
[ADSM-L] Patch this TSM Server vulnerability now

2013-12-04 16:52:31
From: Roger Deschner <rogerd AT UIC DOT EDU>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Wed, 4 Dec 2013 15:49:57 -0600
On Monday IBM sent a Flash to many of us announcing a security
vulnerability in the TSM Server. Regular non-administrator end-users on
a multi-user system can restore files belonging to other users,
including userid "root". For instance, this could be a Unix system that
hosts shell accounts. Dissecting the CVSS scoring reveals "Access
Complexity: Low" and "Authentication: None" - which basically means
anyone can do it. Obviously, this is an opportunity for a breach of
confidentiality.

If you back up any multi-user clients which have non-administrative
accounts, this applies to you. It definitely applied to us, so I updated
all our TSM server instances immediately.

The Flash containing the full description and a list of fixing releases
is at http://www-01.ibm.com/support/docview.wss?uid=swg21657726

Kudos to IBM for making well-tested fixes widely available before
publishing the vulnerability, and also for announcing it after the
Thanksgiving holiday rather than before.

Roger Deschner      University of Illinois at Chicago     rogerd AT uic DOT edu
======I have not lost my mind -- it is backed up on tape somewhere.=====
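Added example (not part of the ADSM-L post or of IBM's Flash): the message reads the CVSS metrics "Access Complexity: Low" and "Authentication: None" as "anyone can do it". The script below makes that reading concrete by parsing a CVSS v2 base vector, computing the Exploitability and Impact sub-scores and the Base score with the CVSS v2 equations, and flagging which metrics sit at their worst-case weight. The post does not reproduce the vector from the IBM Flash, so the vectors used here are constructed for illustration; a confidentiality-only, network-reachable, unauthenticated, low-complexity vector is assumed as the sample input.

```python
"""CVSS v2 base-score calculator.

Added example; not code from the ADSM-L post or from IBM. The sample
vectors are constructed; the IBM Flash vector is not reproduced on the page.
"""

import math

# Metric weights from the CVSS v2 base equation.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}      # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}     # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}    # Confidentiality / Integrity / Availability impact

WEIGHTS = {"AV": AV, "AC": AC, "Au": AU, "C": CIA, "I": CIA, "A": CIA}
IMPACT_LABELS = {"N": "None", "P": "Partial", "C": "Complete"}
LABELS = {
    "AV": {"L": "Local", "A": "Adjacent Network", "N": "Network"},
    "AC": {"H": "High", "M": "Medium", "L": "Low"},
    "Au": {"M": "Multiple", "S": "Single", "N": "None"},
    "C": IMPACT_LABELS,
    "I": IMPACT_LABELS,
    "A": IMPACT_LABELS,
}


def parse_vector(vector):
    """Return {metric: value} for a CVSS v2 base vector such as
    'AV:N/AC:L/Au:N/C:P/I:N/A:N'. Rejects unknown metrics or values and
    vectors that omit any of the six base metrics."""
    metrics = {}
    for part in vector.strip("()").split("/"):
        name, _, value = part.partition(":")
        if name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError(f"bad CVSS v2 metric {part!r}")
        metrics[name] = value
    missing = set(WEIGHTS) - set(metrics)
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    return metrics


def round1(x):
    """Round half up to one decimal, as the CVSS v2 specification does."""
    return math.floor(x * 10 + 0.5) / 10


def exploitability(m):
    """Exploitability sub-score: 20 * AV * AC * Au (maximum 10)."""
    return 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]


def impact(m):
    """Impact sub-score: 10.41 * (1 - (1-C)(1-I)(1-A))."""
    return 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))


def base_score(vector):
    """CVSS v2 Base score for a vector string."""
    m = parse_vector(vector)
    imp = impact(m)
    f_impact = 0 if imp == 0 else 1.176
    return round1((0.6 * imp + 0.4 * exploitability(m) - 1.5) * f_impact)


def dissect(vector):
    """One line per metric, marking those at their worst-case weight.
    AC:L and Au:N both come out as worst case, which is the point the
    post makes about the TSM Flash."""
    m = parse_vector(vector)
    lines = []
    for name, value in m.items():
        worst = WEIGHTS[name][value] == max(WEIGHTS[name].values())
        lines.append(f"{name}: {LABELS[name][value]}" + (" (worst case)" if worst else ""))
    return lines


if __name__ == "__main__":
    # Constructed sample: unauthenticated, low-complexity, network-reachable,
    # partial confidentiality impact only (the scenario the post describes).
    sample = "AV:N/AC:L/Au:N/C:P/I:N/A:N"
    print(sample, "->", base_score(sample))
    for line in dissect(sample):
        print(" ", line)
```

Running it on the constructed vector prints a Base score of 5.0 with AV, AC and Au all flagged as worst case: the exploitability sub-score is 9.9968 out of 10, so a medium Base score here reflects the confidentiality-only impact, not any difficulty in exploitation.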
