Bugtraq mailing list archives
Re: Multiple vulnerabilities in CDE
From: nickc () STAFFNET COM (Nick_)
Date: Sun, 17 Oct 1999 12:57:57 -0500
Searching the archives, I've not seen any reply to this, have these questions been answered yet? In regards to Sun, is there a patch in the works, and if not how have other vendors fixed the problem?

-Nick

Date sent: Tue, 14 Sep 1999 18:53:23 -0400
Send reply to: Dan Astoorian <djast () PPP12 UTOPIA CSAS COM>
From: Dan Astoorian <djast () PPP12 UTOPIA CSAS COM>
Subject: Re: Multiple vulnerabilities in CDE
Originally to: BUGTRAQ () SECURITYFOCUS COM
To: BUGTRAQ () SECURITYFOCUS COM

On Mon, 13 Sep 1999 23:46:53 EDT, "Troy A. Bollinger" writes:

> Here's the CERT advisory that was released today. Of course, it's also
> available at www.cert.org.

[...]

> Sun Microsystems, Inc.
>
> Vulnerability #1:
>
> Systems running Solaris 7, 2.6, 2.5.1, 2.5, 2.4, and 2.3, and SunOS
> 4.1.4 and 4.1.3_U1 are vulnerable if the UNIX authentication mechanism
> (default) is used with ttsession.
>
> The use of DES authentication is recommended to resolve this issue. To
> set the authentication mechanism to DES, use the

[...]

The way they've worded this very much makes it sound as though patches are not forthcoming.

Is this a design flaw, or an oversight in the implementation? If the former, why is it that other vendors (e.g. IBM) are releasing patches claiming to fix the problem? And, if the latter, is Sun *really* saying "instead of fixing the problem, we're going to tell all of our customers to use DES authentication, and if they can't or won't, then to hell with them"?

(Anyone know any decent references for setting up Secure RPC under Solaris, particularly if NIS or NIS+ is not in use?)

--
People shouldn't think that it's better to have    Dan Astoorian
loved and lost than never loved at all. It's       http://www.utopia.csas.com
not, it's better to have loved and won. All        djast () utopia csas com
the other options really suck. --Dan Redican

--
Nicholas Crawford <nick () null net> / ICQ: 2555860 / Nick_ers@UnderNet IRC
4096/1024 Diffie-Hellman/DSS PGP key ID: 0x738C4DB4
fingerprint: 54DF 09EC D2A0 0942 2A4C 3CDD 3438 FF7B 738C 4DB4
PGP keys via key server or http://paranoid.wolfspirit.org/~crawf/pgpkeys/