- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: TCP/IP security patch
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-27-2010 10:16 PM
тАО03-27-2010 10:16 PM
Re: TCP/IP security patch
HP really seems to be listening !
Now there is rev. 2 of the security bulletin c01961959
There are now also patches for TCPIP V5.6 ECO 5.
And the wrong reference to CVE-2009-696 (BIND) has been removed.
Volker.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-28-2010 02:24 AM
тАО03-28-2010 02:24 AM
Re: TCP/IP security patch
Someone buy him a beer
Purely Personal Opinion
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-28-2010 03:29 AM
тАО03-28-2010 03:29 AM
Re: TCP/IP security patch
hold back on the applause please...
The patches for TCPIP V5.6 ECO 4 and ECO 5 for Alpha and I64 ship TCPIP$NTPTRACE linked 30-MAR-2004 ! Looks like this image has NEVER been relinked since TCPIP V5.6 SSB ?!
The patches for TCPIP V5.5 ECO 3 do NOT ship TCPIP$NTPTRACE images.
So there still remains the question:
Is TCPIP$NTPTRACE affected by this security problem ? If so, why has it not been relinked. And if NOT, why is it being shipped at all ?
To me, it looks like all the .EXE files from the build directory of NTP have been shipped in this kit and not just the affected images.
And to build and ship the V5.6 ECO 5 images took less than 16 hours, so the previous speculation about 'intensive testing of the patched images delaying the issue of the security fixes', does not seem to have affected this set of fixes.
Volker.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-29-2010 01:57 AM
тАО03-29-2010 01:57 AM
Re: TCP/IP security patch
This seems to be very unusual, all other NTP images have been relinked for each new SSB version and for each patch.
Maybe the NTP build is broken since V5.5 and missing the re-build of TCPIP$NTPTRACE...
FWIW,
Volker.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-29-2010 08:51 AM
тАО03-29-2010 08:51 AM
Re: TCP/IP security patch
Thanks for any info...
John
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-29-2010 09:19 AM
тАО03-29-2010 09:19 AM
Re: TCP/IP security patch
The safest assumption (and based on reading CVEs and reading the developer discussions of the fix over at the ntp site) is that the error does exist in earlier releases.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-29-2010 09:27 AM
тАО03-29-2010 09:27 AM
Re: TCP/IP security patch
Hoff,
Many Thanks for the quick answer. Does V5.6 ECO 3 need to be patched or only V5.6 ECO 4 ?
John
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-29-2010 09:31 AM
тАО03-29-2010 09:31 AM
Re: TCP/IP security patch
HP did NOT make a patch available for TCPIP V5.6 ECO 3. Whether this mean ECO 3 is not affected, only HP can answer !
Volker.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-29-2010 11:13 AM
тАО03-29-2010 11:13 AM
Re: TCP/IP security patch
Sure. That's easy. Be (appropriately!) paranoid.
Until you hear otherwise from an authoritative source (and which is _not_ ITRC) that a version or configuration is explicitly _not_ vulnerable, the assumption is that the software _is_ vulnerable. And if you're even operating with an average level of paranoia, not even then.
This (appropriate!) paranoia irrespective of the platform and software; whether we are discussing OpenVMS or anything else.
The web-facing servers I manage get attacked multiple times a day.
Unfortunately for this whole discussion, the OpenVMS web tools and web-facing software stacks are down-revision, and there are various security issues within the various web-facing and net-facing tools. Which is why do not recommend exposing OpenVMS to the Internet.
In defense of the vendors here, security also often turns into a circus; there's no certainty here, and even current-patch systems can be vulnerable to zero-day attacks, and to targeted attacks and spearfishing. And some of the security uproars are inconsequential for many sites; you have to know how big a target your site is, and how much you're willing to (directly and indirectly) pay to (try to) reduce your exposure to attacks. This security stuff gets FUD'd pretty heavily in the market, and it's easy to end up with an inappropriate degree of paranoia.
And one of the oft-overlooked parts of security is having current archives. And a review for the "low-hanging" security bugs that can exist in most any configuration.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-30-2010 07:41 AM
тАО03-30-2010 07:41 AM
Re: TCP/IP security patch
Many Thanks for the info esp. on the appropriate "paranoia" level - understand the risk assessment aspect that you mentioned and I'll continue to follow up with on whether versions not mentioned in the bulletin do have the vulnerability. Way too easy to just assume that all is well when a specific version is not directly referenced in a bulletin.
Regards,
John