Bugtraq mailing list archives

[Security bulletin] SSRT2266 HP Tru64 UNIX IGMP Potential (DoS) Security Vulnerability (fwd)


From: Dave Ahmad <da () securityfocus com>
Date: Tue, 26 Nov 2002 13:16:23 -0700 (MST)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SECURITY BULLETIN: SSRT2266 HP Tru64 UNIX IGMP Potential
                   (DoS) Security Vulnerability

REVISION: 0

NOTICE: There are no restrictions for distribution of this Bulletin
        provided that it remains complete and intact.

RELEASE DATE: 13 November 2002


SEVERITY:  High

SOURCE:  Compaq Computer Corporation,
         a wholly-owned subsidiary of
         Hewlett-Packard Company and
         Hewlett-Packard Company
         HP Services
         Software Security Response Team

REFERENCE:  SSRT2266

PROBLEM SUMMARY:

         This bulletin will be posted to the support
         website within 24 hours of release to -
         http://thenew.hp.com/country/us/eng/support.html
         Use the SEARCH IN feature box, enter SSRT2266 in
         the search window.

   SSRT2266  IGMP  (Severity - High)

   ( IGMP = Internet Group Management Protocol )


   A potential security vulnerability has been identified
   in the HP Tru64 UNIX operating system that may result in
   Denial of Service (DoS). This potential vulnerability
   may be in the form of local and remote security domain
   risks.


VERSIONS IMPACTED:

   HP Tru64 UNIX V5.1A

   HP Tru64 UNIX V5.1

   HP Tru64 UNIX V5.0A

   HP Tru64 UNIX V4.0G

   HP Tru64 UNIX V4.0F

   HP-UX


NOT IMPACTED:

   HP-MPE/ix

   HP NonStop Servers

   HP OpenVMS



RESOLUTION:

   HP-UX
   REF: SSRT2266 IGMP

   HP will provide notice of the availability of any
   necessary solutions through standard security
   bulletin announcements. Solutions will be available
   from your normal HP Services support channel
   and from http://itrc.hp.com



   HP Tru64 UNIX

   Early Release Patches (ERPs) are now available for all
   supported versions of HP Tru64 UNIX. The ERP kits use
   dupatch to install and will not install over any
   Customer Specific Patches (CSPs) which have file
   intersections with the ERPs. Contact your normal support
   channel and request HP Tru64 services elevate a case to
   Support Engineering if a CSP must be merged with one of
   the ERPs.

   Please review the README file for each patch prior to
   installation.


   HP Tru64 UNIX/TruCluster V5.1A:
   Prerequisite: V5.1A with PK3 (BL3) installed
   ERP Kit Name:  T64V51AB3-C0076000-15793-ES-20021025.tar
   Kit Location: ftp://ftp1.support.compaq.com/public/unix/v5.1a/

   HP Tru64 UNIX/TruCluster V5.1:
   Prerequisite: V5.1 with PK5 (BL19) installed
   ERP Kit Name: T64V51B19-C0153600-15796-ES-20021025.tar
   Kit Location: ftp://ftp1.support.compaq.com/public/unix/v5.1/

   HP Tru64 UNIX/TruCluster V5.0A:
   Prerequisite: V5.0A with PK3 (BL17) installed
   ERP Kit Name: T64V50AB17-C0026000-15803-ES-20021025.tar
   Kit Location: ftp://ftp1.support.compaq.com/public/unix/v5.0a/

   HP Tru64 UNIX/TruCluster V4.0G:
   Prerequisite: V4.0G with PK3 (BL17) installed
   ERP Kit Name: T64V40GB17-C0021700-15804-ES-20021025.tar
   Kit Location: ftp://ftp1.support.compaq.com/public/unix/v4.0g/

   HP Tru64 UNIX/TruCluster V4.0F:
   Prerequisite: V4.0F with PK7 (BL18) installed
   ERP Kit Name: DUV40FB18-C0084500-15850-ES-20021030.tar
   Kit Location: ftp://ftp1.support.compaq.com/public/unix/v4.0f/


   Information on how to verify MD5 and SHA1 checksums is
   available at: http://www.support.compaq.com/patches/whats-new.shtml


 After completing the update, HP strongly
 recommends that you perform an immediate backup of
 the system disk so that any subsequent restore operations
 begin with updated software. Otherwise, the updates must
 be re-applied after a future restore operation. Also, if
 at some future time the system is upgraded to a later
 patch release or version release, reinstall the
 appropriate ERP.


SUPPORT:

For further information, contact HP Services.

SUBSCRIBE:

To subscribe to automatically receive future Security Advisories
from the Software Security Response Team via Electronic
mail: http://www.support.compaq.com/patches/mailing-list.shtml


REPORT:

  To report a potential security vulnerability with any HP
  supported product, send email to: security-alert () hp com

  As always, HP urges you to periodically review your system
  management and security procedures. HP will continue to
  review and enhance the security features of its products and
  work with our customers to maintain and improve the security
  and integrity of their systems.

  "HP is broadly distributing this Security Bulletin in order to
  bring to the attention of users of the affected HP products the
  important security information contained in this Bulletin. HP
  recommends that all users determine the applicability of this
  information to their individual situations and take appropriate
  action. HP does not warrant that this information is necessarily
  accurate or complete for all user situations and, consequently,
  HP will not be responsible for any damages resulting from
  user's use or disregard of the information provided in this
  Bulletin."

(c)Copyright 2002 Hewlett-Packard Company.
  Hewlett-Packard Company shall not be liable for technical
  or editorial errors or omissions contained herein. The information
  in this document is subject to change without notice.
  Hewlett-Packard Company and the names of Hewlett-Packard
  products referenced herein are trademarks of Hewlett-Packard
  Company in the United States and other countries. Other product
  and company names mentioned herein may be trademarks of
  their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBPePRhjnTu2ckvbFuEQJ0+wCgpDPoTmqztSd9HvoOp6oWP9T3DboAniCe
6btMqvVZWcnEMdV2fJ8dwpKt
=dmAE
-----END PGP SIGNATURE-----

