dawson@apollo.HP.COM (Keith Dawson) (08/09/89)
In a recent posting Peter Lipp [plipp@tugiig.uucp] details a
> Possible Security Problem with DOMAIN-OS and the Display-Manager
This security problem has been fixed in SR10.2. Patches have been
generated for earlier releases:
SR9.7 -- patch # 184 on the June 1989 patch tape
SR10.1 -- patch # m0048 on the August 1989 tape
These patches can be applied to /lib/streams on any version of SR9.7
and SR10.1, including the versions that support Domain/X11. Please
see your local support office to obtain copies of these patch tapes.
We regret the broad dissemination of detailed instructions for exploiting
a security hole.
____________________________________________________________
Keith Dawson Section Manager, Window Systems Group
Hewlett Packard Co. 508-256-0176 x5739
Graphics Technology Division / East
300 Apollo Dr. (CHR.03.DE)
Chelmsford, MA 01824 USA
Internet: dawson@apollo.hp.com
UUCP: {mit-eddie,yale,uw-beaver}!apollo!dawson
jim@eda.com (Jim Budler) (08/09/89)
dawson@apollo.HP.COM (Keith Dawson) writes: >This security problem has been fixed in SR10.2. Patches have been >generated for earlier releases: > SR9.7 -- patch # 184 on the June 1989 patch tape > SR10.1 -- patch # m0048 on the August 1989 tape >We regret the broad dissemination of detailed instructions for exploiting >a security hole. >____________________________________________________________ >Keith Dawson Section Manager, Window Systems Group > Hewlett Packard Co. 508-256-0176 x5739 > Graphics Technology Division / East We regret that it took such a blunt step to cause Apollo to bother to tell us that the hole exists, and has fixes. From Sun Microsystems? Every quarter, a thick book arrives in the mail, detailing bug reports. Every month, a book arrives in the mail, containing interesting Technical details. I forget which usually contains notices of patches, perhaps both. From Apollo? Every month, an invoice arrives. (Well, not any more 8^) ================ I fully agree with the posting of the bug. Look, INSTANT action. Explicit mention of compatibility of /lib/streams. High awareness in community of seriousness of bug. Report it to software support. You get told about the patch. Don't notice the problem. Remain ignorant. Post a note to Usenet less explicitely saying there is a bug. Response from Apollo may list patches, but people may not realize how serious it is, no matter how serious the poster says it is. Result: Hacker decides to explore area in question, finds hole, most people do not install patches, perhaps because of the confusion caused by the fact that almost everything Apollo fixes involves /lib/streams. The party line answer will be "what about all the people not on software support or Usenet" Apollo needs to solve that problem, not hide the facts from the rest of us.-- Jim Budler address = uucp: ...!{decwrl,uunet}!eda!jim domain: jim@eda.com voice = +1 408 986-9585 fax = +1 408 748-1032
collins@nvpna1.prl.philips.nl (Donal O Coileain) (08/10/89)
In article <511@eda.com> jim@eda.com (Jim Budler) writes: >From Apollo? > > Every month, an invoice arrives. (Well, not any more 8^) Apollo produces a patch tape every month. In the 9.7 patch tape for JUNE 89 months before this discussion was started I read : "Patch 184 APR DCB34 : A security hole existed in the pad_$dm_cmd .......................... Now if the two user_ids are not equal, the command is disallowed and the following error status is returned: 'operation is illegal when no display is attached'" You cannot blame Apollo because you don't read the release notes or understand the bugs/fixes. >I fully agree with the posting of the bug. Look, INSTANT action. >Explicit mention of compatibility of /lib/streams. High awareness >in community of seriousness of bug. I see no problem in posting the problem, however I feel that it is not necessary to post the source code as well. Donal O Coileain. collins@apolloway.prl.philips.nl or collins%nvpna1.prl.philips.nl@uunet.uu.nl -- And out of the gloom a voice said, 'Smile and be happy for things could be a lot worse'. So I smiled and was happy and behold, things got worse --
kts@quintro.uucp (Kenneth T. Smelcer) (08/11/89)
In article <511@eda.com> jim@eda.com (Jim Budler) writes: > >We regret that it took such a blunt step to cause Apollo to bother to >tell us that the hole exists, and has fixes. > >From Sun Microsystems? > > Every quarter, a thick book arrives in the mail, detailing >bug reports. > > Every month, a book arrives in the mail, containing >interesting Technical details. > Mentor Graphics does the same thing for its Apollo customers. Every month we get a book with technical tips for Sys Admins, followed by a list of current bugs, work-arounds, and bug fixes for their entire product line. It would be great if Apollo would do something like this. It would save them money in fewer calls to the Hotline, and it would enhance their image (I tend to get real ticked off when I spend 2-3 days trying to fix something that Apollo already knows doesn't work.) Who knows, maybe with HP taking control, Apollo will show more interest in taking care of their current customer base, as well as trying to open new markets. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Ken Smelcer Quintron Corp. quintro!kts@lll-winken Quincy, IL tiamat!quintro!kts@uunet
