SunOS Open Windows V3


          _____________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                          Information Bulletin
 
      New patch for OpenWindows V.3 available for SunOS systems
 
December 12 1630 PST 1991				     Number C-10
_________________________________________________________________________
PROBLEM: A vulnerability in OpenWindows V.3 can be exploited to gain 
	 unauthorized root access.
PLATFORM: OpenWindows, version 3 
DAMAGE: Allows unauthorized root access with unrestricted access to the 
	system
SOLUTION: Apply Sun Patch ID: 100448-01 available from Sun or ftp.uu.net
_________________________________________________________________________
	      Critical Facts about OpenWindows V.3 patch

CIAC has learned from Sun Microsystems Inc. that it has a security
vulnerability in its OpenWindows V 3.0 product that should be
corrected immediately.  CIAC advises that you replace the exploitable
executable file with the patch described below.  Please note that Sun
only supports this product on sun4 and sun4c architectures running
SunOS 4.1.1.  The product is not available for sun3 architectures.

The README file included with the patch has specific installation
instructions that you should read and understand before you attempt
installation.

Below is an excerpt from an alert distributed by SUN providing
additional information on this patch.
--------------------------------------------------------------------------
   Sun Bug ID  : 1076118
   Sun Patch ID: 100448-01
   Checksum of compressed tarfile 100448-01.tar.Z on ftp.uu.net = 04354   5 

   Sun advises that you replace the exploitable executable file with
   the appropriate replacement provided in the patch.  Please refer to
   the patch's README file for more information.

   All patches listed are available through local Sun answer centers
   worldwide as well as through anonymous ftp:  in the US, ftp to ftp.uu.net 
   and obtain the patch from the ~ftp/sun-dist directory; in Europe, ftp to 
   mcsun.eu.net and obtain the patch from the ~ftp/sun/fixes
   directory.  Please refer to the BugID and PatchID when requesting
   patches from Sun answer centers.
--------------------------------------------------------------------------
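
The checksum quoted in the Sun alert above can be checked against a
downloaded copy of the tarfile before installation. The following is an
added example, not part of the bulletin or of Sun's patch; it assumes the
published figure is the output of the BSD-style sum utility (a 16-bit
rotating checksum printed in decimal, followed by the size in 1024-byte
blocks), and the function names are hypothetical.

```python
"""Added example: BSD-style `sum` check for a downloaded patch file.

Assumption: the published value is the output of the BSD `sum` utility
(16-bit rotating checksum in decimal, then size in 1024-byte blocks).
"""
import sys


def bsd_sum(data: bytes) -> tuple[int, int]:
    """Return (checksum, blocks) as BSD `sum` computes them."""
    checksum = 0
    for byte in data:
        # Rotate the 16-bit accumulator right by one bit, then add the byte.
        checksum = (checksum >> 1) | ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    blocks = (len(data) + 1023) // 1024  # size rounded up to 1 KB blocks
    return checksum, blocks


def parse_published(text: str) -> tuple[int, int]:
    """Parse a published 'CHECKSUM BLOCKS' pair such as '04354   5'."""
    fields = text.split()
    if len(fields) != 2 or not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError(f"not a 'checksum blocks' pair: {text!r}")
    return int(fields[0], 10), int(fields[1], 10)


def matches(data: bytes, published: str) -> bool:
    """True only if both the checksum and the block count agree."""
    return bsd_sum(data) == parse_published(published)


if __name__ == "__main__":
    # Usage: python bsdsum_check.py 100448-01.tar.Z "04354   5"
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            ok = matches(fh.read(), sys.argv[2])
        print("MATCH" if ok else "MISMATCH: do not install")
        sys.exit(0 if ok else 1)
    # Constructed sample data (not the real patch) to show the arithmetic.
    sample = b"ab"
    print("%05d %5d" % bsd_sum(sample))
```

A 16-bit checksum of this kind catches a damaged or truncated transfer; it
is not a cryptographic digest and does not show that the file came from Sun.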


For additional information or assistance, please contact CIAC:

     David Brown
     (510)423-9878** or (FTS) 543-9878
     (FAX) (510) 423-8002** or (FTS) 543-8002
     dsbrown@llnl.gov		

Send e-mail to ciac@llnl.gov or call CIAC at 

     (510) 422-8193**/(FTS)532-8193.  

**Note area code has changed from 415, although the 415 area code will
work until Jan. 1992.

PLEASE NOTE:  Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Some of the other teams include the NASA NSI response team,
DARPA's CERT/CC, NAVCIRT, and the Air Force response team.  Your
agency's team will coordinate with CIAC.

CIAC would like to thank Ken Pon at Sun Microsystems for providing
some of the information described in this bulletin.  Neither the
United States Government nor the University of California nor any of
their employees, makes any warranty, expressed or implied, or assumes
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, product, or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor
the University of California, and shall not be used for advertising or
product endorsement purposes.

