
Title: Security Enhanced Kit for DECNET-ULTRIX
Released by: DEC
Date: 17th March 1994
SOURCE:  Digital Equipment Corporation  - ( DSIN / DSNlink FLASH MAIL )
         Software Security Response Team                             17.MAY.94

PRODUCT: ULTRIX        Versions 4.3, 4.3A, V4.4
         DECnet-ULTRIX Version 4.2
         DEC OSF/1     Versions 1.2, 1.3, 1.3A, 2.0

SUBJECT:  Security Enhanced Kit for DECNET-ULTRIX V4.2, ULTRIX V4.3 (VAX/RISC),
          ULTRIX V4.3A (RISC), ULTRIX V4.4 (VAX/RISC),
          ULTRIX Worksystem Software and DEC OSF/1 V1.2 - V2.0

IMPACT:   Potential security vulnerabilities exist where, under certain
          circumstances, user access or privilege may be expanded.

SOLUTION: ULTRIX: Upgrade/Install ULTRIX to a minimum of V4.4 and install the
          Security Enhanced Kit

          DEC OSF/1: Upgrade/Install to a minimum of V1.2 and install
          the Security Enhanced Kit

          [Note: In the text below, Digital identifies OSF/1 V2.0 as the
          minimum. Digital has confirmed that 2.0 is correct. --CERT staff]


These kits are available from Digital Equipment Corporation by contacting your
normal Digital support channel or by request via DSNlink for electronic

Digital has discovered the existence of potential security vulnerabilities in
the ULTRIX V4.3, V4.3a, V4.4 and DEC OSF/1 V1.2, V1.3, V2.0 Operating Systems,
and DECnet-ULTRIX V4.2.  These potential vulnerabilities were discovered as a
result of evaluating recent reports of potential security vulnerabilities
which were distributed on the INTERNET and as a result of Digital's continued
engineering efforts.  The solutions to these vulnerabilities have been
included in the next release of ULTRIX and DEC OSF/1.

The kits have been created to correct potential security vulnerabilities
which, under certain circumstances, may expand user access or privilege.

Digital Equipment Corporation strongly urges Customers to upgrade to a
minimum of ULTRIX V4.4 and DEC OSF/1 V2.0 then apply the Security Enhanced

        - Please refer to the applicable Release Note information prior to
          upgrading your installation.




CSCPAT_4060  V1.0   ULTRIX    V4.3 thru V4.4  (Includes DECnet-ULTRIX V4.2)
CSCPAT_4061  V1.0   DEC OSF/1 V1.2 thru V2.0

         These kits will not install on versions previous to ULTRIX V4.3
         or DEC OSF/1 V1.2.




The ULTRIX Security Enhanced kit replaces the following images:

/usr/etc/comsat                 ULTRIX V4.3, V4.3a, V4.4
/usr/ucb/lpr                    "                      "
/usr/bin/mail                   "                      "
/usr/lib/sendmail               "                      "
/usr/etc/telnetd                ULTRIX V4.3, V4.3a only

for DECnet-ULTRIX V4.2  installations:

                *sendmail - is a previously distributed solution.


The DEC OSF/1 Security Enhanced kit replaces the following images:

/usr/sbin/comsat                DEC OSF/1 V1.2, V1.3 V2.0
/usr/bin/lpr                    "                       "
/usr/sbin/sendmail              DEC OSF/1 V1.2, V1.3  only
/usr/bin/rdist                  "                       "
/usr/shlib/libsecurity.so       DEC OSF/1 V2.0 only

                *sendmail - is a previously distributed solution.


Digital urges you to periodically review your system management and
security procedures.  Digital will continue to review and enhance the
security features of its products and work with customers to maintain
and improve the security and integrity of their systems.

    NOTE: For non-contract/non-warranty customers contact your local Digital
          support channels for information regarding these kits.

