               Release Notes for
        McAfee ePolicy Orchestrator(TM)
          Version 2.0, 2.5, and 2.5.1
                    Patch 2
   2003 Networks Associates Technology, Inc.
              All Rights Reserved


=====================================================

This release was developed and tested with:

ePolicy Orchestrator:  2.0.0, 2.5.0, and 2.5.1

Make sure you have installed one of these
versions before using this release.

=====================================================


Thank you for using the ePolicy
Orchestrator(TM) software. This file contains
important information regarding this release.
We strongly recommend that you read the entire
document.

The attached files are provided as is, and with
no warranty either expressed or implied as to
their suitability for any particular use or
purpose. Network Associates, Inc. assumes no
liability for damages incurred either directly
or indirectly as a result of the use of these
files, including but not limited to the loss or
damage of data or systems, loss of business or
revenue, or incidental damages arising from
their use. Patch files should be applied only
on the advice of McAfee Security Technical
Support, and only when you are actually
experiencing the issue being addressed by the
Patch. Patch files should not be proactively
applied in order to prevent potential product
issues. You are responsible for reading and
following all instructions for preparation,
configuration, and installation of Patch files.
Patch files are not a substitute or replacement
for product Service Packs which may be released
by Network Associates, Inc. It is a violation
of your software license agreement to
distribute or share these files with any other
person or entity without written permission
from Network Associates, Inc. Further, posting
of McAfee Security Patch files to publicly
available Internet sites is prohibited. Network
Associates, Inc. reserves the right to refuse
distribution of Patch files to any company or
person guilty of unlawful distribution of
McAfee software products. Questions or issues
with McAfee Patch files should be directed to
McAfee Security Technical Support.


_____________________________________________________
WHAT'S IN THIS FILE

-  About This Release
   -  Purpose
   -  Language Support
   -  Files Included with This Release
-  Installation
   -  Installation Requirements
   -  Installation Steps
   -  Installing the Patch
   -  Securing ePolicy Orchestrator SQL Server
      Logins
   -  Removing This Release
-  Contacting McAfee Security and Network
   Associates
-  Copyright and Trademark Attributions
   -  Trademarks
   -  License Agreement and Attributions


_____________________________________________________
ABOUT THIS RELEASE

PURPOSE

This release addresses the following
vulnerabilities:

-  ePolicy Orchestrator MSDE SA Account
   Compromise -- The default installation of
   MSDE, via ePolicy Orchestrator, configures a
   connection between the ePolicy Orchestrator
   server and MSDE to use an SA account. The
   following two steps would allow a
   knowledgeable user to obtain the SA password
   to this account. The ePolicy Orchestrator
   server configuration file, encrypted with
   3DES, can be obtained by issuing a carefully
   targeted HTTP request to the ePolicy
   Orchestrator server. It is then possible to
   decrypt this file and obtain the password by
   reverse engineering the product.
   Vulnerability identifier: CAN-2003-0148

-  ePolicy Orchestrator 2.X Post Parameters
   Heap Overflow -- Sending a POST request to
   the ePolicy Orchestrator agent, where
   parameters in the URL are substituted for a
   large number of A's will cause the service
   to stop responding. A carefully targeted
   request will allow an attacker to overwrite
   arbitrary data and thus execute code.
   Vulnerability identifier: CAN-2003-0149

-  ePolicy Orchestrator 2.X Computerlist Format
   String -- Sending a POST request to the
   ePolicy Orchestrator server, where the
   computerlist parameter contains a few format
   characters, will cause the ePolicy
   Orchestrator server service to stop
   responding when it tries to log a failed
   name resolution. A maliciously constructed
   string containing format string characters
   will allow the execution of arbitrary code.
   Vulnerability identifier: CAN-2003-0616

This release also includes the following HotFix
and Patch releases for each product version:

-  Version 2.0 -- Includes HotFix 1 through
   HotFix6. If you have installed HotFix 7, 8,
   9, 10, 11, or 12, you do NOT need to
   re-install them.

-  Version 2.5 -- Does not include any HotFix
   releases. If you have installed HotFix 1, 2,
   3, 4, 5, 6, or 7, you do NOT need to
   re-install them.

-  Version 2.5.1 -- Includes Patch 1.


LANGUAGE SUPPORT

This release supports all language versions of
the ePolicy Orchestrator software.


