SCO, the makers of OpenServer, have released information regarding patches for OpenServer and UnixWare, and the status of other security holes for which patches have not yet been released.
Here is SCO OpenServer's status regarding the recent (and some not so recent) vulnerabilities in UnixWare:
UnixWare pkg* command exploits:
"OpenServer is not vulnerable in exactly the same way via dacread privilege but vulnerabilities exist through buffer overflows - we're working on fixing them."
(See: UnixWare pkg* command exploits, UnixWare pkg vulnerability)
UnixWare core-dumps following symlinks:
"OpenServer does not have same exact vulnerability wrt s[ug]id programs allowed to dump core but there are vulnerabilities with programs that were s[ug]id and have relaxed it and general issues of core dumping on symlinked names - SCO is working on fixing both issues."
(See: UnixWare core dumps follow symlinks)
UnixWare read/modify users' mail (/var/spool/mail):
"This is also not applicable on OpenServer. OpenServer's equivalent is /usr/spool/mail which has 1777 perms (world-writable, but sticky so only owner can delete files). The local delivery agent will not deliver to a file not owned by the recipient; will not follow symlinks or write to a file with multiple names (hard links); and is designed to avoid race conditions."
(See: UnixWare allows reading/modifying of users' email)
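The delivery checks described in the statement above (recipient ownership, no symlinks, no extra hard links, no check-then-open race), sketched in C as an added example. This is not SCO's code and not part of the original advisory; the function name open_mailbox and its interface are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* open_mailbox() is a hypothetical helper, not SCO code.
 * Opens an existing mailbox for append on behalf of `recipient`.
 * Returns a descriptor, or -1 with errno set. */
int open_mailbox(const char *path, uid_t recipient)
{
    struct stat st;

    /* O_NOFOLLOW: fail with ELOOP if the last component is a symlink.
     * O_NONBLOCK: do not hang if someone planted a FIFO.
     * No O_CREAT: creation in a 1777 directory is a separate step
     * that would need O_CREAT | O_EXCL. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;

    /* fstat() the descriptor, not the path, so the checks apply to
     * the object actually opened and a rename cannot swap it. */
    if (fstat(fd, &st) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode) ||      /* regular files only */
        st.st_uid != recipient ||    /* owned by the recipient */
        st.st_nlink != 1) {          /* no second name (hard link) */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s MAILBOX\n", argv[0]); return 2; }
    int fd = open_mailbox(argv[1], getuid());
    if (fd < 0) { perror(argv[1]); return 1; }
    puts("mailbox passes the delivery checks");
    close(fd);
    return 0;
}
```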
UnixWare and the dacread permission:
"OpenServer has a different security model to UW7 so this is not applicable."
SCO are working on the first two vulnerabilities and will have fixes available by December 31st.
In addition to the first two vulnerabilities, SCO are also putting the finishing touches on another large collection of previously reported OpenServer vulnerabilities (and vulnerabilities SCO discovered by themselves), which will be available by December 25th.
The current contents include (but will not be limited to):