--
Arrigo Triulzi <arrigo_at_albourne.com> - Peripatetic Wizard
Albourne Partners Ltd. - London, UK
APL Financial Services (Overseas) Ltd. - Nicosia, Cyprus
"Every day, thousands are coming back to BT... with baseball bats!"

---------------------------------------------------------
>From wolinski_at_umaxp1.physics.lsa.umich.edu Mon Sep 20 09:07:14 1999
Date: Sun, 19 Sep 1999 14:22:55 -0400 (EDT)
From: Dave Wolinski <wolinski_at_umaxp1.physics.lsa.umich.edu>
To: Eric Gatenby <egatenby_at_mailhub.com>
Subject: Re: Lack of security notifications

Hi,

I have only heard of the tooltalk patch -- that was announced by CERT
sometime last week.

I think you bring up a good point. I have never understood how one is
supposed to know when and what patches become officially available from
Compaq. They just sort of appear there from time to time.

If you learn anything about this, I'm sure other people (in addition to
me) would appreciate hearing about it.

Good luck,
Dave

--------------------------------------------------
David Wolinski              wolinski_at_umich.edu
Department of Physics       Phone: (734) 936-6648
University of Michigan      Fax: (734) 936-6753

---------------------------------------------------------
>From pas_at_unh.edu Mon Sep 20 09:07:19 1999
Date: Sun, 19 Sep 1999 14:28:10 -0400
From: Paul A Sand <pas_at_unh.edu>
To: Eric Gatenby <egatenby_at_mailhub.com>
Subject: Re: Lack of security notifications

Eric Gatenby (egatenby_at_mailhub.com) writes:
>
> Has anyone actually received a security advisory/patch notification from the
> "dunix-patches" list for these patches?
>

Not me. I think I was subscribed to that list but I haven't received
anything from it for quite awhile. (And for awhile, I was getting
multiple messages for each patch.)

--
-- Paul A. Sand                  | Oh well. It's just life.
-- University of New Hampshire   | (Bart Simps... er... Oktay Ahiska)
-- pas_at_unh.edu                 |
-- http://pubpages.unh.edu/~pas  |

---------------------------------------------------------
>From kforward_at_morgan.ucs.mun.ca Mon Sep 20 09:07:26 1999
Date: Sun, 19 Sep 1999 17:51:08 -0230 (NDT)
From: Kenneth Forward <kforward_at_morgan.ucs.mun.ca>
To: Eric Gatenby <egatenby_at_mailhub.com>
Subject: Re: Lack of security notifications

Eric,

I received the following dunix-patches alerts on the following dates:

Subject: SSRT0614U_RPC_CMSD Potential Security Problem When Using rpc.cmsd
Date: Thu, 12 Aug 1999 16:30:19 -0600

Subject: SSRTO615U_DTACTION Potential Security Problem when using dtaction
Date: Mon, 23 Aug 1999 15:30:15 -0600

Subject: SSRT0617U_TTSESSION Potential Security Problem when using
Date: Fri, 10 Sep 1999 14:30:45 -0600

> If it isn't me, then there is a major problem. One fixes a problem
> for a remote root hack, something I would have liked to have found out
> about from Compaq, rather than from a two day old Bugtraq message.
> Another patch is for a local root hack....

Whatever the platform, whatever the list, you're *always* gonna find out
about it on BUGTRAQ first...

Hang in there,
KenF

--
Kenneth Forward, Technical Support Group
Department of Computing and Communications
Memorial University of Newfoundland

---------------------------------------------------------
>From startrek-joel_at_email.msn.com Mon Sep 20 09:07:31 1999
Date: Sun, 19 Sep 1999 18:33:05 -0500
From: Joel DeWitt <startrek-joel_at_email.msn.com>
To: Eric Gatenby <egatenby_at_mailhub.com>
Subject: RE: Lack of security notifications

I've gotten something on the "ssrt0617u_ttsession" patch, but that's it.
I didn't know there was more...
startrek-joel_at_email.msn.com

---------------------------------------------------------
>From Neil.Dyce_at_bristol.ac.uk Mon Sep 20 09:07:39 1999
Date: Mon, 20 Sep 1999 08:54:47 +0100 (BST)
From: Neil Dyce <Neil.Dyce_at_bristol.ac.uk>
To: Eric Gatenby <egatenby_at_mailhub.com>
Subject: Re: Lack of security notifications

On Sun, 19 Sep 1999, Eric Gatenby wrote:
>
> Has anyone actually received a security advisory/patch notification from the
> "dunix-patches" list for these patches?
>
> ssrt0614u_rpc_cmsd
> ssrt0615u_dtaction
> ssrt0617u_ttsession
>
> I have 2 accounts (one work, one home) subscribed to the dunix-patches list.
> Neither of them have received anything. Is it me? Is it them?
>

I got them fine, in particular the ttsession patch came a couple of days
before the CERT advisory. Initially I had subscribed to the digest
version of the list, but changed after not receiving anything from it
for several weeks. Maybe the server will let you query it for your
subscription details.