FILES INCLUDED WITH THIS RELEASE

This release consists of a package called
EPO2X2.ZIP, which contains the following
files:

   EPO2XP2.EXE =
      Setup program

   EPOSQLSEC.SQL =
      SQL script

   PACKING.LST =
      List of Patch files

   PATCH2.TXT =
      This text file


_____________________________________________________
INSTALLATION

INSTALLATION REQUIREMENTS

To use this release, you must have ePolicy
Orchestrator 2.0, 2.5, or 2.5.1 software
installed on the ePolicy Orchestrator server
that you intend to update with this release.

   NOTE:
   This release does not work with earlier
   versions of the ePolicy Orchestrator
   software.


INSTALLATION STEPS

1. Create a temporary folder on the hard drive
   of the ePolicy Orchestrator server.

2. Extract the EPO2X2.ZIP file to the temporary
   folder that you created in Step 1.


INSTALLING THE PATCH

      WARNING
      Close the Windows Services dialog box to
      avoid installation issues.

1. Back up ePolicy Orchestrator databases.

   If you are using Microsoft SQL Server as the
   ePolicy Orchestrator database, see the SQL
   Server product documentation.

   If you are using Microsoft Data Engine
   (MSDE) as the ePolicy Orchestrator database,
   you can use the Database Backup Utility
   (DBBAK.EXE) to back up ePolicy Orchestrator
   MSDE databases on the database server. For
   instructions, see "Backing up ePolicy
   Orchestrator MSDE databases" in the ePolicy
   Orchestrator 3.0 Product Guide.

2. Log on to the desired computer using a user
   account with local administrator
   permissions.

3. Close all ePolicy Orchestrator consoles.

4. On the taskbar, click the "Start" button,
   then point to "Run." The "Run" dialog box
   appears.

5. In "Open," type the path where the Setup
   program (EPO2XP2.EXE) is located, then click
   "OK." The "ePolicy Orchestrator 2.x Patch 2
   Setup" wizard appears.

6. Click "Next" to begin the installation.

7. Click "Finish" to complete the
   installation.

8. In the "Services" dialog box, select the
   "NAI ePolicy Orchestrator 2.5.1 Server"
   service and edit the service to change the
   account back to the original setting. For
   example, if you specified a domain
   administrator account during the initial
   installation, you need to provide that
   account information again. The account is
   not automatically restored.


SECURING EPOLICY ORCHESTRATOR SQL SERVER
LOGINS

If you installed MSDE as part of the ePolicy
Orchestrator installation, you need to complete
these steps.

1. In a text editor, open the EPOSQLSEC.SQL
   file from the temporary folder you created
   in Step 1 of "Installation Steps." It
   contains these lines:

   EXEC sp_addlogin
      '<new_login_name>',
      '<password>',
      '<database_name>'

   EXEC sp_grantdbaccess '<new_login_name>'

   EXEC sp_addrolemember
      'db_owner',
      '<new_login_name>'

2. Replace the <new_login_name> variable with a
   user name for a new SQL Server user account
   (login). This variable appears three times.

3. Replace the <password> variable with a
   password for the new user account. This
   variable appears once.

4. Replace the <database_name> variable with
   the name of the ePolicy Orchestrator
   database. The default database name is
   EPO_<SERVER>, where <SERVER> is the name of
   the ePolicy Orchestrator server. This
   variable appears once.

   For example, if the user name is EPODBO, the
   password is T2M0912, and the database name
   is ePO_MANAGE, the resulting file would be:

   EXEC sp_addlogin
      'EPODBO',
      'T2M0912',
      'ePO_MANAGE'

   EXEC sp_grantdbaccess 'EPODBO'

   EXEC sp_addrolemember
      'db_owner',
      'EPODBO'

5. Save the file.

6. At the command prompt, run the following
   command:

      NOTE
      This command is case-sensitive.

      OSQL -d<database_name> -U<account_with_sa_privileges> -P<password>
      -i<path>EPOSQLSEC.SQL

   Where <database_name> is the name of the
   ePolicy Orchestrator database. The default
   database name is EPO_<SERVER>, where
   <SERVER> is the name of the ePolicy
   Orchestrator server.

   And where <account_with_sa_privileges> and
   <password> are the user name and password of
   an account with system administrator
   permissions on the database.

   And where <path> is the location of the
   EPOSQLSEC.SQL file.

