Tim (et al),

> I'm having trouble w/ DEC OSF/1 V2.0 Enhanced Security. Just yesterday,
> the passwd program decided to be very friendly and let anyone (except
> root) change anyone else's password. I wrote a wrapper for it so that it
> can't do that anymore.

This bug was actually announced with a patch back in May 1994.

[...]

> Check your OSF/1 systems.
>
> Any ideas are welcome.

Digital's announcement (which was also echoed by the various Incident
Response Teams around the world) included:

-------------------
IMPACT:

Digital has discovered the existence of potential software security
vulnerabilities in the ULTRIX V4.3, V4.3a, V4.4 and DEC OSF/1 V1.2, V1.3,
V2.0 Operating Systems, and in DECnet-ULTRIX V4.2. These potential
vulnerabilities were discovered as a result of evaluating recent reports
of potential security vulnerabilities which were distributed on the
INTERNET and as a result of Digital's continued engineering efforts. The
solutions to these vulnerabilities have been included in the next release
of ULTRIX and DEC OSF/1.

The kits have been created to correct potential software security
vulnerabilities which, under certain circumstances may expand user access
or privilege. Digital Equipment Corporation strongly urges Customers to
upgrade to a minimum of ULTRIX V4.4 and DEC OSF/1 V2.0 then apply the
Security Enhanced Kit.
------------------

and...

------------------
CSCPAT_4060 V1.0   ULTRIX V4.3 thru V4.4 (Includes DECnet-ULTRIX V4.2)
CSCPAT_4061 V1.0   DEC OSF/1 V1.2 thru V2.0
_______________________________________________________________
These kits will not install on versions previous to ULTRIX V4.3
or DEC OSF/1 V1.2.
_______________________________________________________________
------------------

==========================================================================
Danny Smith                   | Phone: +61 7 365 4105
The Prentice Centre           | Fax: +61 7 365 4477
The University of Queensland  |
Qld. 4072. Australia          | Internet: D.Smith@cc.uq.edu.au