SECURITY BULLETIN: SSRT2385 OSIS V5.4 LDAP Module for
System Authentication Potential Security
Vulnerability
REVISION: 0
NOTICE: There are no restrictions for distribution of this
Bulletin provided that it remains complete and
intact.
RELEASE DATE: 13 November 2002
SEVERITY: High
SOURCE:
Hewlett-Packard Company and
Hewlett-Packard Company HP Services
Software Security Response Team
REFERENCE: SSRT2385
PROBLEM SUMMARY:
This bulletin will be posted to the support
website within 24 hours of release to
http://thenew.hp.com/country/us/eng/support.html
Use the SEARCH IN feature box, enter SSRT2385 in
the search window.
SSRT2385 LDAP (Severity - High)
A potential security vulnerability has been has been
identified in the Lightweight Directory Access Protocol
(LDAP) Module for System Authentication from Open
Source Internet Solutions (OSIS) V5.4. Later versions
of OSIS have been renamed Internet Express for Tru64 UNIX.
The potential vulnerability may result in nonprivileged
users gaining unauthorized access to files or privileged access
on the system. This potential vulnerability may be in the form of
local and remote security domain risks.
VERSIONS IMPACTED:
HP Tru64 UNIX V4.0G
HP Tru64 UNIX V4.0F
NOT IMPACTED:
HP-UX
HP-MPE/ix
HP NonStop Servers
HP OpenVMS
RESOLUTION:
Early Release Patches (ERPs) are now available for
OSIS 5.4 LDAP Module for System Authentication for
HP Tru64 UNIX V4.0F and V4.0G (Cluster and Non-clustered
Systems) that provide a solution to this potential
vulnerability.
NOTE:
Customers running the LDAP Module for System
Authentication on HP Tru64 UNIX V5.*/TruCluster V5.*
should update to the version included with Internet Express
V5.9 or later.
Please review the README file for each patch prior to
installation.
HP Tru64 UNIX V4.0G/TruCluster Server V1.6:
PREREQUISITE: OSIS V5.4 LDAP Module for System Authentication
Patch Kit Name: OSISV54_SSRT2385_40G_PATCH.tar
Kit Location: ftp://ftp1.support.compaq.com/public/unix/v4.0g/
HP Tru64 UNIX V4.0F/TruCluster Server V1.6:
PREREQUISITE: OSIS V5.4 LDAP Module for System Authentication
Patch Kit Name: OSISV54_SSRT2385_40F_PATCH.tar
Kit Location: ftp://ftp1.support.compaq.com/public/unix/v4.0f/
After completing the update, HP strongly
recommends that you perform an immediate backup of
the system disk so that any subsequent restore operations
begin with updated software. Otherwise, the updates must
be re-applied after a future restore operation. Also, if
at some future time the system is upgraded to a later
patch release or version release, reinstall the
appropriate ERP.
SUPPORT:
For further information, contact HP Services.
SUBSCRIBE:
To subscribe to automatically receive future Security
Advisories from the Software Security Response Team via
Electronic mail:
http://www.support.compaq.com/patches/mailing-list.shtml
REPORT:
To report a potential security vulnerability with any HP supported
product, send email to: security-alert (at) hp (dot) com [email concealed]
As always, HP urges you to periodically review your system management
and security procedures. HP will continue to review and enhance the
security features of its products and work with our customers to
maintain and improve the security and integrity of their systems.
"HP is broadly distributing this Security Bulletin in order to bring
to the attention of users of the affected HP products the important
security information contained in this Bulletin. HP recommends that
all users determine the applicability of this information to their
individual situations and take appropriate action. HP does not
warrant that this information is necessarily accurate or complete for
all user situations and, consequently, HP will not be responsible
for any damages resulting from user's use or disregard of the
information provided in this Bulletin."
(c)Copyright 2002 Hewlett-Packard Company.
Hewlett-Packard Company shall not be liable for technical
or editorial errors or omissions contained herein. The
information in this document is subject to change without
notice. Hewlett-Packard Company and the names of
Hewlett-Packard products referenced herein are trademarks
of Hewlett-Packard Company in the United States and other
countries. Other product and company names mentioned herein
may be trademarks of their respective owners.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SECURITY BULLETIN: SSRT2385 OSIS V5.4 LDAP Module for
System Authentication Potential Security
Vulnerability
REVISION: 0
NOTICE: There are no restrictions for distribution of this
Bulletin provided that it remains complete and
intact.
