Printable version

Drivers & software

* RECOMMENDED * HPE System Management Homepage for Linux (AMD64/EM64T)

By downloading, you agree to the terms and conditions of the Hewlett Packard Enterprise Software License Agreement.
Note:  Some software requires a valid warranty, current Hewlett Packard Enterprise support contract, or a license fee.

Type: Software - System Management
Version: 7.6.1-9(12 Jul 2017)
Operating System(s):
Red Hat Enterprise Linux 6 Server (x86-64) | View all
File name: hpsmh-7.6.1-9.x86_64.rpm (14 MB)
The System Management Homepage provides a consolidated view for single server management highlighting tightly integrated management functionalities including performance, fault, security, diagnostic, configuration, and software change management.

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • Updated the following components:

    • PHP to version 5.6.27

    • OpenSSL to version 1.0.2k

    • Apache to version 2.4.25

  • Improved Security features [Please find more details in the Security Bulletin (ID: HPESBMU03753)]

  • Enabled support for RHEL 6.9, RHEL 7.3 and SLES 12.2 OS

Prerequisites:

Before installing the SMH software, the RPM verifies that the required versions of Linux library dependencies are present. If any dependencies are not present, then a list of the missing dependencies is provided. The user must manually install all missing dependencies to satisfy the prerequisites before proceeding with the RPM installation.


To ensure the integrity of your download, HPE recommends verifying your results with this SHA-256 Checksum value:

b6085ee93eed31537f21eaafaa3ac76bb3d29875bb3ba06e27bb63b14a8f6116 hpsmh-7.6.1-9.x86_64.rpm

Reboot Requirement:
Reboot is not required after installation for updates to take effect and hardware stability to be maintained.


Installation:
Download the rpm package to a directory on your hard drive and change the directory accordingly. Use the following commands for specific tasks:

  1. Installation: rpm -ivh hpsmh-< version >.x86_64.rpm
  2. Upgrade (from lower version to higher version): rpm -Uvh hpsmh-<version>.x86_64.rpm>
  3. Reinstallation (of same version): rpm -Uvh hpsmh-<version>.x86_64.rpm
  4. Downgrade (from higher version to lower version): User needs to uninstall the higher version (rpm –e hpsmh-<version>) and then install the lower version (rpm -ivh hpsmh-<version>.x86_64.rpm).

End User License Agreements:
HPE Software License Agreement v1


Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


Important:

SMH 7.6.0 & later versions, will support only Gen 8 and Gen 9 servers. Any future patch releases could be available, only on SMH web page. Please refer to HPE SMH Release Notes

Precautions for the user on Linux OS:

  • Do not provide login access to the “hpsmh” user (created during installation) by editing the /etc/passwd file or any other means
  • Do not add any user to the “hpmsh” group (created during installation)

 


Availability:

SMH 7.6.1 will be aligned with SPP v2017.07.0.


Notes:

As per SMH EOL terms, future patch releases will continue to provide fixes for security vulnerabilities & might not provide support to any new OS or Browser.


SMH 7.6.1 will be aligned with SPP v2017.07.0.

SMH 7.6.0 & later versions, will support only Gen 8 and Gen 9 servers. Any future patch releases could be available, only on SMH web page. Please refer to HPE SMH Release Notes

Precautions for the user on Linux OS:

  • Do not provide login access to the “hpsmh” user (created during installation) by editing the /etc/passwd file or any other means
  • Do not add any user to the “hpmsh” group (created during installation)

 

Version:7.6.4-3 (27 Sep 2018)
Enhancements

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


SUSE Linux Enterprise server 15 Operating System support


Version:7.6.3-3 (5 Feb 2018)
Enhancements

Upgrade Requirement:
Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


Updated the following components:

  • PHP to version 5.6.30
  • Zlib to version 1.2.11
  • PCRE to version 8.41
  • Libxslt to version 1.1.32

Version:7.6.1-9 (12 Jul 2017)
Enhancements

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • Updated the following components:

    • PHP to version 5.6.27

    • OpenSSL to version 1.0.2k

    • Apache to version 2.4.25

  • Improved Security features [Please find more details in the Security Bulletin (ID: HPESBMU03753)]

  • Enabled support for RHEL 6.9, RHEL 7.3 and SLES 12.2 OS


Version:7.6.0-11 (21 Oct 2016)
Fixes

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • Proper handling of Single Sign-On requests and certificates, which are in bad format
  • HPE Rebranding changes
Enhancements

  • Updated the following components:

    • PHP to version 5.5.38

    • Curl to version 7.49.1

    • OpenSSL to version 1.0.2h

    • Libxml2 to version libxml2-2.9.4

  • SSL Cipher Suite is set to TLSv1.2 as default

  • Improved Security features [Please find more details in the Security Bulletin (ID: HPSBMU03653)]


Version:7.5.5-6 (4 May 2016)
Enhancements

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • HPE Rebranding
  • Updated the following components:
    • PHP to version 5.5.31
    • Curl to version 7.47.0
    • OpenSSL to version 1.0.2g
    • Libxml2 to version libxml2-2.9.3
  • SSL protocol is now configurable using 'smhconfig' CLI
  • Improved Security features [ Please find more details in the Security Bulletin (ID: HPSBMU03593) ]

Version:7.5.4-3 (1 Apr 2016)
Enhancements

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


Signature Hash Algorithm of SMH certificate is upgraded to SHA-2 (SHA-256)


Version:7.5.2-4 (1 Oct 2015)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


Improved security features

Enhancements

Updated the following components

  • OpenSSL to version OpenSSL-1.0.2d
  • PHP to version php-5.6.11
  • Curl to version cul -7.42.1

Version:7.5.3-1 (28 Sep 2015)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


Japanese localization error in Insight agents pages


Version:7.5.0-4 (15 Jun 2015)
Enhancements

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • Updated following components
    • OpenSSL to version OpenSSL-1.0.1m
    • PHP to version php-5.5.23

Version:7.4.2-4 (30 Mar 2015)
Fixes

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • Security feature is optimized
Enhancements

  • Simplified Chinese support for configuration information
  • Updated the following components
    • Apache to version 2.4.10

Version:7.4.1-6 (5 Feb 2015)
Fixes

Upgrade Requirement:
Critical - HPE requires users update to this version immediately.


  • Fixed POODLE vulnerability (CVE-2014-3566)
  • Fixed a bug in Single Sign-On (SSO) feature
Enhancements

  • Updated the following components
    • OpenSSL to version OpenSSL-1.0.1j
    • PHP to version PHP-5.5.18
    • Curl to version Curl-7.38.0

Version:7.4.0-13 (9 Sep 2014)
Fixes

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • Improved SMH to use the system resources efficiently.
  • SMH Plugin integration is modified.
Enhancements

  • Enabled support for Red Hat Enterprise Linux 7
  • Updated the following components
    • PHP to version php-5.5.13
    • curl to version curl-7.35.0

Version:7.3.3-1 (19 Jun 2014)
Fixes

Upgrade Requirement:
Critical - HP requires users update to this version immediately.


