Sun Alert Notifications from Sun Weekly Report dated Oct 07, 2006
Original Release Date: November 17, 2006
Last Revised: August 16, 2007
Number: ASA-2006-250
Risk Level: Low
Advisory Version: 2.0
Advisory Status: Interim
1. Overview:
New Sun Alert Notifications from Sun Microsystems have been issued and are
described below. Issues which have been resolved by Sun Microsystems are
marked as such. For notifications without a resolution, access to additional
information on the sunsolve.sun.com website may be restricted.
- 102606 (RESOLVED)
  - Security Vulnerability in Solaris 10 Link Aggregation may Allow Local Users Total Access to Network Packets
  - Product: Solaris 10 Operating System
  - Category: Security
  - Date Released: 06-Oct-2006
  - http://sunsolve.sun.com/search/document.do?assetkey=1-26-102606-1
- 102636 (RESOLVED)
  - Host May Panic In Veritas Oracle Disk Manager (ODM) Driver After 'DR' Operation
  - Product: VERITAS Storage Foundation 4.1 Software
  - Category: Availability
  - Date Released: 02-Oct-2006
  - http://sunsolve.sun.com/search/document.do?assetkey=1-26-102636-1
- 102640 (RESOLVED)
  - Security Vulnerability in Apache 2 Web Server Module 'mod_ssl'
  - Product: Solaris 10 Operating System
  - Category: Security
  - Date Released: 04-Oct-2006
  - http://sunsolve.sun.com/search/document.do?assetkey=1-26-102640-1
- 102648
  - Security Vulnerability in RSA Signature Verification Impacting Multiple SUN Products
  - Product: Sun Security Services
  - Category: Security
  - Date Released: 02-Oct-2006
  - http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1
- 102651 (RESOLVED)
  - Platform Specific Issues on Sun Fire T1000/T2000 Systems Can Cause the System to Panic
  - Product: Sun Fire T2000 Server, Sun Fire T1000 Server
  - Category: Availability, Availability
  - Date Released: 02-Oct-2006
  - http://sunsolve.sun.com/search/document.do?assetkey=1-26-102651-1
- 102652
  - Security Vulnerability in X Display Manager (xdm(1)) Xsession Script
  - Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System
  - Category: Security
  - Date Released: 06-Oct-2006
  - http://sunsolve.sun.com/search/document.do?assetkey=1-26-102652-1
- 102655
  - Certain Brocade Switches May Panic When Performing Zone Changes
  - Product: Brocade SilkWorm 3850 Fabric Switch, Brocade SilkWorm 24000 Director, Brocade SilkWorm 3250 Fabric Switch, Brocade SilkWorm 200E Fibre Channel Switch, Brocade 12000 2 GB Switch, Brocade SilkWorm 48000 Director, Brocade SilkWorm 4100 Enterprise Fabric Switch, Brocade SilkWorm 3900 Switch
  - Category: Availability
  - Date Released: 06-Oct-2006
  - http://sunsolve.sun.com/search/document.do?assetkey=1-26-102655-1
- 102657
  - Security Vulnerability With RSA Signature Affects the Sun Secure Global Desktop Software
  - Product: Sun Secure Global Desktop Software 4.2
  - Category: Security
  - Date Released: 06-Oct-2006
  - http://sunsolve.sun.com/search/document.do?assetkey=1-26-102657-1
Avaya System Products using a Sun Microsystems Operating System:
Avaya system products include an Operating System with the product when it is
delivered. The Avaya Call Management System (CMS) and the
Avaya Interactive Response (IR) are both shipped with an
operating system from Sun Microsystems. Actions to be taken on those
products are described below.
Recommended Actions:
Follow the recommended actions for each
notification described below. This advisory will be updated as additional
information becomes available.
| Sun Advisory | Affected S/W Version | Risk | Comments or Recommended Actions |
|---|---|---|---|
| 102606 | CMS - All; IR - 2.0 | None | CMS does not use Solaris 10 and IR 2.0 does not use link aggregation in Solaris 10. |
| 102636 | CMS - All; IR - All | None | Neither CMS nor IR install or use the Veritas Oracle Disk Manager software. |
| 102640 | CMS - All; IR - 2.0 | CMS - None; IR - Low | CMS does not use the Solaris 10 platform. IR is currently testing patches and will advise when they are available. |
| 102648 | CMS - All; IR - All | CMS - None; IR - Low | CMS does not utilize the products listed. IR is vulnerable and is awaiting a patch from Sun. |
| 102651 | CMS - All; IR - All | None | Neither CMS nor IR utilize the Sun Fire T1000 or T2000 platforms. |
| 102652 | CMS - V9, V11, R12, R13/R13.1; IR - 2.0 | CMS - Low; IR - None | CMS - For CMS V9 and V11 systems install patch 111844-04. For CMS R12 and R13/R13.1 install patch 124830-01. IR - IR is not affected by this issue; however, customers can use the workaround detailed in "Workarounds" below until a patch becomes available. |
| 102655 | CMS - All; IR - All | None | Neither CMS nor IR utilize Sun Brocade Switches. |
| 102657 | CMS - All; IR - All | None | Neither CMS nor IR install and/or use the Sun Global Desktop Software. |
Workarounds
Two workarounds for Sun Alert ID 102652 are provided below (as provided by
the Sun Alert). Select one of the two to implement.
A) Use an alternate login mechanism such as dtlogin(1) or, if using Solaris
10, gdm(1).
or:
B) Modify the xdm(1) configuration file, xdm-config, and create a new
Xsession file using the following commands as the root user:
# cd /usr/openwin/lib/X11/xdm
# mv xdm-config xdm-config.orig
# sed -e 's/cp \/dev\/null "$errfile"/umask 077 \&\& cp \/dev\/null "$errfile"/' Xsession > /etc/X11/Xsession
# sed -e 's/\/usr\/openwin\/lib\/X11\/xdm\/Xsession/\/etc\/X11\/Xsession/' xdm-config.orig > xdm-config
then restore executable permissions to the new file by running the following
command:
# chmod 755 /etc/X11/Xsession
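A read-only check that workaround B is in place, as an added example that is not part of the Avaya or Sun text. The function name check_xdm_workaround is hypothetical, and the xdm-config and replacement Xsession paths are passed as arguments.

```shell
#!/bin/sh
# Added example: verify workaround B for Sun Alert 102652 without changing anything.
# Usage: sh check_xdm.sh /usr/openwin/lib/X11/xdm/xdm-config /etc/X11/Xsession
# check_xdm_workaround is a hypothetical helper, not part of Solaris or xdm.

check_xdm_workaround() {
    config=$1      # xdm-config rewritten by the second sed command
    xsession=$2    # replacement Xsession written by the first sed command
    rc=0

    # xdm only runs the replacement script if xdm-config names it.
    if ! grep -F -- "$xsession" "$config" >/dev/null 2>&1; then
        echo "FAIL: $config does not reference $xsession"
        rc=1
    fi

    # Shell redirection creates the file without execute bits,
    # so the final chmod step must have been run on this path.
    if [ ! -x "$xsession" ]; then
        echo "FAIL: $xsession is missing or not executable"
        rc=1
    fi

    # Every line that creates the error file must set umask 077 first.
    total=$(grep -c -F 'cp /dev/null "$errfile"' "$xsession" 2>/dev/null) || true
    fixed=$(grep -c -F 'umask 077 && cp /dev/null "$errfile"' "$xsession" 2>/dev/null) || true
    if [ "${total:-0}" -eq 0 ] || [ "${total:-0}" -ne "${fixed:-0}" ]; then
        echo "FAIL: ${fixed:-0} of ${total:-0} error-file creations set umask 077"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: workaround for 102652 is applied"
    return "$rc"
}

# Run the check when both paths are given on the command line.
if [ "$#" -eq 2 ]; then
    check_xdm_workaround "$1" "$2"
fi
```

The function returns 0 only when all three conditions hold, so it can be dropped into a configuration audit job as is.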
2. Additional Information:
Additional information may also be available via the Avaya support
website and through your Avaya account
representative. Please contact your Avaya product support representative, or
dial 1-800-242-2121, with any questions.
3. Disclaimer:
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS
PROVIDED "AS IS". AVAYA INC., ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND
AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA
MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL
ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL
AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION
WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING
DIRECT, INDIRECT, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE
FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS
PER EXISTING AGREEMENTS WITH AVAYA.
4. Revision History:
V 1.0 - November 17, 2006 - Initial Statement issued.
V 2.0 - August 16, 2007 - Updated CMS response for Sun Alert ID 102652 to
include approved patches.
Send information regarding any discovered security problems with Avaya
products to either the contact noted in the product's documentation or
[email protected].
© 2006 Avaya Inc. All Rights Reserved. All trademarks identified by the
® or ™ are registered trademarks or trademarks, respectively, of
Avaya Inc. All other trademarks are the property of their respective
owners.