-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenServer 5.0.7 OpenServer 6.0.0 : CUPS Multiple Buffer Overflow Vulnerabilities
Advisory number:        SCOSA-2006.20
Issue date:             2006 April 18
Cross reference:        fz533446 CVE-2005-3191 CVE-2005-3192 CVE-2005-3193
______________________________________________________________________________


1. Problem Description

        Several buffer overflow vulnerabilities have been reported in
        CUPS. They can be exploited by malicious people to cause a
        DoS (Denial of Service) and potentially to compromise a
        vulnerable system.

        The vulnerabilities are not in CUPS itself but in the Xpdf
        code that CUPS bundles for its PDF filter (pdftops). A
        specially crafted PDF file submitted as a print job is
        processed by that filter, so an attacker who can submit jobs
        to a vulnerable server can crash the filter and potentially
        execute arbitrary code with the privileges of the filter
        process.

        The Common Vulnerabilities and Exposures project
        (cve.mitre.org) has assigned the names CVE-2005-3191,
        CVE-2005-3192, and CVE-2005-3193 to these issues.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.7                Cups package
        OpenServer 6.0.0                Cups package


3. Solution

        The proper solution is to install the latest packages.


4. OpenServer 5.0.7

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.20


        4.2 Verification

        MD5 (p533446.507_vol.tar) = 6150ddaec1548e98e543ae030b2c9de4

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download p533446.507_vol.tar to a directory.

        2) Verify the MD5 sum of the downloaded file against the
           value in section 4.2, then extract the VOL* files.

                # tar xvf p533446.507_vol.tar

        3) Run the custom command, specify an install from media
           images, and specify the directory as the location of
           the images.


5. OpenServer 6.0.0

        5.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.20


        5.2 Verification

        MD5 (p533446.600_vol.tar) = c4e87cee43acf3e6a55d0416601c92a6

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        5.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download p533446.600_vol.tar to a directory.

        2) Verify the MD5 sum of the downloaded file against the
           value in section 5.2, then extract the VOL* files.

                # tar xvf p533446.600_vol.tar

        3) Run the custom command, specify an install from media
           images, and specify the directory as the location of
           the images.


6. References

        Specific references for this advisory:

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
        http://secunia.com/advisories/17976/

        SCO security resources:

        http://www.sco.com/support/security/index.html

        SCO security advisories via email

        http://www.sco.com/support/forums/security.html

        This security fix closes SCO incident fz533446.


7. Disclaimer

        SCO is not responsible for the misuse of any of the
        information we provide on this website and/or through our
        security advisories. Our advisories are a service to our
        customers intended to promote secure installation and use
        of SCO products.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (SCO_SV)

iD8DBQFERVAUaqoBO7ipriERAoq6AJ4rV8/X01VWf+DQ33T4P4vVtDR5cwCfQiOP
09BcDpxsRtRb5saMVbPOsVs=
=TlR1
-----END PGP SIGNATURE-----
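The verification and install steps in sections 4.2/4.3 and 5.2/5.3 are meant to be done in that order: compare the digest of the downloaded archive with the one printed in the advisory, and only then extract the VOL* images for custom. The script below is an added example (editor's illustration, not part of the SCO advisory or of SCO's own tooling) that does exactly that in POSIX sh. It copies the two published MD5 values from the advisory, computes the digest with whichever of md5sum, md5 or openssl is present (on OpenServer that would be the md5 tool from ftp.sco.com/pub/security/tools; the fallback chain and the function names are assumptions), and refuses to run tar if the digest does not match.

```shell
#!/bin/sh
# Added example, not part of the SCO advisory: verify a downloaded fix
# archive against the MD5 sum published in section 4.2 / 5.2, and only
# extract it when the digest matches. Assumes POSIX sh plus one of
# md5sum, md5 or openssl on PATH (an assumption, not an SCO requirement).

# Published digests, copied from the advisory text.
MD5_507="6150ddaec1548e98e543ae030b2c9de4"   # p533446.507_vol.tar
MD5_600="c4e87cee43acf3e6a55d0416601c92a6"   # p533446.600_vol.tar

# md5_of FILE: print the hex MD5 digest of FILE using whichever tool
# exists. Each tool prints the digest in a different layout, so only the
# hex field is kept: md5sum puts it first, md5 ("MD5 (file) = hex") and
# openssl ("MD5(file)= hex") put it last.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 "$1" | awk '{print $NF}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_archive FILE EXPECTED: succeed (exit 0) only when FILE's digest
# equals EXPECTED. Hex case is normalised so a sum pasted in upper case
# still compares correctly; an empty digest (tool failure) never matches.
verify_archive() {
    actual=$(md5_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# install_fix FILE EXPECTED: step 2 of sections 4.3 / 5.3 with the
# verification gate in front of it. The archive is not touched on a
# mismatch, so a corrupt or swapped download never reaches custom.
install_fix() {
    if ! verify_archive "$1" "$2"; then
        echo "MD5 mismatch for $1; refusing to extract" >&2
        return 1
    fi
    tar xvf "$1"
}

# Usage: sh verify_fix.sh p533446.507_vol.tar
# The published sum is chosen from the archive name; with no argument the
# script only defines the functions above.
case "${1:-}" in
    *507_vol.tar) install_fix "$1" "$MD5_507" ;;
    *600_vol.tar) install_fix "$1" "$MD5_600" ;;
    "")           ;;
    *)            echo "unknown archive: $1" >&2; exit 2 ;;
esac
```

After a successful extraction, step 3 of the advisory still applies: run custom and point it at the directory holding the VOL* images. Note what the digest does and does not give you: it detects a truncated, corrupted or substituted download, but it is only as trustworthy as the document it was copied from. That is why the advisory is PGP signed; checking the signature (for example with gpg --verify on the saved advisory) before trusting the sums is the step that ties both archive and digest back to SCO.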