Patched to address SSL/TLS MITM Vulnerability CVE-2014-0224 (http://www.openssl.org/news/secadv_20140605.txt)


Version:7.3.2-1 (15 Apr 2014)
Fixes

Upgrade Requirement:
Critical - HP requires users update to this version immediately.


Provides fix for CVE-2014-0160.


Version:7.3.1-4 (18 Feb 2014)
Enhancements

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • Enabled support of 2048 & 4096 bit certificate for Single Sign-On (SSO).
  • Enabled FQDN (Fully Qualified Domain Name) for the CN (Common Name) field in the self-signed certificate & CSR (Certificate Signing Request).

Version:7.3.0-9 (27 Nov 2013)
Enhancements

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • Enabled Simplified Chinese localization
  • Updated English OLH files
  • Updated the following components:
    • Apache to version 2.4.6
    • Libxml2 to version 2.9.1
    • OpenSSL to version 1.0.1e
    • Curl to version 7.32.0
    • PHP to version 5.5.2
    • zlib to version 1.2.8

Version:7.2.2-8 (10 Sep 2013)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


Fixed a security issue that could allow escalation of non-admin privileges to local administrative privileges.

Enhancements

  • Enable support of SUSE Linux Enterprise Server 11 SP3
  • Updated the following components:
    • PHP to 5.4.11
    • Curl to 7.28.1
    • Libxslt to 1.1.28

Version:7.2.1-2 (21 May 2013)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • Security updates (Please refer upcoming Security Bulletin for more information)

Version:7.2.0-14 (19 Feb 2013)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • Improved logging on few Operating Systems
Enhancements

  • Improvement in Certificate management
  • Added support for the following browsers:
    • Firefox ESR 17.0
    • Internet Explorer 10.0
  • Updated Apache to version 2.4.3
  • Enable support for Transport Layer Security (TLS) protocol 1.1 / 1.2
  • Improved CLI options for easier management of SMH configurations
  • Secured handling of HTTP communication
  • Improved User Interface for Online Help

Version:7.1.2-3 (26 Oct 2012)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • Improved security features.
  • Improved logging on few Operating Systems
Enhancements

  • Enable support of following OS:
    • Red Hat Client 5.8
  • Updated the following components:
    • OpenSSL to version 1.0.1c
    • PHP to version 5.3.14
  • Improvement in following components:
    • RPM packaging

Version:7.1.1-1 (19 Jun 2012)
Fixes

Upgrade Requirement:
Critical - HPE requires users update to this version immediately.


  • Improved security features of PHP.

Version:7.1.0-16 (4 Jun 2012)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • Improved the handling of following components:
    • Trust mode during upgrade
    • Group Configuration management during Replicate Agents Settings
    • SMH service management
    • PHP files to avoid crash
    • Webapp configuration files
Enhancements

  • Secured handling of HTTP response
  • Updated the following components:
    • Libxml2 to version 2.7.8
    • PHP to version 5.3.10
    • Curl library to version 7.24.0
    • OpenSSL to version 1.0.0h
  • Enable support of following OS:
    • Red Hat KVM
  • Usability of IP restrictions with SMH Command Line Interface
  • Information provided on webapp availability & loading statistics
  • Added support for the following browsers:
    • Firefox 9.0 & 10.0

Version:7.0.0-24 (27 Mar 2012)
Fixes

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • SMH improperly displayed an invalid certificate warning when restarted, even on a fresh install.
Enhancements

Added the following features:

  • A command line option to modify the local and state information in the SMH PKCS (Public-Key Cryptography Standards) data
  • Secured handling of HTTP request and response

Added support for the following browsers:

  • Firefox 6.0, 7.0 & 8.0
  • Internet Explorer 9.0

Clarified the log messages

Improved the handling of the following components:

  • Command Line Interface options
  • IP fields
  • Memory resources
  • Revoked trusted certificate
  • SMH configuration file and settings

Improved the CLI options, for easier management of SMH configurations

Updated the HTTP links

Updated the following elements:

  • Apache to version 2.2.21
  • Curl library to version 7.21.7
  • OpenSSL to version 1.0.0e
  • PHP to version 5.3.8

Version:6.3.1-23 (11 Aug 2011)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • SMH improperly displayed an invalid certificate warning when restarted, even on a fresh install.

Version:6.3.0-22 (18 Feb 2011)
Fixes

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


  • Proper validation of data, passed to CLI.
  • Proper handling of Presentation mode in User Preferences.
  • Proper handling of settings changes, when configuration file is Read only.
  • Better handling of Autostart feature.
  • Secured handling of HTTP response.
Enhancements

  • CLI to display current settings.
  • Updated PHP component to version 5.3.3.
  • Proper management of SMH self-signed certificate.
  • Consolidated logging API for SMH web applications (plug-ins).
  • Changed the default UI Timeout to 120 seconds.

Version:6.2.2-2 (17 Dec 2010)
Enhancements

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • Updated PHP to version 5.3.3 to improve security.

Version:6.2.1-14 (17 Sep 2010)
Enhancements

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.


  • For optimized memory usage.

Version:6.2.0-12 (25 Aug 2010)
Fixes

Upgrade Requirement:
Recommended - HP recommends users update to this version at their earliest convenience.

SMH version 6.2.0-12 resolved an information disclosure issue.


  • SMH was not displaying all the data in Home page for anonymous login. This has been fixed.
  • Modified HTML processing.
  • Enhancements

  • A CLI based configurable logging support in SMH log.
  • For better auditing, user name is logged in access log for SMH login and SMH settings pages.
  • Configuration of SSL Cipher Suite through CLI.
  • Added logging in smhstart and Replicate Agent Settings(RAS).
  • Added logging when SMH security settings are changed.
  • SMH now displays remaining plug-ins even after one of the plug-ins times out.
  • Autostart mode support.
  • The 'System Status' and 'Overall System Summary' tabs on the SMH Home page have been changed to 'Overall System Health Status' and 'Component Status Summary' respectively.
  • Updated the following open source components:
    - Apache 2.2.15
    - PHP 5.2.13
    - OpenSSL 0.9.8n

  • Version:6.1.0-103 (17 Feb 2010)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


  • Service hpsmhd now displays the correct message as "hpsmhd already running" if one tries to start hpsmhd when it is already running. Similarly, hpsmhd displays the message "hpsmhd already stopped" if one tries to stop an already stopped hpsmhd.
  • Enhancements

    • Updated OpenSSL to version 0.9.8l due to security vulnerabilities reported on earlier versions.

    Version:6.0.0-95 (3 Dec 2009)
    Fixes
  • Fixed a cross-site scripting vulnerability (XSS).

  • Fixed issue with search functionality in SMH help files.

