Path: utzoo!utgpu!watmath!att!tut.cis.ohio-state.edu!ucbvax!decwrl!eda!jim
From: jim@eda.com (Jim Budler)
Newsgroups: comp.sys.apollo
Subject: Re: security hole
Message-ID: <511@eda.com>
Date: 9 Aug 89 16:41:23 GMT
References: <44e9d7d4.c4b0@apollo.HP.COM>
Organization: EDA Systems, Inc. Santa Clara, CA
Lines: 61

dawson@apollo.HP.COM (Keith Dawson) writes:

>This security problem has been fixed in SR10.2. Patches have been 
>generated for earlier releases:

>  SR9.7 -- patch # 184 on the June 1989 patch tape

>  SR10.1 -- patch # m0048 on the August 1989 tape

>We regret the broad dissemination of detailed instructions for exploiting
>a security hole.
>____________________________________________________________  
>Keith Dawson  Section Manager, Window Systems Group
>              Hewlett Packard Co.         508-256-0176 x5739  
>              Graphics Technology Division / East  


We regret that it took such a blunt step to cause Apollo to bother to
tell us that the hole exists, and has fixes.

From Sun Microsystems?

	Every quarter, a thick book arrives in the mail, detailing
bug reports.

	Every month, a book arrives in the mail, containing
interesting Technical details.

	I forget which usually contains notices of patches, perhaps
both.

From Apollo?

	Every month, an invoice arrives. (Well, not any more 8^)

================

I fully agree with the posting of the bug. Look, INSTANT action.
Explicit mention of compatibility of /lib/streams. High awareness
in community of seriousness of bug.

Report it to software support. You get told about the patch.

Don't notice the problem. Remain ignorant.

Post a note to Usenet less explicitly saying there is a bug. Response
from Apollo may list patches, but people may not realize how serious
it is, no matter how serious the poster says it is. Result: Hacker
decides to explore area in question, finds hole, most people do not
install patches, perhaps because of the confusion caused by the fact
that almost everything Apollo fixes involves /lib/streams.

The party line answer will be "what about all the people not on
software support or Usenet"

Apollo needs to solve that problem, not hide the facts from the rest
of us.
-- 
Jim Budler   address = uucp:   ...!{decwrl,uunet}!eda!jim
                       domain: jim@eda.com
             voice   = +1 408 986-9585
             fax     = +1 408 748-1032