Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!metro!metro!asstdc.scgt.oz.au!nsw.news.telstra.net!act.news.telstra.net!psgrain!newsfeed.internetmci.com!in3.uu.net!omega.metrics.com!omega.metrics.com!not-for-mail
From: polk@BSDI.COM
Newsgroups: comp.unix.bsd.bsdi.announce
Subject: BSDI: New patches for BSD/OS 2.1, all security related
Followup-To: comp.unix.bsd.bsdi.misc
Date: 5 Sep 1996 08:16:03 -0400
Organization: Software Metrics Inc.
Lines: 77
Sender: tomh@omega.metrics.com
Approved: tomh@metrics.com
Message-ID: <50mga3$2s3@omega.metrics.com>
NNTP-Posting-Host: omega.metrics.com

There are several new patches available from the patches@bsdi.com server
or via the ftp archive at ftp://ftp.bsdi.com/bsdi/patches/patches-2.1

These patches (U210-021, U210-022, and U210-023) fix security problems in
rlogin, bash, and libXt respectively. The holes closed by these patches are
all exploitable only by users with accounts on the local system. The libXt
problem in particular has received some press over the last few days, and an
exploitation program (which exploits the hole via the setuid X program
``xterm'') is available on the Internet.

The libXt patch replaces both the shared and normal versions of the Xt
library. Any programs linked against the shared version of the library are
fixed by installing the patch. This includes all of the potentially
exploitable programs shipped as part of the BSD/OS release.

The U210-021 patch for rlogin comes in two flavors -- the D210-021 version
of the patch is for people who have installed and are running Kerberos (from
the Domestic floppy). The U210-021 version of the patch is for customers in
the US and Canada not using Kerberos, and for all other international
customers. You should only need to install one version of this patch.

Jeff

--
 /\      Jeff Polk          Berkeley Software Design, Inc. (BSDI)
/\/ \    polk@BSDI.COM      5575 Tech Center Dr. #110, Colo Spgs, CO 80919

===================================================================
PATCH: U210-021 D210-021

SUMMARY: This patch fixes a vulnerability with rlogin.

THE D210-021 VERSION OF THIS PATCH IS FOR THE KERBEROS PACKAGE FROM THE
DOMESTIC FLOPPY. IT CONTAINS DES CODE AND MAY NOT BE LEGALLY EXPORTED FROM
THE UNITED STATES WITHOUT A SPECIFIC LICENSE.

md5 checksum: 710f30873d4199cb9cc8f1ed95c8f205 U210-021
md5 checksum: c3e1249337942bf5656b99f5ddbd3267 D210-021

===================================================================
PATCH: U210-022

SUMMARY: A security vulnerability exists in bash 1.14.5, which was shipped
with BSD/OS 2.1. This patch replaces that version with bash 1.14.7.

md5 checksum: 1d6ea7a97e27f45967e762916e0e5aea U210-022

===================================================================
PATCH: U210-023

SUMMARY: A security vulnerability exists in the Xt library distributed with
BSD/OS 2.1. This vulnerability can be and has been exploited via setuid-root
programs such as xterm. The enclosed replacements for the shared and
un-shared Xt libraries fix the problem.

md5 checksum: 30990e1e8eeb70f26a20df54fb5d01cc U210-023

===================================================================

--
[ /tom haapanen -- tomh@metrics.com -- software metrics inc -- waterloo, ont ]
[ "until the lions have their own historians,                               ]
[  tales of hunting will always glorify the hunter."       -- zulu proverb  ]
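As an added example (not part of the BSDI posting), a POSIX shell helper that checks a downloaded patch file against the md5 checksums published in the summaries above and refuses to proceed on a mismatch; it assumes either GNU md5sum or BSD md5 is on PATH, and the file and patch-id arguments are supplied by the administrator.

```shell
#!/bin/sh
# Verify a BSD/OS 2.1 patch file against the checksum the vendor published,
# so a corrupted or substituted download is caught before it is installed.

# Published checksums, copied from the patch summaries in the announcement.
expected_md5() {
    case "$1" in
        U210-021) echo 710f30873d4199cb9cc8f1ed95c8f205 ;;
        D210-021) echo c3e1249337942bf5656b99f5ddbd3267 ;;
        U210-022) echo 1d6ea7a97e27f45967e762916e0e5aea ;;
        U210-023) echo 30990e1e8eeb70f26a20df54fb5d01cc ;;
        *) return 1 ;;   # unknown patch id: no checksum to compare against
    esac
}

# Print the md5 of a file using whichever tool the host provides.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        echo "no md5 tool found" >&2
        return 2
    fi
}

# verify_md5 FILE EXPECTED: exit 0 on match, 1 on mismatch or missing file.
verify_md5() {
    [ -f "$1" ] || return 1
    actual=$(file_md5 "$1") || return 1
    [ "$actual" = "$2" ]
}

# verify_patch FILE PATCHID: look up the published checksum and compare.
verify_patch() {
    sum=$(expected_md5 "$2") || { echo "unknown patch id: $2" >&2; return 1; }
    if verify_md5 "$1" "$sum"; then
        echo "$2: checksum OK"
    else
        echo "$2: CHECKSUM MISMATCH, do not install $1" >&2
        return 1
    fi
}

# Typical use: verify_patch ./U210-022 U210-022 && sh ./U210-022
```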