  • Enhancements
    • Added smhlogreader, a command line interface to read SMH log
    • Added support for Microsoft Internet Explorer 8

    Version:3.0.2-77 (6 Aug 2009)
    Fixes
    • Fixed a cross-site scripting vulnerability (XSS).

    • Fixed an issue on search feature in SMH help

    • Fixed an UID issue with "hpsmh" user


    Version:3.0.1-73 (6 May 2009)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


  • Fixed vulnerabilities in PHP and OpenSSL libraries.

  • Fixed a cross-site scripting vulnerability (XSS).

  • Enhancements

    • Updated PHP and OpenSSL libraries

    Version:3.0.0-68 (11 Feb 2009)
    Fixes
    • Improved security
    Enhancements
    • Session Persistence
    • SIM communication through secure port and support to enable/disable non-secure port (2301)
    • IPv6 support
    • New interface and icons
    • Per-user UI preferences
    • Command line interface for SMH configuration
    • XEN server support
    • VMware 3.5 support
    • Log localization
    • Apache 2.2.6
    • OpenSSL 0.9.8h
    • PHP 5.2.6
    • libxml2 2.7.2

    Version:2.1.15-210 (19 Sep 2008)
    Fixes
  • Addressed the vulnerability:

    • CVE-2007-6203: Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918.
    • CVE-2008-2939: Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI.
    • Removed OpenSSL option to avoid vulnerability.
  • XEStatusReport was not working for some webapps based on ELM.

  • Version:2.1.12-200 (16 May 2008)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    Fixed a cross-site scripting vulnerability (XSS)


    Version:2.1.11-197 (11 Feb 2008)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    Addressed the following vulnerabilities:

    • CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144.

    • CVE-2007-3304: prefork, worker MPMs: Ensure that the parent process cannot be forced to kill processes outside its process group.

    • CVE-2007-5135: Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7l and 0.9.8d might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow.

    • CVE-2007-3108: The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.

    • CVE-2007-6203: Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918.

    • CVE-2007-4657: Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, allow remote attackers to obtain sensitive information (memory contents) or cause a denial of service (thread crash) via a large len value to the (1) strspn or (2) strcspn function, which triggers an out-of-bounds read.

    • CVE-2007-3998: The wordwrap function in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, does not properly use the breakcharlen variable, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash, or infinite loop) via certain arguments, as demonstrated by a 'chr(0), 0, ""' argument set.

    Enhancements

    Updated OpenSSL, httpd and PHP libraries.


    Version:2.1.10-186 (24 Jul 2007)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    Addressed the following vulnerabilities:

    • CVE-2007-1717: The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0
      through 5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte,
      which might allow context-dependent attackers to prevent intended
      information from being delivered in e-mail messages. NOTE: this issue
      might be security-relevant in cases when the trailing contents of e-mail
      messages are important, such as logging information or if the message is
      expected to be well-formed.
    • CVE-2007-1711: Double free vulnerability in the unserializer in PHP
      4.4.5 and 4.4.6 allows context-dependent attackers to execute arbitrary
      code by overwriting variables pointing to (1) the GLOBALS array or (2)
      the session data in _SESSION. NOTE: this issue was introduced when
      attempting to patch CVE-2007-1701 (MOPB-31-2007).
    • CVE-2007-1583: The mb_parse_str function in PHP 4.0.0 through 4.4.6
      and 5.0.0 through 5.2.1 sets the internal register_globals flag and does
      not disable it in certain cases when a script terminates, which allows
      remote attackers to invoke available PHP scripts with register_globals
      functionality that is not detectable by these scripts, as demonstrated
      by forcing a memory_limit violation.
    • CVE-2007-1582: The resource system in PHP 4.0.0 through 4.4.6 and
      5.0.0 through 5.2.1 allows context-dependent attackers to execute
      arbitrary code by interrupting certain functions in the GD (ext/gd)
      extension and unspecified other extensions via a userspace error
      handler, which can be used to destroy and modify internal resources.
    • CVE-2007-1001: Multiple integer overflows in the (1) createwbmp and
      (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0
      through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers
      to execute arbitrary code via Wireless Bitmap (WBMP) images with large
      width or height values.
    Enhancements

    Updated OpenSSL and PHP libraries.


    Version:2.1.9-178 (22 May 2007)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Added operating system support to include:

    • VMware ESX Server 2.5.4

    Version:2.1.8-177 (4 Apr 2007)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Updated PHP libraries.

    Added operating system support to include:

    • Red Hat Enterprise Linux 5 for AMD64 and Intel EM64T

    Addressed the following vulnerabilities:

    • CVE-2007-1710 - The readfile function in PHP 4.4.4, 5.1.6, and 5.2.1 allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files by referring to local files with a certain URL syntax instead of a pathname syntax, as demonstrated by a filename preceded a "php://../../" sequence.
    • CVE-2007-1286 - Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.
    • CVE-2006-4625 - PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allows local users to bypass certain Apache HTTP Server httpd.conf options, such as safe_mode and open_basedir, via the ini_restore function, which resets the values to their php.ini (Master Value) defaults.
    • CVE-2007-1884 - Multiple integer signedness errors in the printf function family in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 on 64 bit machines allow context-dependent attackers to execute arbitrary code via (1) certain negative argument numbers that arise in the php_formatted_print function because of 64 to 32 bit truncation, and bypass a check for the maximum allowable value; and (2) a width and precision of -1, which make it possible for the php_sprintf_appendstring function to place an internal buffer at an arbitrary memory location.
    • CVE-2007-1885 - Integer overflow in the str_replace function in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows context-dependent attackers to execute arbitrary code via a single character search string in conjunction with a long replacement string, which overflows a 32 bit length counter. NOTE: this is probably the same issue as CVE-2007-0906.6.
    • CVE-2007-1701 - PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".
    • CVE-2007-1700 - The session extension in PHP 4 before 4.4.5, and PHP 5 before 5.2.1, calculates the reference count for the session variables without considering the internal pointer from the session globals, which allows context-dependent attackers to execute arbitrary code via a crafted string in the session_register after unsetting HTTP_SESSION_VARS and _SESSION, which destroys the session data Hashtable.
    • CVE-2007-1380 - The php_binary serialization handler in the session extension in PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent attackers to obtain sensitive information (memory contents) via a serialized variable entry with a large length value, which triggers a buffer over-read.
    • CVE-2007-0988 - The zend_hash_init function in PHP 5 before 5.2.1 and PHP 4 before 4.4.5, when running on a 64-bit platform, allows context-dependent attackers to cause a denial of service (infinite loop) by unserializing certain integer expressions, which only cause 32-bit arguments to be used after the check for a negative value, as demonstrated by an "a:2147483649:{" argument.
    • CVE-2007-1886 - Integer overflow in the str_replace function in PHP 4.4.5 and PHP 5.2.1 allows context-dependent attackers to have an unknown impact via a single character search string in conjunction with a single character replacement string, which causes an "off by one overflow."
    • CVE-2007-1835 - PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session save path (session.save_path), uses the TMPDIR default after checking the restrictions, which allows local users to bypass open_basedir restrictions.

