ECO NUMBER:      VAXLOAD03_062
PRODUCT:         OpenVMS VAX OPERATING SYSTEM 6.2
UPDATE PRODUCT:  OpenVMS VAX OPERATING SYSTEM 6.2

                          COVER LETTER

 1  KIT NAME:

    VAXLOAD03_062

 2  KITS SUPERSEDED BY THIS KIT:

    VAXLOAD02_062

 3  KIT DESCRIPTION:

 3.1  Version(s) of OpenVMS to which this kit may be applied:

      OpenVMS VAX V6.2

 3.2  In order to receive the full fixes listed in this kit the
      following remedial kits also need to be installed:

      None

 3.3  Files patched or replaced:

       o  [SYSEXE]CIA.EXE (new image)
       o  [SYSEXE]LOGINOUT.EXE (new image)
       o  [SYSLIB]SECURESHR.EXE (new image)
       o  [SYSLIB]SECURESHRP.EXE (new image)

 4  PROBLEMS ADDRESSED IN VAXLOAD03_062 KIT

     o  Incorrect User Authorization failures when trying to log on
        to a system.

 5  PROBLEMS ADDRESSED IN VAXLOAD02_062 KIT

     o  User account gets DISUSER flag set when no intrusions are
        present.

-- COVER LETTER --                                  Page 2
                                                    14 July 1997

 6  PROBLEMS ADDRESSED IN VAXLOAD01_070 KIT FOR OPENVMS VAX V6.2

     o  Proxy behavior is unpredictable. Proxies are sometimes
        inoperative, and at other times access is given to an
        incorrect place.

     o  Users without WORLD privilege generate many "No WORLD priv"
        audits when logging in.

     o  Records in the old intrusion database cannot be deleted.

     o  Some logins are not correctly audited.

 7  PROBLEMS ADDRESSED IN VAXLOGI02_070 KIT FOR OPENVMS VAX V6.2

     o  Audit information about network sessions from TCP/IP
        connections does not contain remote host information.

     o  Users with an expired password, but with the
        DISFORCE_PWD_CHANGE flag set, have their password unexpired
        even though they do not set a new password.

 8  PROBLEMS ADDRESSED IN VAXLOGI01_070 KIT FOR OPENVMS VAX V6.2

     o  Problem with LGI callouts.

     o  Intrusion records and audits from DECnet/OSI network
        connections have a username padded with characters.

     o  A user who types meaningless characters, whitespace, or "/"
        in response to the USERNAME prompt, receives a CLI error,
        and then successfully logs in has an intrusion and an
        incorrect audit generated.
 9  PROBLEMS ADDRESSED IN VAXLOGI01_070 KIT FOR OPENVMS VAX V6.2

     o  Five seconds after entering a password, the login is
        rejected. This problem is corrected in OpenVMS VAX V7.0.

     o  Login attempt hangs for 30 seconds and then is rejected.
        This problem is corrected in OpenVMS VAX V7.0.

 10  PROBLEMS ADDRESSED IN VAXLOGI01_062 KIT

     o  When using item code SJC$_LOG_SPECIFICATION with SYS$SNDJBCW,
        OpenVMS V6.2 does not handle logical names as it did under
        OpenVMS V6.1 or earlier.

        For example, using "TEST" as the log file specification,
        the command:

          $ DEFINE/SYSTEM TEST DEV1:[USER.TMP]

        gives the following results from $SNDJBC when executed from
        directory DEV1:[USER]:

          For OpenVMS V6.1:  DEV1:[USER.TMP]jobname.LOG
          For OpenVMS V6.2:  DEV1:[USER.TMP].LOG

 11  PROBLEMS ADDRESSED IN VAXLOAD01_062 KIT

     o  Five seconds after entering a password, the login is
        rejected. This problem is corrected in OpenVMS VAX V7.0.

     o  Login attempt hangs for 30 seconds and then is rejected.
        This problem is corrected in OpenVMS VAX V7.0.

 12  KIT INSTALLATION RATING:

     The following kit installation rating, based upon current CLD
     information, is provided to serve as a guide as to which
     customers should apply this remedial kit. (Reference attached
     Disclaimer of Warranty and Limitation of Liability Statement)

     INSTALLATION RATING:

       INSTALL_3 : To be installed by customers experiencing the
                   problems corrected.

 13  INSTALLATION INSTRUCTIONS:

     Install this kit with the VMSINSTAL utility by logging into the
     SYSTEM account, and typing the following at the DCL prompt:

       @SYS$UPDATE:VMSINSTAL VAXLOAD03_062 [location of the saveset]

     The saveset location may be a tape drive, or a disk directory
     that contains the kit saveset.

     No reboot is necessary after successful installation of this
     kit.

     If you have other nodes in your VMScluster, reboot them or
     install this kit on each system so that they make use of the
     new image(s).
Copyright (c) Digital Equipment Corporation, 1997 All Rights Reserved.
Unpublished rights reserved under the copyright laws of the United
States.

The software contained on this media is proprietary to and embodies
the confidential technology of Digital Equipment Corporation.
Possession, use, or dissemination of the software and media is
authorized only pursuant to a valid written license from Digital
Equipment Corporation.

DISCLAIMER OF WARRANTY AND LIMITATION OF LIABILITY

THIS PATCH IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND. ALL
EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES,
INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR
PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE
EXTENT PERMITTED BY APPLICABLE LAW. IN NO EVENT WILL DIGITAL BE LIABLE
FOR ANY LOST REVENUE OR PROFIT, OR FOR SPECIAL, INDIRECT,
CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND
REGARDLESS OF THE THEORY OF LIABILITY, WITH RESPECT TO ANY PATCH MADE
AVAILABLE HERE OR TO THE USE OF SUCH PATCH.