[Veritas-bu] VMD Buffer Overflow patch

2005-11-21 09:12:44
From: jack.l.forester AT lmco DOT com (Jack L. Forester, Jr.)
Date: Mon, 21 Nov 2005 09:12:44 -0500
Has anyone heard if this fix is going to be rolled into MP4 for 5.1?

Nardello, John wrote:

>Took a while to dig this info up - you'd think something this important
>would be in bold flashing letters at the top or something....
>
>From the NB_CLT_51_3S2_M patch release notes,
>http://seer.support.veritas.com/docs/280098.htm
>---------------------
>Etrack Incident = ET494041 ET494466 ET498548 
>Description: 
>A vulnerability has been confirmed in the NetBackup Volume Manager
>daemon (vmd). By sending a specially crafted packet to the Volume
>Manager, a stack overflow occurs. This is caused by improper bounds
>checking. 
>Exploitation does not require authentication, thereby allowing a remote
>attacker to take over the system or disrupt the backup capabilities. 
>Further testing and code inspection has revealed that all other
>NetBackup 5.1 daemons are potentially affected in the same manner. 
>Therefore, any Master Servers, Media Servers, CLIENTS and Console
>machines at this version level are subject to this vulnerability.
>However, NetBackup 5.1 database agents are not affected by this issue. 
>---------------------
>
>Looking at the .cab file, it's applying new bpcd, bpfis, bpinetd,
>bpjava_msvc, bpjava_usvc, mtfrd, and ssm executables, plus a new
>netbackup.dll and version file. I expect the UNIX patch has much the
>same stuff. 
>
>Going by this, you have to patch everything. Again. =) 
>
>- John Nardello
>
>-----Original Message-----
>From: veritas-bu-admin AT mailman.eng.auburn DOT edu
>[mailto:veritas-bu-admin AT mailman.eng.auburn DOT edu] On Behalf Of Williams,
>Kristopher L
>Sent: Saturday, November 12, 2005 11:00 AM
>To: Veritas-bu AT mailman.eng.auburn DOT edu
>Subject: RE: [Veritas-bu] VMD Buffer Overflow patch
>
>
>From what I can tell, the problem really isn't just with VMD, it's with
>a shared library that VMD uses. Other things use that same library, so
>I'm thinking both the clients and master/media servers need to be
>upgraded.
>
>I've opened a support call, but it seems like I keep getting different
>answers from them. It sure would be nice for Veritas/Symantec to give a
>definitive answer on something that is so important. Below is the
>technote where I got my info. Check it out and see if you read it the
>same way I do.
>
>
>http://seer.support.veritas.com/docs/279553.htm
>
>http://support.veritas.com/docs/280091 
>
>
>Thanks,
>
>Kris 
>
>-----Original Message-----
>From: James Pattinson [mailto:jamesp AT hisser DOT org] 
>Sent: Friday, November 11, 2005 10:46 AM
>To: Williams, Kristopher L; Veritas-bu AT mailman.eng.auburn DOT edu
>Subject: Re: [Veritas-bu] VMD Buffer Overflow patch
>
>Hi
>
>There is no vmd on a client so I think we are ok!
>
>Cheers
>
>James
>
>Williams, Kristopher L wrote:
>
>>I'm sure everyone is aware of the latest security patch release for NB
>>5.0 and 5.1.
>> 
>>Has anyone figured out yet if both clients and master/media servers 
>>need to be patched? For the sake of long nights of patching, I certainly 
>>hope it's just the master/media servers!
>> 
>> 
>>Thanks guys,
>> 
>> 
>>Kris


-- 
Jack L. Forester, Jr.
UNIX Systems Administrator, Stf
Lockheed Martin Information Technology
(304) 625-3946

