Dear SCO Customer,

Support Level Supplement (SLS) ptf7408e, the UnixWare 7.1.0 Security Supplement, addresses all of the problems listed below.

SLS ptf7408b addressed these issues:

1. Unnecessary privileges are given to some packaging commands, allowing
   users to compromise system security by adding or removing privileged
   files.

2. Users can use packaging tools to read restricted system files.

3. Users can create arbitrary root-owned directories.

4. A potential buffer overflow attack exists.

5. Slow booting occurs on systems where disks and other devices share the
   same controller.

6. sdighost -r does not remove ghosts permanently.

SLS ptf7408c addressed these issues:

7. The checking of incompatibility definitions specified in 'depend' files
   was previously performed only for the package being installed. This SLS
   extends the check to the 'depend' definitions of packages already
   installed on the system: any installed package declaring an
   incompatibility with the package being installed causes the installation
   to be terminated.

   These changes in "checking flags" are included:

   - Added the 'S' flag (Supersedes) to support superseding packages.

   - Added the 'X' flag (eXcludes) to support genuinely incompatible
     packages. That is, the presence of an installed package declaring this
     flag prevents the corresponding package from being installed,
     regardless of the dependencies specified in that package. The 'X' flag
     allows incompatibilities discovered after a package has been released
     to be managed effectively.

   - Restored the original 'I' flag behaviour for packages other than PTFs.

SLS ptf7408d addressed these issues:

8. After installing SLS ptf7408b or ptf7408c, it is no longer possible to
   install packages from tape devices. Errors similar to the following may
   be displayed by a command such as pkgadd -d /dev/rmt/ctape1:

      UX:pkginstall: ERROR: attempt to process package from failed - process /dev/null> failed, exit code 3
      UX:pkginstall: ERROR: unable to unpack datastream

SLS ptf7408e now addresses this issue:

9. sdighost -r [see sdighost(1M)] does not permanently remove from the sdi
   database the names of disks that do not correspond to any physical disk
   on the system ('phantom' disks). This is fixed by removing the unwanted
   "vtoc" entries from the resmgr database and updating the configuration
   regardless of whether any ghost disks are present.

SLS ptf7408e contains:

   /usr/lib/libadm.a
   /etc/scsi/pdimkdev
   /sbin/putdev
   /usr/bin/ddbconv
   /usr/bin/devattr
   /usr/bin/getdev
   /usr/bin/pkginfo
   /usr/bin/pkgparam
   /usr/bin/pkgtrans
   /usr/bin/getdgrp
   /usr/bin/getvol
   /usr/sbin/pkgadd
   /usr/sbin/pkgrm
   /usr/sbin/pkgchk
   /usr/sbin/installf
   /usr/sbin/pkgcat
   /usr/sbin/pkginstall
   /usr/sbin/prtconf
   /usr/sadm/install/bin/pkgaudit
   /usr/sadm/install/bin/pkginstall
   /usr/sadm/install/bin/pkgname
   /usr/sadm/install/bin/pkgremove

Software Notes and Recommendations
----------------------------------

SLS ptf7408e should only be installed on:

   UnixWare 7 Release 7.1.0

Installation Instructions
-------------------------

1. Download the ptf7408e.Z file to the /tmp directory on your machine.

2. As root, uncompress the file and add the SLS package to your system
   using these commands:

      $ su
      Password:
      # uncompress /tmp/ptf7408e.Z
      # pkgadd -d /tmp/ptf7408e
      # rm /tmp/ptf7408e

3. It is essential to reboot the system after installing this SLS package.

The release notes displayed prior to installation can be found in:

   /var/sadm/pkg/ptf7408/install/ptf7408.txt

Removal Instructions
--------------------

Removing this SLS leaves your system exposed to a serious security problem
that allows any of your users to make arbitrary changes to the packages
that are installed on your system. SCO strongly recommends that this SLS
be removed only if you intend subsequently to remove Update 7.1.0 from
your system.

1. As root, remove the SLS package using these commands:

      $ su
      Password:
      # pkgrm ptf7408

2. The system should be shut down and rebooted after removing this SLS
   package.

If you have questions regarding this SLS, or the product on which it is
installed, please contact your software supplier.
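As an added illustration of the 'depend' checking described in item 7 above (this fragment is not from any SCO package; all package names in it are hypothetical), a 'depend' file of an installed package "acme" laid out in the SVR4 depend(4) form of one "type package-instance descriptive-name" entry per line, using the flags this SLS adds:

```text
P acmebase  ACME base package (prerequisite, must already be installed)
I acmeold   ACME 1.x tools (plain incompatibility, checked only when acme itself is installed)
S acmepre   ACME pre-release tools (superseded by acme)
X acmebad   ACME tools build 42 (excluded: while acme is installed, acmebad cannot be added, whatever acmebad's own depend file says)
```

Before this SLS, only the 'depend' file of the package being added was consulted, so the 'I' line above would protect acme only at acme's own install time. With ptf7408c and later, pkgadd of acmebad also re-reads acme's installed 'depend' file, finds the 'X' entry and terminates the installation.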
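The installation procedure above, wrapped in the pre- and post-install checks an administrator would want around the uncompress / pkgadd / rm / reboot sequence. This is an added example script, not an SCO script. It assumes (none of this is stated on the page) that the SLS was downloaded to /tmp/ptf7408e.Z, that the package instance registered by pkgadd is ptf7408 (as the release-notes path /var/sadm/pkg/ptf7408 suggests), and that on UnixWare 7 `uname -v` prints the release string, e.g. "7.1.0".

```shell
#!/bin/sh
# Added example, not an SCO script: applies SLS ptf7408e with checks before
# and after pkgadd. Assumptions (not stated on the page): the SLS file is
# /tmp/ptf7408e.Z, the installed package instance is ptf7408, and `uname -v`
# reports the UnixWare release string ("7.1.0").

SLS_FILE=/tmp/ptf7408e
SLS_PKG=ptf7408

# Return 0 only for the release the SLS is built for. The release string is
# passed in rather than read from uname here so the check can be tested alone.
sls_applies_to() {
    case "$1" in
        7.1.0) return 0 ;;
        *)     return 1 ;;
    esac
}

# Return 0 when 'pkginfo -l' output (passed as one string) reports the
# package as completely installed; a partial install must not be rebooted on.
pkg_completely_installed() {
    printf '%s\n' "$1" |
        grep -q '^[[:space:]]*STATUS:[[:space:]]*completely installed'
}

install_sls() {
    [ "$(id -u)" -eq 0 ] || { echo "install_sls: must run as root" >&2; return 1; }

    rel=$(uname -v)
    if ! sls_applies_to "$rel"; then
        echo "SLS ptf7408e is for UnixWare 7.1.0; this system reports '$rel'" >&2
        return 1
    fi

    [ -f "$SLS_FILE.Z" ] || {
        echo "$SLS_FILE.Z not found; download it to /tmp first" >&2
        return 1
    }

    # The page's own sequence: uncompress, pkgadd from the datastream, remove it.
    uncompress "$SLS_FILE.Z" || return 1
    pkgadd -d "$SLS_FILE" || return 1
    rm -f "$SLS_FILE"

    # Post-install checks: the package must be completely installed, and the
    # installed files must match the package's own attribute and content records.
    pkg_completely_installed "$(pkginfo -l "$SLS_PKG")" || {
        echo "$SLS_PKG is not completely installed; do not reboot yet" >&2
        return 1
    }
    pkgchk "$SLS_PKG" || return 1

    echo "SLS ptf7408e installed; it requires a reboot: shutdown -i6 -g0 -y"
}

# Run the procedure only when asked explicitly:  sh install_sls.sh install
case "${1:-}" in
    install) install_sls ;;
esac
```

The two checks after pkgadd are the ones worth keeping even if the rest is typed by hand: `pkginfo -l ptf7408` confirms the instance is completely installed, and `pkgchk ptf7408` verifies the installed files against the package's recorded attributes and contents before the mandatory reboot.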