[Linux-disciples] HP Tru64 Unix vulnerability

Stephen R Laniel linux-disciples@bostoncoop.net
Fri, 16 Jan 2004 13:49:45 -0500


Any idea whether this SSH/IPSec vulnerability exists in Linux
too?
http://www.infoworld.com/article/04/01/16/HNtru64hole_1.html

(article reproduced below)

It seems short on technical details, and badly written. Maybe
someone can fill in the holes?

Steve

/*
Gaping hole found in HP Tru64 Unix
'Highly critical' vulnerabilities found in both IPsec and SSH
 
By Kieren McCarthy, Techworld.com, January 16, 2004

A massive security hole has been found in Hewlett-Packard Co.'s
(HP) Tru64 Unix operating system, leaving some to wonder how far
the company is willing to go to push Linux.

"Highly critical" vulnerabilities have been found in both IPsec
and SSH -- the programs designed to provide watertight security
for IP data and system commands -- which may allow system access
or a denial of service. In short, the sysadmin's worst fear.

Perhaps fortunately, we don't know any more details about what
the exact vulnerabilities are since it is HP that has issued
patches for the holes (although you will need to be signed up to
its support web site to get at them).

The vaguely good news is that IPsec 2.1.1 and SSH 3.2.2 are not
affected by the vulnerability and you can grab them off HP's
site. The patch reference is T64KIT0020963-V51BB24-ES-20031204.

The timing is somewhat inconvenient though as HP was just
launching into a pro-Linux PR campaign, trying desperately hard
not to be outdone by IBM Corp. in its support for the open-source
OS.

Does revealing a gaping hole in its own Unix offering aid or
hinder that, is what we are pondering.
*/

-- 
``I get the warm and fuzzies hearing about how standards-
  compliant Free software rocks. I don't get them from hearing
  about proprietary, non-standards-compliant software sucks.

  Make me warm and fuzzy, Shlomi.''
 -Peter Whysall on the linux-elitists mailing list,
  http://shorl.com/banafytrarere