============================================================================= SUN MICROSYSTEMS SECURITY BULLETIN: #00133, 8 March 1996 ============================================================================= BULLETIN TOPICS In this bulletin Sun summarizes the status of security work with regard to two related UNIX components, sendmail and BIND/DNS. We survey existing patches and explain our plans for the near future, for both Solaris 2.x (SunOS 5.x) and Solaris 1.x (SunOS 4.1.x). None of the patches or vulnerabilities discussed here are new; however, not all have been announced in previous bulletins. In addition, we detail here a few improvements to the Customer Warning System. I. Status of sendmail and BIND security work II. Vulnerabilities closed by this work III. Estimated dates of release for upcoming patches IV. List of Current Sendmail Patches V. Checksum Table VI. Changes to the Customer Warning System APPENDICES A. How to obtain Sun security patches B. How to report or inquire about Sun security problems C. How to obtain Sun security bulletins or short status updates Send Replies or Inquiries To: Mark Graff Sun Security Coordinator MS MPK17-103 2550 Garcia Avenue Mountain View, CA 94043-1100 Phone: 415-786-5274 Fax: 415-786-7994 E-mail: security-alert@Sun.COM ----------- Permission is granted for the redistribution of this Bulletin for the purpose of alerting Sun customers to problems, as long as the Bulletin is not edited and is attributed to Sun Microsystems. Any other use of this information without the express written consent of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all liability for any misuse of this information by any third party. ============================================================================= SUN MICROSYSTEMS SECURITY BULLETIN: #00133, 8 March 1996 ============================================================================= I. Status of sendmail and BIND security work Sun's plan with regard to both sendmail and BIND is to move all supported releases towards the latest versions produced by the authors of the software (Eric Allman and Paul Vixie, respectively). That is, we are migrating Sun's versions of these programs away from our traditional proprietary versions (based on old public versions) and towards the publicly available versions (to which we will apply proprietary enhancements and bug fixes). It is a matter of applying our changes to the authors' newest versions, rather than applying the authors' changes to our base. This new scheme will ensure that the software we sell has the latest features and security fixes designed by the program authors, and also is in sync with software used by Sun customers in mixed shops. In the case of sendmail, we began the switch in 1994. The version shipped with SunOS 5.5 was based on Eric Allman's sendmail 8.6.12. Current patches for SunOS 5.4 and 5.3 are also based on 8.6.12, and we have almost completed a parallel backport of 8.6.x for supported versions of SunOS 4.1.3, 4.1.3_U1, and 4.1.4. When that backport is complete, the V5-based sendmails originally released with 4.1.x systems will no longer be supported; all Solaris sendmails will be V8-based. With regard to BIND, we are moving towards incorporation of the fixes and features found in BIND 4.9.3. In the case of SunOS 5.5, 5.5_x86, 5.4, 5.4_x86, 5.3, 4.1.4, 4.1.3_U1, and 4.1.3, the changes will be in the form of patches. For the upcoming SunOS 5.6 and 5.5.1 releases, we expect that the changes will be incorporated into the software at FCS; failing that, we will release patches soon after FCS. See Section III of this bulletin for a list of estimated patch release dates. II. Vulnerabilities closed by this work Several advisories by Sun, CERT, and other security teams have described security weaknesses in sendmail and BIND. Most of the problems result from design choices, and are common to every major vendor's release. Recent bulletins discussing these security vulnerabilities include CERT CA-96.02 (15 February 1996) and CERT CA-96.04 (22 February 1996). In general the latest problems center around intruders being able to cause BIND (and other name servers) to provide incorrect name data. Programs which make use of the information (especially those which do not verify it) may in some cases be tricked into allowing remote access to unauthorized users, or root access by either local or remote users. Over the years Sun has patched a dozen or so security holes in sendmail which were not related to DNS. Our currently available sendmail patches address all of the security problems we are aware of, except those involving DNS. These latter problems will be fixed in the upcoming patches discussed in Section III. III. Estimated dates of release for upcoming patches We