source code package can be found at: ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS 4.2 Verification abc1ee0ce4d52ba1dd7059167af66cdc RPMS/mailx-8.1.1-12OL.i386.rpm d88d071f083e7548837fb07aaf3e431d SRPMS/mailx-8.1.1-12OL.src.rpm 4.3 Installing Fixed Packages Upgrade the affected packages with the following commands: rpm -Fhv mailx*.i386.rpm 5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0 5.1 Location of Fixed Packages The upgrade packages can be found on Caldera's FTP site at: ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/ The corresponding source code package can be found at: ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS 5.2 Verification eb76e3238d1832ce648c8fe8abcdeb53 RPMS/mailx-8.1.1-12.i386.rpm 6e0e4ae06009c54bee2385353b4d3d5c SRPMS/mailx-8.1.1-12.src.rpm 5.3 Installing Fixed Packages Upgrade the affected packages with the following commands: rpm -Fvh mailx*i386.rpm 6. OpenLinux eDesktop 2.4 6.1 Location of Fixed Packages The upgrade packages can be found on Caldera's FTP site at: ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/ The corresponding source code package can be found at: ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS 6.2 Verification f99f489b3e748147d8ccfa9377158b55 RPMS/mailx-8.1.1-12.i386.rpm 6e0e4ae06009c54bee2385353b4d3d5c SRPMS/mailx-8.1.1-12.src.rpm 6.3 Installing Fixed Packages Upgrade the affected packages with the following commands: rpm -Fvh mailx*i386.rpm 7. References This and other Caldera security resources are located at: http://www.calderasystems.com/support/security/index.html This security fix closes Caldera's internal Problem Report 9327. 8. Disclaimer Caldera Systems, Inc. is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of Caldera OpenLinux. ______________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.1 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6n6cK18sy83A/qfwRAvfXAJsF1bdKbW4TqKNvpxb94GUZaKa9zACgvrpK 8x+YlIW94nAw664llDguces= =RrQ/ -----END PGP SIGNATURE-----