OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Boren, Rich (SSRT) (Rich.Boren_at_hp.com)
Date: Thu Feb 20 2003 - 15:07:07 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    SECURITY BULLETIN

    REVISION: 0
     
    SSRT2408 SSRT2410 SSRT2411 - HP Tru64 UNIX, HP-UX,
    Potential BIND Security Vulnerabilities

     
    - ----------------------------------------------------------------------
    - --
    NOTICE: There are no restrictions for distribution of
    this Bulletin provided that it remains complete and
    intact.

    RELEASE DATE: February 2003

     
    SEVERITY: High

    SOURCE: HEWLETT-PACKARD COMPANY
             Software Security Response Team

    REFERENCE: SSRT2400 (VU#844360 ),
                SSRT2408 - SSRT2410 -
                SSRT2411, CERT (CA-2002-31,
                VU#852283, VU#229595, VU#581682)

    PROBLEM SUMMARY

    This bulletin will be posted to the support website
    within 24 hours of release to -
    http://thenew.hp.com/country/us/eng/support.html
    Use the SEARCH IN feature box, enter SSRT2408 in
    the search window.

    SSRT2408, SSRT2410, SSRT2411 BIND - (Severity - High)

    BIND (Berkeley Internet Name Domain)

    Potential BIND (Berkeley Internet Name Domain) security
    vulnerabilities have been reported to HP that may result
    in buffer overflows, unauthorized access, or denial of
    service (DoS) on HP Tru64 UNIX systems. These potential
    security vulnerabilities may be in the form of local
    and remote security domain risks.

    VERSIONS IMPACTED:

    HP Tru64 UNIX V5.1B

    HP Tru64 UNIX V5.1A

    HP Tru64 UNIX V5.1

    HP Tru64 UNIX V5.0A

    HP Tru64 UNIX V4.0G

    HP Tru64 UNIX V4.0F

    HP-UX release 11.11 (11i)

    HP-UX release 11.04 (VVOS)

    HP-UX release 11.00

    HP-UX release 10.20

    HP-UX release 10.10

    NOT IMPACTED:

       HP-MPE/ix

       HP NonStop Servers

       HP OpenVMS

    RESOLUTION:

       HP-UX

    REF: SSRT2408, SSRT2410, SSRT2411

    HP has provided notice of the availability
    of any necessary solutions through the standard
    Security Bulletin HPSBUX0212-233 announcement
    and is available from your normal HP Services
    support channel and will be available from
    http://itrc.hp.com search for HPSBUX0212-233

    HP Tru64 UNIX

    Early Release Patches (ERPs) are now available for
    all supported versions of HP Tru64 UNIX. The ERP kits
    use dupatch to install and will not install over any
    Customer Specific Patches (CSPs) which have file
    intersections with the ERPs. Contact your normal
    support channel and request HP Tru64 services elevate
    a case to Support Engineering if a CSP must be merged
    with one of the ERPs.

    Note: For the following versions, the solutions
    provided in these ERPs do intersect with the solutions
    provided for SSRT1-68u and SSRT1-69u. Corrections
    provided in SSRT1-68u, SSRT1-69u, and this set of
    ERPs all update named and named-xfer.

    HP Tru64 UNIX 5.0A PK3 (BL17)
    HP Tru64 UNIX 4.0G PK3 (BL17)

    Please review the README file for each patch
    prior to installation.

    HP Tru64 UNIX/TruCluster Server V5.1B:
    Prerequisite: V5.1B with PK1 (BL1) installed
    ERP Kit Name: T64V51BB1-C0002700-16642-ES-20030129.tar
    Kit Location: ftp://ftp1.support.compaq.com/public/unix/v5.1b/

    HP Tru64 UNIX/TruCluster Server V5.1A:
    Prerequisite: V5.1A with PK3 (BL3) installed
    ERP Kit Name: T64V51AB3-C0099200-16641-ES-20030129.tar
    Kit Location: ftp://ftp1.support.compaq.com/public/unix/v5.1a/

    HP Tru64 UNIX/TruCluster Server V5.1:
    Prerequisite: V5.1 with PK5 (BL19) installed
    ERP Kit Name: T64V51B19-C0167700-16640-ES-20030129.tar
    Kit Location: ftp://ftp1.support.compaq.com/public/unix/v5.1/

    HP Tru64 UNIX/TruCluster Server V5.0A:
    PREREQUISITE: V5.0a with PK3 (BL17) installed
    ERP Kit Name: T64V50AB17-C0031104-16655-ES-20030129.tar
    Kit Location: http://ftp1.support.compaq.com/public/unix/v5.0a/

    HP Tru64 UNIX/TruCluster Server V4.0G:
    Prerequisite: V4.0G with PK3 (BL17) installed
    ERP Kit Name: T64V40GB17-C0028000-16638-ES-20030129.tar
    Kit Location: ftp://ftp1.support.compaq.com/public/unix/v4.0g/

    HP Tru64 UNIX/TruCluster V4.0F:
    Prerequisite: V4.0F with PK7 (BL18) installed
    ERP Kit Name: DUV40FB18-C0090600-16637-ES-20030129.tar
    Kit Location: ftp://ftp1.support.compaq.com/public/unix/v4.0f/

    The fixes contained in the ERP kits will be available in the
    following mainstream patch kits:

    HP Tru64 UNIX 5.1B PK2
    HP Tru64 UNIX 5.1A PK5
    HP Tru64 UNIX 5.1 PK7
    HP Tru64 UNIX 4.0G PK4
    HP Tru64 UNIX 4.0F PK8

    Information on how to verify MD5 and SHA1 checksums is
    available at:
    http://www.support.compaq.com/patches/whats-new.shtml

    After completing the update, HP and Compaq strongly
    recommend that you perform an immediate backup of
    the system disk so that any subsequent restore
    operations begin with updated software. Otherwise,
    the updates must be re-applied after a future restore
    operation. Also, if at some future time the system is
    upgraded to a later patch release or version release,
    reinstall the appropriate ERP.

    SUPPORT: For further information, contact HP Services.
     
    SUBSCRIBE: To subscribe to automatically receive future
    Security Advisories from the Software Security Response
    Team via electronic mail:
    http://www.support.compaq.com/patches/mailing-list.shtml
     
    REPORT: To report a potential security vulnerability
    with any HP supported product, send email
    to: security-alerthp.com

    As always, HP urges you to periodically review your
    system management and security procedures. HP will
    continue to review and enhance the security features
    of its products and work with our customers to maintain
    and improve the security and integrity of their systems.

    "HP is broadly distributing this Security Bulletin in
    order to bring to the attention of users of the affected
    HP products the important security information contained
    in this Bulletin. HP recommends that all users determine
    the applicability of this information to their individual
    situations and take appropriate action. HP does not warrant
    that this information is necessarily accurate or complete
    for all user situations and, consequently, HP will not be
    responsible for any damages resulting from user's use or
    disregard of the information provided in this Bulletin."

    (c)Copyright 2002 Hewlett-Packard Company
    Hewlett-Packard Company shall not be liable for technical
    or editorial errors or omissions contained herein. The
    information in this document is subject to change without
    notice. Hewlett-Packard Company and the names of
    Hewlett-Packard products referenced herein are trademarks
    of Hewlett-Packard Company in the United States and other
    countries. Other product and company names mentioned herein
    may be trademarks of their respective owners.
     

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.1

    iQA/AwUBPlVDcTnTu2ckvbFuEQIOewCgoDUzeoYKsCJEHANrvY5tfIwUTC4AoMXv
    yeORn7Bw7283rPykMicllOup
    =8uHU
    -----END PGP SIGNATURE----- 

    ---