INFO-VAX    Tue, 29 Jul 2008    Volume 2008 : Issue 418

Contents:
  Re: Another BIND vulnerability (cache poisoning)
  Re: Another BIND vulnerability (cache poisoning)
  Re: Another BIND vulnerability (cache poisoning)
  Re: Another BIND vulnerability (cache poisoning)
  Re: Another BIND vulnerability (cache poisoning)
  Re: Another BIND vulnerability (cache poisoning)
  Re: Another BIND vulnerability (cache poisoning)
  Re: Another BIND vulnerability (cache poisoning)
  Re: Another BIND vulnerability (cache poisoning)
  How do you allow telnet access to your own computer?
  Re: How do you allow telnet access to your own computer?
  Re: How do you allow telnet access to your own computer?
  Re: How do you allow telnet access to your own computer?
  Re: Itanium Question
  Re: Itanium Question
  Re: TSM on Integrity
  Re: VERY Old RDB Manuals (V2.3) wanted!
  Re: Were can I buy a cheap vaxstation
  Re: Were can I buy a cheap vaxstation

----------------------------------------------------------------------

Date: Mon, 28 Jul 2008 10:59:04 -0700
From: "Jeffrey H. Coffield"
Subject: Re: Another BIND vulnerability (cache poisoning)
Message-ID: <1Mnjk.6790$cn7.1545@flpi145.ffdc.sbc.com>

I contacted HP support for one of my customers and got the following
response:

> There are 2 parts to DNS.
> 1) Server
> - The vulnerability only affects the servers and may render it "compromised", and there is a fix for this.
>
> 2) Resolver/client
> - The vulnerability will not affect the clients directly and there is no fix for it.
>
> But if your client is pointing to a server that was compromised, the client may not get the proper answers from the affected server.
>
> The only fix to this is to fix the affected server or point your client to another server that is not compromised.
>
> Regards,
>
> Jay So HP Services
>

Since these systems point to a corporate DNS server (at another location
and the responsibility of another department) I am not asking for the
patch but HP said they had one.

At other customers, the OpenVMS systems point to DNS servers provided by
their ISPs and I am checking those to see if they are patched. I am
using http://www.doxpara.com/ to do the test.

As I understand the problem, once the server your system points to is
patched, there is nothing more you can do. If this is not correct,
please let me know.

Jeffrey Coffield
www.digitalsynergyinc.com

------------------------------

Date: Mon, 28 Jul 2008 14:23:46 -0400
From: JF Mezei
Subject: Re: Another BIND vulnerability (cache poisoning)
Message-ID: <488e0f25$0$1845$c3e8da3@news.astraweb.com>

Jan-Erik Söderholm wrote:

> So, again, where *is* the problem ?? Besides of the
> possible perception that HP don't care, of course...

Captain of Titanic: don't bother closing the bulkhead doors, we're
abandoning the ship anyways and not many will benefit from closed
bulkhead doors, but it is important that we continue to play the violin
on the top deck to make the remaining passengers feel good since they
are still stranded on VMS and unable to port to something else. The
longer we can keep passengers stranded on the top deck and give them the
appearance that all is well, the more money we can extract from them by
selling drinks to them.

HP will happily sell you overpriced Cool Aid. Drink the Cool Aid.

It is clear that HP doesn't care. It is very sad.

As of now, IBM, SUN and Linux vendors can pitch stuff to CEOs of VMS
shops stating factually that HP is not even releasing critical patches
for VMS anymore, justifying the decision with "not enough customers are
affected".

That says a hell of a lot about how quickly the VMS installed base is
shrinking. Will there be any celebrations next year when it goes below
100,000 ? (or has it already gone below that number ?)

And just how does HP know that only a few customers are affected by
this ?

And for what it is worth, BIND 8 and BIND 9 are vulnerable. This isn't
just the resolver.
Just make sure VMS isn't acting as your corporate bind server since it
is no longer being maintained. That is the message here.

I originally thought IA64 would die first, and VMS with it (or hoped VMS
would be ported to the 8086). Now, it appears VMS will already be in a
coma when IA64 is put out of its misery and HP won't have to justify not
porting it to 8086.

If HP can unilaterally decide not to generate a critical, high
visibility patch to one of its products, what does it say about its
other products ? Would you trust HP for HP-UX when you look at how it is
handling VMS ?

HP needs to spin off its enterprise computing to a new company. We'll
call it "Digital Equipment Corporation", and then HP can focus on its
core business of injecting a few ml of coloured water/alcohol into
expensive plastic cartridges.

------------------------------

Date: Mon, 28 Jul 2008 14:26:19 -0400
From: JF Mezei
Subject: Re: Another BIND vulnerability (cache poisoning)
Message-ID: <488e0fbb$0$1845$c3e8da3@news.astraweb.com>

david20@alpha1.mdx.ac.uk wrote:

> Look in TCPIP$BIND.CONF
>
> If recursion is restricted to internal systems you will have something like
>
> acl "internal" {
>     xxx.xxx.xxxx/24 ; 10/8 ;
> };
>
> options {
>     directory "SYS$SPECIFIC:[TCPIP$BIND]";
>     allow-recursion { "internal"; };
>     max-cache-size 10M;
> };
>
> If there is no allow-recursion option specified then recursion is allowed
> from all hosts.

Pardon my ignorance, but this latest issue happens when a local client
tries to resolve a list of foreign hosts and uses his designated DNS
server to do this. So the requests come from the internal lan and are
thus validated in the above rule, aren't they ?
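
The TCPIP$BIND.CONF check quoted in the message above can be scripted. The Python below is an added example, not part of the original posts or of HP TCP/IP Services: it treats a missing allow-recursion statement as recursion open to all hosts, as the quoted post states, and the function names and both sample configurations are constructed for illustration.

```python
import re

# Constructed samples modelled on the two configuration shapes in the thread.
RESTRICTED = '''
acl "internal" { 192.0.2.0/24; 10/8; };
options {
    directory "SYS$SPECIFIC:[TCPIP$BIND]";
    allow-recursion { "internal"; };
    max-cache-size 10M;
};
'''
NO_ACL = '''
options {
    directory "TCPIP$BIND_COMMON:[TCPIP$BIND]";
    recursion yes;   // no allow-recursion statement
};
'''

def strip_comments(text):
    """Drop /* */, // and # comments (simplified: ignores quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_block(text):
    """Return the body of the global options { ... } block, or ''."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    return text[m.end():]  # unterminated block: use what is there

def recursion_exposure(conf):
    """Classify global recursion as 'disabled', 'restricted' or 'open'."""
    opts = options_block(strip_comments(conf))
    if re.search(r"\brecursion\s+no\s*;", opts):
        return "disabled"
    m = re.search(r"\ballow-recursion\s*\{([^}]*)\}", opts)
    if m is None:
        return "open"  # per the quoted post: no allow-recursion = all hosts
    entries = {e.strip().strip('"') for e in m.group(1).split(";") if e.strip()}
    if entries == {"none"}:
        return "disabled"
    return "open" if "any" in entries else "restricted"

if __name__ == "__main__":
    for name, conf in (("RESTRICTED", RESTRICTED), ("NO_ACL", NO_ACL)):
        print(name, "->", recursion_exposure(conf))
```

Only the global options block is inspected; per-view settings are outside what this sketch covers.
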
------------------------------

Date: 28 Jul 2008 21:00:27 GMT
From: billg999@cs.uofs.edu (Bill Gunshannon)
Subject: Re: Another BIND vulnerability (cache poisoning)
Message-ID: <6f6qbbFa0nqfU1@mid.individual.net>

In article , koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
> In article <488a10c0$0$14356$c3e8da3@news.astraweb.com>, JF Mezei writes:
>>
>> If VMS is not affected, then HP should post this info on the CERT web
>> site to indicate that VMS has been tested and while the public tests
>> show it as vulnerable, it is not vulnerable to actual "attacks".
>
> How does HP define whether VMS is affected, when HP doesn't own all
> the BIND implementations being run on VMS? The best HP can do is
> tell us whether UCX (clear throat, "HP TCP/IP Services for OpenVMS")
> is affected.
>
> What has Process got to say about theirs?

I thought it was already announced here that Process had fixed all of
their software. And in a very timely manner as opposed to HP who I
don't think has even admitted there is a problem yet.

Anyone want to chime in here to defend VMS again as this is exactly what
many people have said about the lack of CERT advisories in the first
place and why they do not necessarily reflect greater security.

bill

--
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n. Three wolves
billg999@cs.scranton.edu |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |  #include

------------------------------

Date: 28 Jul 2008 21:10:13 GMT
From: billg999@cs.uofs.edu (Bill Gunshannon)
Subject: Re: Another BIND vulnerability (cache poisoning)
Message-ID: <6f6qtkFa0nqfU2@mid.individual.net>

In article <488e0f25$0$1845$c3e8da3@news.astraweb.com>, JF Mezei writes:
>
> Would you trust HP for HP-UX when you look at how it is
> handling VMS ?

Why would their handling of VMS have any effect on the faith of HP-UX
users? I thought they posted a timely patch to ensure HP-UX was fixed.

bill

--
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n. Three wolves
billg999@cs.scranton.edu |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |  #include

------------------------------

Date: 28 Jul 2008 16:33:18 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: Another BIND vulnerability (cache poisoning)
Message-ID:

billg999@cs.uofs.edu (Bill Gunshannon) writes:
>
> Why would their handling of VMS have any effect on the faith of HP-UX
> users? I thought they posted a timely patch to ensure HP-UX was fixed.

I saw how HP "supported" 68K HP-UX users when they went to PARC. We
all saw how HP "supported" TruCluster users. Now they're showing equal
levels of support for VAXen and UCX.

Relying on HP for long term investment support has not been one of the
brighter lights in the computer business.

Gartner has tried now for about 20 years to kill VMS. HP may be their
best ally.

------------------------------

Date: Mon, 28 Jul 2008 22:06:35 GMT
From: Jan-Erik Söderholm
Subject: Re: Another BIND vulnerability (cache poisoning)
Message-ID:

Jeffrey H. Coffield wrote:
> I contacted HP support for one of my customers and got the following
> response:
>
>> There are 2 parts to DNS.
>> 1) Server
>> - The vulnerability only affects the servers and may render it
>> "compromised", and there is a fix for this.
>>
>> 2) Resolver/client
>> - The vulnerability will not affect the clients directly and there is
>> no fix for it.
>>

I take it for granted that the above was regarding VMS, right ?
And if so, it was more or less as I thought it was.
Fine then, nothing to care about for me, those managing
the DNS *servers* have to patch *their* systems...

Was that really what all the fuss was about ?

Jan-Erik.

>> But if your client is pointing to a server that was compromised, the
>> client may not get the proper answers from the affected server.
>
>
>> The only fix to this is to fix the affected server or point your
>> client to another server that is not compromised.
>>
>> Regards,
>>
>> Jay So HP Services
>>
>
> Since these systems point to a corporate DNS server (at another location
> and the responsibility of another department) I am not asking for the
> patch but HP said they had one.
>
> At other customers, the OpenVMS systems point to DNS servers provided by
> their ISPs and I am checking those to see if they are patched. I am
> using http://www.doxpara.com/ to do the test.
>
> As I understand the problem, once the server your system points to is
> patched, there is nothing more you can do. If this is not correct,
> please let me know.
>
> Jeffrey Coffield
> www.digitalsynergyinc.com

------------------------------

Date: Mon, 28 Jul 2008 16:49:39 -0700
From: "Jeffrey H. Coffield"
Subject: Re: Another BIND vulnerability (cache poisoning)
Message-ID:

Jan-Erik Söderholm wrote:
> Jeffrey H. Coffield wrote:
>> I contacted HP support for one of my customers and got the following
>> response:
>>
>>> There are 2 parts to DNS.
>>> 1) Server
>>> - The vulnerability only affects the servers and may render it
>>> "compromised", and there is a fix for this.
>>>
>>> 2) Resolver/client
>>> - The vulnerability will not affect the clients directly and there is
>>> no fix for it.
>>>
>
> I take it for granted that the above was regarding VMS, right ?
>

Yes

------------------------------

Date: Mon, 28 Jul 2008 17:36:54 -0700
From: "Tom Linden"
Subject: Re: Another BIND vulnerability (cache poisoning)
Message-ID:

On Mon, 28 Jul 2008 08:12:34 -0700, wrote:

> In article , "Tom Linden"
> writes:
>> On Mon, 28 Jul 2008 06:42:43 -0700, wrote:
>>
>>> No - unpatched internal DNS servers which are setup to do recursive
>>> queries are
>>> vulnerable to attack from compromised internal windows systems.
>>
>> How do you check if it is set up that way?
>>
>
> Look in TCPIP$BIND.CONF
>
> If recursion is restricted to internal systems you will have something
> like
>
> acl "internal" {
>     xxx.xxx.xxxx/24 ; 10/8 ;
> };
>
> options {
>     directory "SYS$SPECIFIC:[TCPIP$BIND]";
>     allow-recursion { "internal"; };
>     max-cache-size 10M;
> };
>
> If there is no allow-recursion option specified then recursion is allowed
> from all hosts.
>

Don't have an acl statement, and only

options {
    directory "TCPIP$BIND_COMMON:[TCPIP$BIND]";
    recursion yes;

> see
>
> http://www.openvms.compaq.com/doc/83final/6526/6256pro_010.html#bind9_access_tab
>
> and for the acl statement
>
> http://www.openvms.compaq.com/doc/83final/6526/6256pro_008.html#bind9_acl_sec
>
>
> David Webb
> Security team leader
> CCSS
> Middlesex University
>
>> --
>> PL/I for OpenVMS
>> www.kednos.com

--
PL/I for OpenVMS
www.kednos.com

------------------------------

Date: Mon, 28 Jul 2008 18:39:29 -0700 (PDT)
From: hamilton_n@encompasserve.org
Subject: How do you allow telnet access to your own computer?
Message-ID:

I'm wondering how I can access my own computer with telnet, how do I do
this?

------------------------------

Date: Mon, 28 Jul 2008 21:43:32 -0400
From: "Richard B. Gilbert"
Subject: Re: How do you allow telnet access to your own computer?
Message-ID:

hamilton_n@encompasserve.org wrote:
> I'm wondering how I can access my own computer with telnet, how do I do
> this?

$ TELNET LOCALHOST

Or, if that is not the answer to your question, you could try stating
your question a little more clearly!

------------------------------

Date: Mon, 28 Jul 2008 22:09:18 -0400
From: JF Mezei
Subject: Re: How do you allow telnet access to your own computer?
Message-ID: <488e7c40$0$1808$c3e8da3@news.astraweb.com>

hamilton_n@encompasserve.org wrote:
> I'm wondering how I can access my own computer with telnet, how do I do
> this?

Login with the system manager account, execute @sys$manager:tcpip$config
and then go through the menus to find telnet and enable that service.
------------------------------

Date: Mon, 28 Jul 2008 20:20:56 -0600
From: Jeff Campbell
Subject: Re: How do you allow telnet access to your own computer?
Message-ID: <1217297492_13809@isp.n>

hamilton_n@encompasserve.org wrote:
> I'm wondering how I can access my own computer with telnet, how do I do
> this?

The system must be running a telnet server. If you are using TCPIP
Services for OpenVMS, you can check whether the telnet server is
running with:

$ tcpip show service telnet

Service      Port  Proto  Process      Address   State

TELNET         23  TCP    not defined  0.0.0.0   Enabled

If the telnet service is not configured on your machine you can use
TCPIP$CONFIG.COM in SYS$MANAGER to add it.

Once the telnet server is configured and running you can:

$ telnet 0

or

$ telnet localhost

to start a local telnet connection.

HTH,

Jeff

------------------------------

Date: Mon, 28 Jul 2008 14:00:37 -0400
From: JF Mezei
Subject: Re: Itanium Question
Message-ID: <488e09b5$0$1806$c3e8da3@news.astraweb.com>

Cross Michael C Mr CIV USAF 53 CSS/SCO wrote:
> I have a FORTRAN executable that uses GKS which runs on a DS25 running
> OpenVMS 8.2. What is the probability the application will run on an
> Itanium running OpenVMS 8.3?

There is the Alpha-IA64 executable translator (equivalent to VEST that
translated VAX to Alpha). However, I am not sure about GKS running on
IA64, you might have to translate that too.

It might "walk" instead of "run" because translated images will generate
a lot of alignment faults which are very bad on that IA64 thing.
------------------------------

Date: Mon, 28 Jul 2008 14:28:29 -0700 (PDT)
From: Bob Gezelter
Subject: Re: Itanium Question
Message-ID:

On Jul 28, 8:58 am, "Cross Michael C Mr CIV USAF 53 CSS/SCO" wrote:
> I have a FORTRAN executable that uses GKS which runs on a DS25 running
> OpenVMS 8.2. What is the probability the application will run on an
> Itanium running OpenVMS 8.3?
>
> Thanks,
>
> Mike Cross

Mike,

To be precise, the answer is "depends". Performance is a related, but
not-necessarily strongly connected attribute.

I did a bit of study on this for my paper in last spring's OpenVMS
Technical Journal ("Strategies for Migrating from Alpha and VAX systems
to HP Integrity Servers on OpenVMS", available through
http://www.rlgsc.com/publications/vmstechjournal/migrationstrategies.html ).

The most important questions to optimal performance and reliability are
the availability of the sources for recompilation for Itanium. It is
possible to translate binaries directly, but it does exact a cost in
performance.

It is certainly possible to translate a main program and use a native
library, and vice versa in all combinations, albeit at some cost. Such
approaches are often useful as part of a staged migration plan.

Potentially viable, certainly. Whether it is the right answer depends
upon a careful review of the facts.

- Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Mon, 28 Jul 2008 12:19:45 -0700 (PDT)
From: mancmar@googlemail.com
Subject: Re: TSM on Integrity
Message-ID: <30ba04b5-5551-4d08-bc67-5a3a94eeb88f@f36g2000hsa.googlegroups.com>

Toine - HP also sell a product called Open DECserver Manager, which
uses IP to manage servers rather than LAT. Obviously it only works with
DECservers with firmware that supports IP. It is supported on VAX,
Alpha and Integrity, and also supports the later Digital Networks
servers. However as it's an old Digital "asset", it can be tricky to
find anyone within HP who knows anything about selling it.

Feel free to contact me offline if you need any more information.

------------------------------

Date: Mon, 28 Jul 2008 23:28:20 GMT
From: Antonio Carlini
Subject: Re: VERY Old RDB Manuals (V2.3) wanted!
Message-ID:

Al Kossow wrote in
news:g6kviu$1am$1@registered.motzarella.org:

> Rich Jordan wrote:
>> As in it's a pain in the rear to get at them and I won't
>> try if the 2.x or 3.x availability dates are before early 1990...
>
> The release note for 3.0 is Jul, 1988 and the earliest manuals I see
> from the DEC archives at CHM are 1985.
>
> Were they putting docs for layered products on documentation CDs this
> early?

FWIW: My earliest Consolidated Software CD is May 1989.

Antonio

------------------------------

Date: Mon, 28 Jul 2008 16:19:56 -0500
From: Chris Scheers
Subject: Re: Were can I buy a cheap vaxstation
Message-ID: <488E37FC.90506@applied-synergy.com>

Bob Koehler wrote:
> In article <4889e6d1$0$5004$607ed4bc@cv.net>, VAXman- @SendSpamHere.ORG writes:
>> I have a terabyte or more in RZ29s in the garage if they really truly want
>> a 4.3 GB spindle. ;)
>
> Will those things talk narrow SCSI? My hobbyist spindles tend to be
> 2G and under. I'm stuck using the system disk in my DS10L for new
> storage.
>
> Maybe I should just go out and spend a few pennies. ;-)

In my experience, RZ29x-VA (narrow) drives can still be rather pricey.

RZ29x-VW (wide) drives seem to be dirt cheap.

If you use a BA356 shelf with a narrow controller, the wide drives will
work fine with a narrow VAX.

I have some RZ29B-VW drives hooked to a VAXstation 4000=60 that way.

NOTE: For the BA356 option, make sure the jumper plug is inserted. I
didn't think it was necessary. In fact, narrow drives seem to work fine
without it. I could not get wide drives to work until the jumper was
present.

Good luck!

--
-----------------------------------------------------------------------
Chris Scheers, Applied Synergy, Inc.
Voice: 817-237-3360    Internet: chris@applied-synergy.com
Fax: 817-237-3074

------------------------------

Date: 28 Jul 2008 18:08:30 -0400
From: Rich Alderson
Subject: Re: Were can I buy a cheap vaxstation
Message-ID:

"Richard B. Gilbert" writes:

> Once upon a time 4 GB was a lot of disk. I think that in days of yore,
> VMS could be installed in 50 MB. That left little or no space for users
> but you could shoe horn the O/S into it.

In 1995, when we were getting the Toad-1 system ready for market, 4GB
was the knee in the curve with respect to (FASTWIDE differential) SCSI
disks, up from the 2GB drives we originally planned to ship. That
single 4GB drive was the equivalent of the 2 RP06s and 7 RP07s in the
computer room at XKL, with another RP06 and RP07 to spare.

We could hang 15 disks off each of the 4 channels on our single SCSI
board, and had a little trouble imagining the need for that much
storage. (The base system had a 7-slot backplane, with 4 occupied
slots: CPU, memory, 4-port SCSI, and 4-port Ethernet; mix-and-match
anything but more CPUs in the other 3).

4GB was a LOT of disk, in days of yore.

--
Rich Alderson                  "You get what anybody gets. You get a lifetime."
news@alderson.users.panix.com                        --Death, of the Endless

------------------------------

End of INFO-VAX 2008.418
************************