[9541] in bugtraq
Re: nslookup on aix 4.x
daemon@ATHENA.MIT.EDU (Troy A. Bollinger)
Fri Feb 12 23:10:28 1999
Mail-Followup-To: Andreas Mueller <andreas.mueller@STUDENT.UNI-TUEBINGEN.DE>,
BUGTRAQ@netspace.org
Date: Fri, 12 Feb 1999 17:38:11 -0600
Reply-To: "Troy A. Bollinger" <troy@AUSTIN.IBM.COM>
From: "Troy A. Bollinger" <troy@AUSTIN.IBM.COM>
X-To: Andreas Mueller <andreas.mueller@STUDENT.UNI-TUEBINGEN.DE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199902120012.BAA01512@serv2.mm-lab.uni-tuebingen.de>; from
Andreas Mueller on Fri, Feb 12, 1999 at 01:12:46AM +0100
Quoting Andreas Mueller (andreas.mueller@STUDENT.UNI-TUEBINGEN.DE):
>
> If nslookup is installed with the s-bit all users can
> create and overwrite files owned by root. This works
> in the interactive mode, when dumping dns-records to a
> file (with ls -d DOMAINNAME > FILE for example).
>

This was fixed over a year ago and documented in the IBM-ERS advisory
ERS-SVA-E01-1997:008.1 available from http://www.ers.ibm.com.

> p.s.: if this has already been reported to this list - sorry for
> my laziness to search an archive of bugtraq.
> --

That's ok. It lets me plug our security newsletter. ;-)

We've fixed lots of bugs in the last year (see the recent post by Ciaran
Deignan <Ciaran.Deignan@BULL.NET> titled "Security_APARs"). I encourage
AIX customers to subscribe to the AIX security newsletter by sending a
note to aixserv@austin.ibm.com with a subject of:

    subscribe Security Security_APARs

And remember, you can always send new AIX vulnerabilities to
security-alert@austin.ibm.com. I promise to work just as hard on bugs
reported there as I do on bugs reported here (even if they're reported
the day before Valentine's Day. ;-)

Thanks.

--
Troy Bollinger troy@austin.ibm.com
AIX Security Development security-alert@austin.ibm.com
PGP keyid: 1024/0xB7783129 Troy's opinions are not IBM policy