Article: 14308 of comp.protocols.kermit.misc
Path: newsmaster.cc.columbia.edu!news.columbia.edu!news-not-for-mail
From: fdc@columbia.edu (Frank da Cruz)
Newsgroups: comp.sys.hp.hpux,comp.security.unix,comp.security.misc,comp.protocols.kermit.misc
Subject: Re: SSRT3555 Potential Security Vulnerability in kermit
Date: 19 May 2003 11:20:51 -0400
Organization: Columbia University
Lines: 45
Message-ID: <baasoj$e3d$1@watsol.cc.columbia.edu>
References: <3ec8ed8d$1_2@hpb10302.boi.hp.com>
NNTP-Posting-Host: watsol.cc.columbia.edu
X-Trace: newsmaster.cc.columbia.edu 1053357652 4850 128.59.39.139 (19 May 2003 15:20:52 GMT)
X-Complaints-To: postmaster@columbia.edu
NNTP-Posting-Date: 19 May 2003 15:20:52 GMT
Xref: newsmaster.cc.columbia.edu comp.sys.hp.hpux:156621 comp.security.unix:80576 comp.security.misc:91519 comp.protocols.kermit.misc:14308
In article <3ec8ed8d$1_2@hpb10302.boi.hp.com>,
Security Alert <secure@cup.hp.com> wrote:
: PROBLEM: Potential security vulnerability in kermit
:
What version of Kermit?
: IMPACT: Potential increase in privilege.
:
: PLATFORM: HP9000 Series 700/800 running HP-UX releases 10.20
: and 11.00.
:
: SOLUTION: Until a fix is available remove suid permissions
: from /usr/bin/kermit.
:
If I'm not mistaken, this report refers to buffer overflow
vulnerabilities in C-Kermit 6.0 from 1996, or C-Kermit 7.0 from 2000.
A thorough audit of buffer-overflow vulnerabilities was performed for
C-Kermit 8.0, which was released in 2001 and furnished to HP at that
time. If you have HP-UX 11.22, then you also have C-Kermit 8.0 --
problem solved.

But if you have HP-UX 11.11, you have C-Kermit 7.0.

And if you have HP-UX 11.00 or earlier, you still have C-Kermit 6.0.

Thus the problem is that HP does not make new C-Kermit releases available
for previous HP-UX releases. There is no excuse for this. I furnish all
new C-Kermit releases to HP and include them in the development cycle. I
ensure that each new version of C-Kermit builds and runs correctly on every
version of HP-UX from 5.21 to the very latest, and I make prebuilt binaries
available for more than SIXTY (60) different combinations of HP hardware and
HP-UX version.

Therefore the "patch" for the above mentioned "problem" is to install an
up-to-date version of Kermit, which is available for all to download right
here:

http://www.columbia.edu/kermit/ckermit.html

Prebuilt HP-UX binaries can be found here:

http://www.columbia.edu/kermit/ck80binaries.html#hp

- Frank