Message-ID: <CMM.0.91.0.1051911750.fdc@watsol>
Date: Fri, 2 May 2003 17:42:30 EDT
From: Frank da Cruz <fdc@...umbia.edu>
To: bt@...fi.lt
Subject: Re: from bugtraq: HP-UX 11.0 /usr/bin/kermit (fwd)


> I see. The problem is that the latest patch for kermit in HP-UX 11.0 is
> PHCO_22665 . This kermit patch does not increase version of kermit, it only
> patches known kermit(v. 6.0.192) vulnerabilities.  I have kermit
> v.6.0.192,shipped with default HP-UX 11.0 install and patched with latest HP
> security patch for it.
> ...
> It would be a perfect solution, but most sysadmins do not download newer
> software from third parties, but patches existing software from OS
> vendor. As I mentioned, new kermit versions were released, but AFAIK HP
> didn't make any patches to upgrade existing ones shipped earlier.
> ...
> I meant that patches should be released by HP.
> ...
> My point is: I have kermit with the latest HP patches, and it is
> vulnerable. There are newer C-Kermit releases, but HP has no upgrade patch
> for it... Did I miss something?
> 
I submit all new versions of Kermit to HP.  I include HP in the
development and test cycles.  They are supposed to update their copies.
OK, let me try some of the HP-UX systems at:

  http://www.testdrive.hp.com/

Here's what I find:

 HP-UX spe175 B.11.22 U ia64 rx2600
   C-Kermit 8.0.200, 12 Dec 2001, for HP-UX 11.00
   This one is fairly current - it has the buffer overflow fixes.

 HP-UX spe169 B.11.11 U 9000/800/A500-7X
   C-Kermit 7.0.197,  8 Feb 2000, for HP-UX 11.00
   This one is four years newer than the one you found but
   it is before the buffer overflow fixes.

I suspect that HP ships newer Kermit versions with newer OS versions, but
does not issue new Kermit patches for older OS versions.  If that is true,
then you have a point.  But:

 . HP probably wants you to upgrade your OS version.  They don't want
   to maintain patches for every combination of C-Kermit version and
   HP-UX version.

 . The current version is always available direct from us, for EVERY
   version of HP-UX on EVERY hardware platform.  See:

     http://www.columbia.edu/kermit/ck80binaries.html#hp

- Frank
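The exchange above turns on reading the C-Kermit version banner and deciding whether a given build predates the buffer overflow fixes. The following is an added example, not part of the original message or of the Kermit project: it parses banner lines in the format quoted above ("C-Kermit 8.0.200, 12 Dec 2001, for HP-UX 11.00") and compares the version numerically against a threshold. The threshold 8.0.200 is an assumption drawn from the message, which confirms that 8.0.200 carries the fixes and that 7.0.197 does not; the sample banner for the 6.0.192 build is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two banners quoted in the message plus a
# constructed banner for the 6.0.192 build the original poster reported.
SAMPLE_BANNERS: List[str] = [
    "C-Kermit 8.0.200, 12 Dec 2001, for HP-UX 11.00",
    "C-Kermit 7.0.197,  8 Feb 2000, for HP-UX 11.00",
    "C-Kermit 6.0.192, for HP-UX 11.00",  # constructed, not a real banner
]

# Assumption: 8.0.200 is the oldest release the message confirms has the
# buffer overflow fixes, so anything older is treated as unfixed.
MIN_FIXED_VERSION: Tuple[int, int, int] = (8, 0, 200)

_BANNER_RE = re.compile(r"C-Kermit\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, build) from a C-Kermit banner line.

    Returns None when the line carries no recognisable C-Kermit version,
    so callers can tell 'not Kermit' apart from 'old Kermit'.
    """
    match = _BANNER_RE.search(banner)
    if match is None:
        return None
    major, minor, build = (int(part) for part in match.groups())
    return (major, minor, build)


def is_fixed(banner: str) -> Optional[bool]:
    """True if the banner's version is at or above MIN_FIXED_VERSION.

    Comparison is on integer tuples, not strings: a lexical compare would
    wrongly rank '8.0.99' above '8.0.200'.
    """
    version = parse_version(banner)
    if version is None:
        return None
    return version >= MIN_FIXED_VERSION


def audit(banners: List[str]) -> Dict[str, Optional[bool]]:
    """Map each banner line to True (fixed), False (unfixed) or None (unparsed)."""
    return {banner: is_fixed(banner) for banner in banners}


if __name__ == "__main__":
    for banner, fixed in audit(SAMPLE_BANNERS).items():
        status = {True: "fixed", False: "UNFIXED", None: "unrecognised"}[fixed]
        print(f"{status:12s} {banner}")
```

Run against the three sample lines this reports 8.0.200 as fixed and the 7.0.197 and 6.0.192 builds as unfixed; the numeric tuple comparison matters because the third version component has more digits than the first two.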

