Lisa,
I just upgraded another server to ML9 + yesterday..
I ordered the CD(s) in Feb. when they arrived it did not have the fileset.
(CD was ML9 as of 02/06/02)
It is an add on if you wish to call it that..
Gabriel C. Wiley
ADSM/TSM Administrator
AIX Support
Phone 1-614-308-6709
Pager 1-877-489-2867
Fax 1-614-308-6637
Cell 1-740-972-6441
Siempre Hay Esperanza
Lisa Cabanas
<[EMAIL PROTECTED] To: [EMAIL PROTECTED]
> cc:
Sent by: "ADSM: Subject: Re: For those Security
conscious people running AIX
Dist Stor
Manager"
<[EMAIL PROTECTED]
.EDU>
04/03/2002 09:07
AM
Please respond to
"ADSM: Dist Stor
Manager"
I think what Justin said about having to do extra steps is right (needing
additional filesets, specifically)-- I am at ML9, but when I look at the
levels of the filesets, they are still below what is indicated as being
unaffected, and the instfix doesn't show that APAR.
bummer.
lisa
Gabriel Wiley
<[EMAIL PROTECTED] To: [EMAIL PROTECTED]
.COM> cc:
Sent by: Subject: Re: For those
Security conscious people running AIX
"ADSM: Dist
Stor Manager"
<[EMAIL PROTECTED]
IST.EDU>
04/02/2002
04:13 PM
Please respond
to "ADSM: Dist
Stor Manager"
I can't tell you if it was fixed in ML8 we went from ML3 to ML9 overnight
(or a very long weekend) ..
The security people, waived it in my face the other day and said get it
fixed.
Since we are at ML9 + there was no need , it was already there.
If you go to the software website it says you need to install 388 or so
filesets to be legit.. (Wrong not in this env.)
There have been buffer overflow issues in every version of AIX so far..
Problem Summar y
The tsm family of commands (tsm,getty,login) does not
properly validate the port name entered on the command
line.
This can allow unpriviledged users to become root.
Gabriel C. Wiley
ADSM/TSM Administrator
AIX Support
Phone 1-614-308-6709
Pager 1-877-489-2867
Fax 1-614-308-6637
Cell 1-740-972-6441
Siempre Hay Esperanza
|---------+---------------------------->
| | Justin Derrick |
| | <jderrick@CANADA.|
| | COM> |
| | Sent by: "ADSM: |
| | Dist Stor |
| | Manager" |
| | <[EMAIL PROTECTED]|
| | .EDU> |
| | |
| | |
| | 04/02/2002 03:16 |
| | PM |
| | Please respond to|
| | "ADSM: Dist Stor |
| | Manager" |
| | |
|---------+---------------------------->
>
------------------------------------------------------------------------------------------------------------------------------|
|
|
| To: [EMAIL PROTECTED]
|
| cc:
|
| Subject: Re: For those Security conscious people running AIX
|
|
|
|
|
>
------------------------------------------------------------------------------------------------------------------------------|
I think I had to install this separately at a client site because it
required a few steps in order to take proper effect... But to be
absolutely clear, this isn't Tivoli Storage Manager related. For some
reason, the 'login' program on AIX is a link (an alias, if you will) to the
'tsm' program, which, again, has nothing to do with Tivoli Storage Manager.
-JD.
>Isn't/Wasn't this taken care of in ML8?
>
>
>
> Gabriel Wiley
> <[EMAIL PROTECTED] To: [EMAIL PROTECTED]
> .COM> cc:
> Sent by: Subject: For those Security
>conscious people running AIX
> "ADSM: Dist
> Stor Manager"
> <[EMAIL PROTECTED]
> IST.EDU>
>
>
> 04/02/2002
> 12:14 PM
> Please respond
> to "ADSM: Dist
> Stor Manager"
>
>
>
>
>
>
>If you are not aware .. FYI ****
>
>SECURITY: MULTIPLE BUFFER OVERFLOW VULNERABILITIES IN TSMLOGIN
>
>Created: 01/04/2002 at 03:22 PM
>
>
> Published Date: 01/04/2002
>
>
>
>
>
>
> OS or Applications Affected: AIX
>
> Versions Affected: 4.3
>
>
>
>
>
> Severity: Medium
>
>
>
>
>
> APAR/Patch ID: IY26443
>
> Workaround Available?: No
>
>
>
>
>
>
>
>
>
>Run this command to see if you have it ;
>
>instfix -ik IY26443
>
> or
>
>instfix -ick IY26443
>
>Keyword:Fileset:ReqLevel:InstLevel:Status:Abstract
>Y26443:bos.rte.security:4.3.3.79:4.3.3.79:=:SECURITY: Multiple buffer
>overflow vulnerabilities in tsmlogin
>
>
>Gabriel C. Wiley
>ADSM/TSM Administrator
>AIX Support
>Phone 1-614-308-6709
>Pager 1-877-489-2867
>Fax 1-614-308-6637
>Cell 1-740-972-6441
>
>Siempre Hay Esperanza
