HP3000-L Archives

March 1995, Week 4

HP3000-L@RAVEN.UTC.EDU

From: Mark Bixby <[log in to unmask]>
Date: Thu, 23 Mar 1995 16:38:07 -0800

I'm sure that other people have received / will receive a security notification
letter from HP warning about 3 MPE/iX bugs:
 
1) Users already logged on to the system may, via a malicious attack, gain
additional privileges and/or special capabilities.  Applies to 4.0, 4.5,
Limited 5.0.
 
2) Unauthorized users may, via a malicious attack, gain access to a higher
TurboImage privilege.  Applies to Limited 5.0.
 
3) Users already logged on to the system may, via a malicious attack, gain
additional privileges and/or special capabilities.  Applies to all releases
up to Limited 5.0.
 
That is all the detail given; sort of like hearing that your car has been
recalled without knowing what the exact defect is.  ;-)
 
Upgrading to the General Release of 5.0 fixes all 3 bugs.  But I cannot upgrade
our only 3000, the 4.0 one that naturally runs our most critical business
functions, until the first 5.0 Powerpatch is available to minimize the chance
of any nasty surprises.
 
Patches are available for bugs 1) and 3) on 4.0, but 1) forces you to REAPPLY
ALL PREVIOUS PATCHES because it is an OS SOM replacement.  I have several
patches since the previous Powerpatch that need to be investigated.
 
I'm guessing the 5.0 Powerpatch is about 3 months away.  I have a choice of
reinstalling all of my 4.0 patches or waiting until 5.0 upgrade time.  But my
Response Center Advocate does not have any technical details on these security
holes, and says that she DOES NOT HAVE ACCESS to any technical details.  HP
is evidently trying to keep these bugs quiet to prevent security break-ins.
That's a laudable goal, but denies me the knowledge I'd like to have to
evaluate how much risk is posed to our environment here.  If I knew the risk
was high, I'd reapply all of the 4.0 patches; if the risk is low, I'll wait
until 5.0.  But HP won't tell me, the designated contact person on our
HP support contract, and that bugs me!
 
I think the designated person(s) on an HP support contract should be able to
go through their local SE (who knows them personally, one would hope!) to
obtain technical details about security issues like this.
 
Comments?  Would anybody who does know about these bugs care to e-mail me the
technical details strictly off the record and not for redistribution?
--
Mark Bixby                      E-mail: [log in to unmask]
Coast Community College Dist.   Web: http://www.cccd.edu/~markb/
District Information Services   1370 Adams Ave., Costa Mesa, CA, USA 92626-5429
Technical Support               +1 714 432-5865 x7064
"You can tune a file system, but you can't tune a fish." - tunefs(1M)
