ECO NUMBER: VMS73_DW_MOT_MUP-V0100 PRODUCT: OpenVMS Alpha OPERATING SYSTEM V7.3 UPDATE PRODUCT: OpenVMS Alpha OPERATING SYSTEM V7.3 COVER LETTER 1 KIT NAME: VMS73_DW_MOT_MUP-V0100 2 KITS SUPERSEDED BY THIS KIT: None. 3 KIT DEPENDENCIES: 3.1 The following remedial kit(s), or later, must be installed BEFORE installation of this, or any required kit: None. 3.2 In order to receive all the corrections listed in this kit, the following remedial kits, or later, should also be installed: None. 4 KIT DESCRIPTION: 4.1 Version(s) of OpenVMS to which this kit may be applied: OpenVMS Alpha V7.3 4.2 Files patched or replaced: o [SYSLIB]DECW$TRANSPORT_COMMON.EXE (new image) o [SYSLIB]DECW$TRANSPORT_DECNET.EXE (new image) o [SYSLIB]DECW$TRANSPORT_LAT.EXE (new image) o [SYSLIB]DECW$TRANSPORT_LOCAL.EXE (new image) o [SYSLIB]DECW$TRANSPORT_TCPIP.EXE (new image) -- COVER LETTER -- Page 2 1 October 2001 5 PROBLEMS ADDRESSED IN VMS73_DW_MOT_MUP-V0100 KIT o Compaq has determined that systems running OpenVMS Alpha, OpenVMS VAX, SEVMS VAX or SEVMS Alpha with the DECwindows MotifServer installed have a potential security vulnerability that could be exploited to allow existing users unauthorized access to data and system resources. To protect against this potential security risk, Compaq is making available a mandatory update patch for OpenVMS customers. Installation of the DECwindows Motif Server is optional during the installation of the OpenVMS Operating System. You can verify whether or not the DECwindows Motif Server has been installed on your system using the following command: $ DIRECTORY SYS$LIBRARY:DECW$*.EXE If no DECW$*.EXE files are present on your system, the DECwindows Motif Server is not installed on your system and you do not need to apply this mandatory update. NOTE ---- If the DECwindows Motif Server is not installed on your system you do NOT need to install this mandatory update. Apply this mandatory update if the DECwindow Motif Server is installed on your system and you are running one of the following versions of OpenVMS or SEVMS: o OpenVMS Alpha Version 6.2 and all associated hardware releases (for example, Version 6.2-1H1) o SEVMS Alpha Version 6.2 o OpenVMS Alpha Version 7.1-2 o OpenVMS Alpha Version 7.2-1 o OpenVMS Alpha Version 7.2-2 o OpenVMS Alpha Version 7.2-1H1 o OpenVMS Alpha Version 7.3 o OpenVMS VAX Version 6.2 o OpenVMS VAX Version 7.1 o OpenVMS VAX Version 7.2 o OpenVMS VAX Version 7.3 -- COVER LETTER -- Page 3 1 October 2001 o SEVMS VAX Version 6.2 NOTE ---- OpenVMS VAX V5.5-2 is not subject to this potential security vulnerability. After completing the update, Compaq strongly recommends that you perform an immediate backup of your system disk so that any subsequent restore operations begin with updated software. Otherwise, you must reapply the update after a future restore operation. Also, if at some future time you upgrade your system to one of the versions of OpenVMS or SEVMS listed you must reapply the update. Images Affected: - [SYSLIB]DECW$TRANSPORT_COMMON.EXE - [SYSLIB]DECW$TRANSPORT_DECNET.EXE - [SYSLIB]DECW$TRANSPORT_LAT.EXE - [SYSLIB]DECW$TRANSPORT_LOCAL.EXE - [SYSLIB]DECW$TRANSPORT_TCPIP.EXE 6 KIT INSTALLATION RATING: The following kit installation rating, based upon current CLD information, is provided to serve as a guide to which customers should apply this remedial kit. (Reference attached Disclaimer of Warranty and Limitation of Liability Statement) INSTALLATION RATING: INSTALL_1 : To be installed by all customers. 