Notified: October 24, 2000 Updated: October 27, 2000
Not Affected
This notification is in regards to CERT Advisory "Input validation vulnerability in OpenBSD libutil library" (VU#369427). Mac OS X is not vulnerable to the input validation vulnerability in the OpenBSD libutil library.
Eric Zelenka, ericz@apple.com, Apple Computer, Inc.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2000 Updated: October 27, 2000
Not Affected
No versions of BSD/OS are vulnerable to this problem. -Jeff Polk, BSDI
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2000 Updated: October 27, 2000
Not Affected
SOURCE: (c) Copyright 2000 Compaq Computer Corporation. All rights reserved.
SOURCE: Compaq Computer Corporation, Compaq Services, Software Security Response Team USA
This reported problem is not present in Compaq Tru64/UNIX Operating Systems Software.
- Compaq Computer Corporation
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2000 Updated: October 31, 2000
Affected
FreeBSD was also vulnerable to this problem since the affected code has a common ancestor. Like OpenBSD, we fixed the problem during security auditing in 2000/07, but did not realise it to be a security vulnerability since the function is not part of a library on FreeBSD, but the source code file containing the function is included directly in the affected setuid programs. FreeBSD 3.5.1 and 4.0 are the most recent affected versions - 4.1 and 4.1.1 are unaffected. An advisory is under preparation and will likely be released on 2000/10/30. Kris
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 23, 2000 Updated: January 20, 2001
Not Affected
Fujitsu's UXP/V is not vulnerable to this problem.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2000 Updated: January 03, 2001
Not Affected
HP does not have a libutil and we don't offer a command called chpass. (Any password changes are done via the command options or SAM.) Further, we don't support a function called pw_error.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2000 Updated: October 27, 2000
Affected
NetBSD-1.4.2 and prior releases are vulnerable; the forthcoming 1.4.3 and 1.5 releases will have this problem fixed. We will be issuing an advisory (similar to the OpenBSD advisory) in the next day or two, with a patch included.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: October 24, 2000 Updated: November 17, 2000
Affected
From the OpenBSD Security Advisory: "This vulnerability affects OpenBSD versions through 2.7. FreeBSD 4.0 is vulnerable, but patches have been backported, and FreeBSD versions 4.1 and 4.1.1 are safe. Bill Sommerfield committed a fix to NetBSD today shortly after we notified him of the problem. OpenBSD users running -current (2.8-beta) with a system dated July 1st or thereafter are safe."
The vendor has not provided us with any further information regarding this vulnerability.
OpenBSD has provided a patch for this vulnerability at: http://www.openbsd.org/errata.html (025).