-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenServer 5.0.x : Security vulnerability in Merge 
					   prior to Release 5.3.23a
Advisory number: 	CSSA-2003-SCO.11
Issue date: 		2003 July 21
Cross reference:	CAN-2003-0597
______________________________________________________________________________


1. Problem Description

	 Previous versions of Merge may include a security vulnerability
	 in /usr/lib/merge/display that could be exploited to allow
	 unauthorized root access to the UNIX system by an unprivileged
	 user with a UNIX login. Release 5.3.23a includes an
	 automatically installed fix for the problem.


2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	OpenServer 5.0.6 		distribution
	OpenServer 5.0.7 		distribution

3. Solution

	The proper solution is to install the latest packages.


4. OpenServer 5.0.6, OpenServer 5.0.7

	4.1 Location of Fixed Binaries

	http://www.sco.com/download.

	Select NeTraverse Merge 5.3.23 for OpenServer 5.0.6 and 5.0.7

	4.2 Verification

	MD5 (osr5_merge5323a_vol.cpio) = 1fd2355f30f2269a2eb79e0f60078b66

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools

	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Uncpio the file into the /tmp directory.
	
	2) Run the custom command.  Specifty and install from media 
	   images, and specify the /tmp directory as the location
	   of the images.

7. References

	Specific references for this advisory:
		The Common Vulnerabilities and Exposures (CVE) project
		has assigned the name CAN-2003-0597 to this issue.  This
		is a candidate for inclusion in the CVE list 
		(http://cve.mitre.org), which standardized names for 
		security problems.

	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0597

	SCO security resources:
		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr875154, erg712239,
	fz527466.


8. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this web site and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


9. Acknowledgments

	The Merge development team created the fix for the
	vulnerability.
______________________________________________________________________________


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj8cOJ0ACgkQaqoBO7ipriH9rwCbBPVnANMHhCpW4XgDq6RxX3tn
rrQAoKRLcX9VCDi/iWwkQ5I76ZLA1zup
=dP4F
-----END PGP SIGNATURE-----