OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Boyce, Nick (nick.boyceeds.com)
Date: Mon Sep 03 2001 - 05:15:55 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    This HP "Weekly HP-UX Series 800 10.X Patch Digest" describes a "login
    cumulative patch" for HPUX 10.26, PHCO_24454, which seems to be highly
    security-related. It's presumably a mistake that it wasn't sent to HP's
    "Security Bulletins Digest" list ...

    Nick Boyce
    EDS, Bristol, UK

    -----Original Message-----
    From: support_feedbackus-support.external.hp.com
    [mailto:support_feedbackus-support.external.hp.com]
    Sent: 02 September 2001 15:51
    To: hpux_800_10x_patchus-support.external.hp.com
    Subject: HP-UX series 800 10.X patch digest

                            HP Support Information Digests

    ============================================================================
    ===
    o IT Resource Center World Wide Web Service
       ---------------------------------------------------

       If you subscribed through the IT Resource Center and would
       like to be REMOVED from this mailing list, access the
       IT Resource Center on the World Wide Web at:

         http://www.itresourcecenter.hp.com/

       Login using your IT Resource Center User ID and Password.
       Then select Support Information Digests (located under
       Maintenance and Support). You may then unsubscribe from the
       appropriate digest.

       To download a patch referenced below, access the
       IT Resource Center on the World Wide Web at:

         http://www.itresourcecenter.hp.com/

       Login using your IT Resource Center User ID and Password.
       Then select Individual Patches (under Maintenance and Support)
       to access the patch. You may also download a patch via anonymous
       ftp(1) from ftp.itrc.hp.com.
    ============================================================================
    ===

    Digest Name: weekly HP-UX series 800 10.X patch digest
        Created: Sun Sep 2 3:05:03 PDT 2001

    Table of Contents:

    Document ID Title
    --------------- -----------
    PHCO_24454 s700_800 10.26 login(1) cumulative patch

    The documents are listed below.
    ---------------------------------------------------------------------------- 

    ---

    Document ID:  PHCO_24454
Date Loaded:  20010828
      Title:  s700_800 10.26 login(1) cumulative patch

    Patch Name: PHCO_24454

    Patch Description: s700_800 10.26 login(1) cumulative patch

    Creation Date: 01/08/24

    Post Date:  01/08/28

    Hardware Platforms - OS Releases:
	s700: 10.26
	s800: 10.26

    Products: N/A

    Filesets:
	BLS.BLS-CORE

    Automatic Reboot?: No

    Status: General Release

    Critical: No

    Path Name: /hp-ux_patches/s700_800/10.X/PHCO_24454

    Symptoms:
	PHCO_24454:
	1. Partial port of 10.20 patch PHCO_24267
	2. Telnet/rlogin commands do not honor max_privs specified
	   in the Remote host database (M6RHDB)

    	(PHCO_24267:)
	( SR:8606189604 CR:JAGad58818 )
	Login allows certain shell users excessive freedom.

    	PHCO_20372:
	Login fails with the error:
	        Can not create temporary node
	        Cannot set host sensitivity level.

    	PHCO_17719:
	Unsuccesful login attempts are not recorded, so lastb(1)
	returns inaccurate information.

    Defect Description:
	PHCO_24454:
	1. Partial port of 10.20 patch PHCO_24267
	2. Login is not setting the base privileges of the remote
	   users based on the remote host database and user
	   authentication profile

    	   Resolution:
	   Login has been modified to set the base privileges of the
	   remote users as the intersection of max_privs for client
	   in M6RHDB and base privileges specified for user in
	   authentication profile

    	(PHCO_24267:)
	( SR:8606189604 CR:JAGad58818 )
	Login should be more stringent in which environment
	variables it allows restricted shell users to set.

    	Resolution:
	Login now only allows the DISPLAY and TERM variables to be
	set by restricted shell users unless configured otherwise in
	the security configuration file.  To change the behavior of
	this patch, the /etc/default/security file must be created
	if it does not already exist.  This file should be world
	readable and root writeable.  To this file, add one of the
	following three entries:

    	The new default behavior corresponds to a setting of:
	    RSH_SECURITY=2

    	It is possible to ease the restrictions and allow the
	setting of any environment variables which are not known to
	be potentially risky. This is done by specifying:
	    RSH_SECURITY=1

    	Finally, for compatibility reasons, it is possible to revert
	to the old, excessively permissive behavior by specifying:
	    RSH_SECURITY=0

    	PHCO_20372:
	During login, a temporary node is created.  If, for some
	reason, a file already exists with this name, login will
	generate the above error and exit.

    	PHCO_17719:
	login(1) does not write to /var/adm/btmp when an
	unsuccessful login occurs.

    	Resolution:
	Merge the lastest HP-UX 10.20 login source, which has
	had this problem resolved.

    SR:
	8606189604

    Patch Files:
	/tcb/lib/login

    what(1) Output:
	/tcb/lib/login:
		2001/08/23 Hewlett-Packard HP-UX 10.26 TOS [ ic5ga -
			 DAV17 ]
		$Revision: 78.6.1.8 $
		01/08/21 cmd/login.c, hpux, hpux_10.26, ic5ga Revisi
			on 1.8 PATCH_10.26 (PHCO_24454)
		01/08/21 cmd/login_sec.c, hpux, hpux_10.26, ic5ga Re
			vision 1.15 PATCH_10.26 (PHCO_24454)

    cksum(1) Output:
	2398677150 65536 /tcb/lib/login

    Patch Conflicts: None

    Patch Dependencies: None

    Hardware Dependencies: None

    Other Dependencies: None

    Supersedes:
	PHCO_17719 PHCO_20372

    Equivalent Patches: None

    Patch Package Size: 120 KBytes

    Installation Instructions:
	Please review all instructions and the Hewlett-Packard
	SupportLine User Guide or your Hewlett-Packard support terms
	and conditions for precautions, scope of license,
	restrictions, and, limitation of liability and warranties,
	before installing this patch.
	------------------------------------------------------------
	1. Back up your system before installing a patch.

    	2. Login as root.

    	3. Copy the patch to the /tmp directory.

    	4. Move to the /tmp directory and unshar the patch:

    		cd /tmp
		sh PHCO_24454

    	5a. For a standalone system, run swinstall to install the
	    patch:

    		swinstall -x autoreboot=true -x match_target=true \
			-s /tmp/PHCO_24454.depot

    	By default swinstall will archive the original software in
	/var/adm/sw/patch/PHCO_24454.  If you do not wish to retain a
	copy of the original software, you can create an empty file
	named /var/adm/sw/patch/PATCH_NOSAVE.

    	WARNING: If this file exists when a patch is installed, the
	         patch cannot be deinstalled.  Please be careful
		 when using this feature.

    	It is recommended that you move the PHCO_24454.text file to
	/var/adm/sw/patch for future reference.

    	To put this patch on a magnetic tape and install from the
	tape drive, use the command:

    		dd if=/tmp/PHCO_24454.depot of=/dev/rmt/0m bs=2k

    Special Installation Instructions: None
-----End of Document ID:
PHCO_24454------------------------------------------