ECO NUMBER: ACMS_U2_043 PRODUCT: OpenVMS ACM OPERATING SYSTEM V4.3-2 UPDATE PRODUCT: OpenVMS ACM OPERATING SYSTEM V4.3-2 COVER LETTER 1 KIT NAME: ACMS_U2_043 2 KITS SUPERSEDED BY THIS KIT: o VMS73_ACMS-V0100 o VMS722_ACMS-V0100 o VMS721H1_ACMS-V0100 o VMS721_ACMS-V0100 3 KIT DEPENDENCIES: 3.1 The following remedial kit(s), or later, must be installed BEFORE installation of this, or any required kit: ACMS V4.3. 3.2 In order to receive all the corrections listed in this kit, the following remedial kits, or later, should also be installed: None. 4 KIT DESCRIPTION: 4.1 Version(s) of ACMS to which this kit may be applied: ACMS V4.3 4.2 Files patched or replaced: o [SYSEXE]ACMSBOOT.EXE (new image) o [SYSEXE]ACMSDBG.EXE (new image) o [SYS$STARTUP]ACMSTART.COM (new file) -- COVER LETTER -- Page 2 22 May 2002 5 PROBLEMS ADDRESSED IN ACMS_U2_043 KIT o When running the Compaq OpenVMS Alpha Version 7.3 Debugger (provided with OpenVMS Alpha Version 7.2), the ACMS Task Debugger cannot access workspace contents using the Workspace symbol process (workspace looker). The following error is returned when the EXAMINE command is issued: ACMSDBG> EXAMINE CTRL_WKSP %DEBUG-E-NOSYMBOL, symbol 'CTRL_WKSP' is not in the symbol table Images Affected: - [SYSEXE]ACMSDBG.EXE o If the previous ACMS ECO kits are installed, during an OpenVMS upgrade, ACMS V4.3 files are deleted from the system. Images Affected: - N/A 6 PROBLEMS ADDRESSED IN VMS73_ACMS-V0100, VMS722_ACMS-V0100, VMS721H1_ACMS-V0100 AND VMS721_ACMS-V0100 KITS o Compaq has determined that OpenVMS Alpha systems running ACMS version 4.3 or 4.4 have a serious security flaw involving elevated privileges that could be exploited. This potential Security Vulnerability involves ACMS processes having more privileges enabled than the privileges specified in the authorization file. To protect against this potential security risk, Compaq is making available a mandatory update ECO for ACMS V4.3 customers running OpenVMS Alpha V7.2, V7.2-2, and V7.3. The ACMS V4.3 ECO kit is being made available through the Compaq services web site and ECO kit distribution tools. For ACMS V4.4 customers a new product version release, ACMS V4.4A, is being distributed on the OpenVMS Alpha Product Library starting in Q1 CY2002. ACMS V4.4 customers should upgrade to V4.4A immediately. ACMS V4.4A is supported on OpenVMS Alpha V7.2-2 and V7.3. **** NOTE **** This problem does not compromise the security of the OpenVMS -- COVER LETTER -- Page 3 22 May 2002 operating system. If ACMS is not installed on your system, you do NOT need to install this mandatory update. You can verify whether or not ACMS has been installed on your system using the following command: $ ACMS/SHOW SYSTEM If ACMS is not installed you will get a "%DCL-W-IVVERB, unrecognized command verb" error message. If ACMS is installed, you will get a ACMS status message that tells you the version of ACMS running on your machine. Images Affected: - [SYSEXE]ACMSBOOT.EXE - [SYS$STARTUP]ACMSTART.COM 7 KIT INSTALLATION RATING: The following kit installation rating, based upon current CLD information, is provided to serve as a guide to which customers should apply this remedial kit. (Reference attached Disclaimer of Warranty and Limitation of Liability Statement) INSTALLATION RATING: INSTALL_1 : To be installed by all customers. 8 INSTALLATION INSTRUCTIONS: Install this kit with the VMSINSTAL utility by logging into the SYSTEM account, and typing the following at the DCL prompt: @SYS$UPDATE:VMSINSTAL ACMS_U2_043 /SOURCE=[location of Kit] The saveset location may be a tape drive, CD, or a disk directory that contains the kit. You do not need to reboot your OpenVMS system. However, you will need to restart ACMS after applying the patch kit by using the following ACMS procedures: o @SYS$STARTUP:ACMSTOP o @SYS$STARTUP:ACMSTART -- COVER LETTER -- Page 4 22 May 2002 Copyright (c) Compaq Computer Corporation, 2002 All Rights Reserved. Unpublished rights reserved under the copyright laws of the United States. COMPAQ, the Compaq logo, VAX, Alpha, VMS, and OpenVMS are registered in the U.S. Patent and Trademark Office. All other product names mentioned herein may be trademarks of their respective companies. Confidential computer software. Valid license from Compaq required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Compaq shall not be liable for technical or editorial errors or omissions contained herein. The information in this document is provided as is without warranty of any kind and is subject to change without notice. The warranties for Compaq products are set forth in the express limited warranty statements accompanying such products. Nothing herein should be construed as constituting an additional warranty. DISCLAIMER OF WARRANTY AND LIMITATION OF LIABILITY THIS PATCH IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE EXTENT PERMITTED BY APPLICABLE LAW. IN NO EVENT WILL COMPAQ BE LIABLE FOR ANY LOST REVENUE OR PROFIT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, WITH RESPECT TO ANY PATCH MADE AVAILABLE HERE OR TO THE USE OF SUCH PATCH.