[Info-vax] Heads up: multiple exploitable security issues in HP SWS
Richard B. Gilbert
rgilbert88 at comcast.net
Mon May 7 10:17:04 EDT 2012
On 5/7/2012 9:28 AM, VAXman- @SendSpamHere.ORG wrote:
> In article<jo74u7$rp7$1 at dont-email.me>, Simon Clubley<clubley at remove_me.eisner.decus.org-Earth.UFP> writes:
>> On 2012-05-06, John Smith (who cares if I'm the one @ HP - if here's even still there)<a at nonymous.com> wrote:
>>>
>>> "Simon Clubley"<clubley at remove_me.eisner.decus.org-Earth.UFP> wrote in
>>> message news:jmjona$jl9$1 at dont-email.me...
>>>> Multiple critical security issues exist in HP's VMS version of Apache.
>>>>
>>>> PHP related:
>>>>
>>>> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281867
>>>>
>>>> Java related:
>>>>
>>>> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281831
>>>>
>>>> I think the most telling thing about this is that the CVEs date back over
>>>> the last several _years_; in Linux land you would generally get a new kit
>>>> to fix the latest CVE within a few days.
>>>>
>>>> So much for this being the "Secure" Web Server.
>>>>
>>>
>>> Simon,
>>>
>>> It takes time to ship code to India via tramp steamer. Be patient.
>>>
>>
>> This may just be me, but I think it would be better if we focused on the
>> issues instead of performing two dimensional racial stereotyping. As I
>> have always said, you can find smart and not so smart people in any
>> country and the problem with HP seems to be they have gone for the cheapest
>> solution possible. You would have had similar problems if VMS engineering
>> had been kept in the US, but the then current VMS team had been replaced
>> with cheaper, but far less capable/experienced people.
>>
>> BTW, to give an example of how out of touch the VMS patch release schedule
>> is for Internet based components, there is currently a PHP exploit being
>> discussed (the one involving parameters on the command line) and people
>> are upset that it was sat on for 4 months, which seems to be generally
>> considered an unreasonably large amount of time to wait, which is something
>> I strongly agree with.
>>
>> A patch kit which only now fixes problems which are several years old is
>> absolutely pathetic.
> ^^^^^^^^^^^^^^^^^^^
Don't you mean "Hopelessly Pathetic"?
> sub/absolutely/pathetic/whole and what have you got?
>
> I haven't heard anything WRT several bug reports I've submitted in recent
> months. Two are, for me at least, very annoying and causing me no relief
> from kludgy workarounds.
Are you paying for support? If so, call H-P. If not, you fix it
yourself and you'll find sympathy in your dictionary!