Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


                                            `Date: Thu, 25 Mar 1999 11:08:21 -0800  
From: aleph1@UNDERGROUND.ORG  
Reply-To: support_feedback@us-support.external.hp.com  
To: BUGTRAQ@netspace.org  
Subject: Security Bulletins Digest  
HP Support Information Digests  
o HP Electronic Support Center World Wide Web Service  
If you subscribed through the HP Electronic Support Center and would  
like to be REMOVED from this mailing list, access the  
HP Electronic Support Center on the World Wide Web at:  
Login using your HP Electronic Support Center User ID and Password.  
Then select Support Information Digests. You may then unsubscribe from the  
appropriate digest.  
Digest Name: Daily Security Bulletins Digest  
Created: Thu Mar 25 3:00:03 PST 1999  
Table of Contents:  
Document ID Title  
--------------- -----------  
HPSBUX9903-094 Security Vulnerability with ftp on HP-UX 11.00  
The documents are listed below.  
Document ID: HPSBUX9903-094  
Date Loaded: 19990323  
Title: Security Vulnerability with ftp on HP-UX 11.00  
The information in the following Security Bulletin should be acted upon  
as soon as possible. Hewlett-Packard Company will not be liable for any  
consequences to any customer resulting from customer's failure to fully  
implement instructions in this Security Bulletin as soon as possible.  
PROBLEM: Security Vulnerability during ftp operations.  
PLATFORM: HP9000 Series 7/800 running HP-UX release 11.00 only.  
DAMAGE: Users can increase privileges  
SOLUTION: Apply the patch specified below  
AVAILABILITY: The patch is available now.  
A. Background  
Hewlett-Packard Company has found that during normal operations,  
the ftp program might grant users increased privileges.  
B. Fixing the problem  
Obtaining and installing the following patch will completely close  
this vulnerability. Rebooting the system will NOT be required.  
For all HP9000 S7/800 platforms running HP-UX 11.00: PHCO_17601  
C. To subscribe to automatically receive future NEW HP Security  
Bulletins or access the HP Electronic Support Center, use your  
browser to get to our ESC web page at:  
http://us-support.external.hp.com (for non-European locations),  
or http://europe-support.external.hp.com (for Europe)  
Login with your user ID and password (or register for one).  
Remember to save the User ID/password assigned to you.  
Once you are in the Main Menu:  
To -subscribe- to future HP Security Bulletins,  
click on "Support Information Digests".  
To -review Security bulletins already released-,  
click on the "Search Technical Knowledge Database."  
To -retrieve patches-, click on "Individual Patches" and select  
appropriate release and locate with the patch identifier (ID).  
To -browse the HP Security Bulletin Archive-, select the link at  
the bottom of the page once in the "Support Information Digests".  
To -view the Security Patch Matrix-, (updated daily) which  
categorizes security patches by platform/OS release, and by  
bulletin topic, go to the archive (above) and follow the links.  
The security patch matrix is also available via anonymous ftp:  
us-ffs.external.hp.com or ~ftp/export/patches/hp-ux_patch_matrix  
D. To report new security vulnerabilities, send email to  
Please encrypt any exploit information using the security-alert  
PGP key, available from your local key server, or by sending a  
message with a -subject- (not body) of 'get key' (no quotes) to  
Permission is granted for copying and circulating this Bulletin to  
Hewlett-Packard (HP) customers (or the Internet community) for the  
purpose of alerting them to problems, if and only if, the Bulletin  
is not edited or changed in any way, is attributed to HP, and  
provided such reproduction and/or distribution is performed for  
non-commercial purposes.  
Any other use of this information is prohibited. HP is not liable  
for any misuse of this information by any third party.  
-----End of Document ID: HPSBUX9903-094--------------------------------------