Path: utzoo!utgpu!watmath!att!tut.cis.ohio-state.edu!ucbvax!decwrl!eda!jim
From: jim@eda.com (Jim Budler)
Newsgroups: comp.sys.apollo
Subject: Re: security hole
Message-ID: <511@eda.com>
Date: 9 Aug 89 16:41:23 GMT
References: <44e9d7d4.c4b0@apollo.HP.COM>
Organization: EDA Systems, Inc. Santa Clara, CA
Lines: 61

dawson@apollo.HP.COM (Keith Dawson) writes:

>This security problem has been fixed in SR10.2. Patches have been
>generated for earlier releases:
>    SR9.7  -- patch # 184 on the June 1989 patch tape
>    SR10.1 -- patch # m0048 on the August 1989 tape
>We regret the broad dissemination of detailed instructions for exploiting
>a security hole.
>____________________________________________________________
>Keith Dawson     Section Manager, Window Systems Group
>                 Hewlett Packard Co.  508-256-0176 x5739
>                 Graphics Technology Division / East

We regret that it took such a blunt step to cause Apollo to bother to
tell us that the hole exists, and has fixes.

From Sun Microsystems?

Every quarter, a thick book arrives in the mail, detailing bug reports.
Every month, a book arrives in the mail, containing interesting technical
details. I forget which usually contains notices of patches, perhaps both.

From Apollo?

Every month, an invoice arrives. (Well, not any more 8^)

================

I fully agree with the posting of the bug.

Look, INSTANT action. Explicit mention of compatibility of /lib/streams.
High awareness in community of seriousness of bug.

Report it to software support. You get told about the patch.

Don't notice the problem. Remain ignorant.

Post a note to Usenet less explicitly saying there is a bug. Response
from Apollo may list patches, but people may not realize how serious it
is, no matter how serious the poster says it is.

Result: Hacker decides to explore area in question, finds hole, most
people do not install patches, perhaps because of the confusion caused
by the fact that almost everything Apollo fixes involves /lib/streams.

The party line answer will be "what about all the people not on software
support or Usenet". Apollo needs to solve that problem, not hide the
facts from the rest of us.
--
Jim Budler
address = uucp: ...!{decwrl,uunet}!eda!jim   domain: jim@eda.com
voice   = +1 408 986-9585   fax = +1 408 748-1032