On Tue, 26 Jun 2001 11:44:45 CDT, uid0at_private said:

> This is from IBM. I don't know why they do not post to BUGTRAQ directly.

I don't speak for IBM, but I think I know why...

> AIX 4.3: IY19897 (updated 6/2001)

This is the 'packaging APAR' that rolls all these fixes up so you can do a one-stop order. They cut a new roll-up every 4-5 months. Due to the way IBM packages things, it includes *EVERY* security fix that IBM has put into an APAR since AIX 4.3.0 was released. I just checked the machine in my office - I installed AIX 4.3.0 on November 14, 1997. That's why there's such a long list - it goes back that far.

> IX72045 CDE LOGIN GIVES INVALID USER NAME MESSAGE BEFORE PW ENTERED

This is a fix for a bug originally reported against AIX 4.2.1. It's *so* old that I can't even get accurate date info on when it was released. Looks around late 97.

I don't think anybody really wants to see *all* 133 bugfixes every time. Over and over. For 4-year-old fixes. I do AIX for a living, and even *I* yawn at this posting and diff it against the previous one for any *NEW* ones.

IBM *DOES* post their ERS alerts to Bugtraq (such as the 'diagrpt' one the other day). In addition, they have a summary posting that you can subscribe to that lists the last 7-8 alerts. Those include impact, workaround, and fix info - much more helpful.

Diff against the January posting:

*** 17,23 **** To facilitate ease of ordering all security related APARs for each release can be ordered using the following packaging APARs. ! AIX 4.3: IY15473 (updated 1/2001) APARs can be ordered using FixDist. For additional information on FixDist send e-mail with a subject of "FixDist" to aixservat_private, or --- 17,23 ---- To facilitate ease of ordering all security related APARs for each release can be ordered using the following packaging APARs. ! AIX 4.3: IY19897 (updated 6/2001) APARs can be ordered using FixDist.
For additional information on FixDist send e-mail with a subject of "FixDist" to aixservat_private, or *************** *** 94,100 **** IX81507 SECURITY: MORE VULNERABILITIES IN PCNFSD IX81999 POST COMMAND SHOULD NOT BE SUID IX82002 FORCE REXECD USER PRIVILEDGES - IX83542 AIX 4.3.3.0 MAINTENANCE LEVEL IX83752 SECURITY: VULNERABILITY IN AUTOFS IX84493 SECURITY: VULNERABILITY IN SETGID EXECUTABLES IX84642 SECURITY: VULNERABILITY IN INFOEXPLORER DAEMON (INFOD) --- 94,99 ---- *************** *** 114,120 **** IX89687 SECURITY: NFS SCRIPTS CREATE INSECURE TEMPORARY FILES IY00892 INSECURE TEMPORARY FILES IN BOS.PERF PACKAGING SCRIPT IY01439 SECURITY: INSECURE TEMPORARY FILES IN /ETC/RC.POWERFAIL - IY02033 RESERVED IY02120 SECURITY: BUFFER OVERFLOW IN NSLOOKUP IY02397 SECURITY: NON-ROOT USERS CAN USE PTRACE TO CRASH THE SYSTEM IY02944 SECURITY: BUFFER OVERFLOW IN "DTACTION -U" --- 113,118 ---- *************** *** 150,158 **** --- 148,164 ---- IY12147 NON-ROOT USERS CAN ISSUE THE NETSTAT -Z FLAG IY12251 SECURITY: POSSIBLE VULNERABILITIES IN ERRPT IY12638 SECURITY: BUFFER OVERFLOW IN PRINT CMDS + IY13753 SECURITY: FORMAT STRING VULNERABILITY IN LOCALE SUBSYSTEM IY13780 SECURITY: BUFFER OVERFLOW IN LIBNTP IY13781 SECURITY: FORMAT STRING VULNERABILITY IN FTP CLIENT IY13783 FORMAT STRING VULNERABILITIES IN GETTY'S ERROR LOGGING FUNCS IY14512 DNS CERT ADVISORY FOR SRV & ZXFR BUGS + IY14537 BUFFER OVERFLOW IN BELLMAIL + IY15146 SYSLOGD:BUFFER OVERFLOW AND IMPROPER CONTROL CHARACTER ESCAPES + IY16182 SECURITY: BUFFER OVERFLOW IN BIND8 + IY16214 BUFFER OVERFLOW AND FORMAT STRING VULNERABILITIES IN BIND 4.X + IY16271 SECURITY: INFOLEAK IN NUMEROUS VERSIONS OF NAMED4 AND NAMED8 + IY17048 SECURITY: POSSIBLE BUFFER OVERFLOW VULNERABILITY IN CRONTAB + IY17932 SECURITY: IMAPD BUFFER OVERFLOW ===========================================================================

*yawn*. The ERS summaries are much more helpful... Let's encourage those instead.
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 15:40:33 PDT