HP3000-L Archives

April 2003, Week 1

HP3000-L@RAVEN.UTC.EDU

From: Donna Garverick <[log in to unmask]>
Reply To: Donna Garverick <[log in to unmask]>
Date: Tue, 1 Apr 2003 09:57:03 -0800

figured folks might be interested....              - d

IT Resource Center wrote:

>                         HP Support Information Digests
>
> ===============================================================================
> o  Security Bulletin Digest Split
>    ------------------------------
>
>    The security bulletins digest has been split into multiple digests
>    based on the operating system (HP-UX, MPE/iX, and HP Secure OS
>    Software for Linux).  You will continue to receive all security
>    bulletin digests unless you choose to update your subscriptions.
>
>    To update your subscriptions, use your browser to access the
>    IT Resource Center on the World Wide Web at:
>
>      http://support.itrc.hp.com/
>
>    Under the Maintenance and Support Menu, click on the "more..." link.
>    Then use the 'login' link at the left side of the screen to login
>    using your IT Resource Center User ID and Password.
>
>    Under the notifications section (near the bottom of the page), select
>    Support Information Digests.
>
>    To subscribe or unsubscribe to a specific security bulletin digest,
>    select or unselect the checkbox beside it. Then click the
>    "Update Subscriptions" button at the bottom of the page.
>
> o  IT Resource Center World Wide Web Service
>    ---------------------------------------------------
>
>    If you subscribed through the IT Resource Center and would
>    like to be REMOVED from this mailing list, access the
>    IT Resource Center on the World Wide Web at:
>
>      http://support.itrc.hp.com/
>
>    Login using your IT Resource Center User ID and Password.
>    Then select Support Information Digests (located under
>    Maintenance and Support).  You may then unsubscribe from the
>    appropriate digest.
> ===============================================================================
>
> Digest Name:  daily MPE/iX security bulletins digest
>     Created:  Tue Apr  1  6:00:02 EST 2003
>
> Table of Contents:
>
> Document ID      Title
> ---------------  -----------
> HPSBMP0303-017   SSRT3527 Security Vulnerability in MPE/iX sendmail
> HPSBMP0303-016   SSRT3525 Security Vulnerability in MPE/iX ftp
>
> The documents are listed below.
> -------------------------------------------------------------------------------
>
> Document ID:  HPSBMP0303-017
> Date Loaded:  20030331
>       Title:  SSRT3527 Security Vulnerability in MPE/iX sendmail
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>  -----------------------------------------------------------------
>  Source: HEWLETT-PACKARD COMPANY
>  SECURITY BULLETIN: HPSBMP0303-017
>  Originally issued: 25 March 2003
>  SSRT3527 Security Vulnerability in MPE/iX sendmail
>  -----------------------------------------------------------------
>
> NOTICE: There are no restrictions for distribution of this
> Bulletin provided that it remains complete and intact.
>
> The information in the following Security Bulletin should be
> acted upon as soon as possible.  Hewlett-Packard Company will
> not be liable for any consequences to any customer resulting
> from customer's failure to fully implement instructions in this
> Security Bulletin as soon as possible.
>
>  -----------------------------------------------------------------
> PROBLEM:    Potential security vulnerability in sendmail
>
> IMPACT:     Potential Denial of Service (DoS).
>
> PLATFORM:   MPE 7.0 and 7.5 running Sendmail 8.12.1 A.01.00, as
>             well as earlier unsupported freeware versions of
>             sendmail.
>
> SOLUTION:   Download and install the appropriate sendmail patch
>                 MPE/iX 7.5  SMLHD04A,
>                 MPE/iX 7.0  SMLHD03A,
>                 MPE/iX 6.5 (and earlier)  See below.
>
> MANUAL ACTIONS: Yes - Non-HP-UX only
>                 See below.
>
> AVAILABILITY:   All patches are available now on itrc.hp.com
>  -----------------------------------------------------------------
>  A. Background
>     A potential security vulnerability with sendmail/iX 8.12.1
>     A.01.00 has been reported in MPE/iX.  This potential
>     vulnerability may result in a remote Denial of Service (DoS)
>     only.
>
>     NOTE:  This is similar but not identical to the vulnerability
>            reported in CERT/CC CA-2003-07, as MPE/iX implements
>            sendmail differently.
>
>     CERT/CC is tracking this issue as VU#398025.  This reference
>     number corresponds to CVE candidate CAN-2002-1337.
>
>     NOTE: This problem does not impact HP NonStop Servers, nor
>           HP OpenVMS, nor HP Tru64 UNIX/Trucluster Server.
>
>  B. Recommended solution
>     Download and install the following fixes on the appropriate
>     HP3000 systems:
>                 MPE/iX 7.5  SMLHD04A,
>                 MPE/iX 7.0  SMLHD03A,
>                 MPE/iX 6.5 (and earlier)
>     NOTE:
>     On releases before 6.5 where sendmail is not officially
>     supported, the SENDMAIL NMPRG within SMLHD03A or SMLHD04A
>     will work for unsupported freeware versions.
>
>     Download and unpack SMLHD03A or SMLHD04A, then manually copy
>     the new SENDMAIL NMPRG into the appropriate group in the
>     SENDMAIL account.
>
>  C. To subscribe to automatically receive future NEW HP Security
>     Bulletins from the HP IT Resource Center via electronic
>     mail, do the following:
>
>     Use your browser to get to the HP IT Resource Center page
>     at:
>
>        http://itrc.hp.com
>
>     Use the 'Login' tab at the left side of the screen to login
>     using your ID and password.  Use your existing login or the
>     "Register" button at the left to create a login, in order to
>     gain access to many areas of the ITRC.  Remember to save the
>     User ID assigned to you, and your password.
>
>     In the left most frame select "Maintenance and Support".
>
>     Under the "Notifications" section (near the bottom of
>     the page), select "Support Information Digests".
>
>     To -subscribe- to future HP Security Bulletins or other
>     Technical Digests, click the check box (in the left column)
>     for the appropriate digest and then click the "Update
>     Subscriptions" button at the bottom of the page.
>
>     or
>
>     To -review- bulletins already released, select the link
>     (in the middle column) for the appropriate digest.
>
>     NOTE: Using your itrc account security bulletins can be
>           found here:
>     http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin
>
>     To -gain access- to the Security Patch Matrix, select
>     the link for "The Security Bulletins Archive".  (near the
>     bottom of the page)  Once in the archive the third link is
>     to the current Security Patch Matrix. Updated daily, this
>     matrix categorizes security patches by platform/OS release,
>     and by bulletin topic.  Security Patch Check completely
>     automates the process of reviewing the patch matrix for
>     11.XX systems.  Please note that installing the patches
>     listed in the Security Patch Matrix will completely
>     implement a security bulletin _only_ if the MANUAL ACTIONS
>     field specifies "No."
>
>     The Security Patch Check tool can verify that a security
>     bulletin has been implemented on HP-UX 11.XX systems providing
>     that the fix is completely implemented in a patch with no
>     manual actions required.  The Security Patch Check tool cannot
>     verify fixes implemented via a product upgrade.
>
>     For information on the Security Patch Check tool, see:
>     http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
>     displayProductInfo.pl?productNumber=B6834AA
>
>     The security patch matrix is also available via anonymous
>     ftp:
>
>     ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/
>
>     On the "Support Information Digest Main" page:
>     click on the "HP Security Bulletin Archive".
>
>     The PGP key used to sign this bulletin is available from
>     several PGP Public Key servers.  The key identification
>     information is:
>
>        2D2A7D59
>        HP Security Response Team (Security Bulletin signing only)
>        <[log in to unmask]>
>        Fingerprint =
>          6002 6019 BFC1 BC62 F079 862E E01F 3AFC 2D2A 7D59
>
>     If you have problems locating the key please write to
>     [log in to unmask]  Please note that this key is
>     for signing bulletins only and is not the key returned
>     by sending 'get key' to [log in to unmask]
>
>  D. To report new security vulnerabilities, send email to
>
>     [log in to unmask]
>
>     Please encrypt any exploit information using the
>     security-alert PGP key, available from your local key
>     server, or by sending a message with a -subject- (not body)
>     of 'get key' (no quotes) to [log in to unmask]
>
>  -----------------------------------------------------------------
>
> (c)Copyright 2003 Hewlett-Packard Company
> Hewlett-Packard Company shall not be liable for technical or
> editorial errors or omissions contained herein. The information
> in this document is subject to change without notice.
> Hewlett-Packard Company and the names of HP products referenced
> herein are trademarks and/or service marks of Hewlett-Packard
> Company.  Other product and company names mentioned herein may be
> trademarks and/or service marks of their respective owners.
>
>  ________________________________________________________________
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0
>
> iQA/AwUBPoDzueAfOvwtKn1ZEQIXhwCfXdoC3IBw5CNEeOpP0pUUyCdMf8AAni9I
> AslcC8ZiHbj7D21ddtDh5L68
> =WRul
> -----END PGP SIGNATURE-----
> -----End of Document ID:  HPSBMP0303-017--------------------------------------
>
> Document ID:  HPSBMP0303-016
> Date Loaded:  20030331
>       Title:  SSRT3525 Security Vulnerability in MPE/iX ftp
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>  -----------------------------------------------------------------
>  Source: HEWLETT-PACKARD COMPANY
>  SECURITY BULLETIN: HPSBMP0303-016
>  Originally issued: 25 March 2003
>  SSRT3525 Security Vulnerability in MPE/iX ftp
>  -----------------------------------------------------------------
>
> NOTICE: There are no restrictions for distribution of this
> Bulletin provided that it remains complete and intact.
>
> The information in the following Security Bulletin should be
> acted upon as soon as possible.  Hewlett-Packard Company will
> not be liable for any consequences to any customer resulting
> from customer's failure to fully implement instructions in this
> Security Bulletin as soon as possible.
>
>  -----------------------------------------------------------------
> PROBLEM: Remote unauthorized users may potentially access
>          privileged data.
>
> IMPACT:  Unauthorized access.
>
> PLATFORM: HP3000 running MPE/iX 5.5, 6.X or 7.X.
>
> SOLUTION: Install the following fixes on supported MPE/iX
>           releases:
>                      FTPGDY7  for 6.5,
>                      FTPGDY8  for 7.0,
>                      FTPGDY9  for 7.5.
>
> MANUAL ACTIONS: Yes - NonHPUX only.
>                 See below.
>
> AVAILABILITY: All beta-test patches are available now on
>               itrc.hp.com.
>
>  -----------------------------------------------------------------
>  A. Background
>     Hewlett-Packard has discovered that changes made in the 1996
>     FTP Enhancement allow incorrect file operations.
>
>     NOTE: This problem does not impact HP NonStop Servers, nor
>           HP OpenVMS, nor HP Tru64 UNIX/Trucluster Server.
>
>  B. Recommended solution
>     Download and install the following fixes on the appropriate
>     HP3000 systems:
>                  FTPGDY7   for 6.5,
>                  FTPGDY8   for 7.0,
>                  FTPGDY9   for 7.5.
>
>     On older non-supported releases, the following workarounds
>     may be used.
>
>     a) In the file inetdcnf.net, remove (comment out) the ftp
>        entry.  This disables ftp access.
>     b) Discontinue using FTP/iX (remember to terminate JINETD job)
>     c) Install a newer supported Operating System software version
>        and then apply the appropriate FTP patch.
>
>  C. To subscribe to automatically receive future NEW HP Security
>     Bulletins from the HP IT Resource Center via electronic
>     mail, do the following:
>
>     Use your browser to get to the HP IT Resource Center page
>     at:
>
>        http://itrc.hp.com
>
>     Use the 'Login' tab at the left side of the screen to login
>     using your ID and password.  Use your existing login or the
>     "Register" button at the left to create a login, in order to
>     gain access to many areas of the ITRC.  Remember to save the
>     User ID assigned to you, and your password.
>
>     In the left most frame select "Maintenance and Support".
>
>     Under the "Notifications" section (near the bottom of
>     the page), select "Support Information Digests".
>
>     To -subscribe- to future HP Security Bulletins or other
>     Technical Digests, click the check box (in the left column)
>     for the appropriate digest and then click the "Update
>     Subscriptions" button at the bottom of the page.
>
>     or
>
>     To -review- bulletins already released, select the link
>     (in the middle column) for the appropriate digest.
>
>     NOTE: Using your itrc account security bulletins can be
>           found here:
>     http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin
>
>     To -gain access- to the Security Patch Matrix, select
>     the link for "The Security Bulletins Archive".  (near the
>     bottom of the page)  Once in the archive the third link is
>     to the current Security Patch Matrix. Updated daily, this
>     matrix categorizes security patches by platform/OS release,
>     and by bulletin topic.  Security Patch Check completely
>     automates the process of reviewing the patch matrix for
>     11.XX systems.  Please note that installing the patches
>     listed in the Security Patch Matrix will completely
>     implement a security bulletin _only_ if the MANUAL ACTIONS
>     field specifies "No."
>
>     The security patch matrix is also available via anonymous
>     ftp:
>
>     ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/
>
>     On the "Support Information Digest Main" page:
>     click on the "HP Security Bulletin Archive".
>
>     The PGP key used to sign this bulletin is available from
>     several PGP Public Key servers.  The key identification
>     information is:
>
>        2D2A7D59
>        HP Security Response Team (Security Bulletin signing only)
>        <[log in to unmask]>
>        Fingerprint =
>          6002 6019 BFC1 BC62 F079 862E E01F 3AFC 2D2A 7D59
>
>     If you have problems locating the key please write to
>     [log in to unmask]  Please note that this key is
>     for signing bulletins only and is not the key returned
>     by sending 'get key' to [log in to unmask]
>
>  D. To report new security vulnerabilities, send email to
>
>     [log in to unmask]
>
>     Please encrypt any exploit information using the
>     security-alert PGP key, available from your local key
>     server, or by sending a message with a -subject- (not body)
>     of 'get key' (no quotes) to [log in to unmask]
>
>  -----------------------------------------------------------------
>
> (c)Copyright 2003 Hewlett-Packard Company
> Hewlett-Packard Company shall not be liable for technical or
> editorial errors or omissions contained herein. The information
> in this document is subject to change without notice.
> Hewlett-Packard Company and the names of HP products referenced
> herein are trademarks and/or service marks of Hewlett-Packard
> Company.  Other product and company names mentioned herein may be
> trademarks and/or service marks of their respective owners.
>
>  ________________________________________________________________
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0
>
> iQA/AwUBPoDQOOAfOvwtKn1ZEQK4dACfTMIM0c2sDn1hyIcyo+az5F8JU2gAoLLi
> 32GSTiwIEbLAQjL0QooG3gNI
> =wN2a
> -----END PGP SIGNATURE-----
> -----End of Document ID:  HPSBMP0303-016--------------------------------------

--
Donna Garverick     Sr. System Programmer
925-210-6631        [log in to unmask]

Come, my friends, 'Tis not too late to seek a newer world.
Tho' much is taken, much abides; and tho'
We are not now that strength which in old days
Moved earth and heaven, that which we are, we are.
"Ulysses", A. Tennyson

>>>MY opinions, not Longs Drug Stores'<<<

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
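
Both bulletins in the forwarded digest use the same field layout, and the digest notes that installing patches completely implements a bulletin only when MANUAL ACTIONS is "No". As an added example (not part of the original post and not HP tooling), the Python below parses that layout and reports, per MPE/iX release, which patch applies and whether manual follow-up remains; `parse_digest`, `actions_for` and the patch-name pattern are assumptions made for illustration.

```python
import re

# Abridged from the two bulletins quoted above, "> " reply prefix kept.
SAMPLE_DIGEST = """\
>  SECURITY BULLETIN: HPSBMP0303-017
> SOLUTION:   Download and install the appropriate sendmail patch
>                 MPE/iX 7.5  SMLHD04A,
>                 MPE/iX 7.0  SMLHD03A,
>                 MPE/iX 6.5 (and earlier)  See below.
> MANUAL ACTIONS: Yes - Non-HP-UX only
>  SECURITY BULLETIN: HPSBMP0303-016
> SOLUTION: Install the following fixes on supported MPE/iX
>           releases:
>                      FTPGDY7  for 6.5,
>                      FTPGDY8  for 7.0,
>                      FTPGDY9  for 7.5.
> MANUAL ACTIONS: Yes - NonHPUX only.
"""

FIELD = re.compile(r"^([A-Z][A-Z ]*[A-Z]):\s*(.*)$")
PATCH = r"[A-Z]{3}[A-Z0-9]{4,5}"  # assumed shape, inferred from the names above
REL_THEN_PATCH = re.compile(rf"MPE/iX (\d\.\d)\s+({PATCH})\b")
PATCH_THEN_REL = re.compile(rf"\b({PATCH})\s+for (\d\.\d)")

def parse_digest(text):
    """One dict per bulletin; manual is True unless MANUAL ACTIONS says No."""
    bulletins, field = [], None
    for raw in text.splitlines():
        line = re.sub(r"^> ?", "", raw)  # drop the reply-quote prefix
        if start := re.search(r"SECURITY BULLETIN: (\S+)", line):
            bulletins.append({"id": start.group(1), "fields": {}})
            field = None
        elif bulletins and (header := FIELD.match(line)):  # field at column 0
            field = header.group(1)
            bulletins[-1]["fields"][field] = header.group(2).strip()
        elif field and line[:1].isspace() and line.strip():
            bulletins[-1]["fields"][field] += " " + line.strip()  # continuation
        else:
            field = None  # a blank or unindented line ends the field
    for b in bulletins:
        sol = b["fields"].get("SOLUTION", "")
        b["patches"] = dict(REL_THEN_PATCH.findall(sol))
        b["patches"].update((rel, p) for p, rel in PATCH_THEN_REL.findall(sol))
        b["manual"] = not re.match(r"no\b", b["fields"].get("MANUAL ACTIONS", ""), re.I)
    return bulletins

def actions_for(release, bulletins):
    """(bulletin id, patch for this release or None, manual follow-up?)."""
    return [(b["id"], b["patches"].get(release), b["manual"]) for b in bulletins]
```

A `None` patch with the manual flag set, as for sendmail on 6.5, means the bulletin's section B has to be read for the manual procedure.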
