- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: TCP/IP security patch
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-24-2010 12:23 PM
тАО03-24-2010 12:23 PM
Re: TCP/IP security patch
>TCPIP V5.6 ECO 5 seems to already contain this fix:
I found the description of the TCPIP$NTPQ fix (see base note), but the patch kit consists of all seven TCPIP$NTP*.EXE images which are part of the product! This allows two interpretations:
- the problem was part of some code commonly used by all NTP images
- the fix delivered all seven images routinely, e.g. to hide the security hole.
Maybe a member of the TCP/IP team is reading here...
Hans.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-24-2010 01:07 PM
тАО03-24-2010 01:07 PM
Re: TCP/IP security patch
> and to fix the backup saveset try the magic
> BACKUP/REPAIR command :-)
> (worked for me on on VMS Alpha V8.3 YMMV)
yes, this was my first suggestion too! I only wasn't sure when this qualifier was added. In the meantime I found that Guy Peleg mentioned it as part of his V8.3 Utilities Update presentation at the OpenVMS Technical Update Days in 2006.
The qualifier is still undocumented in the OpenVMS 8.4 field test release.
Hans.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-24-2010 01:43 PM
тАО03-24-2010 01:43 PM
Re: TCP/IP security patch
>I only wasn't sure when this qualifier was
>added. In the meantime I found that Guy
>Peleg mentioned it as part of his V8.3
>Utilities Update
You should find it in anything above V8.0. Guy added it after finding one of my > decade old SPRs requesting it.
Engineering seems to have gotten a bit slack about updating documentation of late :-(
(my original request was that backup *automatically* fix broken savesets, but that seemed a bit too much!)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-24-2010 02:50 PM
тАО03-24-2010 02:50 PM
Re: TCP/IP security patch
It seems, if you set up a symbol like backup:=backup/repair it should repair any broken saveset, automagically. But you will get an informational for both, broken and intact savesets. I didn't see that it accepts the keyword "quiet". For the other backup operations I usually use, a quick test didn't show any conflict or message when used that way.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-24-2010 07:25 PM
тАО03-24-2010 07:25 PM
Re: TCP/IP security patch
As someone else pointed out; the images are over 3 months old. How hard is it to produce a PCSI kit?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-25-2010 12:53 AM
тАО03-25-2010 12:53 AM
Re: TCP/IP security patch
the closer you look, the more questions arise:
The V5.6 patch simply collected all *.EXE files from the NTP build directory into a backup saveset. Whether this is necessary or required, I can't tell. TCPIP ECO kits have always been full kits since around JUN-2007, so this may explain why all NTP* images are included.
One of the problems referenced in the Security Bulletin c01961959 version 1 seems to be a BIND problem (CVE-2009-0696), not a NTP problem. There are no bind images in the V5.6 patch kits.
SSRT 090245 is not referenced in the TCPIP V5.6 ECO 5 release notes, so you could assume, that this problem is not fixed in ECO 5 (or the fix is not mentioned).
Volker.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-25-2010 01:27 AM
тАО03-25-2010 01:27 AM
Re: TCP/IP security patch
As someone else pointed out; the images are over 3 months old. How hard is it to produce a PCSI kit?
<<<
Maybe it could have been done faster and I admit I didn't look at the actual kit dates. But you are comparing link dates with the availability of all the kits. You may want to add some time for kitting and testing. Everybody wants to have the kits tested, not only the images! And if there are kits for different OS and TCPIP versions it may take a signifikant amount of time. And in this case you also want to release all kits at once or none.
>>>
the closer you look, the more questions arise:
<<<
That's a problem and needs to be reported/addressed. ECOs should be well documented and there shouldn't be any uncertainty what needs to be installed in case of security related kits.
Just my EUR .02
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-25-2010 02:42 AM
тАО03-25-2010 02:42 AM
Re: TCP/IP security patch
thanks for your 'encouragement'. I've informed the Office of OpenVMS Programs about these issues.
Volker.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-25-2010 03:44 AM
тАО03-25-2010 03:44 AM
Re: TCP/IP security patch
If Volker did not already have one, I'd nominate him for a VMS Ambassadors Spirit Award :-D
Purely Personal Opinion
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-25-2010 04:54 AM
тАО03-25-2010 04:54 AM
Re: TCP/IP security patch
more findings and questions:
the V56_ECO4 patches (both Alpha and I64) contain a TCPIP$NTPTRACE image from 30-MAR-2004.
the V55_ECO3 patches do NOT contain this image.
So either NTPTRACE is not affected, then why ship it ? Or it has been 'forgotten' to be fixed and shipped.
Volker.