viktor%fine.Princeton.EDU@princeton.edu (Viktor Dukhovni) (02/01/89)
[[ I saw this on Sun-Nets and decided that many people here would also be interested in seeing it. I changed the subject line to more accurately reflect the message's content. --wnl ]]

Turn off your unpatched yppasswdd servers immediately!!! Anyone on the internet can convince these to create a passwordless root account.

I will post the method in two weeks' time unless strongly urged not to do so. (This gives everyone plenty of time to get the SUN patch tape, or turn off yppasswdd. I do believe though in giving people a chance to take action before compromising whatever measure of security they have left.)

Viktor.

[[ This bug apparently exists in all known yp implementations: 3.x, 4.0, 4.0.1, and even implementations that aren't Sun's. Our system manager called Sun for a patch tape, but I haven't heard yet if they even returned her call or acknowledged that such a tape exists. --wnl ]]

graham%ee.surrey.ac.uk@nss.cs.ucl.ac.uk (Graham J Carpenter) (02/10/89)
>This bug apparently exists in all known yp implementations: 3.x, 4.0,
>4.0.1, and even implementations that aren't Sun's. Our system manager
>called Sun for a patch tape, but I haven't heard yet... --wnl

Does anyone have a Sun Bug Report ID number for this? It's easier to refer to an existing bug report than to try and describe to Software Support details of a bug about which we have no details.

--
Graham Carpenter - graham@ee.surrey.ac.uk
Dept of Electronic and Electrical Engineering
University of Surrey, Guildford, Surrey, GU2 5XH.

[[ Sure. We have the tape now. It has new 4.0 executables (for 010, 020, and sparc) for in.ftpd, sendmail, sendmail.mx, ypbind, rpc.yppasswdd, and portmap. There are also 3.5 versions for ypbind and rpc.yppasswdd. These are fixes for the following Bug IDs: 1015127, 1015111, 1016711, 1015128, 1016786, 1010710.

But I have it on reasonably good authority (not from within Sun) that the yppasswdd fix is still not sufficient.

Those concerned should seriously consider joining the mailing list "Sun-Nets". Mail requests to "Sun-Nets-request@brillig.umd.edu". This is being discussed fairly regularly there. --wnl ]]