From: IT Resource Center (support_feedback@us-support.external.hp.com)
Date: Thu Mar 01 2001 - 06:05:35 CST

                            HP Support Information Digests

    ===============================================================================
    o IT Resource Center World Wide Web Service
       ---------------------------------------------------

       If you subscribed through the IT Resource Center and would
       like to be REMOVED from this mailing list, access the
       IT Resource Center on the World Wide Web at:

         http://www.itresourcecenter.hp.com/

       Login using your IT Resource Center User ID and Password.
       Then select Support Information Digests (located under
       Maintenance and Support). You may then unsubscribe from the
       appropriate digest.
    ===============================================================================


    Digest Name: daily security bulletins digest
        Created: Thu Mar 1 3:00:03 PST 2001

    Table of Contents:

    Document ID Title
    --------------- -----------
    HPSBUX0102-144 Sec. Vulnerability in BIND
    HPSBUX0102-143 Sec. Vulnerability in SD-UX
    HPSBUX0102-142 Sec. Vulnerability in OV OmniBack

    The documents are listed below.
    -------------------------------------------------------------------------------


    Document ID: HPSBUX0102-144
    Date Loaded: 20010228
          Title: Sec. Vulnerability in BIND

    ----------------------------------------------------------------------
       HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0144, 28 Feb. '01
    ----------------------------------------------------------------------
        The information in the following Security Bulletin should be
        acted upon as soon as possible. Hewlett-Packard Company will
        not be liable for any consequences to any customer resulting
        from customer's failure to fully implement instructions in
        this Security Bulletin as soon as possible.
    ----------------------------------------------------------------------
    ISSUE: The CERT advisories CA-2001-02 and CA-2000-20 detailed
              several BIND vulnerabilities, including buffer overflows,
              an input validation error, disclosure of environment
              variables, and denial of service.
              See:
                http://www.cert.org/advisories/CA-2001-02.html
                  and
                http://www.cert.org/advisories/CA-2000-20.html .

              The Internet Software Consortium has posted information
              about all vulnerabilities at the following URL:

                http://www.isc.org/products/BIND/bind-security.html

    PLATFORM: HP9000 servers and workstations running HP-UX releases
               11.11, 11.00, 11.04, 10.20, 10.24, 10.10, and 10.01.

    POSSIBLE RESULT: May allow remote users to disrupt normal operation
                     on the DNS servers; other services could be
                     impacted if these vulnerabilities are exploited.

    SOLUTION: Apply patches for HP-UX releases as follows:
                     for 11.00: PHNE_23274 (BIND 4.9.7)
                         11.00: * (BIND 8.1.2)
                         11.11: PHNE_23275 (BIND 8.1.2)
                         11.04: PHNE_22919 (BIND 4.9.7)
                         10.20: PHNE_23277 (BIND 4.9.7)
                         10.24: PHNE_23439 (BIND 4.9.7)
                         10.10: PHNE_23277 (BIND 4.9.7)
                         10.01: PHNE_23277 (BIND 4.9.7)

               * See Section B below.

    AVAILABILITY: The patches are available now.
    -----------------------------------------------------------------------
    I.
        A. Background
           The CERT advisories (CA-2001-02, and CA-2000-20) detailed several
           BIND vulnerabilities.
           The Berkeley Internet Name Domain (BIND) is an implementation of
           the Domain Name System (DNS) protocols. Complete details can be
           found at: http://www.cert.org/advisories/CA-2001-02.html and
                      http://www.cert.org/advisories/CA-2000-20.html .

