Release 7.1.0 Software notes

Security


Unnecessary privilege granted to packaging commands
Some packaging commands are installed with more privilege than they need, and as a result system security can be compromised. See ``Before you install or upgrade your system'' for details of the affected commands and the corrective action.

Security vulnerability in sendmail
A security vulnerability has been found in sendmail, caused by an error in the sendmail.cf configuration file. A patch is available from the SCO ftp archive (ftp.sco.com) to correct this error:

Defeating SYN flood attacks
Denial-of-service attacks which flood listening server ports with bogus TCP SYN packets (connection requests whose sender never completes the handshake) may now be countered by using the new parameter tcp_q0limit to the inconfig(1Mtcp) command. Services which are vulnerable to such attacks include FTP, telnet, and rlogin (all serviced by inetd), mail (sendmail), and HTTP (Netscape FastTrack Server).

As root, you can set the value of the parameter by entering the following command:

   inconfig tcp_q0limit value

where value is the maximum number of pending connections that you want to allow per listening TCP endpoint.

The default value of this parameter is 0, which preserves the behavior of previous releases: a full pending queue leaves no room for new connection requests, so bogus requests can quickly fill the queue and prevent valid connections from being established.

If set to a value greater than 0, tcp_q0limit determines the maximum length of the pending connection queue for a TCP endpoint. (Pending, or half-open, connections must complete the 3-way TCP handshake before they can be moved to the queue of established connections.) When the pending connection queue is full and a new connection request arrives, the kernel randomly drops an outstanding partial connection from the pending queue and adds the new connection to the queue. Because a flooder's bogus entries then share the risk of eviction with the valid ones, some valid requests still complete the handshake instead of all being turned away.

You must set the value high enough to cope with peak demand from both valid and bogus incoming connection requests, so that not too many valid pending connections are dropped before their handshake completes. You may need to set an even higher value if most of the physical links are low speed and/or high latency: the TCP handshake takes longer to complete over such links, so each valid entry occupies the pending queue for longer and is exposed to more random drops. The amount of memory required for the queue of pending connections is 800 * tcp_q0limit bytes for each listening port. For example, 20 listening ports with tcp_q0limit set to 500 would require 20 * 800 * 500 = 8,000,000 bytes, approximately 8MB.
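To make the trade-off concrete, the following is an added simulation of a listener's pending-connection queue under a SYN flood; it is not code from the release notes or from SCO. It runs the release default (tcp_q0limit = 0: a full queue refuses new SYNs) beside the new behavior (a full queue evicts a random half-open entry) and uses the 800-bytes-per-entry figure from the notes to size memory. The traffic mix, the handshake delay, and the absence of a half-open timeout are constructed assumptions of the simulation.

```python
"""Simulation of a TCP listener's pending-connection queue under a SYN flood.

Added illustration for the tcp_q0limit discussion; not code from the release
notes or from SCO.  The 800-bytes-per-entry figure comes from the notes; the
traffic mix, the handshake delay (rtt) and the lack of a half-open timeout
are constructed assumptions for the simulation.
"""
import random

BYTES_PER_PENDING_ENTRY = 800  # per-entry cost quoted in the release notes


def q0_memory_bytes(listening_ports, q0limit):
    """Memory consumed by the pending queues of all listening ports."""
    return BYTES_PER_PENDING_ENTRY * q0limit * listening_ports


class PendingQueue:
    """Half-open connections waiting for the third handshake packet.

    random_drop=False models the release default (tcp_q0limit = 0): a full
    queue leaves no room for new SYNs, so they are refused.
    random_drop=True models tcp_q0limit > 0: a full queue evicts a randomly
    chosen half-open entry to make room for the new SYN.
    """

    def __init__(self, capacity, random_drop, rng):
        self.capacity = capacity
        self.random_drop = random_drop
        self.rng = rng
        self.entries = {}        # conn_id -> True for valid, False for bogus
        self.refused_valid = 0   # valid SYNs turned away at a full queue
        self.evicted_valid = 0   # valid half-open entries randomly dropped

    def syn(self, conn_id, valid):
        """A SYN arrives; return True if it now occupies a pending slot."""
        if len(self.entries) >= self.capacity:
            if not self.random_drop:
                if valid:
                    self.refused_valid += 1
                return False
            victim = self.rng.choice(list(self.entries))
            if self.entries.pop(victim):
                self.evicted_valid += 1
        self.entries[conn_id] = valid
        return True

    def ack(self, conn_id):
        """Handshake completes; True only if the entry was still pending."""
        return self.entries.pop(conn_id, None) is not None


def simulate(capacity, random_drop, ticks=50, bogus_per_tick=50,
             valid_per_tick=2, rtt=3, seed=1):
    """Run a flood: bogus SYNs never complete the handshake, valid SYNs
    send their ACK rtt ticks later.  Returns (established, attempted)
    counts for the valid clients."""
    q = PendingQueue(capacity, random_drop, random.Random(seed))
    acks_due = {}      # tick -> conn_ids whose ACK arrives at that tick
    established = attempted = next_id = 0
    for t in range(ticks):
        for cid in acks_due.pop(t, []):
            if q.ack(cid):
                established += 1
        for _ in range(bogus_per_tick):
            q.syn(next_id, valid=False)
            next_id += 1
        for _ in range(valid_per_tick):
            attempted += 1
            if q.syn(next_id, valid=True):
                acks_due.setdefault(t + rtt, []).append(next_id)
            next_id += 1
    return established, attempted


if __name__ == "__main__":
    for capacity in (100, 500):
        for random_drop in (False, True):
            est, att = simulate(capacity, random_drop)
            print(f"queue {capacity:3d} random_drop={random_drop!s:5} "
                  f"valid established {est:3d}/{att}")
    print("memory for 20 ports at tcp_q0limit=500:",
          q0_memory_bytes(20, 500), "bytes")
```

With the default policy the queue fills within the first two ticks and only the valid requests that arrived before that ever complete; with random drop a share of valid requests survives until their ACK, and raising the queue size (the tcp_q0limit value) raises that share because each arrival has a smaller chance of evicting any given entry. The model also shows why slow links matter: a larger rtt means more arrivals between a valid SYN and its ACK, and therefore more chances to be dropped.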


Strong Encryption Supplement
A Strong Encryption Supplement is included on the UnixWare 7 CD-ROM. It enables 128-bit encryption in the Netscape products.

Both weak encryption (40-bit) and strong encryption binaries for the Netscape products (FastTrack, NavGold) are packaged as part of UnixWare. By default, the 40-bit binaries are in place. Installing and licensing the Strong Encryption Supplement causes the 128-bit binaries to be moved into place. Any Netscape products subsequently loaded onto the system will also get the strong encryption binaries.

The Strong Encryption Supplement is separate from the encryption included in the base UnixWare 7, in that it currently applies to the Netscape products only (and the Internet Security package on SCO OpenServer).


Domestic encryption disabled
Domestic encryption is disabled when update710 is installed. If the crypt(1) version of libnsl or the ``crypt'' package is already installed, the following warning is given:
   Overriding the installed domestic libnsl
You should update your system with a new version of the ``crypt'' package, obtained by ordering the UnixWare Base Encryption Utilities. This package is available to North American customers only.

The ``crypt'' package contains a domestic libnsl that is UNIX95 conformant.

If you do not update the ``crypt'' package, the Secure RPC functionality in libnsl remains disabled.


Obtaining up-to-date information about security
You can access the SCO Secure Technologies Group web site at the URL http://www.sco.com/security to find out more about security in SCO products. The site also reports the latest security vulnerabilities and the fixes that are available for them. In addition, you can download various security tools and libraries from it on an unsupported basis.

© 2001 The Santa Cruz Operation, Inc. All rights reserved.