I can't tell you if it was fixed in ML8; we went from ML3 to ML9 overnight (or a very long weekend)..

The security people waved it in my face the other day and said get it fixed. Since we are at ML9 + there was no need, it was already there. If you go to the software website it says you need to install 388 or so filesets to be legit.. (Wrong, not in this env.) There have been buffer overflow issues in every version of AIX so far..

Problem Summary

The tsm family of commands (tsm, getty, login) does not properly validate the port name entered on the command line. This can allow unprivileged users to become root.

Gabriel C. Wiley
ADSM/TSM Administrator
AIX Support
Phone 1-614-308-6709
Pager 1-877-489-2867
Fax 1-614-308-6637
Cell 1-740-972-6441

Siempre Hay Esperanza

Justin Derrick <jderrick@CANADA.COM>
Sent by: "ADSM: Dist Stor Manager" <[EMAIL PROTECTED].EDU>
04/02/2002 03:16 PM
Please respond to "ADSM: Dist Stor Manager"

To: [EMAIL PROTECTED]
cc:
Subject: Re: For those Security conscious people running AIX

I think I had to install this separately at a client site because it required a few steps in order to take proper effect... But to be absolutely clear, this isn't Tivoli Storage Manager related. For some reason, the 'login' program on AIX is a link (an alias, if you will) to the 'tsm' program, which, again, has nothing to do with Tivoli Storage Manager.

-JD.

>Isn't/Wasn't this taken care of in ML8?
>
>Gabriel Wiley <[EMAIL PROTECTED].COM>
>Sent by: "ADSM: Dist Stor Manager" <[EMAIL PROTECTED]IST.EDU>
>04/02/2002 12:14 PM
>Please respond to "ADSM: Dist Stor Manager"
>
>To: [EMAIL PROTECTED]
>cc:
>Subject: For those Security conscious people running AIX
>
>If you are not aware .. FYI ****
>
>SECURITY: MULTIPLE BUFFER OVERFLOW VULNERABILITIES IN TSMLOGIN
>
>Created: 01/04/2002 at 03:22 PM
>Published Date: 01/04/2002
>OS or Applications Affected: AIX
>Versions Affected: 4.3
>Severity: Medium
>APAR/Patch ID: IY26443
>Workaround Available?: No
>
>Run this command to see if you have it ;
>
>instfix -ik IY26443
> or
>instfix -ick IY26443
>
>Keyword:Fileset:ReqLevel:InstLevel:Status:Abstract
>IY26443:bos.rte.security:4.3.3.79:4.3.3.79:=:SECURITY: Multiple buffer overflow vulnerabilities in tsmlogin
>
>Gabriel C. Wiley
>ADSM/TSM Administrator
>AIX Support
>Phone 1-614-308-6709
>Pager 1-877-489-2867
>Fax 1-614-308-6637
>Cell 1-740-972-6441
>
>Siempre Hay Esperanza
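
Added example, not part of the original thread: a small POSIX shell check that reads the colon-delimited `instfix -ick` output quoted above and reports whether every fileset for the APAR is at the required level. The function name `apar_check` and the second sample record are constructed for illustration; the status codes are those documented for `instfix -c`.

```sh
#!/bin/sh
# Record layout, as in the header line quoted in the thread:
#   Keyword:Fileset:ReqLevel:InstLevel:Status:Abstract
# Status codes documented for `instfix -c`:
#   =  correct level     +  superseded (newer than required)
#   -  down level        !  not installed

# apar_check APAR   (hypothetical helper; reads instfix -ick output on stdin)
# Prints one line per fileset and a final verdict.
# Exit status: 0 = installed, 1 = incomplete, 2 = APAR not present in input.
apar_check() {
    awk -F: -v apar="$1" '
        $1 == "Keyword" { next }    # skip the header line
        $1 != apar      { next }    # ignore blank lines and other APARs
        {
            seen++
            # Only the first five fields are fixed; the abstract itself
            # contains ":" ("SECURITY: Multiple ..."), so never use $NF.
            st = $5
            if (st == "=" || st == "+") state = "ok"
            else if (st == "-") { state = "DOWN-LEVEL";    bad++ }
            else if (st == "!") { state = "NOT-INSTALLED"; bad++ }
            else                { state = "UNKNOWN(" st ")"; bad++ }
            printf "%s %s required=%s installed=%s %s\n", apar, $2, $3, $4, state
        }
        END {
            if (seen == 0) { print apar " NOT-FOUND";  exit 2 }
            if (bad > 0)   { print apar " INCOMPLETE"; exit 1 }
            print apar " INSTALLED"
        }'
}

# Sample input. The data record in sample_ok is the line from the thread;
# sample_down is constructed (installed level invented) to show a failure.
sample_ok='Keyword:Fileset:ReqLevel:InstLevel:Status:Abstract
IY26443:bos.rte.security:4.3.3.79:4.3.3.79:=:SECURITY: Multiple buffer overflow vulnerabilities in tsmlogin'
sample_down='Keyword:Fileset:ReqLevel:InstLevel:Status:Abstract
IY26443:bos.rte.security:4.3.3.79:4.3.3.25:-:SECURITY: Multiple buffer overflow vulnerabilities in tsmlogin'

# On an AIX host:  instfix -ick IY26443 | apar_check IY26443
```

Checking the status field rather than just the presence of a line matters because `instfix -ick` still prints a record for a fileset that is down-level or not installed.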