Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!mit-eddie!bloom-beacon!eru!hagbard!sunic!mcsun!ukc!slxsys!jpp
From: jpp@specialix.co.uk (John Pettitt)
Newsgroups: comp.unix.sysv386
Subject: SCO Responds to security bugs (was: SCO UNIX C2 Security)
Keywords: unx257 c2 sco unix
Message-ID: <1991Feb22.093441.8639@specialix.co.uk>
Date: 22 Feb 91 09:34:41 GMT
References: <27B93F44.5606@tct.uucp> <1013@tuura.UUCP> <43@talgras.UUCP> <14791@scorn.sco.COM>
Organization: Specialix International, London
Lines: 28

paulz@sco.COM (W. Paul Zola) writes:
>I have good news for all those who have been having problems with
>SCO's C2 Security. SCO Support has just released a Support Level
>Supplement (SLS) which is designed to resolve many of these problems.
>The supplement name is "The SCO UNIX System V/386 Release 3.2 Security
>Supplement", and the SLS number is unx257. This SLS is available
>for anonymous UUCP via sosco, and through the usual support channels.
>-

What they don't tell you is that the SLS also fixes a rather
interesting root security bug related to TCP/IP. In the light of the
recent ISC uarea problems the way SCO responded deserves some
publicity.

We found a bug that allowed any user to log in as root by manipulating
the network (probably a physical attack). We reported this to SCO with
a note saying that we would like a fix ASAP (we have an Engineering
Services agreement with SCO). Within 2 weeks we had a beta of the SLS
(unx257) that did indeed fix the problem.

Before you ask - no, I am not going to post the bug; however, if you
are running ODT or SCO Unix with TCP/IP and NFS you should get and
install the upgrade ASAP.

--
John Pettitt, Specialix International,
Email: jpp@specialix.com Tel +44 (0) 9323 54254 Fax +44 (0) 9323 52781
Disclaimer: Me, say that ? Never, it's a forged posting !