Original issue date: March 19, 1992<BR>
Last revised: September 19, 1997<BR>
Attached copyright statement

<P>A complete revision history is at the end of this file.

<P>The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning a vulnerability in the UUCP software
in versions of AIX up to 2007.  The vulnerability does not exist in AIX 3.2.

<P>IBM is aware of this problem, and a fix is available as APAR number
&quot;ix18516&quot;.  This patch is available for all AIX releases from GOLD to
2006.

<P>The fix is included in the 2007 update and in the 3.2 release of AIX.  IBM
customers may call IBM Support (800-237-5511) and ask that the fix be shipped
to them.  Outside the U.S., patches may be obtained by contacting your local
IBM representative.

<P><HR>
<H2>I. Description</H2>


Previous versions of the UUCP software, except the version in AIX 3.2,
contained incorrectly configured versions of various files.



<H2>II. Impact</H2>


Local users can execute unauthorized commands and gain unauthorized
root access.



<H2>III. Solution</H2>

<UL>

<LI>If users do not need access to uucp, disable it.
<PRE>
% chmod 0100 /usr/bin/uucp
</PRE>

<LI>Obtain the fix from IBM Support.

<LI>Install the fix following the instructions in the README file.
</UL>
<HR>

<P>The CERT/CC would like to thank Steve Knodle, Clarkson University, for
bringing this security vulnerability to our attention.

<P>Copyright 1992 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
September 19, 1997  Attached copyright statement
</PRE>