present here good-faith estimates of the delivery dates for all related upcoming patches. Note that as of this writing both SunOS 5.5.1 nor SunOS 5.6 are yet to be released. (SunOS 5.5.1 is a version of SunOS which will accommodate some of our newest hardware platforms.) The estimates listed below for SunOS 5.6, 5.5.1, 5.5, and 5.4 also apply, respectively, to the corresponding "x86" releases. For example, we expect to issue patches for SunOS 5.5_x86 at the same time as SunOS 5.5. A. BIND/DNS fixes Here are our estimates for the availability of 4.9.3 BIND features and fixes. In the case of SunOS 5.x, a "fix" means we deliver a new version of libresolv, in.named, and nslookup. Note that we may find it necessary to make minor API changes for backwards compatibility. For SunOS 4.1.x, a "fix" means we deliver a new ypserv as well as a V8-based sendmail, statically linked with a 4.9.3-based libresolv. (As shown in Section B, the sendmail patches will precede ypserv.) OS version Est. date ---------- --------- 5.6 in 5.6 FCS release 5.5.1 in 5.5.1 FCS release 5.5 May '96 5.4 May '96 5.3 May '96 4.1.4 Jun '96 4.1.3_U1 Jun '96 4.1.3 Jun '96 B. Sendmail fixes Here are our estimates for the availability of fixes incorporating into sendmail more strenuous checks against name-server-based attacks. Note that the upcoming SunOS 4.1.x patches will represent the first backport of sendmail 8.6.x to those platforms, and will probably be assigned new patch numbers (instead of being recorded as revisions of the existing patches). OS version Est. date ---------- --------- 5.6 in 5.6 FCS release 5.5.1 in 5.5.1 FCS release 5.5 Apr '96 5.4 Apr '96 5.3 Apr '96 4.1.4 May '96 4.1.3_U1 May '96 4.1.3 May '96 IV. List of Current Sendmail Patches Until the patches listed above are available, Sun recommends that every customer run the following sendmail patches on their systems. A. Current sendmail patches The latest sendmail patch for each supported version of SunOS is shown below. All current SunOS 5.x patches are based on sendmail V8; all SunOS 4.1.x patches are currently based on sendmail V5. Note that no sendmail patches exists for SunOS 5.5 and SunOS 5.5_x86. All earlier fixes were built into these releases. OS version Patch ID Released ---------- --------- --------- 5.4_x86 102064-05 19 Jan 96 5.4 102066-06 19 Jan 96 5.3 101739-08 19 Jan 96 4.1.4 102423-04 5 Oct 95 4.1.3_U1 101665-07 5 Oct 95 4.1.3 100377-22 5 Oct 95 Patch 100377-22 was issued jointly for SunOS 4.1.3 and SunOS 4.1.3c. B. Obsolete sendmail patches The following sendmail patches are now obsolete, and will no longer be maintained. Each is superseded by a patch listed above. OS version Patch ID Date Released ---------- --------- ------------- 5.4_x86 102320-01 26 May 95 5.4 102319-01 26 May 95 5.3 101235-01 1 May 95 5.3 (sic) 101371-04 9 Feb 94 4.1.4 102356-01 22 Feb 95 4.1.3_U1 101436-08 28 Oct 94 4.1.3 100224-13 28 Oct 94 V. Checksum Table In the checksum table we show the BSD and SVR4 checksums and MD5 digital signatures for the compressed tar archives. File BSD SVR4 MD5 Name Checksum Checksum Digital Signature --------------- ----------- ---------- -------------------------------- 102064-05.tar.Z 08423 335 16923 669 2816EF17F40E2FA5E8260CD98D349875 102066-06.tar.Z 62613 385 52067 770 666E6D6075E40D2BFDB539830EF1BCDA 101739-08.tar.Z 60842 385 28595 770 369D4E0758672ADCDAD2219179B8A062 102423-04.tar.Z 40900 216 33691 432 022B546A882B42FF826FE28429B2EDD8 101665-07.tar.Z 44656 216 37045 431 86F942F8CCBAD905AB2AE8CA33490D2B 100377-22.tar.Z 39051 214 58206 427 7B55564E6104FABAD7283DAE1CDD3D4A The checksums shown above are from the BSD-based checksum (on 4.1.x, /bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version on on SunOS 5.x (/usr/bin/sum). VI. Changes to the Customer Warning System Lately we have updated the CWS in several respects. First, we have automated the handling of bulletin subscriptions. Second, we now have in place a modest query system by which customers can look up the status of security fixes in progress, or retrieve previous Sun Security Bulletins. An expanded, WWW-based version is planned for later this year. See Appendix C for details. Finally, we are discontinuing support of the old "security patch" sites ftp.uu.net and ftp.eu.net. These sites, set up long before SunSolve and SunSite were in existence, were innovative at the time but are now seldom used. Further (because patches were uploaded "manually") they are now almost always out of date. We will not be uploading any more security patches to them in the future, although we have no plans to remove the patches which are already there. APPENDICES A. How to obtain Sun security patches 1. If you have a support contract Customers with Sun support contracts can obtain any patches listed