Cobalt Updates Sun Cobalt Qube2
Downloads MUST be applied from the bottom of the page to the top, as they must be applied in chronological order.
Applying these patches in the wrong order will likely cause problems with the Sun Cobalt product.
Apache Update 4.0.1
This package contains an updated Apache HTTP Server that addresses a security issue recently discovered. For more information,
please see http://httpd.apache.org/info/security_bulletin_20020617.txt
Reboot Required: Yes
MD5 Check Sum: 49cd8c41d95bbe9231d0677e59d99ac6
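Each entry on this page publishes an MD5 check sum, so a downloaded package can be checked against it before it is applied, and the bottom-to-top ordering rule above can be enforced by a script rather than by hand. The POSIX shell script below is an added example and is not part of the Sun Cobalt page or of Cobalt's own tooling: it computes a file's MD5 with whichever of `md5sum` or `md5` is installed, compares it with the published value, and walks a list of packages in the order given, stopping at the first mismatch so that no later patch is applied on top of a corrupt earlier one. The package names and hash values in the usage lines are constructed placeholders, not the packages listed on this page.

```shell
#!/bin/sh
# Added example, not Sun Cobalt's code: verify downloaded update packages
# against their published MD5 check sums before applying them in order.

# md5_of FILE
# Prints the lowercase hex MD5 of FILE using whichever tool is present
# (GNU/BusyBox md5sum or the BSD/macOS md5 command). Returns 2 if neither exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        echo "no md5sum or md5 tool found" >&2
        return 2
    fi
}

# verify_pkg FILE EXPECTED_MD5
# Returns 0 when FILE's MD5 matches EXPECTED_MD5 (case-insensitive),
# 1 on a mismatch, 2 if the checksum could not be computed at all.
verify_pkg() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# apply_in_order FILE:EXPECTED_MD5 ...
# Takes the packages oldest-first (i.e. from the bottom of the page upward)
# and verifies each one before moving on. A single mismatch aborts the run,
# which is the behaviour you want: a later patch must never be applied over
# a corrupt or missing earlier one. The actual install step is left as a
# comment because on these appliances it is done through the web UI.
apply_in_order() {
    for entry in "$@"; do
        pkg=${entry%%:*}
        sum=${entry#*:}
        verify_pkg "$pkg" "$sum" || return 1
        # Install "$pkg" here (e.g. upload it via the appliance's admin UI).
    done
    return 0
}

# Usage with hypothetical file names and hashes (placeholders, not real
# Cobalt packages); list them oldest-first to match the page's ordering rule:
# apply_in_order \
#     "Qube2-PLACEHOLDER-older.pkg:00000000000000000000000000000000" \
#     "Qube2-PLACEHOLDER-newer.pkg:11111111111111111111111111111111"
```

Note that an MD5 check sum only detects download corruption or an accidental mix-up of files; it is not a signature, so the expected value still has to be read from a trusted copy of this page rather than from the same server the package came from.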
TCPDUMP Update 4.0.1
This patch replaces the TCPDUMP network analysis tool with a new version. This version of TCPDUMP contains security fixes for issues that were found in prior releases of TCPDUMP for the Sun Cobalt Server Appliance.
Reboot Required: No
MD5 Check Sum: 98739a0020940f2525f2698224996b67
Security Bundle 4.0.1
This package contains security updates for a variety of programs included on the Sun Cobalt Qube 2 appliance. The following packages have been upgraded:
- ProFTPD 1.2.4
- zlib 1.1.3-25.7c1r2
- pine 4.44-C1
- binutils 2.8.1-1C2r2
- CVS 1.10.2-1c1r2
- GCC 2.7.2-c3r3
- sed 2.05-7c1r2
Reboot Required: No
MD5 Check Sum: 428824092410c9ca5e3533ec6bd60c7e
telnetd Update 4.0.1
This security patch addresses an issue found in the telnet daemon, where a remote attacker is able to gain access to server
appliances if telnet is enabled.
Information regarding this update can be found at CERT Coordination Center's website. The URL is:
http://www.cert.org/advisories/CA-2001-21.html.
MD5 Check Sum: dee27b4e66fd790f4534a9b9136a36a3
Special Characters Update 4.0.1
System problems may occur when special characters are used in a new username or in a user's full name.
This update enables the use of special characters such as "." in a username and "'" in users' full names.
MD5 Check Sum: 249b3eb563c58aca9389e96f301c9cba
analog Update 4.0.2
This security update prevents a buffer overflow exploit via analog using the "alias" command. This package upgrades
analog to v4.16-1(C1).
For additional information please refer to http://www.analog.cx/
MD5 Check Sum: 0af78e59840c939631d51524cdc2ff13
ntp Update 4.0.1
The current version of ntp was found to be susceptible to remote root exploits via a buffer overflow. This package corrects this by updating ntp to xntp 3-5.93-14.
MD5 Check Sum: 7d799eb1b6b9cd472bba64e8f6591078
proftpd Update 4.0.1
This patch updates proftpd in response to a CERT alert (CA-2001-07) regarding the current version of proftpd. Additional information on the patch can be found on CERT's official website:
http://www.cert.org/advisories/CA-2001-07.html
MD5 Check Sum: 0268bd32e6033d459cb2a96711f3e993
Deactivate backup.cgi 4.0.1
This update prevents a copy of the backup.cgi from being created.
MD5 Check Sum: f1620746fe81fef37e4aedf904cfa223
Backup Update 4.0.1
This patch addresses an issue found in backup that allows local users to run arbitrary commands with elevated user privileges.
MD5 Check Sum: 04ca7020b05166bc11080e9f1ad5c6af
vixie-cron Update 4.0.1
This patch upgrades the version of vixie-cron to 3.0.1-40. This version of vixie-cron addresses the following security issue,
which existed in previous versions. A buffer overflow existed in the 'crontab' command: if called by a user with a username
longer than 20 characters, it would be possible for that user to gain elevated privileges.
Pine Update 4.0.2
Upon abnormal exit, the text editor saves any changes made to the file being edited into a new file in the current working directory named filename.save (where filename corresponds to the name of the file being edited, e.g. test.txt will be saved as test.txt.save). When saving this file, the text editor does not check the file type. A user editing a file in a directory writable by others could therefore have other files overwritten if a malicious user symbolically linked the filename.save name to a file that the editing user has owner or group write access to. This would result in the contents of the pico session being written to the symbolically linked file.
This security update installs Pine v4.33-C1, which includes the latest Pico v4.0.
proftpd Update 4.0.1
This package upgrades the version of proftpd to 1.2.0rc3.
/tmp DOS Attack Update 4.0.7
The previous versions contained legacy patch invocation code that had the illegal "-z" option in upgrade_me for MIPS
appliances. These versions do not.
BIND Update 4.0.2
This patch upgrades the version of BIND used by DNS to 4.9.8. This version of BIND contains fixes for various security holes that were found in the previous version.
ncurses Update 4.0.2
There used to be an overflowable buffer in the part of the ncurses library handling cursor movement. Attackers can force a
privileged application to use their own termcap file containing a special terminal entry which will trigger the ncurses
vulnerability, allowing them to execute arbitrary code with the privileges of the exploited binary.
OS Update 4.0
HTTP: Qube2-en-OSUpdate-4.0.pkg
Posted: February 14, 2001
FTP: Point your FTP client to ftp://ftp.cobalt.sun.com
Size: 5,463,593
Note: This update requires OS Update 3.0 and the glibc update (Qube2-All-Security-3.0.1-8061.pkg) before installation.
Obsoletes These Previous Updates:
- Qube2-All-System-3.0.1-6541
- Qube2-All-System-3.0.1-7324-3.0.1-7324
- Qube2-All-Security-3.0.1-8164-3.0.1-8164
- Qube2-All-Security-3.0.1-8008-3.0.1-8008
- Qube2-All-Security-3.0.1-6453-3.0.1-6453
- Qube2-All-Security-3.0.1-6750-3.0.1-6750
- Qube2-All-Security-3.0.2-6750-3.0.2-6750
- Qube2-All-Security-3.0.1-6682-3.0.1-6682
- Qube2-All-System-3.0.2-6449-3.0.2-6449
- Qube2-All-Security-3.0.1-6579-3.0.1-6579
- Qube2-en-OSUpdate-3.0
Operating System and User Interface
- Modified confusing Active Monitor error messages
- Modifying user quota previously corrupted smbpasswd file
- Users could be assigned existing aliases as usernames
- Username would disappear from the list if the user was created with an existing alias
- Added 127.0.0.1/localhost as an acceptable combination for DNS configuration
- Deletion of a username with a "." would cause the deletion of users with similar names
Mail and Mailing Lists
- Server will now wait the appropriate amount of time before dialing in to deliver mail
- Date format fixed in vacation mail
- Deleting a user does not delete the POP lockfile if it exists
- Email to mailing lists would bounce if it contained any Majordomo commands in the first 10 lines
Web and Networking
- Removed the need for a trailing slash for sites on the second interface
- Firewall rules did not work with remote dialups
- Fixed various ISDN modem incompatibilities
- In certain situations FTP would not work unless Appleshare was enabled
Backup and Restore
- Failed Scheduled Backups left stray archives in /home/tmp
- SMB based backups did not work with "." in the share name
Major Software Updates
- Bind updated from Bind 4 to Bind 8
- ProFtpd updated to 1.2.0 rc2
glibc Update 3.0.1
This updates the version of glibc. Prior to this update it was possible for local users to gain root access.
OS Update 3.0
Update OS 2.0 is required before installing Update OS 3.0. As this update contains a kernel upgrade, please be aware that some third-party applications install a modified kernel in order to facilitate their functionality. If you believe their functionality could be affected by this kernel upgrade, please check with the third-party application vendor before installing this update.
Do not install this update if you have an ISDN Qube.
Obsoletes These Previous Updates:
- Qube2-Security 2.0
- Qube2-Security 2.1
- Qube2-Security 2.2
- Qube2-Security 2.3
- Qube2-Security 2.4
- Qube2-Security 2.5
- Qube2-Security 2.6
- Qube2-Security 2.7
- Qube2-Security 2.8
- All-Kernel-MIPS Update 1.0
- Qube2-InfoPlace Patch 2.1 (English Only)
Cumulative List of Bug Fixes and Feature Changes:
Operating System and User Interface
- Upgraded kernel version.
- The disk quota of a user or group was not allowed to be set any larger than 10 gigabytes. Now, this limitation has been
removed.
- The log files /var/cobalt/dhcpd.log, /var/cobalt/modem.log and /var/cobalt/telnet.log were not being rotated properly in
the log rotation process. This could accidentally lead to a disk full error condition.
- The cron program was updated to fix a potential buffer overflow security problem that might allow a user to gain root
privileges.
- The syslog server was updated to fix a potential denial of service security problem.
- The modem update screen incorrectly returned a user to the modem update screen even after the user selected another page
in the user interface.
- Once an existing username is deleted and the changes are saved within the modem settings screen, the user interface did
not properly allow you to enter a username into the modem settings screen again. The user interface improperly showed the
username as having been added, even though the underlying configuration file was never properly updated.
E-Mail and Mailing Lists
- Increased the maximum number of allowable POP connections per minute from 40 to 80.
- A user could incorrectly create an e-mail alias with the same name as an already existing mailing list or alias, thereby
improperly intercepting e-mail messages.
- Fixed a problem where trying to add a forwarding e-mail address for a user would intermittently cause the user interface
to fail to accept the addition at all.
- The POP server was upgraded to fix a potential problem where a user would be incorrectly prevented from successfully
downloading e-mail messages using a POP connection. This would typically occur when a user's e-mail spool file exceeded more
than half of the user's total disk space quota.
- The e-mail server was updated to fix a potential security problem due to the possibility of a user corrupting the aliases
database and thereby stopping service.
- All mailing lists were created with a default password, which posed a potential security problem. Now, all mailing lists have a randomly generated password for both the list owner and the list moderator.
- The mailing list program was updated to fix a potential security problem that might allow a user to gain higher
privileges.
Web and FrontPage Extensions
- The web server was updated to fix a potential denial of service security problem.
FTP and File Sharing
- The FTP server could improperly deny site administrators access to any directories above their home directories, thereby denying access to their virtual site web directory. This typically occurs for the site administrator group when the total length of the user names in the group is greater than 1024 characters.
- Permissions for anonymous FTP transfers were set incorrectly on the incoming folder.
- Disabled guest login access from being enabled by default when using Apple File Sharing. This prevents guest users from
accessing all files in all groups.
- Changing a user's quota setting incorrectly erased the user's Windows File Sharing password.
Backup and Restore
- The backup routine improperly allowed anyone to run a complete or configuration-only backup, thereby allowing access to some sensitive configuration files.
- The scheduled backup routine sometimes improperly used text transfer mode instead of binary transfer mode for FTP transfers, thereby irretrievably corrupting some backups.
- Scheduled backups could not be created if share names had dashes in them.
- Backups did not properly handle filenames with apostrophes in them.
- Backups did not properly handle filenames with double-byte characters in them.
- Backups did not properly handle filenames with left or right parentheses or the ampersand symbol in them.
- Doing a selective restore of a backup file incorrectly left behind a temporary copy in /home/tmp instead of deleting it
properly.
- Mailing list information was improperly omitted from the complete and configuration only backup routines.
Miscellaneous
- Added manual pages for sendmail command.
- The server incorrectly identified itself as a Sun Cobalt Qube 2800WG appliance instead of a Sun Cobalt Qube 2 appliance
when using Windows File Sharing.
- Created and configured the file /home/groups/home/robots.txt in order to disallow search engine robots from scanning for
web sites.
- Public discussion forums incorrectly allowed users to include files in their postings that were not accessible to the
public.
- The InfoPlace Document Organizer was updated to properly display dates and allow searches after January 1, 2000.
Note to Brosoft SSL users:
Please refer to Brosoft's web site for the latest version of this update.
http://www.brosoft.net/en/os_update.html