7 INSTALLATION INSTRUCTIONS: Install this kit with the POLYCENTER Software installation utility by logging into the SYSTEM account, and typing the following at the DCL prompt: PRODUCT INSTALL VMS73_DW_MOT_MUP /SOURCE=[location of Kit] -- COVER LETTER -- Page 4 1 October 2001 The kit location may be a tape drive, CD, or a disk directory that contains the kit. Additional help on installing PCSI kits can be found by typing HELP PRODUCT INSTALL at the system prompt This kit requires a system reboot. Compaq strongly recommends that a reboot is performed immediately after kit installation to avoid system instability. If you have other nodes in your OpenVMS cluster, they must also be rebooted in order to make use of the new image(s). If it is not possible or convenient to reboot the entire cluster at this time, a rolling re-boot may be performed. However, due to the nature of the problem that this kit corrects, Compaq strongly recommends a rolling re-boot be performed immediately on each cluster node. 7.1 Special Installation Instructions: Due to the nature of the problem that this kit corrects, Compaq recommends that the old files be deleted and not left on the system. During installation, this kit will ask and require user response to several questions. If you wish to automate the installation of this kit and avoid having to provide responses to these questions, you must create a DCL command procedure that includes the following definitions and commands: - Define logical NO_ASK$BACKUP as TRUE - Define logical NO_ASK$REBOOT as TRUE - Define logical ARCHIVE_DW_MOT_MUP as TRUE if you wish to delete the replaced files. If you do not want the replaced files deleted (NOT recommended by Compaq), define this logical as FALSE. - Add the following qualifiers to the PRODUCT INSTALL command and add that command to the DCL procedure. /PROD=DEC/BASE=AXPVMS/VER=V1.0 - De-assign the logicals assigned For example, a sample command file to install the VMS73_DW_MOT_MUP-V0100 kit would be: $ DEFINE/SYS NO_ASK$BACKUP "TRUE" $ DEFINE/SYS NO_ASK$REBOOT "TRUE" $ DEFINE/SYS ARCHIVE_DW_MOT_MUP "TRUE" $! $ PROD INSTALL VMS73_DW_MOT_MUP/PROD=DEC/BASE=AXPVMS/VER=V1.0 -- COVER LETTER -- Page 5 1 October 2001 $! $ DEASSIGN/SYS NO_ASK$BACKUP $ DEASSIGN/SYS NO_ASK$REBOOT $ DEASSIGN/SYS ARCHIVE_DW_MOT_MUP $ exit After the command file is created, run the file to to install the kit. Note that if you use this method to install the kit, the installation will proceed without interruption. All "Do you wish to continue" questions will be disabled. Copyright (c) Compaq Computer Corporation, 2001 All Rights Reserved. Unpublished rights reserved under the copyright laws of the United States. COMPAQ, the Compaq logo, VAX, Alpha, VMS, and OpenVMS are registered in the U.S. Patent and Trademark Office. All other product names mentioned herein may be trademarks of their respective companies. Confidential computer software. Valid license from Compaq required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Compaq shall not be liable for technical or editorial errors or omissions contained herein. The information in this document is provided as is without warranty of any kind and is subject to change without notice. The warranties for Compaq products are set forth in the express limited warranty statements accompanying such products. Nothing herein should be construed as constituting an additional warranty. DISCLAIMER OF WARRANTY AND LIMITATION OF LIABILITY THIS PATCH IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE EXTENT PERMITTED BY APPLICABLE LAW. IN NO EVENT WILL COMPAQ BE LIABLE FOR ANY LOST REVENUE OR PROFIT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, WITH RESPECT TO ANY PATCH MADE AVAILABLE HERE OR TO THE USE OF SUCH PATCH.