ADSM-L

Re: [ADSM-L] Versions for Web Client security hole

2013-02-06 16:44:34
From: Roger Deschner <rogerd AT UIC DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Wed, 6 Feb 2013 15:18:59 -0600
Markus, I wonder if you are confusing the two IBM TSM security notices
that were both sent on the same day. The other one, a denial-of-service
exposure in the Classic Scheduler, mentioned v5.5, 6.1, and 6.2, and it
also mentioned several easy workarounds. We circumvented it by SET
SCHEDMODE POLLING on all our TSM servers.

This one, involving unauthorized information disclosure in the Web
Client, did not mention those earlier versions. It is harder to deal
with, because there are no workarounds, it is a more serious issue, and
the only possible remediation is at the client level. Upgrading clients
to 6.3.1.0 or 6.4.0.1 to fix this is not supported for Windows XP
clients (we still have a lot of XP clients) or V5.5 servers. Plus, it
involves the cooperation of clients, which can be difficult.

So, I still need to know if this affects 5.5, 6.1, or 6.2, because if it
does, I have a much larger number of clients to individually remediate.
Our clients are mostly 5.5 or 6.2.

Roger Deschner      University of Illinois at Chicago     rogerd AT uic DOT edu
               Academic Computing & Communications Center
======I have not lost my mind -- it is backed up on tape somewhere.=====


On Tue, 5 Feb 2013, Zoltan Forray wrote:

>Where did you get this information?  When I read the "Security Bulletin" it
>only addresses 6.3.x and 6.4.0.  Searching for patches I can only find
>6.4.0.1 and 6.3.1.0, per the bulletin.  None of the older versions have
>been updated.
>
>2013/2/5 Markus Engelhard <markus.engelhard AT bundesbank DOT de>
>
>> Hi Roger,
>>
>> according to my information, the vulnerability is reported in versions 5.5.0.0
>> through 5.5.4.x, 6.1.0.0 through 6.1.5.x, 6.2.0.0 through 6.2.4.x, 6.3.0.x,
>> and 6.4.0.0.
>>
>> Regards, Markus
>>
>>
>>
>> --
>> This e-mail may contain confidential and/or privileged information. If you
>> are not the intended recipient (or have received this e-mail in error)
>> please notify the sender immediately and destroy this e-mail. Any
>> unauthorised copying, disclosure or distribution of the material in this
>> e-mail or of parts hereof is strictly forbidden.
>>
>> We have taken precautions to minimize the risk of transmitting software
>> viruses but nevertheless advise you to carry out your own virus checks on
>> any attachment of this message. We accept no liability for loss or damage
>> caused by software viruses except in case of gross negligence or willful
>> behaviour.
>>
>> Any e-mail messages from the Bank are sent in good faith, but shall not be
>> binding or construed as constituting any kind of obligation on the part of
>> the Bank.
>
>--
>*Zoltan Forray*
>TSM Software & Hardware Administrator
>Virginia Commonwealth University
>UCC/Office of Technology Services
>zforray AT vcu DOT edu - 804-828-4807
>Don't be a phishing victim - VCU and other reputable organizations will
>never use email to request that you reply with your password, social
>security number or confidential personal information. For more details
>visit http://infosecurity.vcu.edu/phishing.html
>
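Roger's open question above is which of his clients fall inside the ranges Markus quotes. As an added example that is not from this thread or from IBM, the Python below takes the version ranges exactly as stated in Markus's reply, parses constructed "QUERY NODE ... F=D"-style "Client Version" lines, and lists the nodes that would need remediation. Node names and the sample output are constructed; the ranges are only as accurate as the quoted reply, which is exactly what the thread is trying to confirm.

```python
import re

# Affected ranges as quoted in Markus's reply (low, high); None in a position
# stands for the ".x" wildcard in the quoted ranges. The fixed levels named
# in the thread (6.3.1.0 and 6.4.0.1) fall just outside these ranges.
AFFECTED_RANGES = [
    ((5, 5, 0, 0), (5, 5, 4, None)),
    ((6, 1, 0, 0), (6, 1, 5, None)),
    ((6, 2, 0, 0), (6, 2, 4, None)),
    ((6, 3, 0, 0), (6, 3, 0, None)),
    ((6, 4, 0, 0), (6, 4, 0, 0)),
]

# Constructed sample lines in the shape of "QUERY NODE F=D" server output.
SAMPLE_NODES = """\
Node Name: WS-ALPHA
Client Version: Version 5, Release 5, Level 4.3
Node Name: WS-BRAVO
Client Version: Version 6, Release 3, Level 1.0
Node Name: WS-CHARLIE
Client Version: Version 6, Release 2, Level 4.1
Node Name: WS-DELTA
Client Version: Version 6, Release 4, Level 0.1
"""

VERSION_RE = re.compile(r"Version (\d+), Release (\d+), Level (\d+)\.(\d+)")


def parse_version(line):
    """Return (version, release, level, sublevel) or None if the line has none."""
    m = VERSION_RE.search(line)
    return tuple(int(x) for x in m.groups()) if m else None


def in_range(ver, low, high):
    """True if ver lies between low and high; None in high matches anything."""
    if ver < low:
        return False
    for v, h in zip(ver, high):
        if h is None or v < h:
            return True
        if v > h:
            return False
    return True  # equal to high in every position


def is_affected(ver):
    return any(in_range(ver, low, high) for low, high in AFFECTED_RANGES)


def affected_nodes(text):
    """Map node name -> version tuple for nodes whose client level is affected."""
    result, node = {}, None
    for line in text.splitlines():
        if line.startswith("Node Name:"):
            node = line.split(":", 1)[1].strip()
        elif node and (ver := parse_version(line)) and is_affected(ver):
            result[node] = ver
    return result
```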