SCO Responds to security bugs (was: SCO UNIX C2 Security)

John Pettitt jpp at specialix.co.uk
Fri Feb 22 20:34:41 AEST 1991


paulz at sco.COM (W. Paul Zola) writes:
>I have good news for all those who have been having problems with 
>SCO's C2 Security.  SCO Support has just released a Support Level
>Supplement (SLS) which is designed to resolve many of these problems.
>The supplement name is "The SCO UNIX System V/386 Release 3.2 Security
>Supplement", and the SLS number is unx257.  This SLS is available 
>for anonymous UUCP via sosco, and through the usual support channels.
>-

What they don't tell you is that the SLS also fixes
a rather interesting root security bug related to TCP/IP.

In the light of the recent ISC uarea problems the way SCO responded
deserves some publicity.   We found a bug that allowed any user to
log in as root by manipulating the network (probably a physical attack).
We reported this to SCO with a note saying that we would like a fix ASAP
(we have an Engineering Services agreement with SCO).

Within 2 weeks we had a beta of the SLS (unx257) that did indeed fix the
problem.   Before you ask - no I am not going to post the bug, however
if you are running ODT or SCO Unix with TCP/IP and NFS you should
get and install the upgrade ASAP.


-- 
John Pettitt, Specialix International, 
Email: jpp at specialix.com Tel +44 (0) 9323 54254 Fax +44 (0) 9323 52781
Disclaimer: Me, say that ?  Never, it's a forged posting !


