Kit Name: DEC-AXPVMS-VMS731_MUP-V0100--4.PCSI Kit Applies To: OpenVMS ALPHA V7.3-1 Approximate Kit Size: 656 blocks Installation Rating: INSTALL_1 Reboot Required: Yes - rolling reboot Superseded Kits: None Mandatory Kit Dependencies: VMS731_UPDATE-V0500 VMS731_PCSI-V0200 Optional Kit Dependencies: None VMS731_MUP-V0100.PCSI-DCX_AXPEXE Checksum: 3290767314 DEC-AXPVMS-VMS731_MUP-V0100--4.PCSI Checksum: 1547739492 ======================================================================= Hewlett-Packard OpenVMS ECO Cover Letter ======================================================================= 1 KIT NAME: VMS731_MUP-V0100 2 KIT DESCRIPTION: 2.1 Installation Rating: INSTALL_1 : To be installed by all customers. This installation rating, based upon current CLD information, is provided to serve as a guide to which customers should apply this remedial kit. (Reference attached Disclaimer of Warranty and Limitation of Liability Statement) 2.2 Reboot Requirement: Reboot Required. HP strongly recommends that a reboot is performed immediately after kit installation to avoid system instability. If you have other nodes in your OpenVMS cluster, they must also be rebooted in order to make use of the new image(s). If it is not possible or convenient to reboot the entire cluster at this time, a rolling re-boot may be performed. 2.3 Version(s) of OpenVMS to which this kit may be applied: OpenVMS ALPHA V7.3-1 2.4 New functionality or new hardware support provided: No 3 KITS SUPERSEDED BY THIS KIT: - None 4 KIT DEPENDENCIES: 4.1 The following remedial kit(s), or later, must be installed BEFORE installation of this, or any required kit: - VMS731_PCSI-V0200 - VMS731_UPDATE-V0500 Page 2 4.2 In order to receive all the corrections listed in this kit, the following remedial kits, or later, should also be installed: - None 5 NEW FUNCTIONALITY AND/OR PROBLEMS ADDRESSED IN THE VMS731_MUP-V0100 KIT 5.1 New functionality addressed in this kit Not Applicable 5.2 Problems addressed in this kit 5.2.1 Potential Security Vulnerability 5.2.1.1 Problem Description: HP has determined that systems running OpenVMS on Alpha servers and Integrityservers have a potential security vulnerability. This vulnerability could be exploited, allowing non-privileged users or remote users to cause a system crash. To protect against this potential security risk, HP is making a mandatory update patch available for OpenVMS customers. This patch is provided by installing this VMS731_MUP-V0100 kit. Images Affected: - [SYSEXE]SET.EXE 5.2.1.2 CLDs, and QARs reporting this problem: 5.2.1.2.1 CLD(s) None. 5.2.1.2.2 QAR(s) None. 5.2.1.3 Problem Analysis: See problem description. Page 3 5.2.1.4 Release Version of OpenVMS that will contain this change: Next release of OpenVMS Alpha after V8.2 5.2.1.5 Work-arounds: None. 6 FILES PATCHED OR REPLACED: o [SYSEXE]SET.EXE (new image) Image Identification Information image name: "SET" image file identification: "X01-13" image file build identification: "XA9J-0060030010" link date/time: 7-SEP-2005 13:21:51.32 linker identification: "A11-50" Overall Image Checksum: 2004581490 7 INSTALLATION INSTRUCTIONS 7.1 Compressed File This kit is provided as a DCX compressed kit. To expand this file to the installable .PCSI file, run the file with a RUN file_name command. When the file is run you will see the following output: $ RUN VMS731_MUP-V0100.PCSI-DCX_AXPEXE FTSV DCX auto-extractible compressed file for OpenVMS (AXP) FTSV V3.0 -- FTSV$DCX_AXP_AUTO_EXTRACT Copyright (c) Digital Equipment Corp. 1993 Options: [output_file_specification] [input_file_specification] The decompressor needs to know the filename to use for the decompressed file. If you don't specify any, it will use the original name of the file before it was compressed, and create it in the current directory. If you specify a directory name, the file will be created in that directory. Decompress into (file specification): If you want the file to be expanded into