× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  • Subject: Re: URGENT !! PTFs to fix another integrity problem
  • From: Chuck Lewis <clewis@xxxxxxxxxx>
  • Date: Fri, 28 Jul 2000 07:28:50 +0100

Right you are Eric !

The first problem was discovered last month and dealt with fairly quickly (even
though it had been around since the S/38 days from what I hear - someone
correct me if I am wrong !!! So warn any S/38 shops you know of  <BG>)

Chuck

Eric Merritt wrote:

> Here is the deal guys. Be aware there are two sets of
> ptfs. This is strait from the AS400 Network ->
>
> New PTFs Plug Password Security Hole
> By Gary Guthrie
> Tech Editor
> JUNE 14, 2000 — A serious AS/400 security exposure was
> recently brought to IBM’s attention. Though IBM
> encrypts passwords before storing them permanently,
> your users’ passwords may have been compromised by the
> fact that unencrypted passwords are also stored in
> another location temporarily. If a hacker discovers
> where and when the unencrypted passwords are stored,
> he can use a simple technique to capture the
> passwords, giving him access to your network
> resources.
>
> IBM responded to this revelation in an expedient
> manner and has issued the following PTFs:
>
> V3R2 — SF62947
> V4R1 — SF62944
> V4R1M4 — SF62945
> V4R2 — SF62946
> V4R3 — SF62894
> V4R4 — SF62895
> V4R5 — SF62896
> Because of the other PTFs in the supercede chain, the
> PTFs for V3R2 and V4R2 are delayed PTFs. You must IPL
> to apply the PTFs for these releases.
>
> You should load and apply the appropriate PTF
> immediately. You can download these PTFs on the
> Internet using IBM’s iPTF facility at
> http://as400service.ibm.com. Click the "Fixes,
> Downloads and Updates" link and follow the links for
> the AS/400 Internet PTF facility (iPTF).
>
> After loading and applying the PTF, you must end and
> restart all subsystems to fully activate the fix.
> Because passwords may have been compromised prior to
> the PTF being applied to your system, it is strongly
> recommended that after you activate the fix, you
> require all users to change their passwords.
>
> -------------------------------------------------------
> Tech Talk: More PTFs for More Password Security Holes
> By Gary Guthrie
> Tech Editor
> JULY 26, 2000 — You may recall that last month we
> reported a serious security exposure in which your
> passwords may have been compromised, along with a list
> of PTFs to address the issue. Well, the AS/400
> security fires continue to heat up with another round
> of PTFs to address yet another serious security
> exposure. As with last month’s problem, your passwords
> may have been compromised by the fact that another
> location has been found that contains easily obtained
> unencrypted passwords. Again, IBM responded quickly to
> this issue and released the following PTFs:
>
> V3R2 — SF63352
> V4R1 — SF63350
> V4R1M4 — SF63351
> V4R2 — SF63357
> V4R3 — SF63347
> V4R4 — SF63349
> But be aware; this security hole isn’t the same as the
> one discussed last month. Even if you’ve applied the
> PTFs from last month’s fix, the exposure still exists.
>
> My advice this month is that same as last month. You
> should load and apply the appropriate PTF immediately.
> You can download these PTFs on the Internet using
> IBM’s iPTF facility at http://as400service.ibm.com.
> Click the "Fixes, Downloads and Updates" link and
> follow the links for the AS/400 Internet PTF facility
> (iPTF).
>
> Because passwords may have been compromised prior to
> the PTF being applied to your system, it is strongly
> recommended that after you activate the fix, you
> require all users to change their passwords.
>
> __________________________________________________
> Do You Yahoo!?
> Kick off your party with Yahoo! Invites.
> http://invites.yahoo.com/
> +---
> | This is the JAVA/400 Mailing List!
> | To submit a new message, send your mail to JAVA400-L@midrange.com.
> | To subscribe to this list send email to JAVA400-L-SUB@midrange.com.
> | To unsubscribe from this list send email to JAVA400-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner: joe@zappie.net
> +---

+---
| This is the JAVA/400 Mailing List!
| To submit a new message, send your mail to JAVA400-L@midrange.com.
| To subscribe to this list send email to JAVA400-L-SUB@midrange.com.
| To unsubscribe from this list send email to JAVA400-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: joe@zappie.net
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.