-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenLinux: wu-ftpd fb_realpath() off-by-one bug
Advisory number: 	CSSA-2003-024.0
Issue date: 		2003 September 26
Cross reference: 	sr882340 fz528117 erg712364
______________________________________________________________________________


1. Problem Description

	Wu-ftpd FTP server contains remotely exploitable off-by-one bug. A
	local or remote attacker could exploit this vulnerability to gain
	root privileges on a vulnerable system. The Common Vulnerabilities
	and Exposures project (cve.mitre.org) has assigned the name
	CAN-2003-0466 to this issue.


2. Vulnerable Supported Versions

	System				Package
	----------------------------------------------------------------------

	OpenLinux 3.1.1 Server			prior to wu-ftpd-2.6.1-14.i386.rpm

	OpenLinux 3.1.1 Workstation		prior to wu-ftpd-2.6.1-14.i386.rpm


3. Solution

	The proper solution is to install the latest packages. Many
	customers find it easier to use the Caldera System Updater, called
	cupdate (or kcupdate under the KDE environment), to update these
	packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

	4.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-024.0/RPMS

	4.2 Packages

	5dfb4811abe8ccf46d8c523b13ef34d1	wu-ftpd-2.6.1-14.i386.rpm

	4.3 Installation

	rpm -Fvh wu-ftpd-2.6.1-14.i386.rpm

	4.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-024.0/SRPMS

	4.5 Source Packages

	13d7a9857c9151477e20e49f25d48169	wu-ftpd-2.6.1-14.src.rpm


5. OpenLinux 3.1.1 Workstation

	5.1 Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-024.0/RPMS

	5.2 Packages

	05b6a116c8160033f16b7c52611c1f86	wu-ftpd-2.6.1-14.i386.rpm

	5.3 Installation

	rpm -Fvh wu-ftpd-2.6.1-14.i386.rpm

	5.4 Source Package Location

	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-024.0/SRPMS

	5.5 Source Packages

	b53bca2a2dcce72aa0f15c661961d2b6	wu-ftpd-2.6.1-14.src.rpm


6. References


	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr882340 fz528117
	erg712364.


7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers intended
	to promote secure installation and use of SCO products.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj94iDAACgkQbluZssSXDTFPOgCfUrIFx1+jG+51w04qHaFxD4eT
KGgAni1FaEkMP36sPMlA6vkkPgLHsHwV
=zh3M
-----END PGP SIGNATURE-----