topic Re: Critical Security Bulletin Notification in Operating System - HP-UX

Critical Security Bulletin Notification

F Verschuren — Tue, 05 May 2009 06:32:11 GMT

I reseved a critical patch that needs to be installed on all hp systems
http://alerts.hp.com/r?2.1.3KT.2ZR.yYLPc.CymZx6..T.G9qo.1mR2.HXYEdc00
In the url there seems to be a bug in the comand useradd, however if I download the patch I see that the tree patches are for chmod, can somebody explean what chmod and useradd have in comment and if this are the correct patches?

Re: Critical Security Bulletin Notification

Bart Paulusse — Tue, 05 May 2009 07:39:56 GMT

When I use your url, it shows a security bulletin regarding Apache vulnerabilities, nothing about useradd...
If there is a bug in the useradd command, useradd should be patched and not chmod. Does the patch perhaps contain patches for both? If not it seems the patch you downloaded is not correct.

Re: Critical Security Bulletin Notification

F Verschuren — Tue, 05 May 2009 07:57:17 GMT

sorry, this is the correct url:
http://alerts.hp.com/r?2.1.3KT.2ZR.yYLPc.DBBrSc..T.HFny.1reg.bW89MQ%5f%5fDJHQFTD0

Re: Critical Security Bulletin Notification

mobidyc — Tue, 05 May 2009 08:12:12 GMT

Hi,

this patch correct a bug in the skel directory used by useradd in some circumstances.

chmod fixes the rights on the home directory for the new user.

Regards,
Cedrick Gaillard

Re: Critical Security Bulletin Notification

F Verschuren — Tue, 05 May 2009 09:50:18 GMT

If I download the patch, I do not see any changes to the skil dirs.

so the question remane, why do I neet to patch chmod if useradd is not ok....

is it because useradd is useing chmod?
ore are the patches not compleat?

Re: Critical Security Bulletin Notification

Dennis Handly — Tue, 05 May 2009 15:58:31 GMT

>If I download the patch, I do not see any changes to the skel dirs.
>so the question remains, why do I need to patch chmod if useradd is not ok.

Good questions, you should provide feedback on that Alert page.

Re: Critical Security Bulletin Notification

Dennis Handly — Wed, 06 May 2009 01:24:44 GMT

It seems the 11.31 useradd(1m) patch is PHCO_38547 and the chmod patch is PHCO_38482.

But I don't see any mention of these in the former:
OS-Core.SYS-ADMIN: /etc/default/useradd
OS-Core.SYS-ADMIN: /usr/newconfig/etc/default/useradd

Though I do see them in the 11.11 version: PHCO_38492

A previous security bulletin mentions useradd too:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01455884

Re: Critical Security Bulletin Notification

F Verschuren — Thu, 07 May 2009 06:34:42 GMT

I just pleased a software call and send a mail to security-alert@hp.com
As soon I get the anser form HP I will post it here

Re: Critical Security Bulletin Notification

F Verschuren — Thu, 07 May 2009 12:00:17 GMT

reaction form hp:

-----Original Message-----

Subject: RE: <1604942226>

Freek,

For HP-UX 11.31 this is the patch ----Patch PHCO_38547

For HP-UX 11.23 this is the patch ----Patch PHCO_38491

For HP-UX 11.11 this is the patch ---Patch PHCO_38492

Indeed the documentation is very much missleading. I sent a correction request.

Regards,
Ari

Re: Critical Security Bulletin Notification

Torsten. — Thu, 07 May 2009 12:32:46 GMT

You should never post complete email addresses - think about the spam robots.

Re: Critical Security Bulletin Notification

John Morris — Fri, 08 May 2009 12:34:30 GMT

The corrected security bulletins is now available here:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01539431

and here:

http://www2.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01539431

Re: Critical Security Bulletin Notification

F Verschuren — Fri, 08 May 2009 12:52:25 GMT

The new security bulitains are created, topic closed.