a different directory, enter the directory specification. DO NOT enter a new file name. The expanded file must retain the original name. Page 4 If you want to expand the file via batch, the command file must contain an answer to the Decompress into "(file specification)" question, either a or an alternate directory specification 7.2 Installation Command Install this kit with the POLYCENTER Software installation utility by logging into the SYSTEM account, and typing the following at the DCL prompt: PRODUCT INSTALL VMS731_MUP/SAVE_RECOVERY_DATA [/SOURCE=location of Kit] o The kit location may be a tape drive, CD, or a disk directory that contains the kit. The /SOURCE qualifier is not needed if the PRODUCT INSTALL command is executed from the same directory as the kit location. o Because this kit corrects a security vulnerability, the replaced file willnot be saved as SET.EXE_OLD. o See section "7.4 Special Installation Instructions" for additional information on the /NOSAVE_RECOVERY_DATA qualifier. o Additional help on installing PCSI kits can be found by typing HELP PRODUCT INSTALL at the system prompt. 7.3 Scripting of Answers to Installation Questions During installation, this kit will ask and require user response to several questions. If you wish to automate the installation of this kit and avoid having to provide responses to these questions, you must create a DCL command procedure that includes the following logical name definitions and commands: o To avoid the BACKUP question, define the following: $ DEFINE/SYS NO_ASK$BACKUP TRUE o To avoid the REBOOT question, define the following: $ DEFINE/SYS NO_ASK$REBOOT TRUE o Add the following qualifiers to the PRODUCT INSTALL command and add that command to the DCL procedure. /PROD=DEC/BASE=AXPVMS/VER=V1.0/NOSAVE_RECOVERY_DATA o De-assign the logical names assigned Page 5 For example, a sample command file to install the VMS731_MUP-V0100 kit would be: $ DEFINE/SYS NO_ASK$BACKUP TRUE $ DEFINE/SYS NO_ASK$REBOOT TRUE $! $ PROD INSTALL VMS731_MUP/PRODUCER=DEC/BASE=AXPVMS- /VER=V1.0/NOSAVE_RECOVERY_DATA $! $ DEASSIGN/SYS NO_ASK$BACKUP $ DEASSIGN/SYS NO_ASK$REBOOT $! $ exit $! 7.4 Special Installation Instructions: The VMS731_MUP-V0100 kit corrects a security vulnerability. Use of the /SAVE_RECOVERY_DATA qualifier will cause PCSI to save a copy of the replaced, defective file. If, at some future time, this file is restored the system will be re-exposed to this security vulnerability. Because of this, HP recommends that, if possible, the /NOSAVE_RECOVERY_DATA qualifier be used in place of the /SAVE_RECOVERY_DATA qualifier. Note, however, that if the /NOSAVE_RECOVERY_DATA qualifier is used, recovery data for this kit will not be saved and all previously created recovery data sets will be deleted. This will prevent you from using the PRODUCT UNDO PATCH command to uninstall this or previously installed kits for which recovery data had been saved. 8 COPYRIGHT AND DISCLAIMER: (C) Copyright 2005 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP and/or its subsidiaries required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Neither HP nor any of its subsidiaries shall be liable for technical or editorial errors or omissions contained herein. The information in this document is provided "as is" without warranty of any kind and is subject to change without notice. The warranties for HP products are set forth in the express limited warranty statements accompanying such products. Nothing herein should be construed as constituting an additional warranty. DISCLAIMER OF WARRANTY AND LIMITATION OF LIABILITY THIS PATCH IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR Page 6 PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE EXTENT PERMITTED BY APPLICABLE LAW. IN NO EVENT WILL HP BE LIABLE FOR ANY LOST REVENUE OR PROFIT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, WITH RESPECT TO ANY PATCH MADE AVAILABLE HERE OR TO THE USE OF SUCH PATCH.