Bugtraq mailing list archives

FW: Security Notice: Big Brother System and Network Monitor


From: stace.cunningham () KEESLER AF MIL (Cunningham Stace D MSgt 2 AF/XTI)
Date: Thu, 18 May 2000 15:13:33 -0500


-----Original Message-----
From: Robert-Andre Croteau [mailto:robert () www bb4 com]
Sent: Thursday, May 18, 2000 2:53 PM
To: stace.cunningham () keesler af mil
Subject: Security Notice: Big Brother System and Network Monitor

                 ===========================
                 Big Brother Security Notice
                 ===========================

Versions: All prior to 1.4g

Module:   bbd.c  (the bb server: BBDISPLAY/BBPAGER)

Affects:  All BBDISPLAY/BBPAGER machines (running bbd)

Summary:  Vulnerabilities exist such that
          arbitrary commands can be executed with the same
          userid/permissions as the user running bbd.

Fix:      Download and install version 1.4g from http://bb4.com

          or

          If you have a fairly recent version of BB (1.3a+) you may
          be able to download version 1.4g from http://bb4.com and replace
          your current bbd.c/bb.h with the ones from the 1.4g archive.
          Recompile bbd (make) and reinstall (make install). YMMV!

Note:     BB should not be run as root!

          Particularly vulnerable are the servers that are not
          protected by firewalls (nothing new!), that do not
          use the etc/security file and use the enable/disable
          feature (optional and user compiled-in).

          This is a different notice than the one sent out
          on May 4th 2000.

          If you wish to be removed from this list please send mail
          to robert () bb4 com.  Some of you may receive multiple
          due to the fact that you downloaded BB multiple times
          and entered a different e-mail address each time.  Let
          me know which address is valid and which are not.

Found by: Bryan Deeney <bdeeney () astro ocis temple edu>, Thanks!

---
Robert-Andre Croteau
BB4 Technologies Inc.
robert () bb4 com


