* ____________________________________________________________________________
*
* ID: 2
* PRODUCT: LEWSVR
* RELEASE: 11.5
* DESC: WIN-SECURITY VULNERABILITY
* SYSTEMS AFFECTED: WINDOWS
* SOLUTION TEXT:

PRODUCT: BAB for Laptops & Desktops Server
RELEASE: 11.5
APAR #: QO91015
DATE: 20 SEP 2007

PROBLEM DESCRIPTION: WIN-SECURITY VULNERABILITY
----------------------------------------------------
This update addresses multiple vulnerabilities:

1. The server accepts connections with insufficient authentication
   verification.
2. Insufficient bounds checking during authentication can result in a
   buffer overflow.
3. Insufficient bounds checking during processing inbound commands can
   result in a buffer overflow.

The buffer overflow vulnerabilities can allow a remote attacker to execute
arbitrary code or cause a denial of service condition.

Please note that this fix does not need to be applied to the client
machines.

PREREQS: None
MPREREQS: None
COREQS: None
MCOREQS: None
SUPERSEDED: None
HYPER: YES
DISTRIBUTION CODE: A (A=Available, I=Internal)

PROBLEM RESOLUTION:
Follow the instructions below:

This fix requires BrightStor ARCserve Backup for Laptops & Desktops
version 11.5 to be installed.

Install Instructions
--------------------
1. Unzip the fix file as follows:

   CAZIPXP -u QO91015.CAZ

2. Shutdown the BrightStor ARCserve Backup for Laptops & Desktops Server

3. Apply the fix file as follows (selecting the "Apply PTF to local or
   remote nodes" option):

   APPLYPTF

   1) Choose QO91015_svr.jcl file, run it.
   2) Choose QO91015_mgr.jcl file, run it.
   3) Choose QO91015_gui.jcl file, run it.

4. Restart the BrightStor ARCserve Backup for Laptops & Desktops Server.

If you want to apply the fix manually, follow steps 1 and 2 above.

3. Rename ManagerCLI.exe,rxRPC.dll,rxRPCstub.dll under
   x:\Program Files\CA\BrightStor ARCserve Backup for Laptops and Desktops\Server

4. Copy ManagerCLI.exe,rxRPC.dll,rxRPCstub.dll to
   x:\Program Files\CA\BrightStor ARCserve Backup for Laptops and Desktops\Server

5. Rename ManagerCLI.exe,rxRPC.dll,rxRPCstub.dll under
   x:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Manager

6. Copy ManagerCLI.exe,rxRPC.dll,rxRPCstub.dll to
   x:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Manager

7. Rename ManagerCLI.exe,rxRPC.dll,rxRPCstub.dll under
   x:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Explorer

8. Copy ManagerCLI.exe,rxRPC.dll,rxRPCstub.dll to
   x:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\Explorer

9. Restart the BrightStor ARCserve Backup for Laptops & Desktops Server.

=====================================================================
CAZIPXP.EXE can be found on web site:
http://support.ca.com/ca_common_docs/latest_cazipxp.html

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
< To remove a fix applied via Applyptf:                            >
<                                                                  >
< 1. Shutdown the BABLDServer (including its service               >
<    if you installed it as a service, using the WindowsNT/        >
<    Windows2000 Services control panel).                          >
<                                                                  >
< 2. Go to "replaced\fix_name" directory under the component/image >
<    directory where "fix_name" is the fix to be backed out,       >
<                                                                  >
< 3. Copy files under the "fix_name" directory to the component/   >
<    image being sure to replace the files in the same directory   >
<    structure as the replaced\fix_name directory                  >
<                                                                  >
< 4. Restart the BABLD Server (using the Services                  >
<    control panel if you installed the Server as a service).      >
<                                                                  >
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

PRODUCT(S) AFFECTED:
BrightStor ARCserve Backup for Laptops    Release 11.5

DOWNLOAD INFORMATION:
---------------------
NODE: ftp.ca.com
PATH: /CAproducts/unicenter/BABLD/nt/GA/QO91015
FILES:
QO91015.DXJ
QO91015.CAZ

UPDATED ROUTINES:
---------------
ManagerCLI.exe    622592    TUE JUN 26 09:31:58 2007
rxRPC.dll         135168    TUE JUN 26 09:30:41 2007
rxRPCstub.dll      65536    TUE JUN 26 09:30:46 2007

* ____________________________________________________________________________
*
* WINDOWS VERSION: 0 EFFECTIVE: 09/05/2007 ACTION: A
*** NO ZAPS FOR THIS VERSION ***
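
Added example (not part of the CA advisory or its tooling): a post-install check that compares the three updated files in the Server, Manager and Explorer directories against the sizes in the UPDATED ROUTINES table, and reports whether an APPLYPTF back-out copy is present. The function names, the install-root argument and the use of "QO91015" as the replaced\fix_name directory name are assumptions.

```python
import sys
from pathlib import Path

# Sizes in bytes, copied from the advisory's UPDATED ROUTINES table. The page
# publishes sizes only (no hashes), so size is the only check it supports.
EXPECTED_SIZES = {
    "ManagerCLI.exe": 622592,
    "rxRPC.dll": 135168,
    "rxRPCstub.dll": 65536,
}
COMPONENTS = ("Server", "Manager", "Explorer")  # dirs from the manual steps
# Assumption: APPLYPTF names its back-out directory after the APAR number.
FIX_NAME = "QO91015"


def audit_component(component_dir):
    """Return {file: status}; status is 'patched', 'missing' or 'size <n>'."""
    result = {}
    for name, expected in EXPECTED_SIZES.items():
        path = Path(component_dir) / name
        if not path.is_file():
            result[name] = "missing"
        elif path.stat().st_size == expected:
            result[name] = "patched"
        else:
            result[name] = f"size {path.stat().st_size}"
    return result


def audit_install(root):
    """Audit every component directory that exists under the install root."""
    report = {}
    for component in COMPONENTS:
        cdir = Path(root) / component
        if not cdir.is_dir():
            continue  # component not installed on this host
        files = audit_component(cdir)
        report[component] = {
            "files": files,
            "patched": all(s == "patched" for s in files.values()),
            # replaced\fix_name holds the originals when APPLYPTF was used
            "backout_copy": (cdir / "replaced" / FIX_NAME).is_dir(),
        }
    return report


if __name__ == "__main__":
    report = audit_install(sys.argv[1])  # assumption: install root as argument
    print(report)
    sys.exit(0 if report and all(c["patched"] for c in report.values()) else 1)
```

A component that reports patched with no back-out copy was most likely updated by the manual rename-and-copy steps rather than through APPLYPTF.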