According to karl klebenow:
>
> I also agree - there needs to be a mechanism to let us determine the
> size of the risk. Two cents from this SM.
> ---------------Original Message---------------
> I agree with Mark's concern but also understand HP's position. Even so,
> there SHOULD be a way to know what is at risk. Maybe a certified letter to
> the registered System Manager at each site upon request can be possible.
>
> So HP, please find a way to disclose this information to those who REALLY
> need it and ask for it. SMs everywhere, speak.
>
> Thanks
>
>
> ----------End of Original Message----------
>

I agree that there is risk to revealing details, but that is *not* necessary. What most SMs need to know is if the problem hole is available without access to the CI and what general subsystem provides the hole. Most unix security briefs (including HP's for HP-UX) leave no doubt as to the general method of operation of the hole, but they do leave out many of the real details it takes to make use of the hole - I don't see why this could not be done by HP for the 3000. At least a letter to supported SMs - registered if necessary - but it would not have to provide all the details, but just a general, conceptual explanation. Of course, any clues would aid someone trying to do harm, but if systems are not updated with the patch when they would have been if more information was available, then hiding the information defeats the purpose.

--
-- - - - Speaking for myself and not necessarily anybody else - - - - - -
Richard Gambrell        | Internet: [log in to unmask]
Mgr. Tech. Services     | POT: 504-483-7454 FAX: 504-482-1561
Xavier University of LA | Smail: 7325 Palmetto, New Orleans, LA 70125