Bugtraq mailing list archives

Re: Security_APARs (fwd)


From: Valdis.Kletnieks () vt edu
Date: Tue, 26 Jun 2001 23:09:48 -0400

On Tue, 26 Jun 2001 11:44:45 CDT, uid0 () catastrophe net said:
> This is from IBM. I don't know why they do not post to BUGTRAQ directly.

I don't speak for IBM, but I think I know why...

>   AIX 4.3:   IY19897  (updated 6/2001)

This is the 'packaging APAR' that rolls all these fixes up so you can
do a one-stop order.  They cut a new roll-up every 4-5 months.

Due to the way IBM packages things, it includes *EVERY* security fix
that IBM has put into an APAR since AIX 4.3.0 was released.

I just checked the machine in my office - I installed AIX 4.3.0
on November 14, 1997.  That's why there's such a long list - it
goes back that far.

> IX72045  CDE LOGIN GIVES INVALID USER NAME MESSAGE BEFORE PW ENTERED

This is a fix for a bug originally reported against AIX 4.2.1.  It's *so*
old that I can't even get accurate date info on when it was released.
Looks around late 97.

I don't think anybody really wants to see *all* 133 bugfixes every
time.  Over and over.  For 4-year-old fixes.  I do AIX for a living,
and even *I* yawn at this posting and diff it against the previous
one for any *NEW* ones.

IBM *DOES* post their ERS alerts to Bugtraq (such as the 'diagrpt'
one the other day).  In addition, they have a summary posting that
you can subscribe to that lists the last 7-8 alerts.  Those include
impact, workaround, and fix info - much more helpful.

Diff against the January posting:

*** 17,23 ****
  To facilitate ease of ordering all security related APARs for each
  release can be ordered using the following packaging APARs.
  
!   AIX 4.3:   IY15473  (updated 1/2001)
  
  APARs can be ordered using FixDist.  For additional information on FixDist
  send e-mail with a subject of "FixDist" to aixserv () austin ibm com, or
--- 17,23 ----
  To facilitate ease of ordering all security related APARs for each
  release can be ordered using the following packaging APARs.
  
!   AIX 4.3:   IY19897  (updated 6/2001)
  
  APARs can be ordered using FixDist.  For additional information on FixDist
  send e-mail with a subject of "FixDist" to aixserv () austin ibm com, or
***************
*** 94,100 ****
  IX81507  SECURITY: MORE VULNERABILITIES IN PCNFSD
  IX81999  POST COMMAND SHOULD NOT BE SUID
  IX82002  FORCE REXECD USER PRIVILEDGES
- IX83542  AIX 4.3.3.0 MAINTENANCE LEVEL
  IX83752  SECURITY: VULNERABILITY IN AUTOFS
  IX84493  SECURITY: VULNERABILITY IN SETGID EXECUTABLES
  IX84642  SECURITY: VULNERABILITY IN INFOEXPLORER DAEMON (INFOD)
--- 94,99 ----
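Review bot: the removal of "IX83542  AIX 4.3.3.0 MAINTENANCE LEVEL" is unexplained. A maintenance level is not itself a security fix, so taking it out of a security APAR list is defensible, but if the new roll-up assumes or requires 4.3.3.0 the ordering text should state that prerequisite rather than silently dropping the only reference to it.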
***************
*** 114,120 ****
  IX89687  SECURITY: NFS SCRIPTS CREATE INSECURE TEMPORARY FILES
  IY00892  INSECURE TEMPORARY FILES IN BOS.PERF PACKAGING SCRIPT
  IY01439  SECURITY: INSECURE TEMPORARY FILES IN /ETC/RC.POWERFAIL
- IY02033  RESERVED
  IY02120  SECURITY: BUFFER OVERFLOW IN NSLOOKUP
  IY02397  SECURITY: NON-ROOT USERS CAN USE PTRACE TO CRASH THE SYSTEM
  IY02944  SECURITY: BUFFER OVERFLOW IN "DTACTION -U"
--- 113,118 ----
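Review bot: dropping the "IY02033  RESERVED" placeholder is the right cleanup, since a RESERVED entry carries no fix information for anyone reading the list. The same pass should make the labelling in this hunk consistent: "IY00892  INSECURE TEMPORARY FILES IN BOS.PERF PACKAGING SCRIPT" describes the same class of bug as the IX89687 and IY01439 entries around it but lacks their "SECURITY:" prefix.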
***************
*** 150,158 ****
--- 148,164 ----
  IY12147  NON-ROOT USERS CAN ISSUE THE NETSTAT -Z FLAG
  IY12251  SECURITY: POSSIBLE VULNERABILITIES IN ERRPT
  IY12638  SECURITY: BUFFER OVERFLOW IN PRINT CMDS
+ IY13753  SECURITY: FORMAT STRING VULNERABILITY IN LOCALE SUBSYSTEM
  IY13780  SECURITY: BUFFER OVERFLOW  IN LIBNTP
  IY13781  SECURITY: FORMAT STRING VULNERABILITY IN FTP CLIENT
  IY13783  FORMAT STRING VULNERABILITIES IN GETTY'S ERROR LOGGING FUNCS
  IY14512  DNS CERT ADVISORY FOR SRV & ZXFR BUGS
+ IY14537  BUFFER OVERFLOW IN BELLMAIL
+ IY15146  SYSLOGD:BUFFER OVERFLOW AND IMPROPER CONTROL CHARACTER ESCAPES
+ IY16182  SECURITY: BUFFER OVERFLOW IN BIND8
+ IY16214  BUFFER OVERFLOW AND FORMAT STRING VULNERABILITIES IN BIND 4.X
+ IY16271  SECURITY: INFOLEAK IN NUMEROUS VERSIONS OF NAMED4 AND NAMED8
+ IY17048  SECURITY: POSSIBLE BUFFER OVERFLOW VULNERABILITY IN CRONTAB
+ IY17932  SECURITY: IMAPD BUFFER OVERFLOW
  ===========================================================================
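Review bot: the added entries are inconsistently labelled. IY13753, IY16182, IY16271, IY17048 and IY17932 carry the "SECURITY:" prefix, while IY14537 (bellmail buffer overflow), IY15146 (syslogd buffer overflow) and IY16214 (BIND 4.x buffer overflow and format string bugs) do not, so anyone filtering the roll-up on that prefix will miss three remotely relevant fixes; add the prefix to all three. "SYSLOGD:BUFFER" in IY15146 is also missing the space after the colon.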

*yawn*.  The ERS summaries are much more helpful... Let's encourage those instead.

                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
