Patch-ID# 103833-02
Keywords: security ypserv ypxfrd res_send resolv.conf CERT domain 
Synopsis: SunOS 4.1.4: ypserv and ypxfrd security fixes
Date: Aug/04/97

Solaris Release: 1.1.2
 
SunOS Release: 4.1.4
 
Unbundled Product: 
 
Unbundled Release:
 
BugId's fixed with this patch: 4056730 1238679 1036869 

Changes incorporated in this version: 4056730                 

Relevant Architectures: sun4(all)

Patches accumulated and obsoleted by this patch: 

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by: 

Files included with this patch: ypxfrd
				ypserv
				securenets

Problem Description: 

	Bug 4056730 - ypserv allows invalid domain names

	Bug 1238679 - DNS spoofing is possible per CERT CA-96.02

	Bug 1036869 - Security: ypserv will send maps to anyone who
		      can guess the domainname


Comments:

In order to prevent these NIS security problems, all of the
above fixes need to work together. 

Both the "ypserv" and "ypxfrd" processes use a /var/yp/securenets 
file and, if it is present, they will only respond to IP addresses 
in the range given. This file is only read when the daemons (both
ypserv & ypxfrd) start. To make a change in /var/yp/securenets
take effect, one must kill and restart the daemons.


The format of the file is one or more lines of:

	netmask netaddr

	e.g. 

	255.255.0.0 128.30.0.0
	255.255.255.0 128.311.10.0

	In the 2nd example, the netmask is 255.255.255.0
	and the network address is 128.311.10.0. This
	setup will only allow ypserv to respond to
	those IP addresses which are within the
	128.311.10 subnet.
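
The following checker is an added example, not part of the patch or of Sun's code. It lints a securenets file before the daemons are restarted and tests a client address against it. It assumes the usual mask-and-compare match (client AND netmask equals netaddr) and that '#' lines are comments; the function names are hypothetical. Run on the two sample lines above plus a constructed swapped-field line, it accepts the first and reports the other two: an octet above 255, as in the second sample, does not parse as an IPv4 address.

```python
import ipaddress

# Constructed sample: the README's two example lines plus one line with
# the fields swapped (a common editing mistake).
SAMPLE = """\
255.255.0.0 128.30.0.0
255.255.255.0 128.311.10.0
128.30.0.0 255.255.0.0
"""

def parse_securenets(text):
    """Return (entries, errors); entries are (netmask, netaddr) ints."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Assumption: blank lines and '#' comment lines are ignored.
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            errors.append((lineno, "expected 'netmask netaddr'"))
            continue
        try:
            mask, net = (int(ipaddress.IPv4Address(f)) for f in fields)
        except ipaddress.AddressValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        # A netaddr with bits outside the mask can never match a client.
        if net & mask != net:
            errors.append((lineno, "netaddr has bits outside netmask (fields swapped?)"))
            continue
        entries.append((mask, net))
    return entries, errors

def is_allowed(entries, client_ip):
    """True if client_ip masked by some netmask equals its netaddr."""
    ip = int(ipaddress.IPv4Address(client_ip))
    return any(ip & mask == net for mask, net in entries)

if __name__ == "__main__":
    entries, errors = parse_securenets(SAMPLE)
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
    for client in ("128.30.5.9", "128.31.0.1"):
        print(client, "allowed" if is_allowed(entries, client) else "denied")
```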

Installation:

1) As root, save the original binaries:                   

  mv /usr/etc/ypserv /usr/etc/ypserv.orig
  mv /usr/etc/ypxfrd /usr/etc/ypxfrd.orig
  chmod 0400 /usr/etc/ypserv.orig
  chmod 0400 /usr/etc/ypxfrd.orig

2) Copy the new files from the patch directory:

  cp ypserv /usr/etc
  cp ypxfrd /usr/etc
 
  chown root.staff /usr/etc/ypserv
  chmod 755  /usr/etc/ypserv
 
  chown root.staff /usr/etc/ypxfrd
  chmod 755  /usr/etc/ypxfrd
 
3) Copy the securenets file to /var/yp

  cp securenets /var/yp
 
  chown root.staff /var/yp/securenets
  chmod 644 /var/yp/securenets

4) Edit the securenets file and make the appropriate changes.

5) Reboot the system to invoke the new binaries.
