FTP security hole could prompt upgrades

Another security hole, this time affecting the FTP file exchange services which HP recently enhanced for the HP 3000, might prompt customers to upgrade to more recent versions of MPE/iX.

Remote unauthorized users may potentially access privileged data as a result of the FTP problems. HP recommends that customers upgrade to at least the 6.5 version of MPE/iX if they want to use FTP on the HP 3000. Patches FTPGDY7 for 6.5, FTPGDY8 for 7.0, and FTPGDY9 for 7.5 repair the problem.

HP support engineer James Hofmeister noted that the patches generated errors on older MPE/iX releases. Security holes might well force upgrades to newer releases. “For those folks who are homesteaded on unsupported MPE releases, security bulletins and CERT reports of security problems are going to create ongoing opportunities for reevaluation of your homesteading decision,” he said. Security patches to some software that is included with MPE/iX are already available from sources outside HP, however. HP engineer Mark Bixby personally supports some versions of Sendmail for the HP 3000 which HP does not, for example.