According to karl klebenow:
>
> I also agree - there needs to be a mechanism to let us determine the
> size of the risk. Two cents from this SM.
> ---------------Original Message---------------
> I agreee with Mark's concern but also understand HP's position. Even so,
> there SHOULD be a way to know what is at risk. Maybe a certified letter to
> the registered System Manager at each site upon request can be possible.
>
> So HP, please find a way to disclose this information to those who REALLY
> need it and ask for it.  SMs everywhere, speak.
>
> Thanks
>
>
> ----------End of Original Message----------
>
 
I agree that there is risk to revealing details, but that is *not*
necessary. What most SMs need to know is if the problem hole is
available without access to the CI and what general subsystem
provides the hole.
 
Most unix security briefs (including HP's for HP-UX) leave no doubt as to
the general method of operation of the hole, but they do leave out
many of the real details it takes to make use of the hole - I don't
see why this could not be done by HP for the 3000.
 
At least a letter to supported SMs - registered if necessary - but it would
not have to provide all the details, but just a general, conceptual
explanation.  Of course, any clues would aid someone trying to do harm, but
if systems are not updated with the patch when they would have been if more
information was available, then hiding the infomation defeats the purpose.
 
 
--
-- - - - Speaking for myself and not necessarily anybody else - - - - - -
Richard Gambrell        | Internet: [log in to unmask]
Mgr. Tech. Services     | POT:      504-483-7454     FAX: 504-482-1561
Xavier University of LA | Smail:    7325 Palmetto, New Orleans, LA 70125