SUN MICROSYSTEMS SECURITY BULLETIN: #00115, 17 April 92

This information is only to be used for the purpose of alerting
customers to problems.  Any other use or re-broadcast of this 
information without the express written consent of Sun Microsystems
shall be prohibited.

Sun expressly disclaims all liability for any misuse of this information
by any third party.
---------------------------------------------------------------------------
Please note that the following contains updated information:

   All patches listed are available through your local Sun answer centers
   worldwide as well as through anonymous ftp:  in the US, ftp to ftp.uu.net 
   and obtain the patch from the /systems/sun/sun-dist directory; in Europe,
   ftp to mcsun.eu.net and obtain the patch from the ~ftp/sun/fixes directory.
   Note that Sun does not have direct access to mcsun.eu.net and must request
   that patches be copied from ftp.uu.net to mcsun.eu.net.  Therefore, there
   may be a time lag before patches appear on mcsun.eu.net.

Please refer to the BugId and PatchId when requesting patches from Sun
answer centers.

----------------------------------------------------------------------------

BULLETIN TOPICS
I.   New Patches
     A.  100387-02 (100388-02), 4.1.1 BSM-C2 INTERNATIONAL (US_ENCRYPTION_KIT) 
         version patch release
     B.  100478-01, OpenWindows V3: xlock crashes leaving system open
     C.  100564-01, 4.1.2 C2 Jumbo, rpc.yppasswdd rpc.pwdauthd
II.  Upgraded Patches - The patches below have been updated to reflect
     applicability to SunOS 4.1.2
     A.  100188-02, TIOCCONS patch combines fix for 100414-01 
     B.  100296-02, rpc.mountd
     C.  100305-07, lpd/lpr, combines fixes for patch 100301-01
     D.  100383-04, rdist
     E.  100448-01, OpenWindows 3.0, loadmodule

==============================================================================
NEW PATCH INFORMATION

Sun Patch ID:  100387-02
Sun Bug IDs:   Not available
SunOS release: 4.1.1
Synopsis:      This 8.5 MByte patch provides many bug fixes and enhancements
   to the C2 and Basic Security Module.  It obsoletes the 4.1.1 C2 Jumbo
   patch, 100201-04.
Checksum of compressed tarfile 100387-02.tar.Z on ftp.uu.net =   07868  4400

Please note that the US_ENCRYPTION_KIT version BSM-C2 patch release (100388-02)
cannot be loaded onto anonymous ftp sites because of export restrictions.
Please contact your Answer Center for availability.

BSM-C2 patches compatible with SunOS 4.1.2 are currently being developed and 
will be made available for distribution later this summer.


Sun Patch ID:  100478-01
Sun Bug IDs:   1077337
SunOS release: 4.1.1, 4.1.2
Synopsis:      xlock does not process keypresses quickly enough, posing
   a potential security problem.
Checksum of compressed tarfile 100478-01.tar.Z on ftp.uu.net =  64588    58


Sun Patch ID:  100564-01
Sun Bug IDs:   1040334 1043667 1058378 1059261 1063796
SunOS release: 4.1.2
Synopsis:      This is a port of the C2 Jumbo patch (100201-04) to SunOS 
   4.1.2.  It is required if you wish to run C2 security on SunOS 4.1.2
   machines.  Problems fixed are:

   1. yppasswd will not allow a user to change a password from the client, 
      the yppasswdd daemon dies on the server (bug 1040334)
   2. rpc.yppasswdd uses an incorrect lock file (bug 1043667)
   3. rpc.pwdauthd logs cleartext passwords via auditd (bug 1058378)
   4. NIS and C2 Security passwd.adjunct file can get overwritten by 
      /etc/passwd (bug 1059261)
   5. When running C2 with NIS, ypppasswd password changes from client system
      would take 5 minutes of delay before taking effect (bug 1063796)
Checksum of compressed tarfile 100564-01.tar.Z on ftp.uu.net =  29774   415

==============================================================================
UPGRADED PATCH INFORMATION

Sun Patch ID:  100188-02
Sun Bug IDs:   1008324 1040722 1070495
SunOS release: 4.1.1, 4.1.2
Synopsis:      This patch combines 3 fixes:
   1. TIOCCONS can be used to re-direct console output/input away from
      "console" (bug 1008324)
   2. Kernel programs using pty can get output from previous application.
      (Formerly patch 100414-01, bug 1070495)
   3. Process not letting go of a pty (bug 1040722)
Checksum of compressed tarfile 100188-02.tar.Z on ftp.uu.net =  52332   132

Please note that patch 100414-01 has been obsoleted by this patch.


Sun Patch ID:  100296-02
Sun Bug IDs:   2000680 1044852 1048890
SunOS release: 4.1.1, 4.1.2
Synopsis:  The README file for this patch has been modified to reflect
   the patch's applicability to SunOS 4.1.2.

   Fixes:
   If the cached list of netgroups that a client is not a member of
   exceeds the cache capacity then the mount daemon will acknowledge
   the client's membership of any netgroup even if it is not a member.

   If the access list of hosts is a string under 256 chars then things
   work as expected, but if it is longer everyone can mount the filesystem.

   Additionally this patch also fixes a problem where the cached netgroup
   entry may contain groups from the previous mount.
Checksum of compressed tarfile 100296-02.tar.Z on ftp.uu.net =  30606    23

 
Sun Patch ID:  100305-07
Sun Bug IDs:   1016437 1040453 1057834 1058003 1059620 1061504 1063772
               1081850 1081968
SunOS release: 4.1, 4.1.1, 4.1.2
Synopsis:      The patch integrates changes made by patch 100301-01 (BugId
   1059620, lpr -r does not work on NFS mounted files) and fixes a new
   bug (BugId 1081850, lpr -r allows you to delete files without the proper
   permissions).  The patch has also been updated to reflect applicability 
   to SunOS 4.1.2.
Checksum of compressed tarfile 100305-07.tar.Z on ftp.uu.net =  25894   283


Sun Patch ID:  100383-04
Sun Bug IDs:   1069497 1074961
SunOS release: 4.0.3, 4.1, 4.1.1, 4.1.2
Synopsis:  /usr/ucb/rdist can be used to create setuid root programs.  The 
   patch has been modified to reflect the patch's applicability to SunOS 
   4.1.2.
Checksum of compressed tarfile 100383-04.tar.Z on ftp.uu.net =  42306   113

Sun Patch ID:  100448-01
Sun Bug IDs:   1076118
SunOS release: 4.1.1, 4.1.2
Synopsis:  OpenWindows 3.0: loadmodule is a security hole.  The patch 
   has been modified to reflect the patch's applicability to SunOS 4.1.2.
Checksum of compressed tarfile 100448-01.tar.Z on ftp.uu.net =  02672     5



Sun Microsystems recommends that all customers concerned with the security
of their SunOS systems obtain and load the patches that are applicable to 
their system(s).

Kenneth L. Pon
Sun Microsystems, Inc. 
Software Security Coordinator