-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

			SCO Security Advisory

Subject:		Linux: fetchmail remote vulnerabilities in multidrop mode
Advisory number: 	CSSA-2002-051.0
Issue date: 		2002 November 21
Cross reference:
______________________________________________________________________________


1. Problem Description

	Several buffer overflows have been found in fetchmail. These
	bugs may be remotely exploited if fetchmail is running in
	multidrop mode.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server		prior to fetchmail-6.1.0-3.i386.rpm
					prior to fetchmailconf-6.1.0-3.i386.rpm

	OpenLinux 3.1.1 Workstation	prior to fetchmail-6.1.0-3.i386.rpm
					prior to fetchmailconf-6.1.0-3.i386.rpm

	OpenLinux 3.1 Server		prior to fetchmail-6.1.0-3.i386.rpm
					prior to fetchmailconf-6.1.0-3.i386.rpm

	OpenLinux 3.1 Workstation	prior to fetchmail-6.1.0-3.i386.rpm
					prior to fetchmailconf-6.1.0-3.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-051.0/RPMS

	4.2 Packages

	434fea1951a0d2f3b84aacef99c64406	fetchmail-6.1.0-3.i386.rpm
	f4a95f399c696a47d30cb42076a16537	fetchmailconf-6.1.0-3.i386.rpm

	4.3 Installation

	rpm -Fvh fetchmail-6.1.0-3.i386.rpm
	rpm -Fvh fetchmailconf-6.1.0-3.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-051.0/SRPMS

	4.5 Source Packages

	4c7bc139f6e47d9971d65496e60a076b	fetchmail-6.1.0-3.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-051.0/RPMS

	5.2 Packages

	645cf83c0c1619d544a18b9ce5f9d075	fetchmail-6.1.0-3.i386.rpm
	cc9e945ccf9d649683a4f5dfca3b771a	fetchmailconf-6.1.0-3.i386.rpm

	5.3 Installation

	rpm -Fvh fetchmail-6.1.0-3.i386.rpm
	rpm -Fvh fetchmailconf-6.1.0-3.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-051.0/SRPMS

	5.5 Source Packages

	cb48bec8553df5c52f625ecad3a9411b	fetchmail-6.1.0-3.src.rpm


6. OpenLinux 3.1 Server

	6.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-051.0/RPMS

	6.2 Packages

	65173695a1ed34351d66264d194612b7	fetchmail-6.1.0-3.i386.rpm
	00f87fcb9ce0d8b1253ccc0e10d488a6	fetchmailconf-6.1.0-3.i386.rpm

	6.3 Installation

	rpm -Fvh fetchmail-6.1.0-3.i386.rpm
	rpm -Fvh fetchmailconf-6.1.0-3.i386.rpm

	6.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-051.0/SRPMS

	6.5 Source Packages

	4554b6c1ba5cc11ab5a0dae47c742605	fetchmail-6.1.0-3.src.rpm


7. OpenLinux 3.1 Workstation

	7.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-051.0/RPMS

	7.2 Packages

	84ef9db93e4e3ecf962332495efb4979	fetchmail-6.1.0-3.i386.rpm
	48b5987e053098ba15c9105386b9b32d	fetchmailconf-6.1.0-3.i386.rpm

	7.3 Installation

	rpm -Fvh fetchmail-6.1.0-3.i386.rpm
	rpm -Fvh fetchmailconf-6.1.0-3.i386.rpm

	7.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-051.0/SRPMS

	7.5 Source Packages

	9ee9d217103d8ca4b8ac97d6e7709a4d	fetchmail-6.1.0-3.src.rpm


8. References

	Specific references for this advisory:

		http://security.e-matters.de/advisories/032002.html
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1174

	SCO security resources:

		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr869910, fz526231,
	erg712133.


9. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.


10. Acknowledgements

	Stefan Esser [s.esser@e-matters.de] discovered and researched
	these vulnerabilities.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj3dOVYACgkQbluZssSXDTGpNACg0eNyvn1nR495dDVSnLUqACbr
qF8AoMZmtCf/NpuuRtNf/RsX2lUN1twZ
=mKL0
-----END PGP SIGNATURE-----