                                                          29 June 2000
Dear 3000 customers:

Recently, a security hole has been found in DBUTIL program.  By a special
setup, certain user who only has 'READ' capability to a database will be
able to perform tasks which only the database creator should be able to do. 
The problem has existed since 4.5 of MPE release.

We are in the process of creating a fix for this problem.  TurboIMAGE
patch TIXLX74 will include the fix.  This patch updates the TurboIMAGE
version to C.08.01 and is for MPE 5.5, 6.0 and 6.5.  Since the problem
only occurs in the DBUTIL program, if you don't want to change other
parts of the product, you can download only the DBUTIL program from
JAZZ (http://jazz.external.hp.com/src/misc/dbutil.std or 
http://jazz.external.hp.com/src/misc/dbutil.tar.Z) and replace
DBUTIL.PUB.SYS on your system with the correct version of DBUTIL contained
in one of these archives. 

Be sure to save the old DBUTIL program and swap back when you install the
TurboIMAGE patch later on, because PATCH/iX may complain the checksum 
mismatch. Depending on the TurboIMAGE version on your system (run QUERY;
use 'version' command), three matching DBUTIL programs are provided:
DBUTIL06 for TurboIMAGE version C.06.xx, DBUTIL07 for TurboIMAGE
version C.07.xx and DBUTIL08 for TurboIMAGE version C.08.xx.

For the ./dbutil.std download use the following directions:
   : file d=./dbutil.std;dev=disc
   : restore *d;@;show
   : do the RENAME's shown below...
Note: there are no ACDs in the store-to-disk archive.

For ./dbutil.tar.Z download use the following directions:
   :sh   # run the POSIX shell
   $ uncompress dbutil.tar.Z
   $ tar xvf dbutil.tar
   $ exit
Note: the DBUTIL06,07,08 files have an ACDin the tar archive.  This ACD
grants eXecute access to everyone (@.@) and can be deleted if you choose.


The following MPE CI commands will move the extracted DBUTIL file to
PUB.SYS:
   : rename DBUTIL.PUB.SYS, DBUTIL1.PUB.SYS
   : rename DBUTIL0n, DBUTIL.PUB.SYS
     # where n is 6,7,8 depending on your DBUTIL version
   : purge DBUTIL0x   to cleanup the extra versions of DBUTIL.


In the meantime, if you have security concerns, the best solution
is to add a lockword on DBUTIL.PUB.SYS to prevent illegal usage.

If you have any concern regarding the product, please don't
hesitate to call HP Response Center.

Best Regards,

Tien-You Chen
Commercial System Division