[Info-vax] Remote DoS critical problem for SMTP in TCP/IP services

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Thu Nov 10 12:34:05 EST 2011


On 2011-11-09, Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> wrote:
>
> Now onto the problem I am trying to solve:
>
> A critical DoS bulletin, HPSBOV02470, for TCP/IP services for the SMTP
> server in TCP/IP services has been published.
>
> [There's also an unauthorised access one for POP/IMAP as well, BTW, in
> bulletin ID HPSBOV02467]
>
> The bulletin is a few days old, but the patch id given in the bulletin
> for TCP/IP V5.6 on Alpha results in an 18 month old TCP/IP patch kit being
> found when I enter it into the HP support centre.
>
> Does anyone know what the correct patch ID is, please?
>

I now have an answer from HP.

It turns out that the >18 month old patch kit is the correct patch kit
for a security problem announced a few days ago.

This means that either HP fixed a serious security problem without alerting
customers to this specific security problem at the time for whatever reason
or they fixed an unrelated problem which also happened to fix a recently
discovered problem in a (presumably) older version of TCP/IP Services.

I have asked the local HP people if they know which one it is and the
response I have just got is that it is the latter (an unrelated fix).

BTW, for people who say you should just install all ECO kits anyway, then
that reasoning is quite valid provided you implicitly trust the people
producing the patch kits.

Unfortunately, there's been plenty of examples (since the disbanding of
Nashua) why that is no longer the case and that is why I now only install
patch kits for VMS which fix a specific problem I am currently experiencing.

Furthermore, even if I did that, being told that an 18 month old kit
is a fix for a recently announced problem is weird enough by itself
to require further investigation.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world