in this bulletin (and any other patches--and a list of patches) from: - SunSolve Online - Local Sun answer centers, worldwide - SunSITEs worldwide The patches are available via World Wide Web at http://sunsolve1.sun.com. You should also contact your answer center if you have a support contract and: - You need assistance in installing a patch - You need additional patches - You want an existing patch ported to another platform - You believe you have encountered a bug in a Sun patch - You want to know if a patch exists, or when one will be ready 2. If you do not have a support contract Customers without support contracts may now obtain security patches, "recommended" patches, and patch lists via SunSolve Online. Sun does not furnish patches to any external distribution sites other than the ones mentioned here. The ftp.uu.net and ftp.eu.net sites are no longer supported. 3. About the checksums So that you can quickly verify the integrity of the patch files themselves, we supply in each bulletin checksums for the tar archives. Occasionally, you may find that the listed checksums do not match the patches on the SunSolve or SunSite database. This does not necessarily mean that the patch has been tampered with. More likely, a non-substantive change (such as a revision to the README file) has altered the checksum of the tar file. The SunSolve patch database is refreshed nightly, and will sometimes contain versions of a patch newer than the one on which the checksums were based. In the future we plan to provide checksum information for the individual components of a patch as well as the compressed archive file. This will allow customers to determine, if need be, which file(s) have been changed since we issued the bulletin containing the checksums. In the meantime, if you would like assistance in verifying the integrity of a patch file please contact this office or your local answer center. B. How to report or inquire about Sun security problems If you discover a security problem with Sun software or wish to inquire about a possible problem, contact one or more of the following: - Your local Sun answer centers - Your representative computer security response team, such as CERT - This office. Address postal mail to: Sun Security Coordinator MS MPK17-103 2550 Garcia Avenue Mountain View, CA 94043-1100 Phone: 415-786-5274 Fax: 415-786-7994 E-mail: security-alert@Sun.COM We strongly recommend that you report problems to your local Answer Center. In some cases they will accept a report of a security bug even if you do not have a support contract. An additional notification to the security-alert alias is suggested but should not be used as your primary vehicle for reporting a bug. C. How to obtain Sun security bulletins or short status updates 1. Subscription information Sun Security Bulletins are available free of charge as part of our Customer Warning System. It is not necessary to have a Sun support contract in order to receive them. To receive information or to subscribe or unsubscribe from our mailing list, send mail to security-alert@sun.com with a subject line containing one of the following commands. Subject Information Returned/Action Taken ------- --------------------------------- HELP An explanation of how to get information LIST A list of current security topics QUERY [topic] The mail containing the question is relayed to a Security Coordinator for a response. REPORT [topic] The mail containing the text is treated as a security bug report and forwarded to a Security Coordinator for handling. Please note that this channel of communications does not supersede the use of Sun Solution Centers for this purpose. Note also that we do not recommend that detailed problem descriptions be sent in plain text. SEND topic Summary of the status of selected topic. (To retrieve a Sun Security Bulletin, supply the number of the bulletin, as in "SEND #103".) SUBSCRIBE Sender is added to the CWS (Customer Warning System) list. The subscribe feature requires that the sender include on the subject line the word "cws" and the reply email address. So the subject line might look like the following: SUBSCRIBE cws graff@sun.com UNSUBSCRIBE Sender is removed from the CWS list. Should your email not fit into one of the above subjects, a help message will be returned to you. Due to the volume of subscription requests we receive, we cannot guarantee to acknowledge requests. Please contact this office if you wish to verify that your subscription request was received, or if you would like your bulletin delivered via postal mail or fax. 2. Obtaining old bulletins Sun Security Bulletins are available via the security-alert alias and on SunSolve. Please try these sources first before contacting this office for old bulletins. ------------