[comp.os.vms] VAX PSI Security Posting

gih900@fac3.anu.oz (GEOFF HUSTON) (05/12/88)

I followed the recent debate in this newsgroup on VMS Security issues, and have
some sympathy with the Digital line that they wish to issue security patches
without explaining precisely what is being fixed, and ensure as far as possible
that the patch only reaches system managers of VMS systems. 

However there is an equally valid argument to inform as many system managers as
quickly as possible when supplied software has security problems. 

Accordingly I am posting this message (verbatim as I received it) to the net,
and have included the relevant headers to indicate the original source of the
message. I HAVE NOT CONFIRMED WITH DIGITAL THAT THIS IS AN "OFFICIAL" PATCH. If
you are unsure whether to apply the measures suggested here, then perhaps you
may wish to follow up with your local Digital software support. 

----------------------------------------------------------------------------
 Via:  UK.AC.RUTHERFORD.VAX-E ;  Wed, 27 Apr 88 12:36 BST
            (V39 at UK.AC.RUTHERFORD.GEC-B)
 Date: Wed, 27 APR 88 12:36:11 GMT
 From: SUPPORT@UK.AC.RL.VE
 To:	  VMS-COMMS@UK.AC.RL.GB
 Subject: Security!!!!!

 *********************************************************************
 *******                                                    **********
 *******          IMPORTANT SECURITY MESSAGE                **********
 *******                                                    **********
 *********************************************************************

 To VAX/VMS Managers,

 I have been contacted by DEC and asked to forward this information to you.
 There is a security loophole in the current VMS system (as discussed at the
 last SERC VAX/VMS User Group). In order to overcome this problem please
 deinstall the NETTRACE image on your system and remove the command procedure
 SYS$MANAGER:NETTRACE_INSTALL.COM. (This will prevent the image being
 reinstalled at the next reboot and will not affect the running of PSI at all.)
 To do this:

 $ INSTALL == "$SYS$SYSTEM:INSTALL/COMMAND_MODE"
 $ INSTALL REMOVE SYS$SYSTEM:NETTRACE
 $ RENAME SYS$MANAGER:NETTRACE_INSTALL.COM;* SYS$MANAGER:NETTRACE_NOINSTALL.COM

 All users on the system will still have access to PSI TRACE but due to the
 fact that the image is no longer installed with privileges certain operations 
 will not be accessible to non privileged users.

 PLEASE DO THIS NOW WHATEVER VERSION OF PSI YOU HAPPEN TO BE RUNNING.

 Regards
 Sue Weston

 P.S. This message is being sent to a number of mailing lists, apologies if
     you receive it more than once.

----------------------------------------------------------------------

-- 
Geoff Huston    Computer Services Centre, Australian National University
                GPO Box 4, Canberra, ACT 2601 AUSTRALIA

ACSnet,CSNET:	gih900@fac3.anu.oz    INTERNET: gih900%fac3.anu.oz@uunet.uu.net
UUCP: {uunet,ubc-cs,nttlab,mcvax,ukc}!munnari!fac3.anu.oz!gih900
PSI_MAIL:  PSI%505262440032::gih9