[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 705/06 - Four Hewlett Packard Security Bulletins:



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

 UNIRAS (UK Government CERT) Briefing - 705/06 dated 02.11.06 time 12:30
 UNIRAS is part of NISCC (the UK National Infrastructure Security
 Co-ordination Centre)
______________________________________________________________________________

 UNIRAS material is available from the NISCC website at www.niscc.gov.uk
______________________________________________________________________________

Title
=====

Four Hewlett Packard Security Bulletins:

1. HPSBUX02091 SSRT061099 rev.2 - HP-UX Local Increased Privilege

2. HPSBUX02164 SSRT061265 rev.1 - HP-UX VirtualVault Running Apache 1.3.X Remote 
Denial of Service (DoS) and Arbitrary Code Execution

3. HPSBUX02165 SSRT061266 rev.1 - HP-UX VirtualVault Remote Unauthorized Access

4. HPSBUX02172 SSRT061269 rev.1 - HP-UX VirtualVault running Apache Remote Execution 
of Arbitrary Code, Denial of Service (DoS), and Unauthorized Access

Detail
======

1. A potential security vulnerability has been identified with HP-UX
systems where the vulnerability may be exploited to allow a local user
to increase privilege. 

2. Two potential security vulnerabilities have been reported in HP-UX
VirtualVault Apache HTTP server versions prior to Apache 1.3.37 that may
allow a Denial of Service (DoS) attack and execution of arbitrary code.

3. A security vulnerability has been identified in OpenSSL used in HP
VirtualVault 4.7, 4.6, 4.5 and HP WebProxy that may allow remote
unauthorized access.

4. Potential security vulnerabilities have been identified with Apache
running on HP-UX VirtualVault. These vulnerabilities could be exploited
remotely to allow execution of arbitrary code, Denial of Service (DoS),
or unauthorized access.



1.




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00591401
Version: 2

HPSBUX02091 SSRT061099 rev.2 - HP-UX Local Increased Privilege

NOTICE: The information in this Security Bulletin should be acted upon
as soon as possible.

Release Date: 2006-10-27
Last Updated: 2006-10-30

Potential Security Impact: Local increased privilege

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX
systems where the vulnerability may be exploited to allow a local user
to increase privilege. 

References: CVE-2006-0436

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.00, B.11.04, B.11.11.

BACKGROUND

The Hewlett-Packard Company thanks NCC Group for reporting this
vulnerability to security-alert@xxxxxxx

To determine if a system has an affected version, search the output of
"swlist -a revision -l fileset" for one of the filesets listed below.
For affected systems verify that the recommended action has been taken. 


AFFECTED VERSIONS

HP-UX B.11.00 
=========== 
OS-Core.CORE-SHLIBS 
action: install PHCO_29249 or subsequent 

HP-UX B.11.04 
=========== 
OS-Core.CORE-SHLIBS 
action: install PHCO_32280 or subsequent 

HP-UX B.11.11 
=========== 
OS-Core.CORE-SHLIBS 
action: install PHCO_30402 or subsequent 

END AFFECTED VERSIONS 


RESOLUTION

HP is providing the following patches to resolve this potential
vulnerability.
These patches can be downloaded from http://itrc.hp.com . 

HP-UX B.11.00 PHCO_29249
 
HP-UX B.11.04 PHCO_32280
 
HP-UX B.11.11 PHCO_30402


MANUAL ACTIONS: No 


PRODUCT SPECIFIC INFORMATION 

HP-UX Security Patch Check: Security Patch Check revision B.02.00
analyzes all HP-issued Security Bulletins to provide a subset of
recommended actions that potentially affect a specific HP-UX system.For
more information:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumbe
r=B6834AA 



HISTORY: 
Version: 1 (rev.1) 23 January 2006 Initial release 
Version: 2 (rev.2) 30 October 2006 Added CVE reference 

Third Party Security Patches: Third party security patches which are to
be installed on systems running HP software products should be applied
in accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services
support channel.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: security-alert@xxxxxxx  It is
strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
information.  To get the security-alert PGP key, please send an
e-mail message as follows:
  To: security-alert@xxxxxx
  Subject: get key

Subscribe: To initiate a subscription to receive future HP
Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&;
langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC

On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
  - check ALL categories for which alerts are required and
    continue.
Under Step2: your ITRC operating systems
  - verify your operating system selections are checked and
    save.

