| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
| 8745.1 |  | BSS::BOREN |  | Wed Feb 12 1997 19:14 | 50 | 
|  | Subj:	**UPDATE: rlogin security information (patches) as of 8.feb.1997
                     *** DIGITAL INTERNAL USE ONLY ***
DATE: 08.FEB.1997				
Title/Problem Summary: ** UPDATE: ** DIGITAL UNIX and ULTRIX (rlogin) 
******************************************************************************
* This message supersedes the previous message dated 04.FEB.1997 to properly *
* identify the status of solutions to rlogin (case SSRT0416U)  identified in *
* the CERT(sm) advisory CA-97.06 dated 06.FEB.1997.                          *
******************************************************************************
   The previous message also included what was believed to be an accumulative
   fix for rlogin addressing cases SSRT0416U and SSRT0430U; it turns out the
   SSRT0430U case solution is not yet available. The problem identified in case
   SSRT0430U is not related to the problem defined in the current CERT rlogin
   advisory. This problem and the availability of patches will be covered in a
   separate communication.
   I apologize for any problems caused by the previous mail; at the time it
   was believed to be correct.
===============================================================================
0416 U UEG rlogin -                  		Status as of 08.FEB.1997 
===============================================================================
  DIGITAL UNIX Patch Status:
   V4.0    - OSF400-074        - Patch currently available, V4.0 patch kit
   V4.0A   - OSF405-400074     - Patch currently available, V4.0A patch kit
   V4.0B   - Patch not required - Fix is in the V4.0B release.

   V3.2C   - OSF350-275        - Patch currently available, V3.2C patch kit
   V3.2D-1 / V3.2E-1
           - OSF360-350275     - Patch currently available, V3.2DE-1 patch kit
   V3.2D-2 / V3.2E-2
           - OSF365-350275     - Patch currently available, V3.2DE-2 patch kit
   V3.2F   -                   - PATCH NOT YET AVAILABLE
   V3.2G   -                   - PATCH NOT YET AVAILABLE
  Patch Status:  ULTRIX V4.4 & V4.5 (VAX & MIPS) patches are in progress
                 but not yet available; they are expected very soon.
                 An update will be sent with pointers as they become available.
===============================================================================
 | 
| 8745.2 |  | BSS::BOREN |  | Tue Mar 04 1997 18:14 | 45 | 
|  | RE: 8745.* & SSRt0430U rlogin problem
    
		RLOGIN and Security issue CASE ID SSRT0430U TERMINATED
Subj:	*UA* Info - UPDATE - RLOGIN CASE ID SSRT0430U
The information in the attached mail concerning CASE ID SSRT0430 for rlogin
has been terminated.  It was discovered that this particular problem must be
fixed with a change in the documentation and man pages for RLOGIN.
Engineering has this action and will complete the doc changes according to
established procedures.
                                    --o--
RE: Attached.
DATE: 04.FEB.1997
Title/Problem Summary: Security for DIGITAL UNIX and ULTRIX (rlogin)
                     *** DIGITAL INTERNAL USE ONLY ***
      PROBLEM: Recently Reported Potential Security Vulnerabilities
               For Digital UNIX and ULTRIX Operating Systems.
      RESOLUTION/WORKAROUND:
   This is an advance informational message of pending advisories
   for reported "potential" security vulnerabilities to DIGITAL UNIX and 
   ULTRIX rlogin.
<snip>
.
.
.
===============================================================================
0430 U UEG rlogin -                                          	25-Oct-1996
===============================================================================
  Patch Status: 21-Jan-1997
  Other:
  -----
  V3.2c-OSF-310 
  V3.2de1-OSF360-350310 
  V3.2de2-OSF360-350310 
  V3.2f - OSF370-350310 
  V3.2g - OSF375-350310 
  V4.0 - OSF400-134     
  V4.0a - OSF405-400134 
  V4.0b - OSF410-400134 
                
 | 
| 8745.3 | the man page change is in hosts.equiv(4) | SMURF::MENNER | it's just a box of Pax.. | Tue Mar 04 1997 23:33 | 1 | 
|  |     
 | 
| 8745.4 | clarification please | KAOFS::G_STOFKO |  | Wed Mar 05 1997 14:02 | 12 | 
|  |     So, what do I tell my V3.2G customer that has been waiting for this ?
    .1 says  V3.2G   -PATCH NOT YET AVAILABLE
    .2 says  V3.2g - OSF375-350310  (where is this ??) 
    and that this problem is corrected by a man page change ?
    
    Meanwhile, the V3.2G patch directory on guru/oskits has not been updated 
    for 5 months.
    
    Could we please get a clarification.
    
    Thanks
    George CSC/Canada
 | 
| 8745.5 |  | BSS::BOREN |  | Wed Mar 05 1997 21:11 | 11 | 
|  |     re: .4  good question - we've been waiting as well.  the only option we
    have is sending requests to reng :^) asking for when............
    
    The patch ID for v3.2g is what should be valid searching for this patch
    after it gets built/updated. It's not there yet, nor v3.2f, but the
    rest are available from the various patch files.
    
    Hopefully the 3.2f&g kits will be out soon.
    
    rich
    
 | 
| 8745.6 | a clarification (hopefully) | SMURF::MENNER | it's just a box of Pax.. | Thu Mar 06 1997 00:38 | 18 | 
|  |     The reported problem was that a username in the hosts.equiv file
    allowed that user access to any local user without being prompted
    for a passwd.  This is known/correct behaviour.  By including
    a username in the hosts.equiv file you are effectively saying this
    is a trusted user.
    
    e.g.,
    
    host1 user1
    
    Allows user1 from host1 access to any user (aside from root) on the system
    where the hosts.equiv file resides. I believe this was originally done for 
    tasks like remote backup.  The point is only root can modify 
    /etc/hosts.equiv.  If you don't want this behaviour don't include a 
    username in hosts.equiv.  Removing this feature has the distinct
    possibility of breaking scripts which *purposefully* take advantage
    of this feature. Other UNIXes also support this (e.g. Solaris, Ultrix)  
                
 | 
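The hosts.equiv semantics described in 8745.6 (a `host user` line lets that remote user in as any non-root local account with no password) are easy to audit for. The following is an added example, not code from the Notes thread or from Digital: a small Python auditor that parses hosts.equiv text and grades each entry by how much trust it grants. It assumes the classic line format of an optional leading `+`/`-`, a hostname or `@netgroup`, and an optional username field; the sample file is constructed. It generalises slightly beyond the thread by also flagging the bare `+` wildcard host.

```python
"""Audit /etc/hosts.equiv for entries that grant password-less rlogin/rsh trust.

Added example (not from the Notes thread or from Digital). Assumes the classic
hosts.equiv line format:  [+|-]hostname|@netgroup  [[-]username|@netgroup]
Behaviour graded here follows the thread: a username field means that remote
user may log in as ANY local user except root without a password.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input; not a real file from any system.
SAMPLE_HOSTS_EQUIV = """\
# constructed sample /etc/hosts.equiv
host1 user1
host2
+
-badhost
@backupnet
host3 @opers
"""


@dataclass
class Entry:
    lineno: int
    host: str
    user: Optional[str]
    negated: bool
    severity: str   # "high", "medium" or "info"
    reason: str


def _classify(host: str, user: Optional[str], negated: bool) -> Tuple[str, str]:
    """Map one parsed entry to a severity and a human-readable reason."""
    if negated:
        return "info", "explicit deny entry; grants nothing"
    if user is not None and user.startswith("-"):
        return "info", f"user {user[1:]!r} on {host} is explicitly denied"
    if user is not None:
        who = f"netgroup {user[1:]}" if user.startswith("@") else f"user {user!r}"
        where = "ANY host" if host == "+" else host
        # This is the SSRT0430U behaviour the thread calls known/correct.
        return "high", f"{who} from {where} may log in as any non-root local user, no password"
    if host == "+":
        return "high", "any host trusted: same-named accounts log in with no password"
    return "medium", f"accounts on {host} log in to same-named local accounts, no password"


def parse_hosts_equiv(text: str) -> List[Entry]:
    """Parse hosts.equiv text into graded entries; comments and blanks are skipped."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host_field = fields[0]
        user = fields[1] if len(fields) > 1 else None
        negated = host_field.startswith("-")
        # A leading '+' or '-' on a multi-character host field is a modifier;
        # a lone '+' is the wildcard host and is kept as-is.
        host = host_field[1:] if host_field[0] in "+-" and len(host_field) > 1 else host_field
        severity, reason = _classify(host, user, negated)
        entries.append(Entry(lineno, host, user, negated, severity, reason))
    return entries


def risky_entries(entries: List[Entry]) -> List[Entry]:
    """Return only the entries an administrator should review first."""
    return [e for e in entries if e.severity == "high"]


if __name__ == "__main__":
    for e in parse_hosts_equiv(SAMPLE_HOSTS_EQUIV):
        print(f"line {e.lineno}: [{e.severity}] {e.reason}")
```

Run it against a real file by reading `/etc/hosts.equiv` into `parse_hosts_equiv`; only root can modify that file, as 8745.6 notes, so every `high` entry it reports was put there deliberately and should be confirmed against whatever script (remote backup, for example) depends on it before being removed.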
| 8745.7 | RE: 8745.6 speaks to SSRT0430U ONLY | BSS::BOREN |  | Thu Mar 06 1997 08:37 | 13 | 
|  |  RE: Note 8745.6 by SMURF::MENNER -< a clarification (hopefully) >
    
    
    Note the previous explanation is for CASE ID SSRT0430U, for which remedials
    have been terminated.
    
    It is not related to case SSRT0416U, which requires remedial patches be
    delivered to customers, and has patches available for the affected
    versions, except V3.2g & v3.2f 
    
    rich
    
    
 | 
| 8745.8 | Thanks, I guess we'll keep waiting. | KAOFS::G_STOFKO |  | Thu Mar 06 1997 09:51 | 1 | 
|  |     
 | 
| 8745.9 | Not in the public FTP area? | NETRIX::"[email protected]" | John McNulty | Mon Mar 10 1997 10:15 | 18 | 
|  | I note that none of the patches that are available are in the 
public security FTP area:
	ftp://ftp.service.digital.com/pub/osf
This is becoming a major embarrassment for us.  Customers are 
questioning the value of searching this FTP site at all, as
some patches are there, others they've heard about are not,
and it's increasingly difficult to browse because there are
no README style overviews for the directory contents.
I appreciate you guys are busy, but please can you either
keep this information source up to date, or remove it. Half
correct/current information is worse than none at all.
John
 
[Posted by WWW Notes gateway]
 | 
| 8745.10 | OSF375-350310 not in new patch kit | KAOFS::G_STOFKO |  | Mon Mar 24 1997 13:37 | 5 | 
|  |     Now that the V3.2G dupatch kit is out (DUV32GAS00001-19970314.tar)
    I still don't see the security patch quoted in .0 (OSF375-350310)
    Does anyone know if this exists ?
    
    George CSC/Canada
 | 
| 8745.11 | Try patch #124 | SMURF::FENSTER | Yaacov Fenster - System Engineering, Troubleshooting and other m | Mon Mar 24 1997 19:25 | 1 | 
|  |     Try patch #124 in the patch kit. It seems to be replacing rlogin.
 | 
| 8745.12 |  | KAOFS::G_STOFKO |  | Tue Mar 25 1997 09:32 | 2 | 
|  |     Thanks.
    I guess they must have changed the patch number.
 |