HP3000-L Archives

February 2001, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Ronald R Horner <[log in to unmask]>
Reply To: Ronald R Horner <[log in to unmask]>
Date: Mon, 26 Feb 2001 13:01:29 -0600
I think that part of the problem is that MPE is, so often, forgotten, that
we in the community know if something is for us.  We can't just assume that
every time HP makes a statement, that they are including MPE.  The ESP thing
just is not working here.  And there are a lot of frustrated people here.
They don't know what to do, or how to get word out about MPE.  Just once,
can HP just use those three little letters M, P, E?  Really, it doesn't
hurt all that much.

Later

"YAWN,MICHAEL (HP-Cupertino,ex1)" wrote:

> Hi Alfredo,
>
> I'm not sure why MPE/iX wasn't explicitly mentioned in the OS list
> on this security bulletin, but I can assure you that the Java folks
> on the HP-UX side did a very good job of keeping us in the loop as
> this security problem was uncovered and worked on.
>
> The security team for the HP-UX Java implementation provided us with
> details of the problem, test cases to reproduce the problem, and
> code patches that fixed the problem.  We applied these patches
> to our Java implementation.  Since the timing of our release was
> different from the timing of the HP-UX release, we issued a
> separate security bulletin for the MPE/iX security patch.
>
> The team putting out the bulletin was aware that we were also
> working on the same problem; perhaps they felt it was our
> prerogative to release any information about the status of
> the fix on MPE/iX.
>
> I agree that MPE/iX could have been added to the list of
> platforms that the patch 'does not cover', but that might
> have led a reader to erroneously conclude that either the
> problem did not exist on MPE, or worse, that it wasn't being
> fixed for MPE.
>
> Mike
>
> -----Original Message-----
> From: F. Alfredo Rego
> To: HP3000-L
> Cc: Winston Prather; Ann Livermore; Mike Yawn; George Stachnik
> Sent: 2/24/01 6:17 AM
> Subject: MPE/iX missing (again) from an explicit HP OS list
>
> Have you seen HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0141,
> 21 Feb. '01?
>
> I have included a few lines below for your convenience, in case you
> missed it.
>
> Please note, under "PLATFORM", the sentence:
>
>             This security bulletin applies to Java on HP-UX,
>             and does not cover software shipped on Linux, nor
>             on Windows/NT.
>
> Where is MPE/iX?  Yes, I can hear it: It would be "inappropriate"
> and "confusing".  Fair enough.  Then, why include Windows/NT?
> The very first sentence under "PLATFORM" states:
>
>            HP9000 Series 700/800 running HP-UX releases 10.20,
>             10.24, 11.00, 11.04, and 11.11 only.
>
> Does Windows/NT run on these machines under these versions of HP-UX?
> If it does, great.  If it does not, then there are a few questions.
> Is this mention of Windows/NT "inappropriate" and "confusing"?
> If "yes", why go the extra length to mention Windows/NT?  If "no",
> why is it not confusing to mention Windows/NT in a purely-HP-UX
> context?  Is there a double (or triple) standard at play somewhere?
>
> Mike Yawn has done an excellent job with Java under MPE/iX.  In fact,
> Java under MPE/iX is an integral part of the new worldwide launch of
> the new HP e3000 servers.  What would HP have to lose by extending
> the offending sentence above to include (rather, to exclude :-)
> MPE/iX explicitly?  These technical bulletins, after all, don't go
> to "analysts" and other "potentially confusable" people.  They go
> to nuts-and-bolts engineers and scientists, who can certainly handle
> something like this:
>
>             This security bulletin applies to Java on HP-UX,
>             and does not cover software shipped on Linux, nor
>             on Windows/NT, nor on MPE/iX.
>
>   _______________
> |               |
> |               |
> |            r  |  Alfredo                     [log in to unmask]
> |          e    |                           http://www.adager.com
> |        g      |  F. Alfredo Rego
> |      a        |  Manager, R & D Labs
> |    d          |  Adager Corporation
> |  A            |  Sun Valley, Idaho 83353-3000            U.S.A.
> |               |
> |_______________|
>
> _________________________________________________________________________
>
> ...
>
> Document ID:  HPSBUX0102-141
> Date Loaded:  20010221
>        Title:  Sec. Vulnerability in JRE
>
> -------------------------------------------------------------------------
>      HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0141, 21 Feb. '01
> -------------------------------------------------------------------------
>
>    The information in the following Security Bulletin should be acted
>    upon as soon as possible.  Hewlett-Packard Company will not be liable
>    for any consequences to any customer resulting from customer's failure
>    to fully implement instructions in this Security Bulletin as soon as
>    possible.
>
> -------------------------------------------------------------------------
> ISSUE:   Sun Microsystems discovered a potential security issue in the
>           Java Runtime Environment.  The issue poses a possible security
>           risk by allowing malicious Java code to execute unauthorized
>           commands under certain circumstances.
>
> PLATFORM:  HP9000 Series 700/800 running HP-UX releases 10.20, 10.24,
>             11.00, 11.04, and 11.11 only.  This security bulletin applies
>             to Java on HP-UX, and does not cover software shipped on
>             Linux, nor on Windows/NT.
>
> POSSIBLE RESULT: Improper permission may be granted in some cases.
>
> SOLUTION:  Install the latest Java releases as described below.
>
> AVAILABILITY: The fixed releases are available immediately.
> -------------------------------------------------------------------------
>
> ...

--
Ron Horner
HP3000 Systems Administrator
JCPenney Logistics
[log in to unmask]
(414) 259-2274