To update an existing subscription:
http://h30046.www3.hp.com/subSignIn.php
Log in on the web page:
  Subscriber's choice for Business: sign-in.
On the web page:
  Subscriber's Choice: your profile summary
    - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters of the
Bulletin number in the title:

    GN = HP General SW,
    MA = HP Management Agents,
    MI = Misc. 3rd party SW,
    MP = HP MPE/iX,
    NS = HP NonStop Servers,
    OV = HP OpenVMS,
    PI = HP Printing & Imaging,
    ST = HP Storage SW,
    TL = HP Trusted Linux,
    TU = HP Tru64 UNIX,
    UX = HP-UX,
    VV = HP Virtual Vault


System management and security procedures must be reviewed
frequently to maintain system integrity. HP is continually
reviewing and enhancing the security features of software products
to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected HP products the
important security information contained in this Bulletin. HP
recommends that all users determine the applicability of this
information to their individual situations and take appropriate
action. HP does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, HP
will not be responsible for any damages resulting from user's use
or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either
express or implied, including the warranties of merchantability
and fitness for a particular purpose, title and non-infringement."


(c)Copyright 2006 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
provided is provided "as is" without warranty of any kind. To the
extent permitted by law, neither HP nor its affiliates,
subcontractors or suppliers will be liable for incidental, special
or consequential damages including downtime cost; lost profits;
damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration.
The information in this document is subject to change without
notice. Hewlett-Packard Company and the names of Hewlett-Packard
products referenced herein are trademarks of Hewlett-Packard
Company in the United States and other countries. Other product
and company names mentioned herein may be trademarks of their
respective owners.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRUixmeAfOvwtKn1ZEQKw4QCeMvzxUA3hwai2CiYPOR9ptabal6oAoMd/
bFl4agGcOQqbibypmvQjqIan
=9xn4
- -----END PGP SIGNATURE-----



2.



- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00794047
Version: 1

HPSBUX02164 SSRT061265 rev.1 - HP-UX VirtualVault Running Apache 1.3.X
Remote Denial of Service (DoS) and Arbitrary Code Execution

NOTICE: The information in this Security Bulletin should be acted upon
as soon as possible.

Release Date: 2006-10-31
Last Updated: 2006-10-31

Potential Security Impact: Remote Denial of Service (DoS) and execution
of arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Two potential security vulnerabilities have been reported in HP-UX
VirtualVault Apache HTTP server versions prior to Apache 1.3.37 that may
allow a Denial of Service (DoS) attack and execution of arbitrary code.

References: CVE-2006-3747, CVE-2006-3352

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.04 with VirtualVault 4.7 or VirtualVault 4.6 or VirtualVault
4.5.

BACKGROUND

The Apache group, while announcing the release of Apache HTTP Server
version 1.3.37 reported that two security defects have been addressed. 

Note: To determine if an HP-UX system has an affected version, search
the output of "swlist -a revision -l fileset" for one of the filesets
listed below. For affected systems verify that the recommended action
has been taken. 

AFFECTED VERSIONS 

HP-UX B.11.04 Virtualvault A.04.70 
=========================== 
VaultTS.VV-IWS 
action: install PHSS_35460 or subsequent 
VaultWS.WS-CORE 
action: install PHSS_35463 or subsequent 

HP-UX B.11.04 Virtualvault A.04.60 
=========================== 
VaultTS.VV-IWS 
action: install PHSS_35459 or subsequent 
VaultWS.WS-CORE 
action: install PHSS_35462 or subsequent 

HP-UX B.11.04 Virtualvault A.04.50 
=========================== 
VaultTS.VV-IWS 
action: install PHSS_35458 or subsequent 
VaultWS.WS-CORE 
action: install PHSS_35461 or subsequent 

HP-UX B.11.04 HP Webproxy A.02.10 (Apache 1.x) 
============================ 
HP_Webproxy.HPWEB-PX-CORE 
action: install PHSS_35111 or subsequent 

