Bugtraq mailing list archives
Re: Multiple vulnerabilities in CDE
From: djast () PPP12 UTOPIA CSAS COM (Dan Astoorian)
Date: Tue, 14 Sep 1999 18:53:23 -0400
On Mon, 13 Sep 1999 23:46:53 EDT, "Troy A. Bollinger" writes:

> Here's the CERT advisory that was released today. Of course, it's also
> available at www.cert.org.
>
> [...]
>
> Sun Microsystems, Inc.
>
> Vulnerability #1:
>
> Systems running Solaris 7, 2.6, 2.5.1, 2.5, 2.4, and 2.3, and SunOS 4.1.4
> and 4.1.3_U1 are vulnerable if the UNIX authentication mechanism (default)
> is used with ttsession. The use of DES authentication is recommended to
> resolve this issue. To set the authentication mechanism to DES, use the
>
> [...]

The way they've worded this very much makes it sound as though patches are not forthcoming.

Is this a design flaw, or an oversight in the implementation? If the former, why is it that other vendors (e.g. IBM) are releasing patches claiming to fix the problem? And, if the latter, is Sun *really* saying "instead of fixing the problem, we're going to tell all of our customers to use DES authentication, and if they can't or won't, then to hell with them"?

(Anyone know any decent references for setting up Secure RPC under Solaris, particularly if NIS or NIS+ is not in use?)

--
People shouldn't think that it's better to have loved and lost than never loved at all. It's not, it's better to have loved and won. All the other options really suck.
--Dan Redican

Dan Astoorian
http://www.utopia.csas.com
djast () utopia csas com
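The advisory excerpt quoted above recommends running ttsession with DES (Secure RPC) authentication instead of the default UNIX authentication. The following script is an added example, not part of this thread or of CDE, that a defender could use to audit a host for ttsession instances still running with the default. It assumes that ttsession selects its authentication level with an `-a <level>` switch (the quoted advisory is truncated before naming the switch, so confirm this against the ttsession(1) manual page on your platform) and that the level defaults to `unix` when no switch is given. The `ps -ef` sample embedded in it is constructed for illustration.

```python
import shlex
import sys

# Constructed sample of "ps -ef"-style output (not taken from the page or any real host).
# Two sessions run with the default UNIX authentication, one with DES.
SAMPLE_PS = """\
     UID   PID  PPID  C    STIME TTY      TIME CMD
   alice  1012   980  0 09:01:13 ?        0:02 /usr/dt/bin/ttsession -s
     bob  2044  2001  0 09:05:40 ?        0:01 /usr/dt/bin/ttsession -a des -s
   carol  3100  3050  0 09:07:02 ?        0:00 /usr/dt/bin/ttsession -a unix
    root  4020     1  0 08:59:00 ?        0:03 /usr/dt/bin/dtlogin -daemon
"""

def parse_ps(text):
    """Yield (uid, pid, argv) for every ttsession process in ps -ef output.

    The first line is the column header. Each data line has seven fixed
    columns (UID PID PPID C STIME TTY TIME) followed by the command line,
    so splitting on whitespace at most seven times keeps the command intact.
    """
    for line in text.splitlines()[1:]:
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue
        uid, pid, cmd = fields[0], int(fields[1]), fields[7]
        argv = shlex.split(cmd)
        # Match on the basename so /usr/dt/bin/ttsession and a bare ttsession both count.
        if argv and argv[0].rsplit("/", 1)[-1] == "ttsession":
            yield uid, pid, argv

def auth_level(argv):
    """Return the authentication level selected by a ttsession command line.

    Assumption (see lead-in): "-a LEVEL" or "-aLEVEL" selects the level and
    the default, when neither form is present, is "unix".
    """
    for i in range(1, len(argv)):
        arg = argv[i]
        if arg == "-a" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-a") and len(arg) > 2:
            return arg[2:]
    return "unix"

def find_weak_sessions(ps_text, required="des"):
    """Return [(uid, pid, level)] for ttsession processes not using `required`."""
    weak = []
    for uid, pid, argv in parse_ps(ps_text):
        level = auth_level(argv)
        if level != required:
            weak.append((uid, pid, level))
    return weak

if __name__ == "__main__":
    # Read real "ps -ef" output from stdin if piped in; otherwise use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PS
    for uid, pid, level in find_weak_sessions(text):
        print(f"ttsession pid {pid} (user {uid}) uses {level} authentication, not des")
```

Run it as `ps -ef | python3 audit_ttsession.py` on the host being checked; with no input it reports on the constructed sample, flagging the sessions owned by alice and carol. A non-empty result means a user session is still accepting ToolTalk requests under the default authentication the advisory warns about.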