> David Wolverton
> As a 'security risk', has IBM explicitly been asked to fix
> this item and said they'd prefer just to leave a gaping hole?
> Or is it like many things, everyone knows it, but everyone
> thinks someone else has followed up on it, and it must just
> be 'the way it must be'... Remember, IBM does not monitor
> this list for bugs to fix... At least, I'm not expecting them to!
>
> IBM seems to respond to TechConnect issues -- Log it!

I first _formally_ reported it in 1996, although I can't prove that at this point. I think there was a GTAR. I have also had personal conversations about it with several Vmark/Ardent/Informix/IBM people who were in a position to care or take action. I remember asking about it in a question/answer panel during the Ft. Lauderdale, 1998 national conference.

So it has been a conscious decision to leave it as is for about a decade. (When was UV first implemented on NT? I do not remember how catdir's REF counter is implemented there.)

I cannot imagine I am the only one who has ever complained. It is a glaring hole that everyone sees when they do the "ls -lt uv/catdir" that John Reid mentioned at the top of this thread. Or everyone who wondered how the &MAP&'s REF counter was incremented.

I have not vigorously pursued it because those paying my bills, whose DBs I would be protecting, have not cared enough. I don't think the majority of companies worry about malicious attacks (from their own staff or contractors). Even SJ+'s PRC, the premier U2 software control tool, does not prevent malicious attempts to circumvent it. My own UV/RCS-based SCM effort tightens things down pretty well, but I haven't figured out how to protect catdir. I can only log changes to it.

I'll take it to U2UG's Enhancement committee.

cds