Multiple critical security issues exist in HP's VMS version of Apache.
PHP related:
http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281867
Java related:
http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281831
I think the most telling thing about this is that the CVEs date back over
the last several _years_; in Linux land you would generally get a new kit
to fix the latest CVE within a few days.
So much for this being the "Secure" Web Server.
Simon.
--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
clubley (1184)
4/17/2012 12:46:34 PM
On Tue, 17 Apr 2012 12:46:34 +0000, Simon Clubley wrote:
> Multiple critical security issues exist in HP's VMS version of Apache.
>
> PHP related:
>
> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281867
>
> Java related:
>
> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281831
>
> I think the most telling thing about this is that the CVEs date back
> over the last several _years_; in Linux land you would generally get a
> new kit to fix the latest CVE within a few days.
>
> So much for this being the "Secure" Web Server.
Thanks for the alert Simon.
Does anyone know what the "Base Vector" column in those reports is
supposed to mean?
(And sigh, the text on those pages overflows the right margin when viewed
in Firefox.)
--
Paul Sture
paul303 (1382)
4/17/2012 2:10:55 PM
On 2012-04-17, Paul Sture <paul@sture.ch> wrote:
>
> Thanks for the alert Simon.
>
> Does anyone know what the "Base Vector" column in those reports is
> supposed to mean?
>
Start here (and follow the link in the document for further information):
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01345499
> (And sigh, the text on those pages overflows the right margin when viewed
> in Firefox.)
>
The same happens to me as well. At work, I am running Firefox ESR 10.0.3 on
Linux. I am running Firefox 11 on Linux at home, but I have not tried it
with that version.
Simon.
--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
clubley (1184)
4/18/2012 11:56:21 AM
On Tuesday, 17 April 2012 16:10:55 UTC+2, Paul Sture wrote:
> Paul Sture
"Paul Sture, Switzerland"?
Hi Paul, long time no chat! :-)
didier.morandi (97)
4/18/2012 6:23:18 PM
On Tuesday, 17 April 2012 14:46:34 UTC+2, Simon Clubley wrote:
> So much for this being the "Secure" Web Server.
I'll use WASD in a few days!
didier.morandi (97)
4/18/2012 6:24:11 PM
On Wed, 18 Apr 2012 11:56:21 +0000, Simon Clubley wrote:
> On 2012-04-17, Paul Sture <paul@sture.ch> wrote:
>>
>> Thanks for the alert Simon.
>>
>> Does anyone know what the "Base Vector" column in those reports is
>> supposed to mean?
>>
>>
> Start here (and follow the link in the document for further
> information):
>
> http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01345499
Thanks.
>> (And sigh, the text on those pages overflows the right margin when
>> viewed in Firefox.)
>>
>>
> The same happens to me as well. At work, I am running Firefox ESR 10.0.3
> on Linux. I am running Firefox 11 on Linux at home, but I have not tried
> it with that version.
I've found the same on FF 11 on Linux, and MSIE 8 and 11 on Windows.
Perhaps I should rush out and buy a bigger screen :-)
--
Paul Sture
paul303 (1382)
4/19/2012 2:20:53 PM
"Simon Clubley" <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote in
message news:jmjona$jl9$1@dont-email.me...
> Multiple critical security issues exist in HP's VMS version of Apache.
>
> PHP related:
>
> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281867
>
> Java related:
>
> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281831
>
> I think the most telling thing about this is that the CVEs date back over
> the last several _years_; in Linux land you would generally get a new kit
> to fix the latest CVE within a few days.
>
> So much for this being the "Secure" Web Server.
>
Simon,
It takes time to ship code to India via tramp steamer. Be patient.
a6372 (1957)
5/6/2012 9:24:55 PM
On 2012-05-06, John Smith (who cares if I'm the one @ HP - if here's even still there) <a@nonymous.com> wrote:
>
> "Simon Clubley" <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote in
> message news:jmjona$jl9$1@dont-email.me...
>> Multiple critical security issues exist in HP's VMS version of Apache.
>>
>> PHP related:
>>
>> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281867
>>
>> Java related:
>>
>> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281831
>>
>> I think the most telling thing about this is that the CVEs date back over
>> the last several _years_; in Linux land you would generally get a new kit
>> to fix the latest CVE within a few days.
>>
>> So much for this being the "Secure" Web Server.
>>
>
> Simon,
>
> It takes time to ship code to India via tramp steamer. Be patient.
>
This may just be me, but I think it would be better if we focused on the
issues instead of performing two dimensional racial stereotyping. As I
have always said, you can find smart and not so smart people in any
country and the problem with HP seems to be they have gone for the cheapest
solution possible. You would have had similar problems if VMS engineering
had been kept in the US, but the then current VMS team had been replaced
with cheaper, but far less capable/experienced people.
