Home · Articles · Downloads · Hobby Wear · Forums · Web Links · News CategoriesMonday, January 30, 2023
Navigation
Home
Articles
Downloads
Hobby Wear
FAQ
Forums
Web Links
News Categories
Contact Us
Photo Gallery
OpenVMS Bigot
Search
Users Online
Guests Online: 6
No Members Online

Registered Members: 7,681
Newest Member: MrManul
Sponsors
Island Computer
View Thread
OpenVMS Hobbyist Program | VAX Systems Forums | VAX Software Forum
Author Any chance VAX will ever see this fix?
johnklos
Member

Posts: 5
Location: California, USA, Earth
Joined: 30.09.16
Posted on February 20 2018 15:40
https://www.theregister.co.uk/2018/02/06/openvms_vulnerability/

The CVE will be made public in March. Does anyone know if the source for DCL is available for actual humans so that someone can patch it to remove these issues?

If not, what other actions could be taken to reduce the exploitability of this? Or will we have to wait for more details from the CVE?


--
http://vax.zia.io/
Author RE: Any chance VAX will ever see this fix?
abrsvc
Member

Posts: 108
Joined: 12.03.10
Posted on February 21 2018 01:44
I have researched the problem and am attempting to create a "fix". Since I do not have the sources nor access to them, I am trying to develop a patch that can be applied to the appropriate image to address this. In the meantime, removing the privs from the installed image will prevent this problem as stated in comp.os.vms. Realize that if your site does NOT utilize CLD files, then disabling the privs will NOT change any behavior.

This is a problem ONLY when using CLD files to modify/create commands.

Dan
Author RE: Any chance VAX will ever see this fix?
malmberg
Moderator

Posts: 530
Joined: 15.04.08
Posted on February 22 2018 02:38
Anyone can create a .CLD file for use. So unless you remove the privileges from the image, lacking an official patch, you are vulnerable.
Author RE: Any chance VAX will ever see this fix?
Bruce Claremont
Member

Posts: 620
Joined: 07.01.10
Posted on February 23 2018 09:45
We placed an article on mitigating the issue at this link:

http://www.migrationspecialties.com/pdf/CDU_VulnerabilityMitigation.pdf
Jump to Forum:
Login
Username

Password



Not a member yet?
Click here to register.

Forgotten your password?
Request a new one here.
Member Poll
Are you going to OpenVMS Boot Camp 2016?

Yes

No

You must login to vote.
Shoutbox
You must login to post a message.

malmberg
August 04 2022
No more VAX hobbyist licenses. Community licenses for Alpha/IA64/X86_64 VMS Software Inc. Commercial VMS software licenses for VAX available from HPE.

ozboomer
July 20 2022
Just re-visiting.. No more hobbyist licenses? Is that from vmssoftware.com, no 'community' licenses?

valdirfranco
July 01 2022
No more hobbyist license...sad

mister_wavey
February 12 2022
I recall that the disks failed on the public access VMS systems that included Fafner

parwezw
January 03 2022
Anyone know what happened to FAFNER.DYNDS.ORG? I had a hobbyist account here but can longer access the site.

gtackett
October 27 2021
Make that DECdfs _2.1A_ for Vax

gtackett
October 27 2021
I'm looking for DECdfs V2.4A kit for VAX. Asking here just in case anyone is still listening.

MarkRLV
September 17 2021
At one time, didn't this web site have a job board? I would love to use my legacy skills one last time in my career.

malmberg
January 18 2021
New Hobbyist PAKs for VAX/VMS are no longer available according to reports. Only commercial licenses are reported to be for sale from HPE

dfilip
January 16 2021
Can someone please point me to hobbyist license pak? I'm looking for VAX/VMS 7.1, DECnet Phase IV, and UCX/TCPIP ... have the 7.1 media, need the license paks ... thanks!

Bart
October 16 2020
OpenVMS, and this website!

malmberg
September 05 2020
VSI community non-commercial licenses for AXP/IA64 are available now.

malmberg
September 05 2020
See the forum about licensing. Don't know if HPE hobby licenses still being issued. Commercial licenses still being sold.

silfox70
September 01 2020
I need the license for OpenVMS7.3. Where can I find them?

malmberg
August 29 2020
Eisner, which is currently being moved, got an SSH update and the keys were updated to more modern encryption standards.

Shoutbox Archive