Lack of security notifications

From: Jim Fitzmaurice <jpfitz_at_fnal.gov>
Date: Mon, 20 Sep 1999 09:56:31 -0500

Hello,
        I installed "ssrt0615u_dtaction" & "ssrt0617u_ttsession" in accordance with
a CERT bulletin last week. See
http://www.cert.org/advisories/CA-99-11-CDE.html. They were listed in the
bulletin as approved by Compaq to correct CDE security problems.

        (Compaq was also one of the few companies affected by these bugs that
had a patch out this quickly. *Good job Compaq!* Now if they just had better
customer notification. *This needs work Compaq.* Having bug patches quickly
doesn't help if your customers don't know to install them.)

P.S. The patch "ssrt0614u_rpc_cmsd" was mentioned in this post. Anybody know
exactly what it does and why it should be installed?

Jim Fitzmaurice
jpfitz_at_fnal.gov

UNIX is very user friendly, It's just very particular about who it makes
friends with.

> -----Original Message-----
> From: tru64-unix-managers-owner_at_ornl.gov
> [mailto:tru64-unix-managers-owner_at_ornl.gov]On Behalf Of Eric Gatenby
> Sent: Monday, September 20, 1999 8:12 AM
> To: tru64-unix-managers_at_ornl.gov
> Subject: SUMMARY: Lack of security notifications
>
> On this issue, I received responses from the following people:
>
> Arrigo Triulzi <arrigo_at_albourne.com>
> Dave Wolinski <wolinski_at_umaxp1.physics.lsa.umich.edu>
> Paul A Sand <pas_at_unh.edu>
> Kenneth Forward <kforward_at_morgan.ucs.mun.ca>
> Joel DeWitt <startrek-joel_at_email.msn.com>
> Neil Dyce <Neil.Dyce_at_bristol.ac.uk>
> Gwen Pettigrew <gwen_at_itg.cam.ac.uk>
> Bob Vickers <bobv_at_dcs.rhbnc.ac.uk>
> Joe Fletcher <joe_at_meng.ucl.ac.uk>
> John Files <jhf_at_dmu.ac.uk>
>
>
> Of these 10 people, 6 have received nothing. 2 received some of the
> notifications. 2 received all of them.
>
> Apparently, it isn't me :)
>
> Below are their responses:
>
> ---------------------------------------------------------
>
> >From arrigo_at_albourne.com Mon Sep 20 09:07:05 1999
> Date: Sun, 19 Sep 1999 18:54:29 +0100 (BST)
> From: Arrigo Triulzi <arrigo_at_albourne.com>
> To: Eric Gatenby <egatenby_at_mailhub.com>
> Subject: Re: Lack of security notifications
>
> Eric Gatenby scripsit:
> |Has anyone actually received a security advisory/patch
> notification from the
> |"dunix-patches" list for these patches?
> |
> | ssrt0614u_rpc_cmsd
> | ssrt0615u_dtaction
> | ssrt0617u_ttsession
> |
> |I have 2 accounts (one work, one home) subscribed to the
> dunix-patches list.
> |Neither of them have received anything. Is it me? Is it them?
>
> <AOL>Me too</AOL>. I knew about them from a recent CIAC notice about
> dtaction and I believe CDE vulnerabilities in general. I haven't
> installed them as my local DEC engineer isn't sure that the DU
> engineering group has authorised them - they seem to have close
> relatives in the 4.0F patch kit #1.
>
> Ciao,
>
> Arrigo
>
> --
> Arrigo Triulzi <arrigo_at_albourne.com> - Peripatetic Wizard
> Albourne Partners Ltd. - London, UK
> APL Financial Services (Overseas) Ltd. - Nicosia, Cyprus
> "Every day, thousands are coming back to BT... with baseball bats!"
>
> ---------------------------------------------------------
>
> >From wolinski_at_umaxp1.physics.lsa.umich.edu Mon Sep 20 09:07:14 1999
> Date: Sun, 19 Sep 1999 14:22:55 -0400 (EDT)
> From: Dave Wolinski <wolinski_at_umaxp1.physics.lsa.umich.edu>
> To: Eric Gatenby <egatenby_at_mailhub.com>
> Subject: Re: Lack of security notifications
>
> Hi,
> I have only heard of the tooltalk patch -- that was announced by
> CERT sometime last week.
>
> I think you bring up a good point. I have never understood how
> one is supposed to know when and what patches become officially available
> from Compaq. They just sort of appear there from time to time.
>
> If you learn anything about this, I'm sure other people (in
> addition to me) would appreciate hearing about it.
>
> Good luck, Dave
>
>
> --------------------------------------------------
> David Wolinski wolinski_at_umich.edu
> Department of Physics Phone: (734) 936-6648
> University of Michigan Fax: (734) 936-6753
>
>
> ---------------------------------------------------------
>
>
