From support@us.external.hp.com Wed Mar 13 00:56:05 1996 Date: Wed, 13 Mar 1996 01:01:03 -0800 From: HPSL Mail Service Reply to: support-feedback@us.external.hp.com To: Damien Sorder Subject: RE: send doc HPSBUX9502-021 -------- ## Regarding your request: Send Doc HPSBUX9502-021 The following are the results of your request from the HP SupportLine mail service. =============================================================================== Document Id: [HPSBUX9502-021] Date Loaded: [02-02-95] Description: No current vulnerability in /bin/mail (or /bin/rmail) =============================================================================== ------------------------------------------------------------------------- HEWLETT-PACKARD SECURITY BULLETIN: #00021, 01 February 95 ******** ADVISORY ONLY ******** ------------------------------------------------------------------------- _______________________________________________________________________ ISSUE: /bin/mail security problem announced by CIAC,CERT PLATFORM: All HP-UX systems STATUS: No current vulnerability in /bin/mail (or /bin/rmail) ADVICE: Continue to use /bin/mail distributed with HP-UX. Do not use mail.local. _______________________________________________________________________ I. /bin/mail A. Nature of the Problem A recent announcement by CERT (CA-95:02) warned of a potential danger caused by the /bin/mail and advised users to run mail.local instead of /bin/mail. The mail.local program is primarily intended for those systems which use /usr/mail directories that have 777 permissions. B. Status of HP-UX HP only supports /usr/mail directories that have 775 permissions: drwxrwxr-x 2 bin mail 1024 Jan 30 16:21 mail/ With such permissions, /bin/mail has no vulnerabilities. Note that /bin/rmail is used by HP-UX for local deliveries; however, /bin/rmail is just a copy of /bin/mail with a different file name. (When invoked, the program looks at the name it was invoked under, and reacts properly.) Neither /bin/mail or /bin/rmail has any vulnerabilities. C. Recommended Actions HP-UX users should continue to use the /bin/mail distributed with the release tapes or provided in official HP-UX patches. HP does not recommend the use of the mail.local program. D. To subscribe to automatically receive future NEW HP Security Bulletins from the HP SupportLine mail service via electronic mail, send an email message to: support@support.mayfield.hp.com (no Subject is required) Multiple instructions are allowed in the TEXT PORTION OF THE MESSAGE, here are some basic instructions you may want to use: To add your name to the subscription list for new security bulletins, send the following in the TEXT PORTION OF THE MESSAGE: subscribe security_info To retrieve the index of all HP Security Bulletins issued to date, send the following in the TEXT PORTION OF THE MESSAGE: send security_info_list WWW (MOSAIC) service (Browsing of Bulletins) is also available via WWW (MOSAIC) our URL is: (http://support.mayfield.hp.com) Choose "Support News", then under Support News, choose "Security Bulletins" E. To report new security vulnerabilities, send email to security-alert@hp.com _______________________________________________________________________