b-14.ciac-sunos-mail
Posted Sep 23, 1999

systems | solaris
SHA-256 | a502e0235ad45ababff1a4d578c895746bff991b444cfddc22c4dc78855b12d4

_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________
Information Bulletin

February 22, 1991, 1300 PST Number B-14

Additional Information about UNIX Security Problem with /bin/mail in SunOS

Sun Microsystems has released additional information about the security
problem with /bin/mail described in CIAC Bulletin B-13. There are
significant changes to the patch installation procedure. The new patch
installation procedure is:
________________________________________________________________________

Patch ID: 100224-01
BugIDs fixed by this patch: 1045636 and 1047340
Availability: Anonymous FTP from ftp.uu.net:/sun-dist/100224-01.tar.Z
Checksum of the compressed tarfile
100224-01.tar.Z = 64102 109
Patches Obsoleted: 100161-01
Obsoleted by: SysV Release 4

Patch installation instructions are as follows:

(Login as root - you must have root access to apply this patch!)
(Create a temporary directory and "cd" to it)
(Use anonymous FTP to obtain the file sun-dist/100224-01.tar.Z
from ftp.uu.net)
# uncompress 100224-01.tar
# tar xvf 100224-01.tar
# mv /bin/mail /bin/mail.old
NEW --> # chmod 400 /bin/mail.old
# cp $arch/$os/mail /bin/mail
(where $arch is either sun3 sun4 sun4c or sun3x)
(and where $os is either 4.0.3 4.1 or 4.1.1)
(change the permissions for the newly installed mail binary)
UPDATED --> # chmod 4711 /bin/mail
(Sun actually recommends setting the permissions to 4111,
but CIAC considers 4711 a wiser choice.)
NEW --> # ls -l /bin/mail
(Verify that /bin/mail is owned by "root" and the file
permissions are correct.)
(You will probably wish to delete the 100224-01.tar file and
the files created by "de-tar-ing" 100224-01.tar at this time!)
________________________________________________________________________


CIAC recommends that you delete /bin/mail.old altogether after
verifying that the new version of /bin/mail just installed is
functioning correctly. If you take this course of action, you should
first make a backup copy of /bin/mail.old and store it off-line.
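The bulletin's verification step is a bare `ls -l /bin/mail` that the administrator reads by eye. The following is an added example (not part of the CIAC bulletin or Sun's addendum) that turns the mode column of `ls -l` into the octal form the bulletin quotes and checks a file against the expected owner and mode, so both the new /bin/mail (root, 4711) and a retained /bin/mail.old (root, 400) can be confirmed mechanically. It assumes only POSIX sh and ls; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the CIAC bulletin or Sun: verify the outcome of the
# "ls -l /bin/mail" step by converting the mode column to octal and comparing
# owner and mode with what the bulletin prescribes. Assumes POSIX sh and ls.

# Turn an ls -l mode string such as -rws--x--x into its octal form, 4711.
mode_to_octal() {
    perms=${1#?}                          # drop the file-type character
    special=0; rwx=""
    for bit in 4 2 1; do                  # setuid, setgid, sticky weights
        group=$(printf '%s' "$perms" | cut -c1-3)
        perms=${perms#???}
        v=0
        case $group in r??) v=$((v + 4));; esac
        case $group in ?w?) v=$((v + 2));; esac
        case $group in ??[xst]) v=$((v + 1));; esac     # s and t imply x
        case $group in ??[sStT]) special=$((special + bit));; esac
        rwx="$rwx$v"
    done
    if [ "$special" -eq 0 ]; then
        printf '%s\n' "$rwx"
    else
        printf '%s%s\n' "$special" "$rwx"
    fi
}

# check_binary <path> <expected-owner> <expected-octal-mode>
# Prints what was actually found; returns 0 only when owner and mode both match.
check_binary() {
    path=$1; want_owner=$2; want_mode=$3
    listing=$(ls -ld "$path") || return 1
    set -- $listing                       # field 1 = mode string, field 3 = owner
    got_mode=$(mode_to_octal "$1"); got_owner=$3
    printf '%s: owner=%s mode=%s (want %s %s)\n' \
        "$path" "$got_owner" "$got_mode" "$want_owner" "$want_mode"
    [ "$got_owner" = "$want_owner" ] && [ "$got_mode" = "$want_mode" ]
}

# After installing the patch as root, the bulletin's two files are checked with:
#   check_binary /bin/mail root 4711 && check_binary /bin/mail.old root 400
```

A non-zero exit from either call means the binary is not in the state the bulletin calls for (wrong owner, 4755 left from the tape, or a readable mail.old) and the chmod steps should be repeated.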

For your information, we have included the Sun addendum below:
________________________________________________________________________

This is an addendum to the Security bulletin (#00105) that went out
recently. Two points were brought to Sun's attention by the security
community.

First point: It is not advisable to leave the old version of /bin/mail
around as this version can be exploited. After first verifying that the
new version was not mangled in the transfer, either remove the old
version (/bin/mail.old) or change the permissions to 100. Example:
chmod 100 /bin/mail.old

Second point: The permissions on the new version of /bin/mail do not
have to be set to 4755 as they come on the installation tape. Setting
the mode to 4111 allows /bin/mail to work, but keeps people from
reading the binary (with strings).

Special Thanks to Gordon O'Connor and Hal Brand for pointing out these
flaws in the posting.

Brad Powell
Sun Microsystems
________________________________________________________________________

For additional information or assistance contact:

Hal R. Brand
(415) 422-6312 or (FTS) 532-6312

During working hours, call CIAC at (415) 422-8193 or (FTS)
532-8193. For non-working hour emergencies, call (415)
422-7222 or (FTS) 532-7222 and ask for CIAC (this is a new
emergency number).

Send e-mail to ciac@cheetah.llnl.gov (this is a new Internet
address).

Send FAX messages to: (415) 423-0913 or (FTS) 543-0913.

Joe Ilacqua and Sun Microsystems provided information contained in this
bulletin. Neither the United States Government nor the University of
California nor any of their employees, makes any warranty, expressed
or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.