    Version:2.1.7-168 (16 Jan 2007)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    Addressed the following vulnerabilities:

    • CVE-2006-2937: OpenSSL 0.9.7 before 0.9.7l, and 0.9.8 before 0.9.8d, allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.
    • CVE-2006-2940: OpenSSL 0.9.7 before 0.9.7l, and 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of serivce (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification.
    • CVE-2006-3738: Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, and 0.9.8 before 0.9.8d, and earlier verisons has unspecified impact and remote attack vectors involving a long list of ciphers.
    • CVE-2006-4343: The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, and 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.
    • CVE-2006-4339: OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS#1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.
    • CVE-2006-3747: Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.
    Enhancements

    Updated OpenSSL and PHP libraries.


    Version:2.1.6-156 (25 Sep 2006)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Added "Back" button support to the User Interface.

    Addressed the following vulnerabilities:

    • CVE-2005-3357: mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost with access control and a custom error 400 error page, allows remote attackers to cause a denial of service (application crash) via a non-SSL request to an SSL port, which triggers a NULL pointer dereference.
    • CVE-2005-3352: Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps.

    Version:2.1.5-146 (13 Apr 2006)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Updated OpenSSL library to version 0.9.7i

    SSLv2 is now disabled by default

    Issues addressed:

    • CAN-2005-2969 - SSL v2.0 Rollback vulnerability
    • CAN-2005-2728 - Byterange filter DoS
    • CAN-2005-2088 - HTTP Request Spoofing
    • CAN-2005-2700 - important: SSLVerifyClient bypass
    • CAN-2005-1268 - low: Malicious CRL off-by-one
    • CAN-2005-2491 - Updated possbly vulnerable PCRE v4.5 extension to v6.2
    • CAN-2005-3353 - exif IFD2 patch to filter duplicates
    • CAN-2005-3388 - Fix XSS issue in PHP
    • CAN-2005-3389 - Fix for parse_str vulnerability
    • CAN-2005-3390 - RFC1867 file upload feature allows remote attackers to modify the GLOBALS array and bypass security protections

    Version:2.1.4-143 (30 Jan 2006)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Updated OpenSSL library to version 0.9.7i.

    Updates & patches for the following potential vulnerabilities associated with System Management Homepage have been added. The vulnerabilities are identified by the following candidates for common vulnerabilities and exposures:

    • CAN-2005-2969 - The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack. SSL v2.0 Rollback vulnerability
    • CAN-2005-2728 - The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.
    • CAN-2005-2088 - Apache 2.0.45 and 1.3.29, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
    • CAN-2005-2700 - ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote attackers to bypass intended access restrictions.
    • CAN-2005-2969 - The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack. SSL v2.0 Rollback vulnerability
    • CAN-2005-2728 - The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.
    • CAN-2005-2088 - Apache 2.0.45 and 1.3.29, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
    • CAN-2005-2700 - ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote attackers to bypass intended access restrictions.
    • CAN-2005-1268 - Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.
    • CAN-2005-2491 - Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.
    • CAN-2005-3353 - The exif_read_data function in the Exif module in PHP before 4.4.1 allows remote attackers to cause a denial of service (infinite loop) via a malformed JPEG image.
    • CAN-2005-3388 - Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a "stacked array assignment."
    • CAN-2005-3389 -The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the register_globals directive via inputs that cause a request to be terminated due to the memory_limit setting, which causes PHP to set an internal flag that enables register_globals and allows attackers to exploit vulnerabilities in PHP applications that would otherwise be protected.
    • CAN-2005-3390 - The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when register_globals is enabled, allows remote attackers to modify the GLOBALS array and bypass security protections of PHP applications via a multipart/form-data POST request with a "GLOBALS" fileupload field.
    Additionally, the SSLv2 protocol can now be selectively configured, and is disabled by default. It can be enabled by adding False in XML configuration file.

    Version:2.1.2-127 (9 Sep 2005)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Added log rotation feature under Windows to better manage System Management Homepage logs.

    Addressed a Cross Site Scripting (XSS) issue in this release.


    Version:2.1.0-118 (11 Jul 2005)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    Modified NIC bonding so that the server would properly start when certain IP addresses were used in NIC bonding configurations.

    Removed unnecessary dependency checks for gdbm, db, and compat RPMs used in previous versions.

    Modified IP Restriction logic to prevent a potential segmentation fault.

    Enhancements

    Remote unauthorized user may create a Denial of Service (DOS), cause a buffer overflow, or allow cross-site scripting attacks. Potential security vulnerabilities associated with web applications using PHP (prior to 4.3.11) have been identified by the following candidates for common vulnerabilities and exposures:

    • CAN-2004-1018 - Multiple integer handling errors in PHP may allow attackers to bypass safe mode restrictions, causing a denial of service
    • CAN-2004-1019 - The deserialization code in PHP may allow remote attackers to cause a denial of service
    • CAN-2004-1020 - The addslashes function in PHP does not properly escape a NULL (/0) character, which may allow remote attackers to read arbitrary files in PHP applications that contain a directory traversal vulnerability in require or include statements
    • CAN-2004-1063 - When running in safe mode on a multithreaded Linux webserver, may allow local users to bypass safe_mode_exec_dir restrictions and execute commands outside of the intended safe_mode_exec_dir via shell metacharacters in the current directory name.
    • CAN-2004-1064 - The safe mode checks in PHP truncate the file path before passing the data to the realpath function, which could allow attackers to bypass safe mode.
    • CAN-2004-1065 - Buffer overflow in the exif_read_data function in PHP may allow remote attackers to execute arbitrary code via a long section name in an image file.
    Additionally, the following vulnerability exists in Namazu versions prior to v2.0.14:
    • Namazu contains a vulnerability that can allow remote attackers to launch cross-site scripting attacks. The vulnerability is due to improper filtering of queries that start with a tab (%09) character in namazu.cgi. Remote attackers can exploit the vulnerability to inject arbitrary HTML and launch a variety of cross-site scripting attacks.

    Version:2.0.2-109 (4 May 2005)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Added the following:

    • Japanese Language Kit
    • New index.html.* to pop-up when unsupported browser logs into HPSMH (Konqueror/FireFox)

    Version:2.0.0-103(A) (28 Feb 2005)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Added support for Red Hat Enterprise Linux 4.


    Version:2.0.0-103 (14 Feb 2005)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Initial release.


    Type: Software - System Management
    Version: 7.6.1-9(12 Jul 2017)
    Operating System(s):
    Red Hat Enterprise Linux 6 Server (x86-64)
    Red Hat Enterprise Linux 7 Server
    SUSE Linux Enterprise Server 11 (AMD64/EM64T)
    SUSE Linux Enterprise Server 12

    Description

    The System Management Homepage provides a consolidated view for single server management highlighting tightly integrated management functionalities including performance, fault, security, diagnostic, configuration, and software change management.