Regards,
Neil.

---------------------------------------------------------
>From gwen_at_itg.cam.ac.uk Mon Sep 20 09:07:44 1999
Date: Mon, 20 Sep 1999 09:40:55 +0100
From: Gwen Pettigrew <gwen_at_itg.cam.ac.uk>
To: Eric Gatenby <egatenby_at_mailhub.com>
Subject: Re: Lack of security notifications

Hi Eric,

I didn't receive any notification from the dunix-patches list either.
I learnt about these patches from the CERT mailing list

--
Gwen Pettigrew
Computer Officer
Institute of Theoretical Geophysics
Department of Earth Sciences
Downing Street
Cambridge CB2 3EQ
UK

Tel 01223 333464
E-mail gwen_at_itg.cam.ac.uk
W3 http://www.itg.cam.ac.uk/ITG/members/gwen/

---------------------------------------------------------
>From bobv_at_dcs.rhbnc.ac.uk Mon Sep 20 09:07:48 1999
Date: Mon, 20 Sep 1999 09:56:58 +0100 (BST)
From: Bob Vickers <bobv_at_dcs.rhbnc.ac.uk>
Reply-To: R.Vickers_at_dcs.rhbnc.ac.uk
To: Eric Gatenby <egatenby_at_mailhub.com>
Subject: Re: Lack of security notifications

Hello Eric,

I'm on the patches list but have heard nothing from it about these
patches. In fact I don't think I've ever received anything useful from
it at all!

Compaq's behaviour has been particularly bad over the rpc.cmsd problem.
There were CIAC and CERT announcements about this problem which failed
to mention Compaq. Someone asked the TRU64 Managers' list what the
status was, and quoted Compaq support as saying there were no known
vulnerabilities in it. But much later I found the patch completely by
chance when I was downloading other patches. As far as I know it has
never been announced at all!

Compaq is obsessively secretive about security. It is often completely
impossible to discover from them whether a particular OS release is
vulnerable to a problem; even their support staff are kept in the dark.
And when a jumbo patch kit is released it is very hard to find out which
security patches you have to reinstall.

Bob

On Sun, 19 Sep 1999, Eric Gatenby wrote:
>
> Has anyone actually received a security advisory/patch notification from the
> "dunix-patches" list for these patches?
>
> ssrt0614u_rpc_cmsd
> ssrt0615u_dtaction
> ssrt0617u_ttsession
>
> I have 2 accounts (one work, one home) subscribed to the dunix-patches list.
> Neither of them have received anything. Is it me? Is it them?
>
> If it isn't me, then there is a major problem. One fixes a problem
> for a remote root hack, something I would have liked to have found out
> about from Compaq, rather than from a two day old Bugtraq message.
> Another patch is for a local root hack....
>

==============================================================
Bob Vickers                     R.Vickers_at_dcs.rhbnc.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW:   http://www.cs.rhbnc.ac.uk/home/bobv
Phone: +44 1784 443691

---------------------------------------------------------
>From joe_at_meng.ucl.ac.uk Mon Sep 20 09:07:52 1999
Date: Mon, 20 Sep 1999 11:43:42 GMT0
From: Joe Fletcher <joe_at_meng.ucl.ac.uk>
To: egatenby_at_mailhub.com
Subject: RE: Lack of security notifications

Hi,

> Has anyone actually received a security advisory/patch notification from the
> "dunix-patches" list for these patches?
>
> ssrt0614u_rpc_cmsd
> ssrt0615u_dtaction
> ssrt0617u_ttsession
>
> I have 2 accounts (one work, one home) subscribed to the dunix-patches list.
> Neither of them have received anything. Is it me? Is it them?
>
> If it isn't me, then there is a major problem. One fixes a problem
> for a remote root hack, something I would have liked to have found out
> about from Compaq, rather than from a two day old Bugtraq message.
> Another patch is for a local root hack....

It's not you. I'm on the dunix and VMS patch lists and they've been
silent for a while now.

Joe

---------------------------------------------------------
>From jhf_at_dmu.ac.uk Mon Sep 20 09:07:57 1999
Date: Mon, 20 Sep 1999 12:25:41 +0100 (BST)
From: John Files <jhf_at_dmu.ac.uk>
To: egatenby_at_mailhub.com
Subject: Re: Lack of security notifications

I also subscribe to the patches list but received no notifications.

Regards
John

---------------------------------------------------------------------
John Files                      Senior Systems Engineer (UNIX Group)
Faculty of Computing Sciences and Engineering
                                Tel: 0116-2551551 ext 8475
De Montfort University          Fax: 0116-254 1891
The Gateway                     e-mail: jhf_at_dmu.ac.uk
Leicester LE1 9BH
England
---------------------------------------------------------------------

Received on Mon Sep 20 1999 - 13:14:38 NZST