AusCERT - SA-93.08 -- MegaPatch v1.7 available

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
SA-93.08 -- MegaPatch v1.7 available
Date: 21 July 1993

Click here for printable version
=============================================================================
SA-93.08			SERT Advisory
				 21-Jul-1993
			    MegaPatch v1.7 available
-----------------------------------------------------------------------------

Announcing MegaPatch version 1.7
================================

Release Date: 21/07/1993

This MegaPatch has been developed to apply a number of security patches in a
one time manner to SunOS.  The MegaPatch is an un-productised version of Sun
Microsystems's ConSePT and as such may have additional features/enhancements/
improvements which are not supported  by Sun.

The MegaPatch currently works for SunOS systems 4.1.3 and 4.1.2 only and
will require approximately 20Mb of free disk space to install and execute.
It is recommended that the MegaPatch be run on a freshly installed version
of SunOS to avoid patch conflicts and to ensure the integrity of the operating
system is observed.

MegaPatch is supplied as a compressed tar archive, there is a script file
(called "installmega") supplied for easy installation.

MegaPatch currently includes these patches: 100103-12 files, 100173-10 NFS,
100224-06 /bin/mail, 100257-04 ld.so, 100296-04 NFS, 100305-10 lpr,
100372-02 C2 & tfs, 100376-04 int div/mult, 100377-05 sendmail,
100383-05 rdist, 100448-01 OW3, 100478-01 OW3, 100482-04 NIS, 100507-04 tmpfs,
100513-02 tty, 100532-03 libc, 100564-05 C2 & NIS, 100567-04 network,
100623-03 UFS, 100630-01 login/su, 100632-05 arm, 100891-02 libc,
101080-01 expreserve

Additional localisation routines have been added to the MegaPatch, these
can enhance site security.  The local scripts are detailed below:

perm		A script to fix some of the permissions after the installation
		of the MegaPatch.
log_tcp		A script to install the TCP/IP firewall program log_tcp version
		4.3.  This restricts TCP/IP access to telnet and ftp by
		changing /etc/inetd.conf and further restricts these
		connections to this hosts.  To allow wider access edit the
		file /etc/hosts.allow to add hosts or domains in comma
		separated lists.
rhosts		This script removes all .rhosts files and /etc/hosts.equiv,
		this makes the use of rsh... a little more secure.
rread		This script processes the binary system executables and removes
		the read permission on these.  This make it more difficult for
		users to pull apart programs with the strings command or for
		users to accidentally copy large amounts of data or to copy a
		program such as telnet to a file such as vi in their directory
		to evade system accounting.
tripwire	This script installes a default installation of tripwire 1.02
		in the directory /usr/local/etc, with the database of file
		signatures being stored in /usr/local/etc/databases.
ttytab		This script ensures that secure is set ONLY for the console in
		the /etc/ttytab file.  This way root can only login on the
		console.
cops		This script will install a minimal installation of COPS in
		/usr/local/etc and produce a report on the security of your
		system.  The report will be placed in the directory
		/usr/local/etc/cops_104/`hostname`.
kernel		This script will ask additional questions with regard to which
		options you wish added or deleted from the kernel.  To ensure
		maximum security, answer y to all questions (but be aware that
		this may limit the use of some subsystems).  Then the kernel
		will be re-configured and rebuilt, even if their is no
		pre-existing kernel configuration file.
		THE KERNEL MUST BE REBUILT EITHER BY THIS SCRIPT OR MANUALLY AS
		SOME OF THE PATCHES CONTAIN FILES WHICH WILL AFFECT THE
		OPERATION OF THE KERNEL.

The MegaPatch can be obtained free of charge by anonymous ftp from

	ftp.sert.edu.au: /security/sert/tools/MegaPatch.1.7.tar.Z

Please read the file MegaPatch/DISCLAIMER before using this software.

MegaPatch version 1.7 is a significant change from version 1.6, so we expect
that a number of bugs may have been introduced. If you have any queries,
problems or bug reports, please send an email message to megapatch@sert.edu.au.
Your input will ensure that future releases of this software are as bug-free
and stable as possible.

New features for release 1.7
============================

1. The following patches have been upgraded to the latest release:

   Previous version     Current version         Detail
   --------------------------------------------------------------
   100103-11		100103-12		file permissions incorrect
   100891-01		100891-02		libc jumbo patch

2. The following patch has been added according to advice from
   Sun Microsystems (Sun Microsystems Security Bulletin #00120,
   10 June 93).

   Patch number		Detail
   ----------------------------------------
   101080-01		security problem with expreserve

3. A bug in the install script for patch 100305-11 caused it to fail if
   the directory /dev/lpd existed. This has now been fixed.

4. Support for 4.1.2 has been added. The installmega script will now
   recognise 4.1.2 systems and install extra patches. The additional
   patches that have been provided are:

   Patch number		Detail
   ----------------------------------------
   100376-04		Integer division/multiplication bug
   100532-03		libc jumbo patch

5. The MegaPatch will now detect if SunSHIELD has been installed, and if
   so will install the relevant patches. The SunSHIELD patches that have
   been added are:

   Patch number		Detail
   ----------------------------------------
   100632-05		ARM Jumbo patch

6. Support for localisation scripts has been redesigned. The file
   PATCHLIST.local contains a description of the patches, and lists
   the order in which they will be applied. Patches have been renamed
   to "install" and moved into sub-directories.

7. The patches that are installed by the MegaPatch are now recorded in
   /etc/install as patch_<patch-number>. This allows the "showrev -p"
   command to be used to check the patches that have been applied. It is
   expected that future releases of the MegaPatch will rely on this method
   to determine if patches have been applied.

8. Manual pages have been included with LogTCP, Tripwire and COPS.

9. Logging output now goes to a file called "patch_log" in /tmp.

10. Uninstall scripts have been provided to aid in the testing and development
    of the MegaPatch. They have been included in the distribution in case they
    prove useful. For Sun patches, the scripts are called <patch-number>/
    uninstall. For localisation, the scripts are called <name>/uninstall
    where <name> is the name of the patch.

----------------------------------------------------------------------------

If you believe that your system has been compromised, contact SERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email:	sert@sert.edu.au
Facsimile:	(07) 365 4477
Telephone:	(07) 365 4417
		SERT personnel answer during business hours (AEST - GMT+10:00).

Security Emergency Response Team
Prentice Centre
The University of Queensland
Qld.  4072.