> >From pas_at_unh.edu Mon Sep 20 09:07:19 1999
> Date: Sun, 19 Sep 1999 14:28:10 -0400
> From: Paul A Sand <pas_at_unh.edu>
> To: Eric Gatenby <egatenby_at_mailhub.com>
> Subject: Re: Lack of security notifications
>
> Eric Gatenby (egatenby_at_mailhub.com) writes:
> >
> > Has anyone actually received a security advisory/patch
> notification from the
> > "dunix-patches" list for these patches?
> >
>
> Not me.
> I think I was subscribed to that list but I haven't received
> anything from it for quite awhile. (And for awhile, I was getting
> multiple messages for each patch.)
>
> --
> -- Paul A. Sand | Oh well. It's just life.
> -- University of New Hampshire | (Bart Simps... er... Oktay Ahiska)
> -- pas_at_unh.edu |
> -- http://pubpages.unh.edu/~pas |
>
> ---------------------------------------------------------
>
> >From kforward_at_morgan.ucs.mun.ca Mon Sep 20 09:07:26 1999
> Date: Sun, 19 Sep 1999 17:51:08 -0230 (NDT)
> From: Kenneth Forward <kforward_at_morgan.ucs.mun.ca>
> To: Eric Gatenby <egatenby_at_mailhub.com>
> Subject: Re: Lack of security notifications
>
> Eric,
>
> I received the following dunix-patches alerts on the following dates:
>
> Subject: SSRT0614U_RPC_CMSD Potential Security Problem When Using rpc.cmsd
> Date: Thu, 12 Aug 1999 16:30:19 -0600
>
> Subject: SSRTO615U_DTACTION Potential Security Problem when using dtaction
> Date: Mon, 23 Aug 1999 15:30:15 -0600
>
> Subject: SSRT0617U_TTSESSION Potential Security Problem when using
> Date: Fri, 10 Sep 1999 14:30:45 -0600
>
> > If it isn't me, then there is a major problem. One fixes a problem
> > for a remote root hack, something I would have liked to have found out
> > about from Compaq, rather than from a two day old Bugtraq message.
> > Another patch is for a local root hack....
>
> Whatever the platform, whatever the list, you're *always* gonna find out
> about it on BUGTRAQ first...
>
> Hang in there, KenF
> --
> Kenneth Forward,
> Technical Support Group
> Department of Computing and Communications
> Memorial University of Newfoundland
>
> ---------------------------------------------------------
>
> >From startrek-joel_at_email.msn.com Mon Sep 20 09:07:31 1999
> Date: Sun, 19 Sep 1999 18:33:05 -0500
> From: Joel DeWitt <startrek-joel_at_email.msn.com>
> To: Eric Gatenby <egatenby_at_mailhub.com>
> Subject: RE: Lack of security notifications
>
>
> I've gotten something on the "ssrt0617u_ttsession" patch, but
> that's it. I
> didn't know there was more...
>
> startrek-joel_at_email.msn.com
>
>
> ---------------------------------------------------------
>
> >From Neil.Dyce_at_bristol.ac.uk Mon Sep 20 09:07:39 1999
> Date: Mon, 20 Sep 1999 08:54:47 +0100 (BST)
> From: Neil Dyce <Neil.Dyce_at_bristol.ac.uk>
> To: Eric Gatenby <egatenby_at_mailhub.com>
> Subject: Re: Lack of security notifications
>
> On Sun, 19 Sep 1999, Eric Gatenby wrote:
>
> >
> > Has anyone actually received a security advisory/patch notification
> from the
> > "dunix-patches" list for these patches?
> >
> > ssrt0614u_rpc_cmsd
> > ssrt0615u_dtaction
> > ssrt0617u_ttsession
> >
> > I have 2 accounts (one work, one home) subscribed to the
> dunix-patches list.
> > Neither of them have received anything. Is it me? Is it them?
> >
>
> I got them fine, in particular the ttsession patch came a couple of days
> before the CERT advisory. Initially I had subscribed to the digest version
> of the list, but changed after not receiving anything from it for several
> weeks. Maybe the server will let you query it for your subscription
> details.
>
> Regards,
> Neil.
>
> ---------------------------------------------------------
>
> >From gwen_at_itg.cam.ac.uk Mon Sep 20 09:07:44 1999
> Date: Mon, 20 Sep 1999 09:40:55 +0100
> From: Gwen Pettigrew <gwen_at_itg.cam.ac.uk>
> To: Eric Gatenby <egatenby_at_mailhub.com>
> Subject: Re: Lack of security notifications
>
> Hi Eric,
> I didn't receive any notification from the dunix-patches list either. I
> learnt about these patches from the CERT mailing list.
> --
> Gwen Pettigrew
> Computer Officer
> Institute of Theoretical Geophysics
> Department of Earth Sciences
> Downing Street
> Cambridge
> CB2 3EQ
> UK
>
> Tel 01223 333464
>
> E-mail gwen_at_itg.cam.ac.uk
