[Info-vax] DCL vulnerability write up on The Register

[Stephen Hoffman]

On 2018-02-08 17:11:53 +0000, Tom Wade said:

> On 2018-02-07 12:49, Craig A. Berry wrote:
> 
>> This doesn't make any sense. People can get the vulnerability patched 
>> today on Alpha and Itanium. They do have to get to a current release, 
>> which apparently even includes that very loose definition of "current" 
>> which is HPE v8.4. An architecture change to x86_64 may be attractive 
>> for many reasons, but has nothing to do with addressing this particular 
>> vulnerability.
> 
> Does this include people on hobbyist licenses, or without support 
> contracts ?  If so, can somebody post a URL, I am finding it next to 
> impossible to navigate the HP site (I'm running OpenVMS Alpha 8.4).


HPE transitioned OpenVMS Alpha into mature support — that's HPE-speak 
for "no patches" — over a year ago.

HPE OpenVMS hobbyists haven't had access to patches for many years, 
outside of the occasional UPDATE kit.

Various security patches have not been available to hobbyists in the 
past, outside of potential inclusion in some subsequent UPDATE kit.   
Whether security patches are to become an exception to that?

Given that VSI lacks a hobbyist program and AFAIK HPE hasn't yet 
distributed a patch, rummaging the HPE site — for those with support — 
seems a little premature, too.

Then there's the whole discussion of whether this patch is even 
particularly relevant, as most OpenVMS systems have far larger holes.   
More than a few OpenVMS sites are still using telnet, and SCS and 
DECnet traffic is also in the clear, for instance.

HP is not relevant to OpenVMS.


-- 
Pure Personal Opinion | HoffmanLabs LLC