    Enhancements

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • Updated the following components:

      • PHP to version 5.6.27

      • OpenSSL to version 1.0.2k

      • Apache to version 2.4.25

    • Improved Security features [Please find more details in the Security Bulletin (ID: HPESBMU03753)]

    • Enabled support for RHEL 6.9, RHEL 7.3 and SLES 12.2 OS

    Installation Instructions

    Prerequisites:

    Before installing the SMH software, the RPM verifies that the required versions of Linux library dependencies are present. If any dependencies are not present, then a list of the missing dependencies is provided. The user must manually install all missing dependencies to satisfy the prerequisites before proceeding with the RPM installation.


    To ensure the integrity of your download, HPE recommends verifying your results with this SHA-256 Checksum value:

    b6085ee93eed31537f21eaafaa3ac76bb3d29875bb3ba06e27bb63b14a8f6116 hpsmh-7.6.1-9.x86_64.rpm

    Reboot Requirement:
    Reboot is not required after installation for updates to take effect and hardware stability to be maintained.


    Installation:
    Download the rpm package to a directory on your hard drive and change the directory accordingly. Use the following commands for specific tasks:

    1. Installation: rpm -ivh hpsmh-< version >.x86_64.rpm
    2. Upgrade (from lower version to higher version): rpm -Uvh hpsmh-<version>.x86_64.rpm>
    3. Reinstallation (of same version): rpm -Uvh hpsmh-<version>.x86_64.rpm
    4. Downgrade (from higher version to lower version): User needs to uninstall the higher version (rpm –e hpsmh-<version>) and then install the lower version (rpm -ivh hpsmh-<version>.x86_64.rpm).

    Release Notes

    End User License Agreements:
    HPE Software License Agreement v1


    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    Important:

    SMH 7.6.0 & later versions, will support only Gen 8 and Gen 9 servers. Any future patch releases could be available, only on SMH web page. Please refer to HPE SMH Release Notes

    Precautions for the user on Linux OS:

    • Do not provide login access to the “hpsmh” user (created during installation) by editing the /etc/passwd file or any other means
    • Do not add any user to the “hpmsh” group (created during installation)

     


    Availability:

    SMH 7.6.1 will be aligned with SPP v2017.07.0.


    Notes:

    As per SMH EOL terms, future patch releases will continue to provide fixes for security vulnerabilities & might not provide support to any new OS or Browser.


    Availability

    SMH 7.6.1 will be aligned with SPP v2017.07.0.

    Important

    SMH 7.6.0 & later versions, will support only Gen 8 and Gen 9 servers. Any future patch releases could be available, only on SMH web page. Please refer to HPE SMH Release Notes

    Precautions for the user on Linux OS:

    • Do not provide login access to the “hpsmh” user (created during installation) by editing the /etc/passwd file or any other means
    • Do not add any user to the “hpmsh” group (created during installation)

     

    Revision History

    Version:7.6.4-3 (27 Sep 2018)
    Enhancements

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    SUSE Linux Enterprise server 15 Operating System support


    Version:7.6.3-3 (5 Feb 2018)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Updated the following components:

    • PHP to version 5.6.30
    • Zlib to version 1.2.11
    • PCRE to version 8.41
    • Libxslt to version 1.1.32

    Version:7.6.1-9 (12 Jul 2017)
    Enhancements

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • Updated the following components:

      • PHP to version 5.6.27

      • OpenSSL to version 1.0.2k

      • Apache to version 2.4.25

    • Improved Security features [Please find more details in the Security Bulletin (ID: HPESBMU03753)]

    • Enabled support for RHEL 6.9, RHEL 7.3 and SLES 12.2 OS


    Version:7.6.0-11 (21 Oct 2016)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • Proper handling of Single Sign-On requests and certificates, which are in bad format
    • HPE Rebranding changes
    Enhancements

    • Updated the following components:

      • PHP to version 5.5.38

      • Curl to version 7.49.1

      • OpenSSL to version 1.0.2h

      • Libxml2 to version libxml2-2.9.4

    • SSL Cipher Suite is set to TLSv1.2 as default

    • Improved Security features [Please find more details in the Security Bulletin (ID: HPSBMU03653)]


    Version:7.5.5-6 (4 May 2016)
    Enhancements

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • HPE Rebranding
    • Updated the following components:
      • PHP to version 5.5.31
      • Curl to version 7.47.0
      • OpenSSL to version 1.0.2g
      • Libxml2 to version libxml2-2.9.3
    • SSL protocol is now configurable using 'smhconfig' CLI
    • Improved Security features [ Please find more details in the Security Bulletin (ID: HPSBMU03593) ]

    Version:7.5.4-3 (1 Apr 2016)
    Enhancements

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    Signature Hash Algorithm of SMH certificate is upgraded to SHA-2 (SHA-256)


    Version:7.5.2-4 (1 Oct 2015)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    Improved security features

    Enhancements

    Updated the following components

    • OpenSSL to version OpenSSL-1.0.2d
    • PHP to version php-5.6.11
    • Curl to version cul -7.42.1

    Version:7.5.3-1 (28 Sep 2015)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    Japanese localization error in Insight agents pages


    Version:7.5.0-4 (15 Jun 2015)
    Enhancements

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • Updated following components
      • OpenSSL to version OpenSSL-1.0.1m
      • PHP to version php-5.5.23

    Version:7.4.2-4 (30 Mar 2015)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • Security feature is optimized
    Enhancements

    • Simplified Chinese support for configuration information
    • Updated the following components
      • Apache to version 2.4.10

    Version:7.4.1-6 (5 Feb 2015)
    Fixes

    Upgrade Requirement:
    Critical - HPE requires users update to this version immediately.


    • Fixed POODLE vulnerability (CVE-2014-3566)
    • Fixed a bug in Single Sign-On (SSO) feature
    Enhancements

    • Updated the following components
      • OpenSSL to version OpenSSL-1.0.1j
      • PHP to version PHP-5.5.18
      • Curl to version Curl-7.38.0

    Version:7.4.0-13 (9 Sep 2014)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • Improved SMH to use the system resources efficiently.
    • SMH Plugin integration is modified.
    Enhancements

    • Enabled support for Red Hat Enterprise Linux 7
    • Updated the following components
      • PHP to version php-5.5.13
      • curl to version curl-7.35.0

    Version:7.3.3-1 (19 Jun 2014)
    Fixes

    Upgrade Requirement:
    Critical - HP requires users update to this version immediately.


    Patched to address SSL/TLS MITM Vulnerability CVE-2014-0224 (http://www.openssl.org/news/secadv_20140605.txt)


    Version:7.3.2-1 (15 Apr 2014)
    Fixes

    Upgrade Requirement:
    Critical - HP requires users update to this version immediately.


    Provides fix for CVE-2014-0160.


