[Info-vax] Heads up: multiple exploitable security issues in HP SWS

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Sun May 6 20:27:52 EDT 2012


On 2012-05-06, John Smith (who cares if I'm the one @ HP - if here's even still there) <a at nonymous.com> wrote:
>
> "Simon Clubley" <clubley at remove_me.eisner.decus.org-Earth.UFP> wrote in 
> message news:jmjona$jl9$1 at dont-email.me...
>> Multiple critical security issues exist in HP's VMS version of Apache.
>>
>> PHP related:
>>
>> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281867
>>
>> Java related:
>>
>> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281831
>>
>> I think the most telling thing about this is that the CVEs date back over
>> the last several _years_; in Linux land you would generally get a new kit
>> to fix the latest CVE within a few days.
>>
>> So much for this being the "Secure" Web Server.
>>
>
> Simon,
>
> It takes time to ship code to India via tramp steamer. Be patient.
>

This may just be me, but I think it would be better if we focused on the
issues instead of performing two-dimensional racial stereotyping. As I
have always said, you can find smart and not so smart people in any
country and the problem with HP seems to be they have gone for the cheapest
solution possible. You would have had similar problems if VMS engineering
had been kept in the US, but the then current VMS team had been replaced
with cheaper, but far less capable/experienced people.

BTW, to give an example of how out of touch the VMS patch release schedule
is for Internet based components, there is currently a PHP exploit being
discussed (the one involving parameters on the command line) and people
are upset that it was sat on for 4 months, which seems to be generally
considered an unreasonably large amount of time to wait, which is something
I strongly agree with.

A patch kit which only now fixes problems which are several years old is
absolutely pathetic.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world


