Bugtraq mailing list archives
SGI Security Advisory 19960203
From: agent99 () boytoy csd sgi com (SGI Security Coordinator)
Date: Tue, 27 Feb 1996 17:19:38 -0800
FOR PUBLIC RELEASE
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
Silicon Graphics Inc. Security Advisory
Title: Sendmail update for CERT Advisory CA-96.04
Title: Corrupt Information from Network Servers
Number: 19960203-01-P1146
Date: February 27, 1996
______________________________________________________________________________
Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use. Silicon
Graphics recommends that this information be acted upon as soon as possible.
Silicon Graphics will not be liable for any indirect, special, or
consequential damages arising from the use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________
As a followup to the CERT Advisory CA-96.04 ("Corrupt Information from
Network Servers"), SGI recommends the following steps for neutralizing the
possible means of exploit. It is HIGHLY RECOMMENDED that these measures
be done on ALL SGI systems running IRIX 3.x, 4.x, 5.x and 6.x. The issue
will be permanently corrected in a future release of IRIX.
- --------------
- --- Impact ---
- --------------
Dependant on system configuration, network topology and other factors,
exploitation of this vulnerability could possibly allow remote access
by unauthorized users. This could possibly lead to elevated privilege
access including root by both local and remote users.
- ----------------
- --- Solution ---
- ----------------
**** IRIX 3.x ****
Silicon Graphics Inc, no longer supports the IRIX 3.x operating system
and therefore has no patches or binaries to provide.
However, two possible actions still remain: 1) upgrade the system to a
supported version of IRIX (see below) and then install the patch or
2) obtain the sendmail source code from anonymous FTP at
ftp.cs.berkeley.edu and compile the program manually. Please, note
that SGI will not assist with or support 3rd party sendmail programs.
**** IRIX 4.x ****
As of the date of this document, SGI does not have a IRIX 4.x binary
replacement that addresses this particular issue. If in the future,
a replacement binary is generated, additional advisory information will
be provided.
However, two other possible actions are: 1) upgrade the system to a
supported version of IRIX (see below) and then install the patch or
2) obtain the sendmail source code from anonymous FTP at
ftp.cs.berkeley.edu and compile the program manually. Please, note
that SGI will not assist with or support 3rd party sendmail programs.
**** IRIX 5.0.x, 5.1.x ****
For the IRIX operating systems versions 5.0.x and 5.1.x, an upgrade
to 5.2 or better is required first. When the upgrade is completed,
then the patches described in the following sections can be applied
depending on the final version of the upgrade.
**** IRIX 5.2, 5.3, 6.0, 6.0.1, 6.1 ****
For the IRIX operating system versions 5.2, 5.3, 6.0, 6.0.1, and 6.1
an inst-able patch has been generated and made available via anonymous
FTP and your service/support provider. The patch is number 1146
and will install on IRIX 5.2, 5.3, 6.0 and 6.0.1.
The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com. Patch 1146 can be found in the following
directories on the FTP server:
~ftp/Security
or
~ftp/Patches/5.2
~ftp/Patches/5.3
~ftp/Patches/6.0
~ftp/Patches/6.0.1
~ftp/Patches/6.1
##### Checksums ####
The actual patch will be a tar file containing the following files:
Filename: patchSG0001146
Algorithm #1 (sum -r): 15709 3 patchSG0001146
Algorithm #2 (sum): 16842 3 patchSG0001146
MD5 checksum: 055B660E1D5C1E38BC3128ADE7FC9A95
Filename: patchSG0001146.eoe1_man
Algorithm #1 (sum -r): 26276 76 patchSG0001146.eoe1_man
Algorithm #2 (sum): 1567 76 patchSG0001146.eoe1_man
MD5 checksum: 883BC696F0A57B47F1CBAFA74BF53E81
Filename: patchSG0001146.eoe1_sw
Algorithm #1 (sum -r): 61872 382 patchSG0001146.eoe1_sw
Algorithm #2 (sum): 42032 382 patchSG0001146.eoe1_sw
MD5 checksum: 412AB1A279A030192EA2A082CBA0D6E7
Filename: patchSG0001146.idb
Algorithm #1 (sum -r): 39588 4 patchSG0001146.idb
Algorithm #2 (sum): 10621 4 patchSG0001146.idb
MD5 checksum: 259DD47E4574DAF9041675D64C39102E
- -----------------------
- --- Acknowledgments ---
- -----------------------
Silicon Graphics wishes to thank the CERT Coordination Center, Eric
Allman of Pangaea Reference Systems, Eric Halil of AUSCERT, Wolfgang
Ley of DFN-CERT, Andrew Gross of San Diego Supercomputer Center,
and Paul Vixie for their assistance in this issue.
- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------
Past SGI Advisories and security patches can be obtained via
anonymous FTP from sgigate.sgi.com or its mirror, ftp.sgi.com.
These security patches and advisories are provided freely to
all interested parties. For issues with the patches on the
FTP sites, email can be sent to cse-security-alert () csd sgi com.
For assistance obtaining or working with security patches, please
contact your SGI support provider.
If there are questions about this document, email can be sent to
cse-security-alert () csd sgi com.
For reporting *NEW* SGI security issues, email can be sent to
security-alert () sgi com or contact your SGI support provider. A
support contract is not required for submitting a security report.
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQCVAwUBMTOnkrQ4cFApAP75AQG2pAP/bNFKSW4Xb09lZ33JoI/+hbw/Mfut2itK
h/orPCndZP11feMLANELrRQAOYepZ2HOWXuAJbSsfMjf6cUjPV3KX4JzuXRtRy0k
lQUV0w5MbGcQqby39dI6wmV7HBHr0irBodBaKz/GE/4wINPwGP507WZwo33njIOM
opjKjz9zzyA=
=Whtr
-----END PGP SIGNATURE-----
Current thread:
- SGI Security Advisory 19960203 SGI Security Coordinator (Feb 27)