SUMMARY: Dependency problems with Tru64 patches

From: Bob Vickers <bobv_at_cs.rhul.ac.uk>
Date: Thu, 29 May 2003 10:19:07 +0100 (BST)

Dear All,

Thanks go to Dr Thomas Blinn, Iain Barker, Chris Ruhnke, Ken Kleiner and
especially to Denise Dumas of the T64 security team who sends sincere
apologies on their behalf and says we should expect to see the patch
reissued. She believes the 4.0F patch probably has the same problem.

The replies are tricky to summarise but here are a few salient points:

(1) a couple of people suggested baselining the system, but this does
*not* work in this particular situation because the baselining part of
dupatch does not regard these files as being of unknown origin. If you
want to use baselining you have to delete the files first which is a
fairly hairy process.

(2) Many security related "Early Release Patches" *are* released as CSPs

(3) Some people suggested removing the older patches. This is certainly
possible, but I have been unable to convince myself that they have been
fully superceded by later patches.

(4) As usual the good Dr Thomas Blinn provided excellent insight some of
which I pass on:

 The terminology is somewhat confusing. The "SSRT" kits which contain
 "Early Release Patches" (things that will be in the next patch kit, if
 there ever is one, and one is in testing now for V4.0G and should be
 out by this summer) are produced using exactly the same tools as the
 Customer Specific Patch (CSP) kits.

 My suspicion is that the newer Patch C 00296.00 - V40G.BL17 CSP for
 SSRT2373 and SSRT2374 -- contains some of the same files that were in an
 older security patch (Patch C 00103.04 and Patch C 00103.01) that you did
 install, but that the older patch doesn't have as good a label on it as
 the newer one. In any case, presumably the new patch supercedes the
 older patch, and it's safe to remove the (two) older patch(es) and apply
 the new one. You need to go find the documentation for the two patches
 it's complaining about and make sure that all the files they replaced are
 being replaced again. That should have been done in making the newer
 patch, I don't know (personally) whether it was or not.


Anyway I'm now going to wait for HP to do that checking and hope that a
new patch arrives soon.

Bob

---------- Original message ----------
Date: Wed, 28 May 2003 12:35:53 +0100 (BST)
From: Bob Vickers <bobv_at_cs.rhul.ac.uk>
Reply-To: Bob Vickers <R.Vickers_at_cs.rhul.ac.uk>
To: Tru64 Unix Managers <tru64-unix-managers_at_ornl.gov>
Subject: Dependency problems with Tru64 patches

Dear Managers,

Once again I am trying to install a security patch and it is failing to
install because dupatch alleges that I have installed a customer specific
patch which interferes.

An online manual defines a customer specific patch as:

 Any patch that is developed and made available to resolve a problem for a
 specific customer. A Customer-Specific patch is developed with prior
 knowledge of that customer's unique hardware and software configuration
 and environment. Customer-Specific patches may not be useful for another
 customer's system.

I have never installed such a patch on Tru64 4.0G, I have only installed
official patch kits and publicly announced patches to security problems.
It seems to me that in the past Compaq have erroneously marked some
patches as CSP and this prevents future patches being installed.

I am reluctant to remove the older so-called CSPs because this may bring
back a security problem. What is the simplest safe way out of this mess?

Here are the messages from dupatch:

Problem installing:

 - Tru64_UNIX_V4.0G / Security Related Patches:
        Patch C 00296.00 - V40G.BL17 CSP for SSRT2373 and SSRT2374 (Shared
Libra
        ./usr/dt/lib/libDtSvc.so:
                is installed by Customer Specific Patch (CSP):


 - Tru64_UNIX_V4.0G:
        Patch C 00103.04

                and can not be replaced by this patch. To install this
patch,
                you must first remove the CSP using dupatch. Before
performing
                this action, you should contact your Compaq Service
                Representative to determine if this patch kit contains the
                CSP. If it does not, you may need to obtain a new CSP from
                Compaq in order to install the patch kit and retain the
CSP fix.

This patch will not be installed.

-------------------------------------------------------------------------
-------------------------------------------------------------------------

Problem installing:

 - Tru64_UNIX_V4.0G / Security Related Patches:
        Patch C 00297.00 - V40G.BL17 CSP for SSRT2415
        ./usr/dt/bin/dtsession:
                is installed by Customer Specific Patch (CSP):


 - Tru64_UNIX_V4.0G:
        Patch C 00103.01

                and can not be replaced by this patch. To install this
patch,
                you must first remove the CSP using dupatch. Before
performing
                this action, you should contact your Compaq Service
                Representative to determine if this patch kit contains the
                CSP. If it does not, you may need to obtain a new CSP from
                Compaq in order to install the patch kit and retain the
CSP fix.

This patch will not be installed.

-------------------------------------------------------------------------
-------------------------------------------------------------------------

Problem installing:

 - Tru64_UNIX_V4.0G / Security Related Patches:
        Patch C 00299.00 - V40G.BL17 CSP for SSRT2373 and SSRT2374 (Static
Libra
        ./usr/dt/lib/libDtSvc.a:
                is installed by Customer Specific Patch (CSP):

 - Tru64_UNIX_V4.0G:
        Patch C 00103.01

                and can not be replaced by this patch. To install this
patch,
                you must first remove the CSP using dupatch. Before
performing
                this action, you should contact your Compaq Service
                Representative to determine if this patch kit contains the
                CSP. If it does not, you may need to obtain a new CSP from
                Compaq in order to install the patch kit and retain the
CSP fix.

This patch will not be installed.



Regards,
Bob
==============================================================
Bob Vickers R.Vickers_at_cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
Received on Thu May 29 2003 - 09:20:09 NZST

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:44 NZDT