_______________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                         Information Bulletin
 
  Patch Available for SunOS ypserv, ypxfrd, and portmap  
 
May 27, 1992 0900 PDT                                       Number C-25
__________________________________________________________________________
PROBLEM:  Bugs in ypserv, ypxfrd, and portmap permit NIS maps to be
          obtained by unauthorized individuals.
PLATFORM: All Sun3 and Sun4 computers running SunOS 4.1, 4.1.1, or 4.1.2
DAMAGE:   Any user may obtain the password map.
SOLUTION: Apply patch available from Sun.
__________________________________________________________________________
    Critical Facts about SunOS patch for ypserv, ypxfrd, and portmap.

Sun Microsystems has announced the availability of a new patch for the
ypserv, ypxfrd, and portmap utilities.  If not patched, these utilities
may permit unauthorized distribution of NIS maps, including the password
map.

The patch is available from Sun Microsystems as Patch ID# 100482-02.
This patch, along with other Sun patches, is available both through your
local Sun answer centers and though anonymous ftp.

In the US, ftp to ftp.uu.net and retrieve the patch from the directory
~ftp/systems/sun/sun-dist.  In Europe, ftp to mcsun.eu.net and retrieve
the patch from the ~ftp/sun/fixes directory.  The patch is contained in
the compressed tarfile 100482-02.tar.Z, and must be retrieved in binary
mode, then uncompressed and untarred on the local system:

      local% ftp ftp.uu.net
      Connected to ftp.uu.net...
      Name: ftp
      Password: <email-address>
      ftp> cd ~ftp/systems/sun/sun-dist
      ftp> binary
      ftp> get 100482-02.tar.Z
      ftp> bye
      local% uncompress 100482-02.tar.Z
      local% tar xf 100482-02.tar

The checksum of the compressed tarfile is 53416 284.  This patch includes
new versions of the utilities ypserv, ypxfrd, and portmap.  To install
the patch on your system, follow the instructions available in the README
file which accompanies the patch.

For additional information or assistance, please contact CIAC:

  Steve Weeber
  (510) 423-9878 (Commercial/FTS)
  weeber@llnl.gov

Call CIAC at (510) 422-8193 (Commercial/FTS) or send e-mail to
ciac@llnl.gov.  FAX messages to: (510) 423-8002 (Commercial/FTS).

Previous CIAC bulletins and other information is available via 
anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Some of the other teams include the NASA NSI response
team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team.  Your
agency's team will coordinate with CIAC.

CIAC would like to thank Kenneth Pon of Sun Microsystems for his
assistance with this bulletin.

Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.