ECO NUMBER: SSRT035901_OSF1030B
-----------

PRODUCT: Digital UNIX Operating System
--------

UPDATED PRODUCT: Digital UNIX Operating System 3.0B
----------------

APPRX BLCK SIZE: 9047
----------------

SOURCE: Digital Equipment Corporation
        Author: Software Security Response Team
        Op/SYS: DEC OSF/1 V3.0b
        COMPONENT: Security

A potential security vulnerability has been identified with syslog internal buffering for DEC OSF/1. A second potential security vulnerability has been identified with disabled accounts for DEC OSF/1 running C2 enhanced security. A number of non-security related problem fixes have also been supplied with this ECO. Refer to the README file for more details.

PROBLEM:

These potential vulnerabilities may, under certain circumstances, allow users to gain unauthorized access or allow authorized users to gain unauthorized privileges.

SOLUTION:

Digital has corrected these potential vulnerabilities and provided a kit containing new binaries. The binaries are identified below:

DEC OSF/1 KIT
-------------

SSRT035901_OSF1030B.tar.Z

ECO ID                  Image names within the tar file   Checksum
------------------      -------------------------------   -------------
SSRT035901_OSF1030B     /sbin/date                        56506    256
                        /sbin/loader                      34208    168
                        /sbin/init                        47290    176
                        /usr/include/rpcsvc/ypclnt.h      58184      5
                        /usr/sbin/getty                   45750    160
                        /usr/sbin/rlogind                 45681     32
                        /usr/ccs/lib/libc.a               40226   4778
                        /usr/ccs/lib/libc_r.a             02201   2803
                        /usr/shlib/libc.so                48996   1728
                        /usr/shlib/libc_r.so              43961   1102
                        /usr/ccs/lib/libsecurity.a        30806   1180
                        /usr/shlib/libsecurity.so         11814    424

and the text files:

        ./README.SSRT035901_OSF1030B

AVAILABILITY:

For software service contract or warranty customers this kit can be obtained through your normal Digital support channels.

Note: Non-contract/non-warranty customers should contact your local Digital support channels for information regarding the kit.
APPLICABILITY:

Digital Equipment Corporation strongly urges customers to upgrade to a minimum of DEC OSF/1 V3.0, then apply the Security ECO.

As always, Digital urges you to periodically review your system management and security procedures. Digital will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems.

INSTALLATION NOTES:

This ECO is a compressed tar image and once uncompressed the following files are available:

NOTE: If you receive this ECO on media from the Digital Software Supply Distribution Center it will be in uncompressed format rather than a compressed tar as indicated above.

        ./date
        ./loader
        ./init
        ./getty
        ./rlogind
        ./ypclnt.h
        ./libc.a
        ./libc_r.a
        ./libsecurity.a
        ./libc.so
        ./libc_r.so
        ./libsecurity.so
        ./README.SSRT035901_OSF1030B

A reboot is required in order to have the currently running processes use the new shared library.

Copyright Digital Equipment Corporation 1996. All Rights reserved.

This software is proprietary to and embodies the confidential technology of Digital Equipment Corporation. Possession, use, or copying of this software and media is authorized only pursuant to a valid written license from Digital or an authorized sublicensor.

This ECO has not been through an exhaustive field test process. Due to the experimental stage of this ECO/workaround, Digital makes no representations regarding its use or performance. The customer shall have the sole responsibility for adequate protection and back-up of data used in conjunction with this ECO/workaround.
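Before copying the unpacked kit files over the installed binaries, a practitioner would check them against the checksums the advisory lists. The script below is an added example and is not part of the Digital advisory or kit; it assumes the two numbers in the advisory's Checksum column are the checksum and block count printed by sum(1), that the kit has been uncompressed and untarred into one directory, and that the files inside the tar carry the base names of the installed paths (as the installation notes list them). The manifest values are transcribed from the advisory's table; the directory name and the helper function names are the example's own.

```shell
#!/bin/sh
# Added example: verify unpacked ECO kit files against the advisory's checksums.
# Not part of the DEC advisory. Assumes the "Checksum" column holds the
# checksum and block count as printed by sum(1).

# Expected values transcribed from the advisory's kit table, keyed by the
# base name of each file as it appears inside the tar archive.
SSRT035901_MANIFEST='date 56506 256
loader 34208 168
init 47290 176
ypclnt.h 58184 5
getty 45750 160
rlogind 45681 32
libc.a 40226 4778
libc_r.a 02201 2803
libc.so 48996 1728
libc_r.so 43961 1102
libsecurity.a 30806 1180
libsecurity.so 11814 424'

# sum_of FILE: print "checksum blocks" for FILE. Feeding sum(1) on stdin
# keeps the file name out of the output whatever the implementation does.
sum_of() {
    sum < "$1" | awk '{ printf "%s %s\n", $1, $2 }'
}

# verify_kit DIR MANIFEST: return 0 when every file named in MANIFEST exists
# in DIR and its checksum matches, 1 otherwise. Block counts are reported but
# not enforced, because sum(1) implementations differ in block size; the
# checksum itself is compared as a string, so leading zeros (02201) must be
# kept exactly as the advisory prints them.
verify_kit() {
    kit_dir=$1
    manifest=$2
    status=0
    # A here-document keeps the loop in the current shell, so "status" survives.
    while read -r name want_sum want_blocks; do
        [ -n "$name" ] || continue
        path="$kit_dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            status=1
            continue
        fi
        set -- $(sum_of "$path")
        got_sum=$1
        got_blocks=$2
        if [ "$got_sum" = "$want_sum" ]; then
            echo "OK       $name sum=$got_sum blocks=$got_blocks (advisory lists $want_blocks)"
        else
            echo "MISMATCH $name expected sum $want_sum, got $got_sum"
            status=1
        fi
    done <<EOF
$manifest
EOF
    return $status
}

# Usage: verify_kit /path/to/unpacked/kit "$SSRT035901_MANIFEST"
# Install the kit only if the function returns 0 (no MISSING or MISMATCH lines).
```

Run it from the directory into which the tar was unpacked; any MISSING or MISMATCH line means the kit is incomplete or altered and should be obtained again through the support channel before installation.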