I64 VMS critical vulnerability in V8.3, V8.3-1H1, V8.4


Post by Rich Jorda » Sat, 18 Dec 2010 00:49:15


OpenVMS.ORG has a link here: http://www.yqcomputer.com/
 
 
 


Post by R.A.Omon » Sat, 18 Dec 2010 01:48:44


Hmmm... this is going to be, ahem, "interesting".

Will it be only customers with a support contract who get this ?

At least this issue should force HP into clarifying the situation.

 
 
 


Post by Michael Kr » Sat, 18 Dec 2010 02:10:58

R.A.Omond wrote:


Wouldn't that be a reason to sue HP for warranty claims?
I mean they delivered a defective product and should fix
it without charge.
 
 
 


Post by JF Meze » Sat, 18 Dec 2010 02:19:12


##
HP is broadly distributing this Security Bulletin in order to bring to
the attention of users of the affected HP products the important
security information contained in this Bulletin. HP recommends that all
users determine the applicability of this information to their
individual situations and take appropriate action
##

Anyone know if this applies to a layered/middleware, or to vanilla VMS ?
(for instance, if it applies to TCPIP Services, those who don't have it
installed are not concerned).


Interesting that HP says it is broadly distributing this when those not
on contract cannot get patches. There is no reason for broad
dissemination anymore. Then again, those who cannot get the patches now
have an additional reason to seek another vendor and leave VMS/HP.
 
 
 


Post by Richard B. » Sat, 18 Dec 2010 02:20:37


If the product is defective, don't pay for it. Return all media,
documentation, etc.

Get a copy of Linux.
 
 
 


Post by JF Meze » Sat, 18 Dec 2010 02:22:40


**IF** self-support customers who paid for the right to upgrade to 8.4
also got free support for X months, then they would get access to the
patches.

If you didn't pay for the right to upgrade, then installing 8.4 would be
illegal and you can't sue HP.

I am pretty sure HP has a legal department who will have considered all
those issues when they decided to restrict access to patches.
 
 
 


Post by billg99 » Sat, 18 Dec 2010 02:42:23

In article <iedh73$9m8$02$ XXXX@XXXXX.COM >,
Michael Kraemer < XXXX@XXXXX.COM > writes:


Did you ever actually read the warranty?

bill


--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
XXXX@XXXXX.COM | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>
 
 
 


Post by billg99 » Sat, 18 Dec 2010 02:45:20

In article <4d0a4a12$0$1955$c3e8da3$ XXXX@XXXXX.COM >,
JF Mezei < XXXX@XXXXX.COM > writes:


Or pay for support which is probably the rationale behind "broadly
distributing this Security Bulletin".

bill

--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
XXXX@XXXXX.COM | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>
 
 
 


Post by Scot » Sat, 18 Dec 2010 02:53:22


Hopefully some folks can help me understand some of this.

HP sent email and posted a patch for a critical fix as SYS_MUP-V1300.
In order to install this MUP, you must have PCSI V2.0 and UPDATE V9.0
installed on OVMS v8.3-1H1.
However, in another posting to C.O.V. the included SYS V12.0 patch (in
the consolidated UPDATE V9.0 patch) appears to have issues which can
lead to alignment faults on Integrity systems.

So what is a customer to do? Wait for a patch to SYS?
 
 
 


Post by VAXman- » Sat, 18 Dec 2010 03:19:00

In article <4d0a42ee$0$23752$ XXXX@XXXXX.COM >, "R.A.Omond" < XXXX@XXXXX.COM > writes:


As far as I can tell now, you cannot get this patch without an HP SAID.
This is wrong. Wrong! Wrong! Wrong! This is a security vulnerability
patch and it should be provided for all FoC, IMHO.

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG

All your spirit rack abuses, come to haunt you back by day.
All your Byzantine excuses, given time, given you away.
 
 
 


Post by JF Meze » Sat, 18 Dec 2010 03:34:19


No point in fighting a faceless company like HP. It is its product, its
policies, and if you don't like them, go elsewhere. Sad to be so blunt,
but this is really the case. If the newbie engineering produces too many
bugs in VMS, there is only one thing you can do: seek a non HP product.
 
 
 


Post by VAXman- » Sat, 18 Dec 2010 04:30:27

In article <4d0a4a12$0$1955$c3e8da3$ XXXX@XXXXX.COM >, JF Mezei < XXXX@XXXXX.COM > writes:


The MUP replaces the SYSTEM_PRIMITIVES(_MIN) execlets, so it would appear
to be a very fundamental flaw.

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG

All your spirit rack abuses, come to haunt you back by day.
All your Byzantine excuses, given time, given you away.
 
 
 


Post by VAXman- » Sat, 18 Dec 2010 04:42:07

In article < XXXX@XXXXX.COM >, Scott < XXXX@XXXXX.COM > writes:


This just doesn't jive with Mandar Chitale's OpenVMS Bootcamp 2010 V300
presentation, slide #22... ie. no bad patches released 2010. Of course,
that slide concluded July 2010. I suppose that a consultation with the
Paramahansa provided a prognostication of the latter half of 2010 that
was less than optimal and thus, elided. ;)

FYI, I'm still waiting for the Macro-32/De *** *** to be patched.

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG

All your spirit rack abuses, come to haunt you back by day.
All your Byzantine excuses, given time, given you away.
 
 
 


Post by JF Meze » Sat, 18 Dec 2010 04:48:41


Does anyone in the community know what this denial of service bug is about ?

I realise it is politically incorrect to give specifics on how to
trigger it, but is there any generic information that would help someone
know whether they are vulnerable/being attacked ?

For instance, is it something that would give someone priority 64 and
could then run an infinite loop that would deprive all others of
service, or is it a DDoS that comes from an external source through the
TCP stack and which the system primitives tells TCP Services that it is
OK ?
 
 
 


Post by Richard B. » Sat, 18 Dec 2010 06:17:21


Or you could avoid upgrading until and *IF* H-P issues a working version.

My VMS system is running a two or three year old version of the O/S.
Don't laugh, it works!