Date: Mon Jan 28 2002 - 21:41:51 CST

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TITLE: Tru64 UNIX Potential Security Vulnerability,
           Privileged App. Core Files and Temp File/Symbolic
           Links With Temp Files (SSRT1-41U, SSRT0742U, SSRT0759U)

    NOTICE: There are no restrictions for distribution of
            this advisory provided that it remains complete and intact.

    RELEASE DATE: 28 JANUARY 2002

    SOURCE: Compaq Computer Corporation
            Compaq Services
            Software Security Response Team

    CROSS REFERENCE: (CVE CAN-2000-1134, CERT/CC VU#10277)

    PROBLEM SUMMARY:

    (1). (SSRT1-41U) It has been reported to Compaq that
    Tru64 UNIX has a potential security vulnerability in
    its use of temporary files in the shell programs
    and system startup or management scripts.

    Because the potential security vulnerability can only be
    exploited by users who have access to your local security
    domain, the risk is diminished. Many systems operate in
    a "turn key" mode where login access exists only for system
    administration. These systems are not at risk.
    Examples of these systems are file servers and web servers.

    There are things that can be done to reduce the potential
    vulnerability and exposure. A set of Compaq guidelines are
    available from the Compaq Services web page at:

    http://www.support.compaq.com/sec/system-protections-tru64.html

    (2). (SSRT0742U, SSRT0759U) A potential security vulnerability
    has been reported, where under certain circumstances, system
    integrity may be compromised. This may be in the form of
    improper privileged application core file access.
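    The following is an added example for item (1) above; it is not code from the Compaq advisory or from Tru64 UNIX. It assumes a POSIX sh with mktemp(1) and grep -E, and the sample startup script it audits is constructed here: one function counts writes to guessable temp paths (a fixed name or the PID under /tmp), and two show the safe alternatives, mktemp and noclobber, that refuse to follow anything already placed at the path.

```shell
#!/bin/sh
# Added example, not part of the Compaq advisory. Assumes POSIX sh, mktemp(1), grep -E.

# Audit: count lines that redirect output to a temp path built from a fixed
# name or from $$. Such names are guessable, which is the precondition for the
# temp-file/symbolic-link problem the advisory describes. Prints 0 when none.
count_predictable_tmp() {   # $1 = script to audit
    grep -cE '>>?[[:space:]]*"?/(var/)?tmp/[A-Za-z0-9_.-]+' "$1" || true
}

# Constructed sample of a startup script: two risky writes and one safe one.
write_sample_script() {     # $1 = path of the sample script to create
    cat > "$1" <<'EOF'
#!/bin/sh
LOG=/tmp/startup.log
echo "starting" > /tmp/startup.log
ps -ef > /tmp/psout.$$
SAFE=$(mktemp /tmp/startup.XXXXXX) || exit 1
ps -ef > "$SAFE"
EOF
}

# Safe creation: mktemp creates the file atomically, mode 0600, with an
# unpredictable name, so nothing can be pre-placed at that path in advance.
# Echoes the path; returns 1 if creation failed or the result is not a plain file.
make_safe_tmp() {
    d=${TMPDIR:-/tmp}
    f=$(umask 077; mktemp "$d/advisory-example.XXXXXX") || return 1
    if [ -f "$f" ] && [ ! -L "$f" ]; then
        printf '%s\n' "$f"
    else
        rm -f "$f"; return 1
    fi
}

# For scripts that must write a fixed path: with set -C (noclobber), '>' fails
# when anything already exists at the path, a symbolic link included, instead
# of truncating whatever the link points at. Returns 1 if the write was refused.
write_noclobber() {         # $1 = path, $2 = content
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}
```

Running count_predictable_tmp over a system's rc scripts gives a quick inventory of where the ERP-fixed pattern may also exist in local additions.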

    VERSIONS IMPACTED:

    All supported versions as well as recent prior versions.
    The affected versions include but are not limited to Tru64 UNIX
    versions V5.1a, V5.1, V5.0a, V5.0, V4.0g, V4.0f and V4.0d.

    RESOLUTION:

    Early Release Patches (ERPs) are available for all supported
    versions of Tru64 UNIX (4.0F, 4.0G, 5.0A, 5.1 and 5.1A)
    and, as a courtesy, for V4.0D and V4.0F, as support for these two has
    just recently ended.

    To obtain the patch or patches needed, connect to the
    FTP site ftp://ftp.support.compaq.com/public/unix/
    choose the version directory required and download the
    appropriate patch.

     ---------------------
     Early Release Patches
     ---------------------

     Until the Tru64 UNIX fixes are generally available in
     mainstream patch kits, Compaq recommends use of the following
     Early Release Patches (ERP) kits:

     Tru64 UNIX 4.0D
       Prerequisite: 4.0D with Patch Kit 9 (BL17) installed
       ERP Kit Name: DUV40DB17-C0061401-12858-E-20020115.tar
       Kit Location: http://ftp1.support.compaq.com/public/unix/v4.0d/

     Tru64 UNIX 4.0F:
       Prerequisite: 4.0F with Patch Kit 6 (BL17) installed
       ERP Kit Name: DUV40FB17-C0061801-12860-E-20020115.tar
       Kit Location: http://ftp1.support.compaq.com/public/unix/v4.0f/

       Prerequisite: 4.0F with Patch Kit 7 (BL18) installed
       ERP Kit Name: DUV40FB18-C0065000-12930-E-20020122.tar
       Kit Location: http://ftp1.support.compaq.com/public/unix/v4.0f/

     Tru64 UNIX 4.0G:
       Prerequisite: 4.0G with Patch Kit 3 (BL17) installed
       ERP Kit Name: T64V40GB17-C0009303-12856-E-20020115.tar
       Kit Location: http://ftp1.support.compaq.com/public/unix/v4.0g/

     Tru64 UNIX 5.0:
       Prerequisite: 5.0 with Patch Kit 4 (BL17) installed
       ERP Kit Name: T64V50B17-C0006900-12861-E-20020115.tar
       Kit Location: http://ftp1.support.compaq.com/public/unix/v5.0/

     Tru64 UNIX 5.0A:
       Prerequisite: 5.0A with Patch Kit 3 (BL17) installed
       ERP Kit Name: T64V50AB17-C0017601-12862-E-20020115.tar
       Kit Location: http://ftp1.support.compaq.com/public/unix/v5.0a/

     Tru64 UNIX 5.1:
       Prerequisite: 5.1 with Patch Kit 3 (BL17) installed
       ERP Kit Name: T64V51B17-C0095501-12931-E-20020122.tar
       Kit Location: http://ftp1.support.compaq.com/public/unix/v5.1/

       Prerequisite: 5.1 with Patch Kit 4 (BL18) installed
       ERP Kit Name: T64V51B18-C0094800-12864-E-20020115.tar
       Kit Location: http://ftp1.support.compaq.com/public/unix/v5.1/

     Tru64 UNIX 5.1A:
       Prerequisite: 5.1A with Patch Kit 1 (BL1) installed
       ERP Kit Name: T64V51AB1-C0008900-12954-E-20020124.tar
       Kit Location: http://ftp1.support.compaq.com/public/unix/v5.1a/

     MD5 and SHA1 checksums are available in the public patch notice for
     the ERP kits. You can find information on how to verify MD5 and SHA1
     checksums at:
            http://www.support.compaq.com/patches/whats-new.shtml

    The fixes contained in the early release patch (ERP) kits will be
    available in the next aggregate patch kits for each supported product
    release as follows:
            - Tru64 UNIX 4.0F PK8
            - Tru64 UNIX 4.0G PK3
            - Tru64 UNIX 5.0A PK4
            - Tru64 UNIX 5.1 PK5
            - Tru64 UNIX 5.1A PK2

      NOTE: (1) Please review the README file(s) for each patch prior
                 to installation.

    After completing the update, Compaq strongly recommends that
    you perform an immediate backup of your system disk so that
    any subsequent restore operations begin with updated software.
    Otherwise, you must reapply the update after a future
    restore operation. Also, if at some future time you upgrade your
    system to a later patch version, you may need to reapply the
    appropriate update.

    SUPPORT:

    For further information, please contact your normal
    Compaq Global Services support channel.

    SUBSCRIBE:

    To subscribe to automatically receive future Security
    Advisories from Compaq's Software Security Response Team via
    electronic mail:
    http://www.support.compaq.com/patches/mailing-list.shtml

    REPORT:

    To report a potential security vulnerability with any Compaq

    Compaq appreciates your cooperation and patience. We regret
    any inconvenience applying this information may cause. As
    always, Compaq urges you to periodically review your system
    management and security procedures. Compaq will continue to
    review and enhance the security features of its products and
    work with customers to maintain and improve the security
    and integrity of their systems.

    "Compaq is broadly distributing this Security Advisory to
    notify all users of Compaq products of the important security
    information contained in this Advisory. Compaq recommends that
    all users determine the applicability of this information to
    their individual situations and take appropriate action. Compaq
    does not warrant that this information is necessarily accurate or
    complete for all user situations and, consequently, Compaq
    will not be responsible for any damages resulting from user's use
    or disregard of the information provided in this Advisory."

    Copyright 2002 Compaq Computer Corporation. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.1

    iQA/AwUBPFYaNTnTu2ckvbFuEQLfDgCfQ6zbGIYxQBFkxtUKCFNWEg4Ppu4AoJTo
    VzLhn3dOvL7oXdtXIVDd6Zfa
    =BpRr
    -----END PGP SIGNATURE-----