HP-UX B.11.04 HP Webproxy A.02.00 
============================ 
HP_Webproxy.HPWEB-PX-CORE 
action: install PHSS_35110 or subsequent 

END AFFECTED VERSIONS 


RESOLUTION

For B.11.04 HP has made the following patches available. 
The patches are available for download from http://itrc.hp.com 

PHSS_35460 HP-UX VirtualVault 4.7 IWS update 
PHSS_35463 HP-UX VirtualVault 4.7.OWS update 
PHSS_35459 HP-UX VirtualVault 4.6 IWS update 
PHSS_35462 HP-UX VirtualVault 4.6 OWS update 
PHSS_35458 HP-UX VirtualVault 4.5 IWS update 
PHSS_35461 HP-UX VirtualVault 4.5 OWS update 
PHSS_35111 HP-UX VirtualVault Webproxy server2.1 (Apache 1.x) update 
PHSS_35110 HP-UX VirtualVault Webproxy server2.0 update 

PRODUCT SPECIFIC INFORMATION 
HP-UX Security Patch Check: Security Patch Check revision B.02.00
analyzes all HP-issued Security Bulletins to provide a subset of
recommended actions that potentially affect a specific HP-UX system. For
more information:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumbe
r=B6834AA 

MANUAL ACTIONS: No 

HISTORY Version: 1 (rev.1) 31 October 2006 Initial release 

Third Party Security Patches: Third Party security patches which are to
be installed on systems running HP software products should be applied
in accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services
support channel.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: security-alert@xxxxxxx  It is
strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
information.  To get the security-alert PGP key, please send an
e-mail message as follows:
  To: security-alert@xxxxxx
  Subject: get key

Subscribe: To initiate a subscription to receive future HP
Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&;
langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC

On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
  - check ALL categories for which alerts are required and
    continue.
Under Step2: your ITRC operating systems
  - verify your operating system selections are checked and
    save.

To update an existing subscription:
http://h30046.www3.hp.com/subSignIn.php
Log in on the web page:
  Subscriber's choice for Business: sign-in.
On the web page:
  Subscriber's Choice: your profile summary
    - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters of the
Bulletin number in the title:

    GN = HP General SW,
    MA = HP Management Agents,
    MI = Misc. 3rd party SW,
    MP = HP MPE/iX,
    NS = HP NonStop Servers,
    OV = HP OpenVMS,
    PI = HP Printing & Imaging,
    ST = HP Storage SW,
    TL = HP Trusted Linux,
    TU = HP Tru64 UNIX,
    UX = HP-UX,
    VV = HP Virtual Vault


System management and security procedures must be reviewed
frequently to maintain system integrity. HP is continually
reviewing and enhancing the security features of software products
to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected HP products the
important security information contained in this Bulletin. HP
recommends that all users determine the applicability of this
information to their individual situations and take appropriate
action. HP does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, HP
will not be responsible for any damages resulting from user's use
or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either
express or implied, including the warranties of merchantability
and fitness for a particular purpose, title and non-infringement."


(c)Copyright 2006 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
provided is provided "as is" without warranty of any kind. To the
extent permitted by law, neither HP nor its affiliates,
subcontractors or suppliers will be liable for incidental, special
or consequential damages including downtime cost; lost profits;
damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration.
The information in this document is subject to change without
notice. Hewlett-Packard Company and the names of Hewlett-Packard
products referenced herein are trademarks of Hewlett-Packard
Company in the United States and other countries. Other product
and company names mentioned herein may be trademarks of their
respective owners.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRUi1/eAfOvwtKn1ZEQLaeACaAlzrv89dtmS0bEaqymTNdFoZtv4An2yo
rb7FLyM6FNNdjxZZYIaTU7qR
=x/SQ
- -----END PGP SIGNATURE-----



3.


The following Security Bulletin may contain long lines.  If this causes
a verification problem with the PGP signature, please use the copy in
the attached text file for verification.

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00794048
Version: 1

HPSBUX02165 SSRT061266 rev.1 - HP-UX VirtualVault Remote Unauthorized
Access

NOTICE: The information in this Security Bulletin should be acted upon
as soon as possible.

