ECO NUMBER:       SSRT038301_DUNIX1032D2
-----------
PRODUCT:          Digital UNIX Operating System
--------
UPDATED PRODUCT:  Digital UNIX Operating System 3.2D
----------------
APPRX BLCK SIZE:  190
----------------

SOURCE:          Digital Equipment Corporation
Author:          Software Security Response Team
Op/SYS:          Digital UNIX (DEC OSF/1)
Kit Applies To:  V3.0, V3.0b, V3.2, V3.2b, V3.2c, V3.2d1, V3.2d2

COMPONENT:       Security - DIGITAL UNIX (rpc.statd)

A potential security vulnerability has been identified with rpc.statd
that may allow unauthorized file access from unauthorized system users.

PROBLEM:

This potential vulnerability may, under certain circumstances, allow
users to gain unauthorized access to privileged files remotely.

SOLUTION:

Digital has corrected this potential vulnerability and provided a kit
containing new binaries. The contents are identified below:

ECO ID                   Image names within the tar file   Checksum
----------------------   -------------------------------   --------
SSRT038301_DUNIX1032D2   ./rpc.statd_v30                   62059 40
                         ./rpc.statd_v30b                  62059 40
                         ./rpc.statd_v32                   15854 40
                         ./rpc.statd_v32b                  14302 40
                         ./rpc.statd_v32c                  62608 40
                         ./rpc.statd_v32d1                 58072 40
                         ./rpc.statd_v32d2                 58072 40

and the text files:

                         ./README.SSRT038301_DUNIX1032D2
                         ./SSRT038301_DUNIX1032D2.cvr_ltr  ! this document

AVAILABILITY:

For software service contract or warranty customers, this kit can be
obtained through your normal Digital support channels.

Note: Non-contract/non-warranty customers should contact their local
Digital support channels for information regarding the kit.

APPLICABILITY:

Digital Equipment Corporation strongly urges Customers to upgrade to a
minimum of DEC OSF/1 V3.0, then apply the Security ECO.

As always, Digital urges you to periodically review your system
management and security procedures. Digital will continue to review and
enhance the security features of its products and work with customers to
maintain and improve the security and integrity of their systems.

INSTALLATION NOTES:

This ECO is a compressed tar image and once uncompressed the following
files are available:

NOTE: If you receive this ECO on media from the Digital Software Supply
Distribution Center it will be in uncompressed format rather than a
compressed tar as indicated above.

Image names within the tar file   Checksum
-------------------------------   --------
./rpc.statd_v30                   62059 40
./rpc.statd_v30b                  62059 40
./rpc.statd_v32                   15854 40
./rpc.statd_v32b                  14302 40
./rpc.statd_v32c                  62608 40
./rpc.statd_v32d1                 58072 40
./rpc.statd_v32d2                 58072 40

A reboot is required. Refer to the README files for additional
installation details.

Copyright Digital Equipment Corporation 1996. All Rights reserved.

This software is proprietary to and embodies the confidential technology
of Digital Equipment Corporation. Possession, use, or copying of this
software and media is authorized only pursuant to a valid written
license from Digital or an authorized sublicensor.

This ECO has not been through an exhaustive field test process. Due to
the experimental stage of this ECO/workaround, Digital makes no
representations regarding its use or performance. The customer shall
have the sole responsibility for adequate protection and back-up data
used in conjunction with this ECO/workaround.