[ SOURCE: http://www.secureroot.com/security/advisories/9641754642.html ]

-------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: HPSBUX9511-028, 28 Nov 95
-------------------------------------------------------------------------

Hewlett-Packard recommends that the information in the following Security
Bulletin should be acted upon as soon as possible. Hewlett-Packard will
not be liable for any consequences to any customer resulting from the
customer's failure to fully implement instructions in this Security
Bulletin as soon as possible.
_______________________________________________________________________

PROBLEM:       Security vulnerability in ftp in releases 9.X and 10.X of
               HP-UX

PLATFORM:      HP 9000 series 300/400s and 700/800s

DAMAGE:        A vulnerability in ftp behavior exists which involves ftp
               server bouncing. This is a cumulative ftp(1) and ftpd(1M)
               patch.

SOLUTION:      Apply patch PHNE_6013 (series 700/800, HP-UX 9.x), or
                           PHNE_6014 (series 700/800, HP-UX 10.x), or
                           PHNE_6146 (series 300/400, HP-UX 9.x), or
                           PHNE_6170 (series 700, HP-UX 9.09), or
                           PHNE_6169 (series 700, HP-UX 9.09+), or
                           PHNE_6171 (series 800, HP-UX 9.08), or
                           PHNE_5965 (series 700, HP-UX 10.09)

AVAILABILITY:  All patches are available now, except for the 9.0X BLS
               patches, which will be available after January 2, 1996.
_______________________________________________________________________

I. Update

   A. Vulnerability

      The vulnerability allows users to exploit ftp. If these patches are
      properly installed, the vulnerability cannot be exploited. It has
      been found that all HP-UX systems have this vulnerability.

   B. Fixing the problem

      The vulnerability can be eliminated from releases 9.x and 10.x of
      HP-UX by applying a patch. For the commercial releases of HP-UX
      prior to 9.x, administrators should make plans to upgrade their
      systems to a currently supported release listed above.
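      As an added illustration (not HP's ftpd code), the server-side check
      that closes an ftp bounce hole: a PORT request is honoured only when
      the data address it names is the address of the client on the control
      connection and the port is unprivileged. The function names, the
      log-style sample requests and the addresses are constructed for this
      example.

```python
# Added example, not taken from HP's ftpd: accept a PORT command only if it
# points back at the client that sent it (otherwise the server could be
# made to open a data connection to a third party, i.e. "bouncing").
import ipaddress
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def parse_port(cmd):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if malformed."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:   # each field is one octet
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def port_allowed(control_peer, cmd):
    """Return (ok, reason) for a PORT request sent by client control_peer."""
    parsed = parse_port(cmd)
    if parsed is None:
        return False, "malformed PORT argument"
    host, port = parsed
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        return False, f"data address {host} differs from client {control_peer}"
    if port < 1024:
        return False, f"privileged data port {port}"
    return True, "ok"

# Constructed sample: (peer address of the control connection, PORT command).
SAMPLE_REQUESTS = [
    ("192.0.2.10", "PORT 192,0,2,10,4,1"),      # genuine active-mode request
    ("192.0.2.10", "PORT 198,51,100,7,0,25"),   # names a third host: bounce
    ("192.0.2.10", "PORT 192,0,2,10,0,80"),     # own host, privileged port
    ("192.0.2.10", "PORT 192,0,2,10,300,1"),    # out-of-range octet
]

def audit(requests=SAMPLE_REQUESTS):
    """Classify each request; returns a list of (peer, cmd, ok, reason)."""
    return [(peer, cmd) + port_allowed(peer, cmd) for peer, cmd in requests]

if __name__ == "__main__":
    for peer, cmd, ok, reason in audit():
        print(f"{'ACCEPT' if ok else 'REJECT'} {peer} {cmd!r}: {reason}")
```

      The same comparison can be applied to ftpd logs after the fact to spot
      PORT requests that named a host other than the connecting client.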
      Hewlett-Packard recommends that all customers concerned with the
      security of their HP-UX systems apply the appropriate patch described
      above as soon as possible.

      Side effects: none.

   C. How to Install the Patch (for HP-UX 9.x and 10.x)

      1. Determine which patch is appropriate for your hardware platform
         and operating system:

         For the Commercial HP-UX releases:
            PHNE_6013 (series 700/800, HP-UX 9.x), or
            PHNE_6014 (series 700/800, HP-UX 10.x), or
            PHNE_6146 (series 300/400, HP-UX 9.x).

         For the BLS HP-UX releases:
            PHNE_6169 (series 700, HP-UX 9.09+), or
            PHNE_6170 (series 700, HP-UX 9.09), or
            PHNE_6171 (series 800, HP-UX 9.08), or
            PHNE_5965 (series 700, HP-UX 10.09).

         The three 9.0x B Level Security (BLS) patches will be available
         after January 2, 1996.

      2. Hewlett-Packard's HP-UX patches are available via email and the
         World Wide Web.

         To obtain a copy of the HP SupportLine email service user's guide,
         send the following in the TEXT PORTION OF THE MESSAGE to
         support@us.external.hp.com (no Subject is required):

            send guide

         The user's guide explains the process for downloading HP-UX
         patches via email and other services available.

         World Wide Web service for downloading of patches is available
         via our URL: (http://us.external.hp.com/)

      3. Apply the patch to your HP-UX system.

      4. Examine /tmp/update.log for any relevant WARNINGs or ERRORs. This
         can be done as follows:

         a. At the shell prompt, type "tail -60 /tmp/update.log | more"

         b. Page through the next three screens via the space bar, looking
            for WARNING or ERROR messages.

   D. Impact of the patch and workaround

      The patch for HP-UX releases 9.x and 10.x provides a new version of
      /usr/bin/ftp and /etc/ftpd which fixes the vulnerability.

      No patches will be available for versions of HP-UX prior to 9.0. To
      protect those affected systems, we recommend upgrading to a currently
      supported release of HP-UX.

   E. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP SupportLine mail service via electronic mail,
      send an email message to:

         support@us.external.hp.com  (no Subject is required)

      Multiple instructions are allowed in the TEXT PORTION OF THE MESSAGE.
      Here are some basic instructions you may want to use:

      To add your name to the subscription list for new security
      bulletins, send the following in the TEXT PORTION OF THE MESSAGE:

         subscribe security_info

      To retrieve the index of all HP Security Bulletins issued to date,
      send the following in the TEXT PORTION OF THE MESSAGE:

         send security_info_list

      To get a patch matrix of current HP-UX and BLS security patches
      referenced by either Security Bulletin or Platform/OS, put the
      following in the text portion of your message:

         send hp-ux_patch_matrix

      World Wide Web service for browsing of bulletins is available via
      our URL: (http://us.external.hp.com/)
      Choose "Support news", then under Support news, choose
      "Security Bulletins".

   F. To report new security vulnerabilities, send email to

         security-alert@hp.com
_______________________________________________________________________

==============================================================================
***HP SupportLine Mail Service Notice***

This digest contains a summary of all newly received Security Bulletins.
You do not have to have any form of support from Hewlett-Packard to
subscribe to this digest or to procure the recommended patches via the
HP SupportLine mail service.
----------------------------------------------------------------------------
To obtain a copy of the HP SupportLine mail service user's guide, send the
following (in the TEXT PORTION OF THE MESSAGE) to the HP SupportLine mail
service.

   To:            support@us.external.hp.com
   Message Text:  send guide
----------------------------------------------------------------------------
To obtain a patch identified within this Security Bulletin, send the
following (in the TEXT PORTION OF THE MESSAGE) to the HP SupportLine mail
service.

   To:            support@us.external.hp.com
   Message Text:  send xxxxxxxxxxxx

(where xxxxxxxxxxxx represents the specified patch name).
----------------------------------------------------------------------------
If you have concerns about security issues, please forward them to:

   security-alert@hp.com

The security-alert node is monitored during working hours Pacific Daylight
Time by multiple HP Security Response Team personnel. We reply to your
message only if necessary to obtain additional information.
----------------------------------------------------------------------------
If you would like to be REMOVED from this mailing list, send the following
(in the TEXT PORTION OF THE MESSAGE) to the HP SupportLine mail service.

   To:            support@us.external.hp.com
   Message Text:  unsubscribe security_info