Release Date: 2006-10-31
Last Updated: 2006-10-31


Potential Security Impact: Remote Unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A security vulnerability has been identified in OpenSSL used in HP
VirtualVault 4.7, 4.6, 4.5 and HP WebProxy that may allow remote
unauthorized access.

References: CVE-2006-4339

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.04 running Virtualvault 4.7 or Virtualvault 4.6 or
Virtualvault 4.5 or HP WebProxy.

BACKGROUND

The OpenSSL community has released OpenSSL 0.9.7.k version superseding
the OpenSSL 0.9.7i release that was identified in the CVE report. 

Note: To determine if a system has an affected version, search the
output of "swlist -a revision -l fileset" for an affected fileset. Then
determine if the recommended patch or update is installed. 

AFFECTED VERSIONS 

HP-UX B.11.04 Virtualvault A.04.70 
=========================== 
VaultWS.WS-CORE 
VaultTS.VV-IWS 
VaultTS.VV-CORE-CMN 
VaultTGP.TGP-CORE 
action: install PHSS_35463, PHSS_35460, PHSS_35481 or subsequent 

HP-UX B.11.04 Virtualvault A.04.70 (Apache 2.X) 
==================================== 
VaultWS.WS-CORE 
action: install PHSS_35436 or subsequent 

HP-UX B.11.04 Virtualvault A.04.60 
=========================== 
VaultWS.WS-CORE 
VaultTS.VV-IWS 
VaultTS.VV-CORE-CMN 
VaultTGP.TGP-CORE 
action: install PHSS_35462, PHSS_35459, PHSS_35480 or subsequent 

HP-UX B.11.04 Virtualvault A.04.50 
=========================== 
VaultWS.WS-CORE 
VaultTS.VV-IWS 
VaultTS.VV-IWS-JK 
VaultTS.VV-CORE-CMN 
action: install PHSS_35461, PHSS_35458 or subsequent 

HP-UX B.11.04 HP Webproxy A.02.10 (Apache 2.x) 
============================ 
HP_Webproxy.HPWEB-PX-CORE 
action: install PHSS_35437 or subsequent 

HP-UX B.11.04 HP Webproxy A.02.10 (Apache 1.x) 
============================ 
HP_Webproxy.HPWEB-PX-CORE 
action: install PHSS_35111 or subsequent 

HP-UX B.11.04 HP Webproxy A.02.00 
============================ 
HP_Webproxy.HPWEB-PX-CORE 
action: install PHSS_35110 or subsequent 

END AFFECTED VERSIONS 



RESOLUTION

HP is making the following patches available to resolve this issue. 
The patches are available for download from http://itrc.hp.com 

For B.11.04 HP has made the following patches available: 
PHSS_35463 Virtualvault 4.7 OWS (Apache 1.x) update 
PHSS_35460 Virtualvault 4.7 IWS update 
PHSS_35481 Virtualvault 4.7 TGP update 
PHSS_35436 Virtualvault 4.7 OWS (Apache 2.x) update 
PHSS_35462 Virtualvault 4.6 OWS update 
PHSS_35459 Virtualvault 4.6 IWS update 
PHSS_35480 Virtualvault 4.6 TGP update 
PHSS_35461 Virtualvault 4.5 OWS update 
PHSS_35458 Virtualvault 4.5 IWS update 
PHSS_35437 Webproxy server 2.1 (Apache 2.x) update 
PHSS_35111 Webproxy server 2.1 (Apache 1.x) update 
PHSS_35110 Webproxy server 2.0 update 

PRODUCT SPECIFIC INFORMATION 
HP-UX Security Patch Check: Security Patch Check revision B.02.00
analyzes all HP-issued Security Bulletins to provide a subset of
recommended actions that potentially affect a specific HP-UX system. For
more information:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumbe
r=B6834AA 

MANUAL ACTIONS: No 

HISTORY Version: 1 (rev.1) 31 October 2006 Initial release 

Third Party Security Patches: Third Party security patches which are to
be installed on systems running HP software products should be applied
in accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services
support channel.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: security-alert@xxxxxxx  It is
strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
information.  To get the security-alert PGP key, please send an
e-mail message as follows:
  To: security-alert@xxxxxx
  Subject: get key

Subscribe: To initiate a subscription to receive future HP
Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&;
langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC

On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
  - check ALL categories for which alerts are required and
    continue.
Under Step2: your ITRC operating systems
  - verify your operating system selections are checked and
    save.