RELEASE DATE: 13 November 2002
SEVERITY: High
SOURCE:
Hewlett-Packard Company and
Hewlett-Packard Company HP Services
Software Security Response Team
REFERENCE: SSRT2385
PROBLEM SUMMARY:
This bulletin will be posted to the support
website within 24 hours of release to
http://thenew.hp.com/country/us/eng/support.html
Use the SEARCH IN feature box, enter SSRT2385 in
the search window.
SSRT2385 LDAP (Severity - High)
A potential security vulnerability has been has been
identified in the Lightweight Directory Access Protocol
(LDAP) Module for System Authentication from Open
Source Internet Solutions (OSIS) V5.4. Later versions
of OSIS have been renamed Internet Express for Tru64 UNIX.
The potential vulnerability may result in nonprivileged
users gaining unauthorized access to files or privileged access
on the system. This potential vulnerability may be in the form of
local and remote security domain risks.
VERSIONS IMPACTED:
HP Tru64 UNIX V4.0G
HP Tru64 UNIX V4.0F
NOT IMPACTED:
HP-UX
HP-MPE/ix
HP NonStop Servers
HP OpenVMS
RESOLUTION:
Early Release Patches (ERPs) are now available for
OSIS 5.4 LDAP Module for System Authentication for
HP Tru64 UNIX V4.0F and V4.0G (Cluster and Non-clustered
Systems) that provide a solution to this potential
vulnerability.
NOTE:
Customers running the LDAP Module for System
Authentication on HP Tru64 UNIX V5.*/TruCluster V5.*
should update to the version included with Internet Express
V5.9 or later.
Please review the README file for each patch prior to
installation.
HP Tru64 UNIX V4.0G/TruCluster Server V1.6:
PREREQUISITE: OSIS V5.4 LDAP Module for System Authentication
Patch Kit Name: OSISV54_SSRT2385_40G_PATCH.tar
Kit Location: ftp://ftp1.support.compaq.com/public/unix/v4.0g/
HP Tru64 UNIX V4.0F/TruCluster Server V1.6:
PREREQUISITE: OSIS V5.4 LDAP Module for System Authentication
Patch Kit Name: OSISV54_SSRT2385_40F_PATCH.tar
Kit Location: ftp://ftp1.support.compaq.com/public/unix/v4.0f/
After completing the update, HP strongly
recommends that you perform an immediate backup of
the system disk so that any subsequent restore operations
begin with updated software. Otherwise, the updates must
be re-applied after a future restore operation. Also, if
at some future time the system is upgraded to a later
patch release or version release, reinstall the
appropriate ERP.
SUPPORT:
For further information, contact HP Services.
SUBSCRIBE:
To subscribe to automatically receive future Security
Advisories from the Software Security Response Team via
Electronic mail:
http://www.support.compaq.com/patches/mailing-list.shtml
REPORT:
To report a potential security vulnerability with any HP supported
product, send email to: security-alert (at) hp (dot) com [email concealed]
As always, HP urges you to periodically review your system management
and security procedures. HP will continue to review and enhance the
security features of its products and work with our customers to
maintain and improve the security and integrity of their systems.
"HP is broadly distributing this Security Bulletin in order to bring
to the attention of users of the affected HP products the important
security information contained in this Bulletin. HP recommends that
all users determine the applicability of this information to their
individual situations and take appropriate action. HP does not
warrant that this information is necessarily accurate or complete for
all user situations and, consequently, HP will not be responsible
for any damages resulting from user's use or disregard of the
information provided in this Bulletin."
(c)Copyright 2002 Hewlett-Packard Company.
Hewlett-Packard Company shall not be liable for technical
or editorial errors or omissions contained herein. The
information in this document is subject to change without
notice. Hewlett-Packard Company and the names of
Hewlett-Packard products referenced herein are trademarks
of Hewlett-Packard Company in the United States and other
countries. Other product and company names mentioned herein
may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1
iQA/AwUBPeKmEDnTu2ckvbFuEQL12QCg4I0p0vIY8zXuoBGvghPZgew1VsYAoP6z
pkPRSIFp2CnEEZrpUGVR2qYU
=8epn
-----END PGP SIGNATURE-----
[ reply ]