-----------------------------------------------------------------------------
          SUN MICROSYSTEMS SECURITY BULLETIN: #00125, 23 December 93
-----------------------------------------------------------------------------

BULLETIN TOPICS

This bulletin does not discuss any new security problems. We are
announcing the availability of a new set of patches for a known set of
holes.

     I. Sendmail patch
        A. Resolution
        B. Configuration file notes
        C. List of platforms, operating system versions, and patches
    II. How to obtain Sun security patches
        A. If you have a support contract
        B. If you do not have a support contract
   III. How to report or inquire about Sun security problems
    IV. How to obtain Sun security bulletins
        A. Subscription information
        B. Obtaining old bulletins

Send Replies or Inquiries To:

        Sun Security Coordinator
        MS MPK2-04
        2550 Garcia Avenue
        Mountain View, CA 94043-1100
        Phone:  415-688-9081
        Fax:    415-688-9101
        E-mail: security-alert@Sun.COM

-----------

Permission is granted for the redistribution of this Bulletin for the
purpose of alerting Sun customers to problems, as long as the Bulletin
is not edited and is attributed to Sun Microsystems. Any other use of
this information without the express written consent of Sun
Microsystems is prohibited. Sun Microsystems expressly disclaims all
liability for any misuse of this information by any third party.

-----------------------------------------------------------------------------

I. Sendmail

   A. Resolution

      This new set of sendmail patches fixes several security holes
      which came to light after the release of our 21 October set.
      Aside from 101352-02, a forthcoming x86-based patch which
      corresponds to the SPARC-based patches being released today, no
      further security-related sendmail patches are planned at this
      time. Our plans for 101352-02 are described in section I.C.1
      below.

      We have included with these patches a new set of sample
      configuration files. These illustrate the use of the "%l"
      operator, a feature from the Solaris 2.x sendmail which, with
      these patches, is now available in the 4.1.x sendmail as well. No
      changes have been made to the documented Solaris 2.x
      functionality.

      The new set of patches is available on ftp.uu.net now. The
      patches will be available via all Sun-supported access channels
      within 24 hours. See section II for a discussion of distribution
      channels.

   B. Configuration file notes

      1. Any 4.1.x customers who are currently running an FCS
         (unpatched) sendmail may need to change sendmail configuration
         files on "subsidiary" systems when installing 100377-08. This
         is because the interpretation of the "%y" operator underwent a
         small undocumented change in sendmail patch 100377-04. In
         addition, those 4.1.x customers who implemented workarounds in
         response to that change (which many did not encounter until
         they installed the highly publicized 100377-07) may wish to
         adapt their configuration files to use the new "%l" operator.
         However, any configuration file which worked correctly under
         100377-07 will continue to work under -08.

         No configuration file changes are needed on Solaris 2.x
         systems.

      2. The following instructions describe how to adapt your 4.1.x
         configuration files to use the "%l" operator. For more
         detailed information please refer to the Solaris 2.x sendmail
         documentation or your local Answer Center.

         a. If you used the workaround suggested in our bulletin #123,
            you added a line to the configuration file on subsidiary
            systems, such as "DYhosts.byname", which had the effect of
            defining a %Y operator. To use the new %l (local) operator
            instead, delete the above line and change all references
            to "%Y" to refer to "%l" instead.

         b. If you are currently using the sample subsidiary.cf file,
            unchanged, as your configuration file (/etc/sendmail.cf),
            you may substitute the new sendmail.subsidiary.cf file
            distributed with this patch. It incorporates the "%l"
            operator. You could also use the new sample as a base,
            applying to it the same local changes you made to the last
            sample.

         c. In adapting any customized configuration file, follow the
            principle of replacing "%y" with "%l" whenever the
            reference is to a machine which is inside the current
            domain.

      3. On 4.1.x systems it is necessary to recreate the frozen
         configuration file, then kill and restart sendmail, for
         changes to /etc/sendmail.cf to take effect. The command

             /usr/lib/sendmail -bz

         will recreate the frozen configuration file. When restarting
         sendmail be sure to supply the appropriate command line
         options. You can get these either from your rc.local file or
         via a command like "ps -auxw | grep sendmail".

         Please direct any comments or questions to your local answer
         center.

   C. List of platforms, operating system versions, and patches

      1. Platforms. This new set of patches covers the sun3 and sun4
         platforms. A corresponding patch for the x86 platform,
         101352-02, is in the last stages of testing. It will be
         available early in January 1994, and will be announced in a
         bulletin similar to this one. We recommend that x86 customers
         who have not already done so install the previous patch,
         101352-01, until 101352-02 is ready.

      2. OS Versions. Sendmail patches are available for the following
         versions of the operating system: 4.1.1, 4.1.2, 4.1.3, 5.1
         (Solaris 2.1), 5.2 (Solaris 2.2), and 5.3 (Solaris 2.3).
         Customers running 4.1.3c can use the 4.1.3 patch. No patches
         will be produced for SunOS 4.1, or earlier versions such as
         4.0.3. Running the 4.1.1 sendmail on a 4.1 system is not a
         supported configuration and we cannot recommend it.
         Many customers who have tried it report that it works
         satisfactorily, despite the many error messages (displayed
         when the program starts up) complaining about old library
         versions. For further information on this subject please
         contact your local answer center.

      3. Patches. Available patches are tabulated below.

         System        Patch ID   Filename          BSD          SVR4
                                                    Checksum     Checksum
         ------        --------   ---------------   ----------   ----------
         SunOS 4.1.x   100377-08  100377-08.tar.Z   05320  755   58761 1510
         Solaris 2.1   100840-06  100840-06.tar.Z   59489  195   61100  390
         Solaris 2.2   101077-06  101077-06.tar.Z   63001  179   28185  358
         Solaris 2.3   101371-03  101371-03.tar.Z   27539  189   51272  377

         The checksums shown above are from the BSD-based checksum (on
         4.1.x, /bin/sum; on Solaris 2.x, /usr/ucb/sum) and from the
         SVR4 version on Solaris 2.x (/usr/bin/sum).

         Some customers have reported that checksums on patch files
         obtained via SunSolve (see section II.A) do not always match
         the checksums shown in our Security Bulletins. This happens
         because the checksums shown here are for the files uploaded by
         us to ftp.uu.net, which are sometimes different from (though
         functionally equivalent to) the files created for SunSolve.
         The checksums shown above should always match the files on
         ftp.uu.net, unless a correction has been noted in the
         "checksums" file we maintain there. We will resolve this
         anomaly in the future. For the present, we advise customers to
         check with their Answer Centers or this office if a question
         of patch authenticity arises.

II. How to obtain Sun security patches

   A. If you have a support contract

      Customers with Sun support contracts can obtain the patches
      listed here, and all other Sun security patches, from:

        - Local Sun answer centers, worldwide
        - SunSolve Online

      Please refer to the bug ID and patch ID when requesting patches
      from Sun answer centers.
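      The checksum table in section I.C.3 is the only integrity check
      the bulletin offers for patch files fetched from ftp.uu.net. The
      following is an added example, not part of the original bulletin
      and not Sun's code: a Python script that recomputes both
      checksums for a local copy of a patch archive and compares them
      with the table. The two algorithms are the classic BSD sum
      (rotate-right-by-one and add, sizes in 1K blocks, as printed by
      /bin/sum and /usr/ucb/sum) and the SVR4 sum (32-bit byte sum
      folded to 16 bits, sizes in 512-byte blocks, as printed by
      /usr/bin/sum); GNU coreutils implements the same two as "sum -r"
      and "sum -s". The table dictionary and the verify_patch function
      are this example's own construction; the values in the table are
      transcribed from the bulletin.

```python
"""Recompute BSD and SVR4 'sum' checksums for a Sun patch archive and compare
them with the values printed in Sun Security Bulletin #00125, section I.C.3.
Added example; not Sun's code and not part of the original bulletin."""
import sys

# Expected values transcribed from the bulletin's table:
# filename -> (BSD checksum, BSD 1K-block count,
#              SVR4 checksum, SVR4 512-byte-block count)
BULLETIN_CHECKSUMS = {
    "100377-08.tar.Z": (5320, 755, 58761, 1510),
    "100840-06.tar.Z": (59489, 195, 61100, 390),
    "101077-06.tar.Z": (63001, 179, 28185, 358),
    "101371-03.tar.Z": (27539, 189, 51272, 377),
}


def bsd_sum(data):
    """BSD checksum (/bin/sum, /usr/ucb/sum, GNU 'sum -r'): rotate the 16-bit
    accumulator right by one bit, then add the next byte.  The size is
    reported in 1024-byte blocks, rounded up."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    blocks = (len(data) + 1023) // 1024
    return checksum, blocks


def sysv_sum(data):
    """SVR4 checksum (/usr/bin/sum, GNU 'sum -s'): 32-bit byte sum folded to
    16 bits with end-around carry, folded twice so a carry produced by the
    first fold is absorbed.  The size is reported in 512-byte blocks,
    rounded up."""
    total = sum(data) & 0xFFFFFFFF
    folded = (total & 0xFFFF) + (total >> 16)
    checksum = (folded & 0xFFFF) + (folded >> 16)
    blocks = (len(data) + 511) // 512
    return checksum, blocks


def format_bsd(checksum, blocks):
    """Render as the BSD sum does: five-digit zero-padded checksum, blocks."""
    return f"{checksum:05d} {blocks:5d}"


def format_sysv(checksum, blocks):
    """Render as the SVR4 sum does: unpadded checksum, then blocks."""
    return f"{checksum} {blocks}"


def verify_patch(filename, data, table=BULLETIN_CHECKSUMS):
    """Compare both checksums of `data` with the table row for `filename`.
    'ok' is True only when both algorithms agree with the table.  A mismatch
    on either means the file is not the one the bulletin describes (or was
    corrupted in transfer) and should be confirmed before installation."""
    exp_bsd, exp_bsd_blocks, exp_sysv, exp_sysv_blocks = table[filename]
    bsd = bsd_sum(data)
    sysv = sysv_sum(data)
    bsd_ok = bsd == (exp_bsd, exp_bsd_blocks)
    sysv_ok = sysv == (exp_sysv, exp_sysv_blocks)
    return {
        "filename": filename,
        "bsd": format_bsd(*bsd),
        "svr4": format_sysv(*sysv),
        "bsd_ok": bsd_ok,
        "svr4_ok": sysv_ok,
        "ok": bsd_ok and sysv_ok,
    }


if __name__ == "__main__":
    # Usage: python verify_patch.py /path/to/100377-08.tar.Z
    # The basename must be one of the table keys.
    path = sys.argv[1]
    name = path.rsplit("/", 1)[-1]
    with open(path, "rb") as fh:
        report = verify_patch(name, fh.read())
    print(f"{report['filename']}: BSD {report['bsd']}  SVR4 {report['svr4']}  "
          f"{'MATCH' if report['ok'] else 'MISMATCH'}")
```

      Both algorithms yield a 16-bit value and are not collision
      resistant: they detect truncation or accidental corruption in
      transfer, not deliberate substitution of an archive. That is why
      the bulletin's advice to confirm a doubtful file with an Answer
      Center or the security office remains the authoritative check
      for authenticity, and the script above is a first filter rather
      than a proof of origin.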
      You should also contact your answer center if you have a support
      contract and:

        - You need assistance in installing a patch
        - You need additional patches
        - You want an existing patch ported to another platform
        - You believe you have encountered a bug in a Sun patch
        - You want to know if a patch exists, or when one will be ready

   B. If you do not have a support contract

      Sun also makes its security patches available to customers who do
      not have a support contract, via anonymous ftp:

        - In the US, from /systems/sun/sun-dist on ftp.uu.net
        - In Europe, from ~ftp/sun/fixes on ftp.eu.net

      Patches announced in a Sun security bulletin are uploaded to
      these two sites just before the bulletin is released, and seldom
      updated. In contrast, the "supported" patch databases are
      refreshed nightly, and will often contain newer versions of a
      patch incorporating changes which are not security-related.

III. How to report or inquire about Sun security problems

   If you discover a security problem with Sun software or wish to
   inquire about a possible problem, contact one or more of the
   following:

     - Your local Sun answer centers
     - Your representative computer security response team, such as
       CERT
     - This office. Address postal mail to:

           Sun Security Coordinator
           MS MPK2-04
           2550 Garcia Avenue
           Mountain View, CA 94043-1100
           Phone:  415-688-9081
           Fax:    415-688-9101
           E-mail: security-alert@Sun.COM

IV. How to obtain Sun security bulletins

   A. Subscription information

      Sun Security Bulletins are available free of charge as part of
      our Customer Warning System. It is not necessary to have a Sun
      support contract in order to receive them.

      To subscribe to this bulletin series, send mail to the address
      "security-alert@Sun.COM" with the subject

          subscribe CWS [mail-address]

      and a message body containing affiliation and contact
      information. To request that your name be removed from the
      mailing list, send mail to the same address with the subject

          unsubscribe CWS [mail-address]

      Do not include other requests or reports in a subscription
      message. Due to the volume of subscription requests which we
      receive, we cannot guarantee to acknowledge or execute requests
      which are not in the format described above. Normally we will
      acknowledge your request within 24 hours of receipt.

      If you would like your bulletin delivered via postal mail or fax,
      please contact this office directly to make arrangements.

   B. Obtaining old bulletins

      Recent bulletins (#119 and later) are archived on ftp.uu.net, in
      the same directory as the patches. Many earlier bulletins are
      available from SunSolve. Please try these sources first before
      contacting this office for old bulletins.

------------