Patch advisory for Sun Microsystems. Please read for details.
299f9fb5d6db40e37c02269320a3a7726d8b40ea506af0c04f69c17b3f45ee28-----------------------------------------------------------------------------
SUN MICROSYSTEMS SECURITY BULLETIN: #00123, 10 November 93
-----------------------------------------------------------------------------
BULLETIN TOPICS
I. Sendmail update
A. Summary of ongoing efforts
B. Comments on the recent CERT, CIAC, and NASIRC advisories
C. Workaround needed by some 4.1.x sites to run 100377-07
D. List of platforms, operating system versions, and patches
II. How to obtain Sun security patches
A. If you have a support contract
B. If you do not have a support contract
III. How to report Sun security problems
/\
\\ \ Send Replies or Inquiries To:
\ \\ /
/ \/ / / Sun Security Coordinator
/ / \//\ MS MPK2-04
\//\ / / 2550 Garcia Avenue
/ / /\ / Mountain View, CA 94043-1100
/ \\ \ Phone: 415-688-9081
\ \\ Fax: 415-688-9101
\/ E-mail: security-alert@Sun.COM
-----------
This information is only to be used for the purpose of alerting Sun
customers to problems. Any other use or re-broadcast of this
information without the express written consent of Sun Microsystems
shall be prohibited. Sun Microsystems expressly disclaims all liability
for any misuse of this information by any third party.
Sun Microsystems recommends that all customers concerned with the
security of their SunOS system(s) obtain and install all patches that
are applicable to their computing environment.
-----------------------------------------------------------------------------
SUN MICROSYSTEMS SECURITY BULLETIN: #00123, 10 November 93
-----------------------------------------------------------------------------
I. Sendmail update
Many Sun customers have asked for an update concerning the security
holes in sendmail. This bulletin summarizes the state of our work
to close those holes. No new vulnerabilities are discussed.
We also provide in this bulletin a workaround for the benefit of
customers whose mail system configurations proved incompatible with
patch 100377-07 (see section C below).
A. Summary of ongoing efforts
Since the release of Sun's 21 October sendmail patch (see our
bulletin #122), sendmail has been closely scrutinized for possible
security holes. As a result of this scrutiny, new bugs--both
generic and Sun-specific--have come to light.
We are now working on fixes for the newly-discovered bugs in our
version of sendmail, and will release a patch as soon as testing
is complete. In this effort we are collaborating with several
external sendmail experts; CERT; and, through CERT, with other
UNIX vendors.
We expect to release the next sendmail patch in seven to ten
days--that is, about 19 November. However, the release may be
delayed if more holes are discovered in the interim or if the
known bugs prove more difficult than expected to resolve. We will
announce the patch in a bulletin similar to this one.
B. Comments on the recent CERT, CIAC, SERT, and NASIRC advisories
Several customers have asked this office to comment on the recent
advisories (CERT CA 93:16; CIAC E-03; SERT SA-93.10; and NASIRC
#96-06). These bulletins state that every commercial sendmail has
known security holes. Most recommend that sites consider some
additional security measures, such as running the 8.6.4 sendmail
(and perhaps the new smrsh program) from Berkeley.
Beyond recommending that customers apply the Sun patches and
follow documented procedures, we cannot give advice. But here is
what we know.
1. The sendmail patches we released on 21 October fixed all of
the security holes we were aware of at that time. The next
patch will fix all of the holes we are aware of now.
2. As of this writing we are aware of no reports from Sun
customers concerning undesirable interactions with the Berkeley
software, or of any unanticipated side effects, or bugs,
associated with the smrsh program.
3. The CERT advisory, in particular, contains sound advice
prepared by recognized experts in the field. In light of the
unavoidable delay until the release of our next patch, we
suggest that every customer carefully evaluate the alternatives
presented there.
Lastly--while taking no position on the use of the smrsh program
itself--we recommend extreme caution in the selection of those
programs for which remote execution is allowed.
C. Workaround needed by some 4.1.x sites to run 100377-07
Some of our customers have experienced problems after installing
sendmail patch 100377-07 (SunOS 4.1.x). These problems result from
an undocumented change--a correction, in fact--to the behavior of
the "$%y" operator in subsidiary sendmail.cf files. We apologize
for our previous oversight in not documenting the change.
Under the old interpretation of "$%y", only unqualified names,
presumably indicating hosts on the local Ethernet segment, would
match, thus getting local delivery. Using the new interpretation
of "$%y", any name which succeeds in a "gethostbyname" call (which
is any valid DNS name if DNS forwarding through NIS is enabled)
will match, so the "subsidiary" file is fooled into thinking all
Internet hosts are "local". In this case mail cannot successfully
be delivered by the subsidiary host.
This problem does not arise on Solaris 2.x systems.