   For example, if the ePolicy Orchestrator
   database name is ePO_MANAGE, the user name
   is SA, the password is 53cr3t, and the
   EPOSQLSEC.SQL file is in C:\TEMP, the
   resulting command would be:

      OSQL -dePO_MANAGE -USA -P53cr3t -iC:\TEMP\EPOSQLSEC.SQL

7. Start the Server Configuration program
   (CFGNAIMS.EXE). The default location is:

      C:\PROGRAM FILES\MCAFEE\EPO\2.0

8. Click the "Administrator" tab.

9. Select "Use SQL authentication."

10.   In "User name," type the value you
   provided for the <new_login_name> variable
   in Step 3.

11.   In "Password," type the value you
   provided for the <password> variable in Step
   4.

12.   Click "OK."


REMOVING THIS RELEASE

To remove this Patch from your computer,
uninstall, then reinstall ePolicy
Orchestrator.

   NOTE:
   We recommend that you do NOT remove the
   Patch files once you install them. If you
   reinstall the ePolicy Orchestrator software,
   we recommend that you also reinstall the
   Patch.


_____________________________________________________
CONTACTING MCAFEE SECURITY & NETWORK
ASSOCIATES

Technical Support
   Home Page
      http://www.networkassociates.com/us/support/


   KnowledgeBase Search
      https://knowledgemap.nai.com/phpclient/homepage.aspx

   PrimeSupport Service Portal
      http://mysupport.nai.com

      Login credentials required.


McAfee Security Beta Program
   Beta Web Site
      http://www.networkassociates.com/us/downloads/beta/

   E-mail
      avbeta@nai.com


Security Headquarters -- AVERT (Anti-Virus
Emergency Response Team)
   Home Page
      http://www.networkassociates.com/us/security/home.asp

   Virus Information Library
      http://vil.nai.com

   Submit a Virus Sample  AVERT WebImmune
      https://www.webimmune.net/default.asp

   AVERT DAT Notification Service
      http://www.networkassociates.com/us/downloads/updates/


Download Site
   Home Page
      http://www.networkassociates.com/us/downloads/

   DAT File and Engine Updates
      http://www.networkassociates.com/us/downloads/updates/

      ftp://ftp.nai.com/pub/antivirus/datfiles/4.x

   Product Upgrades
      https://secure.nai.com/us/forms/downloads/upgrades/login.asp

      Valid grant number required.
      Contact Network Associates Customer
      Service


Training
   McAfee Security University
      http://www.networkassociates.com/us/services/education/mcafee/university.htm



Network Associates Customer Service
   US, Canada, and Latin America toll-free:
   Phone:   +1-888-VIRUS NO or +1-888-847-8766
            Monday - Friday, 8 a.m. - 8 p.m.,
            Central Time

   E-mail:  services_corporate_division@nai.com
   Web:     http://www.nai.com/us/index.asp
            http://www.networkassociates.com/us/products/mcafee_security_home.htm

For additional information on contacting
Network Associates and McAfee Security 
including toll-free numbers for other
geographic areas  see the documentation that
accompanied your original product release.


_____________________________________________________
COPYRIGHT AND TRADEMARK ATTRIBUTIONS

 2003 Networks Associates Technology, Inc. All
Rights Reserved. No part of this publication
may be reproduced, transmitted, transcribed,
stored in a retrieval system, or translated
into any language in any form or by any means
without the written permission of Networks
Associates Technology, Inc., or its suppliers
or affiliate companies. To obtain this
permission, write to the attention of the
Network Associates legal department at: 5000
Headquarters Drive, Plano, Texas 75024, or call
+1-972- 963-8000.