jwright@atanasoff.cs.iastate.edu (Jim Wright) (08/11/89)
In article <641@prles2.UUCP> collins@nvpna1.UUCP (Donal O Coileain) writes: | | Apollo produces a patch tape every month. | | You cannot blame Apollo because you don't read the release notes or | understand the bugs/fixes. I don't happen to have the clout of Phillips Research Labs. I don't get a patch tape every month, or even an announcement. In fact, this is the first I've heard of it. But enough whining. I'd like to offer some constructive help. The last time the patch issue was raised, there were some noises about the University of Iowa setting up an anonymous ftp site which archived all the patches. Apparently it has died; I haven't heard a peep out of them since. As part of the anti-viral archives, in conjunction with comp.virus/VIRUS-L, we are setting up a site for Unix systems. To start this, we already have bug fixes for Sun, Pyramid and DEC. We would be pleased to make the Apollo patches available too. If someone from Apollo could respond here, contact me, or give me a lead as to who to contact at Apollo, I would appreciate it. Also, opinions from the net as to whether this is good or bad would be helpful. Perhaps if enough interest is shown, it will happen. I know that anonymous ftp is not available to everyone. But as it stands now, you apparently have to be a mega-corporation with an inside track to Apollo to get access to bug fixes. (My perception; am I wrong?) -- Jim Wright jwright@atanasoff.cs.iastate.edu
dente@els.uucp (Colin Dente) (08/11/89)
In article <44e9d7d4.c4b0@apollo.HP.COM> dawson@apollo.HP.COM (Keith Dawson) writes: >In a recent posting Peter Lipp [plipp@tugiig.uucp] details a > > Possible Security Problem with DOMAIN-OS and the Display-Manager >[Gives patch numbers for 9.7 and 10.1] >These patches can be applied to /lib/streams on any version of SR9.7 >and SR10.1, including the versions that support Domain/X11. Please ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Well, I 'phoned my local support office, and they told me that the release notes for the 9.7 patch (they haven't got the 10.1 patch yet) state that it should *not* be applied if you are running Domain/X11. Naturally, I was a bit miffed at this - so I 'phoned Keith to see what he had to say. He seemed to think that the patch was, infact, more than one patch in one bundle, and if I applied just the /lib/streams part, I'd be okay. Anyway, I'm waiting for a floppy to land on my doormat with the patch on it, and when it does, I'll try it and let you know. Just thought I'd try to clear the confusion in the meantime. >We regret the broad dissemination of detailed instructions for exploiting >a security hole. So do I...... |-( Colin =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= | Colin Dente | JANET: dente@uk.ac.man.ee.els | | Dept. of Electrical Engineering | ARPA: dente@els.ee.man.ac.uk | | University of Manchester | UUCP: ...!mcvax!ukc!man.ee.els!dente | | England | These might work now, but then again... | |-----------------------------------------------------------------------------| =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
jim@eda.com (Jim Budler) (08/15/89)
collins@nvpna1.prl.philips.nl (Donal O Coileain) writes: >In article <511@eda.com> jim@eda.com (Jim Budler) writes: >>From Apollo? >> >> Every month, an invoice arrives. (Well, not any more 8^) >Apollo produces a patch tape every month. In the 9.7 patch tape for JUNE 89 >months before this discussion was started I read : > "Patch 184 APR DCB34 : A security hole existed in the pad_$dm_cmd > .......................... > Now if the two user_ids are not equal, the command is disallowed and > the following error status is returned: > 'operation is illegal when no display is attached'" >You cannot blame Apollo because you don't read the release notes or >understand the bugs/fixes. Wanta bet? In two years of paying Apollo for support I did not receive ONE patch tape that I didn't have to ask about myself. I can't read the release notes if I don't get them. I call in a bug and get told "fixed in the XXXX patch tape", and that is frequently months old, as you mention. It doesn't do me any good to have Apollo produce a monthly patch tape if they never inform me of it's existance. You didn't read my posting very well or you would have realized that. You even quoted my statement that the only monthly mailings I got from Apollo were bills. >Donal O Coileain. collins@apolloway.prl.philips.nl or > collins%nvpna1.prl.philips.nl@uunet.uu.nl >-- And out of the gloom a voice said, 'Smile and be happy for things could > be a lot worse'. So I smiled and was happy and behold, things got worse -- jim -- Jim Budler address = uucp: ...!{decwrl,uunet}!eda!jim domain: jim@eda.com voice = +1 408 986-9585 fax = +1 408 748-1032