T.R | Title | User | Personal Name | Date | Lines
8745.1 | | BSS::BOREN | | Wed Feb 12 1997 19:14 | 50 |
Subj: ** UPDATE: ** rlogin security information (patches) as of 8.feb.1997
*** DIGITAL INTERNAL USE ONLY ***
DATE: 08.FEB.1997
Title/Problem Summary: ** UPDATE: ** DIGITAL UNIX and ULTRIX (rlogin)
******************************************************************************
* This message supersedes the previous message dated 04.FEB.1997 to properly *
* identify the status of solutions to rlogin (case SSRT0416U) identified in *
* the CERT(sm) advisory CA-97.06 dated 06.FEB.1997. *
******************************************************************************
The previous message also included what was believed to be an accumulative
fix for rlogin addressing cases SSRT0416U and SSRT0430U; it turns out the
SSRT0430U case solution is not yet available. The problem identified in case
SSRT0430U is not related to the problem defined in the current CERT rlogin
advisory. This problem and the availability of patches will be covered in a
separate communication.
I apologize for any problems caused by the previous mail; at the time it
was believed to be correct.
*** DIGITAL INTERNAL USE ONLY ***
===============================================================================
0416 U UEG rlogin - Status as of 08.FEB.1997
===============================================================================
DIGITAL UNIX Patch Status:
V4.0 - OSF400-074 - Patch currently available, V4.0 patch kit
V4.0A - OSF405-400074 - Patch currently available, V4.0A patch kit
V4.0B - Patch not required - Fix is in the V4.0B release.
V3.2C - OSF350-275 - Patch currently available, V3.2C patch kit
V3.2D-1 / V3.2E-1 - OSF360-350275 - Patch currently available, V3.2DE-1 patch kit
V3.2D-2 / V3.2E-2 - OSF365-350275 - Patch currently available, V3.2DE-2 patch kit
V3.2F - - PATCH NOT YET AVAILABLE
V3.2G - - PATCH NOT YET AVAILABLE
Patch Status: ULTRIX V4.4 & V4.5 (VAX & MIPS) patches are in progress
but not yet available; they are expected very soon.
An update will be sent with pointers as they become available.
===============================================================================
*** DIGITAL INTERNAL USE ONLY ***
8745.2 | | BSS::BOREN | | Tue Mar 04 1997 18:14 | 45 |
RE: 8745.* & SSRT0430U rlogin problem
RLOGIN and Security issue CASE ID SSRT0430U TERMINATED
Subj: *UA* Info - UPDATE - RLOGIN CASE ID SSRT0430U
The information in the attached mail concerning CASE ID SSRT0430U for rlogin
has been terminated. It was discovered that this particular problem must be
fixed with a change in the documentation and man pages for RLOGIN.
Engineering has this action and will complete the doc changes according to
established procedures.
--o--
RE: Attached.
DATE: 04.FEB.1997
Title/Problem Summary: Security for DIGITAL UNIX and ULTRIX (rlogin)
*** DIGITAL INTERNAL USE ONLY ***
PROBLEM: Recently Reported Potential Security Vulnerabilities
For Digital UNIX and ULTRIX Operating Systems.
RESOLUTION/WORKAROUND:
This is an advance informational message of pending advisories
for reported "potential" security vulnerabilities to DIGITAL UNIX and
ULTRIX rlogin.
<snip>
.
.
.
===============================================================================
0430 U UEG rlogin - 25-Oct-1996
===============================================================================
Patch Status: 21-Jan-1997
Other:
-----
V3.2c   - OSF-310
V3.2de1 - OSF360-350310
V3.2de2 - OSF360-350310
V3.2f   - OSF370-350310
V3.2g   - OSF375-350310
V4.0    - OSF400-134
V4.0a   - OSF405-400134
V4.0b   - OSF410-400134
*** DIGITAL INTERNAL USE ONLY ***
8745.3 | the man page change is in hosts.equiv(4) | SMURF::MENNER | it's just a box of Pax.. | Tue Mar 04 1997 23:33 | 1 |
8745.4 | clarification please | KAOFS::G_STOFKO | | Wed Mar 05 1997 14:02 | 12 |
So, what do I tell my V3.2G customer who has been waiting for this?
.1 says V3.2G - PATCH NOT YET AVAILABLE
.2 says V3.2g - OSF375-350310 (where is this??)
and that this problem is corrected by a man page change?
Meanwhile, the V3.2G patch directory on guru/oskits has not been updated
for 5 months.
Could we please get a clarification?
Thanks
George CSC/Canada
8745.5 | | BSS::BOREN | | Wed Mar 05 1997 21:11 | 11 |
re: .4 good question - we've been waiting as well. The only option we
have is sending requests to reng :^) asking for when............
The patch ID for v3.2g is what should be valid searching for this patch
after it gets built/updated. It's not there yet, nor v3.2f, but the
rest are available from the various patch files.
Hopefully the 3.2f&g kits will be out soon.
rich
8745.6 | a clarification (hopefully) | SMURF::MENNER | it's just a box of Pax.. | Thu Mar 06 1997 00:38 | 18 |
The reported problem was that a username in the hosts.equiv file
allowed that user access to any local user without being prompted
for a passwd. This is known/correct behaviour. By including
a username in the hosts.equiv file you are effectively saying this
is a trusted user.
e.g.,
    host1 user1
Allows user1 from host1 access to any user (aside from root) on the system
where the hosts.equiv file resides. I believe this was originally done for
tasks like remote backup. The point is only root can modify
/etc/hosts.equiv. If you don't want this behaviour don't include a
username in hosts.equiv. Removing this feature has the distinct
possibility of breaking scripts which *purposefully* take advantage
of this feature. Other UNIXes also support this (e.g. Solaris, Ultrix).
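The note above explains why a `host user` entry in /etc/hosts.equiv matters: that user, from that host, reaches every local non-root account with no password prompt. The following audit script, added here as an illustration and not code from DIGITAL UNIX, ULTRIX or any rlogin source, parses a hosts.equiv file and classifies each active entry by how much trust it grants. It assumes the classic BSD format (one `hostname [username]` entry per line, `#` comments stripped by this parser, a leading `-` meaning deny) and, going beyond the note's `host1 user1` example, also flags the `+` wildcard, which trusts every host and/or every remote user. The sample file contents are constructed for the example.

```python
"""Classify /etc/hosts.equiv entries by the trust they grant.

Added example, not code from the DIGITAL UNIX or ULTRIX rlogin sources.
Assumed file format: `hostname [username]` per line, `#` starts a comment,
a leading `-` on a field denies, and `+` is the any-host / any-user wildcard.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    line_no: int
    host: str
    user: Optional[str]
    risk: str      # "wildcard", "user-trust" or "host-trust"
    detail: str


def parse_hosts_equiv(text: str) -> List[Tuple[int, str, Optional[str]]]:
    """Return (line_no, host_field, user_field_or_None) for each active entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments (assumed syntax)
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        entries.append((line_no, host, user))
    return entries


def audit_hosts_equiv(text: str) -> List[Finding]:
    """Flag entries that widen trust; deny entries ('-' prefix) are skipped."""
    findings = []
    for line_no, host, user in parse_hosts_equiv(text):
        if host.startswith("-"):
            continue                          # an explicit deny widens nothing
        if host == "+" or user == "+":
            findings.append(Finding(line_no, host, user, "wildcard",
                "'+' trusts every host and/or every remote user"))
        elif user is not None and not user.startswith("-"):
            # The case the note describes: host+user entry, any non-root account.
            findings.append(Finding(line_no, host, user, "user-trust",
                f"{user}@{host} can rlogin as any local non-root account "
                f"without a password"))
        else:
            findings.append(Finding(line_no, host, user, "host-trust",
                f"users on {host} can log in to same-named local accounts "
                f"without a password"))
    return findings


# Constructed sample, not taken from any real system.
SAMPLE_HOSTS_EQUIV = """\
# remote backup host, trusted user as in the note's 'host1 user1' example
backuphost.example.com  backup
trusted1.example.com
-badhost.example.com
+ +
"""

if __name__ == "__main__":
    for f in audit_hosts_equiv(SAMPLE_HOSTS_EQUIV):
        print(f"line {f.line_no}: [{f.risk}] {f.detail}")
```

Run against a copy of the file to see which entries are the deliberate remote-backup style trusts the note mentions and which are broader than intended; a `wildcard` finding is the one to act on first.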
8745.7 | RE: 8745.6 speaks to SSRT0430U ONLY | BSS::BOREN | | Thu Mar 06 1997 08:37 | 13 |
RE: Note 8745.6 by SMURF::MENNER -< a clarification (hopefully) >
Note the previous explanation is for CASE ID SSRT0430U, for which remedials
have been terminated.
It is not related to case SSRT0416U, which requires remedial patches be
delivered to customers, and has patches available for the affected
versions, except V3.2g & v3.2f.
rich
8745.8 | Thanks, I guess we'll keep waiting. | KAOFS::G_STOFKO | | Thu Mar 06 1997 09:51 | 1 |
8745.9 | Not in the public FTP area? | NETRIX::"[email protected]" | John McNulty | Mon Mar 10 1997 10:15 | 18 |
I note that none of the patches that are available are in the
public security FTP area:
ftp://ftp.service.digital.com/pub/osf
This is becoming a major embarrassment for us. Customers are
questioning the value of searching this FTP site at all, as
some patches are there, others they've heard about are not,
and it's increasingly difficult to browse because there are
no README style overviews for the directory contents.
I appreciate you guys are busy, but please can you either
keep this information source up to date, or remove it. Half
correct/current information is worse than none at all.
John
[Posted by WWW Notes gateway]
8745.10 | OSF375-350310 not in new patch kit | KAOFS::G_STOFKO | | Mon Mar 24 1997 13:37 | 5 |
Now that the V3.2G dupatch kit is out (DUV32GAS00001-19970314.tar)
I still don't see the security patch quoted in .0 (OSF375-350310)
Does anyone know if this exists ?
George CSC/Canada
8745.11 | Try patch #124 | SMURF::FENSTER | Yaacov Fenster - System Engineering, Troubleshooting and other m | Mon Mar 24 1997 19:25 | 1 |
Try patch #124 in the patch kit. It seems to be replacing rlogin.
8745.12 | | KAOFS::G_STOFKO | | Tue Mar 25 1997 09:32 | 2 |
Thanks.
I guess they must have changed the patch number.