
Title: Security Enhanced Kit for DECNET-ULTRIX
Released by: DEC
Date: 17th March 1994
SOURCE:  Digital Equipment Corporation  - ( DSIN / DSNlink FLASH MAIL )

         Software Security Response Team                             17.MAY.94



PRODUCT: ULTRIX        Versions 4.3, 4.3A, V4.4

         DECnet-ULTRIX Version 4.2

         DEC OSF/1     Versions 1.2, 1.3, 1.3A, 2.0



ADVISORY INFORMATION:



SUBJECT:  Security Enhanced Kit for DECNET-ULTRIX V4.2, ULTRIX V4.3 (VAX/RISC),

          ULTRIX V4.3A (RISC), ULTRIX V4.4 (VAX/RISC),

          ULTRIX Worksystem Software and DEC OSF/1 V1.2 - V2.0



IMPACT:   Potential security vulnerabilities exist where, under certain

          circumstances, user access or privilege may be expanded.



SOLUTION: ULTRIX: Upgrade/Install ULTRIX to a minimum of V4.4 and install the

          Security Enhanced Kit



          DEC OSF/1: Upgrade/Install to a minimum of V1.2 and install

          the Security Enhanced Kit

          [Note: In the text below, Digital identifies OSF/1 V2.0 as the

          minimum. Digital has confirmed that 2.0 is correct. --CERT staff]



_______________________________________________________________________________

These kits are available from Digital Equipment Corporation by contacting your

normal Digital support channel or by request via DSNlink for electronic

transfer.

_______________________________________________________________________________



IMPACT:



Digital has discovered the existence of potential security vulnerabilities in

the ULTRIX V4.3, V4.3a, V4.4 and DEC OSF/1 V1.2, V1.3, V2.0 Operating Systems,

and DECnet-ULTRIX V4.2.  These potential vulnerabilities were discovered as a

result of evaluating recent reports of potential security vulnerabilities

which were distributed on the INTERNET and as a result of Digital's continued

engineering efforts.  The solutions to these vulnerabilities have been

included in the next release of ULTRIX and DEC OSF/1.



The kits have been created to correct potential security vulnerabilities

which, under certain circumstances, may expand user access or privilege.



Digital Equipment Corporation strongly urges Customers to upgrade to a

minimum of ULTRIX V4.4 and DEC OSF/1 V2.0, then apply the Security Enhanced

Kit.  

        - Please refer to the applicable Release Note information prior to

          upgrading your installation.



_______________________________________________________________________________

KIT PART NUMBERS and DESCRIPTIONS



CSC PATCH #



CSCPAT_4060  V1.0   ULTRIX    V4.3 thru V4.4  (Includes DECnet-ULTRIX V4.2)

CSCPAT_4061  V1.0   DEC OSF/1 V1.2 thru V2.0



         _______________________________________________________________

         These kits will not install on versions previous to ULTRIX V4.3

         or DEC OSF/1 V1.2.

         _______________________________________________________________



_______________________________________________________________________________

The ULTRIX Security Enhanced kit replaces the following images:





/usr/etc/comsat                 ULTRIX V4.3, V4.3a, V4.4

/usr/ucb/lpr                    "                      "

/usr/bin/mail                   "                      "

/usr/lib/sendmail               "                      "



/usr/etc/telnetd                ULTRIX V4.3, V4.3a only



______________________________________

for DECnet-ULTRIX V4.2  installations:



/usr/etc/dlogind

/usr/etc/telnetd.gw

                *sendmail - is a previously distributed solution.



_______________________________________________________________________________

The DEC OSF/1 Security Enhanced kit replaces the following images:



/usr/sbin/comsat                DEC OSF/1 V1.2, V1.3, V2.0

/usr/bin/binmail

/usr/bin/lpr                    "                       "



/usr/sbin/sendmail              DEC OSF/1 V1.2, V1.3  only

/usr/bin/rdist                  "                       "

/usr/shlib/libsecurity.so       DEC OSF/1 V2.0 only

                *sendmail - is a previously distributed solution.

_______________________________________________________________________________



Digital urges you to periodically review your system management and

security procedures.  Digital will continue to review and enhance the

security features of its products and work with customers to maintain

and improve the security and integrity of their systems.

_______________________________________________________________________________



    NOTE: For non-contract/non-warranty customers contact your local Digital

          support channels for information regarding these kits.

______________________________________________________________________________