    Version:7.3.1-4 (18 Feb 2014)
    Enhancements

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • Enabled support of 2048 & 4096 bit certificate for Single Sign-On (SSO).
    • Enabled FQDN (Fully Qualified Domain Name) for the CN (Common Name) field in the self-signed certificate & CSR (Certificate Signing Request).

    Version:7.3.0-9 (27 Nov 2013)
    Enhancements

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • Enabled Simplified Chinese localization
    • Updated English OLH files
    • Updated the following components:
      • Apache to version 2.4.6
      • Libxml2 to version 2.9.1
      • OpenSSL to version 1.0.1e
      • Curl to version 7.32.0
      • PHP to version 5.5.2
      • zlib to version 1.2.8

    Version:7.2.2-8 (10 Sep 2013)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    Fixed a security issue that could allow escalation of non-admin privileges to local administrative privileges.

    Enhancements

    • Enable support of SUSE Linux Enterprise Server 11 SP3
    • Updated the following components:
      • PHP to 5.4.11
      • Curl to 7.28.1
      • Libxslt to 1.1.28

    Version:7.2.1-2 (21 May 2013)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • Security updates (Please refer upcoming Security Bulletin for more information)

    Version:7.2.0-14 (19 Feb 2013)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • Improved logging on few Operating Systems
    Enhancements

    • Improvement in Certificate management
    • Added support for the following browsers:
      • Firefox ESR 17.0
      • Internet Explorer 10.0
    • Updated Apache to version 2.4.3
    • Enable support for Transport Layer Security (TLS) protocol 1.1 / 1.2
    • Improved CLI options for easier management of SMH configurations
    • Secured handling of HTTP communication
    • Improved User Interface for Online Help

    Version:7.1.2-3 (26 Oct 2012)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • Improved security features.
    • Improved logging on few Operating Systems
    Enhancements

    • Enable support of following OS:
      • Red Hat Client 5.8
    • Updated the following components:
      • OpenSSL to version 1.0.1c
      • PHP to version 5.3.14
    • Improvement in following components:
      • RPM packaging

    Version:7.1.1-1 (19 Jun 2012)
    Fixes

    Upgrade Requirement:
    Critical - HPE requires users update to this version immediately.


    • Improved security features of PHP.

    Version:7.1.0-16 (4 Jun 2012)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • Improved the handling of following components:
      • Trust mode during upgrade
      • Group Configuration management during Replicate Agents Settings
      • SMH service management
      • PHP files to avoid crash
      • Webapp configuration files
    Enhancements

    • Secured handling of HTTP response
    • Updated the following components:
      • Libxml2 to version 2.7.8
      • PHP to version 5.3.10
      • Curl library to version 7.24.0
      • OpenSSL to version 1.0.0h
    • Enable support of following OS:
      • Red Hat KVM
    • Usability of IP restrictions with SMH Command Line Interface
    • Information provided on webapp availability & loading statistics
    • Added support for the following browsers:
      • Firefox 9.0 & 10.0

    Version:7.0.0-24 (27 Mar 2012)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • SMH improperly displayed an invalid certificate warning when restarted, even on a fresh install.
    Enhancements

    Added the following features:

    • A command line option to modify the local and state information in the SMH PKCS (Public-Key Cryptography Standards) data
    • Secured handling of HTTP request and response

    Added support for the following browsers:

    • Firefox 6.0, 7.0 & 8.0
    • Internet Explorer 9.0

    Clarified the log messages

    Improved the handling of the following components:

    • Command Line Interface options
    • IP fields
    • Memory resources
    • Revoked trusted certificate
    • SMH configuration file and settings

    Improved the CLI options, for easier management of SMH configurations

    Updated the HTTP links

    Updated the following elements:

    • Apache to version 2.2.21
    • Curl library to version 7.21.7
    • OpenSSL to version 1.0.0e
    • PHP to version 5.3.8

    Version:6.3.1-23 (11 Aug 2011)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • SMH improperly displayed an invalid certificate warning when restarted, even on a fresh install.

    Version:6.3.0-22 (18 Feb 2011)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    • Proper validation of data, passed to CLI.
    • Proper handling of Presentation mode in User Preferences.
    • Proper handling of settings changes, when configuration file is Read only.
    • Better handling of Autostart feature.
    • Secured handling of HTTP response.
    Enhancements

    • CLI to display current settings.
    • Updated PHP component to version 5.3.3.
    • Proper management of SMH self-signed certificate.
    • Consolidated logging API for SMH web applications (plug-ins).
    • Changed the default UI Timeout to 120 seconds.

    Version:6.2.2-2 (17 Dec 2010)
    Enhancements

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • Updated PHP to version 5.3.3 to improve security.

    Version:6.2.1-14 (17 Sep 2010)
    Enhancements

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.


    • For optimized memory usage.

    Version:6.2.0-12 (25 Aug 2010)
    Fixes

    Upgrade Requirement:
    Recommended - HP recommends users update to this version at their earliest convenience.

    SMH version 6.2.0-12 resolved an information disclosure issue.


  • SMH was not displaying all the data in Home page for anonymous login. This has been fixed.
  • Modified HTML processing.
  • Enhancements

  • A CLI based configurable logging support in SMH log.
  • For better auditing, user name is logged in access log for SMH login and SMH settings pages.
  • Configuration of SSL Cipher Suite through CLI.
  • Added logging in smhstart and Replicate Agent Settings(RAS).
  • Added logging when SMH security settings are changed.
  • SMH now displays remaining plug-ins even after one of the plug-ins times out.
  • Autostart mode support.
  • The 'System Status' and 'Overall System Summary' tabs on the SMH Home page have been changed to 'Overall System Health Status' and 'Component Status Summary' respectively.
  • Updated the following open source components:
    - Apache 2.2.15
    - PHP 5.2.13
    - OpenSSL 0.9.8n

  • Version:6.1.0-103 (17 Feb 2010)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


  • Service hpsmhd now displays the correct message as "hpsmhd already running" if one tries to start hpsmhd when it is already running. Similarly, hpsmhd displays the message "hpsmhd already stopped" if one tries to stop an already stopped hpsmhd.
  • Enhancements

    • Updated OpenSSL to version 0.9.8l due to security vulnerabilities reported on earlier versions.

    Version:6.0.0-95 (3 Dec 2009)
    Fixes
  • Fixed a cross-site scripting vulnerability (XSS).

  • Fixed issue with search functionality in SMH help files.

  • Enhancements
    • Added smhlogreader, a command line interface to read SMH log
    • Added support for Microsoft Internet Explorer 8

    Version:3.0.2-77 (6 Aug 2009)
    Fixes
    • Fixed a cross-site scripting vulnerability (XSS).

    • Fixed an issue on search feature in SMH help

    • Fixed an UID issue with "hpsmh" user


    Version:3.0.1-73 (6 May 2009)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


  • Fixed vulnerabilities in PHP and OpenSSL libraries.

  • Fixed a cross-site scripting vulnerability (XSS).

