
** CRITICAL ** HP System Management Homepage for Windows x86

By downloading, you agree to the terms and conditions of the Hewlett Packard Enterprise Software License Agreement.
Note:  Some software requires a valid warranty, current Hewlett Packard Enterprise support contract, or a license fee.

Type: Software - System Management
Version: 7.2.6.3 (18 Aug 2015)
Operating System(s):
Microsoft Windows Server 2003
File name: cp027468.exe (15 MB)
The System Management Homepage provides a consolidated view for single server management highlighting tightly integrated management functionalities including performance, fault, security, diagnostic, configuration, and software change management.

Upgraded the following components

  • OpenSSL from openssl-1.0.1j to openssl-1.0.1o
  • Curl from curl-7.35.0 to curl-7.43.0

To ensure the integrity of your download, HP recommends verifying your results with this MD5 Checksum value:

e06dadee1842bf0ad62c94aa9e8672d8 cp027468.exe

Reboot Requirement:
Reboot is not required after installation for updates to take effect and hardware stability to be maintained.


Installation:

  1. Download the Smart Component (cpxxxxxx.exe) file to a local directory on the server where you want to install the software.
  2. Change to the directory.
  3. Run the .exe file by double-clicking it. A dialog box will display.
  4. Click the ‘Install’ button to install the SMH.

End User License Agreements:
Hewlett-Packard End User License Agreement


Upgrade Requirement:
Critical - HP requires users update to this version immediately.


Improved security feature

Version:7.6.3.3 (5 Feb 2018)
Fixes

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


Security fixes

Enhancements

Updated the following components:

  • PHP to version 5.6.30

  • Zlib to version 1.2.11

  • Libxslt to version 1.1.32

  • PCRE to version 8.41


Version:7.6.2.1 (25 Sep 2017)
Enhancements

Upgrade Requirement:
Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.

All SMH binaries are now code signed.


  • Updated the following components:

    • PHP to version 5.6.27

    • OpenSSL to version 1.0.2k

    • Apache to version 2.4.25

  • SMH binaries are code signed

  • Improved Security features [Please find more details in the Security Bulletin (ID: HPESBMU03753)]


Version:7.6.1.9 (12 Jul 2017)
Enhancements

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • Updated the following components:

    • PHP to version 5.6.27

    • OpenSSL to version 1.0.2k

    • Apache to version 2.4.25

  • Improved Security features [Please find more details in the Security Bulletin (ID: HPESBMU03753)]


Version:7.6.0.11 (21 Oct 2016)
Fixes

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • Proper handling of malformed Single Sign-On requests and certificates
  • HPE Rebranding changes
Enhancements

  • Updated the following components:

    • PHP to version 5.5.38

    • Curl to version 7.49.1

    • OpenSSL to version 1.0.2h

    • Libxml2 to version libxml2-2.9.4

  • SSL Cipher Suite is set to TLSv1.2 as default

  • Improved Security features [Please find more details in the Security Bulletin (ID: HPSBMU03653)]


Version:7.5.5.6 (4 May 2016)
Enhancements

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • HPE Rebranding
  • Updated the following components:
    • PHP to version 5.5.31
    • Curl to version 7.47.0
    • OpenSSL to version 1.0.2g
    • Libxml2 to version libxml2-2.9.3
  • SSL protocol is now configurable using 'smhconfig' CLI
  • Improved Security features [ Please find more details in the Security Bulletin (ID: HPSBMU03593) ]

Version:7.5.4.3 (1 Apr 2016)
Enhancements

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


The signature hash algorithm of the SMH certificate is upgraded to SHA-2 (SHA-256).


Version:7.5.3.1 (28 Sep 2015)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


Fixed a Japanese localization error in the Insight Agents pages.


Version:7.5.2.4 (1 Oct 2015)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


Improved security features

Enhancements

Updated the following components

  • OpenSSL to version OpenSSL-1.0.2d
  • PHP to version php-5.6.11
  • Curl to version curl-7.42.1

Version:7.5.0.4 (15 Jun 2015)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • Improved Security feature
Enhancements

  • Updated following components
    • OpenSSL to version OpenSSL-1.0.1m
    • PHP to version php-5.5.23

Version:7.4.2.4 (30 Mar 2015)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • Security feature is optimized
Enhancements

  • Verbose logging
  • Simplified Chinese support for configuration information
  • Updated the following components
    • Apache to version 2.4.10

Version:7.4.1.6 (5 Feb 2015)
Fixes

Upgrade Requirement:
Critical - HPE requires users update to this version immediately.


  • Fixed POODLE vulnerability (CVE-2014-3566)
  • Fixed a bug in Single Sign-On (SSO) feature
Enhancements

  • Updated the following components
    • OpenSSL to version OpenSSL-1.0.1j
    • PHP to version PHP-5.5.18
    • Curl to version Curl-7.38.0

Version:7.4.0.12 (9 Sep 2014)
Fixes

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • Improved SMH to use the system resources efficiently.
  • SMH Plugin integration is modified.
Enhancements

  • Updated the following components
    • PHP to version php-5.5.13
    • curl to version curl-7.35.0

Version:7.3.3.1 (19 Jun 2014)
Fixes

Upgrade Requirement:
Critical - HP requires users update to this version immediately.


Patched to address SSL/TLS MITM Vulnerability CVE-2014-0224 (http://www.openssl.org/news/secadv_20140605.txt)


Version:7.3.2.1 (B) (23 Apr 2014)
Fixes

Upgrade Requirement:
Critical - HP requires users update to this version immediately.


  • OpenSSL has been updated to address the security vulnerability communicated in Security Bulletin HPSBMU02998 for CVE-2014-0160 known as “Heartbleed”.
  • Removed support for Microsoft Windows XP and Windows Server 2003 operating systems.

Version:7.3.1.4 (18 Feb 2014)
Enhancements

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • Enabled support of 2048 & 4096 bit certificate for Single Sign-On (SSO).
  • Enabled FQDN (Fully Qualified Domain Name) for the CN (Common Name) field in the self-signed certificate & CSR (Certificate Signing Request).

Version:7.3.0.9 (27 Nov 2013)
Enhancements

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • Enabled Simplified Chinese localization
  • Updated English OLH files
  • Updated the following components:
    • Apache to version 2.4.6
    • Libxml2 to version 2.9.1
    • OpenSSL to version 1.0.1e
    • Curl to version 7.32.0
    • PHP to version 5.5.2
    • zlib to version 1.2.8

Version:7.2.6.3 (18 Aug 2015)
Fixes

Upgrade Requirement:
Critical - HP requires users update to this version immediately.


Improved security feature

Enhancements

Upgraded the following components

  • OpenSSL from openssl-1.0.1j to openssl-1.0.1o
  • Curl from curl-7.35.0 to curl-7.43.0

Version:7.2.5.3 (30 Jan 2015)
Fixes

Upgrade Requirement:
Critical - HP requires users update to this version immediately.


  • Disabled SSLv3 protocol
  • Improved security features
Enhancements

  • Updated the following components
    • OpenSSL to version OpenSSL-1.0.1j
    • Curl to version Curl-7.35.0

Version:7.2.4.1 (19 Jun 2014)
Fixes

Upgrade Requirement:
Critical - HP requires users update to this version immediately.


Patched to address SSL/TLS MITM Vulnerability CVE-2014-0224 (http://www.openssl.org/news/secadv_20140605.txt)


Version:7.2.3.1 (16 Apr 2014)
Fixes

Upgrade Requirement:
Critical - HP requires users update to this version immediately.


Provides fix for CVE-2014-0160.

Enhancements

  • Enabled Simplified Chinese localization
  • Updated English OLH files
  • Updated the following components:
    • Apache to version 2.4.6
    • Libxml2 to version 2.9.1
    • OpenSSL to version 1.0.1g
    • Curl to version 7.32.0
    • PHP to version 5.4.27
    • zlib to version 1.2.8

Version:7.2.2.9 (10 Sep 2013)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


Fixed a security issue that could allow escalation of non-admin privileges to local administrative privileges.

Enhancements

  • Updated the following components:
    • PHP to 5.4.11
    • Libxml2 to 2.9.0
    • Curl to 7.28.1
    • Libxslt to 1.1.28

Version:7.2.1.3 (21 May 2013)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • Security updates (Please refer to the upcoming Security Bulletin for more information)

Version:7.2.0.14 (19 Feb 2013)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • Improved logging on a few Operating Systems
  • Improved login mechanism for some setup scenarios
Enhancements

  • Improvement in Certificate management
  • Added support for the following browsers:
    • Firefox ESR 17.0
    • Internet Explorer 10.0
  • Updated Apache to version 2.4.3
  • Enabled support for Transport Layer Security (TLS) protocol 1.1 / 1.2
  • Improved CLI options for easier management of SMH configurations
  • Secured handling of HTTP communication
  • Improved User Interface for Online Help

Version:7.1.2.3 (26 Oct 2012)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • Improved security features
  • Improved logging on a few Operating Systems
Enhancements

  • Enabled support for the following OS:
    • Windows Server 2012
  • Updated the following components:
    • OpenSSL to version 1.0.1c
    • PHP to version 5.3.14

Version:7.1.1.1 (19 Jun 2012)
Fixes

Upgrade Requirement:
Critical - HPE requires users update to this version immediately.


  • On some non-English Windows Operating Systems, users were unable to log in to SMH 7.1.0. This version resolves the problem.
  • Improved security features of PHP.

Version:7.1.0.17 (4 Jun 2012)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • Improved the handling of the following components:
    • Trust mode during upgrade
    • Group Configuration management during Replicate Agents Settings
    • SMH service management
    • PHP files to avoid crash
    • Webapp configuration files
    • SMH supporting DLLs to avoid version conflicts
  • Updated properties of SMH setup file
     
Enhancements

  • Secured handling of HTTP response
  • Updated the following components:
    • Libxml2 to version 2.7.8
    • PHP to version 5.3.10
    • Curl library to version 7.24.0
    • OpenSSL to version 1.0.0h
  • SMH service runs with managed privileges
  • Enabled support for the following OS:
    • Windows 2008 R2 Sp1 - Server Core
    • Windows Server 8 (Beta)
    • Windows Multipoint Server 2011 for x64
    • Microsoft Windows Small Business Server 2011 for x64, Standard and Essentials
  • Usability of IP restrictions with SMH Command Line Interface
  • Information provided on webapp availability & loading statistics
  • Added support for the following browsers:
    • Firefox 9.0 & 10.0

Version:7.0.0.24 (27 Mar 2012)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • SMH improperly displayed an invalid certificate warning when restarted, even on a fresh install.
  • Uninstalling SMH in some scenarios would inappropriately delete HP registry key.
Enhancements

Added the following features:

  • A command line option to modify the local and state information in the SMH PKCS (Public-Key Cryptography Standards) data
  • Secured handling of HTTP request and response

Added support for the following browsers:

  • Firefox 6.0, 7.0 & 8.0
  • Internet Explorer 9.0

Clarified the log messages

Improved the handling of the following components:

  • Command Line Interface options
  • IP fields
  • Memory resources
  • Revoked trusted certificate
  • SMH configuration file and settings

Improved the following features:

  • CLI options, for easier management of SMH configurations
  • Validation of Kerberos group

Updated the HTTP links

Updated the following elements:

  • Apache to version 2.2.21
  • Curl library to version 7.21.7
  • OpenSSL to version 1.0.0e
  • PHP to version 5.3.8

Version:6.3.1.24 (B) (24 Jan 2012)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • SMH improperly displayed an invalid certificate warning when restarted, even on a fresh install.
  • Uninstalling SMH would unexpectedly delete HP registry key in the following scenarios:
    1. Install SMH x, install IS DVD x+1, uninstall SMH x+1 [SMH x is upgraded to x+1]
    2. Install SMH x, install IS DVD x, uninstall SMH x [IS DVD x will not be (re)installing SMH x]
    3. Install SMH x, install IS DVD x-1, uninstall SMH x [SMH will not be downgraded]

Version:6.3.1.24 (11 Aug 2011)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • SMH improperly displayed an invalid certificate warning when restarted, even on a fresh install.
  • Uninstalling SMH would unexpectedly delete HP registry key in the following scenarios:
    1. Install SMH x, install IS DVD x+1, uninstall SMH x+1 [SMH x is upgraded to x+1]
    2. Install SMH x, install IS DVD x, uninstall SMH x [IS DVD x will not be (re)installing SMH x]
    3. Install SMH x, install IS DVD x-1, uninstall SMH x [SMH will not be downgraded]

Version:6.3.0.22 (18 Feb 2011)
Fixes

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • Proper validation of data passed to the CLI.
  • Proper handling of Presentation mode in User Preferences.
  • Proper handling of settings changes, when configuration file is Read only.
  • Secured handling of HTTP response.
Enhancements

  • CLI to display current settings.
  • Updated PHP component to version 5.3.3.
  • Proper management of SMH self-signed certificate.
  • Consolidated logging API for SMH web applications (plug-ins).
  • Platform specific setup files for Windows x86 & x64.
  • Better handling of installer log.
  • Better handling of Apache startup issue.
  • Enabling Apache Tomcat integration on HP Integrity servers with IPv6 enabled.
  • Changed the default UI Timeout to 120 seconds.

Version:6.2.4.9 (27 Jul 2011)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


Uninstalling SMH would unexpectedly delete HP registry key in the following scenarios:

  1. Install SMH x, install IS DVD x+1, uninstall SMH x+1 [SMH x is upgraded to x+1]
  2. Install SMH x, install IS DVD x, uninstall SMH x [IS DVD x will not be (re)installing SMH x]
  3. Install SMH x, install IS DVD x-1, uninstall SMH x [SMH will not be downgraded]

Version:6.2.3.8 (28 Jan 2011)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.

This release update is recommended for users who are planning to use Insight Remote Support Advanced (IRSA) with SMH 6.2.2 version.

The PHP curl extension bundled in SMH 6.2.2 breaks the Remote Support Configuration Collector (RSCC) UI because of a PHP compatibility issue. This issue is resolved in the current version of the product.


  • Updated php_curl library (curl-7.19.6).

Version:6.2.2.7 (22 Nov 2010)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • Support for servers with multiple Virtual IPs.
Enhancements

  • Updated PHP to version 5.3.3.

Version:6.2.1.14 (10 Sep 2010)
Enhancements

Upgrade Requirement:
Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


  • Optimized memory usage.

Version:6.2.0.13 (8 Sep 2010)
Fixes

Upgrade Requirement:
Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


  • SMH was not displaying all the data on the Home page for anonymous login. This has been fixed.
  • Modified HTML processing.
Enhancements

  • CLI-based configurable logging support in the SMH log.
  • For better auditing, the user name is logged in the access log for SMH login and SMH settings pages.
  • Configuration of SSL Cipher Suite through CLI.
  • Added logging in smhstart and Replicate Agent Settings (RAS).
  • Added logging when SMH security settings are changed.
  • SMH now displays remaining plug-ins even after one of the plug-ins times out.
  • Added "Enable port 2301" option to the SMH installer.
  • The 'System Status' and 'Overall System Summary' tabs on the SMH Home page have been changed to 'Overall System Health Status' and 'Component Status Summary' respectively.
  • Updated the following open source components:
    • Apache 2.2.15
    • PHP 5.2.13
    • OpenSSL 0.9.8n

Version:6.1.0.102 (17 Feb 2010)
Fixes

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • In some cases, the SMH component was seen in Add/Remove Programs even though SMH installation failed. This behavior is fixed.
Enhancements

  • Updated OpenSSL to version 0.9.8l due to security vulnerabilities reported on earlier versions.
  • Updated Namazu to version 2.0.20 due to a security vulnerability reported on version 2.0.18.

Version:6.0.0.96 (4 Nov 2009)
Fixes

  • Fixed a cross-site scripting vulnerability (XSS).
  • Fixed issue with search functionality in SMH help files.
Enhancements

  • smhlogreader command line interface
  • IE8 support
  • Tomcat Windows support using mod_proxy
  • IS2009 support
  • Native x64 bit support

Version:3.0.2.77 (B) (8 Oct 2009)
Fixes

  • Fixed a cross-site scripting vulnerability (XSS).
  • Fixed an issue with search in SMH help.
Enhancements

Support for the following Environments has been added:

  • Microsoft Windows Server 2008 R2 for Itanium-Based Systems
  • Microsoft Windows Server 2008 Itanium

System Management Homepage has no changes to its functionality.

If the target system has previously installed HP SMH version 3.0.2, an upgrade to version 3.0.2 (B) is optional. If the HP Version Control Repository Manager (VCRM) manages a version control repository for your computing environment, then version 3.0.2 (B) must be added to the repository folder to enable VCRM support for the new Environments.

The following enhancement note from version 3.0.2.77 is still applicable to version 3.0.2.77(B).

Enhanced component-level logging has been implemented in the smart component installer. The generated log file will be located on the target system in the %SYSTEMROOT%\cpqsystem\log directory under the name CPQSETUP.LOG.


Version:3.0.2.77 (6 Aug 2009)
Fixes

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • Fixed a cross-site scripting vulnerability (XSS).
  • Fixed an issue with search in SMH help.
Enhancements

Enhanced component-level logging has been implemented in the smart component installer. The generated log file will be located on the target system in the %SYSTEMROOT%\cpqsystem\log directory under the name CPQSETUP.LOG.


Version:3.0.1.73 (6 May 2009)
Fixes

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • Fixed vulnerabilities in PHP and OpenSSL libraries.
  • Fixed a cross-site scripting vulnerability (XSS).
Enhancements

  • Updated PHP and OpenSSL libraries

Version:3.0.0.64 (26 Jan 2009)
Fixes

  • Improved security
Enhancements

  • The component installer has been updated to recognize if it is running within a virtualized guest environment.
  • Session Persistence
  • SIM communication through secure port and support to enable/disable non-secure port (2301)
  • Kerberos authentication support
  • IPv6 support
  • New interface and icons
  • Per-user UI preferences
  • Command line interface for SMH configuration
  • Log localization
  • Apache 2.2.6
  • OpenSSL 0.9.8h
  • PHP 5.2.6
  • libxml2 2.7.2+ (with security patch)

Version:2.1.15.210 (23 Sep 2008)
Fixes

  • Addressed the following vulnerabilities:
    • CVE-2007-6203: Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918.
    • CVE-2008-2939: Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI.
  • Removed an OpenSSL option to avoid a vulnerability.
Enhancements

  • Replaced the link on the desktop icon to use the name 'localhost' instead of the IP loopback '127.0.0.1'
  • Added support to use COM objects in PHP code

Version:2.1.14.204 (9 Jul 2008)
Fixes

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • Newly implemented solution to prevent the WMI service from locking the SMH service

Version:2.1.12.201 (16 May 2008)
Fixes

  • Fixed issue in the httpd library triggered by user logoff on the local system
  • Fixed issue when running SMH on Windows XP in the presence of Performance Management Pack
  • Handled the situation where the WMI service locks the SMH service
  • Fixed a cross-site scripting vulnerability (XSS)


Version:2.1.11.197(A) (11 Feb 2008)
Fixes

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


Addressed the following vulnerabilities:

  • CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144.
  • CVE-2007-3304: prefork, worker MPMs: Ensure that the parent process cannot be forced to kill processes outside its process group.
  • CVE-2007-5135: Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7l and 0.9.8d might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow.
  • CVE-2007-3108: The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.
  • CVE-2007-6203: Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918.
  • CVE-2007-4657: Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, allow remote attackers to obtain sensitive information (memory contents) or cause a denial of service (thread crash) via a large len value to the (1) strspn or (2) strcspn function, which triggers an out-of-bounds read.
  • CVE-2007-3998: The wordwrap function in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, does not properly use the breakcharlen variable, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash, or infinite loop) via certain arguments, as demonstrated by a 'chr(0), 0, ""' argument set.

Enhancements

Updated OpenSSL, httpd and PHP libraries.


Version:2.1.10.186 (C) (29 Jan 2008)
Fixes

Addressed the following vulnerabilities:

  • CVE-2007-1717: The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte, which might allow context-dependent attackers to prevent intended information from being delivered in e-mail messages. NOTE: this issue might be security-relevant in cases when the trailing contents of e-mail messages are important, such as logging information or if the message is expected to be well-formed.
  • CVE-2007-1711: Double free vulnerability in the unserializer in PHP 4.4.5 and 4.4.6 allows context-dependent attackers to execute arbitrary code by overwriting variables pointing to (1) the GLOBALS array or (2) the session data in _SESSION. NOTE: this issue was introduced when attempting to patch CVE-2007-1701 (MOPB-31-2007).
  • CVE-2007-1583: The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.
  • CVE-2007-1582: The resource system in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting certain functions in the GD (ext/gd) extension and unspecified other extensions via a userspace error handler, which can be used to destroy and modify internal resources.
  • CVE-2007-1001: Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.
Enhancements

This version only contains a change to an internal component, cpqstub.exe, which was updated to a newer version. System Management Homepage has undergone no changes to its functionality.

The following enhancement note from version 2.1.10.186 is still applicable to version 2.1.10.186(B).

  • Updated PHP libraries.

Version:2.1.10.186 (B) (21 Sep 2007)
Fixes

Addressed the following vulnerabilities:

  • CVE-2007-1717: The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte, which might allow context-dependent attackers to prevent intended information from being delivered in e-mail messages. NOTE: this issue might be security-relevant in cases when the trailing contents of e-mail messages are important, such as logging information or if the message is expected to be well-formed.
  • CVE-2007-1711: Double free vulnerability in the unserializer in PHP 4.4.5 and 4.4.6 allows context-dependent attackers to execute arbitrary code by overwriting variables pointing to (1) the GLOBALS array or (2) the session data in _SESSION. NOTE: this issue was introduced when attempting to patch CVE-2007-1701 (MOPB-31-2007).
  • CVE-2007-1583: The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.
  • CVE-2007-1582: The resource system in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting certain functions in the GD (ext/gd) extension and unspecified other extensions via a userspace error handler, which can be used to destroy and modify internal resources.
  • CVE-2007-1001: Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.
Enhancements

This version only contains a change to the component xml file. System Management Homepage has undergone no changes to its functionality. If you are running Microsoft Windows Server 2000 and you are using HP Version Control Repository Manager, you should upgrade to this component. Otherwise, no upgrade is recommended.

The following enhancement note from version 2.1.10.186 is still applicable to version 2.1.10.186(B).

  • Updated PHP libraries.

Version:2.1.10.186 (5 Sep 2007)
Fixes

Addressed the following vulnerabilities:

  • CVE-2007-1717: The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte, which might allow context-dependent attackers to prevent intended information from being delivered in e-mail messages. NOTE: this issue might be security-relevant in cases when the trailing contents of e-mail messages are important, such as logging information or if the message is expected to be well-formed.
  • CVE-2007-1711: Double free vulnerability in the unserializer in PHP 4.4.5 and 4.4.6 allows context-dependent attackers to execute arbitrary code by overwriting variables pointing to (1) the GLOBALS array or (2) the session data in _SESSION. NOTE: this issue was introduced when attempting to patch CVE-2007-1701 (MOPB-31-2007).
  • CVE-2007-1583: The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.
  • CVE-2007-1582: The resource system in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting certain functions in the GD (ext/gd) extension and unspecified other extensions via a userspace error handler, which can be used to destroy and modify internal resources.
  • CVE-2007-1001: Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.
Enhancements

Updated PHP libraries.


    Version:2.1.8.179 (14 May 2007)
    Enhancements

    Updated PHP libraries.

    Addressed the following vulnerabilities:

    • CVE-2007-1710 - The readfile function in PHP 4.4.4, 5.1.6, and 5.2.1 allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files by referring to local files with a certain URL syntax instead of a pathname syntax, as demonstrated by a filename preceded by a "php://../../" sequence.
    • CVE-2007-1286 - Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.
    • CVE-2006-4625 - PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allows local users to bypass certain Apache HTTP Server httpd.conf options, such as safe_mode and open_basedir, via the ini_restore function, which resets the values to their php.ini (Master Value) defaults.
    • CVE-2007-1884 - Multiple integer signedness errors in the printf function family in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 on 64 bit machines allow context-dependent attackers to execute arbitrary code via (1) certain negative argument numbers that arise in the php_formatted_print function because of 64 to 32 bit truncation, and bypass a check for the maximum allowable value; and (2) a width and precision of -1, which make it possible for the php_sprintf_appendstring function to place an internal buffer at an arbitrary memory location.
    • CVE-2007-1885 - Integer overflow in the str_replace function in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows context-dependent attackers to execute arbitrary code via a single character search string in conjunction with a long replacement string, which overflows a 32 bit length counter. NOTE: this is probably the same issue as CVE-2007-0906.6.
    • CVE-2007-1701 - PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".
    • CVE-2007-1700 - The session extension in PHP 4 before 4.4.5, and PHP 5 before 5.2.1, calculates the reference count for the session variables without considering the internal pointer from the session globals, which allows context-dependent attackers to execute arbitrary code via a crafted string in the session_register after unsetting HTTP_SESSION_VARS and _SESSION, which destroys the session data Hashtable.
    • CVE-2007-1380 - The php_binary serialization handler in the session extension in PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent attackers to obtain sensitive information (memory contents) via a serialized variable entry with a large length value, which triggers a buffer over-read.
    • CVE-2007-0988 - The zend_hash_init function in PHP 5 before 5.2.1 and PHP 4 before 4.4.5, when running on a 64-bit platform, allows context-dependent attackers to cause a denial of service (infinite loop) by unserializing certain integer expressions, which only cause 32-bit arguments to be used after the check for a negative value, as demonstrated by an "a:2147483649:{" argument.
    • CVE-2007-1886 - Integer overflow in the str_replace function in PHP 4.4.5 and PHP 5.2.1 allows context-dependent attackers to have an unknown impact via a single character search string in conjunction with a single character replacement string, which causes an "off by one overflow."
    • CVE-2007-1835 - PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session save path (session.save_path), uses the TMPDIR default after checking the restrictions, which allows local users to bypass open_basedir restrictions.

     


    Version:2.1.7.168 (16 Jan 2007)
    Fixes

    Addressed the following vulnerabilities:

    • CVE-2006-2937: OpenSSL 0.9.7 before 0.9.7l, and 0.9.8 before 0.9.8d, allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.
    • CVE-2006-2940: OpenSSL 0.9.7 before 0.9.7l, and 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification.
    • CVE-2006-3738: Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, and 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers.
    • CVE-2006-4343: The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, and 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.
    • CVE-2006-4339: OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS#1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.
    • CVE-2006-3747: Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.
    Enhancements
    Updated OpenSSL and PHP libraries.

    Version:2.1.6.156 (15 Dec 2006)
    Enhancements
    Added "Back" button support to the User Interface.

    Addressed the following vulnerabilities:

    • CVE-2005-3357: mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost with access control and a custom error 400 error page, allows remote attackers to cause a denial of service (application crash) via a non-SSL request to an SSL port, which triggers a NULL pointer dereference.
    • CVE-2005-3352: Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps.

    Version:2.1.5.146 (B) (28 Apr 2006)
    Fixes
    Modified the component pre-configuration form to allow the backslash character in the "Group Name" field of the "Operating System Groups" page.

    Version:2.1.5.146 (13 Apr 2006)
    Enhancements
    Added the following security update:
    • A potential directory traversal vulnerability has been identified and resolved.
    • Updated PHP security
    Added operating system support to include:
    • Windows Server 2003 R2
    Added browser support to include:
    • Mozilla 1.7
    • Firefox 1.5.1
    Component installer was enhanced to leave the component XML file (cpxxxxxx.xml) in a known location (%SystemDrive%\CPQSYSTEM\) so the HP Management and Version Control agents can retrieve information about the installed components on the server.

    Version:2.1.4.143 (26 Jan 2006)
    Enhancements
    Updated OpenSSL library to version 0.9.7i.

    Updates & patches for the following potential vulnerabilities associated with System Management Homepage have been added. The vulnerabilities are identified by the following candidates for common vulnerabilities and exposures:

    • CAN-2005-2969 - The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack (SSL v2.0 Rollback vulnerability).
    • CAN-2005-2728 - The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.
    • CAN-2005-2088 - Apache 2.0.45 and 1.3.29, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
    • CAN-2005-2700 - ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote attackers to bypass intended access restrictions.
    • CAN-2005-1268 - Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.
    • CAN-2005-2491 - Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.
    • CAN-2005-3353 - The exif_read_data function in the Exif module in PHP before 4.4.1 allows remote attackers to cause a denial of service (infinite loop) via a malformed JPEG image.
    • CAN-2005-3388 - Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a "stacked array assignment."
    • CAN-2005-3389 - The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the register_globals directive via inputs that cause a request to be terminated due to the memory_limit setting, which causes PHP to set an internal flag that enables register_globals and allows attackers to exploit vulnerabilities in PHP applications that would otherwise be protected.
    • CAN-2005-3390 - The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when register_globals is enabled, allows remote attackers to modify the GLOBALS array and bypass security protections of PHP applications via a multipart/form-data POST request with a "GLOBALS" fileupload field.
    Additionally, the SSLv2 protocol can now be selectively configured and is disabled by default. It can be enabled by adding False in the XML configuration file.

    Version:2.1.3.132 (21 Sep 2005)
    Fixes
    Resolved the following:
    • IP Binding issue wherein Windows systems with System Management Homepage 2.1.0 or 2.1.2 installed, which have more than one IP address assigned to any of the system's network adapters, will only recognize one IP address per adapter.
    • Smart Component pre-configuration issue wherein, if IP Restriction is checked but no addresses are entered, System Management Homepage installation fails.
    • Smart Component issue that appeared in System Management Homepage 2.1.2, in which updating from System Management Homepage 2.1.0 using a pre-configured Windows component resulted in a loss of configuration.

    Version:2.1.2.127 (9 Sep 2005)
    Enhancements
    Added log rotation feature under Windows to better manage System Management Homepage logs.

    Addressed a Cross Site Scripting (XSS) issue in this release.


    Version:2.1.0.121 (15 Jul 2005)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    Corrected the following:

    • NIC teaming in Windows environments, to always complete IP address information.
    • Windows registry to properly update the System Management Homepage installer version.
    Enhancements

    Added the following:

    • Access support for the Power Users group for Windows platforms.
    • Support for managed systems running IPF.
    • Operating system support for new Windows platforms.
    Modified the System Management Homepage installer to remove Java dependencies.

    Version:2.0.2.106 (25 Apr 2005)
    Enhancements
    Added the following:
    • Japanese Language Kit

    Version:2.0.1.104 (14 Feb 2005)
    Fixes
    Resolved issue with SmartStart install on Microsoft Windows 2000 - Small Business.

    Type: Software - System Management
    Version: 7.2.6.3(18 Aug 2015)
    Operating System(s):
    Microsoft Windows Server 2003
    Microsoft Windows Server 2008 W32

    Description

    The System Management Homepage provides a consolidated view for single server management highlighting tightly integrated management functionalities including performance, fault, security, diagnostic, configuration, and software change management.

    Enhancements

    Upgraded the following components

    • OpenSSL from openssl-1.0.1j to openssl-1.0.1o
    • Curl from curl-7.35.0 to curl-7.43.0

    Installation Instructions

    To ensure the integrity of your download, HP recommends verifying your results with this MD5 Checksum value:

    e06dadee1842bf0ad62c94aa9e8672d8 cp027468.exe

    Reboot Requirement:
    Reboot is not required after installation for updates to take effect and hardware stability to be maintained.


    Installation:

    1. Download the Smart Component (cpxxxxxx.exe) file to a local directory on the server where you want to install the software.
    2. Change to the directory.
    3. Run the .exe file by double-clicking it. A dialog box will display.
    4. Click the ‘Install’ button to install the SMH.
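The four installation steps above amount to "verify the checksum, then run the package". The following PowerShell script is an added example, not HPE's own tooling; it automates that sequence for the cp027468.exe Smart Component using the MD5 value published on this page. The download path under $env:TEMP is an assumption, and the optional Authenticode check is an extra safeguard this page does not itself describe (the revision history only notes that SMH binaries are code signed from 7.6.2.1 onward), so it is reported rather than enforced unless you pass -RequireSignature.

```powershell
# Added example (not HPE's own script): verify a Smart Component's MD5
# checksum before launching it, and refuse to run the installer on mismatch.
# The MD5 and file name are the values published on the download page;
# the download directory is an assumption.
$ExpectedMd5 = 'e06dadee1842bf0ad62c94aa9e8672d8'
$Package     = Join-Path $env:TEMP 'cp027468.exe'   # assumed download location

function Test-SmartComponentChecksum {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedMd5
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Package not found: $Path"
    }
    # Get-FileHash ships with Windows PowerShell 4.0+ and PowerShell 7.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    # Case-insensitive compare: the page prints lowercase, Get-FileHash uppercase.
    return ($actual -ieq $ExpectedMd5)
}

function Install-SmartComponent {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedMd5,
        [switch]$RequireSignature
    )
    if (-not (Test-SmartComponentChecksum -Path $Path -ExpectedMd5 $ExpectedMd5)) {
        # MD5 catches a corrupted or truncated download; stop here and re-download
        # from the vendor site rather than installing an unverified package.
        Write-Error "MD5 mismatch for $Path; installer not started."
        return $false
    }

    # MD5 is not collision-resistant, so also look at the Authenticode signature.
    # Whether this particular package is signed is not stated on the page, so the
    # result is informational unless -RequireSignature is given.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Host ("Authenticode status: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)
    if ($RequireSignature -and $sig.Status -ne 'Valid') {
        Write-Error "Signature status is '$($sig.Status)'; installer not started."
        return $false
    }

    # Equivalent of step 3 (double-click): the Smart Component shows its own
    # dialog, where step 4 (clicking 'Install') is still done interactively.
    Start-Process -FilePath $Path -Wait
    return $true
}

Install-SmartComponent -Path $Package -ExpectedMd5 $ExpectedMd5
```

Run the script from an elevated PowerShell session on the target server; it exits before Start-Process whenever the hash does not match, which is the behaviour a change-control process should require rather than leaving the comparison to a visual check.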

    Release Notes

    End User License Agreements:
    Hewlett-Packard End User License Agreement


    Upgrade Requirement:
    Critical - HP requires users update to this version immediately.


    Fixes

    Upgrade Requirement:
    Critical - HP requires users update to this version immediately.


    Improved security feature

    Revision History

    Version:7.6.3.3 (5 Feb 2018)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    Security fixes

    Enhancements

    Updated the following components:

    • PHP to version 5.6.30

    • Zlib to version 1.2.11

    • Libxslt to version 1.1.32

    • PCRE to version 8.41


    Version:7.6.2.1 (25 Sep 2017)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.

    All SMH binaries are now code signed.


    • Updated the following components:

      • PHP to version 5.6.27

      • OpenSSL to version 1.0.2k

      • Apache to version 2.4.25

    • SMH binaries are code signed

    • Improved Security features [Please find more details in the Security Bulletin (ID: HPESBMU03753)]


    Version:7.6.1.9 (12 Jul 2017)
    Enhancements

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • Updated the following components:

      • PHP to version 5.6.27

      • OpenSSL to version 1.0.2k

      • Apache to version 2.4.25

    • Improved Security features [Please find more details in the Security Bulletin (ID: HPESBMU03753)]


    Version:7.6.0.11 (21 Oct 2016)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • Proper handling of malformed Single Sign-On requests and certificates
    • HPE Rebranding changes
    Enhancements

    • Updated the following components:

      • PHP to version 5.5.38

      • Curl to version 7.49.1

      • OpenSSL to version 1.0.2h

      • Libxml2 to version libxml2-2.9.4

    • TLSv1.2 is now the default SSL/TLS protocol setting

    • Improved Security features [Please find more details in the Security Bulletin (ID: HPSBMU03653)]


    Version:7.5.5.6 (4 May 2016)
    Enhancements

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • HPE Rebranding
    • Updated the following components:
      • PHP to version 5.5.31
      • Curl to version 7.47.0
      • OpenSSL to version 1.0.2g
      • Libxml2 to version libxml2-2.9.3
    • SSL protocol is now configurable using 'smhconfig' CLI
    • Improved Security features [ Please find more details in the Security Bulletin (ID: HPSBMU03593) ]

    Version:7.5.4.3 (1 Apr 2016)
    Enhancements

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    The signature hash algorithm of the SMH certificate has been upgraded to SHA-2 (SHA-256).


    Version:7.5.3.1 (28 Sep 2015)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    Fixed a Japanese localization error in the Insight agents pages.


    Version:7.5.2.4 (1 Oct 2015)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    Improved security features

    Enhancements

    Updated the following components

    • OpenSSL to version OpenSSL-1.0.2d
    • PHP to version php-5.6.11
    • Curl to version curl-7.42.1

    Version:7.5.0.4 (15 Jun 2015)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • Improved Security feature
    Enhancements

    • Updated the following components
      • OpenSSL to version OpenSSL-1.0.1m
      • PHP to version php-5.5.23

    Version:7.4.2.4 (30 Mar 2015)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • Security feature is optimized
    Enhancements

    • Verbose logging
    • Simplified Chinese support for configuration information
    • Updated the following components
      • Apache to version 2.4.10

    Version:7.4.1.6 (5 Feb 2015)
    Fixes

    Upgrade Requirement:
    Critical - HPE requires users update to this version immediately.


    • Fixed POODLE vulnerability (CVE-2014-3566)
    • Fixed a bug in Single Sign-On (SSO) feature
    Enhancements

    • Updated the following components
      • OpenSSL to version OpenSSL-1.0.1j
      • PHP to version PHP-5.5.18
      • Curl to version Curl-7.38.0

    Version:7.4.0.12 (9 Sep 2014)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • Improved SMH to use the system resources efficiently.
    • SMH Plugin integration is modified.
    Enhancements

    • Updated the following components
      • PHP to version php-5.5.13
      • curl to version curl-7.35.0

    Version:7.3.3.1 (19 Jun 2014)
    Fixes

    Upgrade Requirement:
    Critical - HP requires users update to this version immediately.


    Patched to address SSL/TLS MITM Vulnerability CVE-2014-0224 (http://www.openssl.org/news/secadv_20140605.txt)


    Version:7.3.2.1 (B) (23 Apr 2014)
    Fixes

    Upgrade Requirement:
    Critical - HP requires users update to this version immediately.


    • OpenSSL has been updated to address the security vulnerability communicated in Security Bulletin HPSBMU02998 for CVE-2014-0160 known as “Heartbleed”.
    • Removed support for Microsoft Windows XP and Windows Server 2003 operating systems.

    Version:7.3.1.4 (18 Feb 2014)
    Enhancements

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • Enabled support of 2048 & 4096 bit certificate for Single Sign-On (SSO).
    • Enabled FQDN (Fully Qualified Domain Name) for the CN (Common Name) field in the self-signed certificate & CSR (Certificate Signing Request).

    Version:7.3.0.9 (27 Nov 2013)
    Enhancements

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • Enabled Simplified Chinese localization
    • Updated English OLH files
    • Updated the following components:
      • Apache to version 2.4.6
      • Libxml2 to version 2.9.1
      • OpenSSL to version 1.0.1e
      • Curl to version 7.32.0
      • PHP to version 5.5.2
      • zlib to version 1.2.8

    Version:7.2.6.3 (18 Aug 2015)
    Fixes

    Upgrade Requirement:
    Critical - HP requires users update to this version immediately.


    Improved security feature

    Enhancements

    Upgraded the following components

    • OpenSSL from openssl-1.0.1j to openssl-1.0.1o
    • Curl from curl-7.35.0 to curl-7.43.0

    Version:7.2.5.3 (30 Jan 2015)
    Fixes

    Upgrade Requirement:
    Critical - HP requires users update to this version immediately.


    • Disabled SSLv3 protocol
    • Improved security features
    Enhancements

    • Updated the following components
      • OpenSSL to version OpenSSL-1.0.1j
      • Curl to version Curl-7.35.0

    Version:7.2.4.1 (19 Jun 2014)
    Fixes

    Upgrade Requirement:
    Critical - HP requires users update to this version immediately.


    Patched to address SSL/TLS MITM Vulnerability CVE-2014-0224 (http://www.openssl.org/news/secadv_20140605.txt)


    Version:7.2.3.1 (16 Apr 2014)
    Fixes

    Upgrade Requirement:
    Critical - HP requires users update to this version immediately.


    Provides fix for CVE-2014-0160.

    Enhancements

    • Enabled Simplified Chinese localization
    • Updated English OLH files
    • Updated the following components:
      • Apache to version 2.4.6
      • Libxml2 to version 2.9.1
      • OpenSSL to version 1.0.1g
      • Curl to version 7.32.0
      • PHP to version 5.4.27
      • zlib to version 1.2.8

    Version:7.2.2.9 (10 Sep 2013)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    Fixed a security issue that could allow escalation of non-admin privileges to local administrative privileges.

    Enhancements

    • Updated the following components:
      • PHP to 5.4.11
      • Libxml2 to 2.9.0
      • Curl to 7.28.1
      • Libxslt to 1.1.28

    Version:7.2.1.3 (21 May 2013)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • Security updates (please refer to the upcoming Security Bulletin for more information)

    Version:7.2.0.14 (19 Feb 2013)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • Improved logging on some operating systems
    • Improved login mechanism for some setup scenarios
    Enhancements

    • Improvement in Certificate management
    • Added support for the following browsers:
      • Firefox ESR 17.0
      • Internet Explorer 10.0
    • Updated Apache to version 2.4.3
    • Enabled support for Transport Layer Security (TLS) protocol versions 1.1 and 1.2
    • Improved CLI options for easier management of SMH configurations
    • Secured handling of HTTP communication
    • Improved User Interface for Online Help

    Version:7.1.2.3 (26 Oct 2012)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • Improved security features
    • Improved logging on some operating systems
    Enhancements

    • Enabled support for the following OS:
      • Windows Server 2012
    • Updated the following components:
      • OpenSSL to version 1.0.1c
      • PHP to version 5.3.14

    Version:7.1.1.1 (19 Jun 2012)
    Fixes

    Upgrade Requirement:
    Critical - HPE requires users update to this version immediately.


    • On some non-English Windows operating systems, users were unable to log in to SMH 7.1.0. This version resolves that problem.
    • Improved security features of PHP.

    Version:7.1.0.17 (4 Jun 2012)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • Improved the handling of the following components:
      • Trust mode during upgrade
      • Group Configuration management during Replicate Agents Settings
      • SMH service management
      • PHP files to avoid crash
      • Webapp configuration files
      • SMH supporting DLLs to avoid version conflicts
    • Updated properties of SMH setup file
       
    Enhancements

    • Secured handling of HTTP response
    • Updated the following components:
      • Libxml2 to version 2.7.8
      • PHP to version 5.3.10
      • Curl library to version 7.24.0
      • OpenSSL to version 1.0.0h
    • SMH service runs with managed privileges
    • Enabled support for the following OS:
      • Windows 2008 R2 Sp1 - Server Core
      • Windows Server 8 (Beta)
      • Windows Multipoint Server 2011 for x64
      • Microsoft Windows Small Business Server 2011 for x64, Standard and Essentials
    • Usability of IP restrictions with SMH Command Line Interface
    • Information provided on webapp availability & loading statistics
    • Added support for the following browsers:
      • Firefox 9.0 & 10.0

    Version:7.0.0.24 (27 Mar 2012)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • SMH improperly displayed an invalid certificate warning when restarted, even on a fresh install.
    • Uninstalling SMH in some scenarios would inappropriately delete HP registry key.
    Enhancements

    Added the following features:

    • A command line option to modify the local and state information in the SMH PKCS (Public-Key Cryptography Standards) data
    • Secured handling of HTTP request and response

    Added support for the following browsers:

    • Firefox 6.0, 7.0 & 8.0
    • Internet Explorer 9.0

    Clarified the log messages

    Improved the handling of the following components:

    • Command Line Interface options
    • IP fields
    • Memory resources
    • Revoked trusted certificate
    • SMH configuration file and settings

    Improved the following features:

    • CLI options, for easier management of SMH configurations
    • Validation of Kerberos group

    Updated the HTTP links

    Updated the following elements:

    • Apache to version 2.2.21
    • Curl library to version 7.21.7
    • OpenSSL to version 1.0.0e
    • PHP to version 5.3.8

    Version:6.3.1.24 (B) (24 Jan 2012)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • SMH improperly displayed an invalid certificate warning when restarted, even on a fresh install.
    • Uninstalling SMH would unexpectedly delete HP registry key in the following scenarios:
      1. Install SMH x, install IS DVD x+1, uninstall SMH x+1 [SMH x is upgraded to x+1]
      2. Install SMH x, install IS DVD x, uninstall SMH x [IS DVD x will not be (re)installing SMH x]
      3. Install SMH x, install IS DVD x-1, uninstall SMH x [SMH will not be downgraded]

    Version:6.3.1.24 (11 Aug 2011)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • SMH improperly displayed an invalid certificate warning when restarted, even on a fresh install.
    • Uninstalling SMH would unexpectedly delete HP registry key in the following scenarios:
      1. Install SMH x, install IS DVD x+1, uninstall SMH x+1 [SMH x is upgraded to x+1]
      2. Install SMH x, install IS DVD x, uninstall SMH x [IS DVD x will not be (re)installing SMH x]
      3. Install SMH x, install IS DVD x-1, uninstall SMH x [SMH will not be downgraded]

    Version:6.3.0.22 (18 Feb 2011)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • Proper validation of data, passed to CLI.
    • Proper handling of Presentation mode in User Preferences.
    • Proper handling of settings changes, when configuration file is Read only.
    • Secured handling of HTTP response.
    Enhancements

    • CLI to display current settings.
    • Updated PHP component to version 5.3.3.
    • Proper management of SMH self-signed certificate.
    • Consolidated logging API for SMH web applications (plug-ins).
    • Platform specific setup files for Windows x86 & x64.
    • Better handling of installer log.
    • Better handling of Apache startup issue.
    • Enabled Apache Tomcat integration on HP Integrity servers with IPv6 enabled.
    • Changed the default UI Timeout to 120 seconds.

    Version:6.2.4.9 (27 Jul 2011)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    Uninstalling SMH would unexpectedly delete HP registry key in the following scenarios:

    1. Install SMH x, install IS DVD x+1, uninstall SMH x+1 [SMH x is upgraded to x+1]
    2. Install SMH x, install IS DVD x, uninstall SMH x [IS DVD x will not be (re)installing SMH x]
    3. Install SMH x, install IS DVD x-1, uninstall SMH x [SMH will not be downgraded]

    Version:6.2.3.8 (28 Jan 2011)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.

    This release is recommended for users who plan to use Insight Remote Support Advanced (IRSA) with SMH version 6.2.2.

    The PHP curl extension bundled in SMH 6.2.2 breaks the Remote Support Configuration Collector (RSCC) UI because of a PHP compatibility issue. This issue is resolved in the current version of the product.


    • Updated php_curl library (curl-7.19.6).

    Version:6.2.2.7 (22 Nov 2010)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • Support for servers with multiple Virtual IPs.
    Enhancements

    • Updated PHP to version 5.3.3.

    Version:6.2.1.14 (10 Sep 2010)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    • Optimized memory usage.

    Version:6.2.0.13 (8 Sep 2010)
    Fixes

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    • SMH was not displaying all the data on the Home page for anonymous logins. This has been fixed.
    • Modified HTML processing.
    Enhancements

    • CLI-based configurable logging support for the SMH log.
    • For better auditing, the user name is logged in the access log for the SMH login and SMH settings pages.
    • Configuration of the SSL cipher suite through the CLI.
    • Added logging in smhstart and Replicate Agent Settings (RAS).
    • Added logging when SMH security settings are changed.
    • SMH now displays the remaining plug-ins even after one of the plug-ins times out.
    • Added an "Enable port 2301" option to the SMH installer.
    • The 'System Status' and 'Overall System Summary' tabs on the SMH Home page have been renamed 'Overall System Health Status' and 'Component Status Summary' respectively.
    • Updated the following open source components:
      - Apache 2.2.15
      - PHP 5.2.13
      - OpenSSL 0.9.8n

    Version:6.1.0.102 (17 Feb 2010)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • In some cases, the SMH component appeared in Add/Remove Programs even though the SMH installation had failed. This behavior is fixed.
    Enhancements

    • Updated OpenSSL to version 0.9.8l due to security vulnerabilities reported in earlier versions.
    • Updated Namazu to version 2.0.20 due to a security vulnerability reported in version 2.0.18.

    Version:6.0.0.96 (4 Nov 2009)
    Fixes
    • Fixed a cross-site scripting (XSS) vulnerability.

    • Fixed an issue with the search functionality in the SMH help files.

    Enhancements
    • smhlogreader command line interface
    • IE8 support
    • Tomcat Windows support using mod_proxy
    • IS2009 support
    • Native x64 support

    Version:3.0.2.77 (B) (8 Oct 2009)
    Fixes
    • Fixed a cross-site scripting (XSS) vulnerability.

    • Fixed an issue with search in SMH help.

    Enhancements

    Support for the following Environments has been added:

    • Microsoft Windows Server 2008 R2 for Itanium-Based Systems
    • Microsoft Windows Server 2008 Itanium

    System Management Homepage has no changes to its functionality.

    If the target system already has HP SMH version 3.0.2 installed, an upgrade to version 3.0.2 (B) is optional. If the HP Version Control Repository Manager (VCRM) manages a version control repository for your computing environment, then version 3.0.2 (B) must be added to the repository folder to enable VCRM support for the new environments.

    The following enhancement note from version 3.0.2.77 still applies to version 3.0.2.77 (B).

    Enhanced component-level logging has been implemented in the Smart Component installer. The generated log file is located on the target system in the %SYSTEMROOT%\cpqsystem\log directory under the name CPQSETUP.LOG.


    Version:3.0.2.77 (6 Aug 2009)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • Fixed a cross-site scripting (XSS) vulnerability.

    • Fixed an issue with search in SMH help.

    Enhancements

    Enhanced component-level logging has been implemented in the Smart Component installer. The generated log file is located on the target system in the %SYSTEMROOT%\cpqsystem\log directory under the name CPQSETUP.LOG.


    Version:3.0.1.73 (6 May 2009)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • Fixed vulnerabilities in the PHP and OpenSSL libraries.

    • Fixed a cross-site scripting (XSS) vulnerability.

    Enhancements

    • Updated PHP and OpenSSL libraries

    Version:3.0.0.64 (26 Jan 2009)
    Fixes
    • Improved security
    Enhancements
    • The component installer has been updated to recognize if it is running within a virtualized guest environment.
    • Session Persistence
    • SIM communication through secure port and support to enable/disable non-secure port (2301)
    • Kerberos authentication support
    • IPv6 support
    • New interface and icons
    • Per-user UI preferences
    • Command line interface for SMH configuration
    • Log localization
    • Apache 2.2.6
    • OpenSSL 0.9.8h
    • PHP 5.2.6
    • libxml2 2.7.2+ (with security patch)

    Version:2.1.15.210 (23 Sep 2008)
    Fixes
    • Addressed the following vulnerabilities:

      • CVE-2007-6203: Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918.

      • CVE-2008-2939: Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI.

      • Removed an OpenSSL option to avoid a vulnerability.

    Enhancements
    • Replaced the link on the desktop icon to use the name 'localhost' instead of the loopback IP '127.0.0.1'.
    • Added support for using COM objects in PHP code.

    Version:2.1.14.204 (9 Jul 2008)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • Newly implemented solution to prevent the WMI service from locking the SMH service.

    Version:2.1.12.201 (16 May 2008)
    Fixes
    • Fixed an issue in the httpd library triggered by user logoff on the local system.
    • Fixed an issue when running SMH on Windows XP in the presence of the Performance Management Pack.
    • Handled the situation where the WMI service locks the SMH service.
    • Fixed a cross-site scripting (XSS) vulnerability.


    Version:2.1.11.197(A) (11 Feb 2008)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    Addressed the following vulnerabilities:

    • CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144.

    • CVE-2007-3304: prefork, worker MPMs: Ensure that the parent process cannot be forced to kill processes outside its process group.

    • CVE-2007-5135: Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7l and 0.9.8d might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow.

    • CVE-2007-3108: The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.

    • CVE-2007-6203: Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918.

    • CVE-2007-4657: Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, allow remote attackers to obtain sensitive information (memory contents) or cause a denial of service (thread crash) via a large len value to the (1) strspn or (2) strcspn function, which triggers an out-of-bounds read.

    • CVE-2007-3998: The wordwrap function in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, does not properly use the breakcharlen variable, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash, or infinite loop) via certain arguments, as demonstrated by a 'chr(0), 0, ""' argument set.

    Enhancements

    Updated OpenSSL, httpd and PHP libraries.


    Version:2.1.10.186 (C) (29 Jan 2008)
    Fixes

    Addressed the following vulnerabilities:

    • CVE-2007-1717: The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte, which might allow context-dependent attackers to prevent intended information from being delivered in e-mail messages. NOTE: this issue might be security-relevant in cases when the trailing contents of e-mail messages are important, such as logging information or if the message is expected to be well-formed.
    • CVE-2007-1711: Double free vulnerability in the unserializer in PHP 4.4.5 and 4.4.6 allows context-dependent attackers to execute arbitrary code by overwriting variables pointing to (1) the GLOBALS array or (2) the session data in _SESSION. NOTE: this issue was introduced when attempting to patch CVE-2007-1701 (MOPB-31-2007).
    • CVE-2007-1583: The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.
    • CVE-2007-1582: The resource system in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting certain functions in the GD (ext/gd) extension and unspecified other extensions via a userspace error handler, which can be used to destroy and modify internal resources.
    • CVE-2007-1001: Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.
    Enhancements

    This version only contains a change to an internal component, cpqstub.exe, which was updated to a newer version. System Management Homepage has undergone no changes to its functionality.

    The following enhancement note from version 2.1.10.186 still applies to version 2.1.10.186(B).

    • Updated PHP libraries.

    Version:2.1.10.186 (B) (21 Sep 2007)
    Fixes

    Addressed the following vulnerabilities:

    • CVE-2007-1717: The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte, which might allow context-dependent attackers to prevent intended information from being delivered in e-mail messages. NOTE: this issue might be security-relevant in cases when the trailing contents of e-mail messages are important, such as logging information or if the message is expected to be well-formed.
    • CVE-2007-1711: Double free vulnerability in the unserializer in PHP 4.4.5 and 4.4.6 allows context-dependent attackers to execute arbitrary code by overwriting variables pointing to (1) the GLOBALS array or (2) the session data in _SESSION. NOTE: this issue was introduced when attempting to patch CVE-2007-1701 (MOPB-31-2007).
    • CVE-2007-1583: The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.
    • CVE-2007-1582: The resource system in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting certain functions in the GD (ext/gd) extension and unspecified other extensions via a userspace error handler, which can be used to destroy and modify internal resources.
    • CVE-2007-1001: Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.
    Enhancements

    This version only contains a change to the component xml file. System Management Homepage has undergone no changes to its functionality. If you are running Microsoft Windows Server 2000 and you are using HP Version Control Repository Manager, you should upgrade to this component. Otherwise, no upgrade is recommended.

    The following enhancement note from version 2.1.10.186 still applies to version 2.1.10.186(B).

    • Updated PHP libraries.

    Version:2.1.10.186 (5 Sep 2007)
    Fixes

    Addressed the following vulnerabilities:

    • CVE-2007-1717: The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte, which might allow context-dependent attackers to prevent intended information from being delivered in e-mail messages. NOTE: this issue might be security-relevant in cases when the trailing contents of e-mail messages are important, such as logging information or if the message is expected to be well-formed.
    • CVE-2007-1711: Double free vulnerability in the unserializer in PHP 4.4.5 and 4.4.6 allows context-dependent attackers to execute arbitrary code by overwriting variables pointing to (1) the GLOBALS array or (2) the session data in _SESSION. NOTE: this issue was introduced when attempting to patch CVE-2007-1701 (MOPB-31-2007).
    • CVE-2007-1583: The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.
    • CVE-2007-1582: The resource system in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting certain functions in the GD (ext/gd) extension and unspecified other extensions via a userspace error handler, which can be used to destroy and modify internal resources.
    • CVE-2007-1001: Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.
    Enhancements

    Updated PHP libraries.


    Version:2.1.8.179 (14 May 2007)
    Enhancements

    Updated PHP libraries.

    Addressed the following vulnerabilities:

    • CVE-2007-1710 - The readfile function in PHP 4.4.4, 5.1.6, and 5.2.1 allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files by referring to local files with a certain URL syntax instead of a pathname syntax, as demonstrated by a filename preceded by a "php://../../" sequence.
    • CVE-2007-1286 - Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.
    • CVE-2006-4625 - PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allows local users to bypass certain Apache HTTP Server httpd.conf options, such as safe_mode and open_basedir, via the ini_restore function, which resets the values to their php.ini (Master Value) defaults.
    • CVE-2007-1884 - Multiple integer signedness errors in the printf function family in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 on 64 bit machines allow context-dependent attackers to execute arbitrary code via (1) certain negative argument numbers that arise in the php_formatted_print function because of 64 to 32 bit truncation, and bypass a check for the maximum allowable value; and (2) a width and precision of -1, which make it possible for the php_sprintf_appendstring function to place an internal buffer at an arbitrary memory location.
    • CVE-2007-1885 - Integer overflow in the str_replace function in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows context-dependent attackers to execute arbitrary code via a single character search string in conjunction with a long replacement string, which overflows a 32 bit length counter. NOTE: this is probably the same issue as CVE-2007-0906.6.
    • CVE-2007-1701 - PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".
    • CVE-2007-1700 - The session extension in PHP 4 before 4.4.5, and PHP 5 before 5.2.1, calculates the reference count for the session variables without considering the internal pointer from the session globals, which allows context-dependent attackers to execute arbitrary code via a crafted string in the session_register after unsetting HTTP_SESSION_VARS and _SESSION, which destroys the session data Hashtable.
    • CVE-2007-1380 - The php_binary serialization handler in the session extension in PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent attackers to obtain sensitive information (memory contents) via a serialized variable entry with a large length value, which triggers a buffer over-read.
    • CVE-2007-0988 - The zend_hash_init function in PHP 5 before 5.2.1 and PHP 4 before 4.4.5, when running on a 64-bit platform, allows context-dependent attackers to cause a denial of service (infinite loop) by unserializing certain integer expressions, which only cause 32-bit arguments to be used after the check for a negative value, as demonstrated by an "a:2147483649:{" argument.
    • CVE-2007-1886 - Integer overflow in the str_replace function in PHP 4.4.5 and PHP 5.2.1 allows context-dependent attackers to have an unknown impact via a single character search string in conjunction with a single character replacement string, which causes an "off by one overflow."
    • CVE-2007-1835 - PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session save path (session.save_path), uses the TMPDIR default after checking the restrictions, which allows local users to bypass open_basedir restrictions.

     


    Version:2.1.7.168 (16 Jan 2007)
    Fixes

    Addressed the following vulnerabilities:

    • CVE-2006-2937: OpenSSL 0.9.7 before 0.9.7l, and 0.9.8 before 0.9.8d, allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.
    • CVE-2006-2940: OpenSSL 0.9.7 before 0.9.7l, and 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification.
    • CVE-2006-3738: Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, and 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers.
    • CVE-2006-4343: The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, and 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.
    • CVE-2006-4339: OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS#1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.
    • CVE-2006-3747: Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.
    Enhancements
    Updated OpenSSL and PHP libraries.

    Version:2.1.6.156 (15 Dec 2006)
    Enhancements
    Added "Back" button support to the User Interface.

    Addressed the following vulnerabilities:

    • CVE-2005-3357: mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost with access control and a custom error 400 error page, allows remote attackers to cause a denial of service (application crash) via a non-SSL request to an SSL port, which triggers a NULL pointer dereference.
    • CVE-2005-3352: Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps.

    Version:2.1.5.146 (B) (28 Apr 2006)
    Fixes
    Modified the component pre-configuration form to allow the backslash character in the "Group Name" field of the "Operating System Groups" page.

    Version:2.1.5.146 (13 Apr 2006)
    Enhancements
    Added the following security updates:
    • A potential directory traversal vulnerability has been identified and resolved.
    • Updated PHP security.
    Added operating system support to include:
    • Windows Server 2003 R2
    Added browser support to include:
    • Mozilla 1.7
    • Firefox 1.5.1
    Component installer was enhanced to leave the component XML file (cpxxxxxx.xml) in a known location (%SystemDrive%\CPQSYSTEM\) so the HP Management and Version Control agents can retrieve information about the installed components on the server.

    Version:2.1.4.143 (26 Jan 2006)
    Enhancements
    Updated OpenSSL library to version 0.9.7i.

    Updates & patches for the following potential vulnerabilities associated with System Management Homepage have been added. The vulnerabilities are identified by the following candidates for common vulnerabilities and exposures:

    • CAN-2005-2969 - The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack (SSL v2.0 rollback vulnerability).
    • CAN-2005-2728 - The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.
    • CAN-2005-2088 - Apache 2.0.45 and 1.3.29, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
    • CAN-2005-2700 - ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote attackers to bypass intended access restrictions.
    • CAN-2005-1268 - Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.
    • CAN-2005-2491 - Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.
    • CAN-2005-3353 - The exif_read_data function in the Exif module in PHP before 4.4.1 allows remote attackers to cause a denial of service (infinite loop) via a malformed JPEG image.
    • CAN-2005-3388 - Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a "stacked array assignment."
    • CAN-2005-3389 - The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the register_globals directive via inputs that cause a request to be terminated due to the memory_limit setting, which causes PHP to set an internal flag that enables register_globals and allows attackers to exploit vulnerabilities in PHP applications that would otherwise be protected.
    • CAN-2005-3390 - The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when register_globals is enabled, allows remote attackers to modify the GLOBALS array and bypass security protections of PHP applications via a multipart/form-data POST request with a "GLOBALS" fileupload field.
    Additionally, the SSLv2 protocol can now be selectively configured and is disabled by default. It can be enabled by adding False in the XML configuration file.
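As an added, defender-side illustration of the framing ambiguity behind CAN-2005-2088 above (a request carrying both Transfer-Encoding: chunked and Content-Length), here is a small Python checker with constructed sample requests; it is not HPE or SMH code, and the RFC 7230 handling rule it applies (Transfer-Encoding wins, Content-Length must be dropped or the request rejected) is this example's assumption about a conforming front end, not something the release note states.

```python
"""Constructed example, not HPE or SMH code: detect HTTP/1.1 request heads whose
message framing is ambiguous, the condition behind CAN-2005-2088 (request
smuggling via Transfer-Encoding: chunked together with Content-Length)."""
from typing import List, Tuple

Header = Tuple[str, str]


def parse_head(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a raw request head into the request line and (name, value) pairs.

    Header names are lower-cased for comparison. Obsolete line folding (a
    continuation line starting with SP/HTAB) and whitespace before the colon
    are rejected outright, because a proxy and an origin server may parse
    them differently, which is exactly what a smuggling attempt relies on.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    request_line, headers = lines[0], []
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t":
            raise ValueError("obsolete header folding is not accepted")
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return request_line, headers


def framing_findings(headers: List[Header]) -> List[str]:
    """Return the reasons the body framing is ambiguous; empty means clean."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    findings = []
    if te and cl:
        # RFC 7230 section 3.3.3: Transfer-Encoding overrides Content-Length,
        # but the combination "might indicate an attempt to perform request
        # smuggling" and ought to be treated as an error by a front end.
        findings.append("both Transfer-Encoding and Content-Length present")
    if len(set(cl)) > 1:
        findings.append("multiple differing Content-Length values")
    if any(not v.isdigit() for v in cl):
        findings.append("non-numeric Content-Length")
    if te:
        codings = [c.strip().lower() for c in ",".join(te).split(",")]
        if codings[-1] != "chunked":
            findings.append("Transfer-Encoding present but chunked is not the final coding")
    return findings


def check_request(raw: bytes) -> List[str]:
    """Parse a raw request and report framing problems (empty list = accept)."""
    _, headers = parse_head(raw)
    return framing_findings(headers)


def headers_for_forwarding(headers: List[Header]) -> List[Header]:
    """RFC 7230 section 3.3.3: a proxy that does forward a request carrying both
    fields MUST remove Content-Length so the next hop sees a single framing.
    Rejecting such a request (see check_request) is the safer choice."""
    has_te = any(n == "transfer-encoding" for n, _ in headers)
    if not has_te:
        return list(headers)
    return [(n, v) for n, v in headers if n != "content-length"]


# Constructed samples: a clean request and one that makes two framing claims.
CLEAN_REQUEST = (
    b"POST /cgi-bin/status HTTP/1.1\r\n"
    b"Host: smh.example.invalid\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

AMBIGUOUS_REQUEST = (
    b"POST /cgi-bin/status HTTP/1.1\r\n"
    b"Host: smh.example.invalid\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("clean", CLEAN_REQUEST), ("ambiguous", AMBIGUOUS_REQUEST)):
        print(label, check_request(req) or "ok")
```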

    Version:2.1.3.132 (21 Sep 2005)
    Fixes
    Resolved the following:
    • IP Binding issue wherein Windows systems with System Management Homepage 2.1.0 or 2.1.2 installed, which have more than one IP address assigned to any of the system's network adapters, will only recognize one IP address per adapter.
    • Smart Component pre-configuration issue wherein, if IP Restriction is checked but no addresses are entered, System Management Homepage installation fails.
    • Smart Component issue that appeared in System Management Homepage 2.1.2, in which updating from System Management Homepage 2.1.0 using a pre-configured Windows component resulted in a loss of configuration.

    Version:2.1.2.127 (9 Sep 2005)
    Enhancements
    Added log rotation feature under Windows to better manage System Management Homepage logs.

    Addressed a Cross Site Scripting (XSS) issue in this release.


    Version:2.1.0.121 (15 Jul 2005)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    Corrected the following:

    • NIC teaming in Windows environments, so that IP address information is always completed.
    • Windows registry, so that the System Management Homepage installer version is updated properly.
    Enhancements

    Added the following:

    • Access support for the Power Users group for Windows platforms.
    • Support for managed systems running IPF.
    • Operating system support for new Windows platforms.
    Modified the System Management Homepage installer to remove Java dependencies.

    Version:2.0.2.106 (25 Apr 2005)
    Enhancements
    Added the following:
    • Japanese Language Kit

    Version:2.0.1.104 (14 Feb 2005)
    Fixes
    Resolved an issue with SmartStart installation on Microsoft Windows 2000 - Small Business.

    Legal Disclaimer: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.