        B. Recommended solution

           The problem can be fully resolved by applying the appropriate
           patches to the system from http://itrc.hp.com.
            For HP-UX releases
                         11.00: PHNE_23274 (BIND 4.9.7)
                         11.00: * (BIND 8.1.2)
                         11.11: PHNE_23275 (BIND 8.1.2)
                         11.04: PHNE_22919 (BIND 4.9.7)
                         10.20: PHNE_23277 (BIND 4.9.7)
                         10.24: PHNE_23439 (BIND 4.9.7)
                         10.10: PHNE_23277 (BIND 4.9.7)
                         10.01: PHNE_23277 (BIND 4.9.7)

           * Note: If you have upgraded HP-UX 11.00 BIND to 8.1.2
                    via the WEB upgrade you need to upgrade with the
                    latest version of the BIND package, 1.3 via the
                    website below.

                 http://www.software.hp.com/products/DNS_BIND/index.html

             Registration for the download is necessary. Once done,
             there is a link for installation instructions underneath
             the download button.

        C. To subscribe to automatically receive future NEW HP Security
           Bulletins from the HP IT Resource Center via electronic mail,
           do the following:

           Use your browser to get to the HP IT Resource Center page
           at:

            http://itrc.hp.com

           Under the Maintenance and Support Menu (Electronic Support
           Center): click on the "more..." link. Then -

           Use the 'Login' tab at the left side of the screen to login
           using your ID and password. Check with your system
           administrator to see if you have an existing login or use
           the "Register" button at the left to create a login. You
           will need to login in order to gain access to many areas of
           the ITRC. Remember to save the User ID assigned to you, and
           your password.

           Under the Maintenance and Support Menu, click on the "more..."
           link. Under the "Notifications" section (near the bottom of
           the page), select "Support Information Digests".

           To -subscribe- to future HP Security Bulletins or other
           Technical Digests, click the check box (in the left column)
           for the appropriate digest and then click the "Update
           Subscriptions" button at the bottom of the page.

           or

           To -review- bulletins already released, select the link
           (in the middle column) for the appropriate digest.

           To -gain access- to the Security Patch Matrix, select
           the link for "hp security bulletins archive" near the bottom.
           Once in the archive the top link is to our current Security
           Patch Matrix. Updated daily, this matrix categorizes security
           patches by platform/OS release, and by bulletin topic.

           The security patch matrix is also available via anonymous ftp:

           ftp.itrc.hp.com
           ~ftp/export/patches/hp-ux_patch_matrix

           On the "Support Information Digest Main" page:
           click on the "HP Security Bulletin Archive".

        D. To report new security vulnerabilities, send email to

           security-alert@hp.com

           Please encrypt any exploit information using the security-alert
           PGP key, available from your local key server, or by sending a
           message with a -subject- (not body) of 'get key' (no quotes) to
           security-alert@hp.com.

           Permission is granted for copying and circulating this Bulletin
           to Hewlett-Packard (HP) customers (or the Internet community)
           for the purpose of alerting them to problems, if and only if,
           the Bulletin is not edited or changed in any way, is attributed
           to HP, and provided such reproduction and/or distribution is
           performed for non-commercial purposes.

           Any other use of this information is prohibited. HP is not
           liable for any misuse of this information by any third party.
    ________________________________________________________________________
    -----End of Document ID: HPSBUX0102-144--------------------------------------


    Document ID: HPSBUX0102-143
    Date Loaded: 20010228
          Title: Sec. Vulnerability in SD-UX

    ------------------------------------------------------------------------
         HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0143, 28 Feb. '01
    ------------------------------------------------------------------------

    The information in the following Security Bulletin should be acted upon
    as soon as possible. Hewlett-Packard Company will not be liable for any
    consequences to any customer resulting from customer's failure to fully
    implement instructions in this Security Bulletin as soon as possible.

    ------------------------------------------------------------------------

    PROBLEM: Security defect in Software Distributor SD-UX

    PLATFORM: HP9000 Series 700/800 running HP-UX releases 10.01, 10.10,
               10.20 and 11.00 only.

    DAMAGE: A vulnerability exists potentially allowing local users
               additional privileges.

    SOLUTION: Install the cumulative patch as described below.
                   HP-UX 10.01 and 10.10: PHCO_15205,
                         10.20: PHCO_20209,
                         11.00: PHCO_22526.

