[5493] in bugtraq


Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client

daemon@ATHENA.MIT.EDU (Troy A. Bollinger)
Fri Nov 7 04:49:08 1997

Date: 	Thu, 6 Nov 1997 12:19:28 -0600
Reply-To: "Troy A. Bollinger" <troy@AUSTIN.IBM.COM>
From: "Troy A. Bollinger" <troy@AUSTIN.IBM.COM>
X-To:         lutz@TARANIS.IKS-JENA.DE
To: BUGTRAQ@netspace.org
In-Reply-To:  <slrn65tmlk.k7.lutz@taranis.iks-jena.de> from Lutz Donnerhacke at "Nov 4, 97 08:20:05 am"

-----BEGIN PGP SIGNED MESSAGE-----

Lutz Donnerhacke wrote:
> * af@C4C.COM wrote:
> >I also wonder about IBM's answer:
> >SOLUTION:         Remove the setuid bit from the "ftp" command.
> >
> >On our 4.2.1, ftp will not run if it is not suid.
> >Didn't somebody test this?
>
> Yep. ftp does not need suid:

The AIX ftp client MUST BE SETUID to work for non-root users.

>
> DFN-CERT corrected the solution of IBM. It was a false statement according to
> them.
>

DFN-CERT is correct.  The solution listed in the advisory header should
have said to apply the fixes listed in the advisory.  The setuid fiasco
was a mistake on my part.

The correct fix for the AIX ftp client bug is to apply the following
fixes:

   AIX 3.2: upgrade to v4
   AIX 4.1: IX70885
   AIX 4.2: IX70886
   AIX 4.3: fix already contained in the release

These fixes are available and may be obtained using FixDist or from the
IBM Support Center.  For more information on FixDist, reference URL:

   http://service.software.ibm.com/aixsupport/

Questions relating to AIX security advisories can be emailed to
security-alert@austin.ibm.com.  New AIX vulnerabilities can be PGP
encrypted using the AIX Security public key available by sending email
to security-alert@austin.ibm.com with a subject of "get key".


- --
Troy Bollinger                            troy@austin.ibm.com
AIX Security Development        security-alert@austin.ibm.com
PGP keyid: 1024/0xB7783129 Troy's opinions are not IBM policy

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQCVAwUBNGIJtcjqvEm3eDEpAQF+PQP+LtKAfV94QozA+ZlIUJDFhC7M5qZjKMgJ
lsFHt0lEBA74umHI5/B3FkSsrPewrYQx7FEdmVI493BrDwHZOCr3xEJNlEjcsGOf
DRzlvDYtwMGN9GQn2XSEeO8C5/w2MgARtqyiLWh25vaQUVVIH2xe9t/XQ3qCzEmU
fLHkUCCz41c=
=UFWn
-----END PGP SIGNATURE-----
