=====================================================================
                            CERT-Renater

                 Information Note No. 2008/VULN185
_____________________________________________________________________

DATE                 : 28/05/2008

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : AIX 5.2, AIX 5.3, AIX 6.1.

======================================================================

First Issued: Wed May 21 11:55:27 CDT 2008

===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      Multiple AIX advisories issued on May 21, 2008

PLATFORMS:          AIX 5.2, 5.3, and 6.1

SOLUTION:           Apply the fix, interim fix or workaround as described
                    in the associated vulnerability advisories.

THREAT:             See individual advisories.

CERT VU Number:     n/a
CVE Number:         n/a
===============================================================================
                           DETAILED INFORMATION

I. OVERVIEW

    This advisory addresses multiple vulnerabilities found in the AIX
    operating system. See the individual advisories for service pack
    availability dates.

II. DESCRIPTION

    The following advisories are being issued on May 21, 2008:

    A. UPDATE AIX pioout buffer overflow

        Advisory:
            http://aix.software.ibm.com/aix/efixes/security/pioout_advisory.asc
            ftp://aix.software.ibm.com/aix/efixes/security/pioout_advisory.asc
        Fix:
            http://aix.software.ibm.com/aix/efixes/security/pioout_ifix.tar
            ftp://aix.software.ibm.com/aix/efixes/security/pioout_ifix.tar
        Reboot:      NO
        Workarounds: YES

    B. AIX unix kernel buffer overflow

        Advisory:
            http://aix.software.ibm.com/aix/efixes/security/unix_advisory.asc
            ftp://aix.software.ibm.com/aix/efixes/security/unix_advisory.asc
        Fix:
            http://aix.software.ibm.com/aix/efixes/security/unix_fix.tar
            ftp://aix.software.ibm.com/aix/efixes/security/unix_fix.tar
        Reboot:      YES
        Workarounds: NO

    C. AIX errpt buffer overflow

        Advisory:
            http://aix.software.ibm.com/aix/efixes/security/errpt_advisory.asc
            ftp://aix.software.ibm.com/aix/efixes/security/errpt_advisory.asc
        Fix:
            http://aix.software.ibm.com/aix/efixes/security/errpt_fix.tar
            ftp://aix.software.ibm.com/aix/efixes/security/errpt_fix.tar
        Reboot:      NO
        Workarounds: YES

    D. AIX anonymous ftpd information leak

        Advisory:
            http://aix.software.ibm.com/aix/efixes/security/ftpd_advisory.asc
            ftp://aix.software.ibm.com/aix/efixes/security/ftpd_advisory.asc
        Fix:
            http://aix.software.ibm.com/aix/efixes/security/ftpd_fix.tar
            ftp://aix.software.ibm.com/aix/efixes/security/ftpd_fix.tar
        Reboot:      NO
        Workarounds: NO

    E. AIX iostat environment variable error

        Advisory:
            http://aix.software.ibm.com/aix/efixes/security/iostat_advisory.asc
            ftp://aix.software.ibm.com/aix/efixes/security/iostat_advisory.asc
        Fix:
            http://aix.software.ibm.com/aix/efixes/security/iostat_fix.tar
            ftp://aix.software.ibm.com/aix/efixes/security/iostat_fix.tar
        Reboot:      NO
        Workarounds: YES

    F. AIX OpenSSH multiple vulnerabilities

        Advisory:
            http://aix.software.ibm.com/aix/efixes/security/ssh_advisory.asc
            ftp://aix.software.ibm.com/aix/efixes/security/ssh_advisory.asc
        Fix:
            AIX 5.2:
            http://downloads.sourceforge.net/openssh-aix/openssh-4.7_5201.tar.Z
            AIX 5.3:
            http://downloads.sourceforge.net/openssh-aix/openssh-4.7_5301.tar.Z
            AIX 6.1:
            http://downloads.sourceforge.net/openssh-aix/openssh-4.7_5301aix61.tar.Z
        Reboot:      NO
        Workarounds: NO

III. IMPACT

    See the specific advisories for details.

IV. PLATFORM VULNERABILITY ASSESSMENT

    See the specific advisories for details.

V. SOLUTIONS

    A. APARS

        See the specific advisories for details.

    B. FIXES

        See the specific advisories for details.

    C. FIX INSTALLATION

        See the specific advisories for details.

VI. WORKAROUNDS

    See the specific advisories for details.

VII. OBTAINING FIXES

    Security fixes can be downloaded from:

        http://aix.software.ibm.com/aix/efixes/security
        ftp://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest
    applicable Technology Level and Service Pack.

VIII. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

            0xADA6EB4D

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation. IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation. All other trademarks
    are property of their respective holders.

IX. ACKNOWLEDGMENTS

    See the specific advisories for details.

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel  : 01-53-94-20-44           +
+ 151 bd de l'Hopital | fax  : 01-53-94-20-41           +
+ 75013 Paris         | email: certsvp@renater.fr       +
=========================================================