009
8e5d439bcdf655f9058714a6b39f51f02ac6fa56ecfa9dce7f43789f28c351af
From support@us.external.hp.com Wed Mar 13 00:59:26 1996
Date: Wed, 13 Mar 1996 01:02:21 -0800
From: HPSL Mail Service <support@us.external.hp.com>
Reply to: support-feedback@us.external.hp.com
To: Damien Sorder <jericho@netcom.com>
Subject: RE: send doc HPSBUX9405-009
--------
## Regarding your request:
Send Doc HPSBUX9405-009
The following are the results of your request from the HP SupportLine mail
service.
===============================================================================
Document Id: [HPSBUX9405-009]
Date Loaded: [05-05-94]
Description: PROBLEM: Incomplete implementation of OSF/AES standard
===============================================================================
###########################################################################
---------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: #00009, 05 May 1994
---------------------------------------------------------------------------
_______________________________________________________________________
PROBLEM: Incomplete implementation of OSF/AES standard
PLATFORM: HP 9000 Series 700 running HP-UX 9.01 or 9.03
DAMAGE: Root may inadvertently grant improper ownership of files
or directories.
SOLUTION: Disable OSF/AES implementation, reverting to original 8.07
implementation by installing PHKL_4157 or PHKL_4161.
Additional patch PHCO_3533 for cpio should be used as well.
_______________________________________________________________________
I. HP OSF/AES defect Update
A. Fixing the problem
The problem can be eliminated by applying a patch that corrects the
HP OSF/AES defect. The patch reverts the behavior back to the 8.07
implementation.
Cpio had been patched to work around the problem. This avoided
the vulnerability at the cost of a minor and cosmetic loss of
normal functionality. Since PHKL_4157 or PHKL_4161 resolves the
vulnerability, the cpio work around is no longer necessary. The
cpio patch PHCO_3533 removes the work around.
B. How to Install the Patch
1. Get a copy of the patch from one of the following locations:
a. HP SupportLine Mail Service
To obtain the patch, send the following in the TEXT PORTION
OF THE MESSAGE to support@support.mayfield.hp.com
(no Subject is required):
send PHKL_4157
-or-
send PHKL_4161
-and, in another message-
send PHCO_3533
It will automatically be emailed back to you. Note that
users may also download the patch from HP SupportLine via
ftp, kermit, or uucp.
b. Response Center Support
If you need additional assistance and have a support
contract, you can contact your local Response Center for
further help.
2. The patch information is current as of May 5, 1994. You
should list the patch:
more PHKL_4157
-or-
more PHKL_4161
-and-
more PHCO_3533
If it has been replaced there will be banner text saying:
OBSOLETE
REPLACED
BY
PHKL_NNNN
3. Apply the patch to your HP-UX system. The complete instructions
for applying the patch are in PHKL_NNNN.text.
4. Examine /tmp/update.log for any relevant WARNINGs or ERRORs. This
can be done as follows:
a. At the shell prompt, type "tail -60 /tmp/update.log | more"
b. Page through the next three screens via the space bar, looking
for WARNING or ERROR messages.
---------------------------------------------------------------------------
To subscribe to automatically receive NEW future HP Security Bulletins
from the HP SupportLine mail service via electronic mail, send the
following in the TEXT PORTION OF THE MESSAGE to
support@support.mayfield.hp.com (no Subject is required):
subscribe security_info
To retrieve the index of all HP Security Bulletins, send the following:
send security_info_list
To obtain a copy of the HP SupportLine mail service user's guide,
send the following:
send guide.txt
For security concerns, write to:
security-alert@hp.com
###########################################################################