Bugtraq mailing list archives
Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client
From: troy () AUSTIN IBM COM (Troy A. Bollinger)
Date: Thu, 6 Nov 1997 12:19:28 -0600
-----BEGIN PGP SIGNED MESSAGE-----

Lutz Donnerhacke wrote:
> * af () C4C COM wrote:
> > I also wonder about IBM's answer: SOLUTION: Remove the setuid bit
> > from the "ftp" command. On our 4.2.1, ftp will not run if it is not
> > suid. Didn't somebody test this?
> Yep. ftp does not need suid:

The AIX ftp client MUST BE SETUID to work for non-root users.

> DFN-CERT corrected the solution of IBM. It was a false statement
> according to them.

DFN-CERT is correct. The solution listed in the advisory header should
have said to apply the fixes listed in the advisory. The setuid fiasco
was a mistake on my part. The correct fix for the AIX ftp client bug is
to apply the following fixes:

    AIX 3.2: upgrade to v4
    AIX 4.1: IX70885
    AIX 4.2: IX70886
    AIX 4.3: fix already contained in the release

These fixes are available and may be obtained using FixDist or from the
IBM Support Center. For more information on FixDist, reference URL:

    http://service.software.ibm.com/aixsupport/

Questions relating to AIX security advisories can be emailed to
security-alert () austin ibm com. New AIX vulnerabilities can be PGP
encrypted using the AIX Security public key available by sending email
to security-alert () austin ibm com with a subject of "get key".

- --
Troy Bollinger                          troy () austin ibm com
AIX Security Development                security-alert () austin ibm com
PGP keyid: 1024/0xB7783129
Troy's opinions are not IBM policy

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQCVAwUBNGIJtcjqvEm3eDEpAQF+PQP+LtKAfV94QozA+ZlIUJDFhC7M5qZjKMgJ
lsFHt0lEBA74umHI5/B3FkSsrPewrYQx7FEdmVI493BrDwHZOCr3xEJNlEjcsGOf
DRzlvDYtwMGN9GQn2XSEeO8C5/w2MgARtqyiLWh25vaQUVVIH2xe9t/XQ3qCzEmU
fLHkUCCz41c=
=UFWn
-----END PGP SIGNATURE-----
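An added example, not part of Troy's message or of IBM's advisory: a small POSIX shell audit of the two things the corrected advice turns on. The ftp client must keep its setuid bit (removing it, as the original advisory text suggested, breaks ftp for non-root users), so the real question is whether the release's APAR is installed. The release-to-fix table is taken from the message above; the function names, the default /usr/bin/ftp path, the use of oslevel for the release string and the temporary demo file are assumptions. instfix -ik is the AIX command for querying an installed APAR; it is only invoked when present, so on another system the APAR check is reported as skipped rather than faked.

```shell
#!/bin/sh
# Added example (not from the thread or from IBM): audit the AIX ftp
# client per the corrected advice. The binary must keep its setuid bit
# for non-root users, so the real question is whether the release's
# APAR is installed. Function names, the default path, the oslevel
# fallback and the demo file are assumptions; the fix table is from
# Troy's message.

# Return 0 if the file carries the set-user-ID bit (POSIX test -u).
is_setuid() {
    [ -u "$1" ]
}

# Print the fix the message lists for an AIX release string such as
# "4.2.1". Returns 1 for a release the message does not cover.
apar_for_release() {
    case "$1" in
        3.2*) echo "upgrade to v4" ;;
        4.1*) echo "IX70885" ;;
        4.2*) echo "IX70886" ;;
        4.3*) echo "included" ;;
        *)    echo "unknown"; return 1 ;;
    esac
}

# Ask instfix whether an APAR is installed (AIX only). Returns 0 when
# installed, 1 when missing, 2 when instfix is not available here.
apar_installed() {
    command -v instfix >/dev/null 2>&1 || return 2
    instfix -ik "$1" >/dev/null 2>&1
}

# Audit one ftp binary for one release: prints a one-line verdict and
# returns 0 only when the binary is setuid and the fix is confirmed.
# Usage: audit_ftp [/path/to/ftp] [release]
audit_ftp() {
    bin="${1:-/usr/bin/ftp}"
    rel="${2:-$(oslevel 2>/dev/null)}"
    if ! is_setuid "$bin"; then
        echo "BROKEN: $bin is not setuid; non-root users cannot run it"
        return 1
    fi
    fix=$(apar_for_release "$rel") || { echo "UNKNOWN: release '$rel'"; return 1; }
    case "$fix" in
        IX*)
            if apar_installed "$fix"; then rc=0; else rc=$?; fi
            case $rc in
                0) echo "OK: $fix installed, $bin setuid" ;;
                1) echo "VULNERABLE: $fix not installed"; return 1 ;;
                *) echo "SKIPPED: cannot query $fix on this host"; return 1 ;;
            esac ;;
        included) echo "OK: fix shipped with $rel, $bin setuid" ;;
        *) echo "ACTION: $rel needs '$fix'"; return 1 ;;
    esac
}
```

Run as audit_ftp with no arguments on the AIX host itself; the BROKEN verdict is the one that catches a box where the original, mistaken workaround (stripping the setuid bit) was applied instead of the APAR.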