[security bulletin] SSRT2385 OSIS V5.4 LDAP Module for System Authentication Potential Security Vulnerability (fwd)

From: Dave Ahmad (daat_private)
Date: Tue Nov 26 2002 - 07:22:46 PST

Next message: Dave Ahmad: "[security bulletin] SSRT2301 - HP Tru64 UNIX uudecode Potential Security Vulnerability (fwd)"

Previous message: David Miller: "XSS vulnerability in Bugzilla if upgraded from 2.10 or earlier"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SECURITY BULLETIN: SSRT2385 OSIS V5.4 LDAP Module for
                   System Authentication Potential Security
                   Vulnerability

REVISION: 0


NOTICE: There are no restrictions for distribution of this
        Bulletin provided that it remains complete and
intact.

RELEASE DATE:  13 November 2002

SEVERITY:  High

SOURCE:
         Hewlett-Packard Company and
         Hewlett-Packard Company HP Services
         Software Security Response Team

REFERENCE:  SSRT2385

PROBLEM SUMMARY:

         This bulletin will be posted to the support
         website within 24 hours of release to
         http://thenew.hp.com/country/us/eng/support.html
         Use the SEARCH IN feature box, enter SSRT2385 in
         the search window.


   SSRT2385   LDAP    (Severity - High)

   A potential security vulnerability has been has been
   identified in the Lightweight Directory Access Protocol
   (LDAP) Module for System Authentication from Open
   Source Internet Solutions (OSIS) V5.4.  Later versions
   of OSIS have been renamed Internet Express for Tru64 UNIX.

   The potential vulnerability may result in nonprivileged
   users gaining  unauthorized access to files or privileged access
   on the system. This potential vulnerability may be in the form of
   local and remote security domain risks.


VERSIONS IMPACTED:


      HP Tru64 UNIX V4.0G

      HP Tru64 UNIX V4.0F


NOT IMPACTED:

      HP-UX

      HP-MPE/ix

      HP NonStop Servers

      HP OpenVMS


RESOLUTION:

   Early Release Patches (ERPs) are now available for
   OSIS 5.4 LDAP Module for System Authentication for
   HP Tru64 UNIX V4.0F and V4.0G (Cluster and Non-clustered
   Systems) that provide a solution to this potential
   vulnerability.

       NOTE:
       Customers running the LDAP Module for System
       Authentication on HP Tru64 UNIX V5.*/TruCluster V5.*
       should update to the version included with Internet Express
       V5.9 or later.

   Please review the README file for each patch prior to
   installation.

   HP Tru64 UNIX V4.0G/TruCluster Server V1.6:

 PREREQUISITE: OSIS V5.4 LDAP Module for System Authentication
 Patch Kit Name:  OSISV54_SSRT2385_40G_PATCH.tar
 Kit Location: ftp://ftp1.support.compaq.com/public/unix/v4.0g/

 HP Tru64 UNIX V4.0F/TruCluster Server V1.6:
 PREREQUISITE: OSIS V5.4 LDAP Module for System Authentication
 Patch Kit Name: OSISV54_SSRT2385_40F_PATCH.tar
 Kit Location: ftp://ftp1.support.compaq.com/public/unix/v4.0f/


After completing the update, HP strongly
recommends that you perform an immediate backup of
the system disk so that any subsequent restore operations
begin with updated software. Otherwise, the updates must
be re-applied after a future restore operation. Also, if
at some future time the system is upgraded to a later
patch release or version release, reinstall the
appropriate ERP.


SUPPORT:

For further information, contact HP Services.

SUBSCRIBE:

To subscribe to automatically receive future Security
Advisories from the Software Security Response Team via
Electronic mail:
http://www.support.compaq.com/patches/mailing-list.shtml

REPORT:

To report a potential security vulnerability with any HP supported
product, send email to: security-alertat_private

As always, HP urges you to periodically review your system management
and security procedures. HP will continue to review and enhance the
security features of its products and work with our customers to
maintain and improve the security and integrity of their systems.

"HP is broadly distributing this Security Bulletin in order to bring
to the attention of users of the affected HP products the important
security information contained in this Bulletin. HP recommends that
all users determine the applicability of this information to their
individual situations and take appropriate action. HP does not
warrant that this information is necessarily accurate or complete for
all user situations and, consequently,  HP will not be responsible
for any damages resulting from user's use or disregard of the
information provided in this Bulletin."



(c)Copyright 2002 Hewlett-Packard Company.
Hewlett-Packard Company shall not be liable for technical
or editorial errors or omissions contained herein. The
information in this document is subject to change without
notice. Hewlett-Packard Company and the names of
Hewlett-Packard products referenced herein are trademarks
of Hewlett-Packard Company in the United States and other
countries. Other product and company names mentioned herein
may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBPeKmEDnTu2ckvbFuEQL12QCg4I0p0vIY8zXuoBGvghPZgew1VsYAoP6z
pkPRSIFp2CnEEZrpUGVR2qYU
=8epn
-----END PGP SIGNATURE-----

Next message: Dave Ahmad: "[security bulletin] SSRT2301 - HP Tru64 UNIX uudecode Potential Security Vulnerability (fwd)"
Previous message: David Miller: "XSS vulnerability in Bugzilla if upgraded from 2.10 or earlier"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Nov 30 2002 - 12:49:11 PST