Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1994_3

Bugtraq archives for 3rd quarter (Jul-Sep) 1994: Re: DEC OSF/1 Enhanced Security passwd problem

Re: DEC OSF/1 Enhanced Security passwd problem

(no name) ((no email))
Thu, 01 Sep 1994 09:21:56 +1000 (AEST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Marc J. Fraioli: "DEC OSF/1 Enhanced Security passwd problem"
Previous message: der Mouse: "Re: DEC OSF/1 Enhanced Security passwd problem"
Maybe in reply to: Marc J. Fraioli: "DEC OSF/1 Enhanced Security passwd problem"

Tim (et al),

> I'm having trouble w/ DEC OSF/1 V2.0 Enhanced Security.  Just yesterday, 
> the passwd program decided to be very friendly and let anyone (except 
> root) change anyone else's password.  I wrote a wrapper for it so that it 
> can't do that anymore.

This bug was actually announced with a patch back in May 1994.

[...]

> Check your OSF/1 systems.
>
> Any ideas are welcome.

Digital's announcement (which was also echoed the various Incident Response 
Teams around the world) included:

-------------------
IMPACT:

Digital has discovered the existence of potential software security
vulnerabilities in the ULTRIX V4.3, V4.3a, V4.4 and DEC OSF/1 V1.2, V1.3,
V2.0 Operating Systems, and in DECnet-ULTRIX V4.2.  These potential
vulnerabilities were discovered as a result of evaluating recent reports of
potential security vulnerabilities which were distributed on the INTERNET
and as a result of Digital's continued engineering efforts.  The solutions
to these vulnerabilities have been included in the next release of ULTRIX
and DEC OSF/1.

The kits have been created to correct potential software security
vulnerabilities which, under certain circumstances may expand user access
or privilege.

Digital Equipment Corporation strongly urges Customers to upgrade to a
minimum of ULTRIX V4.4 and DEC OSF/1 V2.0 then apply the Security Enhanced
Kit.
------------------

and...

------------------
CSCPAT_4060  V1.0   ULTRIX    V4.3 thru V4.4  (Includes DECnet-ULTRIX V4.2)
CSCPAT_4061  V1.0   DEC OSF/1 V1.2 thru V2.0

         _______________________________________________________________
         These kits will not install on versions previous to ULTRIX V4.3
         or DEC OSF/1 V1.2.
         _______________________________________________________________
------------------

==========================================================================
 Danny Smith                    |  Phone:  +61 7 365 4105
 The Prentice Centre            |  Fax:    +61 7 365 4477
 The University of Queensland   |
 Qld.  4072.  Australia         |  Internet:  D.Smithcc.uq.edu.au

Next message: Marc J. Fraioli: "DEC OSF/1 Enhanced Security passwd problem"
Previous message: der Mouse: "Re: DEC OSF/1 Enhanced Security passwd problem"
Maybe in reply to: Marc J. Fraioli: "DEC OSF/1 Enhanced Security passwd problem"