There is scanning software provided by "Qualys" that has a problem, but they REFUSE to fix their scanning software. The scanning software reports the vulnerability discussed in this notice but fails to report that the proper MP was applied to resolve the vulnerability. This is what our security group calls a "false positive". They then require that paperwork be submitted to negate the "false positive". I think the scanning software should be fixed to NOT report a vulnerability if the proper resolution has already been applied. Am I wrong?

Here is the initial Symantec resolution:

A vulnerability has recently been discovered, which affects the bpjava-msvc logon process within VERITAS NetBackup (tm) 4.5, 5.0, 5.1, and 6.0 (including maintenance and feature packs). This vulnerability could potentially allow remote malicious users to execute arbitrary code.
http://support.veritas.com/docs/279085

The above resolution IS INCLUDED in subsequent maintenance packs.

BTW: I asked our security group to contact the source and get it fixed, but they said they had no confidence that the resolution from Symantec is adequate.

Here is their website:
http://www.qualys.com/products/overview/
_______________________________________________
Veritas-bu maillist - Veritas-bu@mailman.eng.auburn.edu
http://mailman.eng.auburn.edu/mailman/listinfo/veritas-bu