Re: Multiple vulnerabilities in CDE

From: Nick_ (nickcat_private)
Date: Sun Oct 17 1999 - 10:57:57 PDT

Next message: Aleph One: "Microsoft Security Bulletin (MS99-043)"

Previous message: securityat_private: "Re: execve bug linux-2.2.12"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Searching the achives, I've not seen any reply to this, have these
questions been answered yet?  In regards to Sun, is there a patch
in the works, and if not how have other vendors fixed the problem?

-Nick

Date sent:      	Tue, 14 Sep 1999 18:53:23 -0400
Send reply to:  	Dan Astoorian <djastat_private>
From:           	Dan Astoorian <djastat_private>
Subject:        	Re: Multiple vulnerabilities in CDE
Originally to:  	BUGTRAQat_private
To:             	BUGTRAQat_private

> On Mon, 13 Sep 1999 23:46:53 EDT, "Troy A. Bollinger" writes:
> >
> > Here's the CERT advisory that was released today.  Of course, it's also
> > available at www.cert.org.
> >
> [...]
> >    Sun Microsystems, Inc.
> >
> >    Vulnerability #1:
> >
> >           Systems running Solaris 7, 2.6, 2.5.1, 2.5, 2.4, and 2.3, and
> >           SunOS 4.1.4 and 4.1.3_U1 are vulnerable if the UNIX
> >           authentication mechanism (default) is used with ttsession.
> >
> >           The use of DES authentication is recommended to resolve this
> >           issue. To set the authentication mechanism to DES, use the
> [...]
>
> The way they've worded this very much makes it sound as though patches
> are not forthcoming.
>
> Is this a design flaw, or an oversight in the implementation?
>
> If the former, why is it that other vendors (e.g. IBM) are releasing
> patches claiming to fix the problem?  And, if the latter, is Sun
> *really* saying "instead of fixing the problem, we're going to tell all
> of our customers to use DES authentication, and if they can't or won't,
> then to hell with them"?
>
> (Anyone know any decent references for setting up Secure RPC under
> Solaris, particularly if NIS or NIS+ is not in use?)
>
> --                          People shouldn't think that it's better to have
> Dan Astoorian               loved and lost than never loved at all.  It's
> http://www.utopia.csas.com  not, it's better to have loved and won.  All
> djastat_private       the other options really suck.    --Dan Redican
>


--
Nicholas Crawford <nickat_private> / ICQ: 2555860 / Nick_ers@UnderNet IRC
4096/1024 Diffie-Hellman/DSS PGP key ID: 0x738C4DB4 fingerprint:
     54DF 09EC D2A0 0942 2A4C  3CDD 3438 FF7B 738C 4DB4
PGP keys via key server or http://paranoid.wolfspirit.org/~crawf/pgpkeys/

Next message: Aleph One: "Microsoft Security Bulletin (MS99-043)"
Previous message: securityat_private: "Re: execve bug linux-2.2.12"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:07:49 PDT