  • Enhancements

    • Updated PHP and OpenSSL libraries

    Version:3.0.0-68 (11 Feb 2009)
    Fixes
    • Improved security
    Enhancements
    • Session Persistence
    • SIM communication through secure port and support to enable/disable non-secure port (2301)
    • IPv6 support
    • New interface and icons
    • Per-user UI preferences
    • Command line interface for SMH configuration
    • XEN server support
    • VMware 3.5 support
    • Log localization
    • Apache 2.2.6
    • OpenSSL 0.9.8h
    • PHP 5.2.6
    • libxml2 2.7.2

    Version:2.1.15-210 (19 Sep 2008)
    Fixes
  • Addressed the vulnerability:

    • CVE-2007-6203: Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918.
    • CVE-2008-2939: Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via wildcards in a pathname in an FTP URI.
    • Removed OpenSSL option to avoid vulnerability.
  • XEStatusReport was not working for some webapps based on ELM.

  • Version:2.1.12-200 (16 May 2008)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    Fixed a cross-site scripting vulnerability (XSS)


    Version:2.1.11-197 (11 Feb 2008)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    Addressed the following vulnerabilities:

    • CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers. PR 41144.

    • CVE-2007-3304: prefork, worker MPMs: Ensure that the parent process cannot be forced to kill processes outside its process group.

    • CVE-2007-5135: Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7l and 0.9.8d might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow.

    • CVE-2007-3108: The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.

    • CVE-2007-6203: Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918.

    • CVE-2007-4657: Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, allow remote attackers to obtain sensitive information (memory contents) or cause a denial of service (thread crash) via a large len value to the (1) strspn or (2) strcspn function, which triggers an out-of-bounds read.

    • CVE-2007-3998: The wordwrap function in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, does not properly use the breakcharlen variable, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash, or infinite loop) via certain arguments, as demonstrated by a 'chr(0), 0, ""' argument set.

    Enhancements

    Updated OpenSSL, httpd and PHP libraries.


    Version:2.1.10-186 (24 Jul 2007)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    Addressed the following vulnerabilities:

    • CVE-2007-1717: The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0
      through 5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte,
      which might allow context-dependent attackers to prevent intended
      information from being delivered in e-mail messages. NOTE: this issue
      might be security-relevant in cases when the trailing contents of e-mail
      messages are important, such as logging information or if the message is
      expected to be well-formed.
    • CVE-2007-1711: Double free vulnerability in the unserializer in PHP
      4.4.5 and 4.4.6 allows context-dependent attackers to execute arbitrary
      code by overwriting variables pointing to (1) the GLOBALS array or (2)
      the session data in _SESSION. NOTE: this issue was introduced when
      attempting to patch CVE-2007-1701 (MOPB-31-2007).
    • CVE-2007-1583: The mb_parse_str function in PHP 4.0.0 through 4.4.6
      and 5.0.0 through 5.2.1 sets the internal register_globals flag and does
      not disable it in certain cases when a script terminates, which allows
      remote attackers to invoke available PHP scripts with register_globals
      functionality that is not detectable by these scripts, as demonstrated
      by forcing a memory_limit violation.
    • CVE-2007-1582: The resource system in PHP 4.0.0 through 4.4.6 and
      5.0.0 through 5.2.1 allows context-dependent attackers to execute
      arbitrary code by interrupting certain functions in the GD (ext/gd)
      extension and unspecified other extensions via a userspace error
      handler, which can be used to destroy and modify internal resources.
    • CVE-2007-1001: Multiple integer overflows in the (1) createwbmp and
      (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0
      through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers
      to execute arbitrary code via Wireless Bitmap (WBMP) images with large
      width or height values.
    Enhancements

    Updated OpenSSL and PHP libraries.


    Version:2.1.9-178 (22 May 2007)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Added operating system support to include:

    • VMware ESX Server 2.5.4

    Version:2.1.8-177 (4 Apr 2007)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Updated PHP libraries.

    Added operating system support to include:

    • Red Hat Enterprise Linux 5 for AMD64 and Intel EM64T

    Addressed the following vulnerabilities:

    • CVE-2007-1710 - The readfile function in PHP 4.4.4, 5.1.6, and 5.2.1 allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files by referring to local files with a certain URL syntax instead of a pathname syntax, as demonstrated by a filename preceded a "php://../../" sequence.
    • CVE-2007-1286 - Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.
    • CVE-2006-4625 - PHP 4.x up to 4.4.4 and PHP 5 up to 5.1.6 allows local users to bypass certain Apache HTTP Server httpd.conf options, such as safe_mode and open_basedir, via the ini_restore function, which resets the values to their php.ini (Master Value) defaults.
    • CVE-2007-1884 - Multiple integer signedness errors in the printf function family in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 on 64 bit machines allow context-dependent attackers to execute arbitrary code via (1) certain negative argument numbers that arise in the php_formatted_print function because of 64 to 32 bit truncation, and bypass a check for the maximum allowable value; and (2) a width and precision of -1, which make it possible for the php_sprintf_appendstring function to place an internal buffer at an arbitrary memory location.
    • CVE-2007-1885 - Integer overflow in the str_replace function in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows context-dependent attackers to execute arbitrary code via a single character search string in conjunction with a long replacement string, which overflows a 32 bit length counter. NOTE: this is probably the same issue as CVE-2007-0906.6.
    • CVE-2007-1701 - PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".
    • CVE-2007-1700 - The session extension in PHP 4 before 4.4.5, and PHP 5 before 5.2.1, calculates the reference count for the session variables without considering the internal pointer from the session globals, which allows context-dependent attackers to execute arbitrary code via a crafted string in the session_register after unsetting HTTP_SESSION_VARS and _SESSION, which destroys the session data Hashtable.
    • CVE-2007-1380 - The php_binary serialization handler in the session extension in PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent attackers to obtain sensitive information (memory contents) via a serialized variable entry with a large length value, which triggers a buffer over-read.
    • CVE-2007-0988 - The zend_hash_init function in PHP 5 before 5.2.1 and PHP 4 before 4.4.5, when running on a 64-bit platform, allows context-dependent attackers to cause a denial of service (infinite loop) by unserializing certain integer expressions, which only cause 32-bit arguments to be used after the check for a negative value, as demonstrated by an "a:2147483649:{" argument.
    • CVE-2007-1886 - Integer overflow in the str_replace function in PHP 4.4.5 and PHP 5.2.1 allows context-dependent attackers to have an unknown impact via a single character search string in conjunction with a single character replacement string, which causes an "off by one overflow."
    • CVE-2007-1835 - PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session save path (session.save_path), uses the TMPDIR default after checking the restrictions, which allows local users to bypass open_basedir restrictions.

