Further to SERT advisory SA-93.01 which mentioned a forthcoming version of 
the MegaPatch, MegaPatch v1.6 for SunOS 4.1.3 is now available. Note the
release date of 30/Mar/1993 16:50.

As part of the SERT initiative, the MegaPatch has been developed to install
security patches on Sun Microsystems machines running SunOS 4.1.3. The 
purpose of this message is to announce the availability of The MegaPatch 
version 1.6 for machines running SunOS 4.1.3.

Development is under way on a MegaPatch for SunOS 4.1.2. This package is 
not yet available.

If you have any questions regarding the MegaPatch, please send electronic 
mail to megapatch@sert.edu.au.


MegaPatch version 1.6
=====================

Release Date: 30/Mar/1993 16:50

This MegaPatch has been developed to apply a number of security patches in a
one time manner to SunOS.  The MegaPatch is an un-productised version of Sun
Microsystems's security patches, and as such may have additional features/
enhancements/improvements which are not supported  by Sun.

This MegaPatch currently works for SunOS systems 4.1.3 only.

The MegaPatch is supplied as a compressed tar archive - there is a script file
supplied for easy installation. It is distributed on an "all care and no 
responsibility" basis - that is, every care has been taken in it's 
development, but no responsibility will be accepted for unexpected results. 


NOW AVAILABLE AT:
ftp.qut.edu.au:/security/MegaPatch.1.6.*


Additional localisation routines have been added to the MegaPatch to enhance 
site security.  The local scripts are detailed below:

local.aaa  A script to fix some of the permissions after the installation
    of the MegaPatch.
local.log_tcp  A script to install the TCP/IP firewall program log_tcp version
    4.3.  This restricts TCP/IP access to telnet and ftp by
    changing /etc/inetd.conf and further restricts these
    connections to this hosts.  To allow wider access edit the
    file /etc/hosts.allow to add hosts or domains in comma
    separated lists.
local.rmrhosts  This script removes all .rhosts files and /etc/hosts.equiv,
    this makes the use of rsh... a little more secure.
local.rread  This script processes the binary system executables and removes
    the read permission on these.  This makes it more difficult for
    users to pull apart programs with the strings command or for
    users to accidently copy large amounts of data or to copy a
    program such as telnet to a file such as vi in their directory
    to evade system accounting.
local.tripwire  This script installs a default installation of tripwire 1.02
    in the directory /usr/local/etc, with the database of file
    signatures being stored in /usr/local/etc/databases.
local.ttytab  This script ensures that secure is set ONLY for the console in
    the /etc/ttytab file.  This way root can only login on the
    console.
local.xx-cops  This script will install a minimal installation of COPS in
    /usr/local/etc and produce a report on the security of your
    system.  The report will be placed in the directory
    /usr/local/etc/cops_104/`hostname`.
local.zz-kernel  This script will ask additional questions with regard to which
    options you wish added or deleted from the kernel.  To ensure
    maximum security, answer y to all questions (but be aware that
    this may limit the use of some subsystems).  Then the kernel
    will be re-configured and rebuilt, even if there is no
    pre-existing kernel configuration file.
    THE KERNEL MUST BE REBUILT EITHER BY THIS SCRIPT OR MANUALLY AS
    SOME OF THE PATCHES CONTAIN FILES WHICH WILL AFFECT THE
    OPERATION OF THE KERNEL.


NOTE THE INCLUSION OF 2 ADDITIONAL SHELL SCRIPTS:

If you have previously installed patches using MegaPatch, you can use
the script checkmega to check the installation of current patches.

   cd MegaPatch
   ./checkmega

If you wish to mark certain patches as previously loaded (eg manually) so
that the MegaPatch will not re-install them, then use nopatch.
   cd MegaPatch
   ./nopatch


Changes in MegaPatch 1.6 from MegaPatch 1.5
===========================================

1. The following patches have been upgraded to the latest release:
   Previous version  Current version    Detail
   --------------------------------------------------------------
   100173-09    100173-10    NFS jumbo
   100305-10    100305-11    lpr
   100383-05    100383-06    rdist
   100513-01    100513-02    tty jumbo

2. The following patches have been added according to advice from CIAC
   (Advisory number D-11 on March 19, 1993):
   Patch number    Detail
   ----------------------------------------
   100224-06    /bin/mail jumbo patch
   100623-03    UFS jumbo patch
   100891-01    libc replacement

3. The size of MegaPatch 1.6 has increased substantially due to the libc
   patch.  It is anticipated that the compressed patch will now be
   approximately 6Mb (compared to approximatley 3Mb for version 1.5).

4. Two additional shell scripts have been supplied (checkmega, nopatch)
   which will make installation and checking of MegaPatch easier.

   The script, checkmega, will report on the installation status of a
   machine with regard to the current release of the MegaPatch.  Patches
   which have not been applied will be flagged as well as confirmation
   that all patches are applied.

   The script nopatch can be used to instruct MegaPatch not to install
   a particular patch.  This is typically needed if you have already
   applied that patch manually and it should not be re-applied.  It
   does this by touching a file which the installmega script uses to
   determine if a patch has been installed.  NOTE: This could cause
   erronous results to the checkmega script if the patch was truly
   not installed.



The MegaPatch is a result of the SERT initiative. The development work has 
been a joint effort between QUT staff and Sun Microystems. A MegaPatch for 
SunOS 4.1.2 is currently under development, and announcements will be made 
at the appropriate time.

If you have any questions regarding the MegaPatch, please send electronic 
mail to megapatch@sert.edu.au.