==========================================================================
The checksums (found through sum -r) of the files that you have received
(other than this README) are as follows:

03669  3 patchSG0002216
31290 33 patchSG0002216.eoe1_man
27451 73 patchSG0002216.eoe1_sw
22903 46 patchSG0002216.eoe2_sw
12991  3 patchSG0002216.idb
==========================================================================

1. Patch_SG0002216_Release_Note

This patch contains bug fixes for IRIX 5.3. The software cannot be
installed on other versions.

1.1 Supported_Hardware_Platforms

This patch contains bug fixes for all hardware platforms.

1.2 Bugs_Fixed_by_Patch_SG0002216

This patch contains fixes for the following bugs. Bug numbers from the
Silicon Graphics bug tracking system are included for reference.

   o The login/scheme program has a buffer overrun issue which results
     in an exploitable security vulnerability (Bug #494134).

   o A security issue has been discovered with the LOCKOUT parameter in
     /etc/default/login (Bug #491422). This incident resulted in CERT
     advisory CA-97.15 and AUSCERT advisory AA-97.12.

     Part of the fix for this problem is a new /etc/default/login
     option, LOCKOUTEXEMPT. The file /etc/default/login must be updated
     with the LOCKOUTEXEMPT option from /etc/default/login.N before this
     feature can be used. Description follows:

        If LOCKOUT is greater than zero, the users listed as
        LOCKOUTEXEMPT will NOT be subject to the LOCKOUT option.
        Usernames are separated by spaces; the list must be terminated
        by end-of-line; the maximum list length is 240 characters.
        LOCKOUTEXEMPT is ignored unless LOCKOUT is enabled and the list
        is not empty. Including privileged accounts (such as root) in
        the LOCKOUTEXEMPT list is not recommended, as it allows an
        indefinite number of attacks on the exempt accounts. Also, if
        LOCKOUTEXEMPT is enabled, the /etc/default/login file should be
        protected at mode 400 or 600 to prevent unauthorized viewing
        and/or tampering with the LOCKOUTEXEMPT list.

        LOCKOUTEXEMPT=oper1 niteop

   o A security issue has been discovered with the LOCKOUT parameter in
     /etc/default/login (Bug #506487).

   o login fails with "unable to change directory"/"Connection closed"
     message when the permission mode of the NFS mounted home directory
     is 700 (Bug #437585).

   o This patch is based on an earlier patch (1143) which addressed SGI
     bug 216127, an incorrect interaction between the IDLEWEEKS feature
     in login and the forced expiration of a password via
     passwd -f username. This interaction caused the system to behave
     as if the password had expired more than IDLEWEEKS ago, which
     requires the system administrator to set a new password.

   o This patch is based on an earlier patch (1020) which addressed SGI
     bugs 315571 (315574, 315925 internal), a report of potential
     telnetd security problems from setting environment variables with
     the telnet "environ" command. This problem was discussed in CERT
     Advisory CA-95:14 and in follow-up actions from the original
     report. A similar issue exists with the login command; it is also
     fixed in this patch.

1.3 Subsystems_Included_in_Patch_SG0002216

This patch release includes these subsystems:

   o patchSG0002216.eoe1_man

   o patchSG0002216.eoe1_sw

   o patchSG0002216.eoe2_sw

1.4 Installation_Instructions

Because you want to install only the patches for problems you have
encountered, patch software is not installed by default. After reading
the descriptions of the bugs fixed in this patch (see Section 1.3),
determine the patches that meet your specific needs.

If, after reading Sections 1.1 and 1.2 of these release notes, you are
unsure whether your hardware and software meet the requirements for
installing a particular patch, run inst. The inst program does not
allow you to install patches that are incompatible with your hardware
or software.

Patch software is installed like any other Silicon Graphics software
product.
Follow the instructions in your Software Installation Administrator's
Guide to bring up the miniroot form of the software installation tools,
if you want to use the miniroot (it is not required).

Follow these steps to select a patch for installation:

   1. At the Inst> prompt, type

         install patchSGxxxxxxx

      where xxxxxxx is the patch number.

   2. Initiate the installation sequence. Type

         Inst> go

   3. You may find that two patches have been marked as incompatible.
      (The installation tools reject an installation request if an
      incompatibility is detected.) If this occurs, you must deselect
      one of the patches.

         Inst> keep patchSGxxxxxxx

      where xxxxxxx is the patch number.

   4. After completing the installation process, exit the inst program
      by typing

         Inst> quit

1.5 Patch_Removal_Instructions

To remove a patch, use the versions remove command as you would for any
other software subsystem. The removal process reinstates the original
version of software unless you have specifically removed the patch
history from your system.

   versions remove patchSGxxxxxxx

where xxxxxxx is the patch number.

To keep a patch but increase your disk space, use the versions
removehist command to remove the patch history.

   versions removehist patchSGxxxxxxx

where xxxxxxx is the patch number.
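
Added example (not part of the SGI release note, and not SGI code): a POSIX shell check of a login defaults file against the LOCKOUTEXEMPT rules described in Section 1.2 (list ignored unless LOCKOUT is enabled, 240-character limit, no privileged accounts, file mode 400 or 600). The names audit_lockoutexempt, value_of and PRIVILEGED_USERS are hypothetical, and treating the last KEY=value line as the effective one is an assumption.

```shell
#!/bin/sh
# Added example: audit a login defaults file against the LOCKOUTEXEMPT
# rules quoted in Section 1.2 of this release note.
PRIVILEGED_USERS="root"   # assumption: extend with other privileged accounts

# Print the value of KEY from FILE. Assumption: if KEY appears more than
# once, the last uncommented KEY=value line is the one that counts.
value_of() {
    sed -n "s/^$1=//p" "$2" | tail -1
}

# Print one finding per line; return 1 if there were any, else 0.
audit_lockoutexempt() {
    file=$1 bad=0
    lockout=$(value_of LOCKOUT "$file")
    exempt=$(value_of LOCKOUTEXEMPT "$file")
    [ -n "$exempt" ] || return 0          # empty list: option is ignored
    case $lockout in ''|*[!0-9]*) lockout=0 ;; esac
    if [ "$lockout" -eq 0 ]; then
        echo "LOCKOUTEXEMPT is set but LOCKOUT is not enabled, so it is ignored"; bad=1
    fi
    if [ "${#exempt}" -gt 240 ]; then
        echo "LOCKOUTEXEMPT list is ${#exempt} characters (maximum 240)"; bad=1
    fi
    for user in $PRIVILEGED_USERS; do
        case " $exempt " in *" $user "*)
            echo "privileged account '$user' is exempt from LOCKOUT"; bad=1 ;;
        esac
    done
    # The first ten characters of ls -l are the file type and permission bits.
    perms=$(ls -ld "$file" | cut -c1-10)
    case $perms in
        -r--------|-rw-------) ;;
        *) echo "file permissions are $perms, expected mode 400 or 600"; bad=1 ;;
    esac
    return $bad
}

# Constructed sample file, for demonstration only.
sample=$(mktemp)
printf 'LOCKOUT=3\nLOCKOUTEXEMPT=oper1 niteop root\n' > "$sample"
chmod 644 "$sample"
audit_lockoutexempt "$sample" || echo "findings reported for sample file"
rm -f "$sample"
```

On a patched system the function would be pointed at /etc/default/login itself; the sample file above reports the privileged-account and file-mode findings.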