Date: Thu, 28 Mar 2024 16:03:50 -0400 (EDT) Message-ID: <97165510.507.1711656230642@windcrest.sei.cmu.edu> Subject: Exported From Confluence MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_Part_506_1031840027.1711656230640" ------=_Part_506_1031840027.1711656230640 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Content-Location: file:///C:/exported.html
A complete revision history is at the end of this file.
There were a number of problems with various early versions of Sun Micro= systems, Inc. (Sun) /usr/lib/lpd patch ( Patch ID 100305-xx ). While securi= ty problems were fixed in the patches, a remote print spooling problem was = introduced. Sun believes all the problems have been fixed and they are now = releasing the enclosed information concerning a new patch version. They hav= e given the CERT/CC permission to distribute this information.
The Computer Emergency Response Team/Coordination Center (CERT/CC) recom= mends that all affected sites follow the information provided by Sun Micros= ystems in this bulletin.
Sun expressly disclaims all liability for any misuse of this information= by any third party.
This is more an update on the lpd fix than any new information.
This patch is available via anonymous ftp from the ftp.uu.net system in = the sun-dist directory as 100305-06.tar.Z, or through your local Sun Answer= Center. The checksum information for the file available from ftp.uu.net is= :
24474 440 100305-06.tar.Z
A second bug was also shown that could still be used to remove system fi= les. This fix was rolled into 100305-02.
An lpc problem that touched one of the same modules as in the lpd fix wa= s fixed and the subsequent change rolled into the lpd patch 100305-03.
Two additional problems were sent to Sun: one having to do with RPC call= s to lpd and the second having to do with postscript calls to lpd, thus 100= 305-04.
It was in creating the -04 version that we unknowingly introduced a remo= te spool problem on the SunOS 4.1.1 version of the patch. The problem was t= hat if the remote queue had jobs in it, the local job sent was often trunca= ted to zero length.
The -05 version was an attempt to back out the last few changes to remov= e the remote print problem. Unfortunately, it did not. It was at this time = that we decided to do a lengthy evaluation and test cycle to ensure that th= e newest version fixed all the reported problems as well as fixed the remot= e spool bug we had introduced.
The 100305-06 patch is the result of that lengthy test cycle.
Thank you all for your support through all this.
Brad Powell
Software Security Coordinator
Sun Microsystems.
Copyright 1991 Carnegie Mellon University.
September 18,1997 Attached copyright statement