Patch 2314 : OutBox security fix : [IRIX 6.2]
INDEX

  • Relations
  • Release Notes
  • Inst Subsystem Requirements
  • Inst Subsystem Checksums
  • Inst Subsystem File Listings
  • Download Patch


    RELATIONS

    This patch does not replace any other patches.

    This patch has no known incompatibilities with other patches.

    This patch fixes the following bugs:
    484580 - webdist has security hole
    498919 - OUTBOX has numerous security vulnerabilities


    RELEASE NOTES

    1. Patch SG0002314 Release Note

           This release note describes patch SG0002314 to IRIX 6.2
    
    
    1.1 Supported Hardware Platforms
           This patch contains bug fixes suitable for all hardware
           platforms running the supported software platforms described
           below.
    
    
    1.2 Supported Software Platforms
           This patch contains bug fixes for OutBox 1.2 on a system
           running IRIX 6.2.
    
           The software cannot be installed on other configurations.
    
    
    1.3 Bugs Fixed by Patch SG0002314
           This patch contains fixes for the following bugs in IRIX 6.2.
           Bug numbers from the Silicon Graphics bug tracking system are
           included for reference.
    
              o 498919 - OutBox has numerous security vulnerabilities.
    
              o 484580 - webdist has security hole.
    
           Side effects: The fixes for the security-related bugs 498919
           and 484580 required removal of the functionality responsible
           for the security problems. The resulting changes in OutBox
           behavior are described below:
    
              o On the OutBox user page, published files no longer
                display the "View" and "Download" buttons.  Those
                features were not secure, and have been removed. The
                secure way to view a document is to click on the
                document name or icon. The secure way to download a
                document is by using the browser 'Save Link As'
                feature. (In Netscape, press Shift-Button1 on the
                OutBox file, or press the right mouse button over the
                link to access the feature via a popup menu.)
    
              o The script "/cgi-bin/wrap" has been modified. A URL
                containing the text "/cgi-bin/wrap" can no longer be
                used to view a document.  To access a document from
                such a URL, simply remove the text "/cgi-bin/wrap" from
                the URL.  Note: the "/cgi-bin/wrap" script is still
                used in URLs pointing to OutBox folders. URLs
                pointing to OutBox folders should not be modified.
    
    
              o The script "/cgi-bin/handler" has been disabled. A URL
                containing the text "/cgi-bin/handler" can no longer be
                used to download a document. To access the document
                from such a URL, remove the text "/cgi-bin/handler"
                from the URL.
    
              o The script "/cgi-bin/webdist.cgi" has been disabled for
                security reasons.  To generate a Web Software
                Distribution Page, use the tool "/usr/etc/webdist" from
                the command line. See the "webdist" man page for more
                information.
    
    
    1.4 Subsystems Included in Patch SG0002314
           This patch release includes these subsystems:
    
              o patchSG0002314.outbox_sw.outbox
    
              o patchSG0002314.outbox_sw.webdist
    
    
    1.5 Installation Instructions
           Because you want to install only the patches for problems
           you have encountered, patch software is not installed by
           default.  After reading the descriptions of the bugs fixed
           in this patch (see Section 1.3), determine the patches that
           meet your specific needs.
    
           If, after reading Sections 1.1 and 1.2 of these release
           notes, you are unsure whether your hardware and software
           meet the requirements for installing a particular patch, run
           inst.  The inst program does not allow you to install
           patches that are incompatible with your hardware or
           software.
    
           Patch software is installed like any other Silicon Graphics
           software product.  Follow the instructions in your Software
           Installation Administrator's Guide to bring up the miniroot
           form of the software installation tools.
    
           Follow these steps to select a patch for installation:
    
             1.  At the Inst> prompt, type
    
                 install patchSGxxxxxxx
    
                 where xxxxxxx is the patch number.
    
             2.  Initiate the installation sequence. Type
    
    
                 Inst> go
    
             3.  You may find that two patches have been marked as
                 incompatible.  (The installation tools reject an
                 installation request if an incompatibility is
                 detected.)  If this occurs, you must deselect one of
                 the patches.
    
                 Inst> keep patchSGxxxxxxx
    
                 where xxxxxxx is the patch number.
    
             4.  After completing the installation process, exit the
                 inst program by typing
    
                 Inst> quit
    
    
    1.6 Patch Removal Instructions
           To remove a patch, use the versions remove command as you
           would for any other software subsystem.  The removal process
           reinstates the original version of software unless you have
           specifically removed the patch history from your system.
    
           versions remove patchSGxxxxxxx
    
           where xxxxxxx is the patch number.
    
           To keep a patch but increase your disk space, use the
           versions removehist command to remove the patch history.
    
           versions removehist patchSGxxxxxxx
    
           where xxxxxxx is the patch number.
    
    
    1.7 Known Problems
           There are no known problems with the patch at this time.
    
    

    INST SUBSYSTEM REQUIREMENTS
    No Requirements Information Available.
    

    INST SUBSYSTEM CHECKSUMS

    These checksums help to provide a 'signature' for the patch inst image which can be used to authenticate other inst images. You can obtain this kind of output by running sum -r on the image (from the command line):

    18667      2   patchSG0002314
    23116      3   patchSG0002314.idb
    56643     35   patchSG0002314.outbox_sw
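
The comparison described above, as an added example that is not part of the SGI patch page (function names are illustrative): it recomputes the checksum of each downloaded image and compares it with the listing. It assumes IRIX `sum -r` is the classic 16-bit BSD rotate-and-add checksum and ignores the block-count column, whose unit differs between `sum` implementations; a 16-bit checksum catches transfer corruption, not deliberate tampering.

```python
import os
import sys

# Listing copied from INST SUBSYSTEM CHECKSUMS (added example, not SGI code).
LISTING = """\
18667      2   patchSG0002314
23116      3   patchSG0002314.idb
56643     35   patchSG0002314.outbox_sw
"""


def bsd_sum(data: bytes) -> int:
    """16-bit rotate-right-and-add checksum (assumed to match `sum -r`)."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) | ((checksum & 1) << 15)  # rotate right by 1
        checksum = (checksum + byte) & 0xFFFF
    return checksum


def parse_listing(text: str) -> dict:
    """Map image name -> expected checksum; the block column is ignored."""
    expected = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[0].isdigit():
            continue  # skip blank lines and headings
        expected[fields[2]] = int(fields[0])
    return expected


def verify_images(directory: str, listing: str = LISTING) -> dict:
    """Return name -> 'ok' | 'MISMATCH' | 'missing' for every listed image."""
    results = {}
    for name, want in parse_listing(listing).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        with open(path, "rb") as handle:
            got = bsd_sum(handle.read())
        results[name] = "ok" if got == want else "MISMATCH"
    return results


if __name__ == "__main__":
    report = verify_images(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(f"{status:9} {image}" for image, status in report.items()))
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

Run it with the directory holding the unpacked images as its argument; a non-zero exit status means at least one image is missing or does not match.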
    

    INST SUBSYSTEM FILE LISTINGS

    The following lists the files which get installed from each subsystem in the patch:

    patchSG0002314.outbox_sw.outbox
    usr/relnotes/patchSG0002314/TC
    usr/relnotes/patchSG0002314/ch1.z
    var/X11/xdm/firsttime/makejumpicon
    var/www/cgi-bin/handler
    var/www/cgi-bin/wrap

    patchSG0002314.outbox_sw.webdist
    var/www/cgi-bin/webdist.cgi
    var/www/htdocs/webdist.html


    DOWNLOAD PATCH
    Download Server    File Name                 Date Added    Size    Download
    download.sgi.com   patchSG0002314.tar        14-Aug-1997   30 K    FTP HTTP
    download.sgi.com   patchSG0002314.tardist    14-Aug-1997   30 K    FTP HTTP
     
    FTP = download using FTP protocol
    HTTP = download using HTTP protocol


    Document Id: 20021117065945-IRIXPatch-1121