AUSCERT External Security Bulletin Redistribution
                ESB-98.006 -- Amanda development team notice
             Vulnerabilities in the Amanda backup software suite
                               14 January 1998


The Amanda development team has released the following advisory concerning
several vulnerabilities in the Amanda backup software suite.

The upgrade suggested in this bulletin breaks backward compatibility.
See the Amanda web page for details:


The following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when the original bulletin is.  If downloading at a later
date, it is recommended that the bulletin is retrieved from the original
authors to ensure that the information is still current.

Contact information for the Amanda development team can be found at:


If you have any questions or need further information, please contact them.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.
Facsimile:      (07) 3365 7031

--------------------------BEGIN INCLUDED TEXT--------------------

AMANDA TEAM RESPONSE TO CPIO Security Notice Issue 11:

The Amanda development team confirms the existence of the amrecover
security hole in recent versions of Amanda.  We have made a new
release, Amanda 2.4.0b5, that fixes the amrecover problem and other
potential security holes, and is the product of a security audit
conducted in conjunction with the OpenBSD effort.  The new version is
available at:


Here's some more information about the amrecover problem to supplement the
information given in the CPIO Security Notice:


The Amanda 2.3.0.x interim releases that introduced amrecover, and the
2.4.0 beta releases by the Amanda team are vulnerable.

Amanda 2.3.0 and earlier UMD releases are not affected by this particular
bug, as amrecover was not part of those releases.  However, earlier
releases do have potential security problems and other bugs, so the Amanda
Team recommends upgrading to the new release as soon as practicable.


At an active site running Amanda 2.3.0.x or 2.4.0 beta, amrecover/amindexd
can be disabled by:

- removing amandaidx and amidxtape from /etc/inetd.conf

- restarting inetd so it re-reads inetd.conf (kill -HUP should do)

This will avoid this particular vulnerability while continuing to run backups.
However, other vulnerabilities might exist, so the Amanda Team recommends
upgrading to the new release as soon as practicable.
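The workaround above, scripted: an added example, not code from the Amanda team or AUSCERT. It assumes the standard inetd.conf layout (service name in the first field) and, for the reload, an inetd pid file at /var/run/inetd.pid or a pgrep that can find inetd; the inetd.conf it edits in the demo is a constructed sample in a temp file.

```shell
#!/bin/sh
# Added example, not code from the Amanda team or AUSCERT: apply the
# advisory's workaround by commenting out the amandaidx and amidxtape
# services in an inetd.conf and telling inetd to re-read it.
# Assumed: service names are in the first field (standard inetd.conf).

# count_active_amanda_index FILE
# Prints how many uncommented amandaidx/amidxtape entries FILE still has.
count_active_amanda_index() {
    awk '$1 == "amandaidx" || $1 == "amidxtape" { n++ } END { print n + 0 }' "$1"
}

# disable_amanda_index FILE
# Keeps a copy in FILE.bak, then rewrites FILE with every active
# amandaidx/amidxtape entry commented out.  Other lines are untouched.
disable_amanda_index() {
    file=$1
    [ -r "$file" ] || return 1
    cp "$file" "$file.bak" || return 1
    tmp="$file.tmp.$$"
    awk '
        # only active entries match: a commented line has "#..." in $1
        $1 == "amandaidx" || $1 == "amidxtape" { print "#" $0; next }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# reload_inetd: the advisory's "kill -HUP"; inetd re-reads inetd.conf on
# SIGHUP.  Not called by the demo below, so running this file HUPs nothing.
reload_inetd() {
    if [ -r /var/run/inetd.pid ]; then      # assumed pid file location
        kill -HUP "$(cat /var/run/inetd.pid)"
    else
        kill -HUP "$(pgrep -x inetd)"
    fi
}

# Demo on a constructed inetd.conf in a temp file (never /etc/inetd.conf).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
ftp       stream tcp nowait root   /usr/sbin/ftpd ftpd
amandaidx stream tcp nowait amanda /usr/local/libexec/amindexd amindexd
amidxtape stream tcp nowait amanda /usr/local/libexec/amidxtaped amidxtaped
#amandaidx stream tcp nowait amanda /usr/local/libexec/amindexd amindexd
EOF
echo "active before: $(count_active_amanda_index "$demo_conf")"   # 2
disable_amanda_index "$demo_conf"
echo "active after:  $(count_active_amanda_index "$demo_conf")"   # 0
```

Run it against a copy of the real file first and diff the result against the .bak before calling reload_inetd on a production host.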


This release (2.4.0) has addressed a number of security concerns with
the assistance of Theo de Raadt, Ejovi Nuwere and David Sacerdote of
the OpenBSD project.  Thanks guys!  Any problems that remain are our
own fault, of course.

The Amanda Team would also like to thank the many other people who have
contributed suggestions, patches, and new subsystems for Amanda.  We're
grateful for any contribution that helps us achieve and sustain critical
mass for improving Amanda.

--------------------------END INCLUDED TEXT--------------------
