Description
This article is from the Security Patches FAQ, by Christopher Klaus cklaus@iss.net with numerous contributions by
others.
3 - Particular Vulnerabilities (Security Patches) p1
Ftp
Check the Sendmail Patches
IBM Corporation
A possible security exposure exists in the bos.obj sendmail subsystem in all
AIX releases.
The user can cause arbitrary data to be written into the sendmail queue
file. Non-privileged users can affect the delivery of mail, as well as run
programs as other users.
Workaround
A. Apply the patch for this problem. The patch is available from
software.watson.ibm.com. The files are located in the /pub/aix/sendmail
directory in compressed tar format. The MD5 checksum for the binary file is
listed below, along with the ordinary "sum" checksum.
File              sum      MD5 Checksum
----              ---      ------------
sendmail.tar.Z    35990    e172fac410a1b31f3a8c0188f5fd3edb
B. The official fix for this problem can be ordered as Authorized Program
Analysis Report (APAR) IX49257.
To order an APAR from IBM in the U.S. call 1-800-237-5511 and ask for
shipment as soon as it is available (in approximately two weeks). APARs may
be obtained outside the U.S. by contacting a local IBM representative.
Motorola Computer Group (MCG)
The following MCG platforms are vulnerable:
R40
R32 running CNEP add-on product
R3 running CNEP add-on product
The following MCG platforms are not vulnerable:
R32 not including CNEP add-on product
R3 not including CNEP add-on product
R2
VMEEXEC
VERSADOS
The patch is available and is identified as "patch_43004 p001" or
"SCML#5552". It is applicable to OS revisions from R40V3 to R40V4.3. For
availability of patches for other versions of the product contact your
regional MCG office at the numbers listed below.
Obtain and install the appropriate patch according to the instructions
included with the patch.
The patch can be obtained through anonymous ftp from ftp.mcd.mot.com
[144.191.210.3] in the pub/patches/r4 directory. The patch can also be
obtained via sales and support channels. Questions regarding the patch
should be forwarded to sales or support channels.
For verification of the patch file:
Results of sum -r == 27479 661
sum == 32917 661
md5 == 8210c9ef9441da4c9a81c527b44defa6
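The check described by the published "sum -r", "sum" and md5 values, as an added example (not part of the original FAQ or any vendor's tooling). It assumes the block counts are in 512-byte units; the names bsd_sum, sysv_sum, blocks and verify are illustrative.

```python
import hashlib
import sys

def bsd_sum(data: bytes) -> int:
    """16-bit rotating checksum, the algorithm behind `sum -r`."""
    c = 0
    for b in data:
        c = (c >> 1) | ((c & 1) << 15)   # rotate right by one bit
        c = (c + b) & 0xFFFF
    return c

def sysv_sum(data: bytes) -> int:
    """System V `sum`: total of all bytes, folded down to 16 bits."""
    s = sum(data) & 0xFFFFFFFF
    r = (s & 0xFFFF) + (s >> 16)
    return (r & 0xFFFF) + (r >> 16)

def blocks(data: bytes, block_size: int = 512) -> int:
    """Block count printed next to the checksum (512 is an assumption)."""
    return -(-len(data) // block_size)   # ceiling division

def verify(data: bytes, published: dict, block_size: int = 512) -> list:
    """Return the names of the published values that do NOT match."""
    n = blocks(data, block_size)
    actual = {
        "sum_r": (bsd_sum(data), n),
        "sum": (sysv_sum(data), n),
        "md5": hashlib.md5(data).hexdigest(),
    }
    return sorted(k for k, v in published.items() if actual[k] != v)

# Values listed above for the MCG patch file.
MCG_PUBLISHED = {
    "sum_r": (27479, 661),
    "sum": (32917, 661),
    "md5": "8210c9ef9441da4c9a81c527b44defa6",
}

if __name__ == "__main__":
    # Usage: python verify_patch.py <downloaded patch file>
    with open(sys.argv[1], "rb") as f:
        bad = verify(f.read(), MCG_PUBLISHED)
    print("MISMATCH: " + ", ".join(bad) if bad else "all published values match")
    sys.exit(1 if bad else 0)
```

The two 16-bit sums only catch accidental transfer corruption, so a file should be installed only when the md5 value matches as well.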
Contact numbers for Sales and Support for MCG:
United States (Tempe, Arizona)
Tel: +1-800-624-0077
Fax: +1-602-438-3865
Europe (Brussels, Belgium)
Tel: +32-2-718-5411
Fax: +32-2-718-5566
Asia Pacific / Japan (Hong Kong)
Tel: +852-966-3210
Fax: +852-966-3202
Latin America / Australia / New Zealand (U.S.)
Tel: +1 602-438-5633
Fax: +1 602-438-3592
Open Software Foundation
The local vulnerability described in the advisory can be exploited in OSF's
OSF/1 R1.3 (this is different from DEC's OSF/1). Customers should apply the
relevant portions of CERT's fix to their source base. For more information
please contact OSF's support organization at osf1-defect@osf.org.
 