Folks,
A serious defect with the AFS 3.3 version of ftpd for AIX 3.2 (system
type rs_aix32) has been found. After every ftp login, the ftpd logs
the user's password to a file. Since the log file is readable by
everyone under most AIX installations, the passwords for those users
who connected to an AFS 3.3 ftpd may have been compromised.

The AFS ftpd records log messages using the "syslog" system. The
message which includes the password was written with facility set to
"ftpd" and the level set to LOG_ERR. To see where these messages
might have been recorded, look at the /etc/syslog.conf file. On many
AIX installations, the file /usr/adm/ERRS receives them.

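The check described above (which syslog destinations receive a message at a given facility and level, and whether those files are readable by everyone) can be scripted. The following is an added example, not code from Transarc or the advisory; it assumes a POSIX sh with awk, and the facility name "ftpd" is taken from the advisory's wording. The sample syslog.conf is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the Transarc advisory: find where syslog would
# deliver a message logged with a given facility and level, then check
# whether those destination files are world-readable.

# Constructed sample /etc/syslog.conf, using the advisory's example
# destination /usr/adm/ERRS for the *.err selector.
SAMPLE_CONF='# constructed sample syslog.conf
*.err;kern.debug        /usr/adm/ERRS
mail.info               /var/spool/mqueue/syslog
daemon.notice           /var/adm/messages
'

# Print the destinations whose selectors capture <facility>.<level>.
# A selector "fac.lvl" matches messages at lvl or more severe; "*" matches all.
# Usage: syslog_targets <facility> <level> < syslog.conf
syslog_targets() {
  awk -v fac="$1" -v lvl="$2" '
    BEGIN {
      n = split("emerg alert crit err warning notice info debug", order, " ")
      for (i = 1; i <= n; i++) rank[order[i]] = i   # lower rank = more severe
    }
    /^[ \t]*(#|$)/ { next }                          # skip comments and blanks
    {
      dest = $NF
      m = split($1, sels, ";")
      for (i = 1; i <= m; i++) {
        split(sels[i], fl, ".")
        f = fl[1]; l = fl[2]
        if (l == "none") continue
        if ((f == "*" || f == fac) && (l == "*" || rank[lvl] <= rank[l])) {
          print dest
          break
        }
      }
    }' | sort -u
}

# Succeed if the file's "other" read bit is set (character 8 of ls -l output);
# ls is used rather than stat so this also works on older UNIX systems.
world_readable() {
  [ "$(ls -ld "$1" 2>/dev/null | cut -c8)" = "r" ]
}

# For one facility/level, list every destination and flag world-readable files.
# Usage: audit_log_targets <facility> <level> < syslog.conf
audit_log_targets() {
  syslog_targets "$1" "$2" | while read -r dest; do
    if world_readable "$dest"; then
      echo "$dest: world-readable"
    elif [ -e "$dest" ]; then
      echo "$dest: not world-readable"
    else
      echo "$dest: not present on this host"
    fi
  done
}

# Demonstration against the constructed sample; on a real host run
#   audit_log_targets ftpd err < /etc/syslog.conf
printf '%s' "$SAMPLE_CONF" | audit_log_targets ftpd err
```

Any destination reported as world-readable that received ftpd messages at LOG_ERR should be treated as having exposed passwords and removed as the advisory instructs.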
If you have installed the AFS 3.3 version of ftpd on any of your AIX
3.2 machines, we ask that you take the following corrective action
immediately. Remove any log file which contains ftpd messages and replace
the AFS 3.3 ftpd with the corrected binary mentioned below. You may also
want to ask all of your users to change their AFS passwords immediately as
a precaution. A corrected binary is now available in the AFS product tree:

/afs/transarc.com/product/afs/3.3/rs_aix32/etc/ftpd

Note that this problem was the result of a build error and is not
present in the AFS 3.3 source code. If you have compiled your own
binaries you will not be affected. It also does not affect any system
type other than AIX 3.2.

If you do not have access to the transarc.com cell, please inform your
AFS Product Support Representative and a new binary will be sent to
you by e-mail or tape. In the meantime, you may replace the 3.3 ftpd
with the ftpd from an earlier AFS release (AFS 3.2b, 3.2a, etc.).

Bapi Buddhavarapu
Product Engineer
Transarc Corporation

PS: We apologize if you have received this message more than once. We
are looking into the problem that causes the extra mail to be sent.