Bugtraq mailing list archives
SGI Security Advisory 19960203
From: agent99 () boytoy csd sgi com (SGI Security Coordinator)
Date: Tue, 27 Feb 1996 17:19:38 -0800
FOR PUBLIC RELEASE -----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ Silicon Graphics Inc. Security Advisory Title: Sendmail update for CERT Advisory CA-96.04 Title: Corrupt Information from Network Servers Number: 19960203-01-P1146 Date: February 27, 1996 ______________________________________________________________________________ Silicon Graphics provides this information freely to the SGI user community for its consideration, interpretation, implementation and use. Silicon Graphics recommends that this information be acted upon as soon as possible. Silicon Graphics will not be liable for any indirect, special, or consequential damages arising from the use of, failure to use or improper use of any of the instructions or information in this Security Advisory. ______________________________________________________________________________ As a followup to the CERT Advisory CA-96.04 ("Corrupt Information from Network Servers"), SGI recommends the following steps for neutralizing the possible means of exploit. It is HIGHLY RECOMMENDED that these measures be done on ALL SGI systems running IRIX 3.x, 4.x, 5.x and 6.x. The issue will be permanently corrected in a future release of IRIX. - -------------- - --- Impact --- - -------------- Dependant on system configuration, network topology and other factors, exploitation of this vulnerability could possibly allow remote access by unauthorized users. This could possibly lead to elevated privilege access including root by both local and remote users. - ---------------- - --- Solution --- - ---------------- **** IRIX 3.x **** Silicon Graphics Inc, no longer supports the IRIX 3.x operating system and therefore has no patches or binaries to provide. However, two possible actions still remain: 1) upgrade the system to a supported version of IRIX (see below) and then install the patch or 2) obtain the sendmail source code from anonymous FTP at ftp.cs.berkeley.edu and compile the program manually. Please, note that SGI will not assist with or support 3rd party sendmail programs. **** IRIX 4.x **** As of the date of this document, SGI does not have a IRIX 4.x binary replacement that addresses this particular issue. If in the future, a replacement binary is generated, additional advisory information will be provided. However, two other possible actions are: 1) upgrade the system to a supported version of IRIX (see below) and then install the patch or 2) obtain the sendmail source code from anonymous FTP at ftp.cs.berkeley.edu and compile the program manually. Please, note that SGI will not assist with or support 3rd party sendmail programs. **** IRIX 5.0.x, 5.1.x **** For the IRIX operating systems versions 5.0.x and 5.1.x, an upgrade to 5.2 or better is required first. When the upgrade is completed, then the patches described in the following sections can be applied depending on the final version of the upgrade. **** IRIX 5.2, 5.3, 6.0, 6.0.1, 6.1 **** For the IRIX operating system versions 5.2, 5.3, 6.0, 6.0.1, and 6.1 an inst-able patch has been generated and made available via anonymous FTP and your service/support provider. The patch is number 1146 and will install on IRIX 5.2, 5.3, 6.0 and 6.0.1. The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its mirror, ftp.sgi.com. Patch 1146 can be found in the following directories on the FTP server: ~ftp/Security or ~ftp/Patches/5.2 ~ftp/Patches/5.3 ~ftp/Patches/6.0 ~ftp/Patches/6.0.1 ~ftp/Patches/6.1 ##### Checksums #### The actual patch will be a tar file containing the following files: Filename: patchSG0001146 Algorithm #1 (sum -r): 15709 3 patchSG0001146 Algorithm #2 (sum): 16842 3 patchSG0001146 MD5 checksum: 055B660E1D5C1E38BC3128ADE7FC9A95 Filename: patchSG0001146.eoe1_man Algorithm #1 (sum -r): 26276 76 patchSG0001146.eoe1_man Algorithm #2 (sum): 1567 76 patchSG0001146.eoe1_man MD5 checksum: 883BC696F0A57B47F1CBAFA74BF53E81 Filename: patchSG0001146.eoe1_sw Algorithm #1 (sum -r): 61872 382 patchSG0001146.eoe1_sw Algorithm #2 (sum): 42032 382 patchSG0001146.eoe1_sw MD5 checksum: 412AB1A279A030192EA2A082CBA0D6E7 Filename: patchSG0001146.idb Algorithm #1 (sum -r): 39588 4 patchSG0001146.idb Algorithm #2 (sum): 10621 4 patchSG0001146.idb MD5 checksum: 259DD47E4574DAF9041675D64C39102E - ----------------------- - --- Acknowledgments --- - ----------------------- Silicon Graphics wishes to thank the CERT Coordination Center, Eric Allman of Pangaea Reference Systems, Eric Halil of AUSCERT, Wolfgang Ley of DFN-CERT, Andrew Gross of San Diego Supercomputer Center, and Paul Vixie for their assistance in this issue. - ----------------------------------------- - --- SGI Security Information/Contacts --- - ----------------------------------------- Past SGI Advisories and security patches can be obtained via anonymous FTP from sgigate.sgi.com or its mirror, ftp.sgi.com. These security patches and advisories are provided freely to all interested parties. For issues with the patches on the FTP sites, email can be sent to cse-security-alert () csd sgi com. For assistance obtaining or working with security patches, please contact your SGI support provider. If there are questions about this document, email can be sent to cse-security-alert () csd sgi com. For reporting *NEW* SGI security issues, email can be sent to security-alert () sgi com or contact your SGI support provider. A support contract is not required for submitting a security report. -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMTOnkrQ4cFApAP75AQG2pAP/bNFKSW4Xb09lZ33JoI/+hbw/Mfut2itK h/orPCndZP11feMLANELrRQAOYepZ2HOWXuAJbSsfMjf6cUjPV3KX4JzuXRtRy0k lQUV0w5MbGcQqby39dI6wmV7HBHr0irBodBaKz/GE/4wINPwGP507WZwo33njIOM opjKjz9zzyA= =Whtr -----END PGP SIGNATURE-----
Current thread:
- SGI Security Advisory 19960203 SGI Security Coordinator (Feb 27)