bonnetf@apo.esiee.fr (bonnet-franck) (08/22/90)
I've heard about a BIG security hole in 10.2 !!

We have some machines running 10.2 and a lot running 10.1.
Could someone tell me more about that new security problem ?

Help would be VERY appreciated because the software support of HP/APOLLO
France and NOTHING is the same, especially for security problems
( Problems ? what ? ).

I agree with the one who said that OBSCURITY IS NOT SECURITY
( === O.I.N.S === , nice isn't it ? )

I've NEVER received a list of security patches and what they are
supposed to correct !!! In fact I've never received one patch ...
I suppose that we are lucky Frenchmen who received the perfect version
of DOMAIN_OS without any bug !

In the good old time ( before HP ) we had here good guys at APOLLO France,
they KNEW the Operating System. But now ALL of them are gone to other
companies everywhere. It is a real disaster, nobody seriously knows
DOMAIN_OS at HP France. They want to kill APOLLO maybe.

-------------------------------------------------------------------------------
| bonnetf@apo.esiee.fr                       |                                |
| Frank Bonnet                               | Surfing ...                    |
| E.S.I.E.E                                  |                                |
| BP99 93162 Noisy le Grand cedex. FRANCE.   | the rest is details !          |
| Fax : 33 1 45 92 66 99                     |                                |
-------------------------------------------------------------------------------
wjw@eba.eb.ele.tue.nl (Willem Jan Withagen) (08/23/90)
In article <9008221551.AA02021@apo.esiee.fr> bonnetf@apo.esiee.fr (bonnet-franck) writes:
>I've heard about a BIG security hole in 10.2 !!

Yup there is. It takes a few hours to find it, but it's there.
                             ^^^^ or days if you know little of Apollos

>
>We have some machines running 10.2 and a lot running 10.1.
>Could someone tell me more about that new security problem ?

Well that's a problem: even my local Dutch sales rep does not want to give
me all the nice and juicy details. He says that they are not allowed to do
so??????? ( And maybe we're not supposed to know.)

As far as I can tell, the bug is not going to be fixed since all sorts of
programs need to be fixed also. The claim is that OS10.3 is going to solve
everything! You should at least get a replacement for 'tar' and remove the
/etc/suid_exec program from all stations.

>
>I agree with the one who said that OBSCURITY IS NOT SECURITY
> ( === O.I.N.S === , nice isn't it ? )
>
>I've NEVER received a list of security patches and what they are
>supposed to correct !!!
>

You could retrieve a patch-list with anon-ftp from eba.eb.ele.tue.nl in
/pub/apollo. I try to take care that there is no info on security in this
list, so that's of little use for this one specifically. But what there is
boils down to the above.

Have you already signed up for the open letter?

Regards,
Willem Jan Withagen.

Eindhoven University of Technology      DomainName: wjw@eb.ele.tue.nl
Digital Systems Group, Room EH 10.10    BITNET:     ELEBWJ@HEITUE5.BITNET
P.O. 513                                Tel:        +31-40-473401
5600 MB Eindhoven
The Netherlands
pha@CAEN.ENGIN.UMICH.EDU (Paul H. Anderson) (08/31/90)
>In article <9008221551.AA02021@apo.esiee.fr> bonnetf@apo.esiee.fr (bonnet-franck) writes:
>>I've heard about a BIG security hole in 10.2 !!
>
>Yup there is. It takes a few hours to find it, but it's there.
>                             ^^^^ or days if you know little of Apollos
>
>>
>>We have some machines running 10.2 and a lot running 10.1.
>>Could someone tell me more about that new security problem ?
>
>Well that's a problem: even my local Dutch sales rep does not want to give
>me all the nice and juicy details. He says that they are not allowed to do
>so??????? ( And maybe we're not supposed to know.)
>
>As far as I can tell, the bug is not going to be fixed since all sorts of
>programs need to be fixed also. The claim is that OS10.3 is going to solve
>everything!

Without going into too much detail, let me say that I know Apollo is working
very hard on the problem. I have heard from reliable sources that 10.2 will
have a patch soon, and that a patch for 10.3 will follow. 10.3 has to ship
as is, because it is required to support the series 9000/400 machines.

I'm hoping to do testing of the patch with our software here on site (maybe
30 major packages or so), so I hope to get a good feeling for how well the
patch works. I expect that it will break some packages, so everyone on the
internet is going to have to make a tough decision as to whether or not they
will apply the patch, or take their chances.

Keep in mind that the security hole is only present once someone logs into
the Apollo. If the person can't get in, they can't exploit the hole.
Therefore, Apollos that are in secure locations are quite safe, provided any
access is controlled via physical security or via well chosen passwords.

The juicy details of the problem itself are fairly mind boggling. Don't get
me wrong - I'm glad they're fixing it, but for them to have put capability
like that in the system deliberately completely defies reason.

I posted this to explain 1) that Apollo is doing something, 2) that the fix
will break other applications, 3) the bug is nasty, 4) that progress is
probably being made, and 5) that I'm sick and tired of design decisions that
rely on security by obscurity.

Paul Anderson
CAEN
University of Michigan