We recommend the following workaround (on "subsidiary" systems
only):
1. Become root. Make a backup copy of your /etc/sendmail.cf
file, with a command such as:
%cp /etc/sendmail.cf /etc/sendmail.cf-FCS
2. Edit the /etc/sendmail.cf file, adding one line and changing
approximately two others. The line to be inserted is:
DYhosts.byname
and it is most conveniently placed directly after the comment,
"#known hosts in this domain are obtained from gethostbyname()
call". This comment is found in line 52 in the sample .cf file.
In that same file, replace all references (there are two in the
sample file) from "$%y" to "$%Y". (That is, change references
to the lower-case y operator so that they instead refer to the
newly defined upper-case Y macro.)
3. Kill and restart sendmail. Be sure to supply the appropriate
command line options. You can get these either from your
rc.local file or via a command like "ps -auxw | grep
sendmail".
Sun Microsystems wishes to acknowledge the contributions of
customers Paul Quare, Greg Jumper, and Logan Thomas in the
development and testing of this workaround.
Please direct any comments or questions to your local answer
center.
D. List of platforms, operating system versions, and patches
1. Platforms. Sun has now made the sendmail security patches
available on its sun3 and x86 architectures. All supported
architectures (sun3, sun4, and x86) now have patches.
A sun3 version has been added to the existing patch 100377-07.
The bug ID for all 4.1.x platforms is 1144946.
The patch for the x86 platform is 101352-01, as shown below.
The bug ID for all Solaris 2.x platforms is 1142888. Note that
this patch also includes an x86 fix for the tar security bug
discussed in the 21 October bulletin.
2. OS Versions. Sendmail patches are available for the
following versions of the operating system: 4.1.1, 4.1.2,
4.1.3, 5.1 (Solaris 2.1) and 5.2 (Solaris 2.2). No 5.3 (Solaris
2.3) version of the existing patch is available; but 5.3 will
be included in all future sendmail patches.
No patches will be produced for SunOS 4.1, or earlier versions
such as 4.0.3.
Running the 4.1.1 version on a 4.1 system is not a supported
configuration and we cannot recommend it. Many customers who
have tried it report that it works satisfactorily, despite the
many error messages (displayed when the program starts up)
complaining about old library versions. For further information
on this subject please contact your local answer center.
3. Patches. Available patches are tabulated below. Note that the
checksum for 100377-07.tar.Z is different than that shown in our
bulletin of 21 October because of the addition of the sun3 patch.
System Patch ID Filename BSD SVR4
Checksum Checksum
------ -------- --------------- --------- -----------
SunOS 4.1.x 100377-07 100377-07.tar.Z 39017 741 6982 1482
Solaris 2.1 100840-03 100840-03.tar.Z 01153 194 39753 388
Solaris 2.2 101077-03 101077-03.tar.Z 49343 177 63311 353
Solaris x86 101352-01 101352-01.tar.Z 31564 551 37608 1101
The checksums shown above are from the BSD-based checksum
(on 4.1.x, /bin/sum; on Solaris 2.x, /usr/ucb/sum) and from
the SVR4 version on Solaris 2.x (/usr/bin/sum).
II. How to obtain Sun security patches
A. If you have a support contract
Customers with Sun support contracts can obtain the patches listed
here--and all other Sun security patches--from:
- Local Sun answer centers, worldwide
- SunSolve Online
Please refer to the bug ID and patch ID when requesting patches
from Sun answer centers.
You should also contact your answer center if you have a support
contract and:
- You need assistance in installing a patch
- You need additional patches
- You want an existing patch ported to another platform
- You believe you have encountered a bug in a Sun patch
B. If you do not have a support contract
Sun also makes its security patches available to customers who do
not have a support contract, via anonymous ftp:
- In the US, from /systems/sun/sun-dist on ftp.uu.net
- In Europe, from ~ftp/sun/fixes on ftp.eu.net
Patches announced in a Sun security bulletin are uploaded to these
two sites just before the bulletin is released, and seldom updated.
In contrast, the "supported" patch databases are refreshed nightly,
and will often contain newer versions of a patch incorporating
changes which are not security-related.
III. How to report Sun security problems
If you discover a security problem with Sun software, please contact
one or more of the following:
- Your local Sun answer centers, worldwide
- Your representative computer security response team, such as CERT
- This office. Address postal mail to:
Sun Security Coordinator
MS MPK2-04
2550 Garcia Avenue Mountain
View, CA 94043-1100
Phone: 415-688-9081
Fax: 415-688-9101
E-mail: security-alert@Sun.COM
-----------
If you received this bulletin indirectly, and would like to be added
to Sun's Customer Warning System mailing list, send a request to the
address above with your affiliation and contact information. If you
have e-mail access, send mail to "security-alert@Sun.COM" with the
subject "subscribe" and your affiliation and contact information in
the message body.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed