
Cobalt Updates
Sun Cobalt RaQ2

Downloads MUST be applied from the bottom of the page to the top, as they must be applied in chronological order. Applying these patches out of order will likely result in problems with the Sun Cobalt™ product.

CGIWrap Update 4.0.1

HTTP RaQ2-All-Security-4.0.1-14997.pkg Posted: August 27, 2002
FTP Point your FTP client to ftp://ftp.cobalt.sun.com Size: 43,254

This package contains an updated CGIWrap that addresses a security issue recently discovered. For more information, please see: http://online.securityfocus.com/bid/3084

Reboot Required: No

MD5 Check Sum: 4ec44da70d6087ee1696b98c73a3098e


Apache Update 4.0.1

HTTP RaQ2-All-Security-4.0.1-15417.pkg Posted: June 28, 2002
FTP Point your FTP client to ftp://ftp.cobalt.sun.com Size: 918,820

This package contains an updated Apache HTTP Server that addresses a security issue recently discovered. For more information, please see http://httpd.apache.org/info/security_bulletin_20020617.txt

Note to Brosoft SSL users:

Please refer to Brosoft's web site for the latest version of this update. http://www.brosoft.net/en/os_update.html

Reboot Required: Yes

MD5 Check Sum: 74ccd9289fee962157d864d9bcacb203


TCPDUMP Update 4.0.1

HTTP RaQ2-All-Security-4.0.1-14559.pkg Posted: June 27, 2002
FTP Point your FTP client to ftp://ftp.cobalt.sun.com Size: 501,755

This patch replaces the TCPDUMP network analysis tool with a new version. This version of TCPDUMP contains security fixes for issues that were found in prior releases of TCPDUMP for the Sun Cobalt Server Appliance.

Reboot Required: No

MD5 Check Sum: ceca89ca4e9153a16df7041feb6735c3


Security Bundle Update 4.0.1

HTTP RaQ2-All-Security-4.0.1-13323.pkg Posted: June 18, 2002
FTP Point your FTP client to ftp://ftp.cobalt.sun.com Size: 10,473,104

This package contains security updates for a variety of programs included on the Sun Cobalt Qube 2 appliance. The following packages have been upgraded:

  • ProFTPD 1.2.4
  • zlib 1.1.3-25.7c1r2
  • pine 4.44-C1
  • binutils 2.8.1-1C2r2
  • CVS 1.10.2-1c1r2
  • GCC 2.7.2-c3r3
  • sed 2.05-7c1r2

Reboot Required: No

MD5 Check Sum: 9286181dd4d868d7ab5c3c454d76a56e


glibc Update 4.0.1

HTTP RaQ2-All-Security-4.0.1-13453.pkg Posted: March 13, 2002
FTP Point your FTP client to ftp://ftp.cobalt.sun.com Size: 8,739,982

This updates the version of glibc to fix a known vulnerability with file globbing functionality. See the following link for details: http://online.securityfocus.com/bid/3707

MD5 Check Sum: 4f2ece611d5480d1cc3c6dd0b85f81c1

Reboot Required: Yes


Analog Patch Update 4.0.1

HTTP RaQ2-All-Security-4.0.1-9769.pkg Posted: November 19, 2001
FTP Point your FTP client to ftp://ftp.cobalt.sun.com Size: 546,484

After installing Update 4.0, analog reports may not be generated correctly, and the web statistics report options will be greyed out as a result. This patch fixes this issue.

Prerequisites: Sun Cobalt RaQ 2 OS Update 4.0

MD5 Check Sum: 824b5e402a1029d80b4e9d38ea3ab391

Reboot Required: No


telnetd Update 4.0.1

HTTP RaQ2-All-Security-4.0.1-10750.pkg Posted: August 22, 2001
FTP Point your FTP client to ftp://ftp.cobalt.sun.com Size: 78,274

This security patch addresses an issue found in the telnet daemon, where a remote attacker is able to gain access to server appliances if telnet is enabled. Information regarding this update can be found at CERT Coordination Center's website. The URL is: http://www.cert.org/advisories/CA-2001-21.html.

MD5 Check Sum: 0dc276ebe44f1d880ca69d31ba8affc4


Special Characters Update 4.0.1

HTTP RaQ2-All-System-4.0.1-9925.pkg Posted: July 23, 2001
FTP Point your FTP client to ftp://ftp.cobalt.sun.com Size: 7,020

System problems may occur when special characters are used in a new username or a user’s full name. This update enables the use of special characters such as “.” in a username and “’” in a user’s full name.

MD5 Check Sum: dd2eb15c370f461fcfda2bd8fe435b6c


OS Update 4.0

HTTP RaQ2-en-OSUpdate-4.0.pkg Posted: June 29, 2001
FTP Point your FTP client to ftp://ftp.cobalt.sun.com Size: 9,593,369

Reboot required: Yes

MD5 Check Sum: f78b58fca4995ed583fcecfbdfc04449

Prerequisites:

RaQ2-en-Update-OS-3.0
RaQ2-All-Security-3.0.1-8061

Obsoletes These Previous Updates:

RaQ2-All-Security-3.0.1-6682
RaQ2-All-Security-3.0.1-6750
RaQ2-All-System-3.0.1-7362
RaQ2-All-Security-3.0.1-6449
RaQ2-All-Security-3.0.1-8008
RaQ2-All-Security-3.0.1-8164
RaQ2-All-Security-3.0.1-8577
RaQ2-All-Security-3.0.1-8747
RaQ2-All-Security-3.0.1-8762
RaQ2-All-Security-3.0.1-9353
RaQ2-All-Security-3.0.1-8532
RaQ2-All-Security-3.0.1-9531
RaQ2-All-Security-3.0.1-9077
RaQ2-All-Security-3.0.1-9648
RaQ2-All-Security-3.0.2-9769
RaQ2-All-Security-3.0.1-9878
RaQ2-All-Security-3.0.1-10108
RaQ2-All-Security-3.0.1-10198

Cumulative List of Bug Fixes and Feature Changes:

  • Modified confusing Active Monitor error messages.
  • Added 127.0.0.1/localhost as an acceptable combination for DNS
  • Email to mailing lists would bounce to admin if it contained any Majordomo commands in the first 10 lines
  • NTP server was unable to be set up in some network topologies.
  • Email sent to majordomo@domain.com was bounced in certain circumstances
  • "Delete Domain" button now displays properly in Japanese text (Japanese Only)

Note to Users running Sun Cobalt RaQ 2 software on RaQ 1 hardware:

There was an issue with Update 3.0 which caused problems for users with this special build. Before installing RaQ2-en-Update-OS-3.0 and RaQ2-en-OSUpdate-4.0, please install the following package: RaQ2-All-System-2.0.1-8374.pkg

MD5 Check Sum: a4a203e9e7bec29bf22ea74627bb1e0f


glibc Update 3.0.1

HTTP RaQ2-All-Security-3.0.1-8061.pkg Posted: November 29, 2000
FTP Point your FTP client to ftp://ftp.cobalt.sun.com Size: 8,747,185

This updates the version of glibc. Prior to this update it was possible for local users to gain root access.


OS Update 3.0

HTTP RaQ2-en-Update-OS-3.0.pkg Posted: July 31, 2000
FTP Point your FTP client to ftp://ftp.cobalt.sun.com Size: 8,211,371

Installation Notes:

Update OS 2.0 is required before installing Update OS 3.0.

Obsoletes These Previous Updates:

RaQ2-Update-MFG-2.1
RaQ2-Security 2.0
RaQ2-Security 2.1
RaQ2-Security 2.3
RaQ2-Security 2.7
RaQ2-Security 2.8
RaQ2-Security 2.9
RaQ2-Security 2.91
RaQ2-Security 2.92
RaQ2-Security 2.93
RaQ2-Security 2.94
RaQ2-Security 2.95
RaQ2-Security 2.96
RaQ2-Security 2.97
RaQ2-All-System-2.98-6168
All-Kernel-MIPS Update 1.0

Cumulative List of Bug Fixes and Feature Changes:

Operating System and User Interface

  • Updated kernel version to improve network stability under load conditions. Now also recognizes multiple SCSI Logical Unit Numbers.
  • The log file /var/log/analog.dns was not being rotated properly in the log rotation process. This could accidentally lead to a disk-full error condition.
  • The administrator was improperly prevented from modifying a user's settings when any mailing lists beginning with 1, 3 or 4 were created on the system.
  • The site user modification routine improperly allowed any site administrator to change the password of the main administrator.
  • The site user addition routine improperly allowed any site administrator to modify the information of another virtual site.
  • User interface now allows two successive dashes in a domain name.
  • Changing the IP address of a main site to match the IP address of an already existing virtual site improperly caused a loss of network services.
  • The system improperly ignored error messages which occurred while changing IP addresses.
  • Attempting to clear the value of the secondary domain name server at the same time as entering a value for the primary domain name server would occasionally fail to clear the value of the secondary domain name server.
  • Users are no longer allowed to improperly create a virtual site with the same IP address as the IP address of their default gateway.
  • The cron program was updated to fix a potential buffer overflow security problem that might allow a user to gain root privileges.
  • The syslog server was updated to fix a potential denial of service security problem.
  • The su command was updated to fix a potential security problem due to the absence of any logging of failed attempts to gain full root access.

E-Mail and Mailing Lists

  • Increased the maximum number of allowable POP connections per minute from 40 to 200.
  • The POP server was upgraded to fix a potential problem where a user would be incorrectly prevented from successfully downloading e-mail messages using a POP connection. This would typically occur when a user's e-mail spool file exceeded more than half of the user's total disk space quota.
  • A user could improperly be created with the same name as an already existing mailing list or e-mail alias, thereby improperly intercepting e-mail messages.
  • A user on a virtual site improperly received e-mail destined for a user which does not exist on another virtual site if the e-mail is addressed to the same user name. That is to say, a message sent to an invalid user@virtual.site.two.com was improperly sent to the valid user@virtual.site.one.com instead of being bounced. Now, invalid messages will be bounced for all newly created virtual sites. For all existing virtual sites, temporarily changing the host name of the existing virtual sites and then changing them back to their original host name will fix the problem.
  • Fixed a problem where the e-mail aliases of every user in every virtual site were improperly deleted if more than one person made changes to e-mail aliases exactly at the same time.
  • Repeatedly toggling the "Accept EMail For Domain" site setting for a virtual site often improperly stopped the mail server from responding.
  • The e-mail server was updated to fix a potential security problem due to the possibility of a user corrupting the aliases database and thereby stopping service.
  • Fixed a security issue whereby a malicious user with shell access could use the vacation message field to compromise the system.
  • The vacation message of a user was not deleted properly when the user was deleted.
  • Changed formatting of date and time within vacation auto responder messages, in order to conform to standards.
  • The mailing list program was updated to fix a potential security problem that might allow a user to gain higher privileges.
  • All mailing lists were created with a default password, which posed a potential security problem. Now, all mailing lists have a randomly generated password for both the list owner and the list moderator.
  • The system no longer allows any member of a mailing list to display all the other members.
  • The system no longer allows any user to display all the mailing lists on the server appliance.

Web and FrontPage Extensions

  • The web server was updated to fix a potential denial of service security problem.
  • The web service normally allowed anybody accessing a web site to view a ".htaccess" file or ".htpasswd" file. The web service no longer allows any file that begins with ".ht" to be transmitted via the web.
  • The cgi wrapper program was updated to disallow any cgi script from running unless its ownership is changed from httpd to a specific user. This specifically affects all scripts uploaded via FrontPage. This closes a security problem which allowed a malicious site administrator to modify data in another virtual site.
  • The ownership of all virtual site directories and their contents were changed from httpd to nobody. This closes a security problem which allowed a malicious site administrator to bypass the cgi wrapper program and then modify data in another virtual site.
  • FrontPage configuration errors are now logged in /var/cobalt/adm.log instead of being discarded.
  • Disk quotas were improperly calculated for sites using FrontPage Server Extensions.

