I have received a lot of private mail regarding the fixes released over
the weekend. Because over 200 sites are affected, I cannot reply
individually to everyone, in particular not to questions which have been
answered on the list.

If you have not read the descriptions of the 3 fixes in question, do so
before reading any further or asking me something. The answer to your
question is probably in the description.

Everyone should install the first fix. It is a good idea to install the
second fix even if you don't run CMS 6-8. It is a harmless waste of your
time to install the third fix if your copy of LSWCWRT MODULE is readable.
The only purpose of the third fix is to make it possible for people whose
LSWCWRT MODULE was destroyed to order a new copy without having to ask
me, so that I don't have to ship 100 copies manually. I did send copies
to the first few that asked, but eventually gave up. If you asked me for
a copy and didn't receive it yet, do not wait for me to send it!

If you tried to install the third fix before the second one (and were
told that a pre-req was missing), the installation of the third fix may
fail even after applying the second one. This is because CARD is
NUCXLOADed, so you are still using the old copy; just NUCXDROP CARD and
re-install the third fix. It does not happen if you install the fixes in
the right order because the state of your A-disk will not trigger the bug
in that case (it would be long to explain).

If you inadvertently lost some of the messages I posted, do not ask me
for a copy! Get it from the list archives, it is faster for both of us.
If you don't know how to access list archives, now is a good time to
learn (TELL LISTSERV INFO DATABASE). If you don't have time for such
things, try for a few seconds to think up reasons why I would consider
your time more precious than mine, and come by yourself to the obvious
conclusion, thus saving yourself the time needed to lecture me about
imaginary "duties".

I am indeed very sorry to have written code with a security exposure - I
never claimed to be perfect. This does not however mean that I have time
to reassure 50 people individually and confirm that command so and so was
indeed the right one to type. Even if you typed the right command, all I
can say is that you ran the program that installs the fix, which for all
I know might have failed or might be buggy. You might have had the wrong
disks accessed, and so on. There is no way I am going to confirm to
anyone that the exposure is gone based on a console log or command you
typed, because it simply proves nothing! The only way to confirm that the
exposure is gone is by poking it and finding out that the wall doesn't
yield. If you want me to do that, say so very explicitly so I know I
won't get sued if I do it, and I still won't do that without a good bit
of convincing.

Eric