[Info-vax] Shell vulnerabilities, was: Re: What to do with my VAX.....

[gah4]

On Monday, October 26, 2020 at 4:24:06 AM UTC-7, abrsvc wrote:

(snip)

> I honestly don't recall the specifics as it was quite a while ago, but I do know that it was never fixed as the "bug" had been in existence for over 20 years without any reports other that one problem that ended up being traced to it. I was working at DEC at the time, so it is possible that the report was in an internal doc, but I don't recall. Nothing to do with security BTW. Just making the point that "bugs" can exist for a long time without discovery.

This is reminding me of a story about a TOPS-10 bug that I heard 40 years ago.

It seems that the QUEUE command has an option to run a program when finished.
(This is used so a program can run it, and then get control back.)

The system also lets you run QUEUE when not logged in, so you can check
the status of jobs.

It seems it took some time to figure out that both features could be used together,
but finally someone sent in a bug report ... and checked the PUBLISH option on the form.