November 2004

Samba sparked an HP 3000 security bulletin

HP announced a rare security bulletin for the HP 3000 at the end of October, one that can affect any site using the latest release of Samba/iX for file sharing on the system. HP 3000s which run Samba 2.2.8a could be inviting remote access to arbitrary files on the server, according to the HP Software Security Response Team. The team routinely rolls out security warnings for HP-UX systems, but the HP 3000 usually only sees an announcement or two per year.

The Samba software on the HP 3000s has caused a security breach in the past, back in 2001. Because Samba came out of the open source community, it’s more prone to being hacked. Not all of Samba’s security holes apply to the HP 3000, however. Buffer overrun attacks don’t work on MPE, for example.

HP posted a fix on its IT Resource Center Web site to close the Samba security hole. HP 3000 sites can log in to the ITRC at itrc.hp.com (you don’t have to be on an HP support contract to do that) and search for the report about security alert CAN-2004-0815. The HP 3000 patches apply only to systems which have upgraded to the 2.2.8a Samba on MPE/iX 6.5, 7.0 and 7.5. Patch numbers are SMBMXR5A for MPE/iX 6.5, SMBMXR5B for MPE/iX 7.0, and SMBMXR5C for MPE/iX 7.5. HP’s notes report that “The vulnerability could allow remote attackers to bypass the specified share restrictions to read, write or to list arbitrary files.”

This summer HP rolled out a new version of 2.2.8a, one that restored performance that the original 2.2.8a had degraded. That summertime release, which was in beta test status, was delivered as patches SMBMXP8A for MPE/iX 6.5, SMBMXP8B for MPE/iX 7.0 and SMBMXP8C for MPE/iX 7.5.

HP’s repair of the security problem installs Samba version 2.2.12. You won’t be able to check the version string afterward to ensure you’ve installed the right version, though. HP says the newest patches won’t change the SMBSTATUS command, which will still report “Samba version 2.2.8a” even after the patching.
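Because the SMBSTATUS banner keeps saying “Samba version 2.2.8a” after the repair, an inventory check that trusts the version string alone will flag patched HP 3000s as still vulnerable. The script below is an added illustration of how a site could reconcile the two signals; it is not HP’s or the NewsWire’s code. The patch IDs and the fixed version (2.2.12) are taken from the bulletin as reported above; the banner wording, the function names and the sample inventory are assumptions constructed for the example.

```python
"""Reconcile an HP 3000 patch inventory with its SMBSTATUS banner for CAN-2004-0815.

Added example, not HP's or the NewsWire's code. Patch IDs and the fixed
Samba version come from the bulletin; everything else here is assumed.
"""
import re

# Fix patches from the bulletin, keyed by MPE/iX release.
FIX_PATCHES = {
    "6.5": "SMBMXR5A",
    "7.0": "SMBMXR5B",
    "7.5": "SMBMXR5C",
}

# The bulletin says the patches apply to sites already on 2.2.8a,
# and that the repair installs 2.2.12.
AFFECTED_VERSION = (2, 2, 8, "a")
FIXED_VERSION = (2, 2, 12)

# Assumed banner shape, modelled on the "Samba version 2.2.8a" text quoted above.
_VERSION_RE = re.compile(r"Samba version (\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_samba_version(banner):
    """Return (major, minor, patch, suffix) from a banner line, or None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix)


def version_claims_fixed(banner):
    """True only when the banner itself reports 2.2.12 or later."""
    v = parse_samba_version(banner)
    return v is not None and v[:3] >= FIXED_VERSION


def assess(mpe_release, installed_patches, smbstatus_banner):
    """Decide whether the share-restriction fix is in place.

    The installed-patch list is authoritative on an HP 3000 because the
    patch does not update the banner; the banner is only trusted when it
    already reports the fixed version.
    """
    wanted = FIX_PATCHES.get(mpe_release)
    if wanted is None:
        return {"fixed": False, "reason": f"no bulletin patch listed for MPE/iX {mpe_release}"}

    version = parse_samba_version(smbstatus_banner)
    patched = wanted.upper() in {p.upper() for p in installed_patches}
    banner_ok = version_claims_fixed(smbstatus_banner)

    if version is None:
        reason = "could not read a Samba version from SMBSTATUS output"
    elif patched and not banner_ok:
        reason = f"{wanted} installed; banner still reports 2.2.8a as the bulletin warns"
    elif patched or banner_ok:
        reason = "fixed version present"
    elif version == AFFECTED_VERSION:
        reason = f"running 2.2.8a without {wanted}"
    else:
        reason = "not on 2.2.8a; bulletin patch set does not apply to this version"

    return {
        "fixed": patched or banner_ok,
        "patch_expected": wanted,
        "patch_installed": patched,
        "banner_claims_fixed": banner_ok,
        "banner_misleading": patched and not banner_ok,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed sample inventory: a 7.5 box that took the summer performance
    # patch and then the security patch, whose banner is unchanged.
    sample_patches = ["SMBMXP8C", "SMBMXR5C"]
    sample_banner = "Samba version 2.2.8a"
    print(assess("7.5", sample_patches, sample_banner))
```

Run it as a script to see the constructed 7.5 case; the result reports the box as fixed while flagging the banner as misleading, which is exactly the state the bulletin describes. Feeding it a 6.5 box with only the summer patch SMBMXP8A yields an unfixed verdict, since that patch restored performance rather than closing the hole.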


Copyright The 3000 NewsWire. All rights reserved