Security Bulletin SSRT3629A/B - Tru64 UNIX potential Denial of Service and/or unauthorized access

From: Webb, Nigel (SSRT) (nigelwebbhp.com)
Date: Tue Jan 13 2004 - 15:32:30 CST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SECURITY BULLETIN

REVISION: 0

SSRT3629A/B - Tru64 UNIX potential Denial of Service and/or unauthorized
access

- -----------------------------------------------------------------
NOTICE: There are no restrictions for distribution of this Bulletin
provided that it remains complete and intact.

RELEASE DATE: 7 January 2004

SEVERITY: 1

SOURCE: HEWLETT-PACKARD COMPANY
Software Security Response Team

REFERENCE: None

PROBLEM SUMMARY
Potential security vulnerabilities have been identified in HP Tru64 UNIX
running IPsec and SSH software that may result in a local or remote
exploit of a Denial of Service (DoS) and/or local or remote unauthorized
access.

VERSIONS IMPACTED
The currently supported versions of HP Tru64 UNIX V5.1B PK2 (BL22) and
PK3 (BL24) and V5.1A running IPsec and SSH software kits earlier than:
IPsec 2.1.1 and SSH 3.2.2

RESOLUTION
HP is releasing the following Early Release Patch (ERP) kits for HP
Tru64 UNIX V5.1B, and Web kits for HP Tru64 UNIX V5.1A.

The V5.1B ERP kits use dupatch to install and will not install over any
installed Customer Specific Patches (CSPs) that have file intersections
with the ERPs. Contact your service provider for assistance if the
installation of the ERPs is blocked by any of your installed CSPs.

The resolutions contained in the V5.1B ERP kits are scheduled to be
available in the following mainstream patch kit:

HP Tru64 UNIX V5.1B PK4

Early Release Patches

    HP Tru64 UNIX 5.1B:

    For IPsec software:
    Note: The same ERP kit applies to both 5.1B PK2 and 5.1B PK3
    PREREQUISITE: HP Tru64 UNIX 5.1B with PK2 or PK3 installed
    ERP Kit Name: T64KIT0020963-V51BB24-ES-20031204
    Kit Location:
    http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0020963-V51BB24-ES-20031204

    For SSH software:
    Note: The same ERP kit applies to both 5.1B PK2 and 5.1B PK3
    PREREQUISITE: HP Tru64 UNIX 5.1B with PK2 or PK3 installed
    ERP Kit Name: T64KIT0020964-V51BB24-ES-20031204
    Kit Location:
    http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0020964-V51BB24-ES-20031204

    HP Tru64 UNIX 5.1A

Customers running versions of software earlier than IPsec 2.1.1 and SSH
3.2.2 should upgrade.

Updated 5.1A SSH and IPsec kits are available at the following
locations:

IPsec: http://h30097.www3.hp.com/unix/ipsec

SSH: http://h30097.www3.hp.com/unix/ssh

MD5 checksums are available from the ITRC patch database main page
http://www.itrc.hp.com/service/patch/mainPage.do. From the patch
database main page, click tru64 UNIX, then click verifying MD5 checksums
under useful links.

SUPPORT: For further information, contact HP Services.

SUBSCRIBE: To subscribe to automatically receive future Security
Advisories from the Software Security Response Team via electronic
mail: http://www.support.compaq.com/patches/mail-list.shtml

REPORT: To report a potential security vulnerability with any HP
supported product, send email to: security-alerthp.com

As always, HP urges you to periodically review your system management
and security procedures. HP will continue to review and enhance the
security features of its products and work with our customers to
maintain and improve the security and integrity of their systems.

"HP is broadly distributing this Security Bulletin in order to bring to
the attention of users of the affected HP products the important
security information contained in this Bulletin. HP recommends that all
users determine the applicability of this information to their
individual situations and take appropriate action. HP does not warrant
that this information is necessarily accurate or complete for all user
situations and, consequently, HP will not be responsible for any damages
resulting from user's use or disregard of the information provided in
this Bulletin."

(c)Copyright 2004 Hewlett-Packard Company
Hewlett-Packard Company shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is
provided "as is" without warranty of any kind. To the extent permitted
by law, neither HP or its affiliates, subcontractors or suppliers will
be liable for incidental, special or consequential damages including
downtime cost; lost profits; damages relating to the procurement of
substitute products or services; or damages for loss of data, or
software restoration. The information in this document is subject to
change without notice. Hewlett-Packard Company and the names of
Hewlett-Packard products referenced herein are trademarks of
Hewlett-Packard Company in the United States and other countries. Other
product and company names mentioned herein may be trademarks of their
respective owners.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBP/xzh+AfOvwtKn1ZEQL8IgCg5HWncROdN/CxfXUN9QfW5PFVXGwAoIJ7
7OXN4LsUmiBQ/jnQ2lz/EcKu
=WzGd
-----END PGP SIGNATURE-----
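
Added example, not part of HP's bulletin: a triage script that applies the bulletin's VERSIONS IMPACTED and RESOLUTION sections to a host inventory. The version thresholds, kit names and URLs come from the bulletin; the inventory format, host names and installed versions are constructed for illustration.

```python
# Thresholds and remediation targets as stated in bulletin SSRT3629A/B.
FIXED = {"ipsec": (2, 1, 1), "ssh": (3, 2, 2)}  # kits earlier than these are impacted
FIX_51B = {"ipsec": "T64KIT0020963-V51BB24-ES-20031204",
           "ssh": "T64KIT0020964-V51BB24-ES-20031204"}
FIX_51A = {"ipsec": "http://h30097.www3.hp.com/unix/ipsec",
           "ssh": "http://h30097.www3.hp.com/unix/ssh"}
# Releases the bulletin lists; it names no patch kit level for V5.1A.
COVERED = {("V5.1B", "PK2"), ("V5.1B", "PK3"), ("V5.1A", "")}

# Constructed inventory (assumed format): host, OS, patch kit, IPsec, SSH.
# "-" means not installed / not applicable.
INVENTORY = """\
alpha1 V5.1B PK3 2.1.0 3.2.2
alpha2 V5.1A -   2.1.1 3.2
alpha3 V5.1B PK2 -     3.2.0
alpha4 V5.1B PK4 2.1.0 3.2.0
"""

def parse_version(text):
    """'3.2' -> (3, 2, 0); padding makes 3.2 compare below 3.2.2."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(record):
    """Return (host, needed); needed is None when the bulletin does not
    list the release, otherwise {component: ERP kit name or upgrade URL}."""
    host, os_ver, pk, ipsec, ssh = record.split()
    if (os_ver, "" if os_ver == "V5.1A" else pk) not in COVERED:
        return host, None
    fixes = FIX_51B if os_ver == "V5.1B" else FIX_51A
    needed = {}
    for name, installed in (("ipsec", ipsec), ("ssh", ssh)):
        if installed != "-" and parse_version(installed) < FIXED[name]:
            needed[name] = fixes[name]
    return host, needed

def report(inventory):
    """Map each host in the inventory to its triage result."""
    return dict(triage(r) for r in inventory.strip().splitlines())

if __name__ == "__main__":
    for host, needed in report(INVENTORY).items():
        if needed is None:
            print(f"{host}: release not listed in the bulletin")
        elif not needed:
            print(f"{host}: no action")
        for name, fix in (needed or {}).items():
            print(f"{host}: {name} impacted -> {fix}")
```

A result of None means the bulletin makes no statement about that release, not that the host is unaffected. On V5.1B, installation of an ERP kit can still be blocked by an installed CSP, as the bulletin notes.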
