ADSM-L

Re: For those Security conscious people running AIX

2002-04-04 09:22:47
Subject: Re: For those Security conscious people running AIX
From: Gabriel Wiley <wileyg AT US.IBM DOT COM>
Date: Thu, 4 Apr 2002 09:19:21 -0500
Lisa,

I just upgraded another server to ML9 + yesterday..

I ordered the CD(s) in Feb.; when they arrived, they did not have the fileset.
(CD was ML9 as of 02/06/02)

It is an add on if you wish to call it that..

Gabriel C. Wiley
ADSM/TSM Administrator
AIX Support
Phone 1-614-308-6709
Pager  1-877-489-2867
Fax      1-614-308-6637
Cell       1-740-972-6441

Siempre Hay Esperanza




From: Lisa Cabanas <CABANL AT MODOT DOT NET>
Sent by: "ADSM: Dist Stor Manager" <[email protected]>
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: For those Security conscious people running AIX
Date: 04/03/2002 09:07 AM
Please respond to "ADSM: Dist Stor Manager"


I think what Justin said about having to do extra steps is right (needing
additional filesets, specifically)-- I am at ML9, but when I look at the
levels of the filesets, they are still below what is indicated as being
unaffected, and the instfix doesn't show that APAR.

bummer.

lisa



From: Gabriel Wiley <wileyg AT US DOT IBM.COM>
Sent by: "ADSM: Dist Stor Manager" <ADSM-L AT VM DOT MARIST.EDU>
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: For those Security conscious people running AIX
Date: 04/02/2002 04:13 PM
Please respond to "ADSM: Dist Stor Manager"

I can't tell you if it was fixed in ML8; we went from ML3 to ML9 overnight
(or a very long weekend)..

The security people waved it in my face the other day and said get it
fixed.

Since we are at ML9 + there was no need, it was already there.

If you go to the software website it says you need to install 388 or so
filesets to be legit.. (Wrong, not in this env.)

There have been buffer overflow issues in every version of AIX so far..

Problem Summary

The tsm family of commands (tsm, getty, login) does not properly validate
the port name entered on the command line. This can allow unprivileged
users to become root.


Gabriel C. Wiley
ADSM/TSM Administrator
AIX Support
Phone 1-614-308-6709
Pager  1-877-489-2867
Fax      1-614-308-6637
Cell       1-740-972-6441

Siempre Hay Esperanza



From: Justin Derrick <jderrick@CANADA.COM>
Sent by: "ADSM: Dist Stor Manager" <[email protected]>
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: For those Security conscious people running AIX
Date: 04/02/2002 03:16 PM
Please respond to "ADSM: Dist Stor Manager"

I think I had to install this separately at a client site because it
required a few steps in order to take proper effect...  But to be
absolutely clear, this isn't Tivoli Storage Manager related.  For some
reason, the 'login' program on AIX is a link (an alias, if you will) to the
'tsm' program, which, again, has nothing to do with Tivoli Storage Manager.

-JD.
>Isn't/Wasn't this taken care of in ML8?
>
>
>
>From: Gabriel Wiley <wileyg AT US DOT IBM.COM>
>Sent by: "ADSM: Dist Stor Manager" <ADSM-L AT VM DOT MARIST.EDU>
>To: ADSM-L AT VM.MARIST DOT EDU
>Subject: For those Security conscious people running AIX
>Date: 04/02/2002 12:14 PM
>Please respond to "ADSM: Dist Stor Manager"
>
>If you are not aware .. FYI ****
>
>SECURITY: MULTIPLE BUFFER OVERFLOW VULNERABILITIES IN TSMLOGIN
>
>Created:                      01/04/2002 at 03:22 PM
>Published Date:               01/04/2002
>OS or Applications Affected:  AIX
>Versions Affected:            4.3
>Severity:                     Medium
>APAR/Patch ID:                IY26443
>Workaround Available?:        No
>
>Run this command to see if you have it:
>
>instfix -ik IY26443
>
>      or
>
>instfix -ick IY26443
>
>Keyword:Fileset:ReqLevel:InstLevel:Status:Abstract
>Y26443:bos.rte.security:4.3.3.79:4.3.3.79:=:SECURITY: Multiple buffer overflow vulnerabilities in tsmlogin
>
>Gabriel C. Wiley
>ADSM/TSM Administrator
>AIX Support
>Phone 1-614-308-6709
>Pager  1-877-489-2867
>Fax      1-614-308-6637
>Cell       1-740-972-6441
>
>Siempre Hay Esperanza
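An added example, not from any of the posters above, of the check the quoted advisory describes: a POSIX sh script that parses the colon-separated listing `instfix -ick IY26443` prints and flags every fileset whose installed level is below the required level, which is the situation Lisa reports. It does not run instfix itself; the listing is a constructed sample, and the fileset names other than bos.rte.security are placeholders.

```shell
#!/bin/sh
# Added example: parse the Keyword:Fileset:ReqLevel:InstLevel:Status:Abstract
# report that `instfix -ick <APAR>` prints and decide per fileset whether the
# fix is really present, comparing installed and required VRMF levels.

# vrmf_lt A B: succeed (exit 0) when dotted level A is lower than level B.
vrmf_lt() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# fileset_status LINE: print OK, DOWNLEVEL or NOTINSTALLED for one report line.
fileset_status() {
    printf '%s\n' "$1" | {
        IFS=: read -r _kw fs req inst _st _abs
        if [ -z "$inst" ]; then
            printf 'NOTINSTALLED %s (need %s)\n' "$fs" "$req"
        elif vrmf_lt "$inst" "$req"; then
            printf 'DOWNLEVEL %s (have %s, need %s)\n' "$fs" "$inst" "$req"
        else
            printf 'OK %s (%s)\n' "$fs" "$inst"
        fi
    }
}

# apar_missing LISTING: print every fileset that still needs the APAR
# (nothing is printed when all filesets are at or above the required level).
apar_missing() {
    printf '%s\n' "$1" | grep -v '^Keyword:' | while IFS= read -r line; do
        fileset_status "$line"
    done | grep -v '^OK'
}

# Constructed sample in instfix -ick format (not real command output): the
# first line mirrors the one quoted in the thread; the two placeholder
# filesets show a down-level and a not-installed case.
SAMPLE='Keyword:Fileset:ReqLevel:InstLevel:Status:Abstract
IY26443:bos.rte.security:4.3.3.79:4.3.3.79:=:SECURITY: Multiple buffer overflow vulnerabilities in tsmlogin
IY26443:bos.example.one:4.3.3.76:4.3.3.50:-:SECURITY: Multiple buffer overflow vulnerabilities in tsmlogin
IY26443:bos.example.two:4.3.3.51::!:SECURITY: Multiple buffer overflow vulnerabilities in tsmlogin'

apar_missing "$SAMPLE"
```

On a real system the listing would come from `instfix -ick IY26443`, and only an empty result means every fileset the APAR touches is at or above the fixed level.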