
SUN MICROSYSTEMS SECURITY BULLETIN: #00125

Posted Jan 19, 1994

Patch advisory for Sun Microsystems. Please read for details.

SHA-256 | 1e4f570189b5e5f0e4b50dc949661d54f1a070d5140174f1971686693d62f69a

-----------------------------------------------------------------------------
SUN MICROSYSTEMS SECURITY BULLETIN: #00125, 23 December 93
-----------------------------------------------------------------------------


BULLETIN TOPICS

This bulletin does not discuss any new security problems. We
are announcing the availability of a new set of patches for a
known set of holes.

I. Sendmail patch

A. Resolution
B. Configuration file notes
C. List of platforms, operating system versions, and patches

II. How to obtain Sun security patches

A. If you have a support contract
B. If you do not have a support contract

III. How to report or inquire about Sun security problems

IV. How to obtain Sun security bulletins

A. Subscription information
B. Obtaining old bulletins



Send Replies or Inquiries To:

Sun Security Coordinator
MS MPK2-04
2550 Garcia Avenue
Mountain View, CA 94043-1100
Phone: 415-688-9081
Fax: 415-688-9101
E-mail: security-alert@Sun.COM

-----------

Permission is granted for the redistribution of this Bulletin for
the purpose of alerting Sun customers to problems, as long as the
Bulletin is not edited and is attributed to Sun Microsystems.

Any other use of this information without the express written consent
of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims
all liability for any misuse of this information by any third party.

-----------------------------------------------------------------------------
SUN MICROSYSTEMS SECURITY BULLETIN: #00125, 23 December 93
-----------------------------------------------------------------------------

I. Sendmail

A. Resolution

This new set of sendmail patches fixes several security holes which
came to light after the release of our 21 October set. Aside from
101352-02, a forthcoming x86-based patch which corresponds to the
SPARC-based patches being released today, no further security-
related sendmail patches are planned at this time. Our plans for
101352-02 are described in section I.C.1 below.

We have included with these patches a new set of sample
configuration files. These illustrate the use of the "%l"
operator, a feature from the Solaris 2.x sendmail which, with
these patches, is now available in the 4.1.x sendmail as well. No
changes have been made to the documented Solaris 2.x
functionality.

The new set of patches is available on ftp.uu.net now. The patches
will be available via all Sun-supported access channels within 24
hours. See section II for a discussion of distribution channels.

B. Configuration file notes

1. Any 4.1.x customers who are currently running an FCS
(unpatched) sendmail may need to change sendmail configuration
files on "subsidiary" systems when installing 100377-08. This
is because the interpretation of the "%y" operator underwent a
small undocumented change in sendmail patch 100377-04.

In addition, those 4.1.x customers who implemented workarounds
in response to that change--which many did not encounter until
they installed the highly publicized 100377-07--may wish to
adapt the configuration files to use the new "%l" operator.
However, any configuration file which worked correctly under
100377-07 will continue to work under -08.

No configuration file changes are needed on Solaris 2.x
systems.

2. The following instructions describe how to adapt your 4.1.x
configuration files to use the "%l" operator. For more detailed
information please refer to the Solaris 2.x sendmail
documentation or your local Answer Center.

a. If you used the workaround suggested in our bulletin
#123, you added a line to the configuration file on
subsidiary systems such as

DYhosts.byname

which had the effect of defining a %Y operator. To use the new
%l (local) operator instead, delete the above line and
change all references to "%Y" to "%l".

b. If you are currently using the sample subsidiary.cf file,
unchanged, as your configuration file ("/etc/sendmail.cf"),
you may substitute the new sendmail.subsidiary.cf file
distributed with this patch. It incorporates the "%l"
operator. You could also use the new sample as a base,
applying to it the same local changes you made to the last
sample.

c. In adapting any customized configuration file, follow the
principle of replacing "%y" with "%l" whenever the reference
is to a machine which is inside the current domain.

3. On 4.1.x systems it is necessary to recreate the frozen
configuration file, then kill and restart sendmail for changes
to /etc/sendmail.cf to take effect. The command

/usr/lib/sendmail -bz

will recreate the frozen configuration file.

When restarting sendmail be sure to supply the appropriate
command line options. You can get these either from your
rc.local file or via a command like "ps -auxw | grep
sendmail".

Please direct any comments or questions to your local answer
center.
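
Steps 2.a and 2.c above, as an added example that is not part of Sun's bulletin: this Python code removes the "DYhosts.byname" workaround line, rewrites "%Y" to "%l", and lists the remaining "%y" lines for the manual review that step 2.c calls for. The name `migrate_cf`, the sample rule lines, and the refusal when macro Y has a different definition are assumptions made for this example.

```python
# Constructed subsidiary configuration carrying the bulletin #123 workaround.
# The two R lines are illustrative placeholders, not rules from Sun's samples.
SAMPLE_CF = (
    "# constructed sample\n"
    "DYhosts.byname\n"
    "R$*<@$%Y>$*\t$#ether $@$2 $:$1<@$2>$3\n"
    "R$*<@$%y.LOCAL>$*\t$#ether $@$2 $:$1<@$2>$3\n"
)

WORKAROUND = "DYhosts.byname"


def migrate_cf(text):
    """Apply step 2.a and list the "%y" lines that step 2.c asks you to review.

    Returns (new_text, review); review holds (line_number, line) pairs
    numbered against the rewritten file.
    """
    lines = text.splitlines()
    y_defs = [ln.rstrip() for ln in lines if ln.startswith("DY")]
    if WORKAROUND not in y_defs:
        raise ValueError("workaround line %r not found" % WORKAROUND)
    if any(ln != WORKAROUND for ln in y_defs):
        # Assumption: another DY definition means %Y is used for something
        # other than the workaround, so a blanket rewrite would be wrong.
        raise ValueError("macro Y has another definition; edit by hand")

    out = []
    for ln in lines:
        if ln.rstrip() == WORKAROUND:
            continue                      # delete the workaround definition
        if not ln.startswith("#"):
            ln = ln.replace("%Y", "%l")   # point references at the new operator
        out.append(ln)

    # Step 2.c needs judgement (is the host inside the current domain?),
    # so "%y" references are reported rather than rewritten.
    review = [(n, ln) for n, ln in enumerate(out, 1)
              if "%y" in ln and not ln.startswith("#")]
    return "\n".join(out) + "\n", review
```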

C. List of platforms, operating system versions, and patches

1. Platforms. This new set of patches covers the sun3 and sun4
platforms.

A corresponding patch for the x86 platform, 101352-02, is in
the last stages of testing. It will be available early in
January 1994, and will be announced in a bulletin similar to
this one. We recommend that x86 customers who have not already
done so install the previous patch, 101352-01, until 101352-02
is ready.

2. OS Versions. Sendmail patches are available for the
following versions of the operating system: 4.1.1, 4.1.2,
4.1.3, 5.1 (Solaris 2.1), 5.2 (Solaris 2.2), and 5.3 (Solaris
2.3). Customers running 4.1.3c can use the 4.1.3 patch.

No patches will be produced for SunOS 4.1, or earlier versions
such as 4.0.3.

Running the 4.1.1 sendmail on a 4.1 system is not a supported
configuration and we cannot recommend it. Many customers who
have tried it report that it works satisfactorily, despite the
many error messages (displayed when the program starts up)
complaining about old library versions. For further information
on this subject please contact your local answer center.

3. Patches. Available patches are tabulated below.

System       Patch ID   Filename          BSD         SVR4
                                          Checksum    Checksum
-----------  ---------  ---------------   ---------   ----------
SunOS 4.1.x  100377-08  100377-08.tar.Z   05320 755   58761 1510
Solaris 2.1  100840-06  100840-06.tar.Z   59489 195   61100 390
Solaris 2.2  101077-06  101077-06.tar.Z   63001 179   28185 358
Solaris 2.3  101371-03  101371-03.tar.Z   27539 189   51272 377

The checksums shown above are from the BSD-based checksum
(on 4.1.x, /bin/sum; on Solaris 2.x, /usr/ucb/sum) and from
the SVR4 version on Solaris 2.x (/usr/bin/sum).

Some customers have reported that checksums on patch files
obtained via SunSolve (see section II.A) do not always match
the checksums shown in our Security Bulletins. This happens
because the checksums shown here are for the files uploaded
by us to ftp.uu.net, which are sometimes different--though
functionally equivalent--to the files created for SunSolve.
The checksums shown above should always match the files on
ftp.uu.net, unless a correction has been noted in the
"checksums" file we maintain there.

We will resolve this anomaly in the future. For the present,
we advise customers to check with their Answer Centers or this
office if a question of patch authenticity arises.
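
Each table entry pairs a 16-bit checksum with a block count, in 1024-byte blocks for the BSD sum and 512-byte blocks for the SVR4 sum. As an added example (not part of Sun's bulletin), this Python code recomputes both columns for a downloaded file; `check_patch` and `check_file` are names chosen here, and the rows in `PUBLISHED` are copied from the table above.

```python
# (BSD checksum, 1K blocks, SVR4 checksum, 512-byte blocks), from the table.
PUBLISHED = {
    "100377-08.tar.Z": (5320, 755, 58761, 1510),
    "100840-06.tar.Z": (59489, 195, 61100, 390),
    "101077-06.tar.Z": (63001, 179, 28185, 358),
    "101371-03.tar.Z": (27539, 189, 51272, 377),
}


def bsd_sum(data):
    """BSD sum: rotate the 16-bit total right one bit, then add each byte."""
    total = 0
    for byte in data:
        total = (total >> 1) | ((total & 1) << 15)
        total = (total + byte) & 0xFFFF
    return total, -(-len(data) // 1024)   # size rounded up to 1024-byte blocks


def sysv_sum(data):
    """SVR4 sum: add all bytes, then fold the carries back into 16 bits."""
    total = sum(data) & 0xFFFFFFFF
    folded = (total & 0xFFFF) + (total >> 16)
    return (folded & 0xFFFF) + (folded >> 16), -(-len(data) // 512)


def check_patch(name, data, table=PUBLISHED):
    """Compare file contents with the table row for name, column by column."""
    if name not in table:
        raise KeyError("%s is not listed in the bulletin" % name)
    bsd, bsd_blocks, sysv, sysv_blocks = table[name]
    return {
        "bsd": bsd_sum(data) == (bsd, bsd_blocks),
        "svr4": sysv_sum(data) == (sysv, sysv_blocks),
    }


def check_file(path, name):
    """Read a downloaded patch file and check it against its table row."""
    with open(path, "rb") as fh:
        return check_patch(name, fh.read())
```

Both sums are 16 bits wide, so a match shows the file survived the transfer intact; it is not evidence against deliberate modification.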


II. How to obtain Sun security patches

A. If you have a support contract

Customers with Sun support contracts can obtain the patches listed
here--and all other Sun security patches--from:

- Local Sun answer centers, worldwide
- SunSolve Online

Please refer to the bug ID and patch ID when requesting patches
from Sun answer centers.

You should also contact your answer center if you have a support
contract and:

- You need assistance in installing a patch
- You need additional patches
- You want an existing patch ported to another platform
- You believe you have encountered a bug in a Sun patch
- You want to know if a patch exists, or when one will be ready

B. If you do not have a support contract

Sun also makes its security patches available to customers who do
not have a support contract, via anonymous ftp:

- In the US, from /systems/sun/sun-dist on ftp.uu.net
- In Europe, from ~ftp/sun/fixes on ftp.eu.net

Patches announced in a Sun security bulletin are uploaded to these
two sites just before the bulletin is released, and seldom updated.
In contrast, the "supported" patch databases are refreshed nightly,
and will often contain newer versions of a patch incorporating
changes which are not security-related.


III. How to report or inquire about Sun security problems

If you discover a security problem with Sun software or wish to
inquire about a possible problem, contact one or more of the
following:

- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- This office. Address postal mail to:

Sun Security Coordinator
MS MPK2-04
2550 Garcia Avenue
Mountain View, CA 94043-1100

Phone: 415-688-9081
Fax: 415-688-9101
E-mail: security-alert@Sun.COM


IV. How to obtain Sun security bulletins

A. Subscription information

Sun Security Bulletins are available free of charge as part of
our Customer Warning System. It is not necessary to have a Sun
support contract in order to receive them.

To subscribe to this bulletin series, send mail to the address
"security-alert@Sun.COM" with the subject "subscribe CWS
[mail-address]" and a message body containing affiliation and contact
information. To request that your name be removed from the mailing
list, send mail to the same address with the subject "unsubscribe CWS
[mail-address]". Do not include other requests or reports in a
subscription message.

Due to the volume of subscription requests which we receive, we cannot
guarantee to acknowledge or execute requests which are not in the
format described above. Normally we will acknowledge your request
within 24 hours of receipt.

If you would like your bulletin delivered via postal mail or fax,
please contact this office directly to make arrangements.

B. Obtaining old bulletins

Recent bulletins (#119 and later) are archived on ftp.uu.net, in the
same directory as the patches. Many earlier bulletins are available
from SunSolve. Please try these sources first before contacting this
office for old bulletins.

------------