From: ELAB::PANETTA "Ron Panetta, GE-ELAB, 8*256-2555 02-Jul-1991 0754" 2-JUL-1991 08:11:07.11
To: @NETMGRS
CC:
Subj: Ultrix security loophole

Enclosed is a DSN flash message regarding an Ultrix security vulnerability. I've distributed it to NETMGRS.DIS and included a current copy of SYSMGRS.DIS at the end of the mail message for your convenience.

Ron

----------------------------------------------------------------------
From: RSO::DSN%CSC_Flash_Mail "Digital Customer Support Center ( 1-JUL-1991 22:20)" 2-JUL-1991 00:28:19.76
To: DSN$MAIL_FLASH_RECIPIENT
CC:
Subj: Digital/DSNlink Flash Mail Message

Dear Customer,

The following is important information about the product ULTRIX. A technical article describing an issue concerning this product is provided below. It has also been entered into the ULTRIX-32 database. You can access this article by using DSNlink Interactive Text Search (ITS), opening the ULTRIX-32 database, and listing all FLASH articles.

Thank you,
Digital Customer Support Center

ULTRIX V4.1 - Security Vulnerability Identified in /usr/bin/mail

COPYRIGHT (c) 1988, 1989, 1990 by Digital Equipment Corporation.
ALL RIGHTS RESERVED. No distribution except as provided under contract.

PRODUCT: ULTRIX V4.1

SOURCE: Customer Support Center/Atlanta USA

PROBLEM: A potential security vulnerability has been identified in ULTRIX Version 4.1 where, under certain circumstances, user privileges can be expanded via usr/bin/mail.

SOLUTION: Digital has corrected the identified code in ULTRIX Version 4.2 (released May 1991). We recommend that you upgrade to Version 4.2 immediately to avoid any potential threats to your system via this problem. For those of you who are unable to upgrade at this time, installing the V4.2 mail file on your V4.1 system will correct this problem. Both the VAX and RISC versions of this file, /usr/bin/mail, can be obtained by contacting the Customer Support Center at 1-800-332-8000.