FTP and File Sharing

  • The FTP server could improperly deny site administrators access to any directories above their home directories, thereby denying access to their virtual site web directory. This typically occurs for the site administrator group when the total length of the user names in the group is greater than 1024 characters.
  • If the IP address of a virtual site with anonymous FTP access enabled was changed to match the IP address of another virtual site with anonymous FTP access enabled, user interface inconsistencies would occur. Anonymous FTP access is now first disabled on the virtual site that is to be changed.

Backup and Restore

  • The backup routine improperly allowed anyone to run a complete or configuration only backup routine, thereby allowing access to some sensitive configuration files. The scheduled backup routine sometimes improperly used text transfer mode instead of using binary transfer mode for all FTP transfers, thereby irretrievably corrupting some backups.
  • The backup routine improperly allowed anyone to run a group backup routine, thereby potentially allowing access to other users' files.
  • Scheduled backups could not be created if share names had dashes in them.
  • Backups of server configuration files did not always properly include all necessary server configuration files.
  • Backups did not properly handle filenames with apostrophes in them.
  • Doing a selective restore of a backup file incorrectly left behind a temporary copy in /home/tmp instead of deleting it properly.

Domain Name Service

  • The domain name server was updated to fix several potential denial of service security problems.

Miscellaneous

  • Internationalized the textual description for two button icons on the virtual site management screen. (Japanese Only)
  • The user interface would incorrectly fail to detect a network time server that was operational in cases where ping requests were being blocked by a firewall.
  • Fixed minor user interface typos in the help text description for the network time server.
  • Fixes a problem where the Cobalt Logo light on the front panel incorrectly turns off under heavy use.

Installation Notes:

Customers with a large number of FrontPage sites should install this patch in the following manner:

  1. Download the package to your local machine.
  2. FTP the file onto the RaQ2:
    > ftp
    Connected to .
    220 ProFTPD 1.2.0pre9 Server (ProFTPD) [raq2.cobalt.com]
    User (raq2.cobalt.com:(none)): admin
    331 Password required for admin.
    Password:
    230 User admin logged in.
    ftp> cd /tmp
    250 CWD command successful.
    ftp> put RaQ2-en-Update-OS-3.0.pkg
  3. Telnet into the RaQ2 and, AS ROOT, run the following command:
    [root /tmp]# /usr/local/sbin/cobalt_upgrade /tmp/RaQ2-en-Update-OS-3.0.pkg
    ......
    201 Installation successful.
    [root /tmp]#

Note to Brosoft SSL users:

Please refer to Brosoft's web site for the latest version of this update. http://www.brosoft.net/en/os_update.html


OS Update 2.0

HTTP RaQ2-Update-OS-2.0.pkg Posted: October 10, 1999
FTP Point your FTP client to ftp://ftp.cobalt.sun.com Size: 14,910,288

This update contains several security updates and FrontPage 2000 Server Extensions.

  • Fix: Update contains all fixes in RaQ2-Security-1.0.pkg.
  • Fix: Update contains all fixes in RaQ2-Security-1.2.pkg.
  • Fix: Update contains all fixes in RaQ2-Security-1.4.pkg.
  • Upgrade: FrontPage 98 Server Extensions have been upgraded to FrontPage 2000 Server Extensions.
  • Fix: Anonymous FTP would get disabled if another name-based virtual host was added to the base IP address.
  • Upgrade: Legato now has a Parameters Section once enabled. It now starts portmapper and passes the Legato server name to the service.


Copyright © 2004 by Electronic Consultants Inc.