gih900@fac3.anu.oz (GEOFF HUSTON) (05/12/88)
I followed the recent debate in this newsgroup on VMS Security issues, and have some sympathy with the Digital line that they wish to issue security patches without explaining precisely what is being fixed, and ensure as far as possible that the patch only reaches system managers of VMS systems. However, there is an equally valid argument to inform as many system managers as quickly as possible when supplied software has security problems.

Accordingly I am posting this message (verbatim as I received it) to the net, and have included the relevant headers to indicate the original source of the message.

I HAVE NOT CONFIRMED WITH DIGITAL THAT THIS IS AN "OFFICIAL" PATCH. If you are unsure whether to apply the measures suggested here, then perhaps you may wish to follow up with your local Digital software support.

----------------------------------------------------------------------------
Via: UK.AC.RUTHERFORD.VAX-E ; Wed, 27 Apr 88 12:36 BST (V39 at UK.AC.RUTHERFORD.GEC-B)
Date: Wed, 27 APR 88 12:36:11 GMT
From: SUPPORT@UK.AC.RL.VE
To: VMS-COMMS@UK.AC.RL.GB
Subject: Security!!!!!

*********************************************************************
*******                                                    **********
*******            IMPORTANT SECURITY MESSAGE              **********
*******                                                    **********
*********************************************************************

To VAX/VMS Managers,

I have been contacted by DEC and asked to forward this information to you.

There is a security loophole in the current VMS system (as discussed at the last SERC VAX/VMS User Group). In order to overcome this problem please deinstall the NETTRACE image on your system and remove the command procedure SYS$MANAGER:NETTRACE_INSTALL.COM. (This will prevent the image being reinstalled at the next reboot and will not affect the running of PSI at all.)

To do this:

    $ INSTALL == "$SYS$SYSTEM:INSTALL/COMMAND_MODE"
    $ INSTALL REMOVE SYS$SYSTEM:NETTRACE
    $ RENAME SYS$MANAGER:NETTRACE_INSTALL.COM;* SYS$MANAGER:NETTRACE_NOINSTALL.COM

All users on the system will still have access to PSI TRACE but due to the fact that the image is no longer installed with privileges certain operations will not be accessible to non-privileged users.

PLEASE DO THIS NOW WHATEVER VERSION OF PSI YOU HAPPEN TO BE RUNNING.

Regards
Sue Weston

P.S. This message is being sent to a number of mailing lists, apologies if you receive it more than once.
----------------------------------------------------------------------
--
Geoff Huston
Computer Services Centre, Australian National University
GPO Box 4, Canberra, ACT 2601 AUSTRALIA
ACSnet,CSNET: gih900@fac3.anu.oz
INTERNET: gih900%fac3.anu.oz@uunet.uu.net
UUCP: {uunet,ubc-cs,nttlab,mcvax,ukc}!munnari!fac3.anu.oz!gih900
PSI_MAIL: PSI%505262440032::gih9