This document is being posted to the following groups: alt.security,
comp.security.misc, comp.security.unix, and comp.unix.admin.

Vendor Security Contacts: Reporting Vulnerabilities
and Obtaining New Patches

Author: Christopher Klaus <ckl...@shadow.net>
Date: March 7th, 1994.
Version: 1.2

The following is a list of security contacts to reach at various
vendors for reporting security vulnerabilities and obtaining new security
related patches.

With the rising number of people and hosts gaining access to the
Internet, the basic integrity of the Net needs to be maintained. Many of
the security incidents that happen on the Internet could have been avoided by
installing security patches that are available from vendors. It is important
to get the recent patches and ensure that your systems are configured
properly. With intruders and their underground network having quick access
to security vulnerabilities, it is important that administrators have
security information available and not rely on just one organization.

Here are the security contacts that information is available for:
A/UX, Cray, Dec, HP, IBM, Next, SGI, and Sun.

When reporting a new security bug, try to be as specific as
possible about how to reproduce it, which OS release (uname -a), and any
other release numbers of software that are involved.

A/UX
~~~~
Contact information for A/UX as follows:

Send security related information to the following people:
Erik E. Fair f...@apple.com
and CC: st...@apple.com
anto...@aux.support.apple.com (A/UX support person).

Cray
~~~~
Contact information for Cray as follows:

Cray Research customers should first direct questions and concerns to on-site
support personnel (if provided by their service contract). Other contacts
should be made through the

Technical Service Center
Cray Research, Inc.
655F Lone Oak Drive
Eagan MN 55121
USA
tel. +1-612-683-5600
email. supp...@cray.com

Dec
~~~
Contact information for Dec as follows:

Send security related information to the following people:
Reid, Brian K. (BKR) r...@PA.DEC.COM (415) 688-1307
Peck, Joseph R. (JRP50) p...@PA.DEC.COM (415) 688-1341
Rich Boren rich.bo...@cxo.mts.dec.com (719) 592-4689

Security patches are issued by Customer Support Centers.

HP
~~
Contact information for HP as follows:

For security concerns, questions, or problems, you can contact:
security-al...@hp.com

Obtaining Patches:

The HP SupportLine mail service is available to anyone who can send electronic
mail via the Internet.

If you have access to the Internet or can send electronic mail via an Internet
mail forwarder, you can use the HP SupportLine mail service.

***************************************************************************
* How do I access the HP SupportLine mail service? *
***************************************************************************

o To obtain a copy of the HP SupportLine mail service user's guide, send the
following in the TEXT PORTION OF THE MESSAGE to supp...@support.mayfield.hp.com
(no Subject is required):

send guide

Note: The HP SupportLine mail service user's guide is formatted using nroff. If
you would like an ASCII version of the user's guide or if you are utilizing a
non-UNIX mail reader, replace "send guide" with "send guide.txt".

o Once your request is received, the HP SupportLine mail service will send you
a copy of the user's guide.

o If you encounter any problems using the HP SupportLine mail service, report
them to support-feedb...@support.mayfield.hp.com

***************************************************************************
* What mailing lists are available? *
***************************************************************************

The following is a list of all mailing lists available via the HP SupportLine
mail service:

mailing_list_name     Description
-----------------     -----------
hpux_all_patch        weekly digest of all new hp-ux patches
hpux_300_patch        weekly digest of all new hp-ux s300_400 patches
hpux_700_patch        weekly digest of all new hp-ux s700 patches
hpux_800_patch        weekly digest of all new hp-ux s800 patches

dom_all_patch         weekly digest of all new domain patches
dom_m68k_patch        weekly digest of all new domain m68k patches
dom_a88k_patch        weekly digest of all new domain a88k patches

technical_tips        weekly digest of new HP Technical Tips
existing_news         monthly digest of new Existing Product News
general_news          monthly digest of new HP General News
new_products          monthly digest of new HP Product Information
security_info         Latest digest of new HP Security Bulletins
security_info_list    Index of available HP Security Bulletins

o To subscribe to an HP SupportLine mail service mailing list, send the
following in the TEXT PORTION OF THE MESSAGE to supp...@support.mayfield.hp.com
(no Subject is required):

subscribe mailing_list_name (i.e. subscribe hpux_all_patch)

On a weekly or monthly basis, the HP SupportLine mail service will create and
distribute the requested mailing_list_name digest directly to your mailbox.

***************************************************************************
* How do I get a Patch from HP? *
***************************************************************************

If you know the name of the patch needed,
Email to: supp...@support.mayfield.hp.com
with the body of the message stated as: "send PHKL_9999"

The patch will automatically be mailed back to you with a mail unpacker
script (patch_maker).

If you just want the README for the patch,
Email a message to: supp...@support.mayfield.hp.com
with the body of the message stated as: "send doc PHKL_9999"

The patch README will be mailed back to you.

Response Center Customers: 1-800-633-3600
BasicLine Customers: 1-415-691-3888

Outside the U.S., contact your local Response Center.
Also try email to bkel...@cup.hp.com

IBM
~~~
Contact information for IBM as follows:

