This tar file contains a complete set of fixes for various important security
problems.  Included in this archive are:

	README -- this file
	fingerfix -- fix from Keith Bostic at Berkeley for the finger hole,
		distributed in source form.  This message also includes
		fixes to the worm source, which are sort of amusing if
		looked at closely...
	ftpfix1 -- fix for anonymous FTP security hole (also in source form)
		in *all* 4.2BSD, 4.3BSD, and 4.3BSD-tahoe derived systems.
	SunFTPPatch -- diffs that should make the 4.3BSD-tahoe ftpd compile
		and work under SunOS 3.X.
	ftpfix2 -- fix for other (non-anonymous) FTP hole in 4.2BSD-derived
		ftpds.  If you install the new FTP sources in ftpfix1, you don't
		need this.
	ftpfixfix -- fix for ftpd sources in ftpfix1.  This just makes it
		so that anonymous ftp doesn't get logged in wtmp.
	sendmailfix -- final (and, I think, best) fix for the worm's favorite
		hole in sendmail.  An alternate fix (if you have source) is
		to go into recipient.c and change the test protecting the
		'syserr("Can't mail directly to {programs,:includes,files}")'
		lines so that the tTd(0,1) test is no longer present.  This
		lets you keep debug mode, while remaining secure (I think). 
		In fact, this latter fix is probably better than zapping
		debug altogether, for a few reasons.
	wormfixes.sun.1 -- Chuq Von Rospach's official Sun fixes to keep the
		worm out of your system.  I'd suggest that you use the Berkeley
		sendmail patch over the one given here.
	wormfixes.sun.2 -- ditto, but updated a bit.  The sendmail patch here
		should be as effective as the Berkeley patch, but I still like
		the Berkeley one better...
	fingernote -- a condensation of a note from Tony Nardo at APL that
		describes yet another small but significant security hole
		in fingerd.

   Have fun.

	-Steve

Spoken: Steve Miller    Domain: steve@mimsy.umd.edu    UUCP: uunet!mimsy!steve
Phone: +1-301-454-1808  USPS: UMIACS, Univ. of Maryland, College Park, MD 20742
