Operating System - OpenVMS

Re: TCP/IP security patch

 
H_Bachner
Regular Advisor

TCP/IP security patch

Yesterday, HP published Security Bulletin c01961959 (see <>).

This bulletin points to updated images for HP TCP/IP Services V5.5 ECO3 and V5.6 ECO4.

I did not look at the V5.5 stuff (yet), but got the fix for V5.6 ECO4 on Alpha.

Current ECO for V5.6 is ECO5.

The security patch contains a number of NTP related images. I compared the first image from this fix for ECO4 and the respective image in the official ECO5 kit and found the following:

image name: "TCPIP$NTP"
image file identification: "V5.6-ECO4B"
link date/time: 7-DEC-2009 16:30:34.44

image name: "TCPIP$NTP"
image file identification: "V5.6-ECO5"
link date/time: 30-NOV-2009 18:07:22.57

So the image from the security patch is newer than that from ECO5. The ECO 5 release notes don't mention security issues for NTP (except maybe a corrected stack overflow problem for TCPIP$NTPQ, but not the other programs contained in the security patch).

Can anyone tell me:

- does ECO5 contain these fixes?
- if not, will there be a patch kit for ECO5 as well?

An interesting question remains: why does HP publish a Security Bulletin on 23-Mar pointing to a fix that is more than three months old?

Thanks for any info,
Hans.
The Brit
Honored Contributor

Re: TCP/IP security patch

I am also running TCPIP 5.6 ECO5 on my testing system, and I am curious as to whether this security bulletin applies to ECO5.

On a different note, I downloaded the ECO4 patch (backup saveset) to the same system, but I couldn't read it. I got:

backup/list qxcr1000910870_v56_eco4_i64.bck;1/save_set
Listing of save set(s)

%BACKUP-E-POSERROR, error positioning DSA101:[OPENVMS.PRODUCTS.TCPIP56_E5]qxcr1000910870_v56_eco4_i64.bck;1
-RMS-F-IOP, operation invalid for file organization or device
%BACKUP-E-READERRS, excessive error rate reading DSA101:[OPENVMS.PRODUCTS.TCPIP56_E5]qxcr1000910870_v56_eco4_i64.bck;1
-BACKUP-E-BLOCKCRC, software block CRC error
%BACKUP-I-OPERSPEC
%BACKUP-I-OPERASSIST, operator assistance has been requested
%BACKUP-I-NOOPER, no operator is available to handle the request
%BACKUP-I-OPERSPEC, specify option (QUIT or CONTINUE)
Requesting PID:2020078C, Target Device:_DSA101

I downloaded in binary mode, (see attachment)

(I just know someone is going to point out some novice mistake I made.)

Dave
H_Bachner
Regular Advisor

Re: TCP/IP security patch

Hi Dave,

binary download creates files with fixed length (ok for BACKUP), but 512 bytes record length (usually not what BACKUP expects).

On a sufficiently new system, just add the /REPAIR qualifier to your BACKUP command.
On older systems, use
$ SET FILE /ATTRIB=LRL=32256 saveset.bck

The actual record length may vary and can be found out once BACKUP /LIST gets sufficiently far to display the saveset block size, or you DUMP the first block of the saveset and get the required record size (in hex) at offset 28(hex).

Hans.
H.Becker
Honored Contributor

Re: TCP/IP security patch

>>>
(I just know someone is going to point out some novice mistake I made.)
<<<
You may want to get Hein's magic spell - FIXSAVESET.COM which will print a
RFM was FIX, MRS = 512, LRL = 512.
and do a
$SET FILE /ATTR=(RFM=FIX, MRS=32256, LRL=32256)
Art Wiens
Respected Contributor

Re: TCP/IP security patch

Using FTP to download VMS savesets doesn't usually "work well". Try the recommended:

SET FILE/ATTRIBUTES=(RFM:FIX,MRS:32256,LRL:32256,RAT:NONE) file.bck

to fix your saveset.

Cheers,
Art
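The offset 28(hex) lookup from Hans's reply combined with the SET FILE command from Art's reply, as an added example that is not part of any post in this thread: it reads the block size from the first block of a downloaded saveset and builds the matching repair command. It assumes the field is a 32-bit little-endian longword and that valid BACKUP block sizes lie between 2048 and 65535; all function names are hypothetical.

```python
import struct

BLOCKSIZE_OFFSET = 0x28              # offset quoted in the thread
MIN_BLOCK, MAX_BLOCK = 2048, 65535   # assumed BACKUP block size limits


def saveset_block_size(first_block: bytes) -> int:
    """Return the block size stored in the first saveset block."""
    if len(first_block) < BLOCKSIZE_OFFSET + 4:
        raise ValueError("need at least the first 44 bytes of the saveset")
    # Assumption: unsigned 32-bit little-endian longword at offset 0x28.
    (size,) = struct.unpack_from("<I", first_block, BLOCKSIZE_OFFSET)
    if not MIN_BLOCK <= size <= MAX_BLOCK:
        # Not a saveset, or the download was damaged (ASCII-mode transfer,
        # truncated file, HTML error page saved under the .bck name).
        raise ValueError(f"implausible block size {size}")
    return size


def block_size_from_file(path: str) -> int:
    """Read the first 512-byte block of a local file and parse it."""
    with open(path, "rb") as f:
        return saveset_block_size(f.read(512))


def repair_command(vms_filename: str, block_size: int) -> str:
    """Build the SET FILE command from the thread for this block size."""
    return (f"$ SET FILE/ATTRIBUTES=(RFM:FIX,MRS:{block_size},"
            f"LRL:{block_size},RAT:NONE) {vms_filename}")


def constructed_header(block_size: int) -> bytes:
    """Constructed sample input: 512 zero bytes with only the size field set."""
    block = bytearray(512)
    struct.pack_into("<I", block, BLOCKSIZE_OFFSET, block_size)
    return bytes(block)


if __name__ == "__main__":
    size = saveset_block_size(constructed_header(32256))
    print(repair_command("saveset.bck", size))
```

A rejected header is worth treating as a failed download rather than forcing attributes onto the file, since BACKUP will only report CRC errors later.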
Art Wiens
Respected Contributor

Re: TCP/IP security patch

Doh! That's what happens when you take the time to go get a coffee refill!

Cheers anyways,
Art
Volker Halle
Honored Contributor

Re: TCP/IP security patch

Hans,

TCPIP V5.6 ECO 5 seems to already contain this fix:

ECO 5 updates
-------------
16-JUN-2009 Alpha and INTEGRITY SERVERS

Problem:

A stack buffer overflow problem exists in the NTPQ program.

Deliverables:

TCPIP$NTPQ.EXE

Reference:
SSRT#090073, TCPIP_BUGS Note 3709


Volker.
Volker Halle
Honored Contributor

Re: TCP/IP security patch

Hans,

TCPIP V5.5 ECO 3 is still the 'current' patch (released on 21-FEB-2008).

I can't answer your question about the 'age' of the fix, but the comment in the V5.6 ECO 3 release notes seems to indicate that this part of the problem already got fixed on 16-JUN-2009.

Volker.
Ian Miller.
Honored Contributor

Re: TCP/IP security patch

and to fix the backup saveset try the magic

BACKUP/REPAIR command :-)

(worked for me on VMS Alpha V8.3 YMMV)
____________________
Purely Personal Opinion
Hoff
Honored Contributor

Re: TCP/IP security patch

There's an Apache Secure Web Server (SWS) patch that just dropped, too.

http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02002308