Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!unmvax!ncar!tank!mimsy!haven!decuac!felix!info-ultrix
From: zhang@zgdvda.UUCP (Ning Zhang)
Newsgroups: comp.unix.ultrix
Subject: Re: VERY Dangerous Hole ...
Message-ID: <82066@felix.UUCP>
Date: 3 Feb 89 20:27:42 GMT
References: <81555@felix.UUCP>
Sender: info-ultrix@felix.UUCP
Reply-To: zhang@zgdvda.UUCP (Ning Zhang)
Organization: ZGDV Darmstadt, FRG
Lines: 53
Approved: zemon@felix.UUCP
Reply-Path:

Reply-to: zhang@zgdvda.UUCP (Ning Zhang)

In article <81555@felix.UUCP>, slouder@note.nsf.gov (Steve Loudermilk) writes:
> Reply-to: slouder@note.nsf.gov (Steve Loudermilk)
> ...had drafted a report on it.

Yes. I've posted it (and some latest bugs) to UCB, DEC, SUN, CERT,...

> I was of the opinion that much more would be forthcoming if there
> really was such a problem.

Do you mean that I should post the bug reports in this open bulletin?
No, it's much more dangerous, because they contained the step-by-step
break-in methods to exploit such bugs. I should be very very careful to
deliver them. I just got a complaint about the abuse of my report and
I'm surprised!

> Nothing else has been posted concerning this. And I have seen nothing
> on other BBs which are linked to this message.

Originally, I planned to post the announcement to news.sysadmin,
news.admin, and comp.unix.ultrix,... but most of them are moderated.
I only have seen my posting in comp.unix.ultrix.

> I was ready to write it off as a false alarm.

Please not...:-)

> However, others in my office, and rightly so, have urged me to "close the
> loop" and find out for sure.

If you're really aware of the security problems, why don't you take part
in some security lists? There are many discussions about the recent
discoveries of security problems.

> Is there really a big problem?

Yes, they're quite serious. But many vendors have shipped patches to
fix them.

> Is it the same as ftp, finger, or sendmail problems which have been handled
> so well by others in the internet community?

Of course not.

Hope the above info is enough. Please ask your vendors for fixes.
I won't deliver the bug reports again!

----
Ning Zhang      relay.cs.net!uka!unido!zgdvda!zhang  |Giving a man a fish  \\\| An Old
Computer Graphics Center (ZGDV)                      |Feed him for one day  \\| Chinese
Wilhelminenstr.7, 6100 Darmstadt, West Germany       |Teaching a man to fish | Proverb
Permanent Addr:Inst.of AI,Zhejiang Univ. China       |Serve him forever and a day ||||