BTW, to give an example of how out of touch the VMS patch release schedule
is for Internet based components, there is currently a PHP exploit being
discussed (the one involving parameters on the command line) and people
are upset that it was sat on for 4 months, which seems to be generally
considered an unreasonably large amount of time to wait, which is something
I strongly agree with.
A patch kit which only now fixes problems which are several years old is
absolutely pathetic.
Simon.
--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
clubley (1184)
5/7/2012 12:27:52 AM
In article <jo74u7$rp7$1@dont-email.me>, Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> writes:
>On 2012-05-06, John Smith (who cares if I'm the one @ HP - if here's even still there) <a@nonymous.com> wrote:
>>
>> "Simon Clubley" <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote in
>> message news:jmjona$jl9$1@dont-email.me...
>>> Multiple critical security issues exist in HP's VMS version of Apache.
>>>
>>> PHP related:
>>>
>>> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281867
>>>
>>> Java related:
>>>
>>> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281831
>>>
>>> I think the most telling thing about this is that the CVEs date back over
>>> the last several _years_; in Linux land you would generally get a new kit
>>> to fix the latest CVE within a few days.
>>>
>>> So much for this being the "Secure" Web Server.
>>>
>>
>> Simon,
>>
>> It takes time to ship code to India via tramp steamer. Be patient.
>>
>
>This may just be me, but I think it would be better if we focused on the
>issues instead of performing two dimensional racial stereotyping. As I
>have always said, you can find smart and not so smart people in any
>country and the problem with HP seems to be they have gone for the cheapest
>solution possible. You would have had similar problems if VMS engineering
>had been kept in the US, but the then current VMS team had been replaced
>with cheaper, but far less capable/experienced people.
>
>BTW, to give an example of how out of touch the VMS patch release schedule
>is for Internet based components, there is currently a PHP exploit being
>discussed (the one involving parameters on the command line) and people
>are upset that it was sat on for 4 months, which seems to be generally
>considered an unreasonably large amount of time to wait, which is something
>I strongly agree with.
>
>A patch kit which only now fixes problems which are several years old is
>absolutely pathetic.
^^^^^^^^^^^^^^^^^^^
sub/absolutely/pathetic/whole and what have you got?
I haven't heard anything WRT several bug reports I've submitted in recent
months. Two are, for me at least, very annoying and causing me no relief
from kludgy workarounds.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
Well I speak to machines with the voice of humanity.
VAXman
5/7/2012 1:28:01 PM
On 5/7/2012 9:28 AM, VAXman- @SendSpamHere.ORG wrote:
> In article<jo74u7$rp7$1@dont-email.me>, Simon Clubley<clubley@remove_me.eisner.decus.org-Earth.UFP> writes:
>> On 2012-05-06, John Smith (who cares if I'm the one @ HP - if here's even still there)<a@nonymous.com> wrote:
>>>
>>> "Simon Clubley"<clubley@remove_me.eisner.decus.org-Earth.UFP> wrote in
>>> message news:jmjona$jl9$1@dont-email.me...
>>>> Multiple critical security issues exist in HP's VMS version of Apache.
>>>>
>>>> PHP related:
>>>>
>>>> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281867
>>>>
>>>> Java related:
>>>>
>>>> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281831
>>>>
>>>> I think the most telling thing about this is that the CVEs date back over
>>>> the last several _years_; in Linux land you would generally get a new kit
>>>> to fix the latest CVE within a few days.
>>>>
>>>> So much for this being the "Secure" Web Server.
>>>>
>>>
>>> Simon,
>>>
>>> It takes time to ship code to India via tramp steamer. Be patient.
>>>
>>
>> This may just be me, but I think it would be better if we focused on the
>> issues instead of performing two dimensional racial stereotyping. As I
>> have always said, you can find smart and not so smart people in any
>> country and the problem with HP seems to be they have gone for the cheapest
>> solution possible. You would have had similar problems if VMS engineering
>> had been kept in the US, but the then current VMS team had been replaced
>> with cheaper, but far less capable/experienced people.
>>
>> BTW, to give an example of how out of touch the VMS patch release schedule
>> is for Internet based components, there is currently a PHP exploit being
>> discussed (the one involving parameters on the command line) and people
>> are upset that it was sat on for 4 months, which seems to be generally
>> considered an unreasonably large amount of time to wait, which is something
>> I strongly agree with.
>>
>> A patch kit which only now fixes problems which are several years old is
>> absolutely pathetic.
> ^^^^^^^^^^^^^^^^^^^
Don't you mean "Hopelessly Pathetic"?
> sub/absolutely/pathetic/whole and what have you got?
