I issued a security bulletin Monday about rdist and /etc/utmp. Since then a few
questions have come up, mostly over private email. I thought I would summarize
them here to save everyone (but especially me) some trouble.
1. Several people have pointed out that the Sun bulletin said that Solaris 1.1.1
(4.1.3_U1) is not vulnerable to the /etc/utmp attacks, but that the CERT
bulletin said the reverse. The Sun bulletin is correct and the CERT bulletin is,
on this point only, inaccurate. The discrepancy was missed both by CERT
reviewers and by me. Certainly we all regret the confusion.
2. The installation instructions for the rdist patch recommend renaming the
old executable and changing permissions on the obsolete version to 100. Of
course there is no particular advantage to leaving it executable, even by
root, so 000 would probably be a better choice. (Patch number 100383-06.)
3. The installation instructions on the syslogd patch do not point out that,
until you stop and restart syslogd (or reboot the system), the old version is
still running and the security hole has not been closed. (Patch 100909-02.)
4. The most important point concerns file checksums. The bulletin shows
checksums (and, for the first time, md5 values) for the compressed tar files
on ftp.uu.net and ftp.eu.net. This will be different, lamentably, from the
checksums for the files you might obtain via the sunsolve service. The
discrepancy results from a difference in the way the tar files are handled
inside of Sun and do not indicate that the files have been tampered with.
I recognize that this state of affairs is inconvenient and (because it would
make it harder to detect any tampering in the future) risky; I will resolve
this as soon as I can. In the meantime please continue to contact
the legitimacy of the patch files.
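To illustrate point 4 concretely, here is an added example (not part of the original bulletin, and not Sun's tooling): two tar archives holding identical member contents but different archive metadata produce different whole-archive md5 values, while per-member digests still agree, and a genuinely modified member is caught by both checks. The member contents are constructed samples, not real patch files.

```python
import hashlib
import io
import tarfile

# Constructed sample "patch" contents; not a real Sun patch.
MEMBERS = {
    "README": b"Install instructions for the rdist patch (constructed sample).\n",
    "rdist": b"\x7fELF-placeholder-binary\n",
}


def build_tar(members, mtime):
    """Return the bytes of an uncompressed tar of `members`, every header stamped with `mtime`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(members.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime  # only the header changes; member bytes stay the same
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def member_digests(tar_bytes):
    """md5 of each regular member's contents, keyed by member name."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for info in tar.getmembers():
            if info.isfile():
                out[info.name] = md5_hex(tar.extractfile(info).read())
    return out


def verify_archive(tar_bytes, published_md5):
    """Whole-archive check as a bulletin publishes it: True only on an exact match."""
    return md5_hex(tar_bytes) == published_md5


def compare_channels(tar_a, tar_b):
    """(archives byte-identical?, member contents identical?) for two copies of a patch."""
    return md5_hex(tar_a) == md5_hex(tar_b), member_digests(tar_a) == member_digests(tar_b)


if __name__ == "__main__":
    same_contents = build_tar(MEMBERS, 0), build_tar(MEMBERS, 1000)
    print(compare_channels(*same_contents))  # archives differ, contents match
```

A member-level match only shows the two copies carry the same files; it does not replace the published whole-archive value, which is the check a defender should still insist on.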
As far as points #2 and #3 go, we will probably change the README files at
some point. But I don't plan to upload compressed tar files with the
new README files because they would necessarily have different checksums
and I think the result would be more confusion rather than less.
place to go to get copies of the bulletin or subscribe to the mailing list.