-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Niels den Otter                             Index  :    S-98-24
Distribution  : World                                       Page   :          1
Classification: External                                    Version:          1
Subject       : Digital Unix ftpd vulnerability             Date   :  08-May-98
===============================================================================

By courtesy of the Software Security Response Team (SSRT) of Digital
Equipment Corporation we received information on a vulnerability in Digital
Unix ftpd, where under certain circumstances, a user may gain unauthorized
file access.

CERT-NL recommends to follow the Digital recommendation, which is to upgrade
to a minimum of Digital UNIX V4.0b, and to install the appropriate patch kit
immediately.

==============================================================================
       * No Restrictions For Distribution *

______________________________________________________________
UPDATE:            APR 30, 1998

  TITLE: DIGITAL UNIX ftpd    V3.2g, V4.0, V4.0a, V4.0b, V4.0c
         Potential Security Vulnerability
 Ref #: SSRT0505U

  SOURCE: Digital Equipment Corporation
          Software Security Response Team USA

 "Digital is broadly distributing this Security Advisory in order
 to bring to the attention of users of Digital's products the
 important security information contained in this Advisory.
 Digital recommends that all users determine the applicability of
 this information to their individual situations and take
 appropriate action.

 Digital does not warrant that this information is necessarily
 accurate or complete for all user situations and, consequently,
 Digital will not be responsible for any damages resulting from
 user's use or disregard of the information provided in this
 Advisory."

- ----------------------------------------------------------------------
IMPACT:

  Digital has discovered a potential vulnerability with  ftp
  for DIGITAL UNIX software, where under certain circumstances, a user
  may gain unauthorized file access.

  Digital strongly recommends upgrading to a minimum of
  Digital UNIX V4.0b accordingly, and that the appropriate
  patch kit be installed immediately.

- ----------------------------------------------------------------------
RESOLUTION:

 This potential security problem has been resolved in V4.0d and an official
 patch for this problem has been made available as an early release
 kit for DIGITAL UNIX V4.0a (duv40ass0000600039300-19980317.*)
 and included in the latest DIGITAL UNIX V4.0b
 aggregate DUPATCH Kit.
  The V3.2g aggregate BL 10 patch kit #5
  is scheduled for release in late June 1998.
  The V4.0 aggregate  BL 9 patch kit #6
  is scheduled for release mid May 1998.
  The V4.0c aggregate BL10 patch kit #6
  is scheduled for release mid May 1998.

 *This potential problem was included in the distributed release of
 DIGITAL UNIX V4.0d



  o the World Wide Web at the following FTP address:

    http://www.service.digital.com/html/patch_service.html
    Use the FTP access option, select DIGITAL_UNIX directory
    then choose the appropriate version directory
    and download the patch accordingly.


  Note: [1]The appropriate patch kit must be installed
   following any upgrade to V4.0a, V4.0b, or V4.0c

        [2] Please review the appropriate release notes
        prior to installation.

 If you need further information, please contact your normal DIGITAL
 support channel.

 DIGITAL appreciates your cooperation and patience. We regret any
 inconvenience applying this information may cause.

 As always, Digital urges you to periodically review your system
 management and security procedures.

  Digital will continue to review and enhance the security
  features of its products and work with customers to maintain and
  improve the security and integrity of their systems.

  ______________________________________________________________

  Copyright (c) Digital Equipment Corporation, 1998 All
  Rights Reserved.
  Unpublished Rights Reserved Under The Copyright Laws Of
  The United States.
______________________________________________________________


==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IgzSYjBqwfc9jEQJZrQCeMUCs7+2P3BcVm3XertLO0LVxrWQAoMVA
hkc2eMfBzRDoKttAns0rrxZI
=agEr
-----END PGP SIGNATURE-----