--------------------------------------------------------------------------------
!
! This VAX MAIL distribution list contains all system managers
! (exclusive of NETMGRS.DIS, the network manager's distribution
! list) on the GE DECnet network. To be complete, a mailing to
! system managers must also include those individuals in
! NETMGRS.DIS.
!
! 12-June-1991
!
! Source: ELAB::GEDECNET
!
! Site names should be the GE DECnet Network site name so that
! we can associate responsibility each system manager's name.
!
! The city and state should be the actual location for the individual.
!
acs1::hazeltine  !ACS_VF  Valley Forge, PA  Andy Hazeltine
acs1::sscrmlt  !ACS_VF  Valley Forge, PA  Mark Laffin
acs1::ss2aelv  !ACS_VF  Valley Forge, PA  Art Laholt
seo::system  !ACSD  Seattle, WA  Dave McKinstry
vaxms1::bender  !AESD  Utica, NY  Bill Bender
gitoc1::ae2510t  !AE_CIN1  Cincinnati, OH  Mike Allshouse
pmc1::anderson  !AE_CIN1  Cincinnati, OH  Grant Anderson
ecamv1::boyle  !AE_CIN1  Cincinnati, OH  Dave Boyle
cpsd::delman  !AE_CIN1  Cincinnati, OH  Linda Delman
cpsd::larson  !AE_CIN1  Cincinnati, OH  Marsha Larson
cpsd::leedke  !AE_CIN1  Cincinnati, OH  Tim Leedke
cpsd::mondello  !AE_CIN1  Cincinnati, OH  Rick Mondello
petsys::system1  !AE_CIN1  Cincinnati, OH  Jim Heath
gitoc1::ae2830t  !AE_CIN1  Cincinnati, OH  Dave Hirsh
aee690::schulte  !AE_CIN1  Cincinnati, OH  Doug Schulte
aee040::aewcs01t  !AE_CIN1  Cincinnati, OH  Charlie Slaven
pmc1::rack  !AE_CIN1  Cincinnati, OH  Sherrie Rack
odin::truman  !AE_CIN1  Florence, SC  Alicia Truman
antvax::crick  !AE_CIN1  San Jose, CA  Steve Crick
snetx::sanjines  !AE_CIN1  San Jose, CA  Louis Sanjines
strnfs::k0455sys  !AE_CIN2  Arkansas City, KS  Mike McEwen
strasr::dpdaly  !AE_CIN2  Arkansas City, KS  Dave Daly
iron::mazza  !AE_CIN2  Cincinnati, OH  Steve Mazza
dvxs02::bromir  !AE_CIN2  Durham, NC  Steve Bromir
wmeth1::tschutte  !AE_CIN2  Wilmington, NC  Tom Schutte
sparev::bryan  !AE_CIN2  Wilmington, NC  Liz Bryan (NEBO)
sparev::arun  !AE_CIN2  Wilmington, NC  Arun Sanghvi (NEBO)
sparev::sessions  !AE_CIN2  Wilmington, NC  Zack Sessions (NEBO)
hkncm2::system  !AEBG_LYNN  Hooksett, NH  Wayne Eddy
hkvax::system  !AEBG_LYNN  Hooksett, NH  Moe Giddis
dncvax::audette  !AEBG_LYNN  Rutland, VT  Laura Audette
dncvax::bixby  !AEBG_LYNN  Rutland, VT  Bob Bixby
dncvax::mason  !AEBG_LYNN  Rutland, VT  Dave Mason
dncvax::miles  !AEBG_LYNN  Rutland, VT  Tom Miles
dncvax::varian  !AEBG_LYNN  Rutland, VT  Barry Varian
vax74::system  !AEBG_LYNN  Lynn, MA  George Blais
cad3::carraro  !AEBG_LYNN  Lynn, MA  Russ Carraro
ael310::system  !AEBG_LYNN  Lynn, MA  Matt Chella
vax74::cowen  !AEBG_LYNN  Lynn, MA  Paul Cowen
cad3::don  !AEBG_LYNN  Lynn, MA  Don Deschenes
wofhst::system  !AEBG_LYNN  Lynn, MA  Al Giles
cad3::healey  !AEBG_LYNN  Lynn, MA  Bob Healey
cell02::system  !AEBG_LYNN  Lynn, MA  Merrit Heminway
cimv1::system  !AEBG_LYNN  Lynn, MA  Te Hoang
aeaa1::livermore  !AEBG_LYNN  Lynn, MA  Don Livermore
aeldev::system  !AEBG_LYNN  Lynn, MA  Amy Macarthur
cad3::martym  !AEBG_LYNN  Lynn, MA  Marty Monahan
cg540::system  !AEBG_LYNN  Lynn, MA  Bill Nuymer
fofv1::system  !AEBG_LYNN  Lynn, MA  Dean Panagopoulos
fof107::sanguedolce  !AEBG_LYNN  Lynn, MA  Bob Sanguedolce
ael009::system  !AEBG_LYNN  Lynn, MA  Barry Sahovey
mc3601::system  !AEBG_LYNN  Lynn, MA  Dave St. Pierre
jay::4366  !ASD  Burlington, VT  Bob Brych
dssclu::1382  !ASD  Burlington, VT  Phil Gingrow
atl::acolabelli  !ATL  Moorestown, NJ  Tony Calabelli
ispvax::banewicz  !CRD  Schenectady, NY  Donna Banewicz
ispvax::bennett  !CRD  Schenectady, NY  Wayne Bennett
cadvax::darkangelo  !CRD  Schenectady, NY  Dom Darkangelo
rdsvax::frankr  !CRD  Schenectady, NY  Ron Frank
isovax::stec  !CRD  Schenectady, NY  Joyce Stec
orcon::genesi  !DSD  Pittsfield, MA  Rick Genesi
orcon::zanotta  !DSD  Pittsfield, MA  Dave Zanotta
elab::smith  !ELAB  Syracuse, NY  Tom Smith
zeus::cbishop  !F&ESD_ASD  Burlington, MA  Chuck Bishop
luke::sbutt  !GCSD  Camden, NJ  Steve Butt
r2d2::phenry  !GCSD  Camden, NJ  Trish Henry
atl::hholcombe  !GCSD  Camden, NJ  Howard Holcombe
leia::jfmclaughlin  !GCSD  Camden, NJ  John McLaughlin
cho000::carl_r  !GE_FANUC_CHO  Charlottesville, VA  Rick Carl
cho000::hubert_d  !GE_FANUC_CHO  Charlottesville, VA
geisco::lvu  !GEIS  Rockville, MD  Luan Vu
geisco::system  !GEIS  Rockville, MD  Dave Younoszai
hco880::wasden  !HCO  Huntsville, AL  Jim Wasden
liso::dierker  !LBG  Cleveland, OH  Bill Dierker
liso::farinacci  !LBG  Cleveland, OH  Tony Farinacci
liso::hepp  !LBG  Cleveland, OH  John Hepp
liso::higgins  !LBG  Toronto, Canada  Sean Higgins
win::majzel  !LBG  Winchester, VA  Mike Majzel
liso::tuma  !LBG  Cleveland, OH  Bert Tuma
liso::wentz  !LBG  Cleveland, OH  Eric Wentz
liso::whiteb  !LBG  Cleveland, OH  Brian White
reston::hartmeyer  !M&DSO  Reston, VA  Kurt Hartmeyer
reston::thomas  !M&DSO  Reston, VA  Dave Thomas
trees::barnes  !M&DSO  Valley Forge, PA  Bill Barnes
trees::gurney  !M&DSO  Valley Forge, PA  Sharon Gurney
trees::ward  !M&DSO  Valley Forge, PA  Hugh Ward
acons0::miller  !MABG_PROD  Columbia, TN  Dave Miller
geappl::l024619  !MABG_PROD  Louisville, KY  Bryan Dooley
tacl::trclemens  !MABG_PROD  Louisville, KY  Tim Clemens
tacl::ndmann  !MABG_TECH  Louisville, KY  Nathan Mann
tacl::dlnorris  !MABG_TECH  Louisville, KY  Don Norris
c5vn::roller  !MESO  Syracuse, NY  Don Roller
e7va::sys_singer  !MESO  Syracuse, NY  Larry Singer
astro::goldberg  !RCA_AED  Hightstown, NJ  Fred Goldberg
esdsdf::gore  !RCA_MSRD_VCC  Moorestown, NJ  Bob Gore
muppet::sickles  !RCA_MSRD_VCC  Moorestown, NJ  Brian Sickles
rso::roy_wi  !RSO  Philadelphia, PA  Bill Roy
scovcb::lambert_lt  !SCO  Valley Forge, PA  Lee Lambert
advax::barry  !SCSD  Daytona Beach, FL  Barry Fishman
dabzoo::rgl  !SCSD  Daytona Beach, FL  Greg Lee
tbosch::look  !TBO_SCH  Bangor, ME  Allen Look
tbosch::courtemanche  !TBO_SCH  Fitchburg, MA  Jeff Courtemanche
ws::haynes  !WESTERN_SYS  San Jose, CA  Tom Haynes