>
> I haven't heard anything WRT several bug reports I've submitted in recent
> months. Two are, for me at least, very annoying and causing me no relief
> from kludgy workarounds.
Are you paying for support? If so, call H-P. If not, you fix it
yourself and you'll find sympathy in your dictionary!
rgilbert88 (4359)
5/7/2012 2:16:27 PM
"Simon Clubley" <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote in
message news:jo74u7$rp7$1@dont-email.me...
> On 2012-05-06, John Smith (who cares if I'm the one @ HP - if here's even
> still there) <a@nonymous.com> wrote:
>>
>> "Simon Clubley" <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote in
>> message news:jmjona$jl9$1@dont-email.me...
>>> Multiple critical security issues exist in HP's VMS version of Apache.
>>>
>>> PHP related:
>>>
>>> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281867
>>>
>>> Java related:
>>>
>>> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281831
>>>
>>> I think the most telling thing about this is that the CVEs date back
>>> over
>>> the last several _years_; in Linux land you would generally get a new
>>> kit
>>> to fix the latest CVE within a few days.
>>>
>>> So much for this being the "Secure" Web Server.
>>>
>>
>> Simon,
>>
>> It takes time to ship code to India via tramp steamer. Be patient.
>>
>
> This may just be me, but I think it would be better if we focused on the
> issues instead of performing two dimensional racial stereotyping. As I
> have always said, you can find smart and not so smart people in any
> country and the problem with HP seems to be they have gone for the
> cheapest
> solution possible. You would have had similar problems if VMS engineering
> had been kept in the US, but the then current VMS team had been replaced
> with cheaper, but far less capable/experienced people.
>
> BTW, to give an example of how out of touch the VMS patch release schedule
> is for Internet based components, there is currently a PHP exploit being
> discussed (the one involving parameters on the command line) and people
> are upset that it was sat on for 4 months, which seems to be generally
> considered an unreasonably large amount of time to wait, which is something
> I strongly agree with.
>
> A patch kit which only now fixes problems which are several years old is
> absolutely pathetic.
It's got nothing to do with stereotyping.
HP has chosen to ship all their VMS support (and dare I say "development")
to India. Fine.
But they've also chosen to put that support on the slow train too, which
seems not to have a direct or fully funded path.
Tramp steamers are ones that people have used when they aren't particularly
concerned about how long it takes to get to a destination but they *are*
concerned about getting there as cheaply as possible.
Hence the analogy sticks, IMHO.
a6372 (1957)
5/7/2012 3:30:59 PM
On 2012-05-07, John Smith (who cares if I'm the one @ HP - if here's even still there) <a@nonymous.com> wrote:
>
> It's got nothing to do with stereotyping.
>
> HP has chosen to ship all their VMS support (and dare I say "development")
> to India. Fine.
> But they've also chosen to put that support on the slow train too, which
> seems not to have a direct or fully funded path.
>
> Tramp steamers are ones that people have used when they aren't particularly
> concerned about how long it takes to get to a destination but they *are*
> concerned about getting there as cheaply as possible.
>
> Hence the analogy sticks, IMHO.
>
Yes, with the explanation I now see where you are coming from.
There have been a number of comments here over the years which basically
came across as all Indians are stupid and this appeared to be another one.
With the comment above, it clearly wasn't. Sorry about that. You are
clearly targeting HP itself, which is also where I place my own
criticisms.
Simon.
--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
clubley (1184)
5/7/2012 10:13:19 PM
> There have been a number of comments here over the years which basically
> came across as all Indians are stupid and this appeared to be another one.
When the outsourcing became public, I asked multiple times whether
staffing levels would remain roughly the same as before, and HP
steadfastly refused to answer. If staffing levels had remained the
same or been increased, HP would have bragged about it.
Given time, the new team will gain experience, and with each error, they
learn. However, time will not fix a shortage of manpower to fix all the
bugs. That shortage is dictated by HP management who allocate how much
work the Indian team is budgeted to do for VMS.
Of course, one must not forget the big white elephant in the room: the
court documents alleging that HP had long ago decided to retire the IA64
based operating systems along with IA64 after having tried to port HP-UX
to the 8086.
You don't spend money to improve an operating system that is a dead end,
you spend money to maintain it just enough to prevent customers from
running to other vendors at record speed.
Once HP launches its Odyssey 8086 Superdomes with either Linux or Windows
"mainframes", I think we will start to get a clearer message on porting
from the legacy OS to HP's new enterprise ecosystem.
Nobody should be surprised that the proprietary port of Apache to VMS is
years behind. The only solution to open sourced software is to integrate
the VMS specific stuff in the main source code tree so that anyone can
build the latest version.
jfmezei.spamnot (8811)
5/8/2012 1:45:30 AM