
SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Occasional Contributor

Is there a patch available for the recent SSL exploits not fixed in the 0.9.8h version built into SWS v2.2?

CVE-2010-4180 and CVE-2008-7270

John Nebel

6 REPLIES
Honored Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

If you log a call then HP support can tell you and supply the patch if there is one.

____________________
Purely Personal Opinion
Honored Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Here's a collection of CVE listings I've collected from recent HP security announcements.

CVE-2010-4180 is listed. CVE-2008-7270 is not.

Ring up HP support for the official answer.

Occasional Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Hoff,

Thanks, I did open a case.

Since SWS has its own SSL, SSL V1.4-453 does not fix the CVE-2010-4180 exploit for SWS.

Best,

John

Occasional Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Hoff,

According to HP these two are not patched and have been referred to engineering. I've discovered a workaround and that is to turn off the SSLSessionCache.

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First either `none'
#   or `dbm:/path/to/file' for the mechanism to use and
#   second the expiring timeout (in seconds).
SSLSessionCache        none
#SSLSessionCache        shm:logs/ssl_scache(512000)
#SSLSessionCache         dbm:logs/ssl_scache
#SSLSessionCacheTimeout  300

Best,

John
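
A way to confirm that the SSLSessionCache workaround from the post above is what a given configuration file actually sets, as an added example that is not part of the original thread and not HP's tooling. The function names and the sample text are assumptions made for illustration; the sample is constructed from the fragment quoted in the post.

```python
import re

# Constructed sample, modelled on the ssl.conf fragment quoted in the post above.
SAMPLE_CONF = """\
#   Inter-Process Session Cache:
SSLSessionCache        none
#SSLSessionCache        shm:logs/ssl_scache(512000)
#SSLSessionCache         dbm:logs/ssl_scache
#SSLSessionCacheTimeout  300
"""

# \s+ after the name keeps SSLSessionCacheTimeout from matching; a leading
# '#' makes the line a comment, so commented-out directives never match.
DIRECTIVE = re.compile(r"^\s*SSLSessionCache\s+(\S+)", re.IGNORECASE)


def active_session_cache_settings(conf_text):
    """Return [(line_no, value)] for each uncommented SSLSessionCache directive."""
    found, pending, start = [], "", None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        if start is None:
            start = no                      # first physical line of this directive
        if raw.endswith("\\"):              # backslash continues onto the next line
            pending += raw[:-1] + " "
            continue
        match = DIRECTIVE.match(pending + raw)
        if match:
            found.append((start, match.group(1).strip("\"'")))
        pending, start = "", None
    return found


def audit(conf_text):
    """Classify the file as 'disabled', 'enabled' or 'unset', listing offenders."""
    settings = active_session_cache_settings(conf_text)
    if not settings:
        # No active directive: the result depends on the build's default,
        # so report it separately rather than assuming the cache is off.
        return "unset", []
    offenders = [(n, v) for n, v in settings if v.lower() != "none"]
    return ("enabled" if offenders else "disabled"), offenders


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Any active directive other than `none` is reported with its line number, so a cache re-enabled further down the file or in a continued line is not missed.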

Honored Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

If you are concerned around the status of SSL CVEs within Apache, consider a more detailed investigation into the current status, development plans, and remediation plans for OpenVMS and its web-facing and security-related components.

 

Occasional Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

A new Apache ECO is available which incorporates OpenSSL 0.9.8o and is linked from:

http://h71000.www7.hp.com/openvms/products/ips/apache/csws_patches.html

John Nebel