Bugtraq mailing list archives

Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client


From: troy () AUSTIN IBM COM (Troy A. Bollinger)
Date: Thu, 6 Nov 1997 12:19:28 -0600


-----BEGIN PGP SIGNED MESSAGE-----

Lutz Donnerhacke wrote:
> * af () C4C COM wrote:
> > I also wonder about IBM's answer:
> > SOLUTION:         Remove the setuid bit from the "ftp" command.
> >
> > On our 4.2.1, ftp will not run if it is not suid.
> > Didn't somebody test this?
>
> Yep. ftp does not need suid:
>
>    The AIX ftp client MUST BE SETUID to work for non-root users.
>
> DFN-CERT corrected the solution of IBM. It was a false statement according to
> them.


DFN-CERT is correct.  The solution listed in the advisory header should
have said to apply the fixes listed in the advisory.  The setuid fiasco
was a mistake on my part.

The correct fix for the AIX ftp client bug is to apply the following
fixes:

   AIX 3.2: upgrade to v4
   AIX 4.1: IX70885
   AIX 4.2: IX70886
   AIX 4.3: fix already contained in the release

These fixes are available and may be obtained using FixDist or from the
IBM Support Center.  For more information on FixDist, reference URL:

   http://service.software.ibm.com/aixsupport/

Questions relating to AIX security advisories can be emailed to
security-alert () austin ibm com.  New AIX vulnerabilities can be PGP
encrypted using the AIX Security public key available by sending email
to security-alert () austin ibm com with a subject of "get key".


- --
Troy Bollinger                            troy () austin ibm com
AIX Security Development        security-alert () austin ibm com
PGP keyid: 1024/0xB7783129 Troy's opinions are not IBM policy

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQCVAwUBNGIJtcjqvEm3eDEpAQF+PQP+LtKAfV94QozA+ZlIUJDFhC7M5qZjKMgJ
lsFHt0lEBA74umHI5/B3FkSsrPewrYQx7FEdmVI493BrDwHZOCr3xEJNlEjcsGOf
DRzlvDYtwMGN9GQn2XSEeO8C5/w2MgARtqyiLWh25vaQUVVIH2xe9t/XQ3qCzEmU
fLHkUCCz41c=
=UFWn
-----END PGP SIGNATURE-----
