======================================================================= Hewlett-Packard OpenVMS ECO Cover Letter ======================================================================= 1 KIT NAME: VMS821I_MUP-V0100 2 KIT DESCRIPTION: 2.1 Installation Rating: INSTALL_1 : To be installed by all customers. This installation rating, based upon current CLD information, is provided to serve as a guide to which customers should apply this remedial kit. (Reference attached Disclaimer of Warranty and Limitation of Liability Statement) 2.2 Reboot Requirement: No reboot is necessary after installation of this kit. NOTE: During installation, a message stating that a system reboot is needed will be displayed. This message can be ignored. The kit installation will INSTALL the new SET.EXE image, making a reboot un-necessary. This kit is also available via the ITRC patch site. Kits on the ITRC site will not display the reboot message. 2.3 Version(s) of OpenVMS to which this kit may be applied: OpenVMS Integrity V8.2-1 2.4 New functionality or new hardware support provided: No 3 KITS SUPERSEDED BY THIS KIT: - None 4 KIT DEPENDENCIES: 4.1 The following remedial kit(s), or later, must be installed BEFORE installation of this, or any required kit: - None Page 2 4.2 In order to receive all the corrections listed in this kit, the following remedial kits, or later, should also be installed: - None 5 NEW FUNCTIONALITY AND/OR PROBLEMS ADDRESSED IN THE VMS821I_MUP-V0100 KIT 5.1 New functionality addressed in this kit Not Applicable 5.2 Problems addressed in this kit 5.2.1 Potential Security Vulnerability 5.2.1.1 Problem Description: HP has determined that systems running OpenVMS on Alpha servers and Integrity servers have a potential security vulnerability. This vulnerability could be exploited, allowing non-privileged users or remote users to cause a system crash. To protect against this potential security risk, HP is making a mandatory update patch available for OpenVMS customers. This patch is provided by installing this VMS821I_MUP-V0100 kit. Images Affected: - [SYSEXE]SET.EXE 5.2.1.2 CLDs, and QARs reporting this problem: 5.2.1.2.1 CLD(s) None. 5.2.1.2.2 QAR(s) None. 5.2.1.3 Problem Analysis: See problem description. Page 3 5.2.1.4 Release Version of OpenVMS that will contain this change: Next release of OpenVMS Integrity after V8.2-1 5.2.1.5 Work-arounds: None. 6 FILES PATCHED OR REPLACED: o [SYSEXE]SET.EXE (new image) Image Identification Information Image name: "SET" Image file identification: "X02-00" Image build identification: "0070070001" linker identification: "Linker T02-24" Link Date/Time: 8-SEP-2005 07:21:01.85 Overall Image Checksum: 2995532507 7 INSTALLATION INSTRUCTIONS 7.1 Compressed File This kit is provided as a Self Extracting ZIPEXE kit. To expand this file to the installable .PCSI file, run the file with the following command: $ RUN VMS821I_MUP-V0100.ZIPEXE 7.2 Installation Command Install this kit with the POLYCENTER Software installation utility by logging into the SYSTEM account, and typing the following at the DCL prompt: PRODUCT INSTALL VMS821I_MUP/NOSAVE_RECOVERY_DATA [/SOURCE=location of Kit] o The kit location may be a tape drive, CD, or a disk directory that contains the kit. The /SOURCE qualifier is not needed if the PRODUCT INSTALL command is executed from the same directory as the kit location. Page 4 o Because this kit corrects a security vulnerability, the replaced file will not be saved as SET.EXE_OLD. o See section "7.4 Special Installation Instructions" for additional information on the /NOSAVE_RECOVERY_DATA qualifier. o Additional help on installing PCSI kits can be found by typing HELP PRODUCT INSTALL at the system prompt. 7.3 Scripting of Answers to Installation Questions During installation, this kit will ask and require user response to several questions. If you wish to automate the installation of this kit and avoid having to provide responses to these questions, you must create a DCL command procedure that includes the following logical name definitions and commands: o To avoid the BACKUP question, define the following: $ DEFINE/SYS NO_ASK$BACKUP TRUE o Add the following qualifiers to the PRODUCT INSTALL command and add that command to the DCL procedure. /PROD=HP/BASE=I64VMS/VER=V1.0/NOSAVE_RECOVERY_DATA For example, a sample command file to install the VMS821I_MUP-V0100 kit would be: $ DEFINE/SYS NO_ASK$BACKUP TRUE $! $ PROD INSTALL VMS821I_MUP/PRODUCER=HP/BASE=I64VMS- /VER=V1.0/NOSAVE_RECOVERY_DATA $! $ DEASSIGN/SYS NO_ASK$BACKUP $! $ exit $! 7.4 Special Installation Instructions: The VMS821I_MUP-V0100 kit corrects a security vulnerability. Use of the /SAVE_RECOVERY_DATA qualifier will cause PCSI to save a copy of the replaced, defective file. If, at some future time, this file is restored the system will be re-exposed to this security vulnerability. Because of this, HP recommends that, if possible, the /NOSAVE_RECOVERY_DATA qualifier be used in place of the /SAVE_RECOVERY_DATA qualifier. Note, however, that if the /NOSAVE_RECOVERY_DATA qualifier is used, recovery data for this kit will not be saved and all previously created recovery data sets will be deleted. This will prevent you from using the PRODUCT UNDO PATCH command to uninstall this or previously installed kits for Page 5 which recovery data had been saved. 8 COPYRIGHT AND DISCLAIMER: (C) Copyright 2005 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP and/or its subsidiaries required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Neither HP nor any of its subsidiaries shall be liable for technical or editorial errors or omissions contained herein. The information in this document is provided "as is" without warranty of any kind and is subject to change without notice. The warranties for HP products are set forth in the express limited warranty statements accompanying such products. Nothing herein should be construed as constituting an additional warranty. DISCLAIMER OF WARRANTY AND LIMITATION OF LIABILITY THIS PATCH IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE EXTENT PERMITTED BY APPLICABLE LAW. IN NO EVENT WILL HP BE LIABLE FOR ANY LOST REVENUE OR PROFIT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, WITH RESPECT TO ANY PATCH MADE AVAILABLE HERE OR TO THE USE OF SUCH PATCH.