[Info-vax] DCL vulnerability write up on The Register

[DuncanMorris]

On Thursday, February 8, 2018 at 11:52:58 AM UTC, Ian Miller wrote:
> On Thursday, February 8, 2018 at 2:32:06 AM UTC, Craig A. Berry wrote:
> > On 2/7/18 7:28 PM, Arne Vajhøj wrote:
> > > On 2/7/2018 7:49 AM, Craig A. Berry wrote:
> > 
> > >> Side note: the Register article incorrectly stated that Itanium
> > >> customers have to get the patch from HPE, but if you have VSI support
> > >> you can get it from them and it was available there sooner.
> > > 
> > > So HPE also released a patch?
> > 
> > I assume they repackaged VSI's patch, and I take the Register's word for
> > it that you can get a patch from HPE. I just know they are wrong in
> > saying you *have* to get it from them.
> 
> I've not seen a patch nor announcement from HPE on this yet.
> 
> As previously mentioned, VSI have done the right thing after receiving the report of the issue.

Response from HPE:

Alpha has no engineering support, engineering will not be releasing any ECO for Alpha.

A case has been raised as Quix elevation QXCM1001616243 to OpenVMS engineering and they are working on the fix for possible process crash on Itanium due to malformed SET COMMANDs.

Engineering will be providing fix on Itanium for the following issues that were fixed as part of VSI's eco VMS842L1I_DCL-V0100.

1. SET COMMAND may construct command tables that cause a process crash 
2. SET COMMAND may cause a process or image crash

We have no release date but this fix will be available via HPESC