OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Dave Ahmad (da_at_securityfocus.com)
Date: Tue Nov 26 2002 - 09:22:46 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    SECURITY BULLETIN: SSRT2385 OSIS V5.4 LDAP Module for
                       System Authentication Potential Security
                       Vulnerability

    REVISION: 0

    NOTICE: There are no restrictions for distribution of this
            Bulletin provided that it remains complete and
    intact.

    RELEASE DATE: 13 November 2002

    SEVERITY: High

    SOURCE:
             Hewlett-Packard Company and
             Hewlett-Packard Company HP Services
             Software Security Response Team

    REFERENCE: SSRT2385

    PROBLEM SUMMARY:

             This bulletin will be posted to the support
             website within 24 hours of release to
             http://thenew.hp.com/country/us/eng/support.html
             Use the SEARCH IN feature box, enter SSRT2385 in
             the search window.

       SSRT2385 LDAP (Severity - High)

       A potential security vulnerability has been has been
       identified in the Lightweight Directory Access Protocol
       (LDAP) Module for System Authentication from Open
       Source Internet Solutions (OSIS) V5.4. Later versions
       of OSIS have been renamed Internet Express for Tru64 UNIX.

       The potential vulnerability may result in nonprivileged
       users gaining unauthorized access to files or privileged access
       on the system. This potential vulnerability may be in the form of
       local and remote security domain risks.

    VERSIONS IMPACTED:

          HP Tru64 UNIX V4.0G

          HP Tru64 UNIX V4.0F

    NOT IMPACTED:

          HP-UX

          HP-MPE/ix

          HP NonStop Servers

          HP OpenVMS

    RESOLUTION:

       Early Release Patches (ERPs) are now available for
       OSIS 5.4 LDAP Module for System Authentication for
       HP Tru64 UNIX V4.0F and V4.0G (Cluster and Non-clustered
       Systems) that provide a solution to this potential
       vulnerability.

           NOTE:
           Customers running the LDAP Module for System
           Authentication on HP Tru64 UNIX V5.*/TruCluster V5.*
           should update to the version included with Internet Express
           V5.9 or later.

       Please review the README file for each patch prior to
       installation.

       HP Tru64 UNIX V4.0G/TruCluster Server V1.6:

     PREREQUISITE: OSIS V5.4 LDAP Module for System Authentication
     Patch Kit Name: OSISV54_SSRT2385_40G_PATCH.tar
     Kit Location: ftp://ftp1.support.compaq.com/public/unix/v4.0g/

     HP Tru64 UNIX V4.0F/TruCluster Server V1.6:
     PREREQUISITE: OSIS V5.4 LDAP Module for System Authentication
     Patch Kit Name: OSISV54_SSRT2385_40F_PATCH.tar
     Kit Location: ftp://ftp1.support.compaq.com/public/unix/v4.0f/

    After completing the update, HP strongly
    recommends that you perform an immediate backup of
    the system disk so that any subsequent restore operations
    begin with updated software. Otherwise, the updates must
    be re-applied after a future restore operation. Also, if
    at some future time the system is upgraded to a later
    patch release or version release, reinstall the
    appropriate ERP.

    SUPPORT:

    For further information, contact HP Services.

    SUBSCRIBE:

    To subscribe to automatically receive future Security
    Advisories from the Software Security Response Team via
    Electronic mail:
    http://www.support.compaq.com/patches/mailing-list.shtml

    REPORT:

    To report a potential security vulnerability with any HP supported
    product, send email to: security-alerthp.com

    As always, HP urges you to periodically review your system management
    and security procedures. HP will continue to review and enhance the
    security features of its products and work with our customers to
    maintain and improve the security and integrity of their systems.

    "HP is broadly distributing this Security Bulletin in order to bring
    to the attention of users of the affected HP products the important
    security information contained in this Bulletin. HP recommends that
    all users determine the applicability of this information to their
    individual situations and take appropriate action. HP does not
    warrant that this information is necessarily accurate or complete for
    all user situations and, consequently, HP will not be responsible
    for any damages resulting from user's use or disregard of the
    information provided in this Bulletin."

    (c)Copyright 2002 Hewlett-Packard Company.
    Hewlett-Packard Company shall not be liable for technical
    or editorial errors or omissions contained herein. The
    information in this document is subject to change without
    notice. Hewlett-Packard Company and the names of
    Hewlett-Packard products referenced herein are trademarks
    of Hewlett-Packard Company in the United States and other
    countries. Other product and company names mentioned herein
    may be trademarks of their respective owners.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.1

    iQA/AwUBPeKmEDnTu2ckvbFuEQL12QCg4I0p0vIY8zXuoBGvghPZgew1VsYAoP6z
    pkPRSIFp2CnEEZrpUGVR2qYU
    =8epn
    -----END PGP SIGNATURE-----