What is Security Supplement p535239, the sco_pmd security fix for OpenServer 6.0.0?

KEYWORDS: openserver 6.0.0 600 security supplement p535239 fz535239 SCOSA-2011.2 sco_pmd dos denial service vulnerability

RELEASE: SCO OpenServer Release 6.0.0

PROBLEM: What is Security Supplement p535239, the sco_pmd security fix for OpenServer 6.0.0?

SOLUTION: The supplement fixes a potential DOS vulnerability of sco_pmd. What follows is the Security Advisory for this fix:

______________________________________________________________________________

                        SCO Security Advisory

Subject:                sco_pmd security fix for OpenServer 6.0.0
Advisory number:        SCOSA-2011.2
Issue date:             20th July 2011
Cross reference:        fz535239
______________________________________________________________________________

1. Problem Description

        Security Supplement p535239, the sco_pmd security fix for
        OpenServer 6.0.0, addresses a potential denial of service
        vulnerability of sco_pmd.

2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------
        OpenServer 6.0.0                Maintenance Pack 4

3. Solution

        The proper solution is to install the relevant package below.

4. OpenServer 6.0.0

        This patch should only be installed on OpenServer 6.0.0 systems
        with Maintenance Pack 4 installed.

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/openserver6/600/security/p535239b_osr6/

        4.2 Verification

        # sum -r p535239b_vol.tar
        12225 107 p535239b_vol.tar

        MD5 (p535239b_vol.tar) = cae430782b7d499ce1dea1e31bbec460

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools

        # /usr/bin/shasum p535239b_vol.tar
        9f535672663e78682a6b1494eda2bae897d295e8 p535239b_vol.tar

        /usr/bin/shasum is part of the perl-5.8.8 extension package
        included in Maintenance Pack .

        Alternatively /usr/gnu/bin/sha1sum included in the GNU Utilities
        can be used:

        # /usr/gnu/bin/sha1sum p535239b_vol.tar
        9f535672663e78682a6b1494eda2bae897d295e8 p535239b_vol.tar

        4.3 Installation Instructions

        To install P535239B follow these steps:

        1.  Login as root

        2.  Create an empty directory, such as /tmp/p535239b, to which
            the patch will be downloaded.

        3.  Download the P535239B patch file p535239b_vol.tar to the
            directory created in step 2.

        4.  After the download is complete, change to the directory
            containing the p535239b_vol.tar file and run the following
            to extract the media image files:

                tar xvf p535239b_vol.tar

        5.  Run the Software Manager with the command:

                scoadmin software

            or double-click on the Software Manager icon in the desktop.

        6.  Pull down the "Software" menu and select "Install New".

        7.  When prompted for the host from which to install, choose
            the local machine and then "Continue".

        8.  In the "Select Media" menu, pull down the "Media Device"
            menu. Select "Media Images", then choose "Continue".

        9.  When prompted for the "Image Directory", enter
            "/tmp/p535239b" (or the directory where you placed the
            P535239B patch file p535239b_vol.tar in step 2) and choose
            "OK."

        10. When prompted to select software to install, make sure that
            the "P535239B" entry is highlighted. Choose "Install". Once
            installation is complete, select "OK".

        11. Installation of Escalation Supplement P535239B is now
            complete. To exit the Software Manager, select "Exit" from
            the "Host" menu.

        12. Once the installation has completed, you can remove or
            archive the P535239B patch file p535239b_vol.tar, the media
            image files, and the containing directory created in step 2.

        13. Reboot the system after installing this supplement.

        4.4 Removal Instructions

        Note: Patches must be rolled back in the reverse order in which
        they were installed on a per-component basis.

        1.  Log in as root.

        2.  Execute the command:

                scoadmin software

            or double-click on the Software Manager icon in the desktop.

        3.  Highlight the "P535239B" entry.

        4.  Pull down the "Software" menu and select "Remove Software".

        5.  Once the removal finishes, quit the Software Manager.

        6.  It is necessary to reboot your system after removal.

5. References

        SCO security resources:
                http://www.sco.com/support/download.html

        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents fz535239.

6. Disclaimers

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO products.

7. Acknowledgments

        N/A