From: "Boren, Rich" <Rich.Borenat_private>
Subject: COMPAQ Security Advisory SSRT1-85U Tru64 UNIX - xntpd overflow
Date: Wed, 2 May 2001 21:26:44 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

** NO RESTRICTIONS ** ** FOR DISTRIBUTION **

====================================================
TITLE: SSRT1-85U - xntpd potential buffer overflow
SOURCE: Compaq Computer Corporation, Software Security Response Team
====================================================

Date: 02-MAY-2001
SEVERITY: HIGH

PROBLEM STATEMENT SUMMARY:

Compaq continues to take a serious approach to the quality and security of all its software products and makes every effort to address issues and provide solutions in a timely manner. In line with this commitment, Compaq is responding to recent concerns of a potential buffer overflow with xntpd.

The Network Time Protocol daemon for Compaq Tru64 UNIX contains a potential buffer overflow (even though it would be difficult to exploit) that may allow unauthorized access to bin privileges.

IMPACT:

Compaq's Tru64 UNIX V4.0d, V4.0f, V4.0g, V5.0, V5.0a, V5.1

SOLUTION:

Compaq Tru64 UNIX engineering has provided a fix for this potential problem.

NOTE: The solutions will be included in future releases of Tru64 UNIX aggregate patch kits. Until that has happened the kits identified should be reinstalled accordingly after an upgrade to any affected version listed.

The patches identified are available from the Compaq FTP site http://ftp1.support.compaq.com/public/dunix/ then choose the version directory needed and search for the patch by name. Please review the applicable readme and install files prior to installation.

Patches:

V4.0D: DUV40D16-C0058302-10580-20010430.tar
V4.0F: DUV40F16-C0042002-10579-20010430.tar
V4.0G: T64V40G16-C0003502-10577-20010430.tar
V5.0: T64V5016-C0006102-10575-20010430.tar
V5.0A: T64V50A16-C0010402-10574-20010430.tar
V5.1: T64V513-C0027202-10573-20010430.tar

NOTE: A patch for Compaq Tru64 UNIX V4.0e is not available as it is no longer supported by Compaq. If you require a patch for V4.0e please contact your normal Compaq Services channel.

Compaq appreciates your cooperation and patience. We regret any inconvenience applying this information may cause.

As always, Compaq urges you to periodically review your system management and security procedures. Compaq will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems.

(c) Copyright 2001 Compaq Computer Corporation. All rights reserved.

To subscribe to automatically receive future NEW Security Advisories from Compaq's Software Security Response Team via electronic mail, use your browser to select the URL http://www.support.compaq.com/patches/mailing-list.shtml and select "Security and Individual Notices" for immediate dispatch notifications directly to your mailbox.

To report new Security Vulnerabilities, send mail to: security-ssrtat_private

=============================================

COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS AND/OR SOFTWARE PUBLISHED ON THIS SERVER FOR ANY PURPOSE. ALL SUCH DOCUMENTS AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND AND ARE SUBJECT TO CHANGE WITHOUT NOTICE. THE ENTIRE RISK ARISING OUT OF THEIR USE REMAINS WITH THE RECIPIENT.
IN NO EVENT SHALL COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE OR OTHER DAMAGES WHATSOEVER (INCLUDING WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION), EVEN IF COMPAQ HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOvDA+KgxZJFjvD74EQIcQgCfTZEG+9t09c6DPEZB/Ez/VehVI5sAnAhQ
X4McRxZlZeJ27lWFf6ndo+PV
=FExB
-----END PGP SIGNATURE-----