Patch-ID# 101435-04
Keywords: security ypserv ypxfrd res_send resolv.conf CERT domain 
Synopsis: SunOS 4.1.3_U1: ypserv and ypxfrd fixes
Date: Aug/04/97

Solaris Release: 1.1.1A
 
SunOS Release: 4.1.3_U1A
 
Unbundled Product: 
 
Unbundled Release:
 
BugId's fixed with this patch: 4056730 1238679 1036869 1082320 1080353

Changes incorporated in this version: 4056730                 

Relevant Architectures: sparc
    NOTE: sun4(all)

Patches accumulated and obsoleted by this patch: 

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by: 

Files included with this patch: ypxfrd
				ypserv
				securenets

Problem Description: 

  This patch also incorporates multi-home support for SunClusters into the
  ypserv for sun4 machines running SunOS4.1.3_U1.

	Bug 4056730 - ypserv allows invalid domain names

	Bug 1238679 - DNS spoofing is possible per CERT CA-96.02

        Bug 1036869
	Security -  ypserv will send maps to anyone who can guess the 
		    domainname

	Bug 1082320
        Security -  ypxfrd will send maps to anyone.
        Ypxfrd does not check whether the person transferring the map
        is root on  his machine, when the map is ``secure''. As a
        consequence, any user can get the password map if the
        NIS master is running ypxfrd.

	Bug 1080353
    	The problem is whenever the primary name server downloads an 
      	'A' record to the secondary system and this 'A' record contains 
	more then 36 IP addresses. It will cause ypserv on the 
	secondary system to dump core.


Comments:

This patch contains the following fixes:

	1. ypserv - for bugs 4056730 1036869 1080353 1238679
	2. ypxfrd - for bug 1082320

In order to prevent these NIS security problems, all of the
above fixes need to work together. 

Both the "ypserv" and "ypxfrd" processes use a /var/yp/securenets 
file and, if it is present, they will only respond to IP addresses  
in the range given. This file is only read when the daemons (both
ypserv & ypxfrd) start. To get a change in /var/yp/securenets
to take effect, one must kill and restart the daemons.


The format of the file is one of more lines of:

	netmask netaddr

	e.g. 

	255.255.0.0 128.30.0.0
	255.255.255.0 128.311.10.0

	In the 2nd example, the netmask is 255.255.255.0 
	and the network address is 128.311.10.0 . This 
	setup will only allow the ypserv to respond to 
	those IP addresses which are within the subnet 
	128.311.10 range. 

Installation:

1) As root, save the original binaries:

  mv /usr/etc/ypserv /usr/etc/ypserv.orig
  mv /usr/etc/ypxfrd /usr/etc/ypxfrd.orig
  chmod 0400 /usr/etc/ypserv.orig
  chmod 0400 /usr/etc/ypxfrd.orig

2) Copy the new files from the patch directory:

  cp ypserv /usr/etc
  cp ypxfrd /usr/etc
 
  chown root.staff /usr/etc/ypserv
  chmod 755  /usr/etc/ypserv
 
  chown root.staff /usr/etc/ypxfrd
  chmod 755  /usr/etc/ypxfrd
 

3) Copy the securenets file to /var/yp

  cp securenets /var/yp
 
  chown root.staff /var/yp/securenets
  chmod 644 /var/yp/securenets

4) Edit the securenets file and make the appropriate changes.

5) Reboot the system to invoke the new binaries.
