Searching the archives, I've not seen any reply to this; have these
questions been answered yet?  In regards to Sun, is there a patch
in the works, and if not how have other vendors fixed the problem?

-Nick

Date sent:              Tue, 14 Sep 1999 18:53:23 -0400
Send reply to:          Dan Astoorian <[EMAIL PROTECTED]>
From:                   Dan Astoorian <[EMAIL PROTECTED]>
Subject:                Re: Multiple vulnerabilities in CDE
Originally to:          [EMAIL PROTECTED]
To:                     [EMAIL PROTECTED]

> On Mon, 13 Sep 1999 23:46:53 EDT, "Troy A. Bollinger" writes:
> >
> > Here's the CERT advisory that was released today.  Of course, it's also
> > available at www.cert.org.
> >
> [...]
> >    Sun Microsystems, Inc.
> >
> >    Vulnerability #1:
> >
> >           Systems running Solaris 7, 2.6, 2.5.1, 2.5, 2.4, and 2.3, and
> >           SunOS 4.1.4 and 4.1.3_U1 are vulnerable if the UNIX
> >           authentication mechanism (default) is used with ttsession.
> >
> >           The use of DES authentication is recommended to resolve this
> >           issue. To set the authentication mechanism to DES, use the
> [...]
>
> The way they've worded this very much makes it sound as though patches
> are not forthcoming.
>
> Is this a design flaw, or an oversight in the implementation?
>
> If the former, why is it that other vendors (e.g. IBM) are releasing
> patches claiming to fix the problem?  And, if the latter, is Sun
> *really* saying "instead of fixing the problem, we're going to tell all
> of our customers to use DES authentication, and if they can't or won't,
> then to hell with them"?
>
> (Anyone know any decent references for setting up Secure RPC under
> Solaris, particularly if NIS or NIS+ is not in use?)
>
> --                          People shouldn't think that it's better to have
> Dan Astoorian               loved and lost than never loved at all.  It's
> http://www.utopia.csas.com  not, it's better to have loved and won.  All
> [EMAIL PROTECTED]       the other options really suck.    --Dan Redican
>


--
Nicholas Crawford <[EMAIL PROTECTED]> / ICQ: 2555860 / Nick_ers@UnderNet IRC
4096/1024 Diffie-Hellman/DSS PGP key ID: 0x738C4DB4 fingerprint:
     54DF 09EC D2A0 0942 2A4C  3CDD 3438 FF7B 738C 4DB4
PGP keys via key server or http://paranoid.wolfspirit.org/~crawf/pgpkeys/
