Re: TCP/IP security patch

H_Bachner · ‎03-24-2010

@Volker:

>TCPIP V5.6 ECO 5 seems to already contain this fix:

I found the description of the TCPIP$NTPQ fix (see base note), but the patch kit consists of all seven TCPIP$NTP*.EXE images which are part of the product! This allows two interpretations:

- the problem was part of some code commonly used by all NTP images
- the fix delivered all seven images routinely, e.g. to hide the security hole.

Maybe a member of the TCP/IP team is reading here...

Hans.

H_Bachner · ‎03-24-2010

@Ian:

> and to fix the backup saveset try the magic
> BACKUP/REPAIR command :-)
> (worked for me on on VMS Alpha V8.3 YMMV)

yes, this was my first suggestion too! I only wasn't sure when this qualifier was added. In the meantime I found that Guy Peleg mentioned it as part of his V8.3 Utilities Update presentation at the OpenVMS Technical Update Days in 2006.

The qualifier is still undocumented in the OpenVMS 8.4 field test release.

Hans.

John Gillings · ‎03-24-2010

BACKUP/REPAIR

>I only wasn't sure when this qualifier was
>added. In the meantime I found that Guy
>Peleg mentioned it as part of his V8.3
>Utilities Update

You should find it in anything above V8.0. Guy added it after finding one of my > decade old SPRs requesting it.

Engineering seems to have gotten a bit slack about updating documentation of late :-(

(my original request was that backup *automatically* fix broken savesets, but that seemed a bit too much!)

A crucible of informative mistakes

H.Becker · ‎03-24-2010

Backup/repair: I admit, I didn't know it, I should have attended the TUD. But I had a look at the real documentation. The code for /repair was checked into 8.3. I have no idea if it was back-ported or if there was any special image (plus CLD file) for older VMS versions. The qualifier will be documented (at least it showed in a recent checkin for the online help) in 8.4.

It seems, if you set up a symbol like backup:=backup/repair it should repair any broken saveset, automagically. But you will get an informational for both, broken and intact savesets. I didn't see that it accepts the keyword "quiet". For the other backup operations I usually use, a quick test didn't show any conflict or message when used that way.

Malcolm Wade · ‎03-24-2010

The worrying thing about this patch is that it's distributed as a simple backup save-set which you and I have to pull apart and put the images into place which as we all know is fraught with danger as I bet some customers end up with these new images in SYS$SPECIFIC:[SYSEXE] There was not even a readme or command file in the saveset which you could refer to or run to patch your system.

As someone else pointed out; the images are over 3 months old. How hard is it to produce a PCSI kit?

Volker Halle · ‎03-25-2010

Hans,

the closer you look, the more questions arise:

The V5.6 patch simply collected all *.EXE files from the NTP build directory into a backup saveset. Whether this is necessary or required, I can't tell. TCPIP ECO kits have always been full kits since around JUN-2007, so this may explain why all NTP* images are included.

One of the problems referenced in the Security Bulletin c01961959 version 1 seems to be a BIND problem (CVE-2009-0696), not a NTP problem. There are no bind images in the V5.6 patch kits.

SSRT 090245 is not referenced in the TCPIP V5.6 ECO 5 release notes, so you could assume, that this problem is not fixed in ECO 5 (or the fix is not mentioned).

Volker.

H.Becker · ‎03-25-2010

>>>
As someone else pointed out; the images are over 3 months old. How hard is it to produce a PCSI kit?
<<<

Maybe it could have been done faster and I admit I didn't look at the actual kit dates. But you are comparing link dates with the availability of all the kits. You may want to add some time for kitting and testing. Everybody wants to have the kits tested, not only the images! And if there are kits for different OS and TCPIP versions it may take a signifikant amount of time. And in this case you also want to release all kits at once or none.

>>>
the closer you look, the more questions arise:
<<<

That's a problem and needs to be reported/addressed. ECOs should be well documented and there shouldn't be any uncertainty what needs to be installed in case of security related kits.

Just my EUR .02

Volker Halle · ‎03-25-2010

Hartmut,

thanks for your 'encouragement'. I've informed the Office of OpenVMS Programs about these issues.

Volker.

Ian Miller. · ‎03-25-2010

There is some 'discussion' going on already in HP about this and I've pointed people at this thread.

If Volker did not already have one, I'd nominate him for a VMS Ambassadors Spirit Award :-D

____________________
Purely Personal Opinion

Volker Halle · ‎03-25-2010

Hans,

more findings and questions:

the V56_ECO4 patches (both Alpha and I64) contain a TCPIP$NTPTRACE image from 30-MAR-2004.

the V55_ECO3 patches do NOT contain this image.

So either NTPTRACE is not affected, then why ship it ? Or it has been 'forgotten' to be fixed and shipped.

Volker.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: TCP/IP security patch