ECO NUMBER: VAXDWMOTMUP01_062 PRODUCT: OpenVMS VAX OPERATING SYSTEM V6.2 UPDATE PRODUCT: OpenVMS VAX OPERATING SYSTEM V6.2 COVER LETTER 1 KIT NAME: VAXDWMOTMUP01_062 2 KITS SUPERSEDED BY THIS KIT: None. 3 KIT DEPENDENCIES: 3.1 The following remedial kit(s), or later, must be installed BEFORE installation of this, or any required kit: None. 3.2 In order to receive all the corrections listed in this kit, the following remedial kits, or later, should also be installed: None. 4 KIT DESCRIPTION: 4.1 Version(s) of OpenVMS to which this kit may be applied: OpenVMS VAX V6.2 4.2 Files patched or replaced: o [SYSLIB]DECW$TRANSPORT_COMMON.EXE (new image) o [SYSLIB]DECW$TRANSPORT_DECNET.EXE (new image) o [SYSLIB]DECW$TRANSPORT_LOCAL.EXE (new image) o [SYSLIB]DECW$TRANSPORT_TCPIP.EXE (new image) 5 PROBLEMS ADDRESSED IN VAXDWMOTMUP01_062 KIT o Compaq has determined that systems running OpenVMS Alpha, OpenVMS VAX, SEVMS VAX or SEVMS Alpha with the DECwindows MotifServer installed have a potential security vulnerability that could be exploited to allow existing users unauthorized access to data and system resources. To protect against this -- COVER LETTER -- Page 2 2 October 2001 potential security risk, Compaq is making available a mandatory update patch for OpenVMS customers. Installation of the DECwindows Motif Server is optional during the installation of the OpenVMS Operating System. You can verify whether or not the DECwindows Motif Server has been installed on your system using the following command: $ DIRECTORY SYS$LIBRARY:DECW$*.EXE If no DECW$*.EXE files are present on your system, the DECwindows Motif Server is not installed on your system and you do NOT need to apply this mandatory update. Apply this mandatory update if the DECwindow Motif Server is installed on your system and you are running one of the following versions of OpenVMS or SEVMS: o OpenVMS Alpha Version 6.2 and all associated hardware releases (for example, Version 6.2-1H1) o OpenVMS Alpha Version 7.1-2 o OpenVMS Alpha Version 7.2-1 o OpenVMS Alpha Version 7.2-1H1 o OpenVMS Alpha Version 7.2-2 o OpenVMS Alpha Version 7.3 o OpenVMS VAX Version 6.2 o OpenVMS VAX Version 7.1 o OpenVMS VAX Version 7.2 o OpenVMS VAX Version 7.3 o SEVMS Alpha Version 6.2 o SEVMS VAX Version 6.2 NOTE ---- OpenVMS VAX V5.5-2 is not subject to this potential security vulnerability. After completing the update, Compaq strongly recommends that you perform an immediate backup of your system disk so that any subsequent restore operations begin with updated software. Otherwise, you must reapply the update after a future restore operation. Also, if at some future time you upgrade your system to one of the versions of OpenVMS or SEVMS listed you -- COVER LETTER -- Page 3 2 October 2001 must reapply the update. Images Affected: - [SYSLIB]DECW$TRANSPORT_COMMON.EXE - [SYSLIB]DECW$TRANSPORT_DECNET.EXE - [SYSLIB]DECW$TRANSPORT_LAT.EXE - [SYSLIB]DECW$TRANSPORT_LOCAL.EXE - [SYSLIB]DECW$TRANSPORT_TCPIP.EXE 6 KIT INSTALLATION RATING: The following kit installation rating, based upon current CLD information, is provided to serve as a guide to which customers should apply this remedial kit. (Reference attached Disclaimer of Warranty and Limitation of Liability Statement) INSTALLATION RATING: INSTALL_1 : To be installed by all customers. 7 INSTALLATION INSTRUCTIONS: Install this kit with the VMSINSTAL utility by logging into the SYSTEM account, and typing the following at the DCL prompt: @SYS$UPDATE:VMSINSTAL VAXDWMOTMUP01_062 [location of the saveset] The kit location may be a tape drive, CD, or a disk directory that contains the kit. Note that the kit installation will ask if you wish to delete the old files rather than archive them. Due to the nature of the problem that this kit corrects, Compaq recommends that the old files be deleted and not left on the system. This kit requires a system reboot. Compaq strongly recommends that a reboot is performed immediately after kit installation to avoid system instability. If you have other nodes in your OpenVMS cluster, they must also be rebooted in order to make use of the new image(s). If it is not possible or convenient to reboot the entire cluster at this time, a rolling re-boot may be performed. However, due to the nature of the problem that this kit corrects, Compaq strongly recommends a rolling re-boot be performed immediately on each cluster node. -- COVER LETTER -- Page 4 2 October 2001 Copyright (c) Compaq Computer Corporation, 2001 All Rights Reserved. Unpublished rights reserved under the copyright laws of the United States. COMPAQ, the Compaq logo, VAX, Alpha, VMS, and OpenVMS are registered in the U.S. Patent and Trademark Office. All other product names mentioned herein may be trademarks of their respective companies. Confidential computer software. Valid license from Compaq required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Compaq shall not be liable for technical or editorial errors or omissions contained herein. The information in this document is provided as is without warranty of any kind and is subject to change without notice. The warranties for Compaq products are set forth in the express limited warranty statements accompanying such products. Nothing herein should be construed as constituting an additional warranty. DISCLAIMER OF WARRANTY AND LIMITATION OF LIABILITY THIS PATCH IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE EXTENT PERMITTED BY APPLICABLE LAW. IN NO EVENT WILL COMPAQ BE LIABLE FOR ANY LOST REVENUE OR PROFIT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, WITH RESPECT TO ANY PATCH MADE AVAILABLE HERE OR TO THE USE OF SUCH PATCH.