========================================================================== The checksum's (found through sum -r) of the files that you have received (other than this README) are as follows: 18405 3 patchSG0002233 43804 36 patchSG0002233.eoe_man 24542 347 patchSG0002233.eoe_sw 50085 3 patchSG0002233.idb ========================================================================== - 1 - 1. Patch_SG0002233_Release_Note This release note describes patch SG0002233 to IRIX 6.4. Patch SG0002233 replaces patches SG0002217. 1.1 Supported_Hardware_Platforms This patch contains bug fixes for all hardware platforms. 1.2 Supported_Software_Platforms This patch contains bug fixes for IRIX 6.4. 1.3 Bugs_Fixed_by_Patch_SG0002233 This patch contains fixes for the following bugs in IRIX 6.4. Bug numbers from Silicon Graphics bug tracking system are included for reference. o The login/scheme program has a buffer overrun issue which results in an exploitable security vulnerability (Bug #494134). o A security issue has been discovered with the LOCKOUT parameter in /etc/default/login (Bug #491422). This incident resulted in CERT advisory CA-97.15 and AUSCERT advisory AA-97.12. Part of the fix for this problem is a new /etc/default/login option, LOCKOUTEXEMPT. The file /etc/default/login must be updated with the LOCKOUTEXEMPT option from /etc/default/login.N before this feature can be used. Description follows: If LOCKOUT is greater than zero, the users listed as LOCKOUTEXEMPT will NOT be subject to the LOCKOUT option. Usernames are separated by spaces, the list must be terminated by end-of-line, maximum list length is 240 characters. LOCKOUTEXEMPT is ignored unless LOCKOUT is enabled, and the list is not empty. Including privileged accounts (such as root) in the LOCKOUTEXEMPT list is not recommended, as it allows an indefinite number of attacks on the exempt accounts. Also, if LOCKOUTEXEMPT is enabled, the /etc/default/login file should be protected at mode 400 or 600 to prevent unauthorized viewing and/or tampering with the LOCKOUTEXEMPT list. - 2 - LOCKOUTEXEMPT=oper1 niteop o A security issue has been discovered with the LOCKOUT parameter in /etc/default/login (Bug #506487). o The df program has a buffer overrun issue which results in an exploitable security vulnerability (Bug #494131). o The eject program has a buffer overrun issue which results in an exploitable security vulnerability (Bug #494133). o The /bin/at program appears to have a buffer overrun issue which results in an exploitable security vulnerability (Bug #498852). o DAT drives other than Archive Python were mis- identified as type "cartridge", rather than DAT (Bug #514461). 1.4 Subsystems_Included_in_Patch_SG0002233 This patch release includes these subsystems: o patchSG0002181.eoe_sw.unix o patchSG0002181.eoe_man 1.5 Installation_Instructions Because you want to install only the patches for problems you have encountered, patch software is not installed by default. After reading the descriptions of the bugs fixed in this patch (see Section 1.3), determine the patches that meet your specific needs. If, after reading Sections 1.1 and 1.2 of these release notes, you are unsure whether your hardware and software meet the requirements for installing a particular patch, run inst. The inst program does not allow you to install patches that are incompatible with your hardware or software. Patch software is installed like any other Silicon Graphics software product. Follow the instructions in your Software Installation Administrator's Guide to bring up the miniroot form of the software installation tools. - 3 - Follow these steps to select a patch for installation: 1. At the Inst> prompt, type install patchSGxxxxxxx where xxxxxxx is the patch number. 2. Initiate the installation sequence. Type Inst> go 3. You may find that two patches have been marked as incompatible. (The installation tools reject an installation request if an incompatibility is detected.) If this occurs, you must deselect one of the patches. Inst> keep patchSGxxxxxxx where xxxxxxx is the patch number. 4. After completing the installation process, exit the inst program by typing Inst> quit 1.6 Patch_Removal_Instructions To remove a patch, use the versions remove command as you would for any other software subsystem. The removal process reinstates the original version of software unless you have specifically removed the patch history from your system. versions remove patchSGxxxxxxx where xxxxxxx is the patch number. To keep a patch but increase your disk space, use the versions removehist command to remove the patch history. versions removehist patchSGxxxxxxx where xxxxxxx is the patch number. - 4 - 1.7 Known_Problems