List of patches for VMS Alpha v8.4 freely available ?

[Simon Clubley]

I'm not looking for the patches themselves; I know they are not
available without a support contract. What I am looking for are
a list of the VMS Alpha v8.4 patches and a summary of what was fixed.

Searching with Google has only found old postings and the old ITRC
references.

Background: I had an idea a few days ago and as a result I have
now found something. So far, it's not a system compromise problem,
but it's certainly the kind of problem which someone could have
preemptively decided to fix in a patch just in case.

Thanks,

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world

[Jan-Erik Soderholm]

Den 2017-08-20 kl. 16:30, skrev Simon Clubley:
> I'm not looking for the patches themselves; I know they are not
> available without a support contract. What I am looking for are
> a list of the VMS Alpha v8.4 patches and a summary of what was fixed.
>
> Searching with Google has only found old postings and the old ITRC
> references.
>
> Background: I had an idea a few days ago and as a result I have
> now found something. So far, it's not a system compromise problem,
> but it's certainly the kind of problem which someone could have
> preemptively decided to fix in a patch just in case.
>
> Thanks,
>
> Simon.
>

"HP OpenVMS Alpha 8.4" or "VSI OpenVMS Alpha 8.4-2L2"?

[Simon Clubley]

Good point, thanks. :-)

I want to mainly trace the history of patches for HPE Alpha VMS but
would also be interested in knowing if VSI have a list of VMS Alpha
patches (including details of problems fixed) which they may have
also created since they were formed.

[Jan-Erik Soderholm]

Den 2017-08-20 kl. 17:38, skrev Simon Clubley:
> On 2017-08-20, Jan-Erik Soderholm <jan-erik....@telia.com> wrote:
>> Den 2017-08-20 kl. 16:30, skrev Simon Clubley:
>>> I'm not looking for the patches themselves; I know they are not
>>> available without a support contract. What I am looking for are
>>> a list of the VMS Alpha v8.4 patches and a summary of what was fixed.
>>>
>>> Searching with Google has only found old postings and the old ITRC
>>> references.
>>>
>>> Background: I had an idea a few days ago and as a result I have
>>> now found something. So far, it's not a system compromise problem,
>>> but it's certainly the kind of problem which someone could have
>>> preemptively decided to fix in a patch just in case.
>>>
>>> Thanks,
>>>
>>> Simon.
>>>
>>
>> "HP OpenVMS Alpha 8.4" or "VSI OpenVMS Alpha 8.4-2L2"?
>
> Good point, thanks. :-)
>
> I want to mainly trace the history of patches for HPE Alpha VMS but
> would also be interested in knowing if VSI have a list of VMS Alpha
> patches (including details of problems fixed) which they may have
> also created since they were formed.
>
> Thanks,
>
> Simon.
>

No pathes from VSI known to me. And the 8.4-2L2 kit was just released
a month ago or so... :-) But as far as I understand, everything that was
(or is) available from HPE is included in the 8.4-2L2 kit with some
extra fixes from VSI. I have not seen any document that has an "what
has been fixed in this release" kind of specification.

Regarding HP OpenVMS, I just checked and I can still login to HPE but
my patch access (and the patch lists and releae notes) has been closed.
Probably due to that our contract with HPE closed 31-Dec 2016... :-)

Probably best to look for that "something" that you have found
in the latest kit from VSI.

Jan-Erik.

[Simon Clubley]

Thanks, Jan-Erik.

What I've found is not great even though it's not currently a system
compromise type problem, but at the same time, someone else may
have already found it. Therefore, I didn't want to waste someone's time
if it's already known about, especially if HPE has already issued
a preemptive patch just in case.

[Simon Clubley]

On 2017-08-20, Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:
>
> Thanks, Jan-Erik.
>
> What I've found is not great even though it's not currently a system
> compromise type problem, but at the same time, someone else may
> have already found it. Therefore, I didn't want to waste someone's time
> if it's already known about, especially if HPE has already issued
> a preemptive patch just in case.
>

Actually, OTOH, I suppose this is something the vendor will just have
to deal with when it decides to restrict access to the patches.

I'll evaluate it a bit more when I get some free time and then I'll
give HPE/VSI a bit of time to evaluate what I have found before
I report the details here.

Thanks,

[abrsvc]

Shoot me a note at the address below. I have the listings on paper. If you can tell me what to look for, I can look and reply. I suggest that you send it to me directly to avoid any publication of the problem.

Dan

dansabrservices AT yahoo DOT com

[Simon Clubley]

On 2017-08-20, abrsvc <dansabr...@yahoo.com> wrote:
> Shoot me a note at the address below. I have the listings on paper. If
> you can tell me what to look for, I can look and reply. I suggest that you
> send it to me directly to avoid any publication of the problem.
>

Thanks for the offer Dan, but given the nature of the problem it's
probably best if I only send it via the HPE/VSI formal contact
mechanisms for now.

Although it's not an actual vulnerability at the moment, I am still
more nervous about this one than I was with the DCL one.

When you see the details you will understand why.

[abrsvc]

If there are module areas that you want checked, let me know. If the list is short enough, I can type the summaries or perhaps scan the sheets.

Dan

[Robert A. Brooks]

On 8/20/2017 2:08 PM, Simon Clubley wrote:

> Thanks for the offer Dan, but given the nature of the problem it's
> probably best if I only send it via the HPE/VSI formal contact
> mechanisms for now.

Which of our formal contact mechanisms do you plan to use?

I'd suggest using either the RnD or support addresses

--
-- Rob

[Simon Clubley]

On 2017-08-20, Robert A. Brooks <FIRST...@vmssoftware.com> wrote:
> On 8/20/2017 2:08 PM, Simon Clubley wrote:
>
>> Thanks for the offer Dan, but given the nature of the problem it's
>> probably best if I only send it via the HPE/VSI formal contact
>> mechanisms for now.
> Which of our formal contact mechanisms do you plan to use?
>

I'd prefer a security bug reporting mechanism, but unfortunately
that's not an option yet. :-(

As such, since it's not an actual vulnerability yet, I'll just email
it to Clair after I've spent a bit more time looking at it.