[Info-vax] Heads up: multiple exploitable security issues in HP SWS
John Smith (who cares if I'm the one @ HP - if here's even still there)
a at nonymous.com
Mon May 7 11:30:59 EDT 2012
"Simon Clubley" <clubley at remove_me.eisner.decus.org-Earth.UFP> wrote in
message news:jo74u7$rp7$1 at dont-email.me...
> On 2012-05-06, John Smith (who cares if I'm the one @ HP - if here's even
> still there) <a at nonymous.com> wrote:
>>
>> "Simon Clubley" <clubley at remove_me.eisner.decus.org-Earth.UFP> wrote in
>> message news:jmjona$jl9$1 at dont-email.me...
>>> Multiple critical security issues exist in HP's VMS version of Apache.
>>>
>>> PHP related:
>>>
>>> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281867
>>>
>>> Java related:
>>>
>>> http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03281831
>>>
>>> I think the most telling thing about this is that the CVEs date back over
>>> the last several _years_; in Linux land you would generally get a new kit
>>> to fix the latest CVE within a few days.
>>>
>>> So much for this being the "Secure" Web Server.
>>>
>>
>> Simon,
>>
>> It takes time to ship code to India via tramp steamer. Be patient.
>>
>
> This may just be me, but I think it would be better if we focused on the
> issues instead of performing two-dimensional racial stereotyping. As I
> have always said, you can find smart and not so smart people in any
> country and the problem with HP seems to be they have gone for the cheapest
> solution possible. You would have had similar problems if VMS engineering
> had been kept in the US, but the then current VMS team had been replaced
> with cheaper, but far less capable/experienced people.
>
> BTW, to give an example of how out of touch the VMS patch release schedule
> is for Internet based components, there is currently a PHP exploit being
> discussed (the one involving parameters on the command line) and people
> are upset that it was sat on for 4 months, which seems to be generally
> considered an unreasonably large amount of time to wait, which is something
> I strongly agree with.
>
> A patch kit which only now fixes problems which are several years old is
> absolutely pathetic.
It's got nothing to do with stereotyping.
HP has chosen to ship all their VMS support (and dare I say "development")
to India. Fine.
But they've also chosen to put that support on the slow train too, which
seems not to have a direct or fully funded path.
Tramp steamers are ones that people have used when they aren't particularly
concerned about how long it takes to get to a destination but they *are*
concerned about getting there as cheaply as possible.
Hence the analogy sticks, IMHO.