[VIM] AIX APAR conclusion - notes and oddities
security curmudgeon
jericho at attrition.org
Tue Mar 25 19:22:17 UTC 2008
Wow, talk about brain melt. The APAR database, as seen by regular
unauthenticated users is a complete mess and full of confusion. I posted a
quick blog entry the other day about it:
http://osvdb.org/blog/?p=235
First it was HP, then it was Sun. Not to be outdone, IBM steps up and
gives VDBs a headache.
APAR IZ00988 is sysrouted to APAR IZ01121 and APAR IZ01122.
Really IBM, the amount of information common to all three pages is
overwhelming. Do you really need a new APAR number issued for component
name or level? Cant you just list them all in one APAR and save us time?
More importantly, do we need three APAR entries that say a security
issue has been fixed and make us dig up the information?
When all said and done, there are obviously a lot of issues that MAY have
security implications, but it's hard to tell based on the information
available. We definitely need an AIX guru or IBM rep to clear them up. I'm
not holding my breath.
I ran across the following APARs that came back 'Document not found.' The
changelog I originally saw them in suggests there are security
implications.
IZ00829 RMUSER COMMAND REMOVED PASSWD STANZA FROM /ETC/SECURITY/PASSWD
IY97793 PASSWDEXPIRED MAY RETURN INCORRECT VALUE IF PASSWD IS CORRUPTED
IY96773 FTPD SECURITY ISSUES IN KRB5 ENVIRONMENT
IY95914 RPC.NISPASSWDD DOES NOT USE -C OPTION IN THE CORRECT MANNER
IY95913 YPPASSWD FAILS FOR NIS USER WITH LONG NAME(>8 CHARACTERS)
And finally, one changelog entry that doesn't jibe with the APAR entry.
http://www-1.ibm.com/support/docview.wss?uid=isg1IY97813
Changelog:
IY97813 srcmstr crash
APAR:
IY97813: NEW FUNCTION
More information about the VIM
mailing list