    AVAILABILITY: The patches are available now.

    ------------------------------------------------------------------------

    I.
       A. Background
          Hewlett-Packard Company has learned of a Software Distributor
          defect which causes the product to fail.

       B. Fixing the problem
          Obtaining and installing the current cumulative patch completely
          solves this problem.

       C. Recommended solution
              for HP-UX release 10.01 and 10.10: PHCO_15205,
              for HP-UX release 10.20: PHCO_20209,
              for HP-UX release 11.00: PHCO_22526.

           The ServiceControlManager release of SD for 11.00 is not
           vulnerable, nor are any of the SD-OV releases.

    ________________________________________________________________________
    -----End of Document ID: HPSBUX0102-143--------------------------------------


    Document ID: HPSBUX0102-142
    Date Loaded: 20010228
          Title: Sec. Vulnerability in OV OmniBack

    -------------------------------------------------------------------------
       HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0142, 28 Feb. '01
    -------------------------------------------------------------------------
       The information in the following Security Bulletin should be
       acted upon as soon as possible. Hewlett-Packard Company will
       not be liable for any consequences to any customer resulting
       from customer's failure to fully implement instructions in
       this Security Bulletin as soon as possible.
    -------------------------------------------------------------------------
    ISSUE: Security vulnerability with HP OpenView OmniBack Clients,
            where unauthorized remote users can start a shell as System
            Administrator.

    PLATFORM: Windows NT 4.0, Windows 2000, and HP-UX Systems running
              OmniBack Version 3.00 or later.

    DAMAGE: Full System access for unauthorized remote users.

    SOLUTION: Enable OmniBack security features and apply appropriate
              patches as follows:
              PHSS_22914 - OmniBack version 3.50 on HP-UX 10.X
              PHSS_22915 - OmniBack version 3.50 on HP-UX 11.X

              PHSS_23095 - OmniBack version 3.10 on HP-UX 10.X
              PHSS_23096 - OmniBack version 3.10 on HP-UX 11.X

              PHSS_23103 - OmniBack version 3.00 on HP-UX 10.X
              PHSS_23104 - OmniBack version 3.00 on HP-UX 11.X

              For Windows NT/2000 based Omniback apply:
              OmniBack_00017 - OmniBack version 3.50 on Win NT/2000

    AVAILABILITY: The patches are currently available.

    -------------------------------------------------------------------------
    I.
        A. Background
           In HP OpenView OmniBack's communication between clients and
           the Cell Manager, the following patches implement a more
           appropriate security precaution code.

        B. Fixing the problem
           Enable the OmniBack security features as described in the
           Administrator's Guide for version 3.10, Chapter 11, in Section
           'Adding Security for Client Access'.
           For version 3.50 this is described in the 'Installation and
           Licensing Guide', Chapter 3, Section 'Security Considerations'.

           To fully eliminate the problem, install the respective patch
           on the OmniBack Cell Manager system and on the Installation
           Server, then distribute the patched binaries to the OmniBack
           clients using the Client Upgrade action in the OmniBack
           Manager GUI.

           The NT/2000 patch which follows can be obtained at the
           following site:
              http://ovweb.external.hp.com/cpe/patches

              OmniBack_00017 - OmniBack version 3.50 on Win NT/2000

           while the following HP-UX patches can be obtained from
              http://itrc.hp.com

            PHSS_22914 - OmniBack version 3.50 on HP-UX 10.x
            PHSS_22915 - OmniBack version 3.50 on HP-UX 11.x

            PHSS_23095 - OmniBack version 3.10 on HP-UX 10.x
            PHSS_23096 - OmniBack version 3.10 on HP-UX 11.x

            PHSS_23103 - OmniBack version 3.00 on HP-UX 10.x
            PHSS_23104 - OmniBack version 3.00 on HP-UX 11.x

    ________________________________________________________________________
    -----End of Document ID: HPSBUX0102-142--------------------------------------