Can a HP person check out this patch and post it...?
Technical Support
Hot News - Patch Released
The Microsoft patch MS04-025 (KB867801) for Internet Explorer broke the
login to HP SIM 4.0, 4.0.1, and 4.1 when using IE..
[EDIT]
>> Windows patches Here you will find a directory for HP SIM 4.0 and
4.1. The patch and directions are in each directory. Once installed, the
patch for HP SIM 4.0 does not provide a version string in the help-about
box, however the 4.1 patch does show the version of HP SIM as being
C.04.01.00.01. A file is placed in the main HP SIM directory named
sp1.txt which prevents the patch from being installed a second time.
In this edition:
HP SIM fix for Microsoft patch MS04-025 (KB867801)
OpenSSH 3.7p1 PAM authentication vulnerability
HP SIM fix for Microsoft patch MS04-025 (KB867801)
Microsoft released a new IE Patch on 7/30/04 that disables the ability
to login to HP SIM when using Internet Explorer. Read more about this
in HP SIM Newsletter #7
[EDIT]
The version string will show in HP SIM 4.1 as C.04.01.00.01. However,
this will not show in HP SIM 4.0. You will have to check for the
presence of the sp1.txt file in the main HP SIM directory to determine
if the patch had been installed.
OpenSSH 3.7p1 PAM authentication vulnerability
Recently a critical security advisory was released regarding OpenSSH and
PAM. This advisory is being presented in the event you receive queries
about how it applies to HP SIM.
Although HP SIM uses OpenSSH, PAM is not enabled in the sshd_config file
(see below where "usePAM" is commented-out):
The setting is appropriate for any of the OSs on which HP SIM can be
installed. To ensure PAM vulnerability is not present, ensure that PAM
is commented-out in the sshd_conf file on your CMS platform.
Below is the actual advisory from
http://www.openssh.com/txt/sshpam.adv.Subject: Portable OpenSSH Security Advisory: sshpam.adv
This document can be found at:
http://www.openssh.com/txt/sshpam.adv 1. Versions affected:
Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple
vulnerabilities in the new PAM code. At least one of these bugs is
remotely exploitable (under a non-standard configuration, with privsep
disabled).
The OpenBSD releases of OpenSSH do not contain this code and are not
vulnerable. Older versions of portable OpenSSH are not vulnerable.
2. Solution:
Upgrade to Portable OpenSSH 3.7.1p2 or disable PAM support ("UsePam no"
in sshd_config).
Due to complexity, inconsistencies in the specification and differences
between vendors' PAM implementations we recommend that PAM be left
disabled in sshd_config unless there is a need for its use. Sites only
using public key or simple password authentication usually have little
need to enable PAM support.
As stated earlier, the problem discussed in the advisory does not affect
systems on which HP SIM is installed unless someone has modified the
sshd_conf file.
