HP transmitted a Security Bulletin for MPE/iX yesterday. Such a bulletin is a rare thing for the HP 3000, which is often protected by its unique architecture and design. But adopting an open source standard for Domain Name Services (DNS) has cut off the system, now that DNS caches are at risk.
The HP bulletin reports a security breech of BIND/iX, the software that has provided DNS for the 3000 since 1998. HP reports that the DNS cache poisoning of last year is permitted by BIND/iX 9.3.0, which is inside MPE/iX 6.5, 7.0 and 7.5, HP says. (You'll need a login and password to read the text off the HP IT Response Center Web page.)
DNS is not a widely-used service hosted on HP 3000s. When HP rolled BIND/iX out more than 10 years ago, it called DNS “a basic Internet service that’s been lacking from the HP 3000,” and noted that the addition will help sites bypass Unix or Windows systems and create all-3000 intranets.
But even if BIND isn't that important to the community, there's news in the Resolution part of the bulletin, which says,"The resolution is to discontinue the use of BIND/iX and migrate DNS services to another platform." This is as clear a message as any that the HP patch era for the 3000 has ended. Last year HP announced that it would not create any more patches for the 3000, starting in 2009 — not even patches for security risks.