TRADEMARKS

Active Firewall, Active Security, Active
Security (in Katakana), ActiveHelp,
ActiveShield, AntiVirus Anyware and design,
Appera, AVERT, Bomb Shelter, Certified Network
Expert, Clean-Up, CleanUp Wizard, ClickNet,
CNX, CNX Certification Certified Network Expert
and design, Covert, Design (stylized N), Disk
Minder, Distributed Sniffer System, Distributed
Sniffer System (in Katakana), Dr Solomons, Dr
Solomons label, E and Design, Entercept,
Enterprise SecureCast, Enterprise SecureCast
(in Katakana), ePolicy Orchestrator, Event
Orchestrator (in Katakana), EZ SetUp, First
Aid, ForceField, GMT, GroupShield, GroupShield
(in Katakana), Guard Dog, HelpDesk, HelpDesk
IQ, HomeGuard, Hunter, Impermia, InfiniStream,
Intrusion Prevention Through Innovation,
IntruShield, IntruVert Networks, LANGuru,
LANGuru (in Katakana), M and design, Magic
Solutions, Magic Solutions (in Katakana), Magic
University, MagicSpy, MagicTree, McAfee, McAfee
(in Katakana), McAfee and design, McAfee.com,
MultiMedia Cloaking, NA Network Associates, Net
Tools, Net Tools (in Katakana), NetAsyst,
NetCrypto, NetOctopus, NetScan, NetShield,
NetStalker, Network Associates, Network
Performance Orchestrator, Network Policy
Orchestrator, NetXray, NotesGuard, nPO, Nuts &
Bolts, Oil Change, PC Medic, PCNotary,
PortalShield, Powered by SpamAssassin,
PrimeSupport, Recoverkey, Recoverkey 
International, Registry Wizard, Remote Desktop,
ReportMagic, RingFence, Router PM, Safe &
Sound, SalesMagic, SecureCast, SecureSelect,
Service Level Manager, ServiceMagic, SmartDesk,
Sniffer, Sniffer (in Hangul), SpamKiller,
SpamAssassin, Stalker, SupportMagic,
ThreatScan, TIS, TMEG, Total Network Security,
Total Network Visibility, Total Network
Visibility (in Katakana), Total Service Desk,
Total Virus Defense, Trusted Mail, UnInstaller,
VIDS, Virex, Virus Forum, ViruScan, VirusScan,
WebScan, WebShield, WebShield (in Katakana),
WebSniffer, WebStalker, WebWall, What's The
State Of Your IDS?, Whos Watching Your
Network, WinGauge, Your E-Business Defender,
ZAC 2000, Zip Manager are registered trademarks
or trademarks of Network Associates, Inc.
and/or its affiliates in the US and/or other
countries. Sniffer brand products are made
only by Network Associates, Inc. All other
registered and unregistered trademarks in this
document are the sole property of their
respective owners.


LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE
APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO
THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE
GENERAL TERMS AND CONDITIONS FOR THE USE OF THE
LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE
CONSULT THE SALES AND OTHER RELATED LICENSE
GRANT OR PURCHASE ORDER DOCUMENTS THAT
ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU
HAVE RECEIVED SEPARATELY AS PART OF THE
PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT
CD, OR A FILE AVAILABLE ON THE WEB SITE FROM
WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF
YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH
IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE.
IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO
NETWORK ASSOCIATES, INC. OR THE PLACE OF
PURCHASE FOR A FULL REFUND.


Attributions

This product includes or may include:

-  Software developed by the OpenSSL Project
   for use in the OpenSSL Toolkit
   (http://www.openss1.org/).

-  Cryptographic software written by Eric Young
   (eay@cryptsoft.com) and software written by
   Tim J. Hudson (tjh@cryptsoft.com).

-  Some software programs that are licensed (or
   sublicensed) to the user under the GNU
   General Public License (GPL) or other
   similar Free Software licenses which, among
   other rights, permit the user to copy,
   modify and redistribute certain programs, or
   portions thereof, and have access to the
   source code.  The GPL requires that for any
   software covered under the GPL which is
   distributed to someone in an executable
   binary format, that the source code also be
   made available to those users.  For any such
   software covered under the GPL, the source
   code is made available on this CD.  If any
   Free Software licenses require that Network
   Associates provide rights to use, copy or
   modify a software program that are broader
   than the rights granted in this agreement,
   then such rights shall take precedence over
   the rights and restrictions herein.

-  Software originally written by Henry
   Spencer, Copyright 1992, 1993, 1994, 1997
   Henry Spencer.

-  Software originally written by Robert
   Nordier, Copyright  1996-7 Robert Nordier.
   All rights reserved.

-  Software written by Douglas W. Sauder.

-  Software developed by the Apache Software
   Foundation (http://www.apache.org/).

-  International Components for Unicode ("ICU")
   Copyright  1995-2002 International Business
   Machines Corporation and others. All rights
   reserved.

-  Software developed by CrystalClear Software,
   Inc., Copyright  2000 CrystalClear
   Software, Inc.

-  FEAD Optimizer technology, Copyright
   Netopsystems AG, Berlin, Germany.


DBN 006-ENG
