From support@us.external.hp.com Wed Mar 13 00:52:00 1996 Date: Wed, 13 Mar 1996 01:00:29 -0800 From: HPSL Mail Service Reply to: support-feedback@us.external.hp.com To: Damien Sorder Subject: RE: send doc HPSBMP9503-002 -------- ## Regarding your request: Send Doc HPSBMP9503-002 The following are the results of your request from the HP SupportLine mail service. =============================================================================== Document Id: [HPSBMP9503-002] Date Loaded: [03-20-95] Description: Security Vulnerability (HPSBMP9503-002) in MPE/iX releases =============================================================================== ------------------------------------------------------------------------- HEWLETT-PACKARD SECURITY BULLETIN: (MPE/iX) #00002, 20 March 95 ------------------------------------------------------------------------- The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. _______________________________________________________________________ PROBLEM: Security vulnerability in the MPE/iX operating system PLATFORM: HP3000 Series 900 systems running the Limited Release of MPE/iX 5.0 DAMAGE: Users can gain access to a higher TurboImage privilege SOLUTION: Update all systems to the General Release of MPE/iX 5.0, or Apply patch MPEHX25A (Limited Release MPE/iX 5.0 X.50.20). FIX: The problem is fixed in the General Release of MPE/iX 5.0 (C.50.00) AVAILABILITY: The 5.0 General Release and all patches are available now. _______________________________________________________________________ A. Nature of the problem It has been found that HP 3000 systems running the Limited Release of MPE/iX 5.0 (X.50.20) have a vulnerability that can be exploited by logged on users to gain a higher TurboImage privilege. This problem does not permit a user to gain additional privileges by accident. B. Fixing the problem Hewlett-Packard recommends that you update your HP 3000 Series 900 computer systems to the General Release of MPE/iX 5.0 (C.50.00), as this problem is fixed in that release. Updating to the 5.0 General Release is the easiest and safest way to get the fix for this security problem. Customers with HP System Support contracts should have already received their shipments of the General Release of MPE/iX 5.0 (C.50.00). However, if you feel that you cannot update to the 5.0 General Release at this time, the vulnerability can be eliminated from the Limited Release of MPE/iX 5.0 by applying a patch, MPEHX25A. C. How to Install the Patch (for the Limited Release MPE/iX 5.0) 1. Determine which patch is appropriate for your operating system release: MPEHX25A for Series 900, Limited Release MPE/iX 5.0 (X.50.20) 2. Obtaining the patch. If you have an HP System Support contract, you should be receiving a security notification packet that includes a FAX-back form for ordering the patches that fix the problems described in the following three Security Bulletins -- HPSBMP9503-001, HPSBMP9503-002, and HPSBMP9503-003. If you do not have an HP System Support contract, you can obtain the same patches by ordering MPE/iX SECURITY PATCH, Product Number B5116AA. This product is available at no charge. When ordering the product, you need to know which MPE/iX release you are patching and on what media you want the patch delivered. The following chart shows the two product options: Option Table for Product Number B5116AA 1600BPI 6250BPI Tape Tape DDS |---------|---------|---------| B.40.00 | 240,AA1 | 240,AA2 | 240,AAH | |---------|---------|---------| X.50.20 | 250,AA1 | 250,AA2 | 250,AAH | |---------|---------|---------| Phone numbers to HP Direct and other HP Country Sales offices have been included at the end of this bulletin for your convenience. 3. Apply the patch to your MPE/iX system. Installation instructions are included with the MPE/iX SECURITY PATCH product. D. Impact of the patch and workaround Application of the patch will eliminate the vulnerability. E. Obtaining General Security Information To subscribe to automatically receive future NEW HP Security Bulletins from the HP SupportLine mail service via electronic mail, send an email message to: support@support.mayfield.hp.com (no Subject is required) Multiple instructions are allowed in the TEXT PORTION OF THE MESSAGE, here are some basic instructions you may want to use: To add your name to the subscription list for new Security Bulletins, send the following in the TEXT PORTION OF THE MESSAGE: subscribe security_info To retrieve the index of all HP Security Bulletins issued to date, send the following in the TEXT PORTION OF THE MESSAGE: send security_info_list World Wide Web service for browsing of bulletins is available via the HPSL URL: http://support.mayfield.hp.com Choose "Support news", then under Support news, choose "Security Bulletins" F. To report new security vulnerabilities, send email to security-alert@hp.com _______________________________________________________________________ United States Canada Tel: 800-386-1117 Tel: 800-387-3154 Fax: 800-386-1118 Austria Netherlands Tel: 43 222/250 00-200 Tel: 31 20-5476040 Fax: 43 222/250 00-311 Fax: 31 20-5477778 Belgium Norway Tel: 32 2/778.33.99 Tel: 47 2 273 5767 Fax: 32 2/778.33.88 Fax: 47 2 273 5620 Czech Republic Poland Tel: 42/2/4717230 Tel: 48/22/375085 Fax: 42/2/4717611 Fax: 48/22/374783 Denmark Portugal Tel: 45 45 99 11 45 Tel: 351(1)301 7343 Fax: 45 45 82 11 46 Fax: 351(1)301 7568 Finland Russia Tel: 358 0-8872 2000 Tel: 7095-923-5001 Fax: 358 0-8872 2002 Fax: 7095-230-2611 France Slovenia Tel: 33(1)60 77 30 04 Tel: 386(61)159-3322 Fax: 33(1)69 91 86 79 Fax: 386(61)558-597 Germany Slovak Republic Tel: 49 70 31/14-55 40 Tel: 42/7/765896 Fax: 49 70 31/14-10 80 Fax: 42/7/763408 Greece Spain Tel: 30/1/6896411 Tel: 34(1)631 11 11 Fax: 30/1/6896512 Fax: 34(1)631 11 22 Hungary Sweden Tel: 36/1/1420986 Tel: 46 8-750 22 10 Fax: 36/1/1223692 Fax: 46 8-793 90 50 Iceland Switzerland (French) Tel: 354/1/671000 Tel: 41(22)780 44 65 Fax: 354/1/673031 Fax: 41(22)780 42 20 Ireland Switzerland (German) Tel: 353/1/2844633 Tel: 41 1/735 72 70 Fax: 353/1/2844622 Fax: 41 1/735 77 11 Italy Turkey Tel: Tel: 90-1-224 59 25 Fax: 39 2/75.30.645 Fax: 90-1-224 59 39 Mexico UK Tel: (+52 5) 326-4684 Tel: 44-344-369231 Fax: 44 344-361014 European Headquarters & Middle East and Multicountry Sales Region Afrika Operation Tel: 41/22/780/8111 Tel: 41/22/780/4111 Fax: 41/22/780/8609 Fax: 41/22/780/4770 Australia Korea Tel: (61-2)950-7491 Tel: (822)769-0612 Fax: (61-2)878-5596 Fax: (822)769-0523 Asia Pacific Headquarters Malaysia Tel: (65) 290-6217 Tel: (60-3)295-2315 Fax: (65) 291-9697 Fax: (60-3)291-5495 Hong Kong Singapore Tel: (852)599-7571 Tel: (65) 290-6005 Fax: (852)506-9261 Fax: (65) 296-9023 Japan Taiwan Tel: (81-423)30-7888 Tel: (886-2)717-9620 Fax: (81-426)45-4312 Fax: (886-2)714-8793 Other Countries Call your local HP Country Sales office or distributor -----------------------------------------------------------------------------