[Info-vax] Heads up: multiple exploitable security issues in HP SWS
VAXman- at SendSpamHere.ORG
Mon May 7 09:28:01 EDT 2012
In article <jo74u7$rp7$1 at dont-email.me>, Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> writes:
>On 2012-05-06, John Smith (who cares if I'm the one @ HP - if here's even still there) <a at nonymous.com> wrote:
>>
>> "Simon Clubley" <clubley at remove_me.eisner.decus.org-Earth.UFP> wrote in
>> message news:jmjona$jl9$1 at dont-email.me...
>>> Multiple critical security issues exist in HP's VMS version of Apache.
>>>
>>> PHP related:
>>>
>>> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281867
>>>
>>> Java related:
>>>
>>> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281831
>>>
>>> I think the most telling thing about this is that the CVEs date back over
>>> the last several _years_; in Linux land you would generally get a new kit
>>> to fix the latest CVE within a few days.
>>>
>>> So much for this being the "Secure" Web Server.
>>>
>>
>> Simon,
>>
>> It takes time to ship code to India via tramp steamer. Be patient.
>>
>
>This may just be me, but I think it would be better if we focused on the
>issues instead of performing two dimensional racial stereotyping. As I
>have always said, you can find smart and not so smart people in any
>country and the problem with HP seems to be they have gone for the cheapest
>solution possible. You would have had similar problems if VMS engineering
>had been kept in the US, but the then current VMS team had been replaced
>with cheaper, but far less capable/experienced people.
>
>BTW, to give an example of how out of touch the VMS patch release schedule
>is for Internet based components, there is currently a PHP exploit being
>discussed (the one involving parameters on the command line) and people
>are upset that it was sat on for 4 months, which seems to be generally
>considered an unreasonably large amount of time to wait, which is something
>I strongly agree with.
>
>A patch kit which only now fixes problems which are several years old is
>absolutely pathetic.
 ^^^^^^^^^^^^^^^^^^^
sub/absolutely/pathetic/whole and what have you got?
I haven't heard anything WRT several bug reports I've submitted in recent
months. Two are, for me at least, very annoying and causing me no relief
from kludgy workarounds.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
Well I speak to machines with the voice of humanity.