Dear All,
I received a bunch of classically uninformative security announcements
from Compaq this morning about security vulnerabilities reported in
SSRT1-41U, SSRT0742U, and SSRT0759U. My situation is that our Tru64
servers are running just fine; they never crash and very rarely provide
any kind of administrative headache. So I am reluctant to upgrade; it
creates work for me, disruption for our users, and there is always the
danger that something will stop working. In fact the Compaq announcement
includes the paragraph:

    This ECO has not been through an exhaustive field test process.
    Due to the experimental stage of this ECO/workaround, Compaq
    makes no representations regarding its use or performance. The
    customer shall have the sole responsibility for adequate protection
    and back-up data used in conjunction with this ECO/workaround.

But if the only way of fixing a security problem is to upgrade then I
will. What I need is information to know whether an upgrade is the best
solution; often security problems can be solved simply by disabling
some unneeded software.
So here are some questions that should have been answered in the
announcement but were not; if anyone has answers I will summarise:
(1) Which systems are vulnerable, in particular is 4.0G PK2 vulnerable?
(2) Is there a simple way to check whether my system is vulnerable?
(3) Is this a problem that has been discussed publicly or is it one that
Compaq have discovered internally?
(4) If it has been discussed publicly where can I find further information
(e.g. CERT announcements)?
(5) Is there a workaround that does not require an upgrade?
There was a time when all software suppliers took this 'Nanny knows best'
attitude towards security, but nowadays nearly all seem to have come round
to the view that it does not do administrators any favours.
Bob
==============================================================
Bob Vickers R.Vickers_at_cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
Received on Tue Jan 29 2002 - 11:12:17 NZDT