Lutz Donnerhacke wrote:
> * af@C4C.COM wrote:
> >I also wonder about IBM's answer:
> >SOLUTION: Remove the setuid bit from the "ftp" command.
> >
> >On our 4.2.1, ftp will not run if it is not suid.
> >Didn't somebody test this?
>
> Yep. ftp does not need suid:
The AIX ftp client MUST BE SETUID to work for non-root users.
>
> DFN-CERT corrected the solution of IBM. It was a false statment according to
> them.
>
DFN-CERT is correct. The solution listed in the advisory header should
have said to apply the fixes listed in the advisory. The setuid fiasco
was a mistake on my part.
The correct fix for the AIX ftp client bug is to apply the following
fixes:
AIX 3.2: upgrade to v4
AIX 4.1: IX70885
AIX 4.2: IX70886
AIX 4.3: fix already contained in the release
These fixes are available and may be obtained using FixDist or from the
IBM Support Center. For more information on FixDist, reference URL:
http://service.software.ibm.com/aixsupport/
Questions relating to AIX security advisories can be emailed to
security-alert@austin.ibm.com. New AIX vulnerabilities can be PGP
encrypted using the AIX Security public key available by sending email
to security-alert@austin.ibm.com with a subject of "get key".
- --
Troy Bollinger troy@austin.ibm.com
AIX Security Development security-alert@austin.ibm.com
PGP keyid: 1024/0xB7783129 Troy's opinions are not IBM policy
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQCVAwUBNGIJtcjqvEm3eDEpAQF+PQP+LtKAfV94QozA+ZlIUJDFhC7M5qZjKMgJ
lsFHt0lEBA74umHI5/B3FkSsrPewrYQx7FEdmVI493BrDwHZOCr3xEJNlEjcsGOf
DRzlvDYtwMGN9GQn2XSEeO8C5/w2MgARtqyiLWh25vaQUVVIH2xe9t/XQ3qCzEmU
fLHkUCCz41c=
=UFWn
-----END PGP SIGNATURE-----