IBM support @ 1-800 237-5511
Email to servi...@austin.ibm.com

Send security related information to Nick Trio (n...@watson.ibm.com,
a.k.a. postmas...@ibm.com) Unix person on IBM's Computer Emergency Response
Team) and Alan Fedeli (fed...@vnet.ibm.com).

There are some security patches on anonymous FTP software.watson.ibm.com
in pub/aix3 for AIX.

Security patches are issued through your IBM sales office.

Some of the following patches that are available are:
Patch: ix22628 Fix: Corrects TFTP from allowing people to grab /etc/passwd.

Next
~~~~
Contact information for Next as follows:

Technical Support at "ask_n...@next.com"
Phone number: 800.848.6398.

Address is 900 Chesapeake Drive; Redwood City, CA; 94063.

SGI
~~~
Contact information for SGI as follows:

Send security related information to postmas...@sgi.com and they
will forward it to the appropriate person. If there is no response, try
Dave Olson ol...@anchor.esd.sgi.com or Sarah J. Rosedahl sa...@sgi.com
(415)390-1124.

Support line 1-800-800-4SGI and ask what patches are available.

There are some security patches on anonymous FTP sgi.com in
directory sgi/IRIX4.0 (or 5.0 if the system is IRIX5).

Security patches are issued through your SGI sales office.

Sun
~~~
Contact information for Sun as follows:

email: security-al...@sun.com
phone: 415-688-9081
Fax: 415-688-9101

postal:
Sun Security Coordinator
MS MPK2-04
2550 Garcia Avenue
Mountain View, CA 94043-1100

Sun produces "Sun Security Bulletin" - ask security coordinator for it.

Other Resources
~~~~~~~~~~~~~~~
The CERT (Computer Emergency Response Team) advisory mailing list. Send
e-mail to c...@cert.org, and ask to be placed on their mailing list. Past
advisories and other information related to computer security are available
for anonymous FTP from cert.org (192.88.209.5).

The CIAC (Computer Incident Advisory Capability) of DoE. To report a
vulnerability, call CIAC at (510) 422-8193 or send e-mail to c...@llnl.gov.
Previous CIAC bulletins and other information are available via anonymous
ftp from irbis.llnl.gov (ip address 128.115.19.60).

Standard Form From CERT
~~~~~~~~~~~~~~~~~~~~~~~
Here is the form CERT provides for reporting new vulnerabilities found
in Unix platforms.

CERT Coordination Center
Product Vulnerability Reporting Form

Reporter Information

Reporter name :
Reporter e-mail :
Reporter phone / fax :
Reporter affiliation and address:
Date of report :

Reported to vendor: Y/N
Vendor contact name :
Vendor contact phone :
Vendor contact e-mail :
Vendor reference number :

===========================================================================
Policy Info

Reporter Considerations
Pass name to vendor? :
Use name in advisory? :

Special considerations (e.g. restrictions on dissemination):

===========================================================================
Technical Info

Vulnerability number (after assigned by CERT) :
System :
OS version :
Verified/Guessed:

Problem Description:

Impact:

Currently being exploited? : Y/N

Exploitation:

Systems and/or configurations vulnerable

Workarounds and/or fixes:

Problem Analysis:

Source code, logs, or other supporting technical info:

Acknowledgements
~~~~~~~~~~~~~~~~
Thanks Dave Millar for helping provide a portion of the information.

Copyright
~~~~~~~~~
This paper is Copyright (c) 1994 by Christopher Klaus

Permission is hereby granted to give away free copies. You may
distribute, transfer, or spread this paper. You may not pretend that
you wrote it. This copyright notice must be maintained in any copy made.

Disclaimer
~~~~~~~~~~
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event shall
the author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

Address of Author
~~~~~~~~~~~~~~~~~
Please send suggestions, updates, and comments to:
<ckl...@shadow.net>

--
Christopher William Klaus Email: ckl...@shadow.net Author:Inet Sec. Scanner
2209 Summit Place Drive,Dunwoody, GA 30350-2430. (404)206-1513.