Security Bulletin SSRT3499
From: Webb, Nigel (SSRT) (nigelwebb@hp.com)
Date: Wed Aug 13 2003 - 10:00:32 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SECURITY BULLETIN
REVISION: 0
SSRT3499, SSRT3518 (Tru64) Local or remote users may obtain
OpenSSL encryption key and additionally perform remote
unauthorized operations
- -----------------------------------------------------------
NOTICE: There are no restrictions for distribution of this
Bulletin provided that it remains complete and intact.
RELEASE DATE: August 2003
SEVERITY: 1
SOURCE: HEWLETT-PACKARD COMPANY
Software Security Response Team
REFERENCE: CAN-2003-0131, CAN-2003-0147, VU997481, SSRT3521
PROBLEM SUMMARY
A potential vulnerability in OpenSSL may allow local and
remote users to obtain the server's private encryption key.
Also, an additional vulnerability in OpenSSL may allow
remote users to perform an unauthorized RSA private key
operation.
VERSIONS IMPACTED
All currently supported versions of HP Tru64 UNIX including
Ver: 5.0a, 5.1, 5.1a, running Insight Manager and/or Apache
To include:
HP Tru64 UNIX/TruCluster Server Ver:4.x and Ver: 5.0a
HP Tru64 UNIX Secure Web Server v6.0 and v5.9.2 with 5.1b
HP Tru64 UNIX Internet Express v6.0
RESOLUTION
Resolutions for the vulnerabilities with OpenSSL have been
included in the latest versions of OpenSSL.
For HP Tru64 UNIX running Insight Manager: the Insight
Manager software has been updated to include the latest
versions of OpenSSL and is available for download from:
http://h30097.www3.hp.com/manage/download.html#cma
For HP Tru64 UNIX Internet software running Apache: the
Apache software has been updated to include the latest
versions of OpenSSL and is available for download from:
http://h30097.www3.hp.com/internet/download.htm
New versions of OpenSSL can be downloaded and re-linked
to Tru64 UNIX applications to resolve these
vulnerabilities.
SUPPORT: For further information, contact HP Services.
SUBSCRIBE: To subscribe to automatically receive future
Security Advisories from the Software Security Response
Team via electronic mail:
http://www.support.compaq.com/patches/mail-list.shtml
REPORT: To report a potential security vulnerability
with any HP supported product, send email to:
security-alert@hp.com
As always, HP urges you to periodically review your system
management and security procedures. HP will continue to
review and enhance the security features of its products
and work with our customers to maintain and improve the
security and integrity of their systems.
"HP is broadly distributing this Security Bulletin in
order to bring to the attention of users of the affected
HP products the important security information contained
in this Bulletin. HP recommends that all users determine
the applicability of this information to their individual
situations and take appropriate action. HP does not warrant
that this information is necessarily accurate or complete
for all user situations and, consequently, HP will not be
responsible for any damages resulting from user's use or
disregard of the information provided in this Bulletin."
(c)Copyright 2001, 2003 Hewlett-Packard Development Company,
L.P. Hewlett-Packard Company shall not be liable for
technical or editorial errors or omissions contained
herein. The information in this document is subject to
change without notice. Hewlett-Packard Company and the
names of Hewlett-Packard products referenced herein are
trademarks of Hewlett-Packard Company in the United
States and other countries. Other product and company
names mentioned herein may be trademarks of their
respective owners.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Security 7.0.3
iQA/AwUBPzop9+AfOvwtKn1ZEQKoRACgvOMsjt2Y8go+Pmq93b0hI3Gm4V0An3PS
+ixrkEocewkA0mCX+1A5I70K
=8ZAf
-----END PGP SIGNATURE-----