Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

CERT Vendor-Initiated Bulletin VB-96.04 - BSDI

0 views
Skip to first unread message

CERT Bulletin

unread,
Mar 18, 1996, 3:00:00 AM3/18/96
to
=============================================================================
CERT(sm) Vendor-Initiated Bulletin VB-96.04
March 18, 1996

Topic: BSD/OS 2.0/2.0.1 kernel vulnerability
Source: Berkeley Software Design, Inc.

To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Berkeley
Software Design, Inc. (BSDI), who urges you to act on this information as soon
as possible. BSDI contact information is included in the forwarded text below;
please contact them if you have any questions or need further information.


========================FORWARDED TEXT STARTS HERE============================

=============================================================================
Security Advisory
Berkeley Software Design, Inc.

Topic: BSD/OS 2.0/2.0.1 kernel vulnerability
Number: 1996-03-05
Date: March 5, 1996
Patch: ftp://ftp.bsdi.com/bsdi/patches/patches-2.0.1/K201-008
=============================================================================


I. Background

A bug was found in an unused portion of the ptrace code in
BSD/OS 2.0 and 2.0.1 that caused a system vulnerability. The
bug is not present in the current release, BSD/OS 2.1. BSDI
is not aware of anyone who is actively exploiting this bug.

All BSDI customers with current support contracts were mailed
floppies containing the patch for this problem. Customers
without current support contracts can and should download the
patch from the ftp server.


II. Problem Description

Permssion checking for an unused operation was incorrect.


III. Impact

The problem could allow local users to control privileged
processes, and could thus allow users to acquire unauthorized
permissions.

This vulnerability can only be exploited by users with a valid
account on the local system.


IV. Solution(s)

Install BSDI patch K201-008 on all BSD/OS 2.0 or 2.0.1 systems,
or upgrade to BSD/OS 2.1.


=============================================================================
Berkeley Software Design, Inc.
5579 Tech Center Drive, Suite 110
Colorado Springs, CO 80919

Web Site: http://www.bsdi.com/
BSDI Support: +1 800 ITS BSD8 / +1 719 536 9346
Support Email: sup...@bsdi.com
PGP Key: ftp://ftp.bsdi.com/bsdi/info/pgp_key

=========================FORWARDED TEXT ENDS HERE=============================

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advis...@cert.org

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key


CERT Contact Information
------------------------
Email ce...@cert.org

Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.

Fax +1 412-268-6989

Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA

CERT is a service mark of Carnegie Mellon University.


0 new messages