======================================================================= Hewlett-Packard DECnet/OSI MUP Cover Letter ======================================================================= MUP NUMBER: AXP_DNVOSIMUP01-V0703-2 PRODUCT: DECnet/OSI V7.3-2 for OpenVMS ALPHA UPDATE PRODUCT: DECnet/OSI V7.3-2 for OpenVMS ALPHA 1 KIT NAME: AXP_DNVOSIMUP01-V0703-2 2 KIT DESCRIPTION: 2.1 Installation Rating: INSTALL_2: To be installed by all customers using the following feature(s): - DECnet-Plus V7.3-2 This installation rating, based upon current CLD information, is provided to serve as a guide to which customers should apply this remedial kit. (Reference attached Disclaimer of Warranty and Limitation of Liability Statement) 2.2 Reboot Requirement: Reboot Required. HP strongly recommends that a reboot is performed immediately after kit installation to avoid system instability. If you have other nodes in your OpenVMS cluster, they must also be rebooted in order to make use of the new image(s). If it is not possible or convenient to reboot the entire cluster at this time, a rolling re-boot may be performed. 2.3 Version(s) of DECnet-Plus to which this kit may be applied: DECnet-Plus V7.3-2 2.4 New functionality or new hardware support provided: No. 3 KITS SUPERSEDED BY THIS KIT: - None. Page 2 4 KIT DEPENDENCIES: 4.1 The following kit(s), or later, must be installed BEFORE installation of this, or any required kit: - VMS732_PCSI-V0100 - DECNET_OSI-V0703-2 NOTE: After installing the required VMS731_PCSI-V0200 PCSI patch kit, you must log out and log back in before attempting to install this MUP, or the MUP installation may fail. 4.2 In order to receive all the corrections listed in this kit, the following remedial kits, or later, should also be installed: - VMS732_VMSMUP-V0100 5 FILES PATCHED OR REPLACED: o [SYSEXE]CTF$UI.EXE (new image) Image Identification Information image name: "CTF$UI" image file build identification: "" link date/time: 21-NOV-2004 02:10:40.75 linker identification: "A11-50" image checksum: 36064895 o [SYSMSG]CTF$MESSAGES.EXE (new image) Image Identification Information image name: "CTF$MESSAGES" image file identification: "V7.3-2 ECO01" image file build identification: "" link date/time: 21-NOV-2004 02:10:39.69 linker identification: "A11-50" image checksum: 2636556787 o [SYSHLP]CTF$HELP.HLB (new file) o [SYSMGR]CTF$STARTUP.COM (new file) Page 3 6 NEW FUNCTIONALITY AND/OR PROBLEMS ADDRESSED IN THE AXP_DNVOSIMUP01-V732 KIT 6.1 New functionality addressed in this kit None. 6.2 Problems addressed in this kit 6.2.1 Potential security vulnerability. 6.2.1.1 Problem Description: HP has determined that systems running OpenVMS VAX or Alpha Version V7.* or V6.* have a potential security vulnerability. This vulnerability could be exploited allowing for an unintended privileged access to data and system resources. To protect against this potential security risk, HP is making a mandatory update patch available for OpenVMS customers. This patch is provided by installing this AXP_DNVOSIMUP01-V0703-2 kit and the VMS732_VMSMUP-V0100 kit. To fully install this Security MUP, DECnet Phase V customers must install both of these kits. Note that OpenVMS V8.2 and VAX Version 5.* customers are not subject to this potential security vulnerability. Images Affected: - [SYSEXE]CTF$UI.EXE - [SYSMSG]CTF$MESSAGES.EXE - [SYSHLP]CTF$HELP.HLB - [SYSMGR]CTF$STARTUP.COM 6.2.1.2 CLDs, and QARs reporting this problem: 6.2.1.2.1 CLD(s) None. 6.2.1.2.2 QAR(s) None. Page 4 6.2.1.3 Problem Analysis: See Problem Description 6.2.1.4 ECO Version of DECnet-Plus that will containthis change: DECnet-Plus V7.3-2 ECO2 6.2.1.5 Work-arounds: None. 7 INSTALLATION INSTRUCTIONS 7.1 Compressed File This kit is provided as a DCX compressed kit. To expand this file to the installable PCSI file, run the file with a RUN file_name command. When the file is run you will see the following output: $ RUN AXP_DNVOSIMUP01-V732.PCSI-DCX_AXPEXE FTSV DCX auto-extractible compressed file for OpenVMS (AXP) FTSV V3.0 -- FTSV$DCX_AXP_AUTO_EXTRACT Copyright (c) Digital Equipment Corp. 1993 Options: [output_file_specification] [input_file_specification] The decompressor needs to know the filename to use for the decompressed file. If you don't specify any, it will use the original name of the file before it was compressed, and create it in the current directory. If you specify a directory name, the file will be created in that directory. Decompress into (file specification): If you want the file to be expanded into a different directory, enter the directory specification. DO NOT enter a new file name. The expanded file must retain the original name. The file will expand into the installable file: DEC-AXPVMS-DNVOSIMUP01-V0703-2-4.PCSI If you want to expand the file via batch, the command file must contain an answer to the Decompress into "(file specification)" question, either a or an alternate directory specification Page 5 7.2 Installation Command Install this kit with the POLYCENTER Software installation utility by logging into the SYSTEM account, and typing the following at the DCL prompt: PRODUCT INSTALL DNVOSIMUP01 /SAVE_RECOVERY_DATA [/SOURCE=location of Kit] The /SAVE_RECOVERY_DATA qualifier is optional but highly recommended. Using this qualifier will allow easy removal of the kit from the system in the event of problems. The kit location may be a tape drive, CD, or a disk directory that contains the kit. The /SOURCE qualifier is not needed if the PRODUCT INSTALL command is executed from the same directory as the kit location. Additional help on installing PCSI kits can be found by typing HELP PRODUCT INSTALL at the system prompt. 7.3 Scripting of Answers to Installation Questions During installation, this kit will ask and require user response to several questions. If you wish to automate the installation of this kit and avoid having to provide responses to these questions, you must create a DCL command procedure that includes the following logical name definitions and commands: o To avoid the BACKUP question, define the following: $ DEFINE/SYS NO_ASK$BACKUP TRUE o To avoid the REBOOT question, define the following: $ DEFINE/SYS NO_ASK$REBOOT TRUE o To save replaced files as *.*_OLD define the following logical name as YES. If you do not wish to save replaced files, define the logical name as NO. Note that if you use the /SAVE_RECOVERY_DATA qualifier (recommended) on the PRODUCT INSTALL command all replaced files will be saved as part of that operation. There is no need to also save files as *.*_OLD: $ DEFINE/JOB ARCHIVE_OLD NO o Add the following qualifiers to the PRODUCT INSTALL command and add that command to the DCL procedure. /PROD=DEC/BASE=AXPVMS/VER=V7.3-2/SAVE_RECOVERY_DATA Page 6 o De-assign the logical names assigned For example, a sample command file to install the AXP_DNVOSIMUP01-V732 kit would be: $ $ DEFINE/SYS NO_ASK$BACKUP TRUE $ DEFINE/SYS NO_ASK$REBOOT TRUE $! $ PROD INSTALL DNVOSIMUP01/PRODUCER=DEC/BASE=AXPVMS- /VER=V7.3-2/SAVE_RECOVERY_DATA $! $ DEASSIGN/SYS NO_ASK$BACKUP $ DEASSIGN/SYS NO_ASK$REBOOT $! $ exit 8 COPYRIGHT AND DISCLAIMER: (C) Copyright 2004 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP and/or its subsidiaries required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Neither HP nor any of its subsidiaries shall be liable for technical or editorial errors or omissions contained herein. The information in this document is provided "as is" without warranty of any kind and is subject to change without notice. The warranties for HP products are set forth in the express limited warranty statements accompanying such products. Nothing herein should be construed as constituting an additional warranty. DISCLAIMER OF WARRANTY AND LIMITATION OF LIABILITY THIS PATCH IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE EXTENT PERMITTED BY APPLICABLE LAW. IN NO EVENT WILL HP BE LIABLE FOR ANY LOST REVENUE OR PROFIT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, WITH RESPECT TO ANY PATCH MADE AVAILABLE HERE OR TO THE USE OF SUCH PATCH.