-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : remote buffer overflow in sendmail (CERT CA-2003-07)
Advisory number: 	CSSA-2003-SCO.6.1
Issue date: 		2003 March 26
Cross reference:	CSSA-2003-SCO.6
______________________________________________________________________________


1. Problem Description

	From CA-2003-07: Researchers at Internet Security Systems
	(ISS) have discovered a remotely exploitable vulnerability
	in sendmail. This vulnerability could allow an intruder to
	gain control of a vulnerable sendmail server.

	This update clarifies installation instructions for OpenServer
	5.0.5.
			

2. Vulnerable Supported Versions

	System				Vulnerable Versions
	----------------------------------------------------------------------
	OpenServer 5.0.5		previous to sendmail 8.11.0a
	OpenServer 5.0.6		previous to sendmail 8.11.0a
	OpenServer 5.0.7		previous to sendmail 8.11.0a


3. Solution

	The proper solution is to install the latest packages.


4. OpenServer 5.0.5

	4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.6.1


	4.2 Verification

	MD5 (sendmail.506.tar) = da105d0a82313ed19bc10b515467e93f

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence.

	1) Download the sendmail.506.tar file
	   (OpenServer 5.0.5 uses the 5.0.6 tar image)

	2) Extract the files from the tar archive:
		tar xvf sendmail.506.tar

	3) Remove the existing version of SendMail

		- Backup your /usr/lib/sendmail.cf file
		- Backup the contents of your existing /usr/lib/mail
		  directory
		- Using custom, remove the existing version of SendMail

			- SCO OpenServer Enterprise System
				SCO OpenServer Enterprise System UNIX
					SCO OpenServer Enterprise System Mail Utilities

			- Choose the option to leave it loaded if you wish

	4) Still using the custom command, specify an install from
	   media images, and specify the security fix download
	   directory (from step 2) as the location of the images.

	5) Restore the appropriate files from your saved copies.


5. OpenServer 5.0.6

	5.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.6.1


	5.2 Verification

	MD5 (sendmail.506.tar) = da105d0a82313ed19bc10b515467e93f

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	5.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the sendmail.506.tar

	2) Extract the files from the tar archive:
		tar xvf sendmail.506.tar

	3) Run the custom command, specify an install from media
	   images, and specify the downloaded directory as the
	   location of the images.


6. OpenServer 5.0.7

	6.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.6.1


	6.2 Verification

	MD5 (sendmail.507.tar) = 807f1fa8d15a3361a589119bfca18533

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools


	6.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the sendmail.507.tar file

	2) Extract the files from the tar archive:
		tar xvf sendmail.507.tar

	3) Run the custom command, specify an install from media
	   images, and specify the downloaded directory as the
	   location of the images.


7. References

	Specific references for this advisory:

		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337
		http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
		http://www.cert.org/advisories/CA-2003-07.html
		http://www.kb.cert.org/vuls/id/398025
		http://www.sendmail.org/8.12.8.html

	SCO security resources:

		http://www.sco.com/support/security/index.html

	This security fix closes SCO incidents sr875284, fz527484,
	erg712247.


8. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


9. Acknowledgements

	Internet Security Systems, Inc. discovered and researched
	this vulnerability.

______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj6CPPkACgkQaqoBO7ipriE5qACfQaIyOFgu+xYqWnOdJe5CFjct
ysgAn0YLqLHzuFrub1pMd3dZwp8IoUCQ
=MM/d
-----END PGP SIGNATURE-----