CA used to have mailing lists for Hiper fix notifications. I haven't
received such a notice in so long that I don't know if there haven't
been any Hipers, I fell off the list, or the list was discontinued. I'd
expect to be notified immediately if a product that we use had that kind
of security exposure. I understand if CA doesn't want to discuss the
details, but I need to know that there's a problem.
Dennis O'Brien
Bank of America
"You can have peace, or you can have freedom. Don't ever count on
having both at the same time." -- Robert A. Heinlein
-----Original Message-----
From: VM/ESA and z/VM Discussions [mailto:[EMAIL PROTECTED] On
Behalf Of Romanowski, John (OFT)
Sent: Friday, October 28, 2005 11:12
To: [email protected]
Subject: How to handle security hole?
I alerted Computer Associates (CA) to a security hole in one of their
VM products that let's any VM userid control a VM system that runs this
product. CA wrote a fix.
If your VM system's running this product without the fix then it has
this security hole active now. The security hole is installed by
default and there's no product installation step or configuration
parameter that closes the hole.
CA and I have agreed to disagree on how well they alert their customers
to the existence of security-related fixes for VM products.
My question to all is would you rather CA labeled VM product fixes as
security-related or not? Is security thru obscurity better?
--------------------------------------------------------
This e-mail, including any attachments, may be confidential, privileged
or otherwise legally protected. It is intended only for the addressee.
If you received this e-mail in error or from someone who was not
authorized to send it to you, do not disseminate, copy or otherwise use
this e-mail or its attachments. Please notify the sender immediately by
reply e-mail and delete the e-mail from your system.
