ADSM-L

Re: [ADSM-L] Re: Versions for Web Client security hole

2013-02-08 22:19:59
Subject: Re: [ADSM-L] Re: Versions for Web Client security hole
From: David Bronder <david-bronder AT UIOWA DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Fri, 8 Feb 2013 21:18:58 -0600

The security bulletin was updated on 2013-02-07 to indicate that the
issue affects only 6.3.0.x and 6.4.0.0 (see change history section).

=Dave

Remco Post wrote:
>
> Since the security bulletin only mentions 6.3 and 6.4 as affected
> levels, it's safe to assume that 5.5, 6.1 and 6.2 are not affected,
> otherwise they would have been mentioned.
>
> On 6 feb. 2013, at 22:18, Roger Deschner <rogerd AT UIC DOT EDU> wrote:
>
> > Markus, I wonder if you are confusing the two IBM TSM security notices
> > that were both sent on the same day. The other one, a denial-of-service
> > exposure in the Classic Scheduler, mentioned v5.5, 6.1, and 6.2, and it
> > also mentioned several easy workarounds. We circumvented it by SET
> > SCHEDMODE POLLING on all our TSM servers.
> >
> > This one, involving unauthorized information disclosure in the Web
> > Client, did not mention those earlier versions. It is harder to deal
> > with, because there are no workarounds, it is a more serious issue, and
> > the only possible remediation is at the client level. Upgrading clients
> > to 6.3.1.0 or 6.4.0.1 to fix this is not supported for Windows XP
> > clients (we still have a lot of XP clients) or V5.5 servers. Plus, it
> > involves the cooperation of clients, which can be difficult.
> >
> > So, I still need to know if this affects 5.5, 6.1, or 6.2, because if it
> > does, I have a much larger number of clients to individually remediate.
> > Our clients are mostly 5.5 or 6.2.
> >
> > Roger Deschner      University of Illinois at Chicago     rogerd AT uic DOT edu
> >               Academic Computing & Communications Center
> > ======I have not lost my mind -- it is backed up on tape somewhere.=====
> >
> >
> > On Tue, 5 Feb 2013, Zoltan Forray wrote:
> >
> >> Where did you get this information?  When I read the "Security Bulletin" it
> >> only addresses 6.3.x and 6.4.0.  Searching for patches I can only find
> >> 6.4.0.1 and 6.3.1.0, per the bulletin.  None of the older versions have
> >> been updated.
> >>
> >> 2013/2/5 Markus Engelhard <markus.engelhard AT bundesbank DOT de>
> >>
> >>> Hi Roger,
> >>>
> >>> According to my information, the vulnerability is reported in versions 5.5.0.0
> >>> through 5.5.4.x, 6.1.0.0 through 6.1.5.x, 6.2.0.0 through 6.2.4.x, 6.3.0.x,
> >>> and 6.4.0.0.
> >>>
> >>> Regards, Markus
> >>>


--
Hello World.                                David Bronder - Systems Architect
Segmentation Fault                                      ITS-EI, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.   david-bronder AT uiowa DOT edu