> W3 http://www.itg.cam.ac.uk/ITG/members/gwen/
>
> ---------------------------------------------------------
>
> >From bobv_at_dcs.rhbnc.ac.uk Mon Sep 20 09:07:48 1999
> Date: Mon, 20 Sep 1999 09:56:58 +0100 (BST)
> From: Bob Vickers <bobv_at_dcs.rhbnc.ac.uk>
> Reply-To: R.Vickers_at_dcs.rhbnc.ac.uk
> To: Eric Gatenby <egatenby_at_mailhub.com>
> Subject: Re: Lack of security notifications
>
> Hello Eric,
>
> I'm on the patches list but have heard nothing from it about these
> patches. In fact I don't think I've ever received anything useful from it
> at all!
>
> Compaq's behaviour has been particularly bad over the rpc.cmsd problem.
> There were CIAC and CERT announcements about this problem which failed to
> mention Compaq. Someone asked the TRU64 Managers' list what the status
> was, and quoted Compaq support as saying there were no known
> vulnerabilities in it.
>
> But much later I found the patch completely by chance when I was
> downloading other patches. As far as I know it has never been announced at
> all!
>
> Compaq is obsessively secretive about security. It is often completely
> impossible to discover from them whether a particular OS release is
> vulnerable to a problem; even their support staff are kept in the dark.
> And when a jumbo patch kit is released it is very hard to find out which
> security patches you have to reinstall.
>
> Bob
>
> On Sun, 19 Sep 1999, Eric Gatenby wrote:
>
> >
> > Has anyone actually received a security advisory/patch
> notification from the
> > "dunix-patches" list for these patches?
> >
> > ssrt0614u_rpc_cmsd
> > ssrt0615u_dtaction
> > ssrt0617u_ttsession
> >
> > I have 2 accounts (one work, one home) subscribed to the
> dunix-patches list.
> > Neither of them have received anything. Is it me? Is it them?
> >
> > If it isn't me, then there is a major problem. One fixes a problem
> > for a remote root hack, something I would have liked to have found out
> > about from Compaq, rather than from a two day old Bugtraq message.
> > Another patch is for a local root hack....
> >
>
> ==============================================================
> Bob Vickers R.Vickers_at_dcs.rhbnc.ac.uk
> Dept of Computer Science, Royal Holloway, University of London
> WWW: http://www.cs.rhbnc.ac.uk/home/bobv
> Phone: +44 1784 443691
>
>
> ---------------------------------------------------------
>
> >From joe_at_meng.ucl.ac.uk Mon Sep 20 09:07:52 1999
> Date: Mon, 20 Sep 1999 11:43:42 GMT0
> From: Joe Fletcher <joe_at_meng.ucl.ac.uk>
> To: egatenby_at_mailhub.com
> Subject: RE: Lack of security notifications
>
> Hi,
>
> > Has anyone actually received a security advisory/patch
> notification from the
> > "dunix-patches" list for these patches?
> >
> > ssrt0614u_rpc_cmsd
> > ssrt0615u_dtaction
> > ssrt0617u_ttsession
> >
> > I have 2 accounts (one work, one home) subscribed to the
> dunix-patches list.
> > Neither of them have received anything. Is it me? Is it them?
> >
> > If it isn't me, then there is a major problem. One fixes a problem
> > for a remote root hack, something I would have liked to have found out
> > about from Compaq, rather than from a two day old Bugtraq message.
> > Another patch is for a local root hack....
>
> It's not you. I'm on the dunix and VMS patch lists and they've been silent
> for a while now.
>
> Joe
>
> ---------------------------------------------------------
>
> >From jhf_at_dmu.ac.uk Mon Sep 20 09:07:57 1999
> Date: Mon, 20 Sep 1999 12:25:41 +0100 (BST)
> From: John Files <jhf_at_dmu.ac.uk>
> To: egatenby_at_mailhub.com
> Subject: Re: Lack of security notifications
>
> I also subscribe to the patches list but received no
> notifications.
> Regards
> John
>
> ---------------------------------------------------------------------
> John Files Senior Systems Engineer (UNIX Group)
> Faculty of Computing Sciences
> and Engineering Tel: 0116-2551551 ext 8475
> De Montfort University Fax: 0116-254 1891
> The Gateway e-mail: jhf_at_dmu.ac.uk
> Leicester LE1 9BH
> England
> ---------------------------------------------------------------------
>
Received on Mon Sep 20 1999 - 14:57:11 NZST

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:39 NZDT