    Version:2.1.7-168 (16 Jan 2007)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    Addressed the following vulnerabilities:

    • CVE-2006-2937: OpenSSL 0.9.7 before 0.9.7l, and 0.9.8 before 0.9.8d, allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition.
    • CVE-2006-2940: OpenSSL 0.9.7 before 0.9.7l, and 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of serivce (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification.
    • CVE-2006-3738: Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, and 0.9.8 before 0.9.8d, and earlier verisons has unspecified impact and remote attack vectors involving a long list of ciphers.
    • CVE-2006-4343: The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, and 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.
    • CVE-2006-4339: OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS#1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.
    • CVE-2006-3747: Off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) in Apache 1.3 from 1.3.28, 2.0.46 and other versions before 2.0.59, and 2.2, when RewriteEngine is enabled, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted URLs that are not properly handled using certain rewrite rules.
    Enhancements

    Updated OpenSSL and PHP libraries.


    Version:2.1.6-156 (25 Sep 2006)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Added "Back" button support to the User Interface.

    Addressed the following vulnerabilities:

    • CVE-2005-3357: mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL vhost with access control and a custom error 400 error page, allows remote attackers to cause a denial of service (application crash) via a non-SSL request to an SSL port, which triggers a NULL pointer dereference.
    • CVE-2005-3352: Cross-site scripting (XSS) vulnerability in the mod_imap module of Apache httpd before 1.3.35-dev and Apache httpd 2.0.x before 2.0.56-dev allows remote attackers to inject arbitrary web script or HTML via the Referer when using image maps.

    Version:2.1.5-146 (13 Apr 2006)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Updated OpenSSL library to version 0.9.7i

    SSLv2 is now disabled by default

    Issues addressed:

    • CAN-2005-2969 - SSL v2.0 Rollback vulnerability
    • CAN-2005-2728 - Byterange filter DoS
    • CAN-2005-2088 - HTTP Request Spoofing
    • CAN-2005-2700 - important: SSLVerifyClient bypass
    • CAN-2005-1268 - low: Malicious CRL off-by-one
    • CAN-2005-2491 - Updated possbly vulnerable PCRE v4.5 extension to v6.2
    • CAN-2005-3353 - exif IFD2 patch to filter duplicates
    • CAN-2005-3388 - Fix XSS issue in PHP
    • CAN-2005-3389 - Fix for parse_str vulnerability
    • CAN-2005-3390 - RFC1867 file upload feature allows remote attackers to modify the GLOBALS array and bypass security protections

    Version:2.1.4-143 (30 Jan 2006)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Updated OpenSSL library to version 0.9.7i.

    Updates & patches for the following potential vulnerabilities associated with System Management Homepage have been added. The vulnerabilities are identified by the following candidates for common vulnerabilities and exposures:

    • CAN-2005-2969 - The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack. SSL v2.0 Rollback vulnerability
    • CAN-2005-2728 - The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.
    • CAN-2005-2088 - Apache 2.0.45 and 1.3.29, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
    • CAN-2005-2700 - ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote attackers to bypass intended access restrictions.
    • CAN-2005-2969 - The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack. SSL v2.0 Rollback vulnerability
    • CAN-2005-2728 - The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field.
    • CAN-2005-2088 - Apache 2.0.45 and 1.3.29, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."
    • CAN-2005-2700 - ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote attackers to bypass intended access restrictions.
    • CAN-2005-1268 - Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.
    • CAN-2005-2491 - Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.
    • CAN-2005-3353 - The exif_read_data function in the Exif module in PHP before 4.4.1 allows remote attackers to cause a denial of service (infinite loop) via a malformed JPEG image.
    • CAN-2005-3388 - Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a "stacked array assignment."
    • CAN-2005-3389 -The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the register_globals directive via inputs that cause a request to be terminated due to the memory_limit setting, which causes PHP to set an internal flag that enables register_globals and allows attackers to exploit vulnerabilities in PHP applications that would otherwise be protected.
    • CAN-2005-3390 - The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when register_globals is enabled, allows remote attackers to modify the GLOBALS array and bypass security protections of PHP applications via a multipart/form-data POST request with a "GLOBALS" fileupload field.
    Additionally, the SSLv2 protocol can now be selectively configured, and is disabled by default. It can be enabled by adding False in XML configuration file.

    Version:2.1.2-127 (9 Sep 2005)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Added log rotation feature under Windows to better manage System Management Homepage logs.

    Addressed a Cross Site Scripting (XSS) issue in this release.


    Version:2.1.0-118 (11 Jul 2005)
    Fixes

    Upgrade Requirement:
    Recommended - HPE recommends users update to this version at their earliest convenience.


    Modified NIC bonding so that the server would properly start when certain IP addresses were used in NIC bonding configurations.

    Removed unnecessary dependency checks for gdbm, db, and compat RPMs used in previous versions.

    Modified IP Restriction logic to prevent a potential segmentation fault.

    Enhancements

    Remote unauthorized user may create a Denial of Service (DOS), cause a buffer overflow, or allow cross-site scripting attacks. Potential security vulnerabilities associated with web applications using PHP (prior to 4.3.11) have been identified by the following candidates for common vulnerabilities and exposures:

    • CAN-2004-1018 - Multiple integer handling errors in PHP may allow attackers to bypass safe mode restrictions, causing a denial of service
    • CAN-2004-1019 - The deserialization code in PHP may allow remote attackers to cause a denial of service
    • CAN-2004-1020 - The addslashes function in PHP does not properly escape a NULL (/0) character, which may allow remote attackers to read arbitrary files in PHP applications that contain a directory traversal vulnerability in require or include statements
    • CAN-2004-1063 - When running in safe mode on a multithreaded Linux webserver, may allow local users to bypass safe_mode_exec_dir restrictions and execute commands outside of the intended safe_mode_exec_dir via shell metacharacters in the current directory name.
    • CAN-2004-1064 - The safe mode checks in PHP truncate the file path before passing the data to the realpath function, which could allow attackers to bypass safe mode.
    • CAN-2004-1065 - Buffer overflow in the exif_read_data function in PHP may allow remote attackers to execute arbitrary code via a long section name in an image file.
    Additionally, the following vulnerability exists in Namazu versions prior to v2.0.14:
    • Namazu contains a vulnerability that can allow remote attackers to launch cross-site scripting attacks. The vulnerability is due to improper filtering of queries that start with a tab (%09) character in namazu.cgi. Remote attackers can exploit the vulnerability to inject arbitrary HTML and launch a variety of cross-site scripting attacks.

    Version:2.0.2-109 (4 May 2005)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Added the following:

    • Japanese Language Kit
    • New index.html.* to pop-up when unsupported browser logs into HPSMH (Konqueror/FireFox)

    Version:2.0.0-103(A) (28 Feb 2005)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Added support for Red Hat Enterprise Linux 4.


    Version:2.0.0-103 (14 Feb 2005)
    Enhancements

    Upgrade Requirement:
    Optional - Users should update to this version if their system is affected by one of the documented fixes or if there is a desire to utilize any of the enhanced functionality provided by this version.


    Initial release.


    Legal Disclaimer: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.