COMMAND

    ftp

SYSTEMS AFFECTED

    HP9000 series 700/800, HP-UX releases 9.X, 10.X, and 11.00

PROBLEM

    The ftp client can be tricked into running arbitrary commands
    supplied by the remote server.

SOLUTION

    Install the applicable patches for the filesets ARPA-RUN and
    ARPA-MAN:

        HP-UX release   9.X                 PHNE_13595
        HP-UX release   10.0,10.01,10.10    PHNE_13596
        HP-UX release   10.16               PHNE_16006 (available after 10 August 98)
        HP-UX release   10.20               PHNE_13597
        HP-UX release   10.24               PHNE_15802
        HP-UX release   11.00               PHNE_14479

    Install the applicable patches for the filesets
    InternetSvcSec.INETSVCS-SEC or InternetSvcSec.ISEC-ENG-A-MAN
    (Secure Internet Services):

        HP-UX release   10.20               PHNE_15544

    Recommended solution - Install the applicable patches.  The Secure
    Internet Services product, if enabled, has to be disabled before
    the installation and removal of patch PHNE_15544 for HP-UX 10.20.
    If Secure Internet Services is enabled during patch installation,
    the installation will fail with an error.

    On HP-UX 11.00, this version of FTP has some new configuration
    files that can be used to take advantage of new functionality.
    Samples of the new configuration files are provided in
    /usr/newconfig/etc/ftpd.  These files can be altered to suit your
    needs and copied to the location /etc/ftpd.  Information on the
    new features introduced by this new version of ftpd is in the
    file:

        /usr/share/doc/RelNotes_newftp.txt