Diffstat (limited to 'share/security/advisories/FreeBSD-SA-97:03.sysinstall.asc')
-rw-r--r-- | share/security/advisories/FreeBSD-SA-97:03.sysinstall.asc | 106 |
1 files changed, 0 insertions, 106 deletions
diff --git a/share/security/advisories/FreeBSD-SA-97:03.sysinstall.asc b/share/security/advisories/FreeBSD-SA-97:03.sysinstall.asc deleted file mode 100644 index 122cc9bdfe..0000000000 --- a/share/security/advisories/FreeBSD-SA-97:03.sysinstall.asc +++ /dev/null 
@@ -1,106 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- - -============================================================================= -FreeBSD-SA-97:03 Security Advisory - FreeBSD, Inc. - -Topic: sysinstall bug - -Category: core -Module: sysinstall -Announced: 1997-04-07 -Affects: FreeBSD 2.1, FreeBSD 2.1.5, FreeBSD 2.1.6 and FreeBSD 2.1.7 - FreeBSD 2.2 and FreeBSD 2.2.1. - -Corrected: all versions as of 1997-04-01. This includes the installation floppies for FreeBSD 2.2.1 found on: - ftp://ftp.FreeBSD.org/pub/FreeBSD/2.2.1-RELEASE/floppies/newer/ - Also the CDROM of FreeBSD 2.2.1 has this problem corrected. -Source: FreeBSD -FreeBSD only: yes - -Patches: - -============================================================================= - -I. Background - - Sysinstall is used both for fresh installations of FreeBSD as - well as post installation updates, like installing packages - from CDROM or ftp sites. - -II. Problem Description - - One of the port installation options in sysinstall is to install - an anonymous ftp setup on the system. In such a setup, an extra - user needs to be created on the system, with username 'ftp'. - This user is created with the shell equal to '/bin/date' and an - empty password. - -III. Impact - - Under some circumstances, this will allow unauthorized access - of system resources. - -IV. Solution(s) - - Change the entry of the ftp user such that is has an invalid password - and an invalid shell. This can be done by becoming the superuser, - and use the vipw command. Go to the line that starts with ftp:: - and change ftp:: to ftp:*: - Also change, on the same line, the shell from /bin/date to /nonexistent. - - If you have not yet used sysinstall to create an anonymous ftp setup, - but are planning to, please apply one of the following patches: - - Patch for FreeBSD 2.1.5, 2.1.6, 2.2 and 2.2.1: - - --- anonFTP.c 1996/04/28 03:26:42 1.14 - +++ anonFTP.c 1997/04/07 17:20:16 - 
@@ -195,7 +195,7 @@ - return (DITEM_SUCCESS); /* succeeds if already exists */ - } - - - sprintf(pwline, "%s::%s:%d::0:0:%s:%s:/bin/date\n", FTP_NAME, tconf.uid, gid, tconf.comment, tconf.homedir); - + sprintf(pwline, "%s:*:%s:%d::0:0:%s:%s:/nonexistent\n", FTP_NAME, tconf.uid, gid, tconf.comment, tconf.homedir); - - fptr = fopen(_PATH_MASTERPASSWD,"a"); - if (! fptr) { - - Patch for FreeBSD 2.1: - - --- anonFTP.c 1995/11/12 07:27:55 1.6 - +++ anonFTP.c 1997/04/03 19:29:21 - @@ -201,7 +201,7 @@ - return (RET_SUCCESS); /* succeeds if already exists */ - } - - - sprintf(pwline, "%s::%s:%d::0:0:%s:%s:/bin/date\n", FTP_NAME, tconf.uid, gid, tconf.comment, tconf.homedir); - + sprintf(pwline, "%s:*:%s:%d::0:0:%s:%s:/nonexistent\n", FTP_NAME, tconf.uid, gid, tconf.comment, tconf.homedir); - - fptr = fopen(_PATH_MASTERPASSWD,"a"); - if (! fptr) { - -============================================================================= -FreeBSD, Inc. - -Web Site: http://www.freebsd.org/ -Confidential contacts: security-officer@freebsd.org -PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc -Security notifications: security-notifications@freebsd.org -Security public discussion: security@freebsd.org - -Notice: Any patches in this document may not apply cleanly due to - modifications caused by digital signature or mailer software. - Please reference the URL listed at the top of this document - for original copies of all patches if necessary. -============================================================================= - ------BEGIN PGP SIGNATURE----- -Version: 2.6.2 - -iQCVAwUBM0kvaFUuHi5z0oilAQHzVgP/TwmyRgBAF1Hs/jSihpAzFTRfHXdX/8+r -7mO7OHtM8vBTX1SPaYOr+DdSI2PkcSU4Y8O2OsdR3O4asV52LT5d/qWqJVQbN8bM -majL9ufeH3WotZHEJAo6nHf0/Cw+Aml2MytnaBiOHhvtiiY9aAEiYQve5TEwVbhE -92/GUaLo3uY= -=VjRL ------END PGP SIGNATURE----- |
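Review bot: The advisory being deleted has an empty `Patches:` header, and its closing notice sends readers to "the URL listed at the top of this document" for original copies of the patches, so the two inline anonFTP.c diffs in section IV are the only copy of the fix this file carries. Before removing it, confirm that the PGP-signed text remains reachable at another path, and name that path in the commit message. The diff shows only `+++ /dev/null` with 106 deletions and no added or renamed file, so nothing visible here indicates where FreeBSD-SA-97:03 now lives.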