Apple Computer, Inc. Affected

Notified:  May 14, 2001 Updated: September 25, 2001

Status

Affected

Vendor Statement

The vulnerability described here is fixed in Mac OS X 10.1.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This vulnerability has been verified for Mac OS X.

Berkeley Software Design, Inc. Not Affected

Notified:  May 14, 2001 Updated: May 15, 2001

Status

Not Affected

Vendor Statement

Vendor-distributed shells are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Third-party shells may still be vulnerable -- consult vendor.

Compaq Computer Corporation Affected

Notified:  May 14, 2001 Updated: June 13, 2003

Status

Affected

Vendor Statement

TITLE: Tru64 UNIX Potential Security Vulnerability, Privileged App. Core Files and Temp File/Symbolic Links With Temp Files (SSRT1-41U, SSRT0742U, SSRT0759U)

NOTICE: There are no restrictions for distribution of this advisory provided that it remains complete and intact.

RELEASE DATE: 28 JANUARY 2002

SOURCE: Compaq Computer Corporation, Compaq Services Software Security Response Team

CROSS REFERENCE: (CVE CAN-2000-1134, CERT/CC VU#10277)

PROBLEM SUMMARY:

(1) (SSRT1-41U) It has been reported to Compaq that Tru64 UNIX has a potential security vulnerability with its utilization of temporary files in the shell programs and system startup or management scripts. Because the potential security vulnerability can only be exploited by users who have access to your local security domain, the risk is diminished. Many systems operate in a "turn key" mode where login access exists only for system administration. These systems are not at risk. Examples of these systems are file servers and web servers. There are things that can be done to reduce the potential vulnerability and exposure. A set of Compaq guidelines is available from the Compaq Services web page at: http://www.support.compaq.com/sec/system-protections-tru64.html

(2) (SSRT0742U, SSRT0759U) A potential security vulnerability has been reported where, under certain circumstances, system integrity may be compromised. This may be in the form of improper privileged application core file access.

VERSIONS IMPACTED: All supported versions as well as recent prior versions. The affected versions include but are not limited to Tru64 UNIX versions V5.1a, V5.1, V5.0a, V5.0, V4.0g, V4.0f and V4.0d.

RESOLUTION: Early Release Patches (ERPs) are available for all supported versions of Tru64 UNIX (4.0F, 4.0G, 5.0A, 5.1 and 5.1A) and, as a courtesy, for V4.0D and V4.0F, as support for these two has just recently ended.

To obtain the patch or patches needed, connect to the FTP site ftp://ftp.support.compaq.com/public/unix/, choose the version directory required and download the appropriate patch.

Early Release Patches

Until the Tru64 UNIX fixes are generally available in mainstream patch kits, Compaq recommends use of the following Early Release Patch (ERP) kits:

Tru64 UNIX 4.0D
  Prerequisite: 4.0D with Patch Kit 9 (BL17) installed
  ERP Kit Name: DUV40DB17-C0061401-12858-E-20020115.tar
  Kit Location: http://ftp1.support.compaq.com/public/unix/v4.0d/

Tru64 UNIX 4.0F
  Prerequisite: 4.0F with Patch Kit 6 (BL17) installed
  ERP Kit Name: DUV40FB17-C0061801-12860-E-20020115.tar
  Kit Location: http://ftp1.support.compaq.com/public/unix/v4.0f/

  Prerequisite: 4.0F with Patch Kit 7 (BL18) installed
  ERP Kit Name: DUV40FB18-C0065000-12930-E-20020122.tar
  Kit Location: http://ftp1.support.compaq.com/public/unix/v4.0f/

Tru64 UNIX 4.0G
  Prerequisite: 4.0G with Patch Kit 3 (BL17) installed
  ERP Kit Name: T64V40GB17-C0009303-12856-E-20020115.tar
  Kit Location: http://ftp1.support.compaq.com/public/unix/v4.0g/

Tru64 UNIX 5.0
  Prerequisite: 5.0 with Patch Kit 4 (BL17) installed
  ERP Kit Name: T64V50B17-C0006900-12861-E-20020115.tar
  Kit Location: http://ftp1.support.compaq.com/public/unix/v5.0/

Tru64 UNIX 5.0A
  Prerequisite: 5.0A with Patch Kit 3 (BL17) installed
  ERP Kit Name: T64V50AB17-C0017601-12862-E-20020115.tar
  Kit Location: http://ftp1.support.compaq.com/public/unix/v5.0a/

Tru64 UNIX 5.1
  Prerequisite: 5.1 with Patch Kit 3 (BL17) installed
  ERP Kit Name: T64V51B17-C0095501-12931-E-20020122.tar
  Kit Location: http://ftp1.support.compaq.com/public/unix/v5.1/

  Prerequisite: 5.1 with Patch Kit 4 (BL18) installed
  ERP Kit Name: T64V51B18-C0094800-12864-E-20020115.tar
  Kit Location: http://ftp1.support.compaq.com/public/unix/v5.1/

Tru64 UNIX 5.1A
  Prerequisite: 5.1A with Patch Kit 1 (BL1) installed
  ERP Kit Name: T64V51AB1-C0008900-12954-E-20020124.tar
  Kit Location: http://ftp1.support.compaq.com/public/unix/v5.1a/

MD5 and SHA1 checksums are available in the public patch notice for the ERP kits. You can find information on how to verify MD5 and SHA1 checksums at: http://www.support.compaq.com/patches/whats-new.shtml

The fixes contained in the early release patch (ERP) kits will be available in the next aggregate patch kits for each supported product release as follows:
- Tru64 UNIX 4.0F PK8
- Tru64 UNIX 4.0G PK4
- Tru64 UNIX 5.0A PK4
- Tru64 UNIX 5.1 PK5
- Tru64 UNIX 5.1A PK2

NOTE: (1) Please review the README file(s) for each patch prior to installation. After completing the update, Compaq strongly recommends that you perform an immediate backup of your system disk so that any subsequent restore operations begin with updated software. Otherwise, you must reapply the update after a future restore operation. Also, if at some future time you upgrade your system to a later patch version, you may need to reapply the appropriate update.

SUPPORT: For further information, please contact your normal Compaq Global Services support channel.

SUBSCRIBE: To subscribe to automatically receive future Security Advisories from Compaq's Software Security Response Team via electronic mail: http://www.support.compaq.com/patches/mailing-list.shtml

REPORT: To report a potential security vulnerability with any Compaq supported product, send email to: security-ssrt@compaq.com

Compaq appreciates your cooperation and patience. We regret any inconvenience applying this information may cause. As always, Compaq urges you to periodically review your system management and security procedures. Compaq will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems.

"Compaq is broadly distributing this Security Advisory to notify all users of Compaq products of the important security information contained in this Advisory. Compaq recommends that all users determine the applicability of this information to their individual situations and take appropriate action. Compaq does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, Compaq will not be responsible for any damages resulting from user's use or disregard of the information provided in this Advisory."

Copyright 2002 Compaq Computer Corporation. All rights reserved.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The above statement was made by Compaq Computer Corporation prior to its merger with Hewlett-Packard. For additional information, please see http://ftp.support.compaq.com/patches/public/unix/v4.0f/duv40fb18-c0065000-12930-e-20020122.README

Please see http://www.tru64unix.compaq.com/unix/security-download.html for the patch/security information and http://ftp.support.compaq.com/patches/.new/unix.shtml for the actual patches.
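The class Compaq names in item (1) of its advisory, temporary files reached through attacker-planted symbolic links, is easier to reason about with a concrete check. The shell script below is an added illustration written for this page; it is not Compaq's, CERT/CC's or any vendor's code, and it does not reproduce the internal shell defect this note tracks, whose only fix is the vendor patches listed above. It shows, entirely inside a private scratch directory, why a script that writes to a predictable temporary name can be redirected by a pre-planted symlink, that the POSIX noclobber option (set -C, which creates with O_EXCL and refuses to overwrite an existing regular file) rejects such a write, and that mktemp(1) yields an unpredictable, exclusively created 0600 file. The function names, the scratch paths and the "victim" file are constructed for the example.

```shell
#!/bin/sh
# Added illustration of the temp-file / symbolic-link class named in the
# Compaq advisory (not vendor code). Everything happens under a private
# mktemp -d directory; nothing touches the real /tmp.

# Returns 0 if a write to a predictable temp name went through an
# attacker-planted symlink and landed in the link target (unsafe), 1 if not.
predictable_write_follows_symlink() {
    scratch=$(mktemp -d) || return 2
    target="$scratch/victim"           # stands in for a file the attacker wants clobbered
    : > "$target"                      # exists and is empty before the attack
    predictable="$scratch/script.tmp"  # a name the attacker can guess ahead of time
    ln -s "$target" "$predictable"     # attacker plants the link before the script runs
    echo "payload" > "$predictable" 2>/dev/null   # script writes, unaware of the link
    if [ "$(cat "$target")" = "payload" ]; then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return $rc
}

# Returns 0 if noclobber (set -C) refused to write through the planted
# symlink, 1 if the write reached the target anyway.
noclobber_refuses_symlink() {
    scratch=$(mktemp -d) || return 2
    target="$scratch/victim"
    : > "$target"
    predictable="$scratch/script.tmp"
    ln -s "$target" "$predictable"
    # Same write as above, but under noclobber: the shell checks what the
    # path resolves to and will not clobber an existing regular file.
    ( set -C; echo "payload" > "$predictable" ) 2>/dev/null
    if [ -s "$target" ]; then rc=1; else rc=0; fi
    rm -rf "$scratch"
    return $rc
}

# Returns 0 if mktemp produced a fresh regular file (not a link) with mode
# 0600 under the scratch dir: unpredictable name plus O_EXCL creation, which
# is the pattern scripts should use instead of a fixed name.
mktemp_creates_private_file() {
    scratch=$(mktemp -d) || return 2
    f=$(mktemp "$scratch/script.XXXXXX") || { rm -rf "$scratch"; return 1; }
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU, then BSD stat
    if [ -f "$f" ] && [ ! -L "$f" ] && [ "$mode" = "600" ]; then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return $rc
}

# Stand-alone run: report each check.
for check in predictable_write_follows_symlink noclobber_refuses_symlink mktemp_creates_private_file; do
    if "$check"; then echo "$check: yes"; else echo "$check: no"; fi
done
```

Each function returns 0 when the behaviour it is named for is observed, so the three checks can be dropped into a test harness. Turning on noclobber in startup and management scripts is a cheap hardening for the predictable-name case, but it only guards the shell's own redirections; the shell-internal temporary files the advisory is about are fixed by the ERP kits, not by any script-level option.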

Data General Unknown

Notified:  May 14, 2001 Updated: June 11, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Linux Unknown

Notified:  May 14, 2001 Updated: June 11, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

DEC Affected

Notified:  May 14, 2001 Updated: January 30, 2002

Status

Affected

Vendor Statement

The statement is identical to the Compaq Computer Corporation statement above (Tru64 UNIX advisory SSRT1-41U, SSRT0742U, SSRT0759U, released 28 January 2002).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

If you have feedback, comments, or additional information about this vulnerability, please send email to Compaq Computer Corporation. Please see: http://www.tru64unix.compaq.com/unix/security-download.html for the patch/security information; http://ftp.support.compaq.com/patches/.new/unix.shtml for the actual patches.

FreeBSD, Inc. Affected

Notified:  November 20, 2000 Updated: May 15, 2001

Status

Affected

Vendor Statement

http://www.linuxsecurity.com/advisories/freebsd_advisory-1054.html
http://www.linuxsecurity.com/advisories/freebsd_advisory-900.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Third-party shells may be vulnerable -- consult vendor.

Fujitsu Unknown

Notified:  May 14, 2001 Updated: June 11, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett-Packard Company Affected

Notified:  May 14, 2001 Updated: June 13, 2003

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See also http://www.kb.cert.org/vuls/id/TJSL-56UQED.

IBM Corporation Affected

Notified:  May 14, 2001 Updated: June 13, 2001

Status

Affected

Vendor Statement

We examined our UNIX shells that ship with AIX for the redirection operator vulnerability. Our ksh is not vulnerable. Our Bourne shell may be vulnerable, but we have asked the developer to review the appropriate source code to make a final determination. Our csh is vulnerable, and the problem is being fixed.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Mandriva, Inc. Affected

Notified:  November 20, 2000 Updated: July 16, 2001

Status

Affected

Vendor Statement

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000350&idioma=en

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation Unknown

Notified:  May 14, 2001 Updated: June 11, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Unknown

Notified:  May 14, 2001 Updated: June 11, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NeXT Unknown

Notified:  May 14, 2001 Updated: June 11, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD Not Affected

Notified:  October 30, 2000 Updated: July 05, 2001

Status

Not Affected

Vendor Statement

This has been fixed (as of 10/30/2000) in OpenBSD csh. The sh (which is pdksh) was not vulnerable. Further research shows that this vulnerability was not present in earlier releases.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc. Unknown

Notified:  May 14, 2001 Updated: June 11, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Computer Systems, Inc. Unknown

Notified:  May 14, 2001 Updated: June 11, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Affected

Notified:  May 14, 2001 Updated: January 29, 2002

Status

Affected

Vendor Statement

ftp://patches.sgi.com/support/free/security/advisories/20011103-01-I

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Previous statement (May 18, 2001): SGI acknowledges receiving the vulnerability reported and is currently investigating. No further information is available at this time. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods, including the wiretap mailing list and http://www.sgi.com/support/security/ For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported IRIX operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements.

Siemens Nixdorf Unknown

Notified:  May 14, 2001 Updated: June 11, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation Unknown

Notified:  May 14, 2001 Updated: June 11, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Microsystems, Inc. Affected

Notified:  July 17, 1991 Updated: May 17, 2001

Status

Affected

Vendor Statement

Releases starting at Solaris 8 update 5 have been fixed, and patches will be available soon.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The SCO Group (SCO Linux) Affected

Notified:  May 14, 2001 Updated: June 19, 2001

Status

Affected

Vendor Statement

Caldera International has released updates for those problems:

1. bash1, released on November 24th, 2000
   Location of fixed packages:
   OpenLinux 2.3: ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/045/
   OpenLinux eServer 2.3.1: ftp://ftp.caldera.com/pub/updates/eServer/2.3/034/
   OpenLinux eDesktop 2.4: ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/028/

2. tcsh, released on December 4th, 2000
   Location of fixed packages:
   OpenLinux 2.3: ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/046/
   OpenLinux eServer 2.3.1: ftp://ftp.caldera.com/pub/updates/eServer/2.3/035/
   OpenLinux eDesktop 2.4: ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/029/

3. Other shells: We have detected the same problem in bash2 and fixed it for the next shipping product.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The SCO Group (SCO Unix) Affected

Notified:  May 14, 2001 Updated: January 29, 2002

Status

Affected

Vendor Statement

ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.24/CSSA-2001-SCO.24.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Contact vendor regarding availability of patches.

Unisys Unknown

Notified:  May 14, 2001 Updated: June 11, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.
