Searching the archives, I've not seen any reply to this; have these questions been answered yet? In regards to Sun, is there a patch in the works, and if not, how have other vendors fixed the problem?

-Nick

Date sent:      Tue, 14 Sep 1999 18:53:23 -0400
Send reply to:  Dan Astoorian <djastat_private>
From:           Dan Astoorian <djastat_private>
Subject:        Re: Multiple vulnerabilities in CDE
Originally to:  BUGTRAQat_private
To:             BUGTRAQat_private

> On Mon, 13 Sep 1999 23:46:53 EDT, "Troy A. Bollinger" writes:
> >
> > Here's the CERT advisory that was released today. Of course, it's also
> > available at www.cert.org.
> >
> [...]
> > Sun Microsystems, Inc.
> >
> > Vulnerability #1:
> >
> > Systems running Solaris 7, 2.6, 2.5.1, 2.5, 2.4, and 2.3, and
> > SunOS 4.1.4 and 4.1.3_U1 are vulnerable if the UNIX
> > authentication mechanism (default) is used with ttsession.
> >
> > The use of DES authentication is recommended to resolve this
> > issue. To set the authentication mechanism to DES, use the
> [...]
>
> The way they've worded this very much makes it sound as though patches
> are not forthcoming.
>
> Is this a design flaw, or an oversight in the implementation?
>
> If the former, why is it that other vendors (e.g. IBM) are releasing
> patches claiming to fix the problem? And, if the latter, is Sun
> *really* saying "instead of fixing the problem, we're going to tell all
> of our customers to use DES authentication, and if they can't or won't,
> then to hell with them"?
>
> (Anyone know any decent references for setting up Secure RPC under
> Solaris, particularly if NIS or NIS+ is not in use?)
>
> --
> Dan Astoorian              People shouldn't think that it's better to have
> http://www.utopia.csas.com loved and lost than never loved at all. It's
> djastat_private            not, it's better to have loved and won. All
>                            the other options really suck.
>                                                              --Dan Redican

--
Nicholas Crawford <nickat_private> / ICQ: 2555860 / Nick_ers@UnderNet IRC
4096/1024 Diffie-Hellman/DSS PGP key ID: 0x738C4DB4
fingerprint: 54DF 09EC D2A0 0942 2A4C 3CDD 3438 FF7B 738C 4DB4
PGP keys via key server or http://paranoid.wolfspirit.org/~crawf/pgpkeys/
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:07:49 PDT