-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________


                        SCO Security Advisory


Subject:                OpenServer 6.0.0: Sendmail Arbitrary Code Execution Vulnerability
Advisory number:        SCOSA-2006.25
Issue date:             2006 May 30
Cross reference:        fz533700
                        CVE-2006-0058
______________________________________________________________________________


1. Problem Description

        Sendmail could allow a remote attacker to execute arbitrary code as
        root, caused by a signal race vulnerability. 
	
        The Common Vulnerabilities and Exposures project
        (cve.mitre.org) has assigned the name CVE-2006-0058 to
        this issue.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        OpenServer 6.0.0                sendmail
                                        mailstats
                                        praliiases
                                        rmail
                                        smrsh
                                        makemap


3. Solution

        The proper solution is to install the latest packages.


4. OpenServer 6.0.0

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.25


        4.2 Verification

        MD5 (p533700.600_vol.tar) = 398f2d470a02adf4c9e6b1dd546bde50

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download p533700.600_vol.tar to a directory.

	2) Extract VOL* files.

	   # tar xvf p533700.600_vol.tar

	3) Run the custom command, specify an install
	   from media images, and specify the directory as
	   the location of the images.

5. References

        Specific references for this advisory:
                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
                http://www.securityfocus.com/archive/1/428536/100/0/threaded
                http://www.sendmail.org/

        SCO security resources:
                http://www.sco.com/support/security/index.html

        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents fz533700.


6. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


7. Acknowledgments

        Marc Bejarano is credited with the discovery of this vulnerability.


______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (SCO_SV)

iD8DBQFEfHaLaqoBO7ipriERAjgHAJwJWdpCI0Pb4wFUYiYj/8+OVCIttwCfdJNe
SSrTod2AJfbXui2OOsmp/L8=
=Bdad
-----END PGP SIGNATURE-----