Patch 2181 : login security fixes : [IRIX 6.2]
INDEX
RELATIONS
RELEASE NOTES
1. Patch SG0002181 Release Note This release note describes patch SG0002181 to IRIX 6.2.1.1 Supported Hardware Platforms This patch contains bug fixes for all hardware platforms.1.2 Supported Software Platforms This patch contains bug fixes for IRIX 6.2.1.3 Bugs Fixed by Patch SG0002181 This patch contains fixes for the following bugs in IRIX 6.2. Bug numbers from Silicon Graphics bug tracking system are included for reference. o The login/scheme program has a buffer overrun issue which results in an exploitable security vulnerability (Bug #494134). o A security issue has been discovered with the LOCKOUT parameter in /etc/default/login (Bug #491422). This incident resulted in CERT advisory CA-97.15 and AUSCERT advisory AA-97.12. Part of the fix for this problem is a new /etc/default/login option, LOCKOUTEXEMPT. The file /etc/default/login must be updated with the LOCKOUTEXEMPT option from /etc/default/login.N before this feature can be used. Description follows: If LOCKOUT is greater than zero, the users listed as LOCKOUTEXEMPT will NOT be subject to the LOCKOUT option. Usernames are separated by spaces, the list must be terminated by end-of-line, maximum list length is 240 characters. LOCKOUTEXEMPT is ignored unless LOCKOUT is enabled, and the list is not empty. Including privileged accounts (such as root) in the LOCKOUTEXEMPT list is not recommended, as it allows an indefinite number of attacks on the exempt accounts. Also, if LOCKOUTEXEMPT is enabled, the /etc/default/login file should be protected at mode 400 or 600 to prevent unauthorized viewing and/or tampering with the LOCKOUTEXEMPT list. LOCKOUTEXEMPT=oper1 niteop o A security issue has been discovered with the LOCKOUT parameter in /etc/default/login (Bug #506487). o This patch is based on an earlier patch (2092) which addressed SGI bug #437585 where login fails with "unable to change directory"/"Connection closed" message when the permission mode of the NFS mounted home directory is 700 (Bug #437585).1.4 Subsystems Included in Patch SG0002181 This patch release includes these subsystems: o patchSG0002181.eoe_sw.unix o patchSG0002181.eoe_man1.5 Installation Instructions Because you want to install only the patches for problems you have encountered, patch software is not installed by default. After reading the descriptions of the bugs fixed in this patch (see Section 1.3), determine the patches that meet your specific needs. If, after reading Sections 1.1 and 1.2 of these release notes, you are unsure whether your hardware and software meet the requirements for installing a particular patch, run inst. The inst program does not allow you to install patches that are incompatible with your hardware or software. Patch software is installed like any other Silicon Graphics software product. Follow the instructions in your Software Installation Administrator's Guide to bring up the miniroot form of the software installation tools. Follow these steps to select a patch for installation: 1. At the Inst> prompt, type install patchSGxxxxxxx where xxxxxxx is the patch number. 2. Initiate the installation sequence. Type Inst> go 3. You may find that two patches have been marked as incompatible. (The installation tools reject an installation request if an incompatibility is detected.) If this occurs, you must deselect one of the patches. Inst> keep patchSGxxxxxxx where xxxxxxx is the patch number. 4. After completing the installation process, exit the inst program by typing Inst> quit1.6 Patch Removal Instructions To remove a patch, use the versions remove command as you would for any other software subsystem. The removal process reinstates the original version of software unless you have specifically removed the patch history from your system. versions remove patchSGxxxxxxx where xxxxxxx is the patch number. To keep a patch but increase your disk space, use the versions removehist command to remove the patch history. versions removehist patchSGxxxxxxx where xxxxxxx is the patch number.1.7 Known Problems INST SUBSYSTEM REQUIREMENTS No Requirements Information Available. INST SUBSYSTEM CHECKSUMS These checksums help to provide a 'signature' for the patch inst image which can be used to authenticate other inst images. You can obtain this kind of output by running sum -r on the image (from the command line): 40880 2 patchSG0002181 12558 35 patchSG0002181.eoe_man 24729 73 patchSG0002181.eoe_sw 19924 2 patchSG0002181.idb INST SUBSYSTEM FILE LISTINGS The following lists the files which get installed from each subsystem in the patch:
DOWNLOAD PATCH
|
||||||||||||||||||||||||||||||||||||
Document Id: 20021117065510-IRIXPatch-1098
|