Re: from bugtraq: HP-UX 11.0 /usr/bin/kermit (fwd)

From: Frank da Cruz (fdc_at_columbia.edu)
Date: 05/02/03

    Date: Fri, 2 May 2003 17:42:30 EDT
    To: bt@delfi.lt
    
    

    > I see. The problem is that the latest patch for kermit in HP-UX 11.0 is
    > PHCO_22665. This kermit patch does not increase the version of kermit, it only
    > patches known kermit (v. 6.0.192) vulnerabilities. I have kermit
    > v.6.0.192, shipped with the default HP-UX 11.0 install and patched with the latest HP
    > security patch for it.
    > ...
    > It would be a perfect solution, but most sysadmins do not download newer
    > software from third parties, but patch existing software from the OS
    > vendor. As I mentioned, new kermit versions were released, but AFAIK HP
    > didn't make any patches to upgrade existing ones shipped earlier.
    > ...
    > I meant that patches should be released by HP.
    > ...
    > My point is: I have kermit with the latest HP patches, and it is
    > vulnerable. There are newer C-Kermit releases, but HP has no upgrade patch
    > for it... Did I miss something?
    >
    I submit all new versions of Kermit to HP. I include HP in the
    development and test cycles. They are supposed to update their copies.
    OK, let me try some of the HP-UX systems at:

      http://www.testdrive.hp.com/

    Here's what I find:

     HP-UX spe175 B.11.22 U ia64 rx2600
       C-Kermit 8.0.200, 12 Dec 2001, for HP-UX 11.00
       This one is fairly current - it has the buffer overflow fixes.

     HP-UX spe169 B.11.11 U 9000/800/A500-7X
       C-Kermit 7.0.197, 8 Feb 2000, for HP-UX 11.00
       This one is four years newer than the one you found but
       it is before the buffer overflow fixes.

    I suspect that HP ships newer Kermit versions with newer OS versions, but
    does not issue new Kermit patches for older OS versions. If that is true,
    then you have a point. But:

     . HP probably wants you to upgrade your OS version. They don't want
       to maintain patches for every combination of C-Kermit version and
       HP-UX version.

     . The current version is always available direct from us, for EVERY
       version of HP-UX on EVERY hardware platform. See:

         http://www.columbia.edu/kermit/ck80binaries.html#hp

    - Frank

