-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SCO Security Advisory

Subject:                Linux: Preboot eXecution Environment (PXE) server
                        denial-of-service attacks
Advisory number:        CSSA-2002-044.0
Issue date:             2002 November 11
Cross reference:
______________________________________________________________________________


1. Problem Description

        The PXE server shipped in the pxe package crashes when it
        receives corrupt (malformed) DHCP packets. Because a PXE server
        answers DHCP traffic from unauthenticated clients, anyone able
        to deliver such packets to it can knock the service over,
        denying network boot to legitimate clients. The issue is a
        denial of service only; no code execution or privilege
        escalation is described.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------
        OpenLinux 3.1.1 Server          prior to pxe-0.1-33.i386.rpm
        OpenLinux 3.1.1 Workstation     prior to pxe-0.1-33.i386.rpm
        OpenLinux 3.1 Server            prior to pxe-0.1-33.i386.rpm
        OpenLinux 3.1 Workstation       prior to pxe-0.1-33.i386.rpm


3. Solution

        The proper solution is to install the latest packages.

        Many customers find it easier to use the Caldera System
        Updater, called cupdate (or kcupdate under the KDE
        environment), to update these packages rather than
        downloading and installing them by hand.

        If you install by hand, compare the MD5 checksum of each
        downloaded file with the value listed for it below before
        running rpm. Note that rpm -F (freshen) only upgrades a
        package that is already installed; hosts without the pxe
        package installed are not affected and need no action.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-044.0/RPMS

        4.2 Packages

        75380c0629500bcb6ac3185fd7f68cf9        pxe-0.1-33.i386.rpm

        4.3 Installation

        rpm -Fvh pxe-0.1-33.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-044.0/SRPMS

        4.5 Source Packages

        dc85c1098a2835660007665df6140570        pxe-0.1-33.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-044.0/RPMS

        5.2 Packages

        bfb9e544055e16500098a9fd1c058a7c        pxe-0.1-33.i386.rpm

        5.3 Installation

        rpm -Fvh pxe-0.1-33.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-044.0/SRPMS

        5.5 Source Packages

        1e6e6cdb4485ad55d7618ae59bb34f5a        pxe-0.1-33.src.rpm


6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-044.0/RPMS

        6.2 Packages

        84544318a2f9cf2f439aecf928ae3a64        pxe-0.1-33.i386.rpm

        6.3 Installation

        rpm -Fvh pxe-0.1-33.i386.rpm

        6.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-044.0/SRPMS

        6.5 Source Packages

        b740f40b65ec56bbfa8c59439487f7a3        pxe-0.1-33.src.rpm


7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-044.0/RPMS

        7.2 Packages

        0dffc10145ab632ed3190429d445cfdf        pxe-0.1-33.i386.rpm

        7.3 Installation

        rpm -Fvh pxe-0.1-33.i386.rpm

        7.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-044.0/SRPMS

        7.5 Source Packages

        e7f92ace6e801f23251fd00a1a76dd98        pxe-0.1-33.src.rpm


8. References

        Specific references for this advisory:

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0835
        http://www.redhat.com/support/errata/RHSA-2002-162.html

        SCO security resources:

        http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr867513, fz525783,
        erg501646.


9. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj3QHj8ACgkQbluZssSXDTH/8wCg7GCGWlJh1PD6uRitRK894yd2
QuIAoJlFPEx30M0hoWjVF2PYeglbhL2B
=h/Ov
-----END PGP SIGNATURE-----
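The manual installation steps in sections 4 through 7 (download the RPM, check its MD5 checksum against the advisory, then run rpm -Fvh) as one POSIX shell script. This is an added example, not part of the SCO advisory or the pxe package; the function names are hypothetical, and the checksum table is copied from the advisory's "Packages" entries. MD5 is no longer collision resistant, so the check here only guards against a corrupted or truncated download; authenticity of the checksums themselves rests on the PGP signature over the advisory.

```shell
#!/bin/sh
# Added example (not from CSSA-2002-044.0): verify a downloaded RPM
# against the MD5 published in the advisory before installing it.
# Helper names are hypothetical; checksums are the advisory's own.

# advisory_md5 TREE -> prints the advisory MD5 for pxe-0.1-33.i386.rpm
# in that product tree, or returns 1 for an unknown tree.
advisory_md5() {
    case "$1" in
        3.1.1/Server)       echo 75380c0629500bcb6ac3185fd7f68cf9 ;;
        3.1.1/Workstation)  echo bfb9e544055e16500098a9fd1c058a7c ;;
        3.1/Server)         echo 84544318a2f9cf2f439aecf928ae3a64 ;;
        3.1/Workstation)    echo 0dffc10145ab632ed3190429d445cfdf ;;
        *)                  return 1 ;;
    esac
}

# verify_md5 FILE EXPECTED -> 0 if FILE exists and its MD5 equals
# EXPECTED, 1 otherwise. Uses md5sum from GNU coreutils.
verify_md5() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# install_pxe_update TREE FILE -> runs rpm -Fvh only when the checksum
# matches; returns 1 on mismatch, 2 on an unknown tree.
# Usage: install_pxe_update 3.1.1/Server ./pxe-0.1-33.i386.rpm
install_pxe_update() {
    tree=$1
    file=$2
    expected=$(advisory_md5 "$tree") || {
        echo "unknown product tree: $tree" >&2
        return 2
    }
    if verify_md5 "$file" "$expected"; then
        echo "checksum OK: $file"
        rpm -Fvh "$file"
    else
        echo "checksum MISMATCH for $file (expected $expected); not installing" >&2
        return 1
    fi
}

# selfcheck -> exercises verify_md5 offline with a constructed file
# (not an RPM): the text "hello\n" has a well-known MD5.
selfcheck() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    if verify_md5 "$tmp" b1946ac92492d2347c6235b4d2611184; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

The script refuses to call rpm at all unless the checksum matches, so a truncated FTP transfer fails closed instead of leaving a half-installed package. The same pattern applies to the source RPMs in the SRPMS directories; only the table of expected values changes.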