I'm sure that other people have received / will receive a security notification letter from HP warning about 3 MPE/iX bugs: 1) Users already logged on to the system may, via a malicious attack, gain additional privileges and/or special capabilities. Applies to 4.0, 4.5, Limited 5.0. 2) Unauthorized users may, via a malicious attack, gain access to a higher TurboImage privilege. Applies to Limited 5.0. 3) Users already logged on to the system may, via a malicious attack, gain additional privileges and/or special capabilities. Applies to all releases up to Limited 5.0. That is all the detail given; sort of like hearing that your car has been recalled without knowing what the exact defect is. ;-) Upgrading to the General Release of 5.0 fixes all 3 bugs. But I cannot upgrade our only 3000, the 4.0 one that naturally runs our most critical business functions, until the first 5.0 Powerpatch is available to minimize the chance of any nasty surprises. Patches are available for bugs 1) and 3) on 4.0, but 1) forces you to REAPPLY ALL PREVIOUS PATCHES because it is an OS SOM replacement. I have several patches since the previous Powerpatch that need to be investigated. I'm guessing the 5.0 Powerpatch is about 3 months away. I have a choice of reinstalling all of my 4.0 patches or waiting until 5.0 upgrade time. But my Response Center Advocate does not have any technical details on these security holes, and says that she DOES NOT HAVE ACCESS to any technical details. HP is evidently trying to keep these bugs quiet to prevent security break-ins. That's a laudable goal, but denies me the knowledge I'd like to have to evaluate how much risk is posed to our environment here. If I knew the risk was high, I'd reapply all of the 4.0 patches; if the risk is low, I'll wait until 5.0. But HP won't tell me, the designated contact person on our HP support contract, and that bugs me! I think the designated person(s) on an HP support contract should be able to go through their local SE (who knows them personally, one would hope!) to obtain technical details about security issues like this. Comments? Would anybody who does know about these bugs care to e-mail me the technical details strictly off the record and not for redistribution? -- Mark Bixby E-mail: [log in to unmask] Coast Community College Dist. Web: http://www.cccd.edu/~markb/ District Information Services 1370 Adams Ave., Costa Mesa, CA, USA 92626-5429 Technical Support +1 714 432-5865 x7064 "You can tune a file system, but you can't tune a fish." - tunefs(1M)