---------- Forwarded message ----------
Date: Wed, 3 Apr 1996 15:47:11 -0500
From: CERT Bulletin <cert-advisory_at_cert.org>
Reply-To: cert-advisory-request_at_cert.org
To: cert-advisory_at_cert.org
Subject: CERT Vendor-Initiated Bulletin VB-96.05 - OSF/1 dxconsole
=============================================================================
CERT(sm) Vendor-Initiated Bulletin VB-96.05
April 3, 1996
Topic: OSF/1 dxconsole vulnerability
Source: Digital Equipment Corporation
To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Digital
Equipment Corporation. Digital Equipment Corporation urges you to act on this
information as soon as possible. Digital Equipment Corporation contact
information is included in the forwarded text below; please contact them if
you have any questions or need further information.
========================FORWARDED TEXT STARTS HERE============================
---------------------------------------------------------------------
Copyright (c) Digital Equipment Corporation 1996.
All rights reserved.
TITLE: SSRT0358_OSF1032C Digital OSF/1 V2.0 thru 3.2C dxconsole
SOURCE: Digital Equipment Corporation
Software Security Response Team
---------------------------------------------------------------------
PROBLEM:
--------
Digital recently discovered a potential security vulnerability with
dxconsole for OSF/1 V2.0 thru V3.2C. This potential vulnerability may
allow authorized users to gain unauthorized privileges.
Digital has corrected this potential vulnerability and provided
kits containing new images. The appropriate kits and images are
identified below.
APPLICABILITY:
--------------
Digital Equipment Corporation strongly urges Customers to upgrade
to a minimum of DEC OSF/1 V3.0, then apply the Security patch.
ECO INFORMATION:
----------------
ECO Kit Name: SSRT0358_OSF1032C
ECO Kits Superseded by This ECO Kit: None
ECO Kit Approximate Size: ssrt0358_osf1032C.tar_Z 76571 Bytes
System Reboot Necessary: Yes
__________________________________________________________________
These kits will not install on versions previous to DEC OSF/1 V2.0
__________________________________________________________________
AVAILABILITY:
-------------
Software service contract or warranty customers can obtain the kits through
normal Digital support channels via AES (Advanced Electronic Service)
or from the appropriate version directory listed by accessing:
ftp://ftp.service.digital.com/public/osf
Please refer to the applicable Release Note information prior to
upgrading your installation.
Note: Non-contract/non-warranty customers should contact
local Digital support channels for information
regarding these kits.
As always, Digital urges you to periodically review your system
management and security procedures. Digital will continue to review
and enhance the security features of its products and work
with customers to maintain and improve the security and integrity
of their systems.
- DIGITAL EQUIPMENT CORPORATION
---------------------------------------------------------------------
=========================FORWARDED TEXT ENDS HERE=============================
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST).
We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact the
CERT staff for more information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
CERT Contact Information
------------------------
Email cert_at_cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT (GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
CERT publications, information about FIRST representatives, and other
security-related information are available from
http://www.cert.org/
ftp://info.cert.org/pub/
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request_at_cert.org
CERT is a service mark of Carnegie Mellon University.
Received on Thu Apr 04 1996 - 08:11:36 NZST