To update an existing subscription:
http://h30046.www3.hp.com/subSignIn.php
Log in on the web page:
  Subscriber's choice for Business: sign-in.
On the web page:
  Subscriber's Choice: your profile summary
    - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters of the
Bulletin number in the title:

    GN = HP General SW,
    MA = HP Management Agents,
    MI = Misc. 3rd party SW,
    MP = HP MPE/iX,
    NS = HP NonStop Servers,
    OV = HP OpenVMS,
    PI = HP Printing & Imaging,
    ST = HP Storage SW,
    TL = HP Trusted Linux,
    TU = HP Tru64 UNIX,
    UX = HP-UX,
    VV = HP Virtual Vault


System management and security procedures must be reviewed
frequently to maintain system integrity. HP is continually
reviewing and enhancing the security features of software products
to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected HP products the
important security information contained in this Bulletin. HP
recommends that all users determine the applicability of this
information to their individual situations and take appropriate
action. HP does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, HP
will not be responsible for any damages resulting from user's use
or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either
express or implied, including the warranties of merchantability
and fitness for a particular purpose, title and non-infringement."


(c)Copyright 2006 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
provided is provided "as is" without warranty of any kind. To the
extent permitted by law, neither HP nor its affiliates,
subcontractors or suppliers will be liable for incidental, special
or consequential damages including downtime cost; lost profits;
damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration.
The information in this document is subject to change without
notice. Hewlett-Packard Company and the names of Hewlett-Packard
products referenced herein are trademarks of Hewlett-Packard
Company in the United States and other countries. Other product
and company names mentioned herein may be trademarks of their
respective owners.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRUi1AuAfOvwtKn1ZEQKXtQCfVa/C4zQ6PjBcTthCZGSi6LaqhJkAoJyb
4zQ+FfHTQ+8o6iNE/2/Qlm9f
=2Kp/
- -----END PGP SIGNATURE-----



4.


The following Security Bulletin may contain long lines.  If this causes
a verification problem with the PGP signature, please use the copy in
the attached text file for verification.

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00797078
Version: 1

HPSBUX02172 SSRT061269 rev.1 - HP-UX VirtualVault running Apache Remote
Execution of Arbitrary Code, Denial of Service (DoS), and Unauthorized
Access

NOTICE: The information in this Security Bulletin should be acted upon
as soon as possible.

Release Date: 2006-10-31
Last Updated: 2006-10-31


Potential Security Impact: Remote Execution of Arbitrary Code, Denial of
Service (DoS), and Unauthorized Access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with Apache
running on HP-UX VirtualVault. These vulnerabilities could be exploited
remotely to allow execution of arbitrary code, Denial of Service (DoS),
or unauthorized access.

References: CVE-2006-3747, CVE-2005-3352, CVE-2005-3357

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.04 with VirtualVault running Apache 2.x Web Server

BACKGROUND

AFFECTED VERSIONS 

HP-UX B.11.04 VirtualVault 4.7 running Apache 2.x 
===================================== 
VaultWS.WS-CORE 
action: install PHSS_35436 or subsequent 

HP-UX B.11.04 HP Webproxy A.02.10 (Apache 2.x) 
===================================== 
HP_Webproxy.HPWEB-PX-CORE 
action: install PHSS_35437 or subsequent 

END AFFECTED VERSIONS 

RESOLUTION
For B.11.04 HP has made the following patches available to resolve the
issue. 
These patches are available from: http://itrc.hp.com 

PHSS_35436 VirtualVault 4.7 OWS (Apache 2.x) update 
PHSS_35437 WebProxy Server 2.1 (Apache 2.x) update 

MANUAL ACTIONS: No 

PRODUCT SPECIFIC INFORMATION 
HP-UX Security Patch Check: Security Patch Check revision B.02.00
analyzes all HP-issued Security Bulletins to provide a subset of
recommended actions that potentially affect a specific HP-UX system. For
more information:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumbe
r=B6834AA 

HISTORY: 
Version 1 (rev.1) - 31 October 2006 Initial Release 

Third Party Security Patches: Third Party security patches which are to
be installed on systems running HP software products should be applied
in accordance with the customer's patch management policy. 


Support: For further information, contact normal HP Services
support channel.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: security-alert@xxxxxxx  It is
strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
information.  To get the security-alert PGP key, please send an
e-mail message as follows:
  To: security-alert@xxxxxx
  Subject: get key

Subscribe: To initiate a subscription to receive future HP
Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&;
langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC

On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
  - check ALL categories for which alerts are required and
    continue.
Under Step2: your ITRC operating systems
  - verify your operating system selections are checked and
    save.

To update an existing subscription:
http://h30046.www3.hp.com/subSignIn.php
Log in on the web page:
  Subscriber's choice for Business: sign-in.
On the web page:
  Subscriber's Choice: your profile summary
    - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit:
http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters of the
Bulletin number in the title:

    GN = HP General SW,
    MA = HP Management Agents,
    MI = Misc. 3rd party SW,
    MP = HP MPE/iX,
    NS = HP NonStop Servers,
    OV = HP OpenVMS,
    PI = HP Printing & Imaging,
    ST = HP Storage SW,
    TL = HP Trusted Linux,
    TU = HP Tru64 UNIX,
    UX = HP-UX,
    VV = HP Virtual Vault


System management and security procedures must be reviewed
frequently to maintain system integrity. HP is continually
reviewing and enhancing the security features of software products
to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected HP products the
important security information contained in this Bulletin. HP
recommends that all users determine the applicability of this
information to their individual situations and take appropriate
action. HP does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, HP
will not be responsible for any damages resulting from user's use
or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either
express or implied, including the warranties of merchantability
and fitness for a particular purpose, title and non-infringement."


(c)Copyright 2006 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
provided is provided "as is" without warranty of any kind. To the
extent permitted by law, neither HP nor its affiliates,
subcontractors or suppliers will be liable for incidental, special
or consequential damages including downtime cost; lost profits;
damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration.
The information in this document is subject to change without
notice. Hewlett-Packard Company and the names of Hewlett-Packard
products referenced herein are trademarks of Hewlett-Packard
Company in the United States and other countries. Other product
and company names mentioned herein may be trademarks of their
respective owners.

- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRUi0cOAfOvwtKn1ZEQILpgCeNCfbVJZ4xDpyxuPMDrkFq0vshMUAoP0k
t/+6SsGri8UVOOGmZfUTh4+T
=ybFK
- -----END PGP SIGNATURE-----



______________________________________________________________________________

NISCC values your feedback.

1. Which of the following most reflects the value of the briefing to you?
(Place an 'X' next to your choice)

Very useful:__ Useful:__ Not useful:__ 

2. If you did not find it useful, why not?


3. Any other comments? How could we improve our briefings?


Thank you for your contribution.
______________________________________________________________________________

For additional information or assistance, please contact our help desk
by telephone.  You may send Not Protectively Marked information via
e-mail to uniras@xxxxxxxxxxxxx

Office hours:

Mon - Fri: 08:30 - 17:00 hours
Tel: +44 (0) 870 487 0748 and follow the voice prompts
Fax: +44 (0) 870 487 0749

On-call duty officer outside office hours:
Tel: +44 (0) 870 487 0748 and follow the voice prompts

______________________________________________________________________________

UNIRAS wishes to acknowledge the contributions of Hewlett Packard for the
information contained in this briefing.
______________________________________________________________________________

This notice contains information released by the original author.
Some of the information may have changed since it was released. If the
vulnerability affects you, it may be prudent to retrieve the advisory
from the site of the original source to ensure that you receive the most
current information concerning that problem.

Reference to any specific commercial product, process, or service by
trade name, trademark manufacturer, or otherwise, does not constitute or
imply its endorsement, recommendation, or favouring by UNIRAS or NISCC.
The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they
shall not be liable for any loss or damage whatsoever, arising from or
in connection with the usage of information contained within this
notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response
Teams (IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.
______________________________________________________________________________

<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRUnj7Gl7oeQsXfKvEQJgCACdFHgxw70sNhACA03p6XPgetLIuXUAoPhY
ozuY0KEfB5up1Z1yiZlMUqt8
=dGRa
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________