Veritas-bu

[Veritas-bu] qualys vulnerability

2007-02-28 13:13:36
Subject: [Veritas-bu] qualys vulnerability
From: StumpB at michigan.gov (Bob Stump)
Date: Wed, 28 Feb 2007 13:13:36 -0500
There is a scanning software provided by "Qualys" that has a problem
but they REFUSE to fix their scanning software. The scanning software
reports the vulnerability discussed in this notice but fails to report
that the proper MP was applied to resolve the vulnerability. This is
what our security group calls a "false positive".  They then require
that paperwork be submitted to negate the "false positive".  I think
the scanning software should be fixed to NOT report a vulnerability, if
the proper resolution has already been applied. Am I wrong?
 
Here is the initial Symantec resolution:
A vulnerability has recently been discovered, which affects the
bpjava-msvc logon process within VERITAS NetBackup (tm) 4.5, 5.0, 5.1,
and 6.0 (including maintenance and feature packs). This vulnerability
could potentially allow remote malicious users to execute arbitrary
code.
http://support.veritas.com/docs/279085
 
The above resolution IS INCLUDED in subsequent maintenance packs.
 
BTW: I asked our security group to contact the source and get it fixed
but they said they had no confidence that the resolution from Symantec
is adequate.
Here is